Tsao v. Captiva MVP Rest. Partners, LLC

Tsao v. Captiva MVP Rest. Partners, LLC

Opinion

 [*1334]  TJOFLAT, Circuit Judge:

I Tan Tsao seeks to bring a number of claims against PDQ—a restaurant he patroned—following a data breach that exposed PDQ customers' personal financial information. Tsao's appeal presents two questions. First, did Tsao have standing to sue based on the theory that he and a  [*1335]  proposed class of PDQ customers are now exposed to a substantial risk of future identity theft, even though neither Tsao [**2]  nor the class members have suffered any misuse of their information? Second, and alternatively, were Tsao's efforts to mitigate the risk of future identity theft a present, concrete injury sufficient to confer standing? For both questions, we conclude the answer is no, and we accordingly affirm the District Court's order dismissing the case without prejudice.

PDQ is a group of fast casual restaurants that sells chicken tenders, chicken nuggets, salads, and sandwiches. Like most restaurants today, PDQ accepts payment through a point of sale system where customers can insert credit or debit cards to pay for their meal. When customers pay with a debit or credit card, PDQ collects some data from the cards, including the cardholder's name, the account number, the card's expiration date, the card verification value code ("CVV"), and PIN data for debit cards. PDQ then stores this data in its point of sale system and transmits the information to a third party for processing and for completion of the payment.

Beginning on May 19, 2017, a hacker exploited PDQ's point of sale system and gained access to customers' personal data—the credit and debit card information—through an outside vendor's [**3]  remote connection tool. PDQ later became aware of the breach, and on June 22, 2018, it posted a notice to customers that it had "been the target of a cyber-attack." The notice stated that "[a]ll PDQ locations in operation" between May 19, 2017, and April 20, 2018, were affected by the attack, and the notice listed the customers' personal information that "may have been accessed": cardholder names, credit card numbers, card expiration dates, and CVVs. Because of the nature of the breach, PDQ stated that it "was not possible to determine the identity or exact number of credit card numbers or names that were accessed or acquired during" the cyber-attack. The notice repeatedly made clear that PDQ customers' information "may" have been accessed.

In October 2017—during the data breach period—plaintiff Tsao made at least two food purchases at a PDQ restaurant in Pinellas, Florida, using two different cards. On October 8, he paid with a Wells Fargo Home Rebate card, and on October 31, he paid with a Chase Sapphire Reserve card. Both of these cards offer Tsao the ability to accrue points or rebates by making certain types of purchases—gas, dining, groceries, and travel, just to name a few. The [**4]  Chase card also requires Tsao to pay an annual fee of $450.00. Because Tsao made purchases at PDQ during the breach period, the credit card data from these cards may have been accessed by hackers. So, when Tsao learned of the possible breach in 2018, he contacted both Chase and Wells Fargo and cancelled his cards.

Full case includes Shepard's, Headnotes, Legal Analytics from Lex Machina, and more.