In the latest decision on Article III standing in a data breach case, the U.S. Court of Appeals for the Second Circuit ruled that a credit card holder – who neither pleaded specific facts about the time or effort spent monitoring her credit after a data breach, nor sought leave to amend her complaint to do so – lacked standing to pursue a putative class action against Michaels Stores, Inc. In a Summary Order issued earlier this week, the court affirmed the dismissal of claims related to a cyber-attack on the specialty retailer that affected 2.6 million credit cards and exposed payment card information.
In her complaint, plaintiff Mary Jane Whalen alleged that, the day after making purchases on her credit card at a Michaels store, her card was used twice for unauthorized purchases in Ecuador. She cancelled her credit card the following day and did not allege that she was liable for any fraudulent charges, but claimed that she faced an increased risk of future identity fraud and had lost time and money resolving fraudulent charges and monitoring her credit. The Second Circuit held that these allegations fell short of the “concrete and particularized” injury that Article III requires for standing to sue.
The lawsuit arose after a cyber-attack in early 2014. In a series of press releases, the company disclosed that “highly sophisticated malware” was used to compromise payment card information but confirmed that “[t]here is no evidence that other customer personal information, such as name, address or PIN, was at risk….” The company offered 12 months of identity protection and credit monitoring to affected customers.
In her complaint, the plaintiff asserted claims for breach of implied contract and violation of New York General Business Law Section 349 (“Deceptive acts and practices”). The district court dismissed the complaint because plaintiff “neither alleged that she incurred any actual charges on her credit card, nor, with any specificity, that she had spent time and money monitoring her credit.”
Affirming the dismissal, the Second Circuit held that plaintiff did not allege “a particularized and concrete injury suffered from the attempted fraudulent purchases … she never was either asked to pay, nor did pay, any fraudulent charge.” In addition, the court noted that there were no allegations as to how she could face the risk of future fraud, since her credit card was cancelled shortly after the breach and there was no allegation that personally identifiable information such as her Social Security number or birth date had been compromised in the data breach. Finally, her complaint “alleges only that ‘consumers must expend considerable time’ on credit monitoring,” and plaintiff did not put forth any specific allegations as to her alleged lost opportunity cost and the value of time expended to monitor her financial affairs as a result of the breach.
This ruling adds to the mix of federal appeals court cases on precisely what allegations are sufficient to establish Article III standing in a data breach complaint. In both the Sixth and Seventh Circuits (which we have reported on here), panels have held that plaintiffs can plead a concrete injury by alleging that their personal information has been compromised, that they face an increased risk of future fraud, and that they have incurred expenses as a result. These cases have also held that the offer of free credit card monitoring after a breach suggests that there is a risk of future injury. Other courts, including the Fourth Circuit (which we have reported on here), have taken a tougher view of standing and require specific allegations as to actual injuries.
We will continue to follow the development of these cases.