Lawyer Commentary | JD Supra | United States

Standing on Thin Ice? New Guidance on Standing for Data Breach Claims


Who has standing to bring claims for alleged statutory violations of privacy and cybersecurity statutes? There is no easy answer to this question. In Spokeo, Inc. v. Robins, the Supreme Court explained that just because a statute grants a plaintiff the right to sue under that statute, that does not necessarily mean the plaintiff has standing to bring that claim.1 Instead, since Spokeo, the federal district courts and courts of appeals have grappled with what sets of alleged facts are sufficient to confer standing. In the data breach context, the question is even more difficult to answer due to the wide-ranging risks and injuries associated with a data breach.

This QuickStudy will address two related developments in the analysis of Article III standing in data breach cases. First, we discuss the newly adopted standard for analysis in the Eleventh Circuit at the inception of a data breach case. Second, we examine a pending Supreme Court case that will determine whether Article III or Rule 23 permits certification of a damages class when most of the prospective class members have suffered no injury.

Who is “Injured” by a Data Breach?

Shortly after a data breach, the extent of harm done is often unknown. Whether and to what degree individuals may be harmed in the future as a result of the breach is difficult to predict. The eventual impact of the data breach depends upon (1) the amount, categories, and sensitivity of information collected, (2) the breached entity’s ability to limit or rehabilitate the disclosed information, as well as (3) the sophistication and intentions of the hacking entity. Rather than identifying traditionally “tangible” injuries, plaintiffs in data breach lawsuits often point to an increased risk of future harm (such as the fear of identity theft and addressing fraudulent transactions). So, in the data breach context, the question posed for the courts of appeals is what “risk” of possible future injury is enough to establish Article III standing? In February 2021, the Eleventh Circuit offered its opinion on this question.2

Tsao v. Captiva MVP Rest. Partners, LLC (11th Cir. 2021).

In Tsao v. Captiva MVP Rest. Partners, LLC, a restaurant customer brought a class action complaint asserting a number of claims3 against the restaurant “PDQ” following a data breach of PDQ’s point of sale system. Plaintiff’s class action complaint alleged that the hacker’s breach of the point of sale system resulted in numerous alleged injuries to the putative class. These alleged injuries were divided into two separate categories. Injuries the plaintiff had already suffered can be thought of as “Category 1” injuries. Injuries the plaintiff might suffer in the future, and the existing risk that those injuries might be realized, can be thought of as “Category 2” injuries.

The bulk of the Eleventh Circuit’s opinion deals with plaintiff’s theory of standing based on Category 2—the “elevated risk” of injury. However, the court’s framing of the alleged injuries in two separate categories provides insight as to how courts of appeals are analyzing plaintiffs’ factual allegations in support of standing in the data breach context.4 The Eleventh Circuit ultimately denied both standing theories, but for different reasons.

Category 1 — Injury he already suffered: “[M]itigation injuries—for example, lost time, lost rewards points, and loss of access to accounts . . . .”5

As to alleged injuries already suffered, the Eleventh Circuit quickly dismissed arguments regarding injury based on plaintiff’s mitigation efforts. The court concluded “[t]he mitigation costs [plaintiff] alleges are inextricably tied to his perception of the actual risk of identity theft . . . .” Plaintiff voluntarily cancelled his own credit cards, and “[plaintiff] cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.”6

Category 2 — Injuries he might suffer: “[H]e could suffer future injury from misuse of the personal information disclosed during the cyber-attack (though he has not yet) . . . .”7

The Eleventh Circuit began its substantive analysis of standing under the theory of “substantial risk of identity theft” and “increased risk of identity theft” by outlining the current state of the circuit split for standing in the data breach context. “Although this Circuit has not addressed the issue head-on, a number of our sister circuits have, and they are divided[:]”

Plaintiff Can Establish Standing Based on Increased Risk: Sixth Circuit; Seventh Circuit; Ninth Circuit; D.C. Circuit

Plaintiff Cannot Establish Standing Based on Increased Risk: Second Circuit; Third Circuit; Fourth Circuit; Eighth Circuit8

At a high level, the Eleventh Circuit attempted to reconcile the split by noting “the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to...
