Second Circuit Weighs in on Data Breach Standing

In a post on February 14, 2017, we wrote regarding the Fourth Circuit’s decision in Beck v. McDonald (848 F.3d 262, 268 (4th Cir. 2017)), a case in which the Court found that an increased risk of future identity theft was insufficient to confer constitutional standing on a plaintiff seeking to bring an action arising from a data breach in which personal information was stolen. We also noted that although a circuit split on this issue remained (with the First and Third Circuits in agreement with that conclusion, and the Sixth, Seventh, and Ninth Circuits in disagreement), it seemed likely that as the case law evolved, the Fourth Circuit’s analysis in Beck would become the predominant way that courts look at the issue. A recent Summary Order from the Second Circuit in the matter of Whalen v. Michaels Stores, Inc., No. 16-260 (L), 2017 WL 1556116 (2d. Cir. May 2, 2017) lends support to that conclusion.

The facts of Whalen are straightforward. The plaintiff (Whalen) made credit card purchases at a Michael’s store in December, 2013. Whalen’s complaint alleged that in January, 2014, her credit card was physically presented for payment, on two separate occasions, in Ecuador, and that after learning of those charges, she cancelled the card. In Late January, 2014, Michael’s issued a press release stating that there had been a possible data breach of its system, apparently involving theft of customers’ credit card and debit card data. The company announced that it was investigating the breach, and advised customers to monitor their credit accounts and be vigilant about unauthorized charges. On April 17, 2014, in another press release, Michael’s confirmed the existence and scope of the data breach, noting that there was no evidence that other customer personal information, such as name, address or PIN, was at risk. Whalen subsequently sued, asserting claims for breach of an implied contract and for violation of New York General Business Law § 349. The District Court dismissed Whalen’s claims for lack of standing, concluding that she had failed to allege a cognizable injury from the exposure of her credit card information. An appeal followed.

On appeal, the Second Circuit affirmed, finding that Whalen failed to allege an injury that was “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and re-dressable by a favorable ruling.” (Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013)). In particular, the Circuit noted that Whalen’s theories of injury (that her credit card information was stolen and used twice in attempted fraudulent purchases; that she faces a risk of future identity fraud; and that she has lost time and money resolving the attempted fraudulent charges and monitoring her credit) could not be considered a concrete injury suffered from the attempted fraudulent purchases. The Court noted: “she never was either asked to pay, nor did pay, any fraudulent charge. And she does not allege how she can plausibly face a threat of future fraud, because her stolen credit card was promptly canceled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.” In addition, Whalen did not plead any specifics about any time or effort that she herself has spent monitoring her credit.

As was the case in Beck, the Second Circuit’s decision makes sense. Here, the compromised credit card was canceled. There were no allegations that any fraudulent charges were actually incurred on the card. There were no allegations that any other personal information was taken in the breach. In fact, the allegations of the purported injury were so sparse, that is likely that the Complaint would have been dismissed under the more lenient “threated injury” standard applied in the Sixth, Seventh and Ninth Circuits. In those Circuits, a plaintiff can plead a concrete injury that will satisfy Article III standing by generally alleging that their personal information was stolen, that they face an increased risk of future harm, and that and they incurred costs mitigating the risk. Here, Whalen does not appear to have satisfied even general allegations of an increased risk of future identity theft: she did not allege than any personal information (other than the credit card number, which was cancelled) was stolen, nor did she allege that she suffered any credit monitoring (or other) costs relating to the breach.

Now, seven Circuits have spoken on the issue, with four of them indicating that there should be a heightened pleading requirement for Article III standing, and three deciding the other way. So the question remains: will class action counsel be forum shopping these cases in the future, or will the Supreme Court settle the issue one and for all. As with most things, time will tell.