I TAN TSAO, individually and on behalf of all others similarly situated v. CAPTIVA MVP RESTAURANT PARTNERS, LLC, A Florida Limited Liability Company doing business as PDQ
No. 18-14959
United States Court of Appeals, Eleventh Circuit
February 4, 2021
D.C. Docket No. 8:18-cv-01606-WFJ-SPF
Appeal from the United States District Court for the Middle District of Florida
Before JORDAN, TJOFLAT, and TRAXLER,* Circuit Judges.
TJOFLAT, Circuit Judge:
* The Honorable William B. Traxler, Senior United States Circuit Judge for the Fourth Circuit, sitting by designation.
I.
PDQ is a group of fast casual restaurants that sells chicken tenders, chicken nuggets, salads, and sandwiches. Like most restaurants today, PDQ accepts payment through a point of sale system where customers can insert credit or debit cards to pay for their meal. When customers pay with a debit or credit card, PDQ collects some data from the cards, including the cardholder’s name, the account number, the card’s expiration date, the card verification value code (“CVV”), and PIN data for debit cards. PDQ then stores this data in its point of sale system and transmits the information to a third party for processing and for completion of the payment.
In October 2017—during the data breach period—plaintiff Tsao made at least two food purchases at a PDQ restaurant in Pinellas, Florida, using two different cards. On October 8, he paid with a Wells Fargo Home Rebate card, and on October 31, he paid with a Chase Sapphire Reserve card. Both of these cards offer Tsao the ability to accrue points or rebates by making certain types of purchases—gas, dining, groceries, and travel, just to name a few. The Chase card also requires Tsao to pay an annual fee of $450.00. Because Tsao made purchases at PDQ during the breach period, the credit card data from these cards may have
Less than two weeks after PDQ’s announcement of the cyber-attack, Tsao filed a class action complaint (the “Complaint”) in the Middle District of Florida on behalf of a nationwide class, or alternatively, a separate Florida class. The Complaint lists a variety of injuries that PDQ customers allegedly suffered as a result of the cyber-attack, including “theft of their personal financial information,” “unauthorized charges on their debit and credit card accounts,” and “ascertainable losses in the form of the loss of cash back or other benefits.” Tsao asserts that he and the class members “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.” The Complaint also includes some general information from the Federal Trade Commission and Government Accountability Office about the risks associated with cyber-attacks and lists a few noteworthy data breaches involving the restaurant industry.
Based on these alleged injuries, the Complaint claims that PDQ (1) breached an implied contract by failing to safeguard customers’ credit card data (Count I); (2) was negligent in failing to provide adequate security for the credit card data
PDQ moved to dismiss the Complaint on August 28, 2018. PDQ argued that the Complaint failed to state a claim under
Tsao’s response to the motion to dismiss focused heavily on three types of injuries he allegedly suffered in his efforts to mitigate the perceived risk of future identity theft: lost cash back or reward points, lost time spent addressing the problems caused by the cyber-attack, and restricted card access resulting from his credit card cancellations. On the first point—the loss of cash back or reward points—Tsao argued that, because he cancelled his Chase and Wells Fargo cards in anticipation of possible misuse, he temporarily “lost the opportunity to accrue” the rewards connected to those cards. And on the latter two points—lost time and restricted account access—Tsao asserted that he “expended time and effort” to cancel his cards and to deal with the impact of the cyberattack, and since he cancelled the cards, he lost access to his “preferred accounts.” Importantly, however, Tsao did not point to any specific instances in which his—or any other class member’s—identity was stolen, cards were fraudulently charged, or data was misused. Rather, the thrust of Tsao’s response was that he had standing (1)
On November 1, 2018, the District Court dismissed Tsao’s Complaint without prejudice for lack of standing. The Court noted that although Tsao claimed that his private data was “compromised” and “exposed” to criminals, not once did he allege “that his credit cards were used in any way by a thief or that his identity was stolen.” Nor did Tsao identify “a single specific, concrete injury in fact that he or anyone else [] suffered as a result of any misuse of customer credit card information.” These conclusory allegations of harm, the Court found, were speculative at best, and mere “[e]vidence of a data breach, without more, [was] insufficient to satisfy injury in fact under Article III standing.”
This appeal followed. Tsao’s briefing mostly retreads the arguments he made below—that he and the class are at an elevated risk of future identity theft and that he lost cash back and rewards points, time, and account access—in an effort to satisfy Article III’s standing requirement. But after a careful review of the record and with the benefit of oral argument, we affirm the District Court’s dismissal for lack of standing.
