Frank Cruz-Alvarez is a Partner with Shook, Hardy & Bacon L.L.P. in the firm’s Miami, FL office, and Britta Stamps Todd  is an Associate in the firm’s Kansas City, Mo office. Mr. Cruz-Alvarez is the WLF Legal Pulse’s Featured Expert Contributor on Civil Justice/Class Actions.


Doubling down on its recent standing holding from Muranksy v. Godiva Chocolatier Inc., 979 F.3d 917 (11th Cir. 2020) (en banc) (see our post on that decision here), the Eleventh Circuit on February 4 held that neither a risk of future identity theft nor efforts to mitigate the risk of future identity theft constitute a concrete injury sufficient to create standing.  While the decision in I Tan Tsao v. Captiva MVP Restaurant Partners, LLC arises from a data breach, skilled litigators will find more broad implications for class actions.

The named plaintiff in Tsao used his credit cards to make two purchases at a restaurant in October 2017. The restaurant later learned that a hacker had exploited its point-of-sale system from May 2017 to April 2018 and issued a notice to customers that it had “been the target of a cyber-attack” and the customers’ personal information “may have been accessed.” That personal information included the cardholder names, credit card numbers, card expiration dates, and CVVs. After learning about the cyber attack, the named plaintiff cancelled both credit cards that he had used at the restaurant and alleged that he “lost the opportunity to accrue” the rewards connected to those cards, lost access to his “preferred accounts,” and “expended time and effort” to deal with the impact of the cyber attack. He then brought a putative class action alleging six causes of action against the restaurant, but the district court dismissed the complaint for lack of standing.

While general factual allegations will survive at the pleading stage, those allegations must “plausibly and clearly allege a concrete injury.” Reiterating the holding from Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Eleventh Circuit pointed out that a “concrete injury” must be real—not abstract, conjectural, or hypothetical. The court also pointed to Clapper v. Amnestry Int’l USA, 568 U.S. 398, 409 (2013), where the Supreme Court concluded that “threatened injury must be certainly impending to constitute injury in fact” but “[a]llegations of possible future injury are not sufficient.” (emphasis in original). Based on Clapper and Muransky, the court deduced a two-part principle: a plaintiff who alleges a threat of harm cannot establish Article III standing unless the hypothetical harm is either “certainly impending” or there is a “substantial risk” of the harm. If the plaintiff cannot establish either of those pieces, the plaintiff cannot then craft standing by inflicting a direct harm on herself to mitigate the hypothetical risk.

Applying those principles to the cyber attack where the named plaintiff’s credit card information “may” have been accessed, the Eleventh Circuit affirmed the district court’s dismissal of the case, further cementing a circuit split on this issue. The Sixth, Seventh, Ninth, and D.C. Circuits have each held that an increased risk of identity theft suffices to establish an injury in fact. The Eleventh Circuit found to the contrary and joined the Second, Third, Fourth, and Eighth Circuits’ conclusion that standing does not exist under this theory. Even in the circuits that found standing, almost all of the cases included some allegations of actual misuse or access to personal data. Importantly here, the named plaintiff did not allege that social security numbers, birth dates, or other personal information was compromised in the data breach. Based on that, the court reasoned, it is unlikely that the information obtained in the cyber attack raises a substantial risk of identity theft. As to future harm, “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.”

Efforts to mitigate the risk of future harm fare no better. The named plaintiff also attempted to establish standing by arguing that his mitigation efforts constituted an actual, present injury. He specifically pointed to his lost opportunity to accrue rewards on his cancelled credit cards, lost access to his preferred accounts, and the costs associated with the time and energy he expended to prevent identity theft and replace his credit cards. Credit-card reward enthusiasts can surely empathize with the frustration of missing the chance to earn more rewards. But the Eleventh Circuit construed those efforts as an attempt to “manufacture” standing by inflicting harm on himself based on a fear of hypothetical future harm. Rather than being forced to take those steps, the named plaintiff voluntarily engaged in the mitigation efforts and inflicted the “injury” on himself. Citing Clapper, the court determined that a plaintiff cannot choose to make such an expenditure based on a subjective fear, and then cite that effort as a present and concrete injury to establish standing.

Beyond the specific data-breach context, Tsao gives class action defendants further grounds to defeat suits at the outset based on standing. While Muransky focused on pure statutory violations, this latest decision clarifies that hypothetical future harm likewise fails to confer standing on a plaintiff. And mitigation efforts based on fear of a future harm also fall short of the Eleventh Circuit’s standard for an actual, present injury. The reasoning in Tsao could conceivably be extended to any case where a named plaintiff bases her alleged injury on a risk of future harm or effort to prevent a future harm. While the Supreme Court has not teed up any cases on this specific standing point (despite the circuit split), class action practitioners should look forward to the Supreme Court’s decision in Trans Union LLC v. Ramirez later this term for a potential blockbuster opinion on class action standing.