Hebeh Refaei, Contributing Member 2020-2021, Intellectual Property and Computer Law Journal
As online transactions and electronic storage of personal information occur more frequently, especially during the COVID-19 pandemic, consumers should consider whether their claims could be heard in court when companies’ privacy protections are inadequate. Global eCommerce transactions increased by 20% between January through November 2019 and January through November 2020. By volume, fraud attempts from 2019 to 2020 increased by 1.7%, and by value, fraud attempts increased by 3.4%. One of the fundamental principles of the U.S. court system is that everyone should be allowed to have their day in court. However, a plaintiff must have standing to be able to sue. Under Article III of the U.S. Constitution, federal courts only have jurisdiction over “cases and controversies.” To satisfy the requirements under Article III, a plaintiff must establish standing. The Sixth, Seventh, Ninth, and D.C. Circuits have ruled that an increased risk of identity theft can establish standing to sue an organization that exposed individuals’ personal data to hackers. However, the Second, Third, Fourth, Eighth, and Eleventh Circuits have held that plaintiffs who claim they were harmed by an increased risk of identity theft do not have standing to file a suit against an entity that exposed the plaintiffs to the identity theft. The circuits that reject the existence of standing in these cases fail to fully consider the consequences of these rulings.
Regulation of Credit and Debit Card Data
Credit and debit cards fall under the general term “Payment Card Industry,” or PCI. American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc. founded the Payment Card Industry Security Standards Council, or PCI SSC, to regulate credit and debit card data security. The PCI SSC defines payment cards as any payment card or device that bears the logo of any of the founding members of PCI SSC. PCI SSC develops a security standard called the “Payment Card Industry Data Security Standard,” or PCI DSS. The founding members of PCI SSC enforce this standard. The federal government does not develop or enforce standards that organizations must follow to protect credit and debit cardholder data, but in 2016, the U.S. Federal Trade Commission (FTC) ordered organizations that analyze compliance with PCI DSS to provide the FTC with those organizations’ analysis methodology. Additionally, the Consumer Financial Protection Bureau within the FTC regulates credit card companies and lending organizations but does not currently regulate the protection of cardholder data. The Government Accountability Office, or GAO, is an independent non-partisan agency that collects and analyzes data on how Congress and Federal Agencies spend money. While the GAO analyzed data breaches and recommended that Congress pass federal legislation, neither the GAO nor Congress enforces regulations on organizations that store credit and debit card data for purchases. PCI DSS binds all entities that store, process, or transmit cardholder data. Some of the standard’s requirements include installing a firewall, encrypting cardholder data, regularly updating anti-virus software, and tracking and monitoring access to cardholder data.
Compliance with the PCI DSS is continuously decreasing. The Verizon Forensics Team develops Payment Security Reports, which analyze (1) PCI DSS, (2) organizations that are required to meet the standard, and (3) organizations that are hacked. Of the organizations the Verizon Forensics Team reviewed, 27.9 percent were fully compliant with PCI DSS, which is 8.8 percent less than in 2018. The number of fully compliant organizations also decreased by 5 percent between 2017 and 2018. The Verizon Forensics Team analyzes data breaches and organizations that comply with the PCI DSS and develops annual Payment Security Reports that are publicly accessible. Of the organizations the Verizon Forensics Team investigated, none of the organizations complied with PCI DSS when hackers accessed the organization’s data. Furthermore, “it’s not that hackers are finding novel ways of infiltrating these organizations . . . all the weak points exploited by attackers in PCI compliance breaches were explicitly covered by the PCI DSS.” PCI DSS develops a standard that all organizations that use payment cards must follow. However, the number of organizations that comply with those standards is continuously decreasing, which increases the risk of exposing customers’ data.
