WILLIAM F. JUNG, District Judge.
Defendant PDQ is a group of "fast casual" restaurants. Plaintiff was a customer.
Plaintiff filed this data breach litigation immediately after PDQ posted a "Notice to Guests From PDQ" alerting customers of a cyber-attack by a third-party hacker on part of the restaurant's computer-related system from May 19, 2017 until April 20, 2018. (Dkt. 1, ¶ 60). Plaintiff seeks class action status.
PDQ told its customers that credit cards and names may have been hacked and urged them to monitor their credit card accounts and credit reports. (Dkt. 1, ¶ 60). The complaint alleges that "private Customer Data was compromised due to PDQ's . . . failure to properly protect the Customer Data" and "has been exposed to criminals for misuse." (Dkt. 1, ¶¶ 2-3, 9) (emphasis added).
Plaintiff asserts that he purchased food at an affected PDQ on two different occasions using two different reward payment credit cards in October 2017. (Dkt. 1, ¶¶ 28-30). Plaintiff alleges that he contacted the bank, the cards were cancelled, thereby causing him to lose "the opportunity to accrue" rewards. Having to reset the new payment cards on autopay, Plaintiff claims, is an additional "hassle." (Dkt. 1, ¶ 32). He alleges that the hacker "exploited part of [PDQ's] computer-related system and accessed and/or acquired personal information from some of [PDQ's] customers." (Dkt. 1, ¶ 57). The personal information included cardholder names, account numbers, car verification codes, and "pins" for debit cards. (Dkt. 1, ¶ 20).
With respect to the harm suffered, the complaint alleges that PDQ's actions or inaction, and the data breach, placed Plaintiff and putative class members "in imminent, immediate and continuing increased risk of harm from identity theft and identity fraud" which required them to take time to correct. (Dkt. 1, ¶ 80) (emphasis added). Plaintiff continues that PDQ's actions caused "the theft and dissemination into the public domain" of Plaintiff's and the class members' customer data. (Dkt. 1, ¶ 81). Plaintiff seeks damages for suffering and economic loss for "impending injury flowing from potential fraud and identity theft," loss of privacy, the value of their lost time cancelling credit cards, the loss of cash back rewards, and the "stress, nuisance and annoyance of dealing with all such issues resulting from the Data Breach." (Dkt. 1, ¶ 81).
Defendant requests dismissal on two valid grounds: lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1); and failure to state a claim for relief under Rule 12(b)(6).
To meet the pleading standard for standing under Article III, a plaintiff must first allege sufficient facts to show the injury in fact is "concrete and particularized and actual and imminent, not conjectural or hypothetical." See Spokeo v. Robins, ___ U.S. ___, 136 S.Ct. 1540, 1548, 194 L.Ed.2d 635 (2016) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). The plaintiff bears the burden of establishing injury in fact. FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231, 110 S.Ct. 596, 107 L.Ed.2d 603 (1990). Under a facial attack to standing, as in this case, the allegations of the complaint must be accepted as true. See McElmurray v. Consolidated Government of Augusta — Richmond Cnty., 501 F.3d 1244, 1251 (11th Cir. 2007). "[T]he plaintiff is left with the safeguards similar to those retained when a Rule 12(b)(6) motion to dismiss for failure to state a claim is raised." McElmurray, 501 F.3d at 1251 (citation omitted).
Plaintiff's complaint fails to allege any facts showing he has suffered an injury in fact. He has not alleged "an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical." Spokeo, 136 S. Ct. at 1548 (internal quotations omitted). The "threatened injury must be certainly impending to constitute injury in fact and . . . [a]llegations of possible future injury are not sufficient." Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed2d 264 (2013) (internal quotation marks omitted) (emphasis in original). Plaintiff alleges only speculative, not actual, identity theft. See Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 n.1 (11th Cir. 2012) (finding plaintiffs adequately pled an injury in fact because they alleged "actual" and "not speculative" identify theft); Burrows v. Purchasing Power, LLC, No. 1:12-cv-22800-UU, 2012 WL 9391827, at *2 n.5 (S.D. Fla. Oct. 18, 2012) ("The clear implication [from Resnick] is that . . . a plaintiff who alleges only speculative harm would not have standing[.]").
Plaintiff alleges that his private data was "compromised" and "exposed to" criminals for future misuse. Not once does he allege that his credit cards were used in any way by a thief or that his identity was stolen. He alludes to the "imminent . . . risk of harm" and "impending injury" that he will suffer from potential fraud and identity theft. As to damages, he points to his lost time in alerting his bank of the potential compromise to two credit reward cards, the loss of his cash back reward accrual from the time he cancelled his cards to the time they were reissued, and the inconvenience, hassle, and nuisance of monitoring the situation caused by the data breach. These allegations amount to speculation of future, potential injury at best. De minimus non curat lex.
To the extent Plaintiff alleges in a conclusory fashion that he and other class members have suffered "actual harm" as a result of the data breach, he fails to include any factual specificity regarding the date or nature of any injuries, actual misuse of the credit card information, or the monetary value associated with any such purported misuse of the information. Plaintiff has not identified a single specific, concrete injury in fact that he or anyone else has suffered as a result of any misuse of customer credit card information stemming from the PDQ data breach. Evidence of a data breach, without more, is insufficient to satisfy injury in fact under Article III standing and requires dismissal of the complaint. See, e.g., Stapleton v. Tampa Bay Surgery Ctr., Inc., No. 17-cv-1540-T-30AEP, 2017 WL 3732102, at *3 (M.D. Fla. Aug. 30, 2017) ("Something more than the mere data breach must be alleged before Plaintiffs can show they have a substantial risk of injury."); Torres v. Wendy's Co., 195 F.Supp.3d 1278 (M.D. Fla. 2016) ("Plaintiff's alleged harm is highly speculative based on the facts [potential fraud and future identity theft based on data breach] and the asserted injuries do not appear `certainly impending' under Clapper."); Pankey v. Aetna Life Ins. Co., No. 6:16-cv-1011-Orl-37GJK, 2017 WL 1089330 (M.D. Fla. Mar. 23, 2017) (concluding threats of future harm are too conclusory and speculative to establish standing and citing Torres and Resnick).
Article III standing "limits the judicial power of the United States to the resolution of cases and controversies." Dimaio v. Democratic Nat'l Committee, 520 F.3d 1299, 1301 (11th Cir. 2008) (quoting Valley Forge Christian Coll. v. Ams. United for Separation of Church & State, Inc., 454 U.S. 464, 471, 102 S.Ct. 752, 70 L.Ed.2d 700 (1982) (internal quotation marks omitted). "Standing is a threshold jurisdictional question which must be addressed prior to and independent of a party's claims." Dimaio, 520 F.3d. at 1301. The one named Plaintiff in this class action law suit has not suffered an injury in fact. Plaintiff has alleged no actual theft of personal information or actual misuse of stolen data. His claims are based on fears of hypothetical future harm that are not certainly impending. Consequently, the complaint must be dismissed without prejudice for lack of subject matter jurisdiction.