The Matrix

Eleventh Circuit Joins Courts That Have Declined to Find Standing Based on Alleged Substantial Risk of Identity Theft Resulting From a Data Breach

In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the federal appellate courts holding that a consumer’s exposure to a substantial risk of future identity theft, and efforts to mitigate the risk of future identity theft, are not sufficient to confer Article III standing. The decision highlights federal courts’ struggle with the standing requirements in data breach cases, and possibly raises the likelihood that the U.S. Supreme Court will address the issue.

The Tsao case involved a restaurant that had its point of sale system exploited by a hacker. The hacker gained access to customer names and credit and debit card information. The plaintiff made two purchases at the restaurant during the time that the restaurant was compromised, and he asserted in his lawsuit that his personal information may have been accessed by hackers.

The restaurant moved to dismiss the complaint by arguing, among other things, that the plaintiff lacked Article III standing, and the district court granted the motion to dismiss for lack of standing. The court noted that although the plaintiff claimed that his private data was “compromised” and “exposed” to criminals, he did not allege that his credit cards were used in any way by a third party or that his identity was stolen. Nor did the plaintiff identify “a single specific, concrete injury in fact that he or anyone else [] suffered as a result of any misuse of customer credit card information.” The court found that the plaintiff’s conclusory allegations of harm were speculative at best, and the mere evidence of a data breach, without more, was insufficient to satisfy injury in fact under Article III standing.

The Eleventh Circuit affirmed the district court’s dismissal for lack of standing. On appeal, the plaintiff focused on two general theories of standing. First, he claimed that he could suffer future injury from misuse of personal information disclosed during the cyber-attack (though he had not yet), and that this risk of misuse alone was enough to satisfy the standing argument. The appellate court noted that the circuits are divided on whether a substantial risk of identity theft or other harm in the future as a result of a data breach may confer standing. Persuaded by information contained in a June 2007 United States Government Accountability Office report on data breaches, the court opined that the card information allegedly accessed by the hackers here generally could not be used alone to open unauthorized new accounts, and that most data breaches have not resulted in detected incidents of fraud on existing accounts. The court also noted that the plaintiff only offered “vague, conclusory allegations that members of the class [had] suffered any actual misuse of their personal data” but that “conclusory allegations of injury are not enough to [confer] standing.” The court therefore found that the plaintiff’s allegations did not support the conclusion that the breach presented a “substantial risk” of future identity theft or that identity theft was “certainly impending.”

The court also rejected the plaintiff’s additional claim that he suffered actual, present injuries in his efforts to mitigate the risk of identity theft caused by the data breach. Specifically, the plaintiff asserted that he had notified his card issuers and proactively took steps to mitigate the damage. However, the court found that the mitigation costs that the plaintiff alleged were inextricably tied to his perception of the actual risk of identity theft following the data breach. The court found that the plaintiff could not “conjure standing here by inflicting injuries on himself [to] avoid an insubstantial, non-imminent risk of identity theft.”
