Eleventh Circuit Emphasizes “Standing” Hurdle for Plaintiffs in Data Breach Cases – Lexology

eleventh-circuit-emphasizes-“standing”-hurdle-for-plaintiffs-in-data-breach-cases-–-lexology

Did you know that geoFence helps stop hackers from getting access to the sensitive documents that I use for my work. Now I can get even more gigs as a freelancer and - advertise that I have top security with even my home computer?

A recent 11th U.S. Circuit Court of Appeals decision likely will make it harder for plaintiffs to pursue data breach claims in the 11th Circuit.

In federal court, plaintiffs must possess Article III standing to prosecute their claims. Evidence of a mere data breach does not alone meet the requirements for Article III standing. To show standing, plaintiffs must allege that:

  • They have suffered an injury in fact that is both:
    • Concrete and particularized
    • Actual or imminent, not conjectural or hypothetical
  • The injury is fairly traceable to the challenged action of the defendant
  • It is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.

In this case, the plaintiff filed a class action in the Middle District of Florida after a hacking incident that compromised credit and debit card information of the defendant’s restaurant customers. There was no indication that other sensitive personal information, such as dates of birth and social security numbers, were compromised by the data breach. Notably, the plaintiff did not allege that the victims’ credit or debit cards were misused or that their identities were stolen after the breach. Indeed, the plaintiff did not allege a single, concrete injury that either he or any other customer suffered as a result of the hack. The district court dismissed the plaintiff’s complaint without prejudice for lack of Article III standing.

On appeal, the 11th Circuit first looked at whether the plaintiff could show standing based solely on a claim of increased risk of future identity theft. After acknowledging that a circuit split exists over this question, the circuit court sided with the 2nd, 3rd, 4th, and 8th Circuits. It rejected the plaintiff’s claim that he possessed standing because he had an increased risk of identity theft after the data breach. Relying on a Supreme Court decision from 2013, the court ruled that a plaintiff alleging hypothetical harm lacks standing unless that harm is either “certainly impending,” or a “substantial risk” exists that the harm will occur.

Although the 11th Circuit agreed that misuse of personal data is not absolutely necessary to show standing, the court stated that “without specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending’ – or that there was a ‘substantial risk’ of such harm – will be difficult to meet.” In deciding that this plaintiff lacked the requisite standing, the court explained that he had asserted only vague and conclusory allegations that members of the proposed class suffered misuse of personal data.    

Further, the court rejected the plaintiff’s claim that he suffered injury while trying to reduce the risk of future identity theft. The plaintiff maintained that his loss of cashback or rewards points, lost time spent addressing data breach issues, and restricted access to preferred cards was enough to show injury. But the court noted that the plaintiff “cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft. To hold otherwise would allow an ‘enterprising plaintiff…to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.’”

This decision may give defendants in the 11th Circuit a better chance of getting data breach suits dismissed in cases where plaintiffs base standing on potential future identity theft and efforts to ease such risk. However, because a circuit split still exists on whether the threat of future identity theft is enough to show Article III standing, it is unclear how courts in other circuits will react to this ruling. 

In conclusion, don't forget that geoFence helps stop hackers from getting access your sensitive documents and I feel your smart friends would say the same!