In Tsao v. Captiva MVP Rest. Partners, Ltd. Liab. Co., No. 18-14959, 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021), the Court of Appeals for the 11th Circuit held that a data theft victim had no Article III standing.
We begin with Tsao’s theory that he has Article III standing because he faces a “substantial risk of identity theft, fraud, and other harm in the future as a result of the data breach.” Although this Circuit has not addressed the issue head-on, a number of our sister circuits have, and they are divided. On the one hand, the Sixth, Seventh, Ninth, and D.C. Circuits have all recognized—at the pleading stage—that a plaintiff can establish injury-in-fact based on the increased risk of identity theft. See Attias v. Carefirst, Inc., 865 F.3d 620, 629, 431 U.S. App. D.C. 273 (D.C. Cir. 2017); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387-89 (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694-95 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 633-34 (7th Cir. 2007). On the other hand, the Second, Third, Fourth, and Eighth Circuits have declined to find standing on that theory. See Beck v. McDonald, 848 F.3d 262, 273-76 (4th Cir.), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307, 198 L. Ed. 2d 728 (2017); Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90-91 (2d Cir. 2017); In re SuperValu, Inc., 870 F.3d 763, 770-72 (8th Cir. 2017); Reilly v. Ceridian Corp., 664 F.3d 38, 42-44 (3d Cir. 2011). Of course, we are not bound by any of these cases, but a brief overview of their reasoning is helpful. Generally speaking, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to personal data. . . .
We are persuaded by the reasoning of the Eighth Circuit in SuperValu, and the facts of that case map closely to the facts of this one. Here, as the plaintiffs did in SuperValu, Tsao has alleged that hackers may have accessed and stolen customer credit card data “including the cardholder name, the account number, expiration date, card verification value (‘CVV’), and PIN data for debit cards.” And here, just like the plaintiffs in SuperValu, Tsao cites to the 2007 GAO Report on data breaches in support of his theory that the PDQ hack may result in future identity theft. But we, like the Eighth Circuit in SuperValu, believe the GAO Report actually demonstrates why there is no “substantial risk” of identity theft here. Tsao has not alleged that social security numbers, birth dates, or driver’s license numbers were compromised in the PDQ breach, and the card information allegedly accessed by the PDQ hackers “generally cannot be used alone to open unauthorized new accounts.” GAO Report at 30. So, based on the GAO Report, it is unlikely that the information allegedly stolen in the PDQ breach, standing alone, raises a substantial risk of identity theft.
The Court of Appeals also held that the Plaintiff’s mitigation efforts did not confer standing.
It is well established that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 568 U.S. at 416, 133 S. Ct. at 1151; see also Muransky, 979 F.3d at 931 (citing Clapper and stating the same). In Muransky, this Court held that a plaintiff’s mitigation costs—there, “additional time destroying or safeguarding his receipt”—were insufficient to confer standing because there was no substantial risk of identity theft. Muransky, 979 F.3d at 931. Although we noted that allegations of “wasted time” could sometimes “state a concrete harm for standing purposes,” we noted that Muransky’s “management-of-risk claim [wa]s bound up with his arguments about actual risk,” id. at 930-31 (quotations and citations omitted). As a result, Muransky’s “assertion of wasted time and effort necessarily r[ose] or f[ell] along with” the Court’s determination of whether there was a substantial risk of harm. Id. at 931. So too here. The mitigation costs Tsao alleges are inextricably tied to his perception of the actual risk of identity theft following the PDQ data breach. Tsao, by his own admission, voluntarily cancelled his credit cards, and the three types of harm he has identified flowed from that cancellation. By cancelling his cards, he voluntarily forwent the opportunity to accrue cash back or rewards points on those cards. By cancelling his cards, he voluntarily restricted access to his preferred payment cards. And by cancelling his cards, he voluntarily spent time safeguarding his accounts. Tsao cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft. To hold otherwise would allow “an enterprising plaintiff . . . to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Clapper, 568 U.S. at 416, 133 S. Ct. at 1151.
The law does not permit such a result.