Florida District Court Dismisses Wendy’s Data Breach Class Action for Lack of Standing

ORDER

This cause comes before the Court on the following:

1. The Wendy’s Company’s Motion to Dismiss Plaintiff’s Class Action Complaint (Doc. 27), filed April 4, 2016;

2. Plaintiff’s Opposition to Defendant’s Motion to Dismiss (Doc. 35), filed April 28, 2016; and

3. The Wendy’s Company’s Reply Brief in Further Support of its Motion to Dismiss Plaintiff’s Complaint (Doc. 50), filed May 20, 2016.

Upon consideration, Wendy’s motion is due to be granted. However, Plaintiff will be given an opportunity to amend his Complaint.

I. BACKGROUND

This putative class action stems from Plaintiff’s, Jonathan Torres, allegations that Defendant, The Wendy’s Company (“Wendy’s”), failed to adequately secure and safeguard his and other customers’ financial information. (Doc. 1). Plaintiff alleges that hackers used malicious malware to gain access to the computer systems at Wendy’s locations throughout the United States and stole copies of Wendy’s customers’ privateinformation, specifically their payment card data (“PCD”) and their personal identifiable information (“PII”). (Id. ¶ 2). On January 3, 2016, Plaintiff visited a Wendy’s restaurant in Orlando, Florida and purchased food using his debit card. (Doc. 6, ¶ 6). Shortly thereafter, his credit union contacted him to inform him that his debit card had been used to make purchases at Sport’s Authority in the amount of $200 and Best Buy in the amount of $377.74. (Id.). Plaintiff informed his credit union that the charges were unauthorized and reported the theft to police. (Id.). On January 27, 2016, Wendy’s announced in a press release that it had discovered malicious malware on its payment processing system. (Id. ¶ 21).

Plaintiff alleges that his debit card number was stolen due to the data breach at Wendy’s. (Id.). He states that when a consumer makes a purchase at Wendy’s using a debit or credit card, Wendy’s retains PCD related to that card, including the card holder’s name, the account number, the expiration date, the card verification value (CVV), and the PIN data for the debit card. (Id. ¶ 12). Wendy’s then sends this information to a third party for payment completion. (Id.). Plaintiff claims that the breach at issue here ultimately took place because Wendy’s maintains an insufficient and inadequate system to protect its customers’ private information. (Id. ¶ 29). He alleges that, as a result of his private information being stolen, he faces years of constant surveillance and monitoring of his financial and personal records. (Id. ¶ 38). Specifically, Plaintiff alleges that he has been placed at an “imminent, immediate, and continuing risk of harm from identity theft and identity fraud, requiring [him and class members] to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives” including having to alert their credit reporting agencies, contact their financial institutions, modify financial accounts, and closely review and monitor their credit reports and accounts for unauthorized activity.” (Id. ¶ 41).

On February 8, 2016, Plaintiff filed his putative Class Action Complaint. Count I alleges a claim for breach of implied contract. Count II alleges a claim for negligence. Finally, Count III alleges a claim under Florida’s Deceptive and Unfair Trade Practices Act. Defendant now moves to dismiss Plaintiff’s Class Action Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). In its motion, Wendy’s argues that the Class Action Complaint should be dismissed because Jonathan Torres—the only named Plaintiff in this action—has failed to allege a cognizable injury-in-fact and that he therefore lacks Article III standing to pursue this case. In the alternative, Wendy’s argues that the Class Action Complaint should be dismissed for failing to state a claim upon which relief can be granted.

II. DISCUSSION

Standing to bring and maintain a lawsuit is a fundamental component of a federal court’s subject matter jurisdiction. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1146 (2013). Challenges to standing therefore attack the court’s subject matter jurisdiction to adjudicate the parties’ dispute. Stalley ex rel. United States v. Orlando Reg’l Healthcare Sys., Inc., 524 F.3d 1229, 1232 (11th Cir. 2008) (per curiam). The plaintiff bears the burden of proving standing, which requires a three-part showing: (1) the plaintiff suffered or will imminently suffer an injury-in-fact; (2) a causal connection exists between this injury and the defendant’s conduct; and (3) the plaintiff’s injury is likely to be redressed by a favorable decision. Mulhall v. UNITE HERE Local 355, 618 F.3d 1279, 1286 (11th Cir. 2010) (subsequent history omitted).