For plaintiffs to establish standing, they must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” The plaintiff “bears the burden of establishing these elements by alleging facts that ‘plausibly’ demonstrate each element.” The facts can be general factual allegations that “plausibly and clearly alleged a concrete injury,” and the injury must be “actual or imminent, not conjectural or hypothetical.” Tangible injuries, which include economic injuries and lost time, are actual or imminent. For hypothetical future harm to satisfy the “actual or imminent” requirement, the hypothetical future harm must be “certainly impending” or a “substantial risk” of the harm must exist. If the harm “is not ‘certainly impending’ or there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.”
While there are numerous cases from all of the circuits considering this standing issue, this article will focus on four cases. The cases are from the Seventh, Ninth, Eighth, and Eleventh Circuits. The Seventh Circuit, in Remijas v. Neiman Marcus Group, and Ninth Circuit, in Zappos.com v. Stevens, held an increased risk of identity theft can establish standing. The remaining two cases are from the Eighth and Eleventh Circuits. The Eighth Circuit, in Alleruzzo v. SuperValu, Inc., and the Eleventh Circuit, in Tsao v. Captive MVP Restaurant Partners, held that plaintiffs alleging an increased risk of identity theft cannot establish standing. The Seventh and Ninth Circuits more thoroughly consider the impact breaches of cardholder data have on consumers.
Analyses of Cases
Remijas v. Neiman Marcus Group
The Seventh Circuit held an increased risk of identity theft is enough to establish standing in Remijas v. Neiman Marcus Group. Between July 16, 2013, and October 30, 2013, hackers attacked Neiman Marcus’s storage of customers’ credit and debit card information. Neiman Marcus was aware of the cyberattack in December 2013 but did not announce it to the public until January 10, 2014. The plaintiffs filed a class action against Neiman Marcus. The plaintiffs argued that they lost time and money fixing the fraudulent charges and protecting themselves from future identity theft. The plaintiffs also claimed that they lost money purchasing items from Neiman Marcus because they would not have purchased those items if they knew of Neiman Marcus’s inadequate cybersecurity. The plaintiffs then argued they “lost control over the value of their personal information.” Additionally, the plaintiffs claimed “two imminent injuries: an increased risk of future fraudulent charges and greater susceptibility to identity theft.”
The complaint alleged the customers’ personal data had been stolen and 9,200 plaintiffs had fraudulent charges on their credit and debit cards and they received reimbursement for the fraudulent charges. The plaintiffs also argued that the cyberattack made them more susceptible to identity theft and future fraudulent charges that would not be reimbursed. The court explained that the Supreme Court held a plaintiff can have standing if there is a “substantial risk” that the harm is likely to occur. The court found there was a “substantial risk” that the harm is likely to occur because the hackers stole and used the credit card information. Therefore, “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” A GAO Report concluded that hackers could hold personal information for one year or longer before it is used to commit identity theft, and if hackers post the personal information online, it could be used for years. The court concluded that because future harm is “certainly impending” or there is a “substantial risk” that harm will occur, the plaintiffs suffered an injury in fact. To establish a plaintiff has suffered an injury in fact, the injury must be “(a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.”
The court also explained that the plaintiffs’ injuries are “fairly traceable” to the data breach at Neiman Marcus. Tort common law shifts the burden “to the defendants to prove their negligent actions were not the ‘but-for’ cause of the injury.” Because Neiman Marcus admitted that 350,000 credit and debit cards may have been stolen and warned the customers of the risk, the plaintiffs’ injuries are fairly traceable to Neiman Marcus.
Lastly, the court explained that a judicial opinion can redress the plaintiffs’ injuries despite past fraudulent charges being reimbursed because this does not protect the plaintiffs from future harm, such as future mitigation expenses. Companies have different reimbursement policies and they correct fraudulent charges on credit cards differently than debit cards, which would harm some plaintiffs if future fraudulent charges or identity thefts occur. The plaintiffs proved they suffered an injury in fact because the plaintiffs established the future harm was “certainly impending” or there was a “substantial risk” the harm would occur. Furthermore, the plaintiffs’ harm was fairly traceable to Neiman Marcus, because of Neiman Marcus’s actions after the data breach. Finally, a court ruling would redress the plaintiffs’ injuries because a court ruling could provide relief for future harm. The plaintiffs had standing to sue Neiman Marcus because all the elements necessary to establish standing existed in this case.
