Tsao v. Captiva MVP Rest. Partners, LLC

• Decision Date: 04 February 2021
• Docket Number: No. 18-14959,18-14959
• Citation: 986 F.3d 1332
• Parties: I Tan TSAO, individually and on behalf of all others similarly situated, Plaintiff-Appellant, v. CAPTIVA MVP RESTAURANT PARTNERS, LLC, A Florida Limited Liability Company doing business as PDQ, Defendant-Appellee.
• Court: U.S. Court of Appeals — Eleventh Circuit

986 F.3d 1332

I Tan TSAO, individually and on behalf of all others similarly situated, Plaintiff-Appellant,

v.CAPTIVA MVP RESTAURANT PARTNERS, LLC, A Florida Limited Liability Company doing business as PDQ, Defendant-Appellee.

No. 18-14959

United States Court of Appeals, Eleventh Circuit.

February 4, 2021

James J. Rosemergy, Carey Danis & Lowe, St. Louis, MO, Steven William Teppler, Mandelbaum Salsburg, PC, Roseland, NJ, Francis J. Flynn, The Law Office of Francis J. Flynn, Jr., Los Angeles, CA, Jeffrey J. Lowe, Jeffrey J. Lowe, P.C., Clayton, MO, for Plaintiff-Appellant.

Marie A. Borland, Robert A. Shimberg, Hill Ward & Henderson, PA, Tampa, FL, for Defendant-Appellee.

Before JORDAN, TJOFLAT, and TRAXLER,^* Circuit Judges.

TJOFLAT, Circuit Judge:

I Tan Tsao seeks to bring a number of claims against PDQ—a restaurant he patroned—following a data breach that exposed PDQ customers’ personal financial information. Tsao's appeal presents two questions. First, did Tsao have standing to sue based on the theory that he and a proposed class of PDQ customers are now exposed to a substantial risk of future identity theft, even though neither Tsao nor the class members have suffered any misuse of their information? Second, and alternatively, were Tsao's efforts to mitigate the risk of future identity theft a present, concrete injury sufficient to confer standing? For both questions, we conclude the answer is no, and we accordingly affirm the District Court's order dismissing the case without prejudice.

I.

PDQ is a group of fast casual restaurants that sells chicken tenders, chicken nuggets, salads, and sandwiches. Like most restaurants today, PDQ accepts payment through a point of sale system where customers can insert credit or debit cards to pay for their meal. When customers pay with a debit or credit card, PDQ collects some data from the cards, including the cardholder's name, the account number, the card's expiration date, the card verification value code ("CVV"), and PIN data for debit cards. PDQ then stores this data in its point of sale system and transmits the information to a third party for processing and for completion of the payment.

Beginning on May 19, 2017, a hacker exploited PDQ's point of sale system and gained access to customers’ personal data—the credit and debit card information—through an outside vendor's remote connection tool. PDQ later became aware of the breach, and on June 22, 2018, it posted a notice to customers that it had "been the target of a cyber-attack." The notice stated that "[a]ll PDQ locations in operation" between May 19, 2017, and April 20, 2018, were affected by the attack, and the notice listed the customers’ personal information that "may have been accessed": cardholder names, credit card numbers, card expiration dates, and CVVs. Because of the nature of the breach, PDQ stated that it "was not possible to determine the identity or exact number of credit card numbers or names that were accessed or acquired during" the cyber-attack. The notice repeatedly made clear that PDQ customers’ information "may" have been accessed.

In October 2017—during the data breach period—plaintiff Tsao made at least two food purchases at a PDQ restaurant in Pinellas, Florida, using two different cards. On October 8, he paid with a Wells Fargo Home Rebate card, and on October 31, he paid with a Chase Sapphire Reserve card. Both of these cards offer Tsao the ability to accrue points or rebates by making certain types of purchases—gas, dining, groceries, and travel, just to name a few. The Chase card also requires Tsao to pay an annual fee of $450.00. Because Tsao made purchases at PDQ during the breach period, the credit card data from these cards may have been accessed by hackers. So, when Tsao learned of the possible breach in 2018, he contacted both Chase and Wells Fargo and cancelled his cards.

Less than two weeks after PDQ's announcement of the cyber-attack, Tsao filed a class action complaint (the "Complaint") in the Middle District of Florida on behalf of a nationwide class, or alternatively, a separate Florida class. The Complaint lists a variety of injuries that PDQ customers allegedly suffered as a result of the cyber-attack, including "theft of their personal financial information," "unauthorized charges on their debit and credit card accounts," and "ascertainable losses in the form of the loss of cash back or other benefits." Tsao asserts that he and the class members "have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives." The Complaint also includes some general information from the Federal Trade Commission and Government Accountability Office about the risks associated with cyber-attacks and lists a few noteworthy data breaches involving the restaurant industry.

