In re Brinker Data Incident Litig., No. 3:18-cv-686-J-32MCR, 2019 U.S. Dist. LEXIS 128573 (M.D. Fla. Aug. 1, 2019), Judge Corrigan allowed a data-breach class action to proceed. Hackers accessed Brinker’s data network and installed malware on point-of-sale (“POS”) systems at many Chili’s restaurants, which Brinker owns, develops, operates, and franchises. Brinker publicly announced the breach on May 12, 2018, stating: ”On May 11th, 2018, we learned that payment card information of some of our Guests who visited certain Chili’s® Grill & Bar corporate-owned restaurants have been compromised in a data incident. Currently, we believe the data incident was limited to between March — April 2018; however, we continue to assess the scope of the incident.”. The District Court found actual damages sufficient to meet the Spokeo standard.
Here, Plaintiffs Green-Cooper, Thomas, Sanders, Summers, and Franklin had unauthorized charges on their cards. (Doc. 39 ¶¶ 29, 30, 32, 5, 44-45). As a result of needing to replace their compromised cards, Green-Cooper, Sanders, and Franklin lost the ability to accrue cash back or point rewards. (Doc. 39 ¶¶ 28, 33, 46). Except for Lang and Alamillo, all Plaintiffs spent time disputing fraudulent charges, cancelling their credit or debit cards, monitoring their accounts for additional fraudulent activity, or placing fraud alerts on their credit files. (Doc. 39 ¶¶ 29, 30, 32, 33, 35, 45, 49). As alleged, these are personalized, concrete injuries that are neither “conjectural [n]or hypothetical.” Lujan, 504 U.S. at 560.
The District Court also held that the threat of future harm was insufficient to justify standing for those who had not suffered actual injury.
Two named plaintiffs, Lang and Alamillo, failed to allege actual injuries and attempt to allege only future injuries. The extent of Lang’s allegations are this: “Lang dined at a Chili’s location in San Jose, California on April 1, 2018, paying for his purchases with a debit card. . . . On May 21, 2018, Chili’s notified Mr. Lang that his PII was at risk as a result of the Data Breach.” (Doc. 39 ¶ 37-38). Alamillo alleges that he received an email from Chili’s informing him of the breach, he “has spent time and will continue to spend time monitoring his financial accounts for fraudulent activity[,]” and that the twelve months of free credit monitoring required him to provide his payment card information and to take affirmative steps to cancel the service after the twelve months to avoid being charged. (Doc. 39 ¶¶ 40-42). Whether these minimal allegations are sufficient to confer standing presents a closer call. An increased risk of future harm is, in some circumstances, sufficient for standing. See Clapper, 568 U.S. at 414 n.5. To constitute a concrete injury, the risk of future harm must be certainly impending—not merely possible—and cannot be too speculative. Id. at 409-10; see also City of Miami Gardens v. Wells Fargo & Co., No. 18-13152, 2019 U.S. App. LEXIS 22570, 2019 WL 3423228, at *6 (11th Cir. July 30, 2019) (finding that “[t]he delinquency of a single loan did not establish a certainly impending risk that the City [would] lose property-tax revenues or be forced to increase municipal spending to remediate blight.”). In Clapper, the plaintiffs alleged that a government surveillance program was unconstitutional. 568 U.S. at 407. The plaintiffs alleged that their jobs required privileged communications with people who might be subject to surveillance and that such surveillance would compromise the plaintiffs’ ability to do their jobs. Id. at 405-07. However, the Supreme Court found that the plaintiffs’ “objectively reasonable likelihood that their communications with foreign contacts [would] be intercepted . . . at some point in the future” was too speculative. Id. at 410. Although the Supreme Court acknowledged that a harm need not be “literally certain” to occur, and that standing can be sufficient “based on a ‘substantial risk’ that the harm will occur,” the plaintiffs lacked any knowledge about the government’s targeting practices and their allegations rested on a speculative chain of events that was not “certainly impending.” Id. 410, 414 n.5. In the data breach context, this Court looks with favor on Judge Scriven’s analysis in In re 21st Century Oncology Customer Data Sec. Breach Litig., No. 8:16-MD-2737-MSS-AEP, 2019 U.S. Dist. LEXIS 87498, 2019 WL 2151095, at *6 (M.D. Fla. Mar. 11, 2019) (compiling cases and determining that the “circuit split” on future harm standing in data breach cases is based on differing facts and not a disagreement of the law). In 21st Century Oncology, Judge Scriven parsed out three factors commonly relied upon in circuit court opinions determining whether a plaintiff has an injury in fact from the threat of future identity theft. Id. The first factor is the motive of the third-party who received the sensitive information. Id. In cases where the plaintiffs alleged a criminal motive by hackers, the court was more likely to find a concrete injury. Id. The second factor is the type of information. 2019 U.S. Dist. LEXIS 87498, [WL] at *7. Where the compromised information contains PII—social security numbers, driver’s license numbers, birthdates, etc.—the threat of future identity theft is much greater. Id. Third, is there evidence that a third-party has already accessed or fraudulently used the compromised information. 2019 U.S. Dist. LEXIS 87498, [WL] at *8. Allegations that the information has already been misused support a finding of an injury in fact. Id. Lang’s and Alamillo’s allegations are insufficient to demonstrate [*22] a future risk of harm beyond a speculative level. See id.; (Doc. 39 ¶ 37-38). Neither Lang nor Alamillo allege a “substantial risk” or “heightened risk” of future harm. See Clapper, 568 U.S. at 414 n.5; Muransky, 922 F.3d at 1188. Looking at the three factors developed in 21st Century Oncology, they fail to allege an injury in fact. Although the first factor—the motive of the hackers—supports Lang and Alamillo, the other two factors—the type of information stolen and whether it has been misused—do not. See 21st Century Oncology, 2019 U.S. Dist. LEXIS 87498, 2019 WL 2151095, at *6-8. Lang and Alamillo do not allege that their information was actually compromised—only that it is at risk. Although Lang alleges that his “PII” was involved, which could include social security numbers, driver’s license numbers, and the like, according to his own complaint this is not the type of information that Brinker collected. (Doc. 39 ¶ 64 (stating that Brinker collects the cardholder name, card number, expiration date, and CVV or PIN)). Lastly, Lang and Alamillo’s information, if even compromised, has not been misused. See 21st Century Oncology, 2019 U.S. Dist. LEXIS 87498, 2019 WL 2151095, at *6-8. Thus, the three factors do not support finding an injury in fact for standing based on future harm. See id. Additionally, Alamillo’s allegation that “he has spent time and will continue to spend time monitoring his accounts for fraudulent activity” does not constitute an injury in fact for standing. See Clapper, 568 U.S. at 409-10; (Doc. 39 ¶ 41). Monitoring one’s accounts for fraudulent activity is something many individuals do, regardless of whether they have been informed their information is at risk. And because the information collected is less likely to lead to identity theft than other types of information and it has not actually been misused, the threat of future injury, although possible, is not “certainly impending.” See Clapper, 568 U.S. at 409-10; (Doc. 39 ¶ 41). Lang and Alamillo’s minimal allegations assert only speculative future harm that does not rise to an Article III injury in fact. See Clapper, 568 U.S. at 410-414; City of Miami Gardens, 2019 U.S. App. LEXIS 22570, 2019 WL 3423228, at *6. Because the other named plaintiffs have sufficiently alleged actual injuries, the Court declines to address whether they have also alleged a sufficient future injury.