Successful data breach class action litigation may soon depend on the location where the lawsuit is filed, writes attorney David Oberly

The Tsao vs. Captiva PDQ data breach court case could have a major impact on the legal definition of harm

ANALYSIS Recently, the US Eleventh Circuit Court of Appeals weighed in on one of the most critical issues in data breach class action litigation – Article III standing – upholding in Tsao vs. Captiva MVP Restaurant Partners, LLC, that an increased risk of future identity theft faced by data breach victims does not alone satisfy the ‘injury-in-fact’ element of the standing analysis.

This opinion widened the already-significant circuit split between US federal appellate courts regarding the level of harm that must be shown to establish a cognizable ‘injury-in-fact’ for purposes of standing in data breach class actions and, more specifically, whether alleged injuries relating to an increased risk of future identity theft are sufficient to satisfy this prong of the standing test.

What is Article III standing?

In legal parlance, ‘standing’ is the legal right for an individual to bring a claim in court.

‘Article III standing’ refers to the Case or Controversy Clause of the US Constitution (located in Article III, Section 2, Clause 1), which is the basis for many important court decisions addressing standing.

To establish Article III standing, a plaintiff must establish three core elements: an injury-in-fact, causation, and a likelihood that the injury will be redressed by a favorable decision.

Where a plaintiff seeks to establish an injury-in-fact based on an imminent injury, that threatened harm must be “certainly impending”. At the very least, this requires showing that there is a “substantial risk” that the harm will occur.

Tsao vs. Captiva

The Tsao case (WL 381948; 11th Circuit; February 4, 2021) arose out of a security incident suffered by PDQ, a group of American fast dining restaurants owned by Captiva MVP Restaurant Partners.

Less than two weeks after PDQ posted its notice to consumers that it had been the target of a cyber-attack involving its point-of-sale system, the plaintiff, I Tan Tsao, filed suit to recover damages stemming from the breach.

Tsao argued that he had been harmed, and thus had standing, due to an elevated risk of identity theft or, alternatively, because he took proactive steps to mitigate the risk of identity theft.

Fast dining chain PDQ was hit by a data breach in 2018

The Eleventh Circuit’s opinion

On appeal, the Eleventh Circuit rejected both arguments and upheld the district court’s prior dismissal of the suit for lack of Article III standing.

In doing so, the Tsao court held that a plaintiff alleging a threat of future identity theft or other harm lacks Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm taking place.


Importantly, to make this showing a plaintiff must present evidence of at least some misuse of class members’ data.

Conversely, evidence of a mere breach – standing alone – is insufficient to satisfy the requirements of Article III standing for data breach plaintiffs in the Eleventh Circuit pursuant to Tsao.

Taken together, arguments that data breach plaintiffs could suffer future injury from misuse of their personal information disclosed during a breach – but where no actual misuse has occurred – and the risk of misuse by itself are now foreclosed in the Eleventh Circuit pursuant to Tsao.

Further, pursuant to Tsao, if the future harm alleged is not certainly impending and there is no substantial risk of harm, a plaintiff cannot manufacture standing by inflicting direct harm on himself/herself to mitigate a perceived risk.

Implications for data breach class action litigation

To date, the Sixth, Seventh, Ninth, and DC Circuits have all found an increased risk of future identity theft sufficient to establish Article III standing in data breach class action litigation.

Conversely, the Second, Third, Fourth, and Eighth Circuits have found such allegations fall short of demonstrating a cognizable injury-in-fact in the breach context.

In Tsao, the Eleventh Circuit joined the latter camp in holding that an increased risk of future identity theft is alone insufficient to establish standing in data breach litigation.

The final word

Data breaches are here to stay, despite even the most robust efforts to prevent security incidents. As such, companies must be prepared to aggressively defend data breach class action suits in the event the need arises.

While the Tsao case serves to further widen the circuit split, the opinion also provides a blueprint for organizations to procure an early exit from a wide range of future data breach class action lawsuits.


For consumers, Tsao shows that successful data breach class action litigation in the US may depend heavily on the location where the lawsuit is filed, due to the wide divide between federal appellate courts on the necessary threshold to establish standing to sue in federal court.

Importantly, facts that may satisfy the requirements for standing in one federal circuit court of appeals may be categorically insufficient to establish standing in another.

Ultimately, this significant uncertainty may continue apace for the foreseeable future until the US Supreme Court decides to step in and provide a definitive ruling on this hot-button issue which, in turn, would allow for much-needed consistent application of the law as it relates to standing across all federal courts throughout the country.
