Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

Second Circuit Holds Purported Class Action Plaintiff Failed to Establish Article III Standing in Data Breach Case

Courts Privacy/Cyber Risk & Data Security


In a summary order handed down May 2, the Second Circuit Court of Appeals held that a plaintiff in a purported class action lacked Article III standing to bring claims against a retailer for breach of an implied contract and for violation of New York General Business Law § 349 arising out of a data breach of the retailer’s systems. See Whalen v. Michaels Stores, Inc., __ Fed. App’x __, Nos. 16-260, 16-352 (2d Cir. May 2, 2017). The consumer-plaintiff had made purchases with her credit card at one of the defendant’s stores, and following the data breach, her credit card was physically presented to pay for two unauthorized charges in Ecuador. The fraudulent charges occurred on consecutive days, with the plaintiff canceling her card on the same day as the second charge. The defendant offered 12 months’ credit monitoring and there was no indication that personally identifying information such as plaintiff’s date of birth or social security number was stolen. Plaintiff argued that she was injured by: (i) the theft of her credit card information and the two fraudulent-purchase attempts, (ii) the risk of future identity fraud, and (iii) the time and money she spent resolving the attempted fraudulent charges and monitoring her credit.

Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the court concluded that plaintiff did not allege a concrete and particularized injury sufficient to confer Article III standing. As to plaintiff’s first argument, the Court reasoned that she was never “asked to pay, nor did pay, any fraudulent charge.” As to the second argument, the Court stated that there was no threat of future fraud because the plaintiff’s stolen credit card was “promptly canceled,” and “no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.” The third argument was likewise inadequate because the plaintiff “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”

The court also noted that these shortcomings distinguished the plaintiff from plaintiffs in other data breach cases held to have adequately established Article III standing. See Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x 384 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015).

Share page with AddThis