Jenkins v. Associated Wholesale Grocers, Inc.
Filing
22
MEMORANDUM AND ORDER granting 17 Motion to Dismiss. Signed by District Judge Daniel D. Crabtree on 3/5/2025. (mam)
Case 5:24-cv-04039-DDC-GEB
Document 22
Filed 03/05/25
Page 1 of 30
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF KANSAS
SCOTT JENKINS, individually and on behalf of all others similarly situated,
Plaintiff,
v.
ASSOCIATED WHOLESALE GROCERS, INC.,
Defendant.
Case No. 24-4039-DDC-GEB
MEMORANDUM AND ORDER
Plaintiff Scott Jenkins alleges unauthorized third parties accessed his personal identifying
information (PII) in a data breach. According to him, defendant Associated Wholesale Grocers
didn’t maintain secure data systems. Plaintiff asserts a number of claims, on behalf of himself
and a prospective class. Defendant moved to dismiss under Fed. R. Civ. P. 12(b)(1)—arguing
plaintiff lacks standing. It also invokes Rule 12(b)(6)—arguing plaintiff has failed to state a
claim. See Doc. 18 at 1.
Article III standing is complicated in data breach cases. The analyses of courts across the
country reflect as much—revealing differing results turning on nuanced facts. The court
addresses plaintiff’s alleged injuries in the context of the varied authority. The court concludes
plaintiff lacks standing to seek monetary, injunctive, and declaratory relief—at least on the
allegations in the Complaint (Doc. 1). With that conclusion comes another: the court doesn’t
have jurisdiction over this dispute. So, the court must dismiss plaintiff’s Complaint.1 Below, the
court explains these decisions, beginning with a brief background.
I. Background
The following facts are taken from allegations in plaintiff’s Complaint.
The PII
Plaintiff is defendant’s former employee. Doc. 1 at 3 (Compl. ¶ 13). As part of the
hiring process, defendant required plaintiff to provide certain PII. Id. at 4 (Compl. ¶ 21). And
plaintiff relied on defendant to maintain confidentiality and secure his PII for business purposes.
Id. (Compl. ¶ 22). Plaintiff, for his part, is careful to avoid sharing his PII. Id. at 15 (Compl.
¶ 72). He stores sensitive documents in secure locations or destroys them. Id. (Compl. ¶ 73).
His usernames and passwords are unique. Id.
All this focus on security matters, plaintiff contends, because PII is highly valuable to
criminal actors. Id. at 12 (Compl. ¶ 57). Unauthorized actors sell PII on the Dark Web, use PII
to apply for government benefits or medical services, and cross-reference PII with other data to
develop detailed dossiers—known as “Fullz packages”—about individuals. Id. at 12–14 (Compl.
¶¶ 58–63).
The Breach
In October 2023, an unknown actor breached defendant’s computer systems. Id. at 1
(Compl. ¶ 1). The breach released the PII of plaintiff (and a putative class). Id. Included in the
breach were plaintiff’s name, Social Security number, and date of birth. Id. at 14 (Compl. ¶ 66).
But it wasn’t until April 2024 that defendant notified plaintiff about the breach. Id. at 5 (Compl.
¶ 26). And when defendant did so, it left some details to the imagination. Defendant didn’t
explain the breach’s “root cause[,]” “vulnerabilities exploited,” or “remedial measures” taken to
prevent a future data breach. Id. (Compl. ¶ 28).
1 Because of the court’s standing decision, this Order doesn’t address defendant’s 12(b)(6) motion.
Plaintiff asserts defendant’s security procedures weren’t appropriate. Id. (Compl. ¶ 30).
That’s because defendant stored plaintiff’s PII in an unencrypted, Internet-accessible
environment. Id. at 7 (Compl. ¶ 37). And plaintiff outlines a host of preventative measures
defendant could have deployed. Id. at 8–11 (Compl. ¶¶ 45–47).
The Aftermath
Since the data breach occurred, plaintiff has faced ongoing worry about when and how
unauthorized actors may use his sensitive information. Id. at 15 (Compl. ¶ 67). Such misuse has
begun already, he alleges. For starters, plaintiff received multiple notifications about
unauthorized purchases on his PayPal account and sign-in attempts to his bank accounts. Id.
(Compl. ¶ 68). Cybercriminals “were able to pose as Plaintiff and hack his financial accounts to
steal his money.” Id. (Compl. ¶ 69). On top of that, plaintiff has received spam calls referencing
falsified illegal actions. Id. (Compl. ¶ 70). These calls “are clearly attempts to use Plaintiff’s PII
to extort him for money or more PII.” Id.
Plaintiff spent 240 hours cleaning up the data breach’s consequences. Id. (Compl. ¶ 71)
(describing time spent “verifying the legitimacy of the Notice of Data Breach, self-monitoring
his accounts, reviewing credit reports, and mitigating fraud and identity theft”). And plaintiff also
experiences fear, anxiety, and increased concern for the loss of his privacy. Id. at 16 (Compl.
¶ 74).
Defendant still possesses plaintiff’s PII. Id. at 32 (Compl. ¶ 155). Plaintiff believes
defendant’s security measures are still inadequate, though defendant “publicly denies these
allegations.” Id. at 38 (Compl. ¶ 189).
The Lawsuit
Plaintiff filed this lawsuit in May 2024, asserting claims of negligence, negligence per se,
invasion of privacy, breach of implied contract, breach of confidence, and breach of fiduciary
duty. Id. at 26–38 (Compl. ¶¶ 116–86). Plaintiff seeks monetary, injunctive, and declaratory
relief. Doc. 1 at 38–39; 40–41 (Compl. ¶¶ 191–92; VII.2–3).
Defendant moved to dismiss the Complaint. Doc. 17. Plaintiff responded. Doc. 20.
But, as defendant emphasizes, plaintiff filed his Response out of time. Doc. 21 at 1. Plaintiff’s
Response was due August 2, 2024. See Doc. 17 (filed July 12, 2024); see also D. Kan. Rule
6.1(d)(1) (requiring parties to file responses to dispositive motions within 21 days after service of
the motion). Plaintiff didn’t file his Response until August 6, 2024. Doc. 20. And a quick
survey of the docket reveals that plaintiff never requested an extension of time. Defendant asks
the court to sanction plaintiff by disregarding plaintiff’s Response. Doc. 21 at 1.
The court has discretion to take such a course. See Curran v. AMI Fireplace Co., 163 F.
App’x 714, 718 (10th Cir. 2006) (concluding district court acted within its discretion in striking
untimely response to summary judgment motion). But because the court concludes plaintiff’s
response doesn’t change the outcome, the court declines to strike it. See Sheldon v. Khanal, No.
07-2112-KHV, 2008 WL 474262, at *2 n.3 (D. Kan. Feb. 19, 2008) (“Although the Court
discourages such tardiness, it notes that these arguments will not materially change the resolution
of plaintiffs’ motion, and the Court therefore briefly considers the arguments.”).
II. 12(b)(1) Legal Standard
Under Rule 12(b)(1), a defendant may move the court to dismiss for lack of subject
matter jurisdiction. Fed. R. Civ. P. 12(b)(1). “Federal courts are courts of limited jurisdiction
and, as such, must have a statutory basis to exercise jurisdiction.” Montoya v. Chao, 296 F.3d
952, 955 (10th Cir. 2002). “A court lacking jurisdiction cannot render judgment but must
dismiss the cause at any stage of the proceedings in which it becomes apparent that jurisdiction is
lacking.” Basso v. Utah Power & Light Co., 495 F.2d 906, 909 (10th Cir. 1974). The party
invoking federal jurisdiction bears the burden to prove it exists. Kokkonen v. Guardian Life Ins.
