Last week, in Tsao v. Captiva MVP Restaurant Partners, LLC (Captiva), the U.S. Court of Appeals for the 11th Circuit held that data breach claims arising from increased risk of future identity theft and potential mitigation effort costs, WITHOUT any evidence of actual data misuse or harm, did not satisfy Article III standing. With this decision, the 11th Circuit joins several other Circuit courts in holding that a plaintiff must establish evidence of harm to satisfy standing requirements. To date, the 1st, 2nd, 3rd, 4th and 8th Circuits have also held that plaintiffs may not establish Article III injury-in-fact based on increased risk of harm.

In the Captiva case, the plaintiff’s payment card data were not actually misused following a data breach, and therefore the plaintiff did not present an injury-in-fact sufficient to establish standing. Tsao’s complaint alleged only a future risk of identity theft, because hackers MIGHT have accessed his payment card information, and losses from mitigation efforts, such as cancelling his potentially affected credit card account and the lost benefits related to that cancellation, such as loss of reward points. However, the court held that plaintiffs may not manufacture standing in this manner.

The decision can be found at 2021 WL 381948 (11th Cir. Feb. 4, 2021).

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.