Angus v. Flagstar Bank, FSB
4:22-cv-11385
| E.D. Mich. | Sep 30, 2024Background
- Plaintiffs, a class of Flagstar Bancorp customers, alleged their personal information (PII) was compromised in a major data breach in December 2021 affecting 1.5 million people.
- Plaintiffs assert that Flagstar failed to implement adequate data security, leading to exfiltration, ransom demands, and possible exposure of PII on the dark web.
- Flagstar announced the breach in June 2022 and offered affected customers credit monitoring, but claimed no observed misuse of data.
- Plaintiffs filed a consolidated class action alleging injuries such as fraud, identity theft, mitigation costs, lost privacy, and diminished PII value.
- Flagstar moved to dismiss for lack of Article III standing and failure to state a claim; the court addressed both factual and facial attacks on standing and merits of various tort and statutory claims.
- The court granted dismissal on most claims but found standing for future harm, and allowed only the California Consumer Privacy Act (CCPA) claim to proceed (Count IX).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III Standing | Injury includes risk of future harm and mitigation expenses post-breach | No actual or concrete injury; risk is speculative | Standing for future harm only |
| Causation/Traceability | Injuries stem from Flagstar's failure to protect PII | Harms not traceable—other breaches, no direct link | Insufficient traceability for most |
| Negligence/Common Law Claims | Duty to protect PII and breach led to damages | No cognizable damages under state law | Dismissed under state law |
| Statutory Claims (Various States) | State statutes support claims for breach/delay/injury | No standing or damages under statutes without causation | Dismissed except CCPA (Count IX) |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (plausibility standard for pleading sufficiency)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (plausible claim for relief required on 12(b)(6))
- TransUnion LLC v. Ramirez, 594 U.S. 413 (injury must be concrete for Article III standing)
- Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (substantial risk of identity theft confers standing post-breach)
- Hill v. Sears, Roebuck & Co., 492 Mich. 651 (elements of Michigan negligence claim)
- Miller-Davis Co. v. Ahrens Const., Inc., 495 Mich. 161 (elements of Michigan contract claim)