Co. of Am., 511 U.S. 375, 377 (1994); see also Siloam Springs Hotel, L.L.C. v. Century Sur. Co.,
906 F.3d 926, 931 (10th Cir. 2018) (presuming “no jurisdiction exists absent an adequate
showing by the party invoking federal jurisdiction”).
Rule 12(b)(1) challenges fall into two categories: (1) facial attacks on allegations in the
complaint to challenge their sufficiency and (2) factual attacks on the facts on which subject
matter jurisdiction depends. Holt v. United States, 46 F.3d 1000, 1002–03 (10th Cir. 1995),
abrogated on other grounds by Cent. Green Co. v. United States, 531 U.S. 425, 437 (2001);
Blood v. Labette Cnty. Med. Ctr., No. 22-cv-04036-HLT-KGG, 2022 WL 11745549, at *2 (D.
Kan. Oct. 20, 2022) (explaining the two forms for a motion to dismiss for lack of jurisdiction
under Rule 12(b)(1)). Facial attacks are resolved based solely on the complaint, accepting all the
plaintiff’s allegations as true. Holt, 46 F.3d at 1002.
Defendant here presents just a facial attack in its Motion to Dismiss. See generally Doc.
18. Accordingly, the court accepts plaintiff’s allegations as true. Holt, 46 F.3d at 1002. But, on
a standing challenge raised at the pleading stage, the “court need not accept ‘conclusory
allegations, unwarranted inferences, or legal conclusions.’” Blood, 2022 WL 11745549, at *3
(quoting Brady Campaign to Prevent Gun Violence v. Brownback, 110 F. Supp. 3d 1086, 1092
(D. Kan. 2015)); Hackford v. Babbitt, 14 F.3d 1457, 1465 (10th Cir. 1994) (same).
III. Standing
Article III of the United States Constitution limits federal courts’ jurisdiction to “cases”
and “controversies.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 408 (2013). To present a case
or controversy under Article III, a plaintiff must establish that he has standing to sue. Id.
(citations omitted).
Article III’s standing analysis requires three things: (1) an “injury in fact—an invasion of
a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent,
not conjectural or hypothetical;” (2) “a causal connection between the injury and the conduct
complained of—the injury has to be fairly . . . traceable to the challenged action of the defendant,
and not . . . the result of the independent action of some third party not before the court;” and (3)
that it is “likely, as opposed to merely speculative, that the injury will be redressed by a
favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992) (quotation cleaned
up). At “the pleading stage, the plaintiff must clearly allege facts demonstrating each element”
of standing. Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (citation, internal quotation marks,
and ellipsis omitted). And, at the pleading stage, general factual allegations can carry plaintiff’s
burden to establish the elements of Article III standing because the court must “‘presum[e] that
general allegations embrace those specific facts that are necessary to support the claim.’” Lujan,
504 U.S. at 561 (quoting Lujan v. Nat’l Wildlife Fed’n, 497 U.S. 871, 889 (1990)). Plaintiff
“must demonstrate standing for each claim that [he] press[es] and for each form of relief that [he]
seek[s.]” TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021).
A. Standing Considerations in Data Privacy Cases
Data breach cases present unique Article III standing questions. The issues usually
revolve around the first or second elements of standing: injury in fact and causation. One
problem in data breach cases is whether plaintiffs have suffered a concrete injury. “To establish
injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected
interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or
hypothetical.’” Spokeo, 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560). “No concrete harm,
no standing.” TransUnion, 594 U.S. at 442.
Another problem is whether plaintiffs can trace their concrete injuries to the data breach
alleged and in a nonspeculative manner. See, e.g., Blood, 2022 WL 11745549, at *5
(emphasizing that plaintiffs must allege “a plausible, non-speculative connection from the stolen
information” to the alleged injury to establish the causation element of standing). Traceability
“requires a plaintiff to ‘allege a substantial likelihood that the defendant’s conduct caused [the]
plaintiff’s injury in fact.’” Masterson v. IMA Fin. Grp., No. 23-2223-HTL-ADM, 2023 WL
8647157, at *3 (D. Kan. Dec. 14, 2023) (quoting Santa Fe All. for Pub. Health & Safety v. City
of Santa Fe, 993 F.3d 802, 814 (10th Cir. 2021)).
Take the first problem—the injury in fact. Some Circuits have concluded that data
breach plaintiffs have sustained injuries in fact because of the breach alone.2 Others have
concluded the opposite.3 Our Circuit has yet to weigh in. But district courts across our Circuit
have reached something of a consensus—injury in fact requires actual misuse of the PII. Merely
experiencing a breach won’t suffice.
2 See, e.g., Attias v. Carefirst, Inc., 865 F.3d 620, 628–29 (D.C. Cir. 2017) (concluding plaintiffs
had standing where plaintiffs alleged data breach exposed them to heightened risk of identity theft
because “unauthorized party ha[d] already accessed personally identifying data on [defendant’s] servers,
and it [was] much less speculative—at the very least, it [was] plausible—to infer that this party ha[d] both
the intent and the ability to use that data for ill” and focusing on the “light burden of proof the plaintiffs
bear at the pleading stage”); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387–91 (6th Cir.
2016) (concluding plaintiffs had standing where hackers stole plaintiffs’ personal information because
where “data breach targets personal information, a reasonable inference can be drawn that the hackers
will use the victims’ data for . . . fraudulent purposes”); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d
688, 691–95 (7th Cir. 2015) (concluding plaintiffs had standing where hackers stole customer credit card
numbers and explaining “customers should not have to wait until hackers commit identity theft or
credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that
such an injury will occur” (quoting Clapper, 568 U.S. at 410)); Krottner v. Starbucks Corp., 628 F.3d
1139, 1143 (9th Cir. 2010) (concluding plaintiffs had standing where plaintiffs alleged concern about
increased risk of future identity theft because plaintiffs had “alleged a credible threat of real and
immediate harm stemming from the theft of a laptop containing their unencrypted personal data”); In re
Zappos.com, Inc., 888 F.3d 1020, 1024–29 (9th Cir. 2018) (reaffirming Krottner post Clapper).
The court has explained in an earlier decision that misuse of the compromised data is an
important inflection point that explains many of the differing standing results. C.C. v. Med-Data
Inc., No. 21-2301-DDC-GEB, 2022 WL 970862, at *4 (D. Kan. Mar. 31, 2022) (“‘[W]here no
allegations of misuse are present, circuit courts have generally declined to find standing.’”
(quoting Legg v. Leaders Life Ins. Co., 574 F. Supp. 3d 985, 990 (W.D. Okla. 2021))); In re
Progressive Leasing Breach Litig., No. 23-cv-00783-DBB-CMR, 2025 WL 213744, at *9 (D.
