Tsao vs. Captiva: “Risk of Identity Theft” Theory Rejected

The Eleventh Circuit weighed in on an issue of whether damage is caused by a security breach when victims don’t suffer financial fraud immediately.

LAST UPDATED ON MARCH 12, 2021
QUICK READ
3 min
Let's get started!
CEZARINA
DINU
HEAD OF MARKETING COMMUNICATIONS & PR

According to Bilzin Sumberg attorney Kelly Ruane Melchiondo, in order for a plaintiff to sue in a federal court, he must affirm an injury that the court is capable of remediating, rather than just issuing an advisory opinion and a connection between the defendant’s conduct and the actual injury. This principle is known as standing, and it basically means that a plaintiff has to have an actual and imminent, not theoretical, injury.

Context

On February 4th, 2021, following a security breach that exposed his credit card information, restaurant owner Tan Tsao filed a lawsuit on behalf of a presumed class of customers of PQD, a group of American fast dining restaurants owned by Captiva MVP Restaurant Partners. The data breach notice on the restaurant’s website informed customers who have been at the restaurant between May 19th 2017 – April 20th 2018 that their personal information may have been exposed.

Source

[a]ll PDQ locations in operation between May 19, 2017, and April 20, 2018, were affected by the attack, and the notice listed the customers’ personal information that “may have been accessed”: cardholder names, credit card numbers, card expiration dates, and CVVs.Case 8:18-cv-01606-WFJ-SPF, Tsao vs. Captiva

The Plaint

When Tsao found out about the breach, he promptly canceled his credit cards although there wasn’t any evidence that his credit card number had been stolen or illegally used. Tsao sued the restaurant on behalf of a class of customers, claiming “negligence and deceptive and unfair conduct” under Florida’s Deceptive and Unfair Trade Practices Statute.

PDQ (1) breached an implied contract by failing to safeguard customers’ credit card data (Count I); (2) was negligent in failing to provide adequate security for the credit card data (Count II); (3) was per se negligent because PDQ violated Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), which prohibits unfair practices that affect commerce (Count III); (4) was unjustly enriched when it received payments from the customers but failed to provide those customers with adequate data security (Count IV); and (5) violated the Florida Unfair and Deceptive Trade Practices Act by failing to, among other things, maintain “adequate . . . data security practices” (Count VI).Case 8:18-cv-01606-WFJ-SPF, Tsao vs. Captiva

In his appeal, Tsao solicited damages in the form of the loss of the use of his credit card, his credit card reward points, and the time and costs associated with canceling his card and protecting himself against future identity theft.

The Verdict

In spite of everything, the trial court dismissed the lawsuit arguing that the plaintiff’s allegations were conclusory of the increased risk of data theft since he couldn’t identify any instances of misuse of his data. Also, it was noted that the prompt cancellation of his credit cards eliminated the risk of future credit card fraud. The court also rejected the plaintiff’s claim that his time and effort spent to cancel the credit card was sufficient to confer standing, affirming that the plaintiff had “inflict[ed] injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.”

Tsao, by his own admission, voluntarily cancelled his credit cards, and the three types of harm he has identified flowed from that cancellation. By cancelling his cards, he voluntarily forwent the opportunity to accrue cash back or rewards points on those cards. By cancelling his cards, he voluntarily restricted access to his preferred payment cards. And by cancelling his cards, he voluntarily spent time safeguarding his accounts. Tsao cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.Case 8:18-cv-01606-WFJ-SPF, Tsao vs. Captiva

To put it simply, the Eleventh Circuit sustained that a plaintiff claiming a threat of possible identity theft or other harm doesn’t qualify for the standings of Article III of the United States Constitution unless the putative damage is either certainly imminent or there is a solid risk of such damage taking place.

What we can definitely learn from Tsao’s lawsuit is that security breaches are happening, despite all our efforts to prevent them. As a result, in the event the need arises, organizations and individuals alike must brace themselves to aggressively defend security breach class action lawsuits.

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP