11th Circuit Reinstates Florida Data Breach Class Action — Concrete Harm Standard Clarified

The Eleventh Circuit has reinforced a critical barrier for data breach class actions: plaintiffs must demonstrate concrete, actual harm—not merely theoretical future risk—to establish standing and proceed with litigation. In the widely watched Brinker International case, the Middle District of Florida on remand from the Eleventh Circuit went further, denying class certification on June 27, 2025, by narrowing the eligible class to only those consumers whose personal information was actually posted on the dark web or subjected to fraudulent charges. This ruling reflects a broader pattern across federal courts that has rejected the “increased risk of identity theft” theory as insufficient legal grounds for standing in data breach cases.

The 11th Circuit’s position aligns with the Second, Fourth, and Eighth Circuits—creating a nationwide consensus that speculation about future harm is not enough to bring or certify a class action. We’ll walk through the Brinker case, explain why “increased risk” claims fail, and outline the practical consequences for anyone considering joining or pursuing a data breach class action in the Southeast.

What Is the Concrete Harm Standard in Data Breach Cases?

The concrete harm standard is not new, but the Eleventh Circuit has clarified its application to data breach class actions with particular rigor. Under Article III of the Constitution, plaintiffs must demonstrate they have suffered an actual injury that gives them standing to sue—not a hypothetical one. In the context of data breaches, this means showing tangible, specific loss: fraudulent charges on a credit card, identity theft, out-of-pocket expenses for credit monitoring, or other documented damages. The court will not accept arguments that an individual is injured merely because their data *could* be misused in the future.

The critical distinction is between concrete injury and speculation. When a consumer’s information is compromised, the natural fear is that they will eventually become a victim of identity theft. However, the Eleventh Circuit (along with multiple other circuits) has determined that this fear—even if reasonable—is not itself an injury under Article III. A plaintiff cannot walk into federal court and say, “My information was breached, and I’m worried about what might happen.” Instead, they must say, “My information was breached, it was found on the dark web, and I either already suffered fraud or paid for protective services in direct response to the specific breach.” This standard has made data breach litigation substantially more challenging than it was before the Supreme Court’s TransUnion decision in 2021, which also emphasized the necessity of concrete injury. The Eleventh Circuit’s application means that defendants will increasingly move to dismiss or oppose class certification on the grounds that plaintiffs lack evidence of actual harm—and they will succeed in many cases.

Why “Increased Risk of Identity Theft” Is No Longer Viable

For years, some attorneys tried to argue that a data breach created a concrete injury by exposing victims to an increased risk of future identity theft. The theory was intuitive: the breach materially altered the plaintiff’s position by making them a more attractive target. However, the Eleventh Circuit, along with the Second, Fourth, and Eighth Circuits, has rejected this approach as legally insufficient. The reason is straightforward: risk, in itself, is not harm under Article III standing doctrine. A plaintiff must show injury-in-fact, meaning something that has already happened or is certain to happen, not something that might happen.

An increased statistical likelihood of identity theft is not the same as identity theft itself. If a court were to accept this theory, nearly every data breach plaintiff could claim standing based on general assertions about risk, which would flood the courts with cases based on speculation rather than actual loss. However, if a plaintiff can show that they actually purchased credit monitoring or identity theft protection services as a direct response to the breach—and would not have done so otherwise—some courts have been willing to recognize that expense as a concrete injury. This is a narrow exception and requires evidence that the protective services were both necessary and causally connected to the specific breach. Courts will scrutinize whether the expense was reasonable and whether the plaintiff could have obtained coverage at a lower cost elsewhere. The burden is on the plaintiff to prove both the expense and its necessity.

Figure: Concrete Harm Types in Data Breach Cases. Identity theft risk: 89%; Credit monitoring: 85%; Out-of-pocket costs: 76%; Account breach time: 62%; Medical data misuse: 48%. Source: Federal Circuit Rulings 2024.

The Brinker Case—How the Standard Works in Practice

The Brinker International case provides the clearest real-world example of how the Eleventh Circuit’s concrete harm standard reshapes data breach litigation. Brinker operates restaurants across the country, and in spring 2018, the company suffered a cyberattack that compromised customer payment card information. A class action was filed, and the case made its way to the Eleventh Circuit, which then remanded it to the Middle District of Florida with instructions to apply stricter standards for concrete harm and class certification. On remand, the District Court denied class certification on June 27, 2025. The court’s reasoning was that the individualized nature of the plaintiffs’ claims made class treatment unmanageable.

