Eleventh Circuit Denies Article III Standing Based on Future Harm from Data Breach


By: Matt Foree

The United States Court of Appeals for the Eleventh Circuit recently held that future harm from a data breach does not provide Article III standing to a plaintiff. By doing so, the Eleventh Circuit weighed in on the ongoing debate among the circuit courts. The case is Tsao v. Captiva MVP Rest. Partners, LLC, which can be found here

In Tsao, the plaintiff raised claims individually and on behalf of a class against a restaurant following a data breach that exposed the restaurant’s customers’ personal financial information. The case dealt with the concept of Article III standing, which concerns a person’s ability to file suit in federal court. Under Article III of the Constitution, the jurisdiction of a federal court is limited to cases and controversies. To satisfy the case or controversy requirement, a plaintiff must have standing to sue. For a plaintiff to have standing, he must have suffered an injury in fact, that is fairly traceable to the challenged conduct of the defendant, and that is likely to be redressed by a favorable judicial decision. 

The plaintiff in Tsao did not allege injury based on misuse of personal information or based on identity theft occurring as a result of the data breach. Instead, he raised two general theories of standing. First, he argued that he could suffer future injury from misuse of the personal information disclosed during the cyber-attack, even though he had not yet, and that this risk of misuse alone was enough to satisfy the standing requirement. Then he argued that he has already suffered some concrete, particularized mitigation injuries including lost time, lost rewards points, and loss of access to accounts, that are sufficient to confer standing.

As part of its analysis, the Eleventh Circuit considered recent case law and distilled two legal principles relevant to the plaintiff’s claims. First, it determined that a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm. Second, if the hypothetical harm alleged is not certainly impending or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on himself to mitigate a perceived risk. 

With these principles in mind, the Eleventh Circuit began by considering plaintiff’s theory that he had Article III standing because he faced a substantial risk of identity theft, fraud, and other harm in the future as a result of the data breach. The Eleventh Circuit considered the opinions of its sister circuits, which are divided. It recognized that on the one hand, the Sixth, Seventh, Ninth, and D.C. Circuits have all recognized at the pleading stage that a plaintiff can establish injury in fact based on the increased risk of identity theft. On the other hand, it recognized that the Second, Third, Fourth, and Eighth Circuits have declined to find standing on that theory.

After considering the decisions of its sister circuits, the Eleventh Circuit determined that plaintiff did not meet his burden to show that there was a substantial risk of harm or that such harm is certainly impending. As part of its decision, it underscored three key considerations. First, it recognized that it recently held that conclusory allegations of an elevated risk of identity theft are not enough to confer standing. Second, it held that the plaintiff only offered vague, conclusory allegations that members of the class suffered a debt and actual misuse of their personal data, i.e., unauthorized charges, but conclusory allegations of injury were not enough to confer standing. Finally, plaintiff canceled his credit cards following disclosure of the breach, effectively eliminating the risk of credit card fraud in the future. Therefore, the Eleventh Circuit determined that evidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing, such that it follows that plaintiff did not have standing based on an increased risk of identity theft.

The Eleventh Circuit then turned to plaintiff’s claim that he suffered actual, present injuries in his efforts to mitigate the risk of identity theft caused by the data breach. It determined that it is well established that plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending. It determined that the mitigation costs plaintiff alleged are inextricably tied to his perception of the actual risk of identity theft following the data breach. Therefore, it found that plaintiff could not conjure standing by inflicting injuries on himself to avoid an insubstantial, non-eminent risk of identity theft. 

In sum, the Eleventh Circuit held that plaintiff lacked Article III standing because he could not demonstrate a substantial risk of future identity theft or that identity theft is certainly impending and also because he could not manufacture standing by in current cost and anticipation of non-eminent harm.  By doing so, the court upheld the dismissal of plaintiff’s claims.  Importantly, this decision contributes to the disagreement among the circuit courts as to whether future harm resulting from a data breach can form the basis of a lawsuit in federal court.

If you have questions or would like more information, please contact Matt Foree at