This week, the U.S. Court of Appeals for the Second Circuit issued an important decision in Whalen v. Michaels Stores, placing the court at the center of the controversy around what allegations are sufficient to establish Article III standing in data breach class actions. In Whalen, the plaintiff alleged that payment card information stolen in a data breach was used in unsuccessful, attempted fraudulent transactions. The payment card owner further alleged that she faced an increased risk of future identity fraud, forcing her to spend time and money resolving the attempted fraudulent charges and monitoring her credit. The court ruled that these allegations did not establish a concrete injury sufficient to confer Article III standing.
Michaels Store, Inc. (“Michaels”) is an arts and craft retail chain. On January 25, 2014, Michaels notified its customers in press release of “possible fraudulent activity on some U.S. payment cards.” The company announced that it was investigating the incident and advised customers to monitor their credit accounts for unauthorized charges. On April 17, 2014, Michaels confirmed the existence of a data breach in another press release. The company reported that hackers had used a “highly sophisticated malware” to retrieve payment card information from the computer systems of Michaels and its subsidiary, Aaron Brothers. However, Michaels also reported that there was no evidence that the hackers had obtained any other customer information, such as names, addresses, or PIN numbers. Michaels estimated that approximately 2.6 million payment cards may have been affected for the period between May 8, 2013 and January 27, 2014. As a result, the company offered free identity protection and credit monitoring services for twelve months to affected customers.
Mary Jane Whalen made purchases with her credit card at a Michaels store on December 21, 2013. On January 14 and 15, 2014, Whalen’s credit card information was used unsuccessfully in two attempted fraudulent transactions in Ecuador. On January 15, 2014, Whalen cancelled her credit card. No other fraudulent transactions were either incurred or attempted on Whalen’s credit card.
On December 2, 2014, Whalen filed a putative class action against Michaels, alleging claims for breach of implied contract and violation of New York General Business Law § 349. On December 28, 2015, the district court dismissed the complaint, finding that Whalen lacked standing because she “neither alleged that she incurred any actual charges on her credit card, nor, with any specificity, that she had spent time and money monitoring her credit.” Whalen v. Michaels Stores, Inc., No. 16-260 (L); 16-335 (XAP), Summary Order, at 3 (2d Cir. May 3, 2017).
The Second Circuit affirmed the district court’s dismissal, concluding that Whalen “alleged no injury that would satisfy the constitutional standing requirements of Article III.”Whalen, at 4. Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147-48, 1151 (2013), the Second Circuit explained that a plaintiff must allege an injury that is “concrete, particularized, and actual or imminent’ and that a “threatened injury must be certainly impending,” rather than simply speculative. Id. at 3-4. The Second Circuit further elaborated that, under Clapper, a “theory of standing[] which relies on a highly attenuated chain of possibilities[] does not satisfy the requirement threatened injury must be certainly impending.” Id. at 5 (citation omitted).
Turning to Whalen’s factual allegations, the Second Circuit rejected the three theories of injury that Whalen had raised. Whalen had alleged that (1) her credit card information was stolen and used in two attempted fraudulent transactions; (2) she faced a risk of future identity theft; and (3) she had lost time and money resolving the attempted the fraudulent charges and monitoring her credit. The Second Circuit found that “Whalen does not allege a particularized and concrete injury suffered from the attempted fraudulent purchases… she never was either asked to pay, nor did pay, any fraudulent charge. And she does not allege how she can plausibly face a threat of future fraud, because her stolen credit card was promptly canceled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.” Id. at 4. The Second Circuit also found that “Whalen pleaded no specifics about any time or effort that she herself ha[d] spent monitoring her credit,” instead relying on the general allegation that the putative class had suffered damages based on “the opportunity cost and value of time” they had been forced to expend to monitor their financial accounts. Id.
Whalen puts the Second Circuit in the middle of a Circuit split concerning what allegations are sufficient to establish Article III standing in data breach class actions. On one end of the spectrum, the Sixth Circuit in Galaria and the Seventh Circuit in Neiman Marcus and P.F. Chang’s have held that plaintiffs can plead a concrete injury that will satisfy Article III by alleging that their personal information was stolen, they face an increased risk of future harm and they have incurred mitigation costs in response to that risk. The Sixth and Seventh Circuits have also held an offer by a company to provide free identity fraud protection and credit monitoring following a data breach can be inferred to establish that the company recognizes that the risk of future harm from the breach is substantial.
On the opposite end of the spectrum, the Second Circuit in Whalen and the Fourth Circuit in Beck have heightened pleading requirements for standing in data breach cases. Plaintiffs in the Second and Fourth Circuits cannot rely on general allegations of increased risk of identity theft from stolen personal information coupled with mitigation costs to establish a concrete injury. Nor can they rely on an offer of free credit monitoring by a company to supplement those otherwise deficient factual allegations. Instead, these plaintiffs must allege actual injuries, such as successful fraud charges based on stolen personal information that creates liability on the part of the payment card owner, to survive a motion to dismiss for lack of standing. This Circuit split is not likely to be resolved if and until the Supreme Court weighs in on the issue.