Cancelled Credit Cards: Substantial Risk of Future Injury as a Basis for Standing in Data Breach Cases

SMU Law Review, May 2018

By Jennifer Wilt, Published on 05/21/18

A PDF file should load here. If you do not see its contents the file may be temporarily unavailable at the journal website or you do not have a PDF plug-in installed and enabled in your browser.

Alternatively, you can download the file locally and open with any standalone PDF reader:

https://scholar.smu.edu/cgi/viewcontent.cgi?article=4737&context=smulr

Cancelled Credit Cards: Substantial Risk of Future Injury as a Basis for Standing in Data Breach Cases

Cancelled Credit Cards: Substantial Risk of Future Injur y as a Basis for Standing in Data Breach Cases Jennifer Wilt 0 0 Southern Methodist University SUBSTANTIAL RISK OF FUTURE INJURY AS A BASIS FOR STANDING IN DATA BREACH CASES Jennifer Wilt* IEighth Circuit deepened the circuit split on the issue of whether the N In re SuperValu, Inc. (subsequently referred to as Alleruzzo), the substantial risk of future identity theft is sufficient to establish the injury-in-fact prong of standing.1 In Clapper v. Amnesty Int’l USA, the Supreme Court addressed substantial risk of injury as a basis for standing.2 The Court held that the future injury alleged in the complaint was insufficient for standing because it “relie[d] on a highly attenuated chain of possibilities.”3 Several circuits, coming to varying conclusions, have applied Clapper in data breach cases to determine whether the increased risk of future identity theft is sufficient to satisfy the injury-in-fact requirement.4 In Alleruzzo, the court applied Clapper to hold that fifteen of the named plaintiffs had not alleged a substantial risk of future identity theft sufficient for standing.5 The Eighth Circuit was correct in its holding because limiting the application of substantial risk as a basis for standing simplifies the analysis and prevents generalized claims from making it into the courts. Particularly in the context of data breaches, limitations must be placed on the standing doctrine to prevent wasting judicial resources. In the summer of 2014, retail grocery stores operated by SuperValu suffered two cyberattacks on their computer network that processed customers’ payments.6 As a result of the breaches, hackers gained access to customers’ names, credit or debit card numbers, card expiration dates, card verification value codes, and personal identification numbers.7 The plaintiffs were customers who shopped at SuperValu stores using a credit * J.D. Candidate, SMU Dedman School of Law, May 2019; M. Ed. University of North Texas, May 2015; B.A. University of Oklahoma, December 2011. The author would like to thank everyone who supported her decision to attend law school. 1. See 870 F.3d 763, 769 (8th Cir. 2017). 2. See 568 U.S. 398, 401 (2013). 3. Id. at 410. 4. Alleruzzo, 870 F.3d at 769. 5. Id. at 771. 6. Id. at 765–66. 7. Id. at 766. or debit card.8 Fifteen of the sixteen named plaintiffs alleged substantial risk of future identity theft, claiming that they had spent time determining if their cards were compromised and monitoring account information.9 Only one plaintiff alleged a fraudulent charge following the breach.10 The customers affected by the data breaches alleged that SuperValu had failed to adequately protect customers’ card information and failed to conform to best practices and industry standards for merchants accepting payment by credit or debit card.11 As a result, the plaintiffs were exposed to the “imminent and real possibility of identity theft.”12 The district court granted SuperValu’s motion to dismiss based on the plaintiffs’ failure to allege an injury in fact sufficient for standing.13 In determining standing, the district court considered the sixteen named plaintiffs’ claims collectively and concluded that a single fraudulent charge alleged by only one plaintiff was insufficient.14 The plaintiffs appealed this decision based on their theory of substantial risk of future identity theft.15 On appeal, the Eighth Circuit affirmed the dismissal of the fifteen named plaintiffs who alleged only the substantial risk of future identity theft and reversed the dismissal of the named plaintiff who alleged a fraudulent charge on his account.16 The Eighth Circuit affirmed the dismissal of the claims alleging substantial risk of future injury for two primary reasons. First, the allegations that plaintiffs’ information had been misused were too speculative.17 In supporting their theory of injury, the plaintiffs alleged that illegal websites were selling their information and that their financial institutions were attempting to mitigate the risk, which the court rejected as a basis for standing.18 Second, the court determined that the theft of plaintiffs’ credit or debit card information did not create a substantial risk of future injury, and the costs of mitigating any supposed risk were insufficient to create an injury in fact.19 In analyzing the issue of substantial risk, the court emphasized the absence of risk where the stolen information merely consists of credit card information.20 Since this information alone cannot be used to open new accounts, there is little risk that anyone will use the stolen information to commit any fraud.21 Despite the relatively low bar for standing at the 8. Id. at 767. 9. Id. 10. Id. 11. Id. at 766. 12. Id. 13. Id. at 767. 14. Id. at 768. 15. Id. at 768–69. 16. Id. at 774. 17. Id. at 770. 18. Id. 19. Id. at 770–71. 20. Id. 21. Id. at 770. 2018] pleading stage, the court reasoned that “[i]t is (...truncated)


This is a preview of a remote PDF: https://scholar.smu.edu/cgi/viewcontent.cgi?article=4737&context=smulr

Jennifer Wilt. Cancelled Credit Cards: Substantial Risk of Future Injury as a Basis for Standing in Data Breach Cases, SMU Law Review, 2018, Volume 71, Issue 2,