986 F.3d 1332
11th Cir.2021Background
- PDQ experienced a point-of-sale data breach (May 19, 2017–April 20, 2018) that potentially exposed customers’ cardholder names, card numbers, expiration dates, CVV codes, and debit PIN data.
- Tsao used two cards at PDQ during the breach period; after PDQ’s public notice he canceled those cards and filed a nationwide (and alternative Florida) class action within two weeks.
- The complaint alleged increased risk of identity theft and asserted mitigation-related harms (lost rewards/cashback, time spent cancelling/replacing cards, and restricted access to preferred accounts), plus contract, negligence, unjust enrichment, and FDUTPA claims.
- PDQ moved to dismiss for lack of Article III standing, arguing alleged harms were speculative and any mitigation costs were self-inflicted.
- The district court dismissed without prejudice for lack of standing; the Eleventh Circuit affirmed, holding neither an increased-risk theory nor mitigation expenses (based on non-imminent risk) established a concrete, imminent injury.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Increased risk of identity theft from exposed card data | Tsao: exposure alone creates a substantial, imminent risk of future identity theft | PDQ: speculative; no allegations of actual misuse; exposure alone is insufficient | No standing — risk not certainly impending or a substantial risk; mere breach insufficient |
| Mitigation injuries (lost rewards, time, restricted account access) | Tsao: cancelling cards and related efforts caused present, concrete injuries | PDQ: harms are self-inflicted and cannot be used to manufacture Article III standing | No standing — mitigation costs tied to a non-imminent, insubstantial risk and thus cannot confer standing |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (Sup. Ct.) (concrete-injury requirement; injury must be "real" and not abstract)
- Clapper v. Amnesty Int'l USA, 568 U.S. 398 (Sup. Ct.) (threatened injury must be "certainly impending" or present a "substantial risk")
- Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir.) (en banc) (rejected standing based on elevated risk and on self-inflicted mitigation costs)
- Lujan v. Defs. of Wildlife, 504 U.S. 555 (Sup. Ct.) (standing elements framework)
- In re SuperValu, Inc., 870 F.3d 763 (8th Cir.) (compromised card data alone did not create substantial risk of identity theft)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir.) (contrasting authority recognizing standing where some misuse/fraud was alleged)
- Beck v. McDonald, 848 F.3d 262 (4th Cir.) (rejected increased-risk and mitigation-cost theories absent misuse)
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.) (recognized standing where some concrete misuse or attempted misuse occurred)