Zappos.com v. Stevens
In Zappos.com v. Stevens, the Ninth Circuit held plaintiffs who had claims based on a cybersecurity attack, but not any illegal activity that followed the attack, had standing to sue the organization that exposed the plaintiffs to the cybersecurity attack. The plaintiffs brought a class action suit against Zappos.com after a data leak exposed the plaintiffs’ names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information to hackers. A class of plaintiffs filed suit the same day Zappos.com notified them of the breach and claimed they were at an increased risk of identity fraud or theft.
The Ninth Circuit Court of Appeals previously held in Krottner v. Starbucks Corp. that an increased risk of identity theft is sufficient to establish standing. However, the Ninth Circuit Court of Appeals decided Krottner before the U.S. Supreme Court case Clapper v. Amnesty International USA. Therefore, the Ninth Circuit Court of Appeals had to consider whether Krottner remained good law after the Supreme Court decided Clapper. In Clapper, the Supreme Court held plaintiffs lack standing when there is a “speculative multi-link chain of inferences.” When determining whether there was a “speculative multi-link chain of inferences,” the Court considered how many independent actions would have to occur before a plaintiff would be injured. In Krottner, there was not a “speculative multi-link chain of inferences” because the hackers had direct access to the personal information. Additionally, the Court’s analysis in Clapper was rigorous because the facts of the case implicated national security and separation of powers concerns. The Court also reemphasized that an injury must be “certainly impending” or that there must be a “substantial risk” of injury.
Ultimately, the Ninth Circuit differentiated Krottner from Clapper and found the plaintiffs in Krottner would have satisfied the standing elements Clapper required. Additionally, Krottner did not implicate national security concerns. In Zappos.com, the court found there was a “substantial risk” of injury because the hackers could have used the plaintiffs’ personal and account information to commit identity fraud or theft. The Zappos.com plaintiffs also satisfied the other elements of standing, so the court held the plaintiffs had standing to sue an organization that did not adequately protect consumer data, which led to an increased risk of identity theft.
Alleruzzo v. SuperValu, Inc.
The Eighth Circuit considered whether plaintiffs had standing to sue for an increased risk of identity theft in Alleruzzo v. SuperValu, Inc. While the Eighth Circuit ultimately held the plaintiffs had standing to sue an organization responsible for a data breach, the court found an increased risk of future identity theft could not satisfy standing requirements. The plaintiffs in Alleruzzo filed a class action suit after hackers accessed the plaintiffs’ credit and debit card data by attacking Supervalu’s computer network that processed payments. The plaintiffs argued the data breach exposed them “to an imminent and real possibility of identity theft.” The court concluded the hackers accessed and stole the plaintiffs’ credit and debit card information, but that the plaintiffs did not allege the hackers used the information or committed account fraud. Furthermore, the court relied on a GAO report that stated credit and debit card information could not be used to open fraudulent accounts, which is a type of identity theft that is more likely to harm consumers. The court found the GAO report does not support the plaintiffs’ claim that credit and debit card fraud is likely to cause substantial future harm. Therefore, the plaintiffs did not satisfy the standing requirement.
The court concluded that an increased risk of future identity theft was not enough to establish standing in this case. However, if at least one plaintiff in the class action has standing, then the whole class has standing. Because the one plaintiff had standing, the court found the entire class had standing. One of the plaintiffs alleged a hacker made a fraudulent charge on his card. This fraudulent charge constitutes identity theft, which is enough to establish standing. While identity theft can establish standing in the Eleventh Circuit, an increased risk of future identity theft cannot satisfy standing.