II.
Whether plaintiffs have standing to sue is a threshold jurisdictional question that we review de novo. Debernardis v. IQ Formulations, LLC, 942 F.3d 1076, 1083 (11th Cir. 2019). On a facial attack to a complaint for lack of standing, we
III.
Tsao’s arguments focus on two general theories of standing. First, he argues that he could suffer future injury from misuse of the personal information disclosed during the cyber-attack (though he has not yet), and this risk of misuse alone is enough to satisfy the standing requirement. Then, he argues that he has already suffered some “concrete, particularized” mitigation injuries—for example, lost time, lost rewards points, and loss of access to accounts—that are sufficient to confer standing. Below, we reject both of these theories of standing. But before we dive into Tsao’s arguments, an overview of our standing case law is in order.
A.
Under Article III of the Constitution, the jurisdiction of a federal court is limited to “cases” and “controversies.” See Wilding v. DNC Servs. Corp., 941 F.3d 1116, 1124 (11th Cir. 2019). To satisfy the “case” or “controversy” requirement, a plaintiff in a matter must have standing to sue. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1546-47 (2016). And for a plaintiff to have standing, it must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial
Of the three standing elements, Tsao’s allegations implicate only injury. At the pleading stage, “general factual allegations of injury” are enough. Lujan, 504 U.S. at 561. But this does not mean that any allegations of injury can push a plaintiff across the standing threshold. Rather, a plaintiff must set forth general factual allegations that “plausibly and clearly allege a concrete injury,” Thole v. U.S. Bank N.A., 140 S. Ct. 1615, 1621 (2020), and that injury must be “‘actual or imminent, not conjectural or hypothetical,’” Spokeo, Inc., 136 S. Ct. at 1548 (quoting Lujan, 504 U.S. at 560). “[M]ere conclusory statements[] do not suffice.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).
This standing framework raises two questions. First, what is a “concrete” injury? In Spokeo, the United States Supreme Court offered a straightforward definition: “A concrete injury must be de facto; that is, it must actually exist.” Spokeo, Inc., 136 S. Ct. at 1548 (quotations omitted). The Supreme Court noted that, when it uses the term “concrete,” it intends to “convey the usual meaning of
Typically, tangible injuries are “concrete.” See Trichell, 964 F.3d at 997. Tangible injuries can include both straightforward economic injuries, see Debernardis, 942 F.3d at 1084, and more nebulous injuries, like lost time, see Salcedo, 936 F.3d at 1173, or the loss of a “fraction of a vote,” id. at 1167 (quoting SCRAP, 412 U.S. at 689 n.14).
But although many types of injuries may qualify as “concrete,” there is another restriction on standing: “Where a ‘hypothetical future harm’ is not ‘certainly impending,’ plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves.’” Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 931 (11th Cir. 2020) (en banc) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013)).
In Clapper, the United States Supreme Court addressed whether a group of plaintiffs—people in the United States whose work required them to engage in sensitive international communications that may have been the target of surveillance under a federal statute—suffered an injury in fact because “there [wa]s an objectively reasonable likelihood that their communications w[ould] be acquired under [the statute] at some point in the future.” Clapper, 568 U.S. at 401. The Supreme Court found no injury—and thus no standing—because the plaintiffs “merely speculate[d] and ma[de] assumptions about whether their communications with their foreign contacts w[ould] be acquired” under the statute. Id. at 411. Such speculation was not enough: “[T]hreatened injury must be certainly impending to constitute injury in fact, . . . [a]llegations of possible future injury are not sufficient.” Id. at 409 (emphasis in original) (quotations omitted). While this standard does not require a plaintiff to show that it is “literally certain that the harms they identify will come about,” it, at the very least, requires a showing that there is a “substantial risk” that the harm will occur. Id. at 414 n.5.
This Circuit recently discussed Clapper’s “high standard for the risk-of-harm analysis” in the context of speculative allegations of future identity theft.
But before the District Court could hold a fairness hearing on the class settlement, the Supreme Court issued its decision in Spokeo. Id. An objector to the Godiva settlement argued that the District Court was obliged to determine whether, in light of Spokeo, plaintiffs had standing to sue for a statutory violation, but the District Court ignored the issue and approved the settlement. Id. at 923.