To establish injury-in-fact, the plaintiff must demonstrate that he holds “a legally cognizable interest that has been or is imminently at risk of being invaded.” Id. at 1286. At the pleading stage, this requirement is not particularly onerous and will be satisfied by “general factual allegations of injury resulting from [Defendant’s] conduct.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). However, such injury must be “certainly impending to constitute injury in fact” and “‘[a]llegations of possible future injury’ are not sufficient.” Clapper, 133 S. Ct. at 1147 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)).

A. Actual Monetary Loss

This case presents the issue of when, exactly, the loss or theft of an individual’s data becomes a concrete injury for purposes of establishing standing. Wendy’s first argues that because Plaintiff has not suffered an out-of-pocket loss, he does not have standing to bring this lawsuit. Wendy’s contends that while Plaintiff experienced two fraudulent charges on his debit card, Plaintiff does not allege that those charges went unreimbursed by his credit union, or that he suffered any additional unreimbursed costs in connection with the alleged fraudulent charges. Plaintiff, on the other hand, argues that his injuries amount to actual identity theft which he asserts is sufficient to confer standing.

The Eleventh Circuit, to date, has not directly addressed the extent of injury that a consumer who is a purported victim of a data breach must allege to survive a motion to dismiss based on lack of standing. However, the Eleventh Circuit has considered the related topic of identity theft. In Resnick v. AvMed, Inc., the Eleventh Circuit held that where a plaintiff experiences actual identity theft and suffers monetary damages as a result, such harm is sufficient to satisfy the injury-in-fact element of standing. 693 F.3d 1317, 1323 (11th Cir. 2012). In Resnick, two laptop computers containing customers’ sensitive health information were stolen from the defendant’s corporate office. Id. at 1322. The information included the customers’ Social Security numbers, names, addresses, and phone numbers. Id. The defendant corporation had not taken steps to secure the laptops which were later sold to a third-party. Id. Two of the named plaintiffs became the victims of actual identity theft. Id. One plaintiff’s information was used to open bank accounts and credit cards in her name which were later used to make fraudulent charges. Id. Additionally, her home address was changed with the U.S. Postal Service. Id. A second plaintiff’s information was used to open a brokerage account in her name which was subsequently overdrawn. Id.

The Resnick Court swiftly concluded:

Whether a party claiming actual identity theft resulting from a data breach has standing to bring suit is an issue of first impression in this Circuit. Plaintiffs allege that they have become victims of identity theft and have suffered monetary damages as a result. This constitutes an injury in fact under the law.

Id. at 1323; see also Burrows v. Purchasing Power, LLC, No. 1:12-cv-22800-UU, 2012 WL 9391827, at *2 (S.D. Fla. Oct. 18, 2012) (following Resnick and holding that plaintiff had standing where his PII was used to file a false federal income tax return in his name).1

While “actual identity theft” was not explicitly defined in Resnick, other district courts have concluded that mere fraudulent charges on debit or credit cards do not rise to the level of actual identity theft sufficient to establish standing. See, e.g., Whalen v. Michael Stores, Inc., No. 14-CV-7006(JS)(ARL), 2015 WL 9462108, at *3, 5 (E.D.N.Y. Dec. 28, 2015) (holding that there was no actual injury or monetary loss where the plaintiff experienced an attempted fraudulent charge on his credit card which was ultimately not approved), appeal filed, No. 16-352 (2d Cir. Feb. 5, 2016); Burton v. MAPCO Express, Inc., 47 F. Supp. 3d 1279, 1281, 1285 (N.D. Ala. 2014) (holding that there was no actual injury or monetary loss where the plaintiff experienced several fraudulent charges on his credit card which were later reimbursed); In re Barnes & Noble Pin Pad Litig., No. 12-CV- 8617, 2013 WL 4759588, at *6 (N.D. Ill. Sept. 3, 2013) (holding that there was no actual injury or monetary loss where the plaintiff experienced a fraudulent charge on her credit card which was later reimbursed).

