Early in May, the U.S. Court of Appeals for the Second Circuit in Whalen v. Michaels Stores, Inc., No. 16-260 (L) (2d Cir. May 2, 2017), affirmed the dismissal of a data breach class action brought against Michaels Stores Inc. (Michaels) for failing to sufficiently allege an injury to support standing. This decision is significant because it widens the existing circuit split on what allegations constitute an injury-in-fact, particularly where a plaintiff seeks standing by alleging a substantial risk of harm resulting from a data breach.

Background and Procedural History

In January 2014, Michaels notified its customers of “possible fraudulent activity on some U.S. payment cards” and then later confirmed that hackers obtained information from its systems relating to approximately 2.6 million credit and debit cards. Although Michaels noted that there was no evidence that the hackers retrieved any other customer information (e.g., names, addresses or personal identification numbers), it offered its customers 12 months of free credit monitoring services. Plaintiff learned that she was one of the affected customers after a credit card she used for payment at Michaels was later physically presented twice in Ecuador for attempted payments she did not authorize. Plaintiff did not pay for either charge and canceled her credit card promptly thereafter.

Plaintiff filed a data breach class action in the U.S. District Court for the Eastern District of New York, alleging she suffered actual damages and faces an increased risk of future harm. Yet the court dismissed the class action for lack of standing because Plaintiff did not allege that she suffered any unreimbursed charges. 153 F.Supp.3d 577 (E.D.N.Y. Dec. 28, 2015). Among other things, the court found that Plaintiff did not allege that she was required to pay the charges made in Ecuador, and that any allegations regarding time or money spent to mitigate the data breach did not support an injury-in-fact. The court also found Plaintiff’s allegations of increased risk of future harm to be unavailing because nearly two years had passed and she had not experienced any additional fraudulent charges after she canceled her credit card.

Second Circuit Decision

On appeal, the Second Circuit found that Plaintiff did not satisfy the standard set forth by the Supreme Court in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013), that a plaintiff must allege an injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” The Second Circuit reasoned that Plaintiff “never was either asked to pay, nor did pay, any fraudulent charge.” The Second Circuit also reasoned that Plaintiff did not plead any specifics about the amount of time or money she spent monitoring her credit. Moreover, the Second Circuit found that Plaintiff failed to sufficiently allege a future injury, which must be “certainly impending” and not “simply speculative,” because she promptly canceled her credit card after the breach and did not allege that any other personally identifiable information (PII) was stolen. Although the Second Circuit attempted to distinguish the facts and circumstances in Whalen from those in some of the cases discussed below, its application seemed to deepen the existing split between various circuit courts on what constitutes a substantial risk of harm in data breach class actions.

Circuit Split on Pleading Standard for Substantial Risk of Harm

With Whalen, the Second Circuit joined the First, Third and Fourth Circuits, which also require heightened pleading to establish an injury in data breach class actions when alleging substantial risk of harm. See Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011); Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017); cf. Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (interpreting risk of harm where no breach occurred but defendant allegedly failed to adequately protect information). These circuits require pleading more than merely the fact that a plaintiff’s PII was stolen to support standing. And neither the Second nor the Fourth Circuit inferred a threat of future harm from an offer to provide free credit monitoring services to affected individuals.

In contrast, both the Sixth and Seventh Circuits have made such an inference. See, e.g., Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). And the Sixth, Seventh and Ninth Circuits have also found that a plaintiff has standing where the data breach allegedly targeted PII and mitigation costs have been incurred. See, e.g., Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).

Because this widening circuit split encourages forum shopping and creates uncertainty about the pleading standard for substantial risk of harm in data breach class actions, it is ripe for review by the Supreme Court.