Utah Jan. 16, 2025) (cataloguing data privacy cases and concluding “misuse is generally
necessary [for] standing”).4 Honing in on this inflection point, many district courts in the Tenth
Circuit “have predicted that [our] Court of Appeals will require actual misuse of stolen data to
find that plaintiffs have standing[.]” Stern v. Academy Mortg. Corp., No. 24-cv-00015-DBB-DAO,
2025 WL 239036, at *3 (D. Utah Jan. 17, 2025); Owen-Brooks v. DISH Network Corp.,
No. 23-cv-01168-RMR-SBP, 2024 WL 4338133, at *7–8 (D. Colo. Aug. 23, 2024), report and
recommendation adopted 2024 WL 4333660 (D. Colo. Sept. 27, 2024) (joining sister courts “in
predicting that the Tenth Circuit will require data breach plaintiffs to allege actual misuse of
their stolen data . . . to find that they have standing to bring claims for damages. . . . [and]
injunctive relief” (emphasis in original)); cf. Blood, 2022 WL 11745549, at *7 (“[M]ultiple
Circuits have held that without actual misuse of stolen information, plaintiffs lack standing to
bring claims because their injuries are not concrete, particularized, or imminent.”). The court
agrees with these sister courts—actual misuse generally is necessary to establish an injury in
fact.
3 See O’Leary v. TrustedID, Inc., 60 F.4th 240, 244 (4th Cir. 2023) (“[W]e’ve held that being
subjected to a data breach isn’t in and of itself sufficient to establish Article III standing without a
nonspeculative, increased risk of identity theft.”); McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d
295, 301, 303–05 (2d Cir. 2021) (noting “that plaintiffs may establish standing based on an increased risk
of identity theft or fraud following the unauthorized disclosure of their data” but ultimately concluding
plaintiffs lacked standing because they “never alleged that their data was intentionally targeted or
obtained by a third party,” failed to allege their data “was in any way misused,” and likewise failed to
allege “that the PII was intentionally taken by an unauthorized third party or otherwise misused”); Tsao v.
Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340–44 (11th Cir. 2021) (concluding plaintiffs’
alleged harms of substantial future risk of identity theft, proactive mitigation costs, and conclusory
allegations of unauthorized charges failed to confer standing); In re SuperValu, Inc., 870 F.3d 763, 769–
70 (8th Cir. 2017) (concluding plaintiffs lacked standing when plaintiffs alleged that “illicit websites
[were] selling their Card Information to counterfeiters and fraudsters, and that plaintiffs’ financial
institutions [were] attempting to mitigate their risk” because the allegations were “speculative” and
“fail[ed] to allege any injury ‘to the plaintiff[s]’” (quoting Friends of the Earth, Inc. v. Laidlaw Env’t
Servs. (TOC), Inc., 528 U.S. 167, 181 (2000))).
4 For a detailed assessment of cases addressing whether a plaintiff must allege actual misuse, see In
re Progressive, 2025 WL 213744, at *3–9. A minority of courts have concluded a plaintiff has standing
even absent allegations of actual misuse. See Bohnak v. Marsh & McLennan Cos., 79 F.4th 276, 289 (2d
Cir. 2023) (concluding plaintiff sufficiently alleged a substantial likelihood of future harm, even absent
allegations of actual identity theft or other misuse).
To put a finer point on it, actual misuse establishes a past harm—when a cybercriminal
already has employed a plaintiff’s PII for his own ends. But when it comes to PII, there’s also
the question of future harm—that is, if a plaintiff’s PII is “out there,” so to speak, a bad actor
could use it at any point. The court addresses future harm separately, in a bit. It requires a
slightly different analysis (one that includes, but doesn’t end with actual misuse). For now, the
court trains its attention on plaintiff’s alleged harms to determine if any establish an injury in
fact.
Plaintiff alleges four kinds of injury: (1) actual identity theft and the risk of future
identity theft; (2) fear and anxiety; (3) lost time, annoyance, and inconvenience from mitigation
efforts; and (4) loss of privacy. Doc. 1 at 15–16 (Compl. ¶¶ 68–75).5 Each of these injuries
allegedly supports a claim for damages. Plaintiff also requests declaratory and injunctive relief.
Recall that plaintiff “must demonstrate standing for each claim that [he] press[es] and for each
form of relief that [he] seek[s.]” TransUnion, 594 U.S. at 431 (emphasis added). To assess
whether plaintiff has standing, the court evaluates each of his alleged injuries supporting
damages. Then, the court addresses whether plaintiff has standing to seek injunctive and
declaratory relief.
5 Because a “‘putative class action can proceed as long as one named plaintiff has standing[,]’” the
court evaluates just the injury allegations specific to plaintiff. Masterson, 2023 WL 8647157, at *2 n.2
(quoting In re SuperValu, Inc., 870 F.3d at 768).
B. Damages
The court structures its standing analysis about damages as follows: First, the court
evaluates plaintiff’s alleged injuries premised on identity theft and fraud. These injuries
subdivide into two categories—past and future identity theft. And each category merits a
slightly different analysis. So, the court first addresses allegations of past identity theft,
completing both the injury-in-fact and causation standing analyses. After completing that
analysis, the court turns to future identity theft. It explains the three-part test employed when a
court analyzes standing based on future identity theft allegations, and then conducts that analysis.
As a preview of the result, the court concludes that plaintiff doesn’t have standing to seek damages
premised on either past or future identity theft.
Then, the court assesses whether plaintiff has damages standing premised on emotional
distress, lost time, or lost privacy injuries. Again, the answer is no for all three.
1. Past and Prospective Identity Theft and Fraud
Plaintiff alleges he “has had his identity stolen or attempts” at stealing his identity. Doc.
1 at 15 (Compl. ¶ 68). And he alleges that he faces “imminent and impending injury arising from
the substantially increased risk of fraud, identity theft, and misuse” of his data. Id. at 16 (Compl.
¶ 75). Start with plaintiff’s alleged past identity theft.
a. Past Identity Theft
Three allegations of identity theft appear in plaintiff’s Complaint. First, plaintiff alleges
that because of the data breach, he received a number of spam calls. Id. at 15 (Compl. ¶ 70).
Those calls, he asserts, were “clearly attempts to use Plaintiff’s PII to extort him for money or
more PII.” Id. Second, he alleges unauthorized actors attempted to sign in to his bank accounts.
Id. (Compl. ¶ 68). And, third, he alleges that cybercriminals “were able to pose as Plaintiff and
hack his financial accounts to steal his money[,]” including making unauthorized purchases on
his PayPal account. Id. (Compl. ¶¶ 68–69). The first and second of these allegations don’t
qualify as misuse constituting injuries in fact. The third is misuse constituting an injury in fact.
But on that third allegation—as the court shows, below—plaintiff’s standing theory runs out on
causation.
i. Injury in Fact
Begin with plaintiff’s allegation that he received an increased number of spam calls
attempting to extort him. Our court has concluded that increased spam calls after a data breach
are not an injury in fact. Blood, 2022 WL 11745549, at *6 (“[T]he alleged inconvenient
disruptions (such as spam calls, texts, and emails) do not constitute an injury in fact.”); see also
Legg, 574 F. Supp. 3d at 993 (“[T]he receipt of phishing emails, while perhaps ‘consistent with’
data misuse, does not ‘plausibly suggest’ that any actual misuse of Plaintiff’s personal
identifying information has occurred.” (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 557
(2007))); In re Practicefirst Data Breach Litig., No. 21-CV-00790 (JLS/MJR), 2022 WL 354544,
at *5 n.8 (W.D.N.Y. Feb. 2, 2022) (collecting cases and explaining “even if plaintiffs had shown
that they received an increase in spam because of this data breach, the Court would still find
these allegations insufficient to allege injury in fact”). Spam calls are annoying. But an
annoyance isn’t an actual and concrete injury.