Even assuming that Plaintiff’s two fraudulent charges would satisfy the Resnick Court’s definition of actual identity theft, Plaintiff has not alleged any monetary harm stemming from the two fraudulent charges. Plaintiff has not alleged that the two fraudulent charges went unreimbursed by his credit union and has experienced no additional actual harm since then. Following Resnick and the majority of district courts that have addressed this issue, the Court finds that Plaintiff has not alleged that he experienced actual harm sufficient to establish injury-in-fact.

B. Future Harm

Plaintiff argues that he and his putative class members also have standing based on the imminent threat of future harm. Here, Plaintiff alleges that he is at risk of “imminent and certainly impending injury flowing from potential fraud and identity theft” by virtue of having his personal information stolen. (Doc. 1, ¶ 42(b)). He additionally alleges that hesuffered “the loss of use of and access to [his] account funds and costs associated with the inability to obtain money from [those] accounts.” (Id. ¶ 42(j)).

Wendy’s contends that speculative future harm cannot confer standing on Plaintiff. Specifically, Wendy’s argues that even though Plaintiff alleges that he is at risk of future identity theft and fraud, the risk is too remote to establish standing. In Clapper, the United States Supreme Court held that to establish standing when alleging future harm, the injury must be “certainly impending to constitute injury in fact” and “‘[a]llegations of possible future injury’ are not sufficient.” 133 S. Ct. at 1147 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). While the Supreme Court has acknowledged “imminence is . . . a somewhat elastic concept,” the plaintiff must provide more than “allegations of possible future injury.” Id. at 114 (internal quotation marks omitted). While Clapper was not a data breach case, its analysis is particularly applicable in such cases where the plaintiff’s sole allegation of harm is that he is in imminent danger of future harm by virtue of his identity having be stolen.

The majority of courts post-Clapper have rejected the threat of future harm in data breach cases as insufficient to confer standing absent allegations that harm is “certainly impending.” See, e.g., Whalen, 2015 WL 9462108, at *5; In re Zappos.com, Inc., 108 F. Supp. 3d 949, 958–59 (D. Nev. 2015); Green v. eBay, Inc., No. 14-1688, 2015 WL 2066531, at *6 (E.D. La. May 4, 2015); Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 344 (M.D. Pa. 2015). For these courts, one influential factor is the number of plaintiffs in the class action who experienced fraudulent charges. For example, the court in In reSuperValu, Inc. held that plaintiffs did not have standing where only one of the named plaintiffs experienced a single unauthorized charge on his credit card following the alleged data breach. No. 14-MD-2586 ADM/TNL, 2016 WL 81792, at *5–6 (D. Minn. Jan. 7, 2016).

Plaintiff counters that he is at an increased risk of future identity theft because his personal data was stolen. (Doc. 1, ¶ 42(b)). Plaintiff relies on the holding in Remijas v. Neiman Marcus Group, LLC to establish that this future harm is enough to confer standing on him. 794 F.3d 688, 694 (7th Cir. 2015). In Remijas, 350,000 credit cards were exposed to malware, of which 9,200 were known to have been used fraudulently. Id. at 690. The Seventh Circuit held that the plaintiffs had standing where they demonstrated a substantial risk of future harm that was certainly impending. Id. at 694. It was of no moment that the plaintiffs “were later reimbursed [for the fraudulent charges] and that the evidence [did] not yet indicate that their identities (as opposed to the data) [had] been stolen,” because “there [were] identifiable costs associated with the process of sorting things out.” Id. The Remijas Court went on to state that the plaintiffs should “not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Id. at 693 (quoting Clapper, 133 S. Ct. at 1147). Thus, the time and money the plaintiffs spent in resolving the fraudulent charges, as well as the increased risk of future fraudulent credit and debit card purchases and future identity theft, were sufficient to confer standing on the plaintiffs.2

This case is distinguishable from Remijas because in that case, over 9,200 customers’ credit cards experienced fraudulent charges following the breach. Id. at 690. In the instant case, it is unclear the size of the Data Breach and how many other customers were affected. The Class Action Complaint indicates that, to date, only Plaintiff was affected by the Data Breach, and he has not asserted any out-of-pocket losses that current case law is willing to recognize. Moreover, Plaintiff has only experienced two fraudulent charges on his card in January 2016 and has not reported any fraudulent charges since that time.

