Privacy & Information Security Law Blog

On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative data breach class action against Michaels Stores, Inc. (“Michaels”). The plaintiff’s injury theories were as follows: (1) the plaintiff’s credit card information was stolen and twice used to attempt fraudulent purchases; (2) the risk of future identity fraud and (3) lost time and money resolving the attempted fraudulent charges and monitoring credit. The plaintiff, however, quickly cancelled her card after learning of the unauthorized charges and did not allege that she was held responsible for any of those charges.

The Second Circuit agreed with the trial court that these injuries were not sufficient to establish Article III standing. The appellate court noted that because the plaintiff was not asked to pay (or did not pay) any fraudulent charges, this alleged injury was neither concrete nor particularized. The Second Circuit also found that the allegation of future identify fraud was not plausible because the plaintiff had cancelled the exposed credit card and no other information needed for identity fraud was stolen in the breach. Finally, the Second Circuit held that the plaintiff’s vague allegations that she and the putative class were injured due to the considerable time and expense of monitoring their financial accounts—with no further facts—lacked the substance and specificity to establish injury for Article III purposes.