In a recent case, the U.S. Court of Appeals for the 11th Circuit weighed in on an issue that has continued to confound courts: Is there an injury caused by a data breach when victims don’t immediately suffer financial fraud? I wrote on this issue in an article with Professor Danielle Citron in 2018, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018). (Danielle and I have just completed a new piece on Privacy Harms ). In the article, Danielle and I examined the inconsistent and messy cases and attempted to set forth a coherent approach.
The most recent case to weigh in on the issue is Tan Tsao v. Captiva MVP Restaurant Partners, LLC, No. 18-14959 (11th Cir. Feb 4., 2021). PDQ, a fast food chicken restaurant chain, had a data breach where hackers accessed customer credit card data for a period of nearly a year. When the breach was announced, the plaintiff cancelled the credit cards he used at PDQ. In doing so, the plaintiff lost access to his preferred accounts, lost points and rewards, and expended time and effort. The Tsao court concluded that because the plaintiff couldn’t demonstrate that he suffered any credit card fraud, he lacked standing to sue.
In federal court, plaintiffs must demonstrate they they suffered a harm (actual or imminent injury) in order to sue. The plaintiff argued that he lost out on benefits when he cancelled his cards, but the court held that this was “manufactured” harm. The Tsao court relied on Clapper v. Amnesty International, 568 U.S. 398 (2013), where the U.S. Supreme Court held that plaintiffs can’t “manufacture” harm by spending money, time, and effort to protect themselves against surveillance that they couldn’t prove was occurring. Clapper‘s view on “manufactured” harm striking me as manufactured itself — a rather poorly-reasoned cooked-up excuse to deny standing. But the case is there, and it must be navigated around.
The Tsao court made it sound as though the plaintiff was overreacting by cancelling his credit cards — or that he was merely engaging in theatrics:
The mitigation costs Tsao alleges are inextricably tied to his perception of the actual risk of identity theft following the PDQ data breach. Tsao, by his own admission, voluntarily cancelled his credit cards, and the three types of harm he has identified flowed from that cancellation. By cancelling his cards, he voluntarily forwent the opportunity to accrue cash back or rewards points on those cards. By cancelling his cards, he voluntarily restricted access to his preferred payment cards. And by cancelling his cards, he voluntarily spent time safeguarding his accounts. Tsao cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.
But I checked into news stories about the breach, and this is what PDQ said about the breach in its notice:
“If you used a credit card for your purchase at a PDQ restaurant during the breach period, then your credit card number, expiration date, cardholder verification value and or name may have been accessed or acquired by a hacker,” the company said.
Call me crazy and alarmist, but if I were told that my credit card information may have been accessed or acquired by a hacker — including the cardholder verification value (CVV) — I might reasonably conclude that my credit cards were compromised. Had the notification said “don’t worry, be happy, because hackers steal credit card data just to have fun rather than to use it ” then the plaintiff’s reaction might seem unwarranted. When notified that hackers have your credit card data, it’s reasonable to do more than just shrug. The test should be whether a mitigation effort was reasonable. If the answer is yes, then harm isn’t “manufactured.”
Throughout the opinion, the court emphasizes that the notification said that people’s credit card data “may” have been accessed or acquired, but it’s hard to know anything with the certainty of the law of gravity, so good lawyers will always write “may” whenever they can. In my view, this shouldn’t affect how a reasonable normal person should construe the notice.
I am unable to find the full notification, as PDQ has removed the breach notification information from its website, which used to be here. Another account of the notification quotes it as saying that customers “should remain vigilant in reviewing your account statements closely, monitoring free credit reports, and report any unauthorized charges to your card issuer immediately.” These notifications are written by lawyers who are very careful to thread the needle by not misrepresenting the risk yet not working people up into a panic attack. So notifications give vague instructions to people to be “vigilant.” But what if a person prefers to be proactive rather than to just be vigilant, constantly monitoring credit reports and waiting around like a sitting duck for the fraudulent charges to start popping up? Is it unreasonable to be proactive?
In all this, the consumers come out looking like chumps, no matter what they do. Breach notification is a charade, as are court cases like this that treat people like idiots for acting reasonably in response to a breach notification.
There’s now a major circuit split on the issue of data breach harms, so perhaps this means that the U.S. Supreme Court will weigh in. In a concurrence to the Tsao decision, Judge Jordan notes inconsistencies with another 11th Circuit case and states: “Hopefully the Supreme Court will soon grant certiorari in a case presenting the question of Article III standing in a data breach case.” I’m not encouraged by this, as so far the Supreme Court’s standing opinions in Clapper and Spokeo, Inc. v. Robins are quite abysmal — not only are they wrong, but they are confusing (and I’m being generous by using this term). I am not optimistic that more Supreme Court “clarity” about standing will help.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum an annual event designed for seasoned professionals.