When data thieves steal payment card data, consumers suffer no legally cognizable injuries. Card issuers absorb the fraudulent charges and replace the affected cards. Because fraudulent charges are not billed to consumers, they do not show up on consumers’ credit reports or otherwise affect their credit ratings. Moreover, because the thieves end up possessing terminated and useless payment card numbers, they cannot inflict any future harm. Thus, consumers have no need for credit monitoring services – whether for free or otherwise – in the wake of a payment card data breach. With no out-of-pocket losses, no risk of future losses, and no reasonable basis to expend resources on credit monitoring, a consumer whose payment card data has been stolen has no standing to bring suit in federal court.
Nonetheless, decisions in data breach cases show that confusion on these standing issues persists. One recent example is a decision finding that a consumer has standing to sue Kimpton Hotels in connection with the theft of payment card data from the hotel chain’s payment system between February and July 2016. See Walters v. Kimpton Hotel & Restaurant Group, LLC, No. 16-cv-05387-VC (Apr. 13, 2017). The plaintiff’s amended complaint alleges that the criminals used “malicious software designed to steal credit card data on computers that operate the payment processing systems for Kimpton hotels and restaurants.” Although plaintiff further alleges that Kimpton possessed personally identifiable information about its customers, the data theft pleaded in the amended complaint solely consisted of “collect[ed] payment card data—cardholder name, card number, expiration date and internal verification code.” As Kimpton took pains to point out in its motion to dismiss and reply brief, such payment card information – which does not include addresses, birth dates or Social Security numbers – could not be used to steal the plaintiff’s identity, let alone cause him any financial loss. Because issuers bore the cost of fraud losses and had terminated compromised accounts, Kimpton contended that plaintiff had not suffered any actual loss and lacked any reasonable apprehension that he might suffer a future loss.
Kimpton’s arguments eluded the court. In a terse three-page decision, the court found that plaintiff’s allegations that he engaged in activities to monitor his credit “are sufficient to demonstrate injury for standing purposes.” Misunderstanding the full import of Kimpton’s arguments, the court went on to state that it “respectfully disagrees that a plaintiff must actually suffer the misuse of his data or an unauthorized charge before he has an injury for standing purposes.” The court suggested that there was some reasonable apprehension of future harm merely by virtue of the data thieves’ possession of the stolen card data, notwithstanding that there is zero risk that any terminated account could even be used, let alone harm plaintiff’s credit rating. Based on plaintiff’s gratuitous actions to protect himself against a non-existent threat, the court in Walters found standing to bring a consumer payment card data breach claim.
Walters (and like-minded cases cited therein to support this result) highlights the challenges that some courts face in understanding who may be harmed when a data breach occurs. Such confusion creates incentives for plaintiffs to lard their complaints with generic allegations about the threat of identity theft and how it can harm consumers, in hopes that courts will conflate that unrelated crime with the smash-and-grab tactics of payment card thieves, who steal credit and debit card numbers that will be used for a few quick purchases before the cards are shut down. To avoid such confusion, lawyers defending payment card data breach cases need to consider how to simplify standing issues in their briefing and argument, so as to help courts understand that consumers do not bear the costs of these crimes and, therefore, lack standing to sue.