CPW recently covered Tsao v. Captiva MVP Rest. Partners, LLC where the Eleventh Circuit aligned itself with others that “declined to find standing on an ‘elevated risk of identity theft’ theory where the plaintiffs failed to allege any actual misuse of class members’ personal information.” Well, Tsao is already having a significant impact on data breach litigations. Last week a federal court issued a report and recommendation denying a plaintiff’s motion for preliminary approval of a class action settlement reached with defendant. Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534, (M.D. Fla. Feb. 10, 2021). Why? Based upon Tsao, the court found there were “substantial questions” regarding whether Plaintiffs in the case had standing. Because it is a threshold requirement that a named plaintiff in a putative class action proceeding in federal court meets the requirements of Article III standing, the court found it was unable to grant preliminary settlement approval. Read on below.
There is a long-running Court of Appeals split regarding what injuries in the data breach context suffice for purposes of Article III standing. In data breach litigations, plaintiffs will often allege that they have been harmed by the mere disclosure of their personal information (“PI”). This is so even when plaintiffs have not had fraudulent charges placed on their account, been victims of identity theft, or suffered any other concrete harm. This is because, plaintiffs (and their lawyers) say, they are at an increased risk of future harm as a result of their PI being disclosed in a data breach.
The Second, Third, Fourth, Eighth and Eleventh Circuit Court of Appeals have held, consistent with the Supreme Court’s rulings in Lujan and Clapper, that plaintiffs bringing such claims lack Article III standing, an essential prerequisite to litigating in federal court. The Eleventh Circuit recently adopted this approach, holding in Tsao v. Captiva MVP Rest. Partners, LLC, that a plaintiff in a data breach litigation had failed to allege a concrete and particularized injury that was actual or imminent. 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021).
At the Eleventh Circuit, the Tsao plaintiff argued that he had standing because he “could suffer future injury from misuse of the personal information disclosed during the cyber-attack (though he has not yet), and this risk of misuse alone is enough to satisfy the standing requirement.” Tsao, 2021 U.S. App. LEXIS 3055, at *9 (emphasis in original). The Tsao plaintiff also argued that he had standing because “he has already suffered some ‘concrete, particularized’ mitigation injuries—for example, lost time, lost rewards points, and loss of access to accounts—that are sufficient to confer standing.” Id. The Eleventh Circuit rejected both arguments. As the Court stated, “[g]enerally speaking, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to personal data.” Id. at *14.
Which brings us to Hymes. There, Plaintiffs alleged that Defendant (which operates several restaurant chains nationwide) failed to “exercise reasonable care in securing and safeguarding its customers’ sensitive personal information (SPI), including the names, payment card numbers, payment card expiration dates, and payment card security codes.” The Defendant had previously disclosed that approximately 2.15 million payment card numbers of customers were stolen from its restaurants, including some restaurants in California, and placed on the dark web for sale as a result of a data breach. Plaintiffs asserted the following claims against Defendant: breach of implied contract, negligence, negligence per se, unjust enrichment, breach of confidence, and violations of Florida and California consumer protection and privacy laws.
Following litigation, the parties reached a settlement that included Defendant agreeing to establish a settlement fund of $650,000.00. Class members, consisting of those whose SPI had been disclosed in the data breach, were entitled to seek reimbursement for documented out of pocked expenses (up to $5,000, per class member) to be paid from the settlement fund. Plaintiff filed an unopposed motion for preliminary approval of the settlement, which the court refused.
Why? As the court noted, Plaintiffs’ alleged injuries track those of the plaintiff in Tsao—loss of opportunities to use the cash back and rewards programs and of the credit card itself as a result of the data breach. The court faulted the parties for not addressing Plaintiffs’ standing in seeking approval of the settlement, particularly as Plaintiffs’ counsel in this case were also involved in the Tsao litigation. However, the court did not close the door completely on signing off on the settlement down the road. It invited the parties to submit supplemental briefing on the issues addressed in the court’s decision (including whether Plaintiffs had standing in light of Tsao).
Time will tell whether Plaintiffs in Hymes will be able to salvage their settlement and obtain preliminary court approval. More broadly, it can be expected that the Eleventh Circuit’s adoption of a defendant-friendly standing standard in data breach litigations will continue to impact other pending and future filed cases. For this, and other developments in data privacy, CPW will be there. Stay tuned.