As part of a growing trend, the Eleventh Circuit recently held that an alleged risk of future identity theft does not establish standing where the plaintiff does not allege any information has actually been misused. Tsao v. Captiva MVP Rest. Partners, LLC, No. 18-14959, 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021). The decision is a blow to the data breach plaintiffs’ bar, which routinely attempts to rely on third-party reports and other generic allegations concerning a risk of future harm to attempt to establish Article III standing.
The case arose after hackers allegedly gained access to PDQ’s point of sale system in May of 2017. Cardholder names, credit card numbers, card expiration dates, and CVVs may have been accessed as a result of the alleged breach. The plaintiff, whose information may have been accessed by the hackers, filed a class action against PDQ alleging claims of breach of implied contract, negligence, unjust enrichment, and violation of the Florida Unfair and Deceptive Trade Practices Act. The District Court dismissed the complaint for lack of standing.
On appeal, the Eleventh Circuit affirmed. It rejected the plaintiff’s reliance on third-party reports—a common allegation in data breach complaints—concerning the risk of identity theft, finding that those reports cut against the plaintiff because they established that the risk of identity theft is very low. Likewise, the Court also found any purported risk to the plaintiff to be low. The Eleventh Circuit seized on the fact that the plaintiff had immediately cancelled his credit cards, which extinguished any risk of fraudulent charges. Also, the absence of specific evidence that any putative class member’s information had been misused cut against finding a substantial risk of future identity theft. Based on the factors above, as well as the plaintiff’s reliance on “vague, conclusory allegations,” the Eleventh Circuit held “some risk … still exists, but that risk is not substantial and is, at best, speculative.” Id. at *25, 26.