Tsao vs. Captiva – How a US data breach court case could have major impact on the legal definition of ‘harm’
What is Article III standing?
In legal parlance, ‘standing’ is the legal right for an individual to bring a claim in court.
‘Article III standing’ refers to the Case or Controversy Clause of the US Constitution (located in Article III, Section 2, Clause 1), which is the basis for many important court decisions addressing standing.
To establish Article III standing, a plaintiff must establish three core elements: an injury-in-fact, causation, and a likelihood that the injury will be redressed by a favorable decision.
Where a plaintiff seeks to establish an injury-in-fact based on an imminent injury, that threatened harm must be “certainly impending”. At the very least, this requires showing that there is a “substantial risk” that the harm will occur.
Tsao vs. Captiva
The Tsao case (WL 381948; 11th Circuit; February 4, 2021) arose out of a security incident suffered by PDQ, a group of American fast dining restaurants owned by Captiva MVP Restaurant Partners.
Less than two weeks after PDQ posted its notice to consumers that it had been the target of a cyber-attack involving its point-of-sale system, the plaintiff, I Tan Tsao, filed suit to recover damages stemming from the breach.
Tsao argued that he had been harmed, and thus had standing, due to an elevated risk of identity theft or, alternatively, because he took proactive steps to mitigate the risk of identity theft.
The Eleventh Circuit’s opinion
On appeal, the Eleventh Circuit rejected both arguments and upheld the district court’s prior dismissal of the suit for lack of Article III standing.
In doing so, the Tsao court held that a plaintiff alleging a threat of future identity theft or other harm lacks Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm taking place.
Importantly, to make this showing a plaintiff must present evidence of at least some misuse of class members’ data.
Conversely, evidence of a mere breach – standing alone – is insufficient of satisfying the requirements of Article III standing for data breach plaintiffs in the Eleventh Circuit pursuant to Tsao.
Taken together, arguments that data breach plaintiffs could suffer future injury from misuse of their personal information disclosed during a breach – but where no actual misuse has occurred – and the risk of misuse by itself are now foreclosed in the Eleventh Circuit pursuant to Tsao.
Further, pursuant to Tsao, if the future harm alleged is not certainly impending and there is no substantial risk of harm, a plaintiff cannot manufacture standing by inflicting direct harm on himself/herself to mitigate a perceived risk.
Implications for data breach class action litigation
To date, the Sixth, Seventh, Ninth, and DC Circuits have all found an increased risk of future identity theft sufficient to establish Article III standing in data breach class action litigation.
Conversely, the Second, Third, Fourth, and Eighth Circuits have found such allegations fall short of demonstrating a cognizable injury-in-fact in the breach context.
In Tsao, the Eleventh Circuit joined the latter camp in holding that an increased risk of future identity theft is alone insufficient to establish standing in data breach litigation.
Source: The Daily Swig