Wendy's Data Breach Suit Dismissed Where No Monetary Loss Alleged; Amendment Filed

The Wendy's Company ("Wendy's") has won dismissal of the consumer class action lawsuit filed against it in the wake of its widely reported data breach. Judge Paul G. Byron of the Middle District of Florida found that plaintiff Jonathan Torres had failed to plead a cognizable injury-in-fact and therefore lacked standing to pursue his case. Judge Byron dismissed the case without prejudice and allowed plaintiff to amend his complaint. See Order, Torres v. The Wendy's Company, No. 6:16-cv-00210 (M.D. Fla. Jul. 15, 2016) (ECF 70) ("Order").

Mr. Torres was the only named plaintiff in the original complaint. He alleged that his debit card number was stolen during the data breach at Wendy's. According to Mr. Torres, he used his debit card to buy food at a Wendy's restaurant in Orlando. Shortly thereafter, his debit card number was used to make purchases at Sports Authority and Best Buy in an aggregate amount of approximately $600. Mr. Torres informed his credit union that these charges were unauthorized.

Mr. Torres did not plead any out-of-pocket loss from these unauthorized charges, presumably because he was reimbursed by his credit union. Instead, Mr. Torres alleged that the theft of his information placed him at an "imminent, immediate, and continuing risk of harm from identity theft and identity fraud." Order at 2-3 (citing Compl. ¶ 41). Mr. Torres further claimed that this required him to "take the time and effort to mitigate the actual and potential impact" of the data breach on his life, including having to alert credit monitoring agencies and financial institutions, modify financial accounts, and monitor credit reports and accounts for unauthorized activity. Id.

Judge Byron began his analysis of the standing issue by noting that a legally cognizable injury-infact must be "certainly impending." Order at 4 (quoting Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1147 (2013)). The threat of future harm cannot be speculative, and allegations of possible future injury are not sufficient. Id. Thus, the question facing the court was "when, exactly, the loss or theft of an individual's data becomes a concrete injury for purposes of establishing standing." Order at 4.

The court first turned to plaintiff's allegations regarding the two unauthorized charges. Noting that the Eleventh Circuit had found standing in a case where the plaintiff alleged actual identity theft and monetary loss, Judge Byron considered whether the two fraudulent charges constituted actual identity theft. While he suggested that they did not, he found that even if they did, Mr. Torres had "not alleged any monetary harm stemming from the two fraudulent charges." Order at 6. Accordingly, Judge Byron found that, with respect to these charges, plaintiff had not pled injury-in-fact sufficient to support standing.

Judge Byron next turned to plaintiff's allegation that he faced an imminent threat of future harm. He noted that, since Clapper, the majority of courts have found that the risk of future harm is insufficient to confer standing absent allegations that the harm is "certainly impending." Order at 7. While Mr. Torres alleged that he was at risk of future identity theft and fraud, the court found that risk to be too speculative to establish standing. Id. at 9. In so finding, the court distinguished Remijas v. Neiman Marcus Group LLC, 794 F.3d 688, 694 (7th Cir. 2015). Remijas involved fraudulent charges to more 9,200 customer credit cards. In contrast, only Mr. Torres was alleged to have been affected by the Wendy's breach, and he had not pointed to any further fraudulent charges since the initial two charges to his debit card account. Id.

Finally, Judge Byron found that plaintiff's costs to mitigate the effects of the data beach and obtain money from his account did not confer standing. The court noted that "plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is certainly not impending." Order at 9 (quoting Clapper, 133 S. Ct. at 1551). As Judge Byron noted, the cost to mitigate the risk of future harm does not constitute an injury-in-fact unless the future harm being mitigated against is itself imminent. Id. at 9.

As a result, Judge Byron found that Mr. Torres had not adequately pled Article III standing. He noted that the alleged harm is "highly speculative based on the facts and the asserted injuries do not appear certainly impending under Clapper." Order at 10. The court therefore dismissed the class action complaint. However, the court gave Mr. Torres a chance to cure the deficiencies in his complaint, if possible, in an amended pleading.

On July 29, 2016, Mr. Torres filed an amended complaint, attempting to bolster his original allegations of harm and adding six new plaintiffs. See Amended Class Action Complaint, Torres v. The Wendy's Company, No. 6:16-cv-00210 (M.D. Fla. July. 29, 2016) (ECF 71) ("Amended Complaint"). In the Amended Complaint, Mr. Torres claims that the unauthorized expenses he allegedly incurred as a result of the data breach temporarily drained funds from his debit card account, causing him to miss two child support payments and default on an electric bill. But he still does not claim any out-of-pocket loss as a consequence of the data breach, other than a $3 late fee assessed by his electric company. See Am. Compl. at ¶¶ 11, 82(j).

As for the six new plaintiffs, none of them claim any out-of-pocket loss. Plaintiffs allege that each of the new plaintiffs had fraudulent charges on their debit and credit cards shortly after they used those cards to purchase food at a Wendy's restaurant. See id. at ¶¶ 12-21. But they do not allege that those losses went unreimbursed. Instead, they mostly claim that, as a result of these fraudulent charges, they spent time cancelling their cards and dealing with their financial institutions, suffered embarrassment and inconvenience, and, in one instance, had to cut a vacation short. Id. at ¶¶ 13, 15, 17, 21, 82(h), 82(k).

Plaintiffs also claim, that, while waiting for their cards to be reissued, they were prevented from making purchases they otherwise would have made (id. at ¶¶ 14, 15, 20, 21, 92(j)), and that some of them "lost" cash-back rewards or points that they would have received on those purchases (id. at ¶¶ 13, 17, 20, 82(j)). Plaintiffs do not provide any details concerning these missed purchases and do not, with one exception, quantify their lost rewards. The one set of plaintiffs to do so, Mr. and Mrs. Jackson, claim that they lost $7.88 in forgone cash back awards while waiting for a replacement card to be issued. Id. at ¶ 13.

Plaintiffs further claim that they face future harm from the theft of their information. See id. at ¶ 78. They allege that "[w]ithout detailed disclosure to Wendy's customers, consumers, including Plaintiffs and Class members, have been left exposed, unknowingly and unwittingly, for at least nine months to continued misuse and ongoing risk of misuse of their personal information without being able to take necessary precautions to prevent imminent harm." Id. at ¶ 66. Plaintiffs claim that thieves are already using customer information "stolen from Wendy's" to commit "actual fraud," and suggest that further fraudulent activity "may not come to light for years." Id. at ¶ 71.

Wendy's intends to move to dismiss the Amended Complaint, and the court will have to consider whether plaintiffs' allegations are now sufficient to confer standing. While Mr. Torres has bolstered the allegations contained in the original complaint and added six new plaintiffs, plaintiffs do not appear to have plead "any out-of-pocket losses that the current case law is willing to recognize." Order at 9. Thus, the court's decision is likely to turn on whether plaintiffs have showed that they face a risk of future harm that is certainly impending, rather than speculative.