The U.S. Court of Appeals for the Second Circuit ruled on May 3 that a plaintiff who claimed that her credit card information was stolen in a data breach, but who failed to point to any particular out-of-pocket expense or inconvenience, does not have Article III standing to sue. In summarily affirming the dismissal of plaintiff’s complaint, the Second Circuit explained that amorphous fear of an increased threat of identity theft is not sufficient to create standing. The Second Circuit also held that, where a data breach has exposed only credit card information, and the plaintiff cancels the credit card, there is no plausible risk of future harm sufficient to confer standing.
Bloomberg reported earlier this year that 2016 saw a 40 percent year-over-year increase in the number of data breaches, with worldwide spending on data security services rising from $68.2 billion in 2015 to $73.7 billion in 2016. Those figures do not include litigation costs, which have ballooned as data breaches have become a routine basis for litigation. The Second Circuit’s decision provides defendants with some relief. The decision will not affect lawsuits in which plaintiffs can show an actual injury stemming from a breach, but it shows that claims based on breaches that result in no financial loss to the consumer and where the consumer is not at imminent risk of future harm are unlikely to survive a standing challenge, at least in federal courts in the Second Circuit (New York, Connecticut, and Vermont).
The decision also adds momentum to the trend of recent cases holding that no standing arises from the mere loss of credit card information.
The defense was led by a cross-office team from Sidley’s office in Dallas and its Washington cybersecurity group, working together with Sidley lawyers in New York and Chicago.