{"id":523,"date":"2021-03-12T14:34:07","date_gmt":"2021-03-12T14:34:07","guid":{"rendered":"https:\/\/www.tsfactory.com\/forums\/?p=523"},"modified":"2021-03-12T14:34:07","modified_gmt":"2021-03-12T14:34:07","slug":"tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm","status":"publish","type":"post","link":"https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/","title":{"rendered":"Tsao vs. Captiva \u2013 How a US data breach court case could have major impact on the legal definition of \u2018harm\u2019"},"content":{"rendered":"<h3>What is Article III standing?<\/h3>\n<p>In legal parlance, \u2018standing\u2019 is the legal right for an individual to bring a claim in court.<\/p>\n<p>\u2018Article III standing\u2019 refers to the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Case_or_controversy\" target=\"_blank\" rel=\"nofollow noopener\">Case or Controversy Clause<\/a> of the US Constitution (located in Article III, Section 2, Clause 1), which is the basis for many important court decisions addressing standing.<\/p>\n<p>To establish Article III standing, a plaintiff must establish three core elements: an injury-in-fact, causation, and a likelihood that the injury will be redressed by a favorable decision.<\/p>\n<p>Where a plaintiff seeks to establish an injury-in-fact based on an imminent injury, that threatened harm must be \u201ccertainly impending\u201d. At the very least, this requires showing that there is a \u201csubstantial risk\u201d that the harm will occur.<\/p>\n<h3>Tsao vs. 
Captiva<\/h3>\n<p>The <i>Tsao<\/i> case (WL 381948; 11th Circuit; February 4, 2021) arose out of a security incident suffered by PDQ, a group of American fast dining restaurants owned by Captiva MVP Restaurant Partners.<\/p>\n<p>Less than two weeks after PDQ posted its notice to consumers that it had been the target of a <a href=\"https:\/\/portswigger.net\/daily-swig\/cyber-attacks\" target=\"_blank\" rel=\"noopener\">cyber-attack<\/a> involving its point-of-sale system, the plaintiff, I Tan Tsao, filed suit to recover damages stemming from the breach.<\/p>\n<p>Tsao argued that he had been harmed, and thus had standing, due to an elevated risk of <a href=\"https:\/\/portswigger.net\/daily-swig\/privacy\" target=\"_blank\" rel=\"noopener\">identity theft<\/a> or, alternatively, because he took proactive steps to mitigate the risk of identity theft.<\/p>\n<h3>The Eleventh Circuit\u2019s opinion<\/h3>\n<p>On appeal, the Eleventh Circuit rejected both arguments and upheld the district court\u2019s prior dismissal of the suit for lack of Article III standing.<\/p>\n<p>In doing so, the <i>Tsao<\/i> court held that a plaintiff alleging a threat of future identity theft or other harm lacks Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm taking place.<\/p>\n<p>Importantly, to make this showing a plaintiff must present evidence of at least some misuse of class members\u2019 data.<\/p>\n<p>Conversely, evidence of a mere breach \u2013 standing alone \u2013 is insufficient to satisfy the requirements of Article III standing for data breach plaintiffs in the Eleventh Circuit pursuant to <i>Tsao<\/i>.<\/p>\n<p>Taken together, arguments that data breach plaintiffs <i>could<\/i> suffer future injury from misuse of their personal information disclosed during a breach \u2013 but where no actual misuse has occurred \u2013 and the risk of misuse by itself are now foreclosed in the Eleventh Circuit 
pursuant to <i>Tsao<\/i>.<\/p>\n<p>Further, pursuant to <i>Tsao<\/i>, if the future harm alleged is not certainly impending and there is no substantial risk of harm, a plaintiff cannot manufacture standing by inflicting direct harm on himself\/herself to mitigate a perceived risk.<\/p>\n<h3>Implications for data breach class action litigation<\/h3>\n<p>To date, the Sixth, Seventh, Ninth, and DC Circuits have all found an increased risk of future identity theft sufficient to establish Article III standing in data breach class action litigation.<\/p>\n<p>Conversely, the Second, Third, Fourth, and Eighth Circuits have found such allegations fall short of demonstrating a cognizable injury-in-fact in the breach context.<\/p>\n<p>In <i>Tsao<\/i>, the Eleventh Circuit joined the latter camp in holding that an increased risk of future identity theft is alone insufficient to establish standing in data breach litigation.<\/p>\n<p>Source: The Daily Swig<\/p>\n<p><a href=\"https:\/\/portswigger.net\/daily-swig\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\">Read the Full Story Here<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is Article III standing? In legal parlance, \u2018standing\u2019 is the legal right for an individual to bring a claim in court. \u2018Article III standing\u2019 refers to the Case or Controversy Clause of the US Constitution (located in Article III, Section 2, Clause 1), which is the basis for many important court decisions addressing standing. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-523","post","type-post","status-publish","format-standard","hentry","category-news"],"yoast_head_json":{"title":"Tsao vs. Captiva \u2013 How a US data breach court case could have major impact on the legal definition of \u2018harm\u2019 - Community","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/","og_locale":"en_US","og_type":"article","og_title":"Tsao vs. 
Captiva \u2013 How a US data breach court case could have major impact on the legal definition of \u2018harm\u2019 - Community","og_description":"What is Article III standing? In legal parlance, \u2018standing\u2019 is the legal right for an individual to bring a claim in court. \u2018Article III standing\u2019 refers to the Case or Controversy Clause of the US Constitution (located in Article III, Section 2, Clause 1), which is the basis for many important court decisions addressing standing. [&hellip;]","og_url":"https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/","og_site_name":"Community","article_publisher":"https:\/\/www.facebook.com\/TSFactoryLLC\/","article_published_time":"2021-03-12T14:34:07+00:00","author":"Chelsie Wyatt","twitter_card":"summary_large_image","twitter_creator":"@TSFactoryLLC","twitter_site":"@TSFactoryLLC","twitter_misc":{"Written by":"Chelsie Wyatt","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/","url":"https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/","name":"Tsao vs. 
Captiva \u2013 How a US data breach court case could have major impact on the legal definition of \u2018harm\u2019 - Community","isPartOf":{"@id":"https:\/\/www.tsfactory.com\/forums\/#website"},"datePublished":"2021-03-12T14:34:07+00:00","author":{"@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f"},"breadcrumb":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/tsao-vs-captiva-how-a-us-data-breach-court-case-could-have-major-impact-on-the-legal-definition-of-harm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.tsfactory.com\/forums\/"},{"@type":"ListItem","position":2,"name":"Tsao vs. 
Captiva \u2013 How a US data breach court case could have major impact on the legal definition of \u2018harm\u2019"}]},{"@type":"WebSite","@id":"https:\/\/www.tsfactory.com\/forums\/#website","url":"https:\/\/www.tsfactory.com\/forums\/","name":"Community","description":"TSFactory","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.tsfactory.com\/forums\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f","name":"Chelsie Wyatt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","caption":"Chelsie 
Wyatt"},"url":"https:\/\/www.tsfactory.com\/forums\/blog\/author\/chelsie\/"}]}},"_links":{"self":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/comments?post=523"}],"version-history":[{"count":1,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/523\/revisions"}],"predecessor-version":[{"id":524,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/523\/revisions\/524"}],"wp:attachment":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/media?parent=523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/categories?post=523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/tags?post=523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}