Based on these alleged injuries, the Complaint claims that PDQ (1) breached an implied contract by failing to safeguard customers’ credit card data (Count I); (2) was negligent in failing to provide adequate security for the credit card data (Count II); (3) was per se negligent because PDQ violated Section 5 of the Federal Trade Commission Act ( 15 U.S.C. § 45 ), which prohibits unfair practices that affect commerce (Count III); (4) was unjustly enriched when it received payments from the customers but failed to provide those customers with adequate data security (Count IV); and (5) violated the Florida Unfair and Deceptive Trade Practices Act by failing to, among other things, maintain "adequate ... data security practices" (Count VI). The Complaint additionally seeks a declaratory judgment stating that "PDQ's existing data security measures do not comply with its contractual obligations and duties of care" and that PDQ, in order to comply with those obligations, is required to implement and maintain a variety of security measures (Count V).

PDQ moved to dismiss the Complaint on August 28, 2018. PDQ argued that the Complaint failed to state a claim under Federal Rules of Civil Procedure 12(b)(1), (b)(6), and (b)(7) "for failure to satisfy Article III standing, to state a claim upon which relief can be granted, and/or for failure to join indispensable parties." On the standing issue, PDQ emphasized that, although customer data may have been "compromised" or "exposed" during the cyber-attack, Tsao failed to identify "a single incident involving an actual misuse of the credit card information, much less any misuse ... causing any of the customers any actual injury" (emphasis in original). Instead, PDQ argued, Tsao's claims were "premised on a fear that his credit card information may be misused at some point in the future," and since he cancelled his cards before any misuse occurred, he was foreclosed from alleging damages. And even if Tsao did incur some out-of-pocket expenses to mitigate the risk of misuse, PDQ claimed that such "manufacture[d] standing" was not enough to satisfy Article III.

Tsao's response to the motion to dismiss focused heavily on three types of injuries he allegedly suffered in his efforts to mitigate the perceived risk of future identity theft: lost cash back or reward points, lost time spent addressing the problems caused by the cyber-attack, and restricted card access resulting from his credit card cancellations. On the first point—the loss of cash back or reward points—Tsao argued that, because he cancelled his Chase and Wells Fargo cards in anticipation of possible misuse, he temporarily "lost the opportunity to accrue" the rewards connected to those cards. And on the latter two points—lost time and restricted account access—Tsao asserted that he "expended time and effort" to cancel his cards and to deal with the impact of the cyberattack, and since he cancelled the cards, he lost access to his "preferred accounts." Importantly, however, Tsao did not point to any specific instances in which his—or any other class member's—identity was stolen, cards were fraudulently charged, or data was misused. Rather, the thrust of Tsao's response was that he had standing (1) because he and the class were at an elevated risk of identity theft, or, alternatively, (2) because he took "proactive[ ]" steps to mitigate the risk of identity theft.

On November 1, 2018, the District Court dismissed Tsao's Complaint without prejudice for lack of standing. The Court noted that although Tsao claimed that his private data was "compromised" and "exposed" to criminals, not once did he allege "that his credit cards were used in any way by a thief or that his identity was stolen." Nor did Tsao identify "a single specific, concrete injury in fact that he or anyone else [ ] suffered as a result of any misuse of customer credit card information." These conclusory allegations of harm, the Court found, were speculative at best, and mere "[e]vidence of a data breach, without more, [was] insufficient to satisfy injury in fact under Article III standing."

This appeal followed. Tsao's briefing mostly retreads the arguments he made below—that he and the class are at an elevated risk of future identity theft and that he lost cash back and rewards point, time, and account access—in an effort to satisfy Article III's standing requirement. But after a careful review of the record and with the benefit of oral argument, we affirm the District Court's dismissal for lack of standing.

II.

Whether plaintiffs have standing to sue is a threshold jurisdictional question that we review de novo. Debernardis v. IQ Formulations, LLC , 942 F.3d 1076, 1083 (11th Cir. 2019). On a facial attack to a complaint for lack of standing, we take the allegations of the complaint as true. McElmurray v. Consol. Gov't of Augusta-Richmond Cty. , 501 F.3d 1244, 1251 (11th Cir. 2007).

III.

Tsao's arguments focus on two general...