Legg v. Leaders Life Insurance Company, 574 F.Supp.3d 985

Plaintiff Robert Legg, a customer of Leaders Life, alleges a November 2020 cyberattack in which folders containing PII (names, DoBs, SSNs/TINs) were accessed; Leaders Life notified him in June 2021 and said there was no indication his specific data was misused.
Legg sued individually and as putative class representative, asserting negligence, breach of implied contract, breach of covenant of good faith and fair dealing (including a Maryland consumer-protection claim for Maryland subclass), deceptive practices, and claims for injunctive and declaratory relief.
Legg does not allege actual identity theft or fraud; he alleges an imminent risk of identity theft, emotional distress, lost time/money spent mitigating, increased phishing emails, and diminution in value/benefit-of-the-bargain losses.
Leaders Life moved to dismiss under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing (and alternatively on other grounds); the court focused on subject-matter jurisdiction.
The court held Legg failed to plausibly allege a concrete, particularized injury in fact (no actual misuse, only speculative future risk and mitigation costs) and thus lacks standing for damages or injunctive relief.
Result: Motion to dismiss granted; First Amended Complaint dismissed without prejudice (Dec. 6, 2021).

Issue	Plaintiff's Argument	Defendant's Argument	Held
Article III standing for damages (injury in fact)	Risk of future identity theft from exposed PII constitutes a concrete injury; increased phishing, mitigation costs, and diminished value suffice	Mere risk without actual misuse is speculative and not a concrete injury	No standing: speculative future risk and mitigation expenses insufficient for damages
Standing for injunctive relief (imminence)	Risk is imminent and substantial, warranting forward-looking relief	Risk is not certainly impending; chain of independent actions makes harm speculative	No standing for injunctive relief: risk not plausibly "certainly impending"
Mitigation costs/time spent	Costs expended to monitor/protect are real harms creating standing	Plaintiffs cannot "manufacture" standing by incurring costs to avoid non-imminent harms	No standing: self-protective expenditures cannot create injury absent imminent risk
Diminution/benefit-of-the-bargain loss	Value of PII diminished; Leaders Life breached its promise to protect data, injuring plaintiff	No allegation that plaintiff attempted to sell PII or paid a premium for data security; no actual diminution shown	No standing: benefit-of-the-bargain and diminution theories inadequately alleged

Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013) (threatened injury must be "certainly impending"; plaintiffs cannot manufacture standing via precautionary costs)
TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021) (mere risk of future harm does not constitute a concrete injury for damages claims; undisclosed/internal harms may not suffice)
Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (Article III injury-in-fact must be concrete and particularized)
Remijas v. Neiman Marcus, LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach plaintiffs alleged substantial risk of future fraud; standing found where facts supported that risk)
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (no standing where no misuse alleged; future-harm speculation insufficient)
In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) (dismissing for lack of standing where allegations of risk and resale of card data were speculative)
Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021) (conclusory allegations of ongoing risk and cancellation/mitigation costs insufficient without specific misuse)
McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021) (increased risk can be concrete but allegations here were inadequate because exposure was inadvertent and not targeted)
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (standing found where risk of identity theft was plausible and some misuse allegations existed)