An identical fate befalls plaintiff’s allegations theorizing that unauthorized actors have
tried to access his bank accounts. Plaintiff never pleads that hackers succeeded in their sign-in
attempts. See generally Doc. 1. He just alleges that he received “multiple notifications” that
unknown actors had tried to sign in to his account. Id. at 15 (Compl. ¶ 68). Courts have
concluded that receiving notice about attempted logins doesn’t constitute an injury in fact. See
De Medicis v. Ally Bank, No. 21 Civ. 6799 (NSR), 2022 WL 3043669, at *6 (S.D.N.Y. Aug. 2,
2022) (“Plaintiff still fails to establish that he suffered a concrete, particularized injury because
the alleged [email account access] attempts were all unsuccessful.”); Kim v. McDonald’s USA,
LLC, No. 21-cv-05287, 2022 WL 4482826, at *5 (N.D. Ill. Sept. 27, 2022) (emphasizing that no
plaintiff alleged identity theft, and that “notifications that an individual attempted to log in to his
email” weren’t sufficient (quotation cleaned up)). The unsuccessful sign-in attempts don’t
qualify as actual and concrete injuries here.
Plaintiff’s allegations about financial hacks and purchases fare far better—at least on the
injury in fact prong. Recall that plaintiff asserts cybercriminals stole his money by hacking his
financial accounts and making unauthorized PayPal purchases. Doc. 1 at 15 (Compl. ¶¶ 68–69).
Responding, defendant argues that plaintiff’s allegations merely reflect attempts at stealing his
identity. Doc. 18 at 10. In defendant’s view, plaintiff’s Complaint suggests he was “reimbursed
for any fraudulent transaction, if any actual transaction occurred.” Id. And, because plaintiff
doesn’t allege an out-of-pocket loss, defendant suggests, it’s not plausible that his identity was
stolen. Id. But plaintiff needn’t allege an out-of-pocket loss to establish an injury in fact.
TransUnion, 594 U.S. at 425 (recognizing that physical, monetary, and “[v]arious intangible
harms” are sufficiently concrete injuries). Our court already has declined to adopt a theory
similar to defendant’s argument here, concluding that a data breach plaintiff needn’t plead
financial harm to show actual injury. Masterson, 2023 WL 8647157, at *4 n.4 (rejecting
argument “that neither [named plaintiff] has shown an actual injury because neither pleaded that
they actually paid the unauthorized charges”). Unauthorized purchases are actual misuses of a
plaintiff’s PII constituting injuries in fact. Blood, 2022 WL 11745549, at *5 (concluding
unauthorized bank fees constitute concrete injuries); In re Progressive, 2025 WL 213744, at
*12–13 (concluding named plaintiffs had alleged actual injury sufficiently from unauthorized
charges on debit card); Masterson, 2023 WL 8647157, at *4 (assuming that fraudulent debit card
charges were concrete and actual injuries). This court reaches the same conclusion here.
Plaintiff plausibly has alleged an injury in fact based on his PayPal and financial hacks.
Having established an injury in fact, the court next evaluates whether plaintiff has alleged
a causal link between the data breach and plaintiff’s injury.
ii. Causation
To establish the requisite causal link, a plaintiff plausibly must allege an injury that’s
“fairly traceable” to the data breach. Clapper, 568 U.S. at 409 (internal quotation marks and
citation omitted). And those allegations can’t involve a “speculative chain of possibilities[.]” Id.
at 414; Masterson, 2023 WL 8647157, at *3 (same). In other data privacy cases, courts
(including this one) have found causation missing when a plaintiff fails to explain how the PII
disclosed in the data breach connects to the injury alleged. For example, in Blood v. Labette
County Medical Center, our court concluded data breach plaintiffs had failed to plead the
causation element of standing. 2022 WL 11745549, at *5. There, like here, a data breach
allegedly disclosed plaintiffs’ names and Social Security numbers. Id. at *1. And while
plaintiffs had alleged an injury in fact—unauthorized charges on their bank accounts—they
never pleaded “facts suggesting how the mere possession of their Social Security numbers and
names would enable someone to make unauthorized charges on an existing account[.]” Id. at *5.
“To assume someone could have done so with the allegedly stolen information . . . requires a
level of speculation and conjecture this Court is unwilling to accept.” Id.; see also Fernandez v.
Leidos, Inc., 127 F. Supp. 3d 1078, 1086 (E.D. Cal. Aug. 28, 2015) (concluding attempts to open
bank accounts and access plaintiff’s email not fairly traceable to data breach because stolen data
tapes didn’t include bank account information and email addresses). Instead, to survive a
standing challenge, plaintiff must allege the PII disclosed in this data breach was misused, or
otherwise show a nonspeculative connection between this data breach and the misuse.
So, how do plaintiff’s causation allegations fare here? Plaintiff never pleads allegations
that, if true, trace how unauthorized actors could use the disclosed PII (his name, Social Security
number, and date of birth) to make unauthorized PayPal purchases or steal his money. But he
does explain how cybercriminals develop “complete dossiers on individuals”—known as Fullz
packages—by cross-referencing stolen PII with other stolen PII or publicly available data. Doc.
1 at 13–14 (Compl. ¶¶ 61–64). According to plaintiff, creating Fullz packages “means that
stolen PII from the Data Breach can easily be used to link and identify it to Plaintiff’s and the
Class’s phone numbers, email addresses, and other unregulated sources and identifiers.” Id. at
14 (Compl. ¶ 63). And, plaintiff concludes, “[t]hat is exactly what is happening to Plaintiff[,]”
making it “reasonable for any trier of fact . . . to find that Plaintiff’s and the Class’s stolen PII is
being misused, and that such misuse is fairly traceable to the Data Breach.” Id. (Compl. ¶ 64).
But this causation argument is speculative on two fronts. First, plaintiff speculates that
unknown cybercriminals took his PII from this data breach and compiled it along with other
information to create a Fullz package. Second, he implicitly speculates that the Fullz package
included plaintiff’s financial and PayPal account information, information decidedly not part of
this data breach. Plaintiff never alleges that his PayPal or bank account information was
involved in another data breach or was otherwise publicly available. In fact, he explains that he
“stores any documents containing his sensitive PII in safe and secure locations” and “diligently
chooses unique usernames and passwords for his various online accounts.” Id. at 15 (Compl.
¶ 73). Plaintiff’s causation theory simply describes Fullz packages as a concept. And then his
theory jumps to the conclusion that the information disclosed in the data breach enabled
unauthorized actors to access his financial accounts.
Blanket explanations about the development of Fullz packages don’t suffice to plead
causation. See Masterson, 2023 WL 8647157, at *5, *5 n.7 (concluding plaintiffs hadn’t
established causation where plaintiff never alleged defendant possessed the misused data or
“explain[ed] how the combination of PII . . . taken in the data breach . . . combined with
‘unregulated data’ . . . can lead to the misuse alleged, let alone how that misuse is traceable to
[defendant]”); Zerbe v. IMA Fin. Grp., No. 24-2026-HLT-GEB, 2024 WL 3677395, at *6 (D.
