USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 1 of 28
[PUBLISH]
IN THE UNITED STATES COURT OF APPEALS
FOR THE ELEVENTH CIRCUIT ________________________
No. 18-14959 ________________________
D.C. Docket No. 8:18-cv-01606-WFJ-SPF
I TAN TSAO, individually and on behalf of all others similarly situated,
Plaintiff-Appellant,
versus
CAPTIVA MVP RESTAURANT PARTNERS, LLC, A Florida Limited Liability Company doing business as PDQ,
Defendant-Appellee. _______________________
Appeal from the United States District Court for the Middle District of Florida _______________________
(February 4, 2021)
Before JORDAN, TJOFLAT, and TRAXLER,* Circuit Judges.
TJOFLAT, Circuit Judge:
* The Honorable William B. Traxler, Senior United States Circuit Judge for the Fourth Circuit, sitting by designation. USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 2 of 28
I Tan Tsao seeks to bring a number of claims against PDQ—a restaurant he
patroned—following a data breach that exposed PDQ customers’ personal
financial information. Tsao’s appeal presents two questions. First, did Tsao have
standing to sue based on the theory that he and a proposed class of PDQ customers
are now exposed to a substantial risk of future identity theft, even though neither
Tsao nor the class members have suffered any misuse of their information?
Second, and alternatively, were Tsao’s efforts to mitigate the risk of future identity
theft a present, concrete injury sufficient to confer standing? For both questions,
we conclude the answer is no, and we accordingly affirm the District Court’s order
dismissing the case without prejudice.
I.
PDQ is a group of fast casual restaurants that sells chicken tenders, chicken
nuggets, salads, and sandwiches. Like most restaurants today, PDQ accepts
payment through a point of sale system where customers can insert credit or debit
cards to pay for their meal. When customers pay with a debit or credit card, PDQ
collects some data from the cards, including the cardholder’s name, the account
number, the card’s expiration date, the card verification value code (“CVV”), and
PIN data for debit cards. PDQ then stores this data in its point of sale system and
transmits the information to a third party for processing and for completion of the
payment.
2 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 3 of 28
Beginning on May 19, 2017, a hacker exploited PDQ’s point of sale system
and gained access to customers’ personal data—the credit and debit card
information—through an outside vendor’s remote connection tool. PDQ later
became aware of the breach, and on June 22, 2018, it posted a notice to customers
that it had “been the target of a cyber-attack.” The notice stated that “[a]ll PDQ
locations in operation” between May 19, 2017, and April 20, 2018, were affected
by the attack, and the notice listed the customers’ personal information that “may
have been accessed”: cardholder names, credit card numbers, card expiration dates,
and CVVs. Because of the nature of the breach, PDQ stated that it “was not
possible to determine the identity or exact number of credit card numbers or names
that were accessed or acquired during” the cyber-attack. The notice repeatedly
made clear that PDQ customers’ information “may” have been accessed.
In October 2017—during the data breach period—plaintiff Tsao made at
least two food purchases at a PDQ restaurant in Pinellas, Florida, using two
different cards. On October 8, he paid with a Wells Fargo Home Rebate card, and
on October 31, he paid with a Chase Sapphire Reserve card. Both of these cards
offer Tsao the ability to accrue points or rebates by making certain types of
purchases—gas, dining, groceries, and travel, just to name a few. The Chase card
also requires Tsao to pay an annual fee of $450.00. Because Tsao made purchases
at PDQ during the breach period, the credit card data from these cards may have
3 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 4 of 28
been accessed by hackers. So, when Tsao learned of the possible breach in 2018,
he contacted both Chase and Wells Fargo and cancelled his cards.
Less than two weeks after PDQ’s announcement of the cyber-attack, Tsao
filed a class action complaint (the “Complaint”) in the Middle District of Florida
on behalf of a nationwide class, or alternatively, a separate Florida class. The
Complaint lists a variety of injuries that PDQ customers allegedly suffered as a
result of the cyber-attack, including “theft of their personal financial information,”
“unauthorized charges on their debit and credit card accounts,” and “ascertainable
losses in the form of the loss of cash back or other benefits.” Tsao asserts that he
and the class members “have been placed at an imminent, immediate, and
continuing increased risk of harm from identity theft and identity fraud, requiring
them to take the time which they otherwise would have dedicated to other life
demands such as work and effort to mitigate the actual and potential impact of the
Data Breach on their lives.” The Complaint also includes some general
information from the Federal Trade Commission and Government Accountability
Office about the risks associated with cyber-attacks and lists a few noteworthy data
breaches involving the restaurant industry.
Based on these alleged injuries, the Complaint claims that PDQ (1) breached
an implied contract by failing to safeguard customers’ credit card data (Count I);
(2) was negligent in failing to provide adequate security for the credit card data
4 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 5 of 28
(Count II); (3) was per se negligent because PDQ violated Section 5 of the Federal
Trade Commission Act (15 U.S.C. § 45), which prohibits unfair practices that
affect commerce (Count III); (4) was unjustly enriched when it received payments
from the customers but failed to provide those customers with adequate data
security (Count IV); and (5) violated the Florida Unfair and Deceptive Trade
Practices Act by failing to, among other things, maintain “adequate . . . data
security practices” (Count VI). The Complaint additionally seeks a declaratory
judgment stating that “PDQ’s existing data security measures do not comply with
its contractual obligations and duties of care” and that PDQ, in order to comply
with those obligations, is required to implement and maintain a variety of security
measures (Count V).
PDQ moved to dismiss the Complaint on August 28, 2018. PDQ argued that
the Complaint failed to state a claim under Federal Rules of Civil Procedure
12(b)(1), (b)(6), and (b)(7) “for failure to satisfy Article III standing, to state a
claim upon which relief can be granted, and/or for failure to join indispensable
parties.” On the standing issue, PDQ emphasized that, although customer data
may have been “compromised” or “exposed” during the cyber-attack, Tsao failed
to identify “a single incident involving an actual misuse of the credit card
information, much less any misuse . . . causing any of the customers any actual
injury” (emphasis in original). Instead, PDQ argued, Tsao’s claims were
5 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 6 of 28
“premised on a fear that his credit card information may be misused at some point
in the future,” and since he cancelled his cards before any misuse occurred, he was
foreclosed from alleging damages. And even if Tsao did incur some out-of-pocket
expenses to mitigate the risk of misuse, PDQ claimed that such “manufacture[d]
standing” was not enough to satisfy Article III.
Tsao’s response to the motion to dismiss focused heavily on three types of
injuries he allegedly suffered in his efforts to mitigate the perceived risk of future
identity theft: lost cash back or reward points, lost time spent addressing the
problems caused by the cyber-attack, and restricted card access resulting from his
credit card cancellations. On the first point—the loss of cash back or reward
points—Tsao argued that, because he cancelled his Chase and Wells Fargo cards in
anticipation of possible misuse, he temporarily “lost the opportunity to accrue” the
rewards connected to those cards. And on the latter two points—lost time and
restricted account access—Tsao asserted that he “expended time and effort” to
cancel his cards and to deal with the impact of the cyberattack, and since he
cancelled the cards, he lost access to his “preferred accounts.” Importantly,
however, Tsao did not point to any specific instances in which his—or any other
class member’s—identity was stolen, cards were fraudulently charged, or data was
misused. Rather, the thrust of Tsao’s response was that he had standing (1)
6 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 7 of 28
because he and the class were at an elevated risk of identity theft, or, alternatively,
(2) because he took “proactive[]” steps to mitigate the risk of identity theft.
On November 1, 2018, the District Court dismissed Tsao’s Complaint
without prejudice for lack of standing. The Court noted that although Tsao
claimed that his private data was “compromised” and “exposed” to criminals, not
once did he allege “that his credit cards were used in any way by a thief or that his
identity was stolen.” Nor did Tsao identify “a single specific, concrete injury in
fact that he or anyone else [] suffered as a result of any misuse of customer credit
card information.” These conclusory allegations of harm, the Court found, were
speculative at best, and mere “[e]vidence of a data breach, without more, [was]
insufficient to satisfy injury in fact under Article III standing.”
This appeal followed. Tsao’s briefing mostly retreads the arguments he
made below—that he and the class are at an elevated risk of future identity theft
and that he lost cash back and rewards point, time, and account access—in an
effort to satisfy Article III’s standing requirement. But after a careful review of the
record and with the benefit of oral argument, we affirm the District Court’s
dismissal for lack of standing.
II.
Whether plaintiffs have standing to sue is a threshold jurisdictional question
that we review de novo. Debernardis v. IQ Formulations, LLC, 942 F.3d 1076,
7 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 8 of 28
1083 (11th Cir. 2019). On a facial attack to a complaint for lack of standing, we
take the allegations of the complaint as true. McElmurray v. Consol. Gov’t of
Augusta-Richmond Cty., 501 F.3d 1244, 1251 (11th Cir. 2007).
III.
Tsao’s arguments focus on two general theories of standing. First, he argues
that he could suffer future injury from misuse of the personal information disclosed
during the cyber-attack (though he has not yet), and this risk of misuse alone is
enough to satisfy the standing requirement. Then, he argues that he has already
suffered some “concrete, particularized” mitigation injuries—for example, lost
time, lost rewards points, and loss of access to accounts—that are sufficient to
confer standing. Below, we reject both of these theories of standing. But before
we dive into Tsao’s arguments, an overview of our standing case law is in order.
A.
Under Article III of the Constitution, the jurisdiction of a federal court is
limited to “cases” and “controversies.” See Wilding v. DNC Servs. Corp., 941 F.3d
1116, 1124 (11th Cir. 2019). To satisfy the “case” or “controversy” requirement, a
plaintiff in a matter must have standing to sue. See Spokeo, Inc. v. Robins, 136 S.
Ct. 1540, 1546–47 (2016). And for a plaintiff to have standing, it must have “(1)
suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of
the defendant, and (3) that is likely to be redressed by a favorable judicial
8 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 9 of 28
decision.” Id. at 1547 (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61, 112
S. Ct. 2130, 2136 (1992)). A plaintiff at the pleading stage, as the party invoking
federal jurisdiction, bears the burden of establishing these elements by alleging
facts that “plausibly” demonstrate each element. Trichell v. Midland Credit
Mgmt., Inc., 964 F.3d 990, 996 (11th Cir. 2020)
Of the three standing elements, Tsao’s allegations implicate only injury. At
the pleading stage, “general factual allegations of injury” are enough. Lujan, 504
U.S. at 561, 112 S. Ct. at 2137. But this does not mean that any allegations of
injury can push a plaintiff across the standing threshold. Rather, a plaintiff must
set forth general factual allegations that “plausibly and clearly allege a concrete
injury,” Thole v. U. S. Bank N.A, 140 S. Ct. 1615, 1621 (2020), and that injury
must be “‘actual or imminent, not conjectural or hypothetical,’” Spokeo, Inc., 136
S. Ct. at 1548 (quoting Lujan, 504 U.S. at 560, 112 S. Ct. at 2136). “[M]ere
conclusory statements[] do not suffice.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129
S. Ct. 1937, 1949 (2009).
This standing framework raises two questions. First, what is a “concrete”
injury? In Spokeo, the United States Supreme Court offered a straightforward
definition: “A concrete injury must be de facto; that is, it must actually exist.”
Spokeo, Inc., 136 S. Ct. at 1548 (quotations omitted). The Supreme Court noted
that, when it uses the term “concrete,” it intends to “convey the usual meaning of
9 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 10 of 28
the term—‘real,’ and not ‘abstract.’” Id. (quoting Webster’s Third New
International Dictionary 472 (1971)). This Court has adhered to that definition,
and we have noted that “[a] concrete injury need be only an ‘identifiable trifle.’”
Salcedo v. Hanna, 936 F.3d 1162, 1167 (11th Cir. 2019) (quoting United States v.
Students Challenging Regul. Agency Proc’s. (SCRAP), 412 U.S. 669, 689 n.14, 93
S. Ct. 2405, 2417 n.14 (1973)) (emphasis added).
Typically, tangible 1 injuries are “concrete.” See Trichell, 964 F.3d at 997.
Tangible injuries can include both straightforward economic injuries, see
Debernardis, 942 F.3d at 1084, and more nebulous injuries, like lost time, see
Salcedo, 936 F.3d at 1173, or the loss of a “fraction of a vote,” id. at 1167 (quoting
SCRAP, 412 U.S. at 689 n.14, 93 S. Ct. at 2417 n.14).
But although many types of injuries may qualify as “concrete,” there is
another restriction on standing: “Where a ‘hypothetical future harm’ is not
‘certainly impending,’ plaintiffs ‘cannot manufacture standing merely by inflicting
harm on themselves.’” Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 931
(11th Cir. 2020) (en banc) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398,
1 Intangible injuries, such as a mere statutory violation, will sometimes qualify as concrete, but that inquiry depends upon the context of the statutory violation. See Trichell v. Midland Credit Mgmt., Inc., 964 F.3d 990, 997 (11th Cir. 2020). Although intangible injuries are not relevant here, we mention them briefly for the sake of completeness. 10 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 11 of 28
416, 133 S. Ct. 1138, 1151 (2013)). This raises the second question: When is an
injury “actual or imminent” and not just “conjectural or hypothetical?”
In Clapper, the United States Supreme Court addressed whether a group of
plaintiffs—people in the United States whose work required them to engage in
sensitive international communications that may have been the target of
surveillance under a federal statute—suffered an injury in fact because “there [wa]s
an objectively reasonable likelihood that their communications w[ould] be
acquired under [the statute] at some point in the future.” Clapper, 568 U.S. at 401,
133 S. Ct. at 1143. The Supreme Court found no injury—and thus no standing—
because the plaintiffs “merely speculate[d] and ma[de] assumptions about whether
their communications with their foreign contacts w[ould] be acquired” under the
statute. Id. at 411, 133 S. Ct. at 1148. Such speculation was not enough:
“[T]hreatened injury must be certainly impending to constitute injury in fact, . . .