Tsao v. Captive MVP Restaurant Partners
The Eleventh Circuit held an increased risk of identity theft is not enough to establish standing in Tsao v. Captive MVP Restaurant Partners. Tsao filed a class action suit against MVP Restaurant Partners, also called PDQ. When PDQ customers paid with credit and debit cards, PDQ stored the credit card information so a third party could complete the transaction. A hacker accessed the data storage starting May 19, 2017, and ending April 20, 2018. PDQ notified customers of the hack on June 22, 2018. In the complaint, Tsao argued customers were injured by “‘theft of their personal financial information,’ ‘unauthorized charges on their debit and credit card accounts,’ and ‘ascertainable losses in the form of the loss of cashback or other benefits.’” Tsao further argued customers were
placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.
PDQ filed a motion to dismiss, arguing Tsao lacked standing because there was no actual injury to the customers and Tsao could not manufacture standing by inflicting harm on himself when mitigating risk. Tsao then argued he was injured because of lost cashback or reward points, lost time, and restricted card access.
The Eighth Circuit did not find Tsao’s argument persuasive. The court considered opinions from the Second, Third, Fourth, Sixth, Seventh, Eighth, Ninth, and D.C. Circuits when determining whether Tsao had standing. The court relied most on the Eighth Circuit’s reasoning in Alleruzzo. In fact, a GAO Report persuaded both courts. The GAO Report concluded hackers cannot generally use credit and debit card information to open new accounts and that most cyberattacks do not result in identity theft. Additionally, the facts in Alleruzzo are similar to the facts in Tsao because the hackers stole credit and debit card information, but no other personal information, like social security numbers. The plaintiffs in both cases also did not allege actual misuse.
The court also explained that regardless of the GAO Report and the Eighth Circuit’s reasoning, Tsao did not meet the burden of demonstrating that harm is “certainly impending” or that there is a “substantial risk” of harm for three reasons. First, the Eleventh Circuit Court of Appeals held in Muransky that an elevated or continuing increased risk of identity theft alone is not enough to establish standing, so Tsao’s allegations of increased risk are not enough to establish standing. Second, Tsao only made vague, conclusory allegations that anyone in the class suffered actual misuse of their personal data, and conclusory statements are not enough to establish standing. Third, the court found Tsao lacked standing because he immediately canceled his credit cards, which dramatically decreased any chance of future harm. For those three reasons, the court concluded Tsao did not have standing to sue PDQ.
Furthermore, the court explained that Tsao’s alleged injuries of lost cashback or rewards points, lost time, and restrictions on credit cards were not enough to establish standing. “It is well established that plaintiffs ‘cannot manufacture standing by merely inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’” The plaintiff could not harm himself by taking action to protect himself against hypothetical future harm; therefore, the harm, in this case, was not certainly impending and the plaintiff cannot establish standing. The court held Tsao did not establish standing under Article III of the U.S. Constitution because the hypothetical harm was not “certainly impending” and there was not a “substantial risk” of the harm occurring and a plaintiff cannot self-inflict harm to manufacture standing.
The Sixth, Seventh, Ninth, and D.C. Circuits properly held an increased risk of identity theft can establish standing. The Second, Third, Fourth, Eighth, and Eleventh Circuits wrongly decided an increased risk of identity theft cannot satisfy standing. These circuits did not fully consider how barring claims of an increased risk of identity theft impacts consumers and safety measures implemented to protect consumer data. Dismissing claims of an increased risk of identity theft allows organizations to be reckless with consumer data and effectively curtails state statutes. Additionally, it incentivizes forum shopping and encourages plaintiffs to do nothing after organizations notify them of a data breach. Courts that hesitate to find that an increased risk of future identity theft establishes standing could limit the future harm standing standard to identity theft and cybersecurity cases.
