The Wendy's Company ("Wendy's") has
won dismissal of the consumer class action lawsuit filed against it in the wake
of its widely reported data breach. Judge Paul G. Byron of the Middle District
of Florida found that plaintiff Jonathan Torres had failed to plead a
cognizable injury-in-fact and therefore lacked standing to pursue his case.
Judge Byron dismissed the case without prejudice and allowed plaintiff to amend
his complaint. See Order, Torres v. The Wendy's Company, No. 6:16-cv-00210
(M.D. Fla. Jul. 15, 2016) (ECF 70) ("Order").
Torres was the only named plaintiff in the original complaint. He alleged that
his debit card number was stolen during the data breach at Wendy's. According
to Mr. Torres, he used his debit card to buy food at a Wendy's restaurant in
Orlando. Shortly thereafter, his debit card number was used to make purchases
at Sports Authority and Best Buy in an aggregate amount of approximately $600.
Mr. Torres informed his credit union that these charges were unauthorized.
Torres did not plead any out-of-pocket loss from these unauthorized charges,
presumably because he was reimbursed by his credit union. Instead, Mr. Torres
alleged that the theft of his information placed him at an "imminent,
immediate, and continuing risk of harm from identity theft and identity
fraud." Order at 2-3 (citing Compl. ¶ 41). Mr. Torres further claimed that
this required him to "take the time and effort to mitigate the actual and
potential impact" of the data breach on his life, including having to
alert credit monitoring agencies and financial institutions, modify financial
accounts, and monitor credit reports and accounts for unauthorized activity.
Byron began his analysis of the standing issue by noting that a legally
cognizable injury-infact must be "certainly impending." Order at 4
(quoting Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1147 (2013)). The
threat of future harm cannot be speculative, and allegations of possible future
injury are not sufficient. Id. Thus, the question facing the court was
"when, exactly, the loss or theft of an individual's data becomes a
concrete injury for purposes of establishing standing." Order at 4.
court first turned to plaintiff's allegations regarding the two unauthorized
charges. Noting that the Eleventh Circuit had found standing in a case where
the plaintiff alleged actual identity theft and monetary loss, Judge Byron
considered whether the two fraudulent charges constituted actual identity
theft. While he suggested that they did not, he found that even if they did,
Mr. Torres had "not alleged any monetary harm stemming from the two
fraudulent charges." Order at 6. Accordingly, Judge Byron found that, with
respect to these charges, plaintiff had not pled injury-in-fact sufficient to
Byron next turned to plaintiff's allegation that he faced an imminent threat of
future harm. He noted that, since Clapper, the majority of courts have found
that the risk of future harm is insufficient to confer standing absent
allegations that the harm is "certainly impending." Order at 7. While
Mr. Torres alleged that he was at risk of future identity theft and fraud, the
court found that risk to be too speculative to establish standing. Id. at 9. In
so finding, the court distinguished Remijas v. Neiman Marcus Group LLC, 794
F.3d 688, 694 (7th Cir. 2015). Remijas involved fraudulent charges to more
9,200 customer credit cards. In contrast, only Mr. Torres was alleged to have
been affected by the Wendy's breach, and he had not pointed to any further
fraudulent charges since the initial two charges to his debit card account. Id.
Judge Byron found that plaintiff's costs to mitigate the effects of the data
beach and obtain money from his account did not confer standing. The court
noted that "plaintiffs cannot manufacture standing merely by inflicting
harm on themselves based on their fears of hypothetical future harm that is
certainly not impending." Order at 9 (quoting Clapper, 133 S. Ct. at
1551). As Judge Byron noted, the cost to mitigate the risk of future harm does
not constitute an injury-in-fact unless the future harm being mitigated against
is itself imminent. Id. at 9.
a result, Judge Byron found that Mr. Torres had not adequately pled Article III
standing. He noted that the alleged harm is "highly speculative based on
the facts and the asserted injuries do not appear certainly impending under
Clapper." Order at 10. The court therefore dismissed the class action
complaint. However, the court gave Mr. Torres a chance to cure the deficiencies
in his complaint, if possible, in an amended pleading.
July 29, 2016, Mr. Torres filed an amended complaint, attempting to bolster his
original allegations of harm and adding six new plaintiffs. See Amended Class
Action Complaint, Torres v. The Wendy's Company, No. 6:16-cv-00210 (M.D. Fla.
July. 29, 2016) (ECF 71) ("Amended Complaint"). In the Amended
Complaint, Mr. Torres claims that the unauthorized expenses he allegedly
incurred as a result of the data breach temporarily drained funds from his
debit card account, causing him to miss two child support payments and default
on an electric bill. But he still does not claim any out-of-pocket loss as a
consequence of the data breach, other than a $3 late fee assessed by his
electric company. See Am. Compl. at ¶¶ 11, 82(j).
for the six new plaintiffs, none of them claim any out-of-pocket loss.
Plaintiffs allege that each of the new plaintiffs had fraudulent charges on
their debit and credit cards shortly after they used those cards to purchase
food at a Wendy's restaurant. See id. at ¶¶ 12-21. But they do not allege that
those losses went unreimbursed. Instead, they mostly claim that, as a result of
these fraudulent charges, they spent time cancelling their cards and dealing
with their financial institutions, suffered embarrassment and inconvenience,
and, in one instance, had to cut a vacation short. Id. at ¶¶ 13, 15, 17, 21,
also claim, that, while waiting for their cards to be reissued, they were
prevented from making purchases they otherwise would have made (id. at ¶¶ 14,
15, 20, 21, 92(j)), and that some of them "lost" cash-back rewards or
points that they would have received on those purchases (id. at ¶¶ 13, 17, 20,
82(j)). Plaintiffs do not provide any details concerning these missed purchases
and do not, with one exception, quantify their lost rewards. The one set of
plaintiffs to do so, Mr. and Mrs. Jackson, claim that they lost $7.88 in
forgone cash back awards while waiting for a replacement card to be issued. Id.
at ¶ 13.
further claim that they face future harm from the theft of their information.
See id. at ¶ 78. They allege that "[w]ithout detailed disclosure to
Wendy's customers, consumers, including Plaintiffs and Class members, have been
left exposed, unknowingly and unwittingly, for at least nine months to
continued misuse and ongoing risk of misuse of their personal information
without being able to take necessary precautions to prevent imminent
harm." Id. at ¶ 66. Plaintiffs claim that thieves are already using
customer information "stolen from Wendy's" to commit "actual fraud,"
and suggest that further fraudulent activity "may not come to light for
years." Id. at ¶ 71.
intends to move to dismiss the Amended Complaint, and the court will have to
consider whether plaintiffs' allegations are now sufficient to confer standing.
While Mr. Torres has bolstered the allegations contained in the original
complaint and added six new plaintiffs, plaintiffs do not appear to have plead
"any out-of-pocket losses that the current case law is willing to
recognize." Order at 9. Thus, the court's decision is likely to turn on
whether plaintiffs have showed that they face a risk of future harm that is
certainly impending, rather than speculative.