[a]llegations of possible future injury are not sufficient.” Id. at 409, 133 S. Ct. at
1147 (emphasis in original) (quotations omitted). While this standard does not
require a plaintiff to show that it is “literally certain that the harms they identify
will come about,” it, at the very least, requires a showing that there is a “substantial
risk” that the harm will occur. Id. at 414 n.5, 133 S. Ct. at 1150 n.5.
This Circuit recently discussed Clapper’s “high standard for the risk-of-
harm analysis” in the context of speculative allegations of future identity theft.
11 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 12 of 28
Muransky, 979 F.3d at 927. In Muransky, customers of Godiva chocolate stores
alleged violations of the Fair and Accurate Credit Transactions Act (“FACTA”),
claiming that Godiva printed too many digits on credit card receipts and thus
exposed customers to an elevated risk of identity theft. Id. at 922. The injuries
alleged were merely “statutory in nature”—that is, the harm to plaintiffs was
simply that FACTA had been violated. Id. As the litigation wore on, the parties
began to negotiate a settlement, fueled largely by the United States Supreme
Court’s impending decision in Spokeo v. Robins, which would decide whether a
statutory violation alone could confer standing. Id. With Spokeo still outstanding,
the District Court certified the proposed class, approved a settlement between the
parties, and directed notice of the settlement to the class members. Id. at 922–23.
But before the District Court could hold a fairness hearing on the class
settlement, the Supreme Court issued its decision in Spokeo. Id. An objector to
the Godiva settlement argued that the District Court was obliged to determine
whether, in light of Spokeo, plaintiffs had standing to sue for a statutory violation,
but the District Court ignored the issue and approved the settlement. Id. at 923.
This Court, sitting en banc, vacated the District Court’s order approving the
settlement and remanded with instructions to dismiss for lack of standing. Id. at
936. We reasoned, in relevant part, that Muransky’s naked allegations that he and
the class were exposed to an “elevated risk” of identity theft—but not that he and
12 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 13 of 28
the class were ever actually the victims of identity theft—were not enough to
confer standing. Id. at 933. But in an attempt to end run around Spokeo,
Muransky claimed that he suffered a direct injury in fact when he spent time
“destroying or safeguarding” his receipts in an effort to mitigate his risk of future
identity theft. Id. at 931. Citing Clapper, this Court flatly rejected Muransky’s
argument: “Where a ‘hypothetical future harm’ is not ‘certainly impending,’
plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves.’
[] Muransky is no different than the Clapper plaintiffs in this respect—his
management-of-risk claim is bound up with his arguments about actual risk.” Id.
(citing Clapper, 568 U.S. at 416, 422, 133 S. Ct. at 1151, 1155).
From Clapper and Muransky, we can distill two legal principles relevant to
Tsao’s claims. First, a plaintiff alleging a threat of harm does not have Article III
standing unless the hypothetical harm alleged is either “certainly impending” or
there is a “substantial risk” of such harm.2 Clapper, 568 U.S. at 409, 414 n.5, 133
S. Ct. at 1147, 1150 n.5; Muransky, 979 F.3d at 931. Second, if the hypothetical
harm alleged is not “certainly impending,” or if there is not a substantial risk of the
harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to
2 The Supreme Court indicated that both the “certainly impending” and “substantial risk” standards are applicable in future injury cases, albeit without resolving whether they are distinct. See Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S. Ct. 2334, 2341 (2014). As a result, we discuss both throughout this opinion. 13 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 14 of 28
mitigate a perceived risk. Clapper, 568 U.S. at 416, 422, 133 S. Ct. at 1151, 1155;
Muransky, 979 F.3d at 931. With these two principles in mind, we turn to Tsao’s
claims.
B.
We begin with Tsao’s theory that he has Article III standing because he
faces a “substantial risk of identity theft, fraud, and other harm in the future as a
result of the data breach.” Although this Circuit has not addressed the issue head-
on, a number of our sister circuits have, and they are divided. On the one hand, the
Sixth, Seventh, Ninth, and D.C. Circuits have all recognized—at the pleading
stage—that a plaintiff can establish injury-in-fact based on the increased risk of
identity theft. See Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017);
Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387–89 (6th Cir. 2016);
Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694–95 (7th Cir. 2015);
Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010); Pisciotta v.
