On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing,

In a decision filed September 27, 2010, the U.S. Court of Appeals for the Ninth Circuit reversed a California district court’s refusal to certify a class action alleging violations of the Fair and Accurate Credit Transactions Act (“FACTA”). The Ninth Circuit ruled that none of the three grounds advanced below – the disproportionality between the potential liability and the actual harm suffered, the enormity of the potential damages, or the defendant’s good faith compliance with FACTA after being sued – justified denying class certification on superiority grounds. The Ninth Circuit’s decision narrows, if not eliminates, the potential for disagreement among district courts on an issue that has for some time been a fly in the ointment for class action plaintiffs (and their attorneys) hoping for big paydays on account of harmless technical violations of FACTA.

On February 3, 2010, the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania. If approved, the proposed settlement would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards.

In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.”

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.”  Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action law suit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.