475 F.Supp.3d 841
N.D. Ill. 2020
Background
- Defendants (Pearson entities) operate AIMSweb, an education-assessment platform that stores students’ names, emails, dates of birth, student IDs, and contact information.
- In late 2018, hackers accessed AIMSweb; the FBI estimated that ~900,000 students at ~13,000 schools were potentially affected.
- No credit-card numbers, Social Security numbers, health records, or reported fraudulent charges have been linked to the breach.
- Parents of affected students filed a putative class action alleging negligence, contract claims, unjust enrichment, intrusion upon seclusion, and violations of various Illinois and Colorado statutes.
- Pearson moved to dismiss for lack of subject-matter jurisdiction (among other grounds); the court’s ruling turns on Article III standing—specifically whether plaintiffs pleaded a concrete, particularized injury-in-fact.
- The court dismissed the complaint without prejudice for lack of Article III standing but granted leave to file a second amended complaint.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing (injury-in-fact) | Breach created a concrete injury via increased risk of identity theft, loss of value of personal data, and statutory violations | Plaintiffs allege only speculative risks; no actual misuse or damages; statutes cited do not independently create standing here | No standing; complaint dismissed without prejudice |
| Increased risk of identity theft | Exposure of names, DOBs, emails and student IDs materially increases identity-theft risk | Data lacks the sensitivity (e.g., payment card/SSN) that materially facilitates fraud; no reported identity-theft incidents | Risk too speculative; no injury-in-fact based on identity-theft theory |
| Diminution in market value of personal data | Plaintiffs claim data has lost market value because it may be sold on black market | No allegations that hackers sold or attempted to sell the data; plaintiffs never sold their data or claimed market transactions | Too speculative to establish concrete economic injury |
| Statutory violations as standalone injury | Statutes (FERPA, ISSRA, PIPA, Colorado breach law) create legal harms from disclosure | FERPA does not create private rights; ISSRA and PIPA require actual damages (no statutory or nominal damages); Colorado law gives no private cause of action | Statutory theories do not supply Article III standing here |
Key Cases Cited
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (payment-card breach and widespread fraudulent charges can support standing)
- Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (sensitivity of compromised data important to standing analysis)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (Article III injury requires concrete and particularized injury)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (speculative chain of future events insufficient for injury-in-fact)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing requires actual or imminent invasion of a legally protected interest)
- Diedrich v. Ocwen Loan Servicing, LLC, 839 F.3d 583 (7th Cir. 2016) (distinguishing statutory damages statutes from those requiring actual injury for standing)
- Gonzaga Univ. v. Doe, 536 U.S. 273 (2002) (FERPA nondisclosure provisions do not create enforceable individual rights)
- Hummel v. St. Joseph Cty. Bd. of Comm’rs, 817 F.3d 1010 (7th Cir. 2016) (risk of harm can be concrete where substantial and imminent)
