In an opinion that deepens an existing circuit court split, the Eleventh Circuit recently held that the future risk of identity theft is not sufficient to establish Article III standing.

The case, Tsao v. Captiva MVP Restaurant, involved a 2017 payment card breach involving PDQ, a restaurant where plaintiff had used his credit card.  Nearly a year later after the breach occurred, PDQ posted a notice of the breach on its website, stating that all customers who visited PDS restaurants during the relevant time period “may have” been affected by the breach.  Upon learning of the breach, the plaintiff cancelled his credit cards, although there was no evidence his card had been stolen or misused by any bad actors.

Plaintiff then brought suit on behalf of a putative class of PDQ customers, asserting negligence, negligence per se, breach of contract, unjust enrichment and unfair and deceptive practice claims, seeking damages relating to his loss of rewards points connected to his credit card, loss of the use of his card, and lost time and costs associated with cancelling his card and protecting against future identity theft.  The district court granted defendant’s motion to dismiss for lack of standing.

On appeal, the Eleventh Circuit summarized the current circuit court split on the question of whether fear of identity theft was sufficient to establish standing.  The Sixth, Seventh, Ninth and D.C. Courts of Appeals have ruled in favor of standing on this question while the Second, Third, and Eighth Circuits have held that fear of future identity theft is not sufficient to establish standing.  The First and Fourth Circuits have ruled in differing ways on the issue.

The Court noted that in all the cases in which Court of Appeals had found standing the plaintiffs had alleged either misuse or unauthorized access to their data whereas the plaintiff in Tsao alleged neither.  Because plaintiff hadn’t alleged misuse or access to his credit card information, and had cancelled his credit cards thereby foreclosing the possibility of future fraudulent charges, the Court held that he could not demonstrate that future identity theft was “certainly impending” or a “substantial risk” as required by Supreme Court case law.

Tsao is something of a departure from a recent trend among federal courts that have found standing in retail data breach cases and there are some reasons to believe that the Eleventh Circuit’s ruling may have limited effect.  To begin, a key fact in Tsao is that PDQ’s notice of breach only stated that consumer’s data may have been accessed.  As a result, Plaintiff did not allege actual access or misuse of his data whereas in most data breach cases, plaintiffs do allege access or misuse.  Judge Jordan, in his concurring opinion, suggests that to the extent that standing turns on whether the likelihood of future identity theft is substantial, the issue should not be decided at the motion to dismiss stage.

Moreover, the specific type of breach at issue here – payment card breach – also tends to limit arguments in favor of future identity theft because credit card numbers, unlike social security numbers, passport numbers or other sensitive data, cannot on their own cannot be used to commit identity theft.  Credit card companies also have very sophisticated fraud monitoring, which often leads to prompt cancellation of credit cards before consumers have suffered out of pocket losses that if incurred would otherwise provide a basis for standing. (See, for example, Michaels, SuperValu, and Zappos class actions). It remains to be seen whether Tsao is applicable to financial, healthcare, or other kinds of breaches where courts have found standing based on a fear of future identity theft.

The Eleventh Circuit opinion does not analyze in depth plaintiff’s standing claim based on present injuries – time and incidental cost associated with cancelling his credit cards – which is a standing argument that plaintiffs in other retail data breaches have successfully used.  The Court does not address these rulings, instead dismissing the argument on grounds that plaintiffs cannot “manufacture standing” by incurring costs to protect against future identity theft where the risk is not substantial even though the cancelling of the credit cards is what lessened the risk of future identity theft.

Overall, the Eleventh Circuit’s ruling in Tsao is welcome news for data breach defendants, particularly retail breach defendants. But it is not likely to be the last word on the issue of whether fear of future identity theft is sufficient to establish federal standing.  This is an issue that may ultimately be decided by the Supreme Court.