Kan. Aug. 6, 2024) (concluding in companion case to Masterson that the Fullz package
allegations weren’t sufficient to show “how the combination of some stolen data with
unspecified other data available on the internet results in an injury traceable to [defendant]”);
Doe v. Mission Essential Grp., No. 23-cv-3365, 2024 WL 3877530, at *7 (S.D. Ohio Aug. 20,
2024) (noting in traceability analysis that “[a]lthough [plaintiff] insists that the PII possibly
accessed in the Data Incident” may combine “with other sources to create ‘Fullz’ packages that
can be sold or used to commit fraud[,]” that allegation relies “upon speculation about the actions
of independent actors in combining the PII with information” from other sources). Plaintiff here
doesn’t “fairly trace” the alleged data breach to Fullz package misuse.6
Because plaintiff’s alleged instances of past identity theft don’t qualify either as injuries
in fact or as fairly traceable to the data breach, plaintiff hasn’t shown the all-important “actual
misuse” required to plead standing. See Blood, 2022 WL 11745549, at *8 (concluding the court
had “no sufficient allegations of data misuse” when each allegation of misuse failed as either an
injury in fact or as fairly traceable to the data breach). Next, the court considers whether
plaintiff’s future identity theft allegations can qualify as an injury in fact.
b. Risk of Future Identity Theft and Fraud
Plaintiff takes his identity theft and fraud allegations one step further, alleging he faces
“imminent and impending injury arising from the substantially increased risk of fraud, identity
theft, and misuse resulting from [his] PII, especially his Social Security number, being placed in
the hands of unauthorized third parties and possibly criminals.” Doc. 1 at 16 (Compl. ¶ 75).
Defendant argues that these allegations merely speculate about future events and conduct of
unknown third parties, which undercut plaintiff’s risk of future harm. Doc. 18 at 11.
Before the court applies case law to evaluate plaintiff’s allegations of future risk, the
court clarifies an important, orienting principle: Risk of future identity theft alone doesn’t confer
standing for damages claims. TransUnion, 594 U.S. at 437 (finding mere risk of future harm—
without showing the risk had materialized—doesn’t suffice to confer standing for damages
claims). So, one might ask, why should the court evaluate that risk here? A cognizable risk of
future harm may suffice for plaintiff to allege a past injury in fact based on his emotional distress
and mitigation efforts. See below § III.B.2–3. The court evaluates plaintiff’s standing based on
those alleged injuries later in this Order. But, first, the court examines the threshold question:
whether plaintiff has alleged sufficiently a risk of future identity theft.
6
Plaintiff identifies three out-of-circuit cases accepting allegations about Fullz packages as
plausible explanations of traceability. See Doc. 20 at 10 (first citing Fox v. Iowa Health Sys., 399 F.
Supp. 3d 780, 792 (W.D. Wis. 2019); then citing Flores v. Aon Corp., 242 N.E. 3d 340, 354 (Ill. App. Ct.
2023); and then citing In re GEICO Customer Data Breach Litig., No. 21-CV-2210-KAM-SJB, 2023 WL
4778646, at *6–7 (E.D.N.Y. July 21, 2023)). The court doesn’t find these cases persuasive on the facts
alleged here, given our court’s rejection of a similar theory in other cases.
Other Circuits have developed a three-factor test to determine “when the risk of future
misuse of PII following a data breach is imminent and substantial.” Webb v. Injured Workers
Pharmacy, LLC, 72 F.4th 365, 375 (1st Cir. 2023). Those three factors are:
(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt
to obtain the data; (2) whether any portion of the dataset has already been misused,
even if the plaintiffs themselves have not yet experienced identity theft or fraud;
and (3) whether the type of data that has been exposed is sensitive such that there
is a high risk of identity theft or fraud.
McMorris, 995 F.3d at 303.7 These factors aren’t exclusive. Id. And, in the First
Circuit’s view, they aren’t “necessarily determinative[.]” Webb, 72 F.4th at 375. “[B]ut they do
provide guidance.” Id.
Our court also has evaluated these three factors—even after concluding a plaintiff’s
failure to allege misuse “alone puts plaintiff on shaky standing grounds.” F.S. v. Captify Health,
Inc., No. 23-1142-DDC-BGS, 2024 WL 1282437, at *4 (D. Kan. Mar. 26, 2024). The court
takes the same approach again, here. It concludes plaintiff hasn’t shown an imminent risk of
future identity theft.
i. Targeted Attempt
First, consider whether the breach resulted from an intentional, targeted effort. To be
sure, “all cyber-attacks involve some degree of intentional conduct just by the very nature of the
attack.” In re Samsung Data Sec. Breach Litig., No. 23-md-03055, 2025 WL 271059, at *6
(D.N.J. Jan. 3, 2025) (internal quotation marks and citation omitted). But a clearly “intentional
breach makes standing more likely.” Alonzo v. Refresco Beverages US, Inc., No. 23-22695 (GC)
(JBD), 2024 WL 4349592, at *5 (D.N.J. Sept. 30, 2024) (citing McMorris, 995 F.3d at 301).
7
The First, Second, and Third Circuits all consider these three factors. See Webb, 72 F.4th at
375–77; Bohnak, 79 F.4th at 283 (reaffirming three McMorris factors post-TransUnion); Clemens v.
ExecuPharm Inc., 48 F.4th 146, 153–54, 157 (3d Cir. 2022).
Here, plaintiff attaches the data breach letter distributed by defendants to his Complaint.8
See Doc. 1-1 at 2 (Pl. Ex. 1). The letter repeatedly used the passive voice to explain the data
breach incident: “[T]here was unauthorized access to [defendant’s] network” and “certain files
and folders were viewed or taken without authorization[.]” Id. Plaintiff interprets this language
to mean that “cybercriminals obtained everything they needed to commit identity theft and wreak
havoc on the financial and personal lives of thousands of individuals[.]” Doc. 1 at 2 (Compl.
¶ 8). But that interpretation seems like a leap, given the information provided in defendant’s
letter. And there’s no indication plaintiff has any other information to support his conclusory
allegation. Cf. Deevers v. Wing Fin. Servs., LLC, No. 22-CV-550-CVE-JFJ, 2023 WL 6133181,
at *5 (N.D. Okla. Sept. 19, 2023) (explaining that it’s “unclear” whether plaintiffs sufficiently
alleged a targeted attack because they just had alleged unauthorized parties could access client
records and defendant identified unauthorized access, but plaintiffs didn’t “allege that a specific
third party actor stole information, or that a known third party targeted” the systems). The court
thus acknowledges the possibility of a targeted attack by cybercriminals, as plaintiff alleges, but
doesn’t unqualifiedly accept it as true. See Blood, 2022 WL 11745549, at *3 (explaining that “a
court need not accept conclusory allegations” as true at the pleading stage (quotation cleaned
up)). And so, the first factor slightly favors finding an injury in fact from plaintiff’s future
identity theft allegations.
8
“Exhibits attached to a complaint are properly treated as part of the pleadings for purposes of
ruling on a motion to dismiss.” Tal v. Hogan, 453 F.3d 1244, 1264 n.24 (10th Cir. 2006) (evaluating
plaintiff’s exhibits in ruling on a 12(b)(6) motion). A facial 12(b)(1) challenge proceeds under the “same
standards” as a 12(b)(6) motion to dismiss. Muscogee (Creek) Nation v. Okla. Tax Comm’n, 611 F.3d
1222, 1227 n.1 (10th Cir. 2010).
ii. Misuse
Second, the test directs courts to consider whether plaintiff has alleged any portion of the
dataset was misused. As established above, plaintiff’s alleged misuses fall short of the mark
because they don’t qualify either as injuries in fact or as fairly traceable to the data breach. So,
this factor significantly cuts against finding a “certainly impending” future injury. Clapper, 568
U.S. at 409 (quotation cleaned up).
