The Eleventh Circuit affirmed a district court’s dismissal for lack of standing in a data incident case. The majority opinion, written by Senior Judge Gerald Bard Tjoflat and joined by Judge Adalberto Jordan and Senior Fourth Circuit Judge William Traxler sitting by designation, highlighted the disagreement among federal appellate courts about the type of harm that will support Article III standing in a data incident case. The court’s thorough caselaw review — occupying eight of the opinion’s 26 pages — lays the groundwork for Supreme Court review and is a not-so-subtle invitation for the justices to weigh in.

PDQ (short for “People Dedicated to Quality”) is a casual restaurant chain with nearly 50 locations across Florida. Between May 2017 and April 2018, a hacker accessed its point of sale system and gained access to customers’ personal data, including credit and debit card information. See Tsao v. Captiva MVP Rest. Partners, LLC, No. 18-14959, slip op. at 2–3 (11th Cir. Feb. 4, 2021). The purported class action was filed in July 2018 by I Tan Tsao, who twice patronized a Pinellas, Florida PDQ restaurant in October 2017, paying with a different credit card each time. Tsao brought a variety of claims under federal and Florida law, alleging that the data incident placed him “at an imminent, immediate, and continuing increased risk of harm from identity theft.” Id. at 4. At the motion to dismiss stage, he added allegations of present harm due to “lost cash back or reward points, lost time spent addressing the problems caused by the cyber-attack, and restricted card access resulting from his credit card cancellations.” Id. at 6. In November 2018, the district court dismissed all his claims without prejudice due to lack of standing. Id. at 7.

On appeal, the Eleventh Circuit panel likewise rejected Tsao’s Article III standing arguments. Noting that Tsao had not “alleged that social security numbers, birth dates, or driver’s license numbers were compromised,” the court ruled that both the threat that Tsao’s personal information may be misused in the future and his alleged present injuries (e.g., lost cash back or reward points) were wanting. Id. at 8.

Tsao’s appeal was likely dead on arrival given the Eleventh Circuit’s recent decision in Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020) (en banc), which we reported on here and here. In Muransky, the en banc court held that Article III standing cannot be based on “a ‘hypothetical future harm’ [that] is not ‘certainly impending[.]’” Id. at 931 (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013)). Additionally, plaintiffs “cannot manufacture standing merely by inflicting harm on themselves.” Id.

The first issue — whether a “substantial risk of identity theft, fraud, and other harm in the future as a result of the data breach” supports a plaintiff’s standing — commands the lion’s share of the court’s analysis. In answering “no,” the court acknowledges that its holding conflicts with the Sixth, Seventh, Ninth and D.C. circuits, which have all found Article III standing in similar scenarios at the pleading stage. Tsao, slip op. at 14. As in Muransky, the Eleventh Circuit joined the Second, Third, Fourth, and Eighth circuits and held the opposite — that, even at the pleading stage, allegations of future harm are insufficient. Here, it is telling that the court presents the circuit split in the opinion’s heart rather than a prefatory background section.

Next, the court brushes off Tsao’s allegations of present injuries he suffered after canceling his credit cards. Tsao’s allegations of lost reward points, costs, and time associated with canceling and replacing his credit cards and restricted access to his preferred payment cards constitute self-inflicted injury, precisely the sort of “manufacturing” that Clapper and Muransky prohibit. Id. at 25–26. In other words, Tsao must allege an injury caused by the data incident rather than one caused by actions he took following it.

In a brief concurring opinion, Judge Jordan clarified that he joined the majority only because Muransky compelled him to, candidly revealing his hope that “the Supreme Court will soon grant certiorari in a case presenting the question of Article III standing in a data breach case.” He references his Muransky dissent, which emphasized the timing of the district court’s decision. In his eyes, Tsao’s allegation of “increased risk of a real harm — identity theft” — is “a general factual contention subject to proof or disproof with evidence at later stages of litigation.” Muransky, 979 F.3d at 964 (Jordan, J. dissenting). Judge Jordan sees the majority opinion as “a value-laden and normative inquiry,” Tsao, slip op. at 28 (Jordan, J. concurring), that defies “the procedural principle that an allegation need only be plausible at the pleading stage,” Muransky, 979 F.3d at 965 (Jordan, J. dissenting). His plea for Supreme Court guidance may gain urgency later this year, depending on the outcome of TransUnion LLC v. Ramirez, No. 20-297, an FCRA class standing case set for oral argument on March 30. Troutman’s reporting on Ramirez can be found here and here.

Regardless of the outcome on standing, we will continue to see these issues play out in other contexts. Indeed, courts have recognized that more is required to plead damages as an element of a substantive claim than is required to plead injury for Article III standing purposes. See, e.g., Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010) (although Article III standing is satisfied due to a risk of future identity theft, negligence claims are dismissed because “[t]he mere danger of future harm, unaccompanied by present damage, will not support a negligence action.”); Attias v. CareFirst, Inc., 365 F. Supp. 3d 1 (D.D.C. 2019) (allegations sufficient to demonstrate Article III standing were insufficient to establish damages element). In short, even if a plaintiff can allege facts sufficient to establish Article III standing, he must still demonstrate specific damages giving rise to a cognizable tort, contract, or statutory claim. We will continue to monitor not only the standing issues, but also the interaction between standing and proof of damages in data incident cases.

The appeal is Tsao v. Captiva MVP Rest. Partners, LLC, No. 18-14959 (11th Cir.). The district court case is Tsao v. Captiva MVP Rest. Partners, LLC, No. 8:18-cv-01606-WFJ (M.D. Fla.).