This Court, sitting en banc, vacated the District Court’s order approving the settlement and remanded with instructions to dismiss for lack of standing. Id. at 936. We reasoned, in relevant part, that Muransky’s naked allegations that he and the class were exposed to an “elevated risk” of identity theft—but not that he and
From Clapper and Muransky, we can distill two legal principles relevant to Tsao’s claims. First, a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either “certainly impending” or there is a “substantial risk” of such harm. Clapper, 568 U.S. at 409, 414 n.5; Muransky, 979 F.3d at 931. Second, if the hypothetical harm alleged is not “certainly impending,” or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to
B.
We begin with Tsao’s theory that he has Article III standing because he faces a “substantial risk of identity theft, fraud, and other harm in the future as a result of the data breach.” Although this Circuit has not addressed the issue head-on, a number of our sister circuits have, and they are divided. On the one hand, the Sixth, Seventh, Ninth, and D.C. Circuits have all recognized—at the pleading stage—that a plaintiff can establish injury-in-fact based on the increased risk of identity theft. See Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387-89 (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694-95 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 633-34 (7th Cir. 2007). On the other hand, the Second, Third, Fourth, and Eighth Circuits have declined to find standing on that theory. See Beck v. McDonald, 848 F.3d 262, 273-76 (4th Cir. 2017); Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90-91 (2d Cir. 2017); In re SuperValu, Inc., 870 F.3d 763, 770-72
Generally speaking, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to personal data. In Attias, two plaintiffs alleged that they suffered identity theft when their anticipated tax refunds went missing. Attias, 865 F.3d at 626 n.2. In Galaria, plaintiffs alleged that their data was accessed and had “already been stolen” by “ill-intentioned criminals.” Galaria, 663 F. App’x at 388. In Remijas, plaintiffs alleged that personal data had “already been stolen” and that “9,200 cards [] experienced fraudulent charges.” Remijas, 794 F.3d at 692-94. And in Krottner, at least one plaintiff alleged that someone “attempted to open a bank account in his name.” Krottner, 628 F.3d at 1142.
Though the Seventh Circuit’s opinion appears to sweep broadly on its face, we are hesitant to read too closely into Pisciotta in light of two considerations. First, Pisciotta is a pre-Clapper decision, and thus it is unclear if the Seventh Circuit would have (or could have) reached the same conclusion with the benefit of the Supreme Court’s opinion. Second, none of the Seventh Circuit data breach cases that followed Pisciotta—including Remijas, 794 F.3d at 693, Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018)—even cite the case, suggesting that Pisciotta should not weigh too heavily in our analysis.
Similarly, in Reilly v. Ceridian Corp.—a pre-Clapper decision—a class of law firm employees brought a putative class action against a payroll processing firm (Ceridian) asserting various claims related to an increased risk of identity theft
The Fourth Circuit has likewise rejected the “increased risk of future identity theft” theory in the context of a data breach. In Beck v. McDonald, a class of veterans who received medical treatment and health care at a South Carolina Veterans Affairs Medical Center brought actions alleging violations of various federal statutes following two data breaches at the Medical Center. Beck, 848 F.3d at 266. The plaintiffs sought to establish Article III standing based on (1) the harm
And notably, the Eighth Circuit in In re SuperValu, Inc. found no standing on an “increased risk of future identity theft” theory, even when a named plaintiff alleged actual misuse of personal information. 870 F.3d at 769-71. There, a class of grocery store customers filed suit against SuperValu and other grocery store owner-operators following two data breaches in which the customers’ financial
We are persuaded by the reasoning of the Eighth Circuit in SuperValu, and the facts of that case map closely to the facts of this one. Here, as the plaintiffs did in SuperValu, Tsao has alleged that hackers may have accessed and stolen customer credit card data “including the cardholder name, the account number, expiration date, card verification value (‘CVV’), and PIN data for debit cards.” And here, just like the plaintiffs in SuperValu, Tsao cites to the 2007 GAO Report on data breaches in support of his theory that the PDQ hack may result in future identity theft. But we, like the Eighth Circuit in SuperValu, believe the GAO Report actually demonstrates why there is no “substantial risk” of identity theft here. Tsao has not alleged that social security numbers, birth dates, or driver’s license numbers were compromised in the PDQ breach, and the card information allegedly accessed by the PDQ hackers “generally cannot be used alone to open unauthorized new accounts.” GAO Report at 30. So, based on the GAO Report, it
This leaves us with the risk that the hackers, if they accessed and stole Tsao’s credit card information, could make unauthorized purchases with his cards or drain his accounts. But again, the GAO Report suggests that most data breaches have not resulted in detected incidents of fraud on existing accounts. See id. at 21. Indeed, the GAO Report reviewed the 24 largest data breaches between January 2000 and June 2005 and found that only 4 of the 24 breaches (roughly 16.667%) resulted in some form of identity theft, and only 3 resulted in account theft or fraud (12.5%). Id. at 24-25. Given the low rate of account theft, the GAO Report simply does not support the conclusion that the breach here presented a “substantial risk” that Tsao would suffer unauthorized charges on his cards or account draining.
Of course, we recognize that the GAO Report is over a decade old, and it is possible that some breaches may present a greater risk of identity theft than others. But even if we set aside the GAO Report and the reasoning of SuperValu, we remain unconvinced that Tsao has met his burden to show that there is a “substantial risk” of harm, or that such harm is “certainly impending.” Clapper, 568 U.S. at 409, 414 n.5. Three considerations color this conclusion.
Second, Tsao offers only vague, conclusory allegations that members of the class have suffered any actual misuse of their personal data—here, “unauthorized charges.” But again, conclusory allegations of injury are not enough to confer standing. See Iqbal, 556 U.S. at 678. Of course, as our sister Circuits have recognized, evidence of actual misuse is not necessary for a plaintiff to establish standing following a data breach. See, e.g., Beck, 848 F.3d at 275 (stating that district court did not impermissibly require plaintiffs to demonstrate actual misuse). However, without specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was “certainly impending”—or that there was a “substantial risk” of such harm—will be difficult
Third, Tsao immediately cancelled his credit cards following disclosure of the PDQ breach, effectively eliminating the risk of credit card fraud in the future. Of course, even if Tsao’s cards are cancelled, some risk of future harm involving identity theft (for example, the use of Tsao’s name) still exists, but that risk is not substantial and is, at best, speculative.
In short, Tsao has not alleged either that the PDQ data breach placed him at a “substantial risk” of future identity theft or that identity theft was “certainly impending.” Clapper, 568 U.S. at 409, 414 n.5. Evidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing. It follows that Tsao does not have standing here based on an “increased risk” of identity theft.
C.
We turn now to Tsao’s claims that he has suffered actual, present injuries in his efforts to mitigate the risk of identity theft caused by the data breach.
It is well established that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 568 U.S. at 416; see also Muransky, 979 F.3d at 931 (citing Clapper and stating the same). In Muransky, this Court held that a plaintiff’s mitigation costs—there, “additional time destroying or safeguarding his receipt”—were insufficient to confer standing because there was no substantial risk of identity theft. Muransky, 979 F.3d at 931. Although we noted that allegations of “wasted time” could sometimes “state a concrete harm for standing purposes,” we noted that Muransky’s “management-of-risk claim [wa]s bound up with his arguments about actual risk,” id. at 930-31 (quotations and citations omitted). As a result, Muransky’s “assertion of wasted
So too here. The mitigation costs Tsao alleges are inextricably tied to his perception of the actual risk of identity theft following the PDQ data breach. Tsao, by his own admission, voluntarily cancelled his credit cards, and the three types of harm he has identified flowed from that cancellation. By cancelling his cards, he voluntarily forwent the opportunity to accrue cash back or rewards points on those cards. By cancelling his cards, he voluntarily restricted access to his preferred payment cards. And by cancelling his cards, he voluntarily spent time safeguarding his accounts. Tsao cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft. To hold otherwise would allow “an enterprising plaintiff . . . to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Clapper, 568 U.S. at 416. The law does not permit such a result.
IV.
We hold that Tsao lacks Article III standing because he cannot demonstrate that there is a substantial risk of future identity theft—or that identity theft is certainly impending—and because he cannot manufacture standing by incurring
AFFIRMED.
Given our recent decision in Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020) (en banc)—a decision from which I dissented—I concur in the judgment. I note only that the court here, rather than viewing Mr. Tsao’s allegations favorably, necessarily engages in a value-laden and normative inquiry concerning the question of “substantial risk” at the motion-to-dismiss stage. That to me is problematic for a number of reasons, see id. at 964-70 (Jordan, J., dissenting), but Muransky apparently has sanctioned such an analytical approach. Hopefully the Supreme Court will soon grant certiorari in a case presenting the question of Article III standing in a data breach case.
