Cancelled Credit Cards: Substantial Risk of Future Injury as a Basis for Standing in Data Breach Cases
Cancelled Credit Cards: Substantial Risk of Future Injur y as a Basis for Standing in Data Breach Cases
Jennifer Wilt 0
0 Southern Methodist University
SUBSTANTIAL
RISK
OF
FUTURE INJURY
AS A BASIS FOR
STANDING IN
DATA
BREACH
CASES
Jennifer Wilt*
IEighth Circuit deepened the circuit split on the issue of whether the
N In re SuperValu, Inc. (subsequently referred to as Alleruzzo), the
substantial risk of future identity theft is sufficient to establish the
injury-in-fact prong of standing.1 In Clapper v. Amnesty Int’l USA, the
Supreme Court addressed substantial risk of injury as a basis for
standing.2 The Court held that the future injury alleged in the complaint was
insufficient for standing because it “relie[d] on a highly attenuated chain
of possibilities.”3 Several circuits, coming to varying conclusions, have
applied Clapper in data breach cases to determine whether the increased
risk of future identity theft is sufficient to satisfy the injury-in-fact
requirement.4 In Alleruzzo, the court applied Clapper to hold that fifteen of
the named plaintiffs had not alleged a substantial risk of future identity
theft sufficient for standing.5 The Eighth Circuit was correct in its holding
because limiting the application of substantial risk as a basis for standing
simplifies the analysis and prevents generalized claims from making it
into the courts. Particularly in the context of data breaches, limitations
must be placed on the standing doctrine to prevent wasting judicial
resources.
In the summer of 2014, retail grocery stores operated by SuperValu
suffered two cyberattacks on their computer network that processed
customers’ payments.6 As a result of the breaches, hackers gained access to
customers’ names, credit or debit card numbers, card expiration dates,
card verification value codes, and personal identification numbers.7 The
plaintiffs were customers who shopped at SuperValu stores using a credit
* J.D. Candidate, SMU Dedman School of Law, May 2019; M. Ed. University of
North Texas, May 2015; B.A. University of Oklahoma, December 2011. The author would
like to thank everyone who supported her decision to attend law school.
1. See 870 F.3d 763, 769 (8th Cir. 2017).
2. See 568 U.S. 398, 401 (2013).
3. Id. at 410.
4. Alleruzzo, 870 F.3d at 769.
5. Id. at 771.
6. Id. at 765–66.
7. Id. at 766.
or debit card.8 Fifteen of the sixteen named plaintiffs alleged substantial
risk of future identity theft, claiming that they had spent time
determining if their cards were compromised and monitoring account
information.9 Only one plaintiff alleged a fraudulent charge following the
breach.10
The customers affected by the data breaches alleged that SuperValu
had failed to adequately protect customers’ card information and failed
to conform to best practices and industry standards for merchants
accepting payment by credit or debit card.11 As a result, the plaintiffs were
exposed to the “imminent and real possibility of identity theft.”12 The
district court granted SuperValu’s motion to dismiss based on the
plaintiffs’ failure to allege an injury in fact sufficient for standing.13 In
determining standing, the district court considered the sixteen named
plaintiffs’ claims collectively and concluded that a single fraudulent
charge alleged by only one plaintiff was insufficient.14 The plaintiffs
appealed this decision based on their theory of substantial risk of future
identity theft.15
On appeal, the Eighth Circuit affirmed the dismissal of the fifteen
named plaintiffs who alleged only the substantial risk of future identity
theft and reversed the dismissal of the named plaintiff who alleged a
fraudulent charge on his account.16 The Eighth Circuit affirmed the
dismissal of the claims alleging substantial risk of future injury for two
primary reasons. First, the allegations that plaintiffs’ information had been
misused were too speculative.17 In supporting their theory of injury, the
plaintiffs alleged that illegal websites were selling their information and
that their financial institutions were attempting to mitigate the risk, which
the court rejected as a basis for standing.18 Second, the court determined
that the theft of plaintiffs’ credit or debit card information did not create
a substantial risk of future injury, and the costs of mitigating any
supposed risk were insufficient to create an injury in fact.19
In analyzing the issue of substantial risk, the court emphasized the
absence of risk where the stolen information merely consists of credit card
information.20 Since this information alone cannot be used to open new
accounts, there is little risk that anyone will use the stolen information to
commit any fraud.21 Despite the relatively low bar for standing at the
8. Id. at 767.
9. Id.
10. Id.
11. Id. at 766.
12. Id.
13. Id. at 767.
14. Id. at 768.
15. Id. at 768–69.
16. Id. at 774.
17. Id. at 770.
18. Id.
19. Id. at 770–71.
20. Id.
21. Id. at 770.
2018]
pleading stage, the court reasoned that “[i]t is (...truncated)