While some cases conclude misuse isn’t an essential part of the test, sister district courts
in the Tenth Circuit emphasize the vitality of misuse to the standing calculus. In fact, some don’t
evaluate the other two factors at all and concentrate solely on actual misuse at the future harms
stage, as well. Compare Bohnak, 79 F.4th at 289 (“[A known misuse of information] allegation
is not necessary to establish that an injury is sufficiently imminent to constitute an injury in
fact.”); with Masterson, 2023 WL 8647157, at *8 (emphasizing the importance of actual misuse
in risk of future injuries analysis to show a data breach injury is concrete, particularized, or
imminent without evaluating other two factors); and Deevers, 2023 WL 6133181, at *5–6
(applying three factors and explaining “the majority of courts, including district courts in this
circuit, have concluded that plaintiffs must allege actual misuse . . . to demonstrate they face an
imminent risk of fraud”). Indeed, our court has required some form of actual misuse to show an
imminent and substantial risk of future harm in data privacy cases. See Blood, 2022 WL
11745549, at *7–8 (evaluating plaintiff’s allegations of actual misuse and whether those
allegations support an injury in fact based on risk of future identity theft); see also In re Equifax
Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1263 (11th Cir. 2021), cert. denied sub
nom. Huang v. Spector, 142 S. Ct. 431 (2021) (finding plaintiffs plausibly had alleged an injury
in fact because some plaintiffs already had their identities stolen and “the allegations
of some Plaintiffs that they have suffered injuries resulting from actual identity theft support the
sufficiency of all Plaintiffs’ allegations that they face a risk of identity theft” (emphasis in
original)). This factor—a weighty one for district courts in our Circuit—significantly undercuts
plaintiff’s future-risk-of-identity-theft argument.
iii. Sensitive Data
Third, consider whether data exposed in the breach is susceptible to fraud. Plaintiff
alleges his name, Social Security number, and date of birth were exposed in the breach. Doc. 1
at 14 (Compl. ¶ 66). This data is precisely the type of sensitive, high-risk information
susceptible to fraud. McMorris, 995 F.3d at 302 (“Naturally, the dissemination of high-risk
information such as Social Security numbers and dates of birth—especially when accompanied
by victims’ names—makes it more likely that those victims will be subject to future identity theft
or fraud.”). This factor favors a conclusion that plaintiff has alleged a sufficient injury in fact.
As the First Circuit explained, the three factors “are neither exclusive nor necessarily
determinative, but they do provide guidance.” Webb, 72 F.4th at 375. Next, the court evaluates
one last factor before deciding whether plaintiff has alleged a “certainly impending” risk of
future identity theft. See Clapper, 568 U.S. at 409 (quotation cleaned up).
iv. Miscellaneous Consideration
Aside from allegations of identity theft, plaintiff attempts to show imminence by citing a
plethora of research and reports about identity theft crimes and data breaches. See Doc. 1 at 12–
14, 17 (Compl. ¶¶ 57–63, 81). But this court already has rejected this approach, concluding it
doesn’t establish a cognizable risk of future harm. See Med-Data Inc., 2022 WL 970862, at *7
(finding that plaintiffs hadn’t pleaded “any particularized facts to corroborate” fear of future
identity theft and “research and reports about identity theft crimes” don’t suffice to show a risk
of future harm); Legg, 574 F. Supp. 3d at 993 (finding that plaintiff “relies on reports that
describe the general risks of identity theft, explain how personal information can be sold on illicit
internet sites, and identify other data breaches” but those reports “‘do nothing to clarify the risks
to the plaintiffs in this case’” (quoting Tsao, 986 F.3d at 1343)). Simply put, the referenced
reports don’t persuade the court that the threatened injury is “certainly impending.” Clapper,
568 U.S. at 409 (quotation cleaned up).
At bottom, the court concludes plaintiff hasn’t alleged a risk that future identity theft is
imminent. While the data’s sensitivity favors an injury in fact conclusion, the court isn’t
convinced plaintiff’s allegations about cybercriminals and a targeted attack move beyond the
conclusory stage. And the alleged misuse factor—arguably the most important factor—strongly
disfavors concluding that plaintiff has alleged a sufficient injury in fact. Finally, plaintiff’s
attempt to lean into research and reports doesn’t help his cause. Without the alleged misuse, his
threats of future identity theft are too speculative to confer standing.
But even if one assumes plaintiff had alleged sufficiently a risk of future identity theft,
that risk wouldn’t confer standing for damages automatically. That’s because, recall, future
identity theft alone doesn’t suffice as an injury in fact for damages. TransUnion, 594 U.S. at
436–37. But sometimes, a risk of future harm can couple with other harms to create a cognizable
injury in fact supporting damages. Plaintiff seeks damages from two harms that fit this bill:
emotional distress and mitigation efforts. So, the court evaluated plaintiff’s future injury
allegations as a potential companion to establish standing under emotional distress and
mitigation efforts. The court’s conclusion—that plaintiff hadn’t alleged a future risk of identity
theft—thus dooms plaintiff’s emotional distress and mitigation injuries.
2. Emotional Distress
Plaintiff alleges he experienced fear and anxiety from the loss of his privacy. Doc. 1 at
16 (Compl. ¶ 74). And, he alleges, he will continue suffering emotional distress. Id. (Compl.
¶ 79). Defendant responds, contending that this emotional distress won’t support standing unless
plaintiff also has alleged an impending risk of future identity theft or actual misuse of the PII
disclosed in the data breach. Doc. 18 at 13. Defendant is correct—emotional distress plus actual
misuse or certainly impending future harm can qualify as an injury in fact. Masterson, 2023 WL
8647157, at *7 (“[T]here are no allegations of misuse tied to [defendant]. And, . . . there is no
risk of future harm that is certainly impending or substantial. Based on this, Plaintiffs’
bare-bones allegations of emotional distress are not sufficient to confer standing.”). Plaintiffs can’t
“manufacture standing merely by inflicting harm on themselves[.]” Clapper, 568 U.S. at 416.
Absent allegations of actual misuse or an imminent threat of future harm, emotional distress
allegations can’t qualify as a present or future harm sufficient for standing.
His next asserted injury suffers the same fate.
3. Lost Time from Mitigation Efforts
Plaintiff alleges he spent 240 hours mitigating the data breach’s consequences. Doc. 1 at
15 (Compl. ¶ 71). In those hours, he verified the legitimacy of the Notice of Data Breach,
self-monitored his accounts, reviewed his credit reports, and otherwise “mitigat[ed] fraud and identity
theft.” Id. But mitigation time constitutes a concrete injury only if it’s “based on a threat of
future injury that is certainly impending.” Blood, 2022 WL 11745549, at *6 (concluding
mitigation time not an injury in fact after concluding plaintiffs hadn’t alleged fraud injuries fairly
traceable to the data breach); Legg, 574 F. Supp. 3d at 994 (“[W]hile it may have been
reasonable to take some steps to mitigate the risks associated with the data breach, those actions
cannot create a concrete injury where there is no imminent threat of harm.”); Stern, 2025 WL
239036, at *7 (“Plaintiffs’ fear about misuse of their PII is not certainly impending harm, as no
Plaintiff has alleged that their data is actually available on the dark web or otherwise has been
transmitted to others for imminent use.”). Without actual misuse or a certainly impending threat
of future injury, plaintiff again “manufacture[s] standing merely by inflicting harm on [himself]
based on [his] fears of hypothetical future harm[.]” Clapper, 568 U.S. at 416. That’s not
sufficient to constitute an injury in fact—for past mitigation efforts or future ones.