Old Nat’l Bancorp, 499 F.3d 629, 633–34 (7th Cir. 2007). On the other hand, the
Second, Third, Fourth, and Eighth Circuits have declined to find standing on that
theory. See Beck v. McDonald, 848 F.3d 262, 273–76 (4th Cir.), cert. denied sub
nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017); Whalen v. Michaels Stores, Inc., 689
F. App’x 89, 90–91 (2d Cir. 2017); In re SuperValu, Inc., 870 F.3d 763, 770–72
14 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 15 of 28
(8th Cir. 2017); Reilly v. Ceridian Corp., 664 F.3d 38, 42–44 (3d Cir. 2011). 3 Of
course, we are not bound by any of these cases, but a brief overview of their
reasoning is helpful.
Generally speaking, the cases conferring standing after a data breach based
on an increased risk of theft or misuse included at least some allegations of actual
misuse or actual access to personal data. In Attias, two plaintiffs alleged that they
suffered identity theft when their anticipated tax refunds went missing. Attias, 865
F.3d at 626 n.2. In Galaria, plaintiffs alleged that their data was accessed and had
“already been stolen” by “ill-intentioned criminals.” Galaria, 663 F. App’x at 388.
In Remijas, plaintiffs alleged that personal data had “already been stolen” and that
“9,200 cards [] experienced fraudulent charges.” Remijas, 794 F.3d at 692–94.
And in Krottner, at least one plaintiff alleged that someone “attempted to open a
bank account in his name.” Krottner, 628 F.3d at 1142.
3 It is worth noting that the First Circuit appears to have gone both ways on this issue. In Anderson v. Hannaford Bros., 659 F.3d 151, 162–67 (1st Cir. 2011), the First Circuit declined to question whether victims of a data breach—who alleged 1,800 instances of credit-card fraud— had standing to sue. But when analyzing Anderson in a different data breach case, the First Circuit drew the distinction between instances where confidential data has actually been accessed and case where data might be accessed. Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) The Court held that, in the latter scenario, the “theoretical possibility” of access to confidential data “simply does not rise to the level of a reasonably impending threat.” Id. at 79. Since Katz, other Circuits have interpreted First Circuit law to preclude standing based on allegations of future identity theft unaccompanied by criminal activity involving the stolen information, see Beck, 848 F.3d at 273, as have district courts within the First Circuit, see Hartigan v. Macy’s, Inc., No. CV 20-10551-PBS, 2020 WL 6523124, at *3 (D. Mass. Nov. 5, 2020). 15 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 16 of 28
The outlier among the cases conferring standing is Pisciotta, 499 F.3d at
634. There, plaintiffs brought a class action against a bank after its website was
hacked, alleging that the bank failed to adequately secure the personal information
it solicited (including names, addresses, birthdates, and social security numbers)
when consumers applied for banking services on its website. Id. at 631. The
named plaintiffs did not allege any actual misuse or access to their data, but the
Seventh Circuit found standing nonetheless: “[T]he injury-in-fact requirement can
be satisfied by a threat of future harm or by an act which harms the plaintiff only
by increasing the risk of future harm that the plaintiff would have otherwise faced,
absent the defendant’s actions.” Id. at 634.
Though the Seventh Circuit’s opinion appears to sweep broadly on its face,
we are hesitant to read too closely into Pisciotta in light of two considerations.
First, Pisciotta is a pre-Clapper decision, and thus it is unclear if the Seventh
Circuit would have (or could have) reached the same conclusion with the benefit of
the Supreme Court’s opinion. Second, none of the Seventh Circuit data breach
cases that followed Pisciotta—including Remijas, 794 F.3d at 693, Lewert v. P.F.
Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Dieffenbach v.
Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018)—even cite the case, suggesting
that Pisciotta should not weigh too heavily in our analysis.
16 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 17 of 28
Other Circuits have declined to find standing on an “elevated risk of identity
theft” theory where the plaintiffs failed to allege any actual misuse of class
members’ personal information. The Second Circuit, for example, distinguished a
breach of credit-card-specific data from a breach of other forms of personal
information in Whalen v. Michaels Stores, Inc., 689 F. App’x at 90. In Whalen,
Michaels Stores publicly announced a breach of card data, and Whalen filed suit
alleging that her card—which was used at Michaels during the breach period—had
been “physically presented for payment” at two locations in Ecuador, though no
charges were actually incurred. Id. To show standing, Whalen pointed to the two
attempts to use her cards in Ecuador, the “risk of future identity fraud,” and the lost
time and money she spent resolving the attempted fraudulent purchases. Id. But
the Second Circuit held that Whalen failed to allege a concrete injury because (1)
Whalen never paid, nor was asked to pay, for the attempted fraudulent charges in
Ecuador; (2) she did not identify a threat of future fraud, as her stolen credit card
had already been canceled and no other identifying information was stolen; and (3)
the complaint did not allege that she expended any time or money to monitor her
financial data. Id. at 90–91.