Plaintiff’s other allegations do not aid him in establishing standing. Plaintiff alleges that he suffered “ascertainable losses in the form of out-of-pocket expenses” to mitigate the data breach, (Doc. 1, ¶ 42(f)), and that he incurred “costs associated with [the] inability to obtain money from [his] account.” (Id. ¶ 42(i)). However, plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 133 S. Ct. at 1151. The majority of courts in data breach cases have held that “the cost to mitigate the risk of future harm does not constitute an injury in fact unless the future harm being mitigated against is itself imminent.” In re SuperValu, 2016 WL 81792, at *7. Here, it is unclear what these out-ofpocket monetary losses were and how they are related, if at all, to the two fraudulent charges on Plaintiff’s debit card. Additionally, it does not appear that the risk of future harm being mitigated against is imminent. Thus, the cost to mitigate the risk is not sufficient to confer standing based on the Complaint’s allegations.

Plaintiff also alleges that his stolen PII and PCD have now lost value (Doc. 1, ¶ 42(g)), and that he overpayed Wendy’s for products and services purchased during theData Breach (id., ¶¶ (h)). Other courts have similarly rejected these allegations as insufficient injury to confer standing on a plaintiff in a data breach case. As to Plaintiff’s stolen PII and PCD, he alleges that there is an established national and international market for this data. However, Plaintiff does not explain how this information became less valuable after the Data Breach. See Whalen, 2015 WL 9462108, at *4. (“[W]ithout allegations about how her cancelled credit card information lost value, Whalen does not have standing on this ground.”). As to Plaintiff’s allegation that he overpayed for Wendy’s products and services, he asserts that a portion of the price paid was for the costs of reasonable and adequate safeguards and security measures. This claimed harm is without merit. Plaintiff has failed to allege that Wendy’s charges a different price for credit card payments and cash payments. See id.

Based on the foregoing, Plaintiff has not adequately proven Article III standing. Plaintiff’s alleged harm is highly speculative based on the facts and the asserted injuries do not appear “certainly impending” under Clapper. For the aforementioned reasons, the Class Action Complaint must be dismissed for lack of subject matter jurisdiction. However, because Plaintiff has not had an opportunity to amend the Class Action Complaint, and because Plaintiff properly requests leave of Court to do so in his response, the Court will allow Plaintiff to file an Amended Class Action Complaint to cure the deficiencies identified in this Order, if possible.

III. CONCLUSION

Accordingly, it is ORDERED AND ADJUDGED as follows:

1. The Wendy’s Company’s Motion to Dismiss Plaintiff’s Class Action Complaint (Doc. 27) is GRANTED.

2. Plaintiff’s Complaint (Doc. 1) is DISMISSED WITHOUT PREJUDICE.

3. Plaintiff may amend his Complaint on or before July 29, 2016 if appropriate. Failure to file an Amended Complaint by this date will result in the Court closing the case without further notice to the parties.

DONE AND ORDERED in Orlando, Florida on July 15, 2016.

1 The Resnick Court also declined to address whether speculative harm, such as the threat of future identity theft standing alone, would be sufficient to confer standing. Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 n.1. However, in dicta, the Court acknowledged that, in the context of identity theft, some circuit courts of appeal “have found that even the threat of future identity theft is sufficient to confer standing in similar circumstances.” Id.

2 Following Remijas, the Seventh Circuit once again held in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 966–67 (7th Cir. 2016), that the plaintiffs had standing due to their increased risk of fraudulent charges and identify theft from having their data stolen, as well as experiencing fraudulent charges, spending money on a credit monitoring service, and spending time and effort monitoring their financial information to guard against future fraud.