Those who tuned in to McGuireWoods’ data breach class action webinar last month know that attacking the plaintiff’s standing can be an effective defense strategy in these cases.  Here’s our analysis of the most recent appellate decision on that issue.

Last Tuesday, the Second Circuit Court of Appeals affirmed the district court’s dismissal of a putative class action filed against a merchant in connection with a data breach of customer information, holding that the cardholder failed to allege sufficient injury to establish standing.

The decision adds yet another data point for practitioners feeling out the boundaries for when the exposure of personal information creates a legal right to sue.

In Whalen v. Michaels Stores, Inc., the plaintiff alleged that shortly after she made in-store purchases with her credit card, her card information was used in Ecuador in attempted purchases of a gym membership and concert tickets.  She cancelled her card upon learning of those attempts, and did not allege those charges were ever approved.

In rejecting the plaintiff’s arguments in favor of standing, the Second Circuit emphasized that she failed to allege that she actually incurred or paid those charges, and also discounted her assertion that she faced risk of future identity fraud—noting that she had already cancelled her card, and failed to allege that her name, birth date, or social security number were among the information stolen.

Notably, the court also found insufficient her allegation that she suffered damages “based on the opportunity cost and value of time” that she spent monitoring her account.  In so holding, the court interpreted the “particularized” component of Article III’s “concrete and particularized injury” requirement to require the plaintiff to plead specifics about the time and effort expended.

The Second Circuit expressly distinguished prior decisions from the Seventh Circuit holding that the victims of a data breach alleged sufficient injury to invoke Article III standing.  On a closer review, however, it is not always easy to draw a clean line between the injuries alleged in Whalen and some of those deemed sufficient by the Seventh Circuit.

For example, in Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit held the plaintiffs had sufficiently alleged injury based on an increased risk of future fraudulent charges and identity theft, notwithstanding that the data breach in that case also only involved the theft of card information and not personal information such as social security numbers or birth dates.

Similarly, the court in Remijas deemed sufficient allegations that the plaintiffs lost time and money protecting themselves against future identity theft—allegations not dissimilar from those rejected in Whalen.

Although we have yet to arrive at a unified theory of standing in data breach cases, Whalen does provide a helpful piece of line-drawing, illustrating that a plaintiff who does not incur fraudulent charges—and cancels her card before any fraudulent charges are incurred—may have trouble convincing a court that she has suffered sufficient injury from a data breach to confer standing.