Similarly, in Reilly v. Ceridian Corp.—a pre-Clapper decision—a class of
law firm employees brought a putative class action against a payroll processing
firm (Ceridian) asserting various claims related to an increased risk of identity theft
17 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 18 of 28
and costs to monitor credit activity after Ceridian suffered a security breach. See
664 F.3d at 40. After the breach, Ceridian sent letters to the potential identity theft
victims, informing them of the breach: “[S]ome of your personal information . . .
may have been illegally accessed by an unauthorized hacker. . . . [T]he information
accessed included your first name, last name, social security number and, in
several cases, birth date and/or the bank account that is used for direct deposit.”
Id. (alterations in original). Although the plaintiffs argued that the breach left them
at an “increased risk of identity theft,” they did not allege any actual misuse of
personal information. Id. at 40–41 The Third Circuit, relying on Lujan, 504 U.S.
at 561, 112 S. Ct. at 2136–37, and Whitmore v. Arkansas, 495 U.S. 149, 155, 110
S. Ct. 1717, 1722–23 (1990), found that the plaintiffs’ alleged injuries were
hypothetical and relied on speculation, and thus they were not “imminent” or
“certainly impending.” Reilly, 664 F.3d at 43. As a result, the plaintiffs did not
have standing. Id.
The Fourth Circuit has likewise rejected the “increased risk of future identity
theft” theory in the context of a data breach. In Beck v. McDonald, a class of
veterans who received medical treatment and health care at a South Carolina
Veterans Affairs Medical Center brought actions alleging violations of various
federal statutes following two data breaches at the Medical Center. 848 F.3d at
266. The plaintiffs sought to establish Article III standing based on (1) the harm
18 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 19 of 28
from the increased risk of future identity theft and (2) the cost of measures to
protect against it. Id. at 266–67. The Fourth Circuit, distinguishing Remijas and
Krottner on the ground that those cases included allegations of actual misuse,
found that the plaintiffs’ alleged injury from the elevated risk of identity theft was
“too speculative”: “[E]ven after extensive discovery, the Beck plaintiffs have
uncovered no evidence that the information contained on the stolen laptop has been
accessed or misused or that they have suffered identity theft, nor, for that matter,
that the thief stole the laptop with the intent to steal their private information.” Id.
at 274. The “mere theft” of the plaintiffs’ data, without something more, required
the consideration of the “attenuated chain of possibilities” rejected by Clapper. Id.
at 275. This theory of harm was simply “too speculative to constitute an injury-in-
fact.” Id. at 274.4
And notably, the Eighth Circuit in In re SuperValu, Inc. found no standing
on an “increased risk of future identity theft” theory, even when a named plaintiff
alleged actual misuse of personal information. 870 F.3d at 769–71. There, a class
of grocery store customers filed suit against SuperValu and other grocery store
owner-operators following two data breaches in which the customers’ financial
4 The Fourth Circuit later found standing in a data breach case where the plaintiffs did allege that hackers “used—and attempted to use—the Plaintiffs’ personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval.” Hutton v. Nat’l Bd. of Exam’rs in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018). There, as we do here, the Fourth Circuit noted the distinction between cases alleging the possibility of misuse of personal information and cases alleging actual misuse. See id. 19 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 20 of 28
information was allegedly accessed and stolen. Id. at 765. The customers alleged
that, as a result of the data breaches, hackers were allowed to gain access to
customers’ “names, credit or debit card account numbers, expiration dates, card
verification value (CVV) codes, and personal identification numbers (PINs).” Id.
at 766. In support of their theory of standing, the customers relied on a June 2007
United States Government Accountability Office (GAO) report on data breaches,
which states that “identity theft” includes “many types of criminal activities,
including fraud on existing accounts—such as unauthorized use of a stolen credit
card number—or fraudulent creation of new accounts—such as using stolen data to
open a credit card account in someone else’s name.” Id. at 770 (citing U.S. Gov’t
Accountability Off., GAO-07-737, Personal Information: Data Breaches are
Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full
Extent is Unknown (2007), http://www.gao.gov/assets/270/262899.pdf (hereinafter
“GAO Report”)). That report points out, however, that compromised credit or
debit card information, without additional personal identifying information,
“generally cannot be used alone to open unauthorized new accounts.” Id. (citing
GAO Report at 30). The Eighth Circuit additionally noted that the GAO report
concludes that “most breaches have not resulted in detected incidents of identity
theft.” Id. at 771 (citing GAO Report at 21).
20 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 21 of 28
In light of the GAO Report’s findings, the Eighth Circuit found that the
plaintiffs failed to demonstrate a substantial risk that they would suffer identity
theft in the future. Id. at 770. The hackers in SuperValu were not alleged to have
stolen social security numbers, birth dates, or driver’s license numbers, and thus,
according to the GAO report, the risk of identity theft was “little to no[ne].” Id.
The Court did find, however, that a lone named plaintiff alleged actual misuse, and
thus that plaintiff had standing based on present, but not future injury. Id. at 772.
We are persuaded by the reasoning of the Eighth Circuit in SuperValu, and
the facts of that case map closely to the facts of this one. Here, as the plaintiffs did
in SuperValu, Tsao has alleged that hackers may have accessed and stolen
customer credit card data “including the cardholder name, the account number,
expiration date, card verification value (‘CVV’), and PIN data for debit cards.”
And here, just like the plaintiffs in SuperValu, Tsao cites to the 2007 GAO Report
on data breaches in support of his theory that the PDQ hack may result in future
identity theft. But we, like the Eighth Circuit in SuperValu, believe the GAO
Report actually demonstrates why there is no “substantial risk” of identity theft
here. Tsao has not alleged that social security numbers, birth dates, or driver’s
license numbers were compromised in the PDQ breach, and the card information
allegedly accessed by the PDQ hackers “generally cannot be used alone to open
unauthorized new accounts.” GAO Report at 30. So, based on the GAO Report, it
21 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 22 of 28
is unlikely that the information allegedly stolen in the PDQ breach, standing alone,
raises a substantial risk of identity theft.
This leaves us with the risk that the hackers, if they accessed and stole
Tsao’s credit card information, could make unauthorized purchases with his cards
or drain his accounts. But again, the GAO Report suggests that most data breaches
have not resulted in detected incidents of fraud on existing accounts. See id. at 21.
Indeed, the GAO Report reviewed the 24 largest data breaches between January
2000 and June 2005 and found that only 4 of the 24 breaches (roughly 16.667%)
resulted in some form of identity theft, and only 3 resulted in account theft or fraud
(12.5%). Id. at 24–25. Given the low rate of account theft, the GAO Report
simply does not support the conclusion that the breach here presented a
“substantial risk” that Tsao would suffer unauthorized charges on his cards or
account draining.
Of course, we recognize that the GAO Report is over a decade old, and it is
possible that some breaches may present a greater risk of identity theft than others.
But even if we set aside the GAO Report and the reasoning of SuperValu, we
remain unconvinced that Tsao has met his burden to show that the there is a
“substantial risk” of harm, or that such harm is “certainly impending.” Clapper,
568 U.S. at 409, 414 n.5, 133 S. Ct. at 1147, 1150 n.5. Three considerations color
this conclusion.
22 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 23 of 28
First, we recently held in Muransky that conclusory allegations of an
“elevated risk of identity theft”—or, as Tsao puts it, a “continuing increased risk”
of identity theft—“[are] simply not enough” to confer standing. Muranksy, 979
F.3d at 933. Tsao’s allegations about the “increased risk” of identity theft are
supported only by reports defining identity theft, outlining the general risks of
identity theft, or stating that identity thieves have stolen $112 billion in the last six
years. These reports do nothing to clarify the risks to the plaintiffs in this case, and
Tsao’s threadbare allegations of “increased risk” are insufficient to confer
standing.
Second, Tsao offers only vague, conclusory allegations that members of the
class have suffered any actual misuse of their personal data—here, “unauthorized
charges.” But again, conclusory allegations of injury are not enough to confer
standing. See Iqbal, 556 U.S. at 678, 129 S. Ct. at 1949. Of course, as our sister
Circuits have recognized, evidence of actual misuse is not necessary for a plaintiff
to establish standing following a data breach. See, e.g., Beck, 848 F.3d at 275
(stating that district court did not impermissibly require plaintiffs to demonstrate
actual misuse). However, without specific evidence of some misuse of class
members’ data, a named plaintiff’s burden to plausibly plead factual allegations
sufficient to show that the threatened harm of future identity theft was “certainly
impending”—or that there was a “substantial risk” of such harm—will be difficult
23 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 24 of 28
to meet. Cf. Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 n.1 (11th Cir. 2012)
(finding that plaintiffs who suffered “actual” identity theft had standing but noting
that “speculative” identity theft may not be sufficient to confer standing). As the
case law discussed above confirms, most plaintiffs that have failed to offer at least
some evidence of actual misuse of class members’ data have fared poorly in
disputes over standing. See Op. at 14–21.