When consumers cannot file suits against organizations that expose them to identity theft, organizations may be reckless with consumer data. For example, compliance with industry standards has continuously decreased. Organizations that process and store payment information are not prioritizing cybersecurity measures. Consumers are at a greater risk of identity theft as fewer cybersecurity measures are implemented. Additionally, there are no federal regulations that would force organizations to develop cybersecurity measures for payment processing systems. Therefore, one of the only ways consumers could pressure an organization to implement these standards is through lawsuits. Limiting consumers’ ability to hold organizations responsible for their stolen personal data may allow those organizations to be reckless with consumers’ personal data. Organizations will not have to spend time or money on cybersecurity, which could lead to data breaches occurring more frequently.
Furthermore, organizations may be able to avoid compliance with state statutes that regulate cybersecurity standards for payment processing systems. Some states with such statutes are in circuits that have ruled an increased risk of future identity theft does not establish standing. For example, the plaintiffs in Alleruzzo argued the defendant violated state statutes, but the appellate court concluded those plaintiffs did not have standing in federal court. If plaintiffs were to file a class action lawsuit against an organization for exposing their personal data in violation of state law, the case could likely be removed to federal court, where courts could dismiss the case for lack of standing if the federal court is in the Second, Third, Fourth, Eighth, and Eleventh Circuits. The circuit split also incentivizes forum shopping. Large organizations can have locations throughout the country, and when hackers access personal data that organizations store online, those data breaches likely impact consumers across the country. Plaintiffs could choose to bring a suit in a circuit simply because that circuit found an increased risk of identity theft establishes standing.
Additionally, courts that ruled an increased risk of identity theft does not establish standing also found that the plaintiffs could not inflict harm upon themselves by taking remedial measures to avoid fraudulent charges on their credit or debit cards. For example, the Eleventh Circuit found the plaintiffs’ claims of time lost to canceling credit cards were insufficient to establish standing because the plaintiffs inflicted this harm upon themselves. This could incentivize plaintiffs to not take any remedial steps and to simply wait until fraudulent charges are made before filing suit to establish standing.
Courts that found an increased risk of identity theft does not satisfy standing do not consider other causes of identity theft. While the Eleventh Circuit differentiated the theft of credit and debit card information from social security numbers, the Eighth Circuit did not. The theft of social security numbers can be more dangerous than credit and debit card theft because hackers could use social security numbers to get loans or open new credit and debit card accounts. Resolving identity theft when it occurs because of a stolen social security number can be time-consuming and can have long-term effects. Additionally, hackers that have accessed personal data may wait to use the data to commit fraud. Therefore, individuals who have had their social security numbers stolen would be exposed to identity theft for a longer period of time. Of the cases reviewed, the courts that held an increased risk of identity theft cannot establish standing do not fully consider that hackers may wait to use the personal data to commit identity theft. Instead, these courts limit standing to cases where identity theft has already occurred.
Courts should find an increased risk of future identity theft can establish standing. Some courts may be concerned that finding an increased risk of identity theft can establish standing because it would allow plaintiffs with claims of future harms to establish standing in other cases that do not concern identity theft. However, the requirements to establish standing in cases where plaintiffs allege an increased risk of future identity theft could be limited to identity theft and cybersecurity cases. Allowing standing in these cases would encourage organizations to be protective of consumers’ data. Additionally, Clapper states plaintiffs cannot satisfy standing when their claims are based on a “speculative multi-link chain of inferences.” If hackers access consumers’ information, the consumers are at risk for identity theft or identity fraud. There is not a “speculative multi-link chain of inferences” between when hackers access personal data and when those hackers use the personal data to commit identity fraud or theft. The two events are closely related, although they may be distant in time.
