Case Information
IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF OKLAHOMA
ROBERT LEGG, individually and on behalf of himself and all others similarly situated,
Plaintiff,
v.
LEADERS LIFE INSURANCE COMPANY,
Defendant.
CIV-21-655-D
ORDER
Before the Court is Defendant Leaders Life Insurance Company’s Motion to Dismiss Plaintiff’s First Amended Complaint [Doc. No. 11]. The motion seeks dismissal of Plaintiff’s claims pursuant to Fed.R.Civ.P. 12(b)(1) and 12(b)(6), or in the alternative an order striking certain allegations pursuant to Fed.R.Civ.P. 12(f). Plaintiff has responded in opposition [Doc. No. 12] and Defendant has replied [Doc. No. 13]. As explained below, Plaintiff has failed to plausibly plead that he has suffered an injury in fact and he therefore lacks standing to pursue his claims.
BACKGROUND
This putative class action involves a data breach at Defendant Leaders Life Insurance Company. Plaintiff, a customer of Leaders Life, alleges that in late November 2020, a third-party intentionally accessed and removed folders containing personal identifying information from Leaders Life’s computer systems. at ¶ 19. Among the information allegedly obtained was customer names, dates of birth, social security numbers, and tax identification numbers. at ¶¶ 5, 21. In June 2021, nearly seven months after the data breach, Leaders Life sent Plaintiff a letter informing him of the cyberattack. The letter explained that “certain folders on our system may have been accessed or removed from our systems without authorization,” “one or more of the potentially impacted folders included protected information related to individuals,” and “there is no indication that your specific information was accessed or misused.” at ¶ 21. Nevertheless, Plaintiff alleges that his personal identifying information is “now in the hands of cybercriminals who will use their PII [personal identifying information] to commit fraud and identity theft.” at ¶ 23.
Plaintiff brings five claims on behalf of himself and a putative class against Leaders Life as a result of the data breach. First, he asserts that Leaders Life acted negligently in failing to protect Plaintiff’s information or provide adequate data security. Second, he asserts that Leaders Life breached an implied contract obligating it to provide adequate data security. Relatedly, his third claim asserts that Leaders Life breached an implied covenant of good faith and fair dealing when it engaged in acts or omissions that have been declared to be unfair trade practices. Fourth, he asserts that Leaders Life engaged in deceptive practices in violation of the Maryland Consumer Protection Act, Md. Code Ann., Com. Law § 13-301. Last, Plaintiff asserts a claim for declaratory and injunctive relief based on Leaders Life’s past failure to comply with its contractