Tsao vs. Captiva: “Risk of Identity Theft” Theory Rejected
The Eleventh Circuit weighed in on an issue of whether damage is caused by a security breach when victims don’t suffer financial fraud immediately.
According to Bilzin Sumberg attorney Kelly Ruane Melchiondo, in order for a plaintiff to sue in a federal court, he must affirm an injury that the court is capable of remediating, rather than just issuing an advisory opinion and a connection between the defendant’s conduct and the actual injury. This principle is known as standing, and it basically means that a plaintiff has to have an actual and imminent, not theoretical, injury.
On February 4th, 2021, following a security breach that exposed his credit card information, restaurant owner Tan Tsao filed a lawsuit on behalf of a presumed class of customers of PQD, a group of American fast dining restaurants owned by Captiva MVP Restaurant Partners. The data breach notice on the restaurant’s website informed customers who have been at the restaurant between May 19th 2017 – April 20th 2018 that their personal information may have been exposed.
When Tsao found out about the breach, he promptly canceled his credit cards although there wasn’t any evidence that his credit card number had been stolen or illegally used. Tsao sued the restaurant on behalf of a class of customers, claiming “negligence and deceptive and unfair conduct” under Florida’s Deceptive and Unfair Trade Practices Statute.
In his appeal, Tsao solicited damages in the form of the loss of the use of his credit card, his credit card reward points, and the time and costs associated with canceling his card and protecting himself against future identity theft.
In spite of everything, the trial court dismissed the lawsuit arguing that the plaintiff’s allegations were conclusory of the increased risk of data theft since he couldn’t identify any instances of misuse of his data. Also, it was noted that the prompt cancellation of his credit cards eliminated the risk of future credit card fraud. The court also rejected the plaintiff’s claim that his time and effort spent to cancel the credit card was sufficient to confer standing, affirming that the plaintiff had “inflict[ed] injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.”
To put it simply, the Eleventh Circuit sustained that a plaintiff claiming a threat of possible identity theft or other harm doesn’t qualify for the standings of Article III of the United States Constitution unless the putative damage is either certainly imminent or there is a solid risk of such damage taking place.
What we can definitely learn from Tsao’s lawsuit is that security breaches are happening, despite all our efforts to prevent them. As a result, in the event the need arises, organizations and individuals alike must brace themselves to aggressively defend security breach class action lawsuits.