The U.S. Court of Appeals for the Second Circuit recently upheld the dismissal of a class action lawsuit involving a data breach of credit card information. The data breach, without more, failed to create an injury sufficient for purposes of Article III standing.
The named plaintiff had made purchases at defendant-retailer’s store via credit card. Shortly thereafter, unauthorized parties attempted to use plaintiff’s credit card information to make purchases in Ecuador, causing the plaintiff to promptly cancel her credit card. According to a press release issued by the defendant confirming that a data breach occurred, no other personally identifying information, such as birth dates or Social Security numbers of its customers was stolen. Plaintiff did not allege that any fraudulent charges were actually incurred on the card, or that she incurred any liability as a result of the attempted fraudulent purchases. Plaintiff also did not plead any specific facts regarding any time or effort monitoring her credit as a result of the breach. The complaint only alleges: “consumers must expend considerable time” on credit monitoring; and “the Class suffered additional damages based on the opportunity cost and value of time that [she] and the Class have been forced to expend to monitor their financial and bank accounts.”
The district court dismissed the lawsuit for lack of standing, since plaintiff had not suffered any injury. The court explained plaintiff did not incur any actual charges on her credit card. Plaintiff also failed to allege any specific facts about time or money spent in monitoring her credit as a result of the breach.
On appeal, the Second Circuit affirmed the district court in an unpublished opinion. In response to plaintiff’s argument that she faces the future risk of identity theft, the Court explained that claims of future harm must be “certainly impending” and not purely speculative to support standing. Here plaintiff failed to show any risk of future harm since there was no evidence or allegations that other personal information was stolen, and her credit card was promptly cancelled.
However, the Court did not completely foreclose the possibility of a plaintiff suing in the wake of a data breach where the plaintiff did not incur any fraudulent charges. As the Court noted, the plaintiff did not seek leave to her complaint to include more “concrete” allegations of harm, such specific facts regarding any time or effort that she personally spent monitoring her credit.
The case is Whalen v. Michaels Stores, Inc.