Standing Split: 11th Circuit Data Breach Standing Decision Takes Defendants’ Side in Circuit Court Division
The Eleventh Circuit Court of Appeals recently upheld the district court’s dismissal of a data breach suit for lack of standing, deepening a divide among circuit courts — including the District of Columbia and Fourth Circuits — that began almost immediately after the Supreme Court’s 2015 decision in Spokeo v. Robins.
In I Tan Tsao v. Captiva MVP Restaurant Partners, LLC, the plaintiff alleged that PDQ — a restaurant owned by the defendant that he patronized — had suffered a data breach that exposed him and proposed class members to damages. As his damages, he and his proposed class members alleged “theft of their personal financial information,” “unauthorized charges on their debit and credit card accounts,” and “ascertainable losses in the form of the loss of cash back or other benefits.” Based on these allegations, the plaintiff asserted that he and the class members had “been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.”
PDQ moved to dismiss for lack of standing, arguing that the plaintiff had not alleged injuries sufficiently “concrete” to support federal court jurisdiction under Article III. PDQ argued that the plaintiff’s abstract fear of identity theft did not suffice and that the mitigation efforts he took were self-inflicted injuries that could not support standing. The district court granted PDQ’s motion, and the plaintiff appealed.
The Eleventh Circuit affirmed. Citing Spokeo, the court held that a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either “certainly impending” or there is a “substantial risk” of such harm. Consequently, the court held, conclusory allegations of an “elevated risk of identity theft” or a “continuing increased risk” of identity theft “a simply not enough” to confer standing. The court continued: “[W]ithout specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending’—or that there was a “substantial risk” of such harm—will be difficult. . . . Evidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.”
As to whether the plaintiff’s mitigation efforts supplied the requisite Article III injury, the Eleventh Circuit held that “plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” The court reasoned that any loss incurred by the plaintiff’s cancellation of his credit cards, such as the loss of his reward points, were self inflicted and thus insufficient to support standing. The court therefore upheld the district court’s dismissal.
Tsao breaks sharply with several circuits. For example, in Attias v. CareFirst, the District of Columbia Circuit simply “assume[d], for purposes of the standing analysis, that plaintiffs will prevail on the merits of their claim that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft,” and consequently reversed the district court’s dismissal for lack of standing — a view shared by the Sixth, Seventh, and Ninth Circuits. By contrast, in Beck v. McDonald, the Fourth Circuit — which includes Maryland and Virginia — sided with the Second, Third, and Eighth Circuits to affirm the dismissal of a data breach case because the plaintiff had failed to allege facts that would “push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent.” (This particular circuit split means that residents of Washington, DC suburbs in Maryland and Virginia who wish to sue for a data breach will try to bring their suits in DC rather than their place of residence.)
In Spokeo, the Supreme Court emphasized the need for a concrete injury to maintain a lawsuit, and since then, data breach defendants have asserted standing (or a variant thereof) to avoid litigation, with varied results. Recently, in the Capitol One data breach suit, the defendants asserted that the plaintiffs could not allege a sufficient probability of being defrauded — basically, a disguised standing argument — but, citing Beck, the Eastern District of Virginia district court rejected the assertion. In the District of Columbia, a law firm accused of a data breach apparently tried to avoid Attias by characterizing its standing argument as a motion dismiss for failure to state a claim; this effort also failed, as the district court denied the motion.
This sharp circuit split, and litigants’ efforts to avoid Spokeo’s reach, increase the odds that the Supreme Court will eventually step in to clarify its holding in Spokeo. Meanwhile, data breach defendants will have to stay on top of court rulings and brace themselves for aggressive litigation over the standing issue.