Last up, the final injury allegation to support damages—lost privacy.
4. Lost Privacy
Plaintiff alleges defendant “affirmatively and recklessly disclosed” plaintiff’s PII to
“unauthorized third parties.” Doc. 1 at 31 (Compl. ¶ 147). And defendant’s “reckless and
negligent failure to protect Plaintiff and Class Members’ PII constitutes an intentional
interference with [their] interest in solitude or seclusion . . . [in a manner] that would be highly
offensive to a reasonable person.” Id. at 31–32 (Compl. ¶ 149). Based on these allegations, the
court interprets plaintiff’s lost privacy claim here as one sounding in the intrusion upon seclusion
tort. So, the court next evaluates whether these intrusion upon seclusion allegations confer
standing.
Remember, standing requires an injury that is both actual or imminent, and concrete.
Lujan, 504 U.S. at 560. The court has referenced many cases that—when evaluating commonly
alleged data breach injuries—fail to distinguish between those two injury-in-fact requirements.
But when evaluating a lost privacy harm, the distinction comes into focus. While a plaintiff may
allege an actual loss of privacy resulting from a data breach, that doesn’t mean their asserted
injury is concrete. So, the court’s analysis now must focus on the concreteness of plaintiff’s
alleged lost privacy.9
The Supreme Court has clarified that concrete injuries are those with “a close relationship
to a harm traditionally recognized as providing a basis for a lawsuit in American courts.”
TransUnion, 594 U.S. at 424 (quotation cleaned up). And to identify such a traditionally
recognized harm, the Supreme Court has looked to the Restatement of Torts. Id. at 432
(referencing the Restatement when assessing whether the alleged injury bore a “close
relationship to a harm traditionally recognized as providing a basis for a lawsuit in American
courts” on the concrete harm requirement (internal quotation marks and citation omitted)). The
Restatement outlines four, traditionally distinct privacy torts: (1) intrusion upon seclusion; (2)
appropriation of name or likeness; (3) public disclosure of private facts; and (4) false light
publicity. See Restatement (Second) of Torts § 652A (Am. L. Inst. 1977) (October 2024
Update). As TransUnion explained, “disclosure of private information, and intrusion upon
seclusion” may constitute concrete, intangible harms. 594 U.S. at 425.10 The court evaluates
whether plaintiff’s alleged lost privacy injury here establishes standing because of its close
relationship to the intrusion upon seclusion tort.
9
As a case in point, plaintiff here focused his briefing on whether his loss of privacy injury was
actual or imminent. See Doc. 20 at 5 (“‘To sustain an injury based on loss of privacy, other courts have
required some allegation that personal information has been viewed or exposed in a way that would
facilitate easy, imminent access.’” (quoting Masterson, 2023 WL 8647157, at *7)); In re Sci. Applications
Int’l Corp. Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 28–29 (D.D.C. 2014) (concluding invasion
of privacy didn’t satisfy imminence requirement when plaintiff hadn’t alleged their PII was viewed or
“exposed in a way that would facilitate easy, imminent access”).
Taking plaintiff’s allegations as true, the court assumes an actual or imminent loss of privacy
injury under the definitions used in these cases. Nonetheless, his loss of privacy allegations still don’t
establish injury in fact because they aren’t concrete, as the court explains in this section.
10
In the data breach context, courts—including ours—have evaluated loss of privacy for standing
purposes by comparison to the public disclosure of private facts tort. See Med-Data, Inc., 2022 WL
970862, at *9 (“Plaintiff’s alleged loss of privacy damages here arise from her invasion of privacy tort
claim—specifically, the tort of public disclosure of private information.” (quotation cleaned up)); In re
Practicefirst Data Breach Litig., 2022 WL 354544, at *8 (“[E]ven if plaintiffs could plead facts sufficient
to allege the tort of public disclosure of private information, the Court would still find a lack of subject
matter jurisdiction here. Indeed, this theory of standing has been rejected in the data breach context
where, like in this case, plaintiffs have failed to demonstrate any concrete or particularized injury
associated with the disclosure.”).
Our court also has emphasized that, in a claim for public disclosure of private facts, “loss of
privacy, in and of itself, is not a concrete harm that can provide the basis for Article III standing.”
Med-Data Inc., 2022 WL 970862, at *10. So, even if the court construed plaintiff’s claim as one for public
disclosure of private facts, plaintiff hasn’t alleged actual harm fairly traceable to the data breach. So, loss
of privacy wouldn’t confer standing.
Nonetheless, the court construes plaintiff’s claim as one of intrusion upon seclusion. Doc. 1 at
31–32 (Compl. ¶ 149) (alleging defendant’s conduct intentionally interfered with plaintiff’s “interest in
solitude or seclusion”); Doc. 20 at 14 (responding to motion to dismiss invasion of privacy claim by
recounting the elements of an intrusion upon seclusion claim). And so, this section engages in an
intrusion upon seclusion analysis.
The Restatement provides:
One who intentionally intrudes, physically or otherwise, upon the solitude or
seclusion of another or his private affairs or concerns, is subject to liability to the
other for invasion of his privacy, if the intrusion would be highly offensive to a
reasonable person.
Restatement (Second) of Torts § 652B (Am. L. Inst. 1977) (October 2024 Update) (emphasis
added). “[O]ne who suffers an intrusion upon his solitude or seclusion, under § 652B, may
recover damages for the deprivation of his seclusion.” Id. § 652H cmt. a. “While plaintiffs are
not required to prove the elements for a common-law analogue in order to secure standing, they
must demonstrate that the harm posed by the theft of their information bears a close relationship
to these traditionally recognized harms.” I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034, 1049 (N.D.
Cal. 2022) (quotation cleaned up).
Here, plaintiff’s intrusion upon seclusion claim falls short of the requisite close
relationship because intent is absent. According to plaintiff, defendant “acted with a knowing
state of mind when it permitted the Data Breach because it knew its information security
practices were inadequate.” Id. at 32 (Compl. ¶ 150). But as defendant emphasizes, plaintiff
can’t “tie any alleged privacy invasion to [defendant] rather than the criminal cyberattackers.”
Doc. 18 at 12. Plaintiff doesn’t allege defendant intentionally permitted a third party to intrude
his seclusion. He simply alleges defendant knew its security systems were inadequate, and
therefore “permitted the Data Breach[.]” Doc. 1 at 32 (Compl. ¶ 150). But the intrusion upon
seclusion tort traditionally permitted recovery only when the defendant intentionally had invaded
the plaintiff’s private affairs. Even viewing plaintiff’s nonconclusory allegations in the light
most favorable to him, he hasn’t alleged an intentional invasion by defendant.
The court thus concludes plaintiff’s harm resulting from the data breach doesn’t bear a
close relationship to the type of harm contemplated under the intrusion upon seclusion tort. See
Zynga, 600 F. Supp. 3d at 1050 n.10 (deciding standing on other grounds but noting that “it is
doubtful whether [plaintiffs] can show that Zynga (whom plaintiffs sue for negligence) directly
harmed them in a way that is analogous to the harm from intentional intrusion upon seclusion”
because plaintiffs alleged a third-party stole their PII (emphasis in original)). Plaintiff’s loss of
privacy injury—even if actual and imminent—isn’t concrete and thus doesn’t suffice as an injury
in fact.
