The U.S. Court of Appeals for the Second Circuit recently affirmed the dismissal of a “data breach” lawsuit against a retailer, holding that the plaintiff lacked standing for failure to allege a cognizable injury.

A copy of the opinion in Whalen v. Michaels Stores, Inc. is available at: Link to Opinion.

The plaintiff made credit card purchases at a retail store and, two weeks later, her credit card information was fraudulently presented to make purchases in a foreign country. The plaintiff immediately cancelled her credit card and the fraudulent charges were not incurred on the card, nor was she liable for them.

Shortly thereafter, the retailer issued a press release concerning a possible data breach in its computer system that involved the theft of customers’ credit card and debit card data and later confirmed the breach. The retailer offered 12 months of identity protection and credit monitoring services to affected customers.

The plaintiff sued the retailer alleging breach of implied contract and New York’s deceptive business practices act, N.Y. General Business Law § 349, and the retailer filed a motion to dismiss.

The trial court granted the motion to dismiss holding that the plaintiff’s allegations did not establish Article III standing because she did not incur any actual charges on her credit card and she did not allege with any specificity that she had spent time or money monitoring her credit to prevent identity theft or fraudulent credit activity. The plaintiff appealed from the dismissal.

On appeal, the Second Circuit explained that Article III standing requires that a plaintiff allege an injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”

The plaintiff’s theory of liability asserted that she faced a risk of future identity fraud, and that she had lost time and money resolving attempted fraudulent charges and monitoring her credit. The Second Circuit found that such a “future injury” had to be “certainly impending,” not speculative.

The Court pointed out that the plaintiff’s credit card had been cancelled, such that no further fraudulent charges were possible, and that none of her personal identifying information, such as her birth date or Social Security number were alleged to be stolen; such future identity theft was not alleged.

In addition, the plaintiff admitted that she had not paid any fraudulent charges, and she did not allege any specific facts about the time or effort she purportedly spent monitoring her credit. Instead, the Court noted, she made general allegations about consumers expending “considerable time” on credit monitoring to avoid fraud and asserted class damages and did not seek leave to amend her complaint to add more specific allegations to sustain her claims.

The Second Circuit found the plaintiff’s allegations insufficient to establish concrete, particularized injury, and therefore that the plaintiff failed to achieve Article III standing.

The Court noted that the plaintiff’s lack of sufficient allegations distinguished her complaint from other retailer data breach cases, such as Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), in which the personal information of the class members was stolen such that a risk of future identity theft was possible, and the named plaintiffs asserted specific factual injuries concerning their expenses to monitor their credit reports for fraudulent activity. In each of those cases, the Seventh Circuit found that the plaintiffs had established Article III standing as their allegations supported the conclusion that their future informational injuries were “certainly impending.”

Accordingly, the trial court’s order granting the defendant retailer’s motion to dismiss was affirmed.