Third, Tsao immediately cancelled his credit cards following disclosure of
the PDQ breach, effectively eliminating the risk of credit card fraud in the future.
Of course, even if Tsao’s cards are cancelled, some risk of future harm involving
identity theft (for example, the use of Tsao’s name) still exists, but that risk is not
substantial and is, at best, speculative.
In short, Tsao has not alleged either that the PDQ data breach placed him at
a “substantial risk” of future identity theft or that identity theft was “certainly
impending.” Clapper, 568 U.S. at 409, 414 n.5, 133 S. Ct. at 1147, 1150 n.5.
Evidence of a mere data breach does not, standing alone, satisfy the requirements
of Article III standing. It follows that Tsao does not have standing here based on
an “increased risk” of identity theft.
C.
We turn now to Tsao’s claims that he has suffered actual, present injuries in
his efforts to mitigate the risk of identity theft caused by the data breach.
24 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 25 of 28
Following notice of the PDQ data breach, Tsao notified Wells Fargo and
Chase to cancel his credit cards and, in his words, “proactively t[ook] steps to
mitigate the damage done by PDQ’s mistakes.” As a result of these mitigation
efforts, Tsao claims that he has suffered three distinct injuries: (1) lost opportunity
to accrue cash back or rewards points on his cancelled credit cards, (2) costs
associated with detection and prevention of identity theft in taking the time and
effort to cancel and replace his credit cards; and (3) restricted account access to his
preferred payment cards. Tsao’s mitigation efforts are not enough to confer
It is well established that plaintiffs “cannot manufacture standing merely by
inflicting harm on themselves based on their fears of hypothetical future harm that
is not certainly impending.” Clapper, 568 U.S. at 416, 133 S. Ct. at 1151; see also
Muransky, 979 F.3d at 931 (citing Clapper and stating the same). In Muransky,
this Court held that a plaintiff’s mitigation costs—there, “additional time
destroying or safeguarding his receipt”—were insufficient to confer standing
because there was no substantial risk of identity theft. Muransky, 979 F.3d at 931.
Although we noted that allegations of “wasted time” could sometimes “state a
concrete harm for standing purposes,” we noted that Muransky’s “management-of-
risk claim [wa]s bound up with his arguments about actual risk,” id. at 930–31
(quotations and citations omitted). As a result, Muransky’s “assertion of wasted
25 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 26 of 28
time and effort necessarily r[ose] or f[ell] along with” the Court’s determination of
whether there was a substantial risk of harm. Id. at 931.
So too here. The mitigation costs Tsao alleges are inextricably tied to his
perception of the actual risk of identity theft following the PDQ data breach. Tsao,
by his own admission, voluntarily cancelled his credit cards, and the three types of
harm he has identified flowed from that cancellation. By cancelling his cards, he
voluntarily forwent the opportunity to accrue cash back or rewards points on those
cards. By cancelling his cards, he voluntarily restricted access to his preferred
payment cards. And by cancelling his cards, he voluntarily spent time
safeguarding his accounts. Tsao cannot conjure standing here by inflicting injuries
on himself to avoid an insubstantial, non-imminent risk of identity theft. To hold
otherwise would allow “an enterprising plaintiff . . . to secure a lower standard for
Article III standing simply by making an expenditure based on a nonparanoid
fear.” Clapper, 568 U.S. at 416, 133 S. Ct. at 1151. The law does not permit such
a result.
IV.
We hold that Tsao lacks Article III standing because he cannot demonstrate
that there is a substantial risk of future identity theft—or that identity theft is
certainly impending—and because he cannot manufacture standing by incurring
26 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 27 of 28
costs in anticipation of non-imminent harm. Accordingly, we affirm the District
Court’s order dismissing the case without prejudice for lack of standing.
AFFIRMED.
27 USCA11 Case: 18-14959 Date Filed: 02/04/2021 Page: 28 of 28
JORDAN, Circuit Judge, concurring in the judgment.
Given our recent decision in Muransky v. Godiva Chocolatier, Inc., 979 F. 3d
917 (11th Cir. 2020) (en banc)—a decision from which I dissented—I concur in the
judgment. I note only that the court here, rather than viewing Mr. Tsao’s allegations
favorably, necessarily engages in a value-laden and normative inquiry concerning
the question of “substantial risk” at the motion-to-dismiss stage. That to me is
problematic for a number of reasons, see id. at 964-70 (Jordan, J., dissenting), but
Muransky apparently has sanctioned such an analytical approach. Hopefully the
Supreme Court will soon grant certiorari in a case presenting the question of Article
III standing in a data breach case.