For his damages claims, plaintiff hasn’t alleged any injuries in fact fairly traceable to the
data breach. That means he doesn’t have standing to seek damages. But recall that “plaintiffs
must demonstrate standing for each claim that they press and for each form of relief that they
seek (for example, injunctive relief and damages).” TransUnion, 594 U.S. at 431. Having
addressed plaintiff’s standing to seek damages, the court next must evaluate plaintiff’s standing
to seek injunctive and declaratory relief.11
C. Injunctive & Declaratory Relief
Remember, a “threatened injury must be certainly impending to constitute an injury in
fact.” Clapper, 568 U.S. at 409 (quotation cleaned up). “Allegations of possible future injury
are not sufficient.” Id. (quotation cleaned up); TransUnion, 594 U.S. at 435 (“[A] person
exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the
harm from occurring, at least so long as the risk of harm is sufficiently imminent and
substantial.”). The “threat of injury must be both real and immediate, not conjectural or
hypothetical.” City of Los Angeles v. Lyons, 461 U.S. 95, 102 (1983) (quotation cleaned up).
In the current case, plaintiff asks the court to declare: (1) defendant owes a duty to secure
the proposed class’s PII; (2) defendant continues to breach that duty by failing to employ
reasonable measures to secure the proposed class’s PII; and (3) these ongoing breaches continue
to cause the proposed class harm. Doc. 1 at 39 (Compl. ¶ 191). And he asks for “corresponding
prospective injunctive relief requiring Defendant to employ adequate security protocols . . . to
protect consumers’ PII.” Id. (Compl. ¶ 192). Has plaintiff alleged an injury in fact sufficient to
seek this injunctive and declaratory relief?
First, an important point about the future injury undergirding this injunctive and
declaratory relief: the injury supporting this relief is not future misuse of the PII already
disclosed in the breach. Instead, it’s the risk that defendant will face another data breach, and
release plaintiff’s PII into the world again. See In re Progressive, 2025 WL 213744, at *13
(“Here, the complained of harm supporting an injunction is that [defendant] will experience
another data breach and further compromise Plaintiffs’ PII.”); see also Webb, 72 F.4th at 378
(“[A]n injunction requiring [defendant] to improve its cybersecurity systems cannot protect the
plaintiffs from future misuse of their PII by the individuals they allege now possess it.”). An
injunction couldn’t remedy future misuse of data already in the hands of unknown third parties.
11
The parties didn’t focus much of their efforts on this topic. See Doc. 18 at 15 (briefly explaining
that prospective injunctive relief wouldn’t redress plaintiff’s alleged future risk of identity theft); Doc. 20
at 11–12 (briefly suggesting an ongoing risk of another data breach); id. at 15 (explaining why declaratory
relief is available). The court aligns itself with the parties’ approach and addresses these forms of relief
more briefly.
In a strikingly similar situation, the District of Utah recently concluded plaintiffs lacked
standing to seek injunctive relief. In re Progressive concluded that plaintiffs “failed to plausibly
allege that there is a substantial risk of another breach of [defendant’s] systems or that a breach is
certainly impending.” 2025 WL 213744, at *14. To be certain, the plaintiffs had alleged that
defendant stored plaintiffs’ data in an unencrypted, internet-accessible system. Id. And, they
also emphasized, in the wake of the data breach, defendant didn’t remove the PII from that
system or add encryption. Id. What’s more, the plaintiffs alleged, defendant’s security was still
inadequate. Id. But defendant “publicly denie[d] these allegations.” Id. In the court’s view,
though, the complaint’s allegations didn’t show defendant faced a greater risk of a data breach
than “any other entity that holds PII.” Id. The court explained that—if the court concluded these
allegations sufficed to establish an imminent risk of future injury—“‘virtually every company
and government agency might be exposed to requests for injunctive relief like the one the
plaintiffs seek here.’” Id. (quoting Webb, 72 F.4th at 378); see also Hall v. Centerspace, LP, No.
22-cv-2028 (KMM/DJF), 2023 WL 3435100, at *3–4 (D. Minn. May 12, 2023) (concluding
plaintiff fell short of proving a future data breach was imminent—he hadn’t alleged hackers were
presently targeting defendant or otherwise shown defendant was “uniquely vulnerable to
incursions”—so he didn’t have standing to seek injunctive and declaratory relief); cf. In re
MOVEit Customer Data Sec. Breach Litig., No. 23-md-03083-ADB-PGL, 2024 WL 5092276, at
*3 n.3 (D. Mass. Dec. 12, 2024) (briefly addressing redressability and emphasizing that the
“Court agrees that many of Plaintiffs’ claims for injunctive relief require dismissal because
prospective remedies targeting the named Defendants cannot address the risk of future harm
caused by the Data Breach”).
This case is a close cousin to In re Progressive. Plaintiff here likewise alleges that
defendant “elected to store the unencrypted PII . . . in an Internet-accessible environment[.]”
Doc. 1 at 7 (Compl. ¶ 37). And, according to plaintiff, defendant’s “data security measures
remain inadequate[,]” but defendant “publicly denies these allegations.” Id. at 38 (Compl.
¶ 189). Simply put, plaintiff alleges he doesn’t know of any efforts defendant has made to protect
his sensitive PII in the aftermath of the breach. Id. But the data breach notice—attached to
plaintiff’s Complaint—indicates the company “confirm[ed] the security” of its systems,
“reported this event to federal law enforcement[,]” and was “reviewing [its] policies, procedures,
and processes to reduce the likelihood of a similar future event.” Doc. 1-1 at 2 (Pl. Ex. 1).
These efforts “cut against any inference that defendant’s prior data breach might make a future
data breach more likely.” Scifo v. Alvaria, Inc., No. 23-cv-10999-ADB, 2024 WL 4252694, at
*5 n.10 (D. Mass. Sept. 20, 2024) (quotation cleaned up) (finding plaintiff’s standing to seek
injunctive relief undercut by notice indicating defendant secured its networks, initiated enhanced
security measures, sought forensic investigation assistance, and notified the FBI). The court
finds that plaintiff here hasn’t alleged any more to show a future data breach is “certainly
impending” than plaintiffs in In re Progressive. Clapper, 568 U.S. at 409 (quotation cleaned
up).
And so, the court concludes plaintiff lacks standing to seek his requested injunctive and
declaratory relief.
IV. Conclusion
Taking stock of all plaintiff’s alleged injuries and requested relief, plaintiff doesn’t have
standing to maintain this suit. Plaintiff must support his damages request with an injury in fact.
But at every alleged injury specific to plaintiff, the Complaint’s allegations fall short. Plaintiff
hasn’t alleged actual misuse of his stolen PII that is fairly traceable to the data breach. He hasn’t
shown that the risk of future identity theft and fraud is sufficiently imminent. And his emotional
distress, mitigation costs, and loss of privacy aren’t cognizable injuries in fact. Plaintiff also
lacks standing to seek injunctive and declaratory relief against defendant because he hasn’t
shown another data breach is imminent.
Without standing, there’s no Article III case or controversy before the court. In turn, that
conclusion means that the court lacks subject matter jurisdiction over this action.
IT IS THEREFORE ORDERED THAT defendant’s Motion to Dismiss (Doc. 17) is
granted. Plaintiff’s Complaint is dismissed without prejudice.
IT IS SO ORDERED.
Dated this 5th day of March, 2025, at Kansas City, Kansas.
s/ Daniel D. Crabtree
Daniel D. Crabtree
United States District Judge