One argument against allowing an increased risk of identity theft to establish standing is that the hackers do not necessarily intend to use the payment data. Christina Behan, author of Leaving Class Action Plaintiffs with Too Many Legs to Stand on: The Inconsistent Application of Article III Standing Requirements in Data Breach Cases, argued hackers do not necessarily intend to access the credit and debit card data. She provides an example where hackers were morally opposed to a dating website that connected people interested in extramarital affairs. While the hackers announced they intended to shut down the website, not use the credit and debit card data stored on the website, the hackers nonetheless had access to the consumers’ personal information. The hackers may have objected to the website’s services on moral grounds, but that does not entitle the hackers to access the consumers’ personal information. When the hackers’ threats were ignored, the hackers released the consumers’ personal data, which included usernames, passwords, email addresses, phone numbers, addresses, credit card information, and transaction records. While the hackers in this case did not intend to use the personal data on their own, leaking the data is how hackers used the personal data. After releasing this data, others could have easily used the information and the data leak likely impacted the consumers’ personal lives. Hackers demanding the website shut itself down because it violated the hackers’ morals is akin to vigilante justice. The proper avenue would be through legislative reform that would prevent that type of dating website from operating.
Additionally, the website, and other organizations, should have a duty to their consumers to protect consumer data. While the hackers may not have used the data to commit credit card fraud, they released the data which likely harmed the consumers, and the consumers should be able to remedy that by filing suit against the website for failing to protect their data. Furthermore, the courts in Remijas, Zappos.com, Alleruzzo, and Tsao focused heavily on the facts of each case. While an increased risk of identity theft could establish standing generally, courts could continue to consider the facts of each case, and if the hackers in a case make clear they do not intend to use the data, courts could conclude the facts do not satisfy an increased risk of identity theft. The courts finding an increased risk of identity theft can establish standing would protect consumers from organizations that do not protect consumer data.
The Sixth, Seventh, Ninth, and D.C. Circuits properly held an increased risk of identity theft can establish standing, while the Second, Third, Fourth, Eighth, and Eleventh Circuits wrongly decided an increased risk of identity theft cannot satisfy standing. These circuits failed to consider the long-term impacts of identity theft. Furthermore, these rulings allow organizations to be more reckless with consumer data. Courts should find an increased risk of identity theft can satisfy standing to protect consumers.
 Dan Ring & Nidhi Alberti, Global eCommerce Transactions Jump in November Due to Earlier Start of Holiday Shopping Season (Dec. 4, 2020), ACI Universal Payments, available at https://investor.aciworldwide.com/news-releases/news-release-details/global-ecommerce-transactions-jump-november-due-earlier-start.
 Ronald Dworkin, A Matter of Principle (1985).
 I Tan Tsao v. Captive MVP Restaurant Partners, No. 18-14959, 2021 U.S. App. LEXIS 3055, at 9 (11th Cir. 2021).
 Alison Frankel, 11th Circuit Deepens Longstanding Circuit Split on Standing in Data Breach Class Actions (Feb. 4, 2021), Alison Frankel’s On The Case, available at https://today.westlaw.com/Document/I267d1220674411ebbcc19114c7e02753/View/FullText.html?transitionType=Default&contextData=(sc.Default)&firstPage=true.
 PCI Security Standards Council, Glossary, available at https://www.pcisecuritystandards.org/pci_security/glossary#P.
 PCI Security Standards Council, PCI DSS Quick Reference Guide Understanding the Payment Card Industry, 3.2.1, 6 (2018), available at https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1615409800982.
 Andrew Bigart, The Consumer Financial Protection Bureau and Payment Processing, PCI ComplianceGuide.org. (May 15, 2015), available at https://www.pcicomplianceguide.org/the-consumer-financial-protection-bureau-and-payment-processing/.
 Federal Trade Commission, FTC to Study Credit Card Industry Data Security Auditing (Mar. 17, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing.
 Bigart, supra, note 13.
 See GAO, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown, GAO-07-737 (Jul. 5, 2007), available at https://www.gao.gov/products/gao-07-737.
 PCI DSS Quick Reference Guide at 6.
 Id. at 9.
 Verizon, 2020 Payment Security Report, 1 Verizon 2020 Data Breach Investigators Report, available at https://enterprise.verizon.com/resources/factsheets/2020/2020-payment-security-report-fact-sheet.pdf?_ga=2.229669404.1839026167.1615412317-1854370082.1615412317.