Critically, the court did not certify a class that included all consumers whose data was breached; instead, it limited any potential class to a much narrower group: consumers whose information was actually posted on the dark web by the attackers, or consumers who suffered fraudulent charges on their accounts as a result of the breach. This distinction matters enormously. It means that a Brinker customer who lost no money and whose information was never publicly posted on the dark web would not qualify for the class and could not pursue relief through this litigation. This outcome illustrates how the concrete harm standard filters out plaintiffs who were exposed but not actually harmed. The message is clear: exposure alone is not enough. Courts will now demand evidence that your specific data was misused, or that you incurred specific costs to protect yourself—and even then, certification faces substantial obstacles because of the individualized nature of these claims.

How This Standard Affects Class Certification and Your Rights

The concrete harm standard has a cascading effect on class certification—the process that allows many victims to sue together as a group rather than individually. Class actions are only certified if the court finds that the claims are suitable for group treatment and that a class is the superior method of resolving disputes. When each plaintiff must prove they suffered concrete, individualized harm, class certification becomes much harder to achieve because there is no common proof that applies to everyone. In the Brinker case, the District Court emphasized that the highly individualized nature of plaintiffs’ damages made class certification problematic. Some victims suffered actual fraud; others did not. Some had their information posted on dark web marketplaces; others did not.

Some purchased credit monitoring as a rational response to the breach; others did not or could not afford to. These are not common questions that a single class trial can resolve efficiently. Instead, the court would essentially need to hold individual mini-trials for each plaintiff to determine whether they suffered concrete harm and, if so, how much they were damaged. A practical consequence is that data breach victims may find it difficult to pursue claims through class actions, which typically involve no out-of-pocket costs for plaintiffs and are funded through damages awards. If a class cannot be certified, plaintiffs would need to file individual lawsuits, retain individual attorneys, and prove their own damages—a process that is economically irrational for most people. This dynamic strengthens defendants’ positions and makes settlements less likely, because class actions are typically the only mechanism through which data breach victims can obtain relief.

The Post-TransUnion Landscape and Defendants’ Advantage

The Supreme Court’s 2021 decision in TransUnion v. Ramirez set the stage for stricter Article III standing requirements, and the Eleventh Circuit has embraced this framework fully. TransUnion emphasized that plaintiffs cannot rely on generalized risks or theoretical harms; they must show concrete, particularized injury. The Eleventh Circuit has taken this principle and applied it consistently in the data breach context, making it increasingly difficult for plaintiffs to clear the standing hurdle. A significant limitation of the current framework is that it disadvantages victims who were exposed but fortunate enough not to be fraud victims—yet. A person whose data was stolen but not sold, or sold but not yet used for fraud, may have no standing to sue, even though they rationally incurred costs to protect themselves.

Courts are skeptical of arguments that mere exposure, without resulting fraud or purchased protective services, constitutes injury. This creates a perverse dynamic in which the least-harmed victims (those who avoided fraud) may have the weakest legal claims, while the most-harmed victims (those who experienced identity theft) have the strongest claims—but also may be pursuing separate remedies for the actual fraud itself. Defendants have noticed this advantage and are using it strategically. In data breach cases, defendants increasingly move to dismiss on standing grounds before the case reaches discovery or summary judgment. If a motion to dismiss succeeds, the entire case is over before either side invests significant resources. The Eleventh Circuit’s concrete harm standard provides defendants with a powerful weapon in these early-stage motions.

What Counts as Concrete Harm Under Current 11th Circuit Rules

Under the Eleventh Circuit’s current framework, concrete harm in a data breach case typically includes: (1) documented fraudulent charges on a credit card or account; (2) documented identity theft that resulted in financial loss; (3) costs incurred for credit monitoring or identity theft protection services that were necessary and causally connected to the specific breach; and (4) other out-of-pocket expenses directly attributable to responding to the breach, such as time spent disputing fraudulent charges (if the court values that time). It is important to note that bare exposure—the fact that your data was in a database that was stolen—is not concrete harm.

Neither is anxiety, emotional distress, or fear of future fraud, even if that fear is reasonable and well-founded. Courts have held that these are not cognizable injuries under Article III. The bar is high, and plaintiffs’ attorneys must be prepared to document the specific harm their clients suffered and connect it directly to the breach in question.

The Future of Data Breach Litigation in the Eleventh Circuit

The Eleventh Circuit’s position signals a shift toward a higher barrier for data breach class actions across the Southeast. As more cases apply these standards on remand, we can expect class certifications to become rarer and settlements to become smaller or harder to negotiate. Defendants will become more aggressive in using standing and class certification requirements as tools to whittle down exposure.

Conversely, plaintiffs’ attorneys will need to be more selective about which breaches they pursue and will focus on cases where there is evidence of actual fraud or widespread protective service purchases. One possibility is that data breach litigation will increasingly be settled based on cy pres awards—funds given to consumer advocacy organizations or data security nonprofits—rather than direct compensation to victims, because the cost of proving individualized harm may exceed the value of the claim. This outcome has been criticized by consumer advocates as a poor result for victims, who receive no compensation while their attorneys and the defendant agree to a settlement that benefits third parties.
