The U.S. Court of Appeals for the Eighth Circuit has issued a second opinion in the last few weeks on the “injury-in-fact” necessary for Article III standing in putative class actions involving data breaches. In the most recent case, involving a large retail grocer, the Eighth Circuit found that mere exposure of certain financial information did not constitute an injury sufficiently concrete and imminent to establish Article III standing, but that a single instance of fraudulent charges resulting from such a data breach was sufficient to convey standing for class claims.
In Alleruzzo v. SuperValu, Inc., customers brought a multistate putative class action arising from two data breaches that allowed hackers access to customer payment card information, including names, credit or debit account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs). Plaintiffs alleged that, as a result of the data breaches, they were subject to the imminent and real possibility of identity theft. Plaintiffs separately claim that they were injured by being forced to spend time monitoring their accounts. One putative class representative, however, did experience a fraudulent charge to his account as a result of the breach.
To establish Article III standing on the basis of potential future injury, the threatened injury must be “certainly impending” or there must be a “substantial risk” that the harm will occur. The district court dismissed the class complaint, finding that none of the plaintiffs had alleged an injury-in-fact sufficient to establish Article III standing. On appeal, the Eighth Circuit reversed that ruling, in part, finding that, although heightened risk of identity theft was not sufficiently “substantial” to convey standing, the single instance in which a plaintiff experienced a fraudulent charge on his credit card was sufficient.
Focusing on the fact that the card information allegedly stolen did not contain any personally identifying information (“PII”)—social security numbers, birth dates, or driver’s license numbers—the appellate court concluded that there was “little to no risk” that the stolen information could be used to open unauthorized accounts. In response to claims that plaintiffs incurred expense in taking steps to mitigate their risk of identity theft, the court held that plaintiffs’ efforts to protect themselves against such a speculative threat could not alone convey standing.
WBK wrote about the previous Eighth Circuit opinion here.