 Heath Kath, The Five Biggest PCI Compliance Breaches (Jan. 26, 2021), Go Anywhere, available at https://www.goanywhere.com/blog/the-5-biggest-pci-compliance-breaches.
 Kath, supra, note 22.
 2020 Payment Security Report at 1.
 Id.; Kath, supra, note 22.
 Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).
 I Tan Tsao v. Captiva MVP Restaurant Partners LLC, No. 18-14959 (11th Cir. 2021), 2021 U.S. App. LEXIS 3055 at 10 (citing Trichell v. Midland Credit Mgmt., Inc., 964 F.3d 990, 996 (11th Cir. 2020)).
 Thole v. U.S. Bank N.A., 140 S. Ct. 1615, 1621 (2020).
 Lujan v. Defs. Of Wildlife, 504 U.S. 555, 560 (1992).
 Id. at 11.
 Id. at 12.
 Id. at 14.
 Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).
 In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018).
 794 F.3d and 888 F.3d.
 In re Supervalu, 870 F.3d 763 (8th Cir. 2017).
 870 F.3d and Tsao, 2021 U.S. App. LEXIS 3055.
 794 F.3d 688, 690 (7th Cir. 2015).
 Id. at 692.
 Id. at 693.
 Id. (quoting Clapper, 133 S. Ct. at 1147).
 Id. (quoting Gov’t Accountability Office, GAO-07-737, Report to Congressional Requesters: Personal Information 29 (2007)).
 Id. at 696.
 Stevens v. Zappos.com, Inc., 884 F.3d 893, 896 (9th Cir. 2018).
 794 F.3d at 696.
 Price Waterhouse v. Hopkins, 490 U.S. 228, 263 (1989) (O’Connor, J. concurring).
 Id. at 697.
 Id. at 696.
 Id. at 697.
 Zappos.com, Inc., 884 F.3d at 895, 901.
 Id. at 894-95.
 Id. at 899.
 Id. at 896.
 Id. at 897.
 Id. at 897-98.
 Id. at 898.
 Id. at 898.
 Id. at 899.
 Id. at 900-01.
 Alleruzzo v. SuperValu, Inc., 870 F.3d 763, 765 (8th Cir. 2017).
 Id. at 771, 774.
 Id. at 766.
 Id. at 770.
 Id. at 771.
 Id. at 774.
 Id. at 772.
 Id. at 771, 774.
 Tsao, 2021 U.S. App. LEXIS 3055 at 2.
 Id. at 4.
 Id. at 2.
 Id. at 3.
 Id. at 4 (quoting Complaint).
 Id. at 7.
 Id. at 15-20.
 Id. at 20.
 Id. at 21.
 Id. at 22.
 Id. at 24.
 Id. at 25.
 Id. at 26.
 Id. at 28.
 Id. at 27 (quoting Clapper, 568 U.S. at 416).
 Id. at 28.
 2020 Payment Security Report at 1.
 Bigart, supra note 13.
 2020 Payment Security Report at 1.
 See Alleruzzo, 870 F.3d 763.
 870 F.3d 763.
 Tsao, 2021 U.S. App. LEXIS 3055.
 Id. at 27 (quoting Clapper, 568 U.S. at 416).
 Alleruzzo, 870 F.3d 763; Tsao, 2021 U.S. App. LEXIS 3055.
 Ben Luthi, What to Know About the Effects of Identity Theft (Jul. 23, 2019), Experian, available at https://www.experian.com/blogs/ask-experian/how-long-can-the-effects-of-identity-theft-last/.
 Alleruzzo, 870 F.3d 763; Tsao, 2021 U.S. App. LEXIS 3055.
 884 F.3d at 897.
 Luthi, supra note 122.
 884 F.3d at 897.
 Christina Behan, Note: Leaving Class Action Plaintiffs with Too Many Legs to Stand on: The Inconsistent Application of Article III Standing Requirements in Data Breach Cases, 46 Fla. St. U.L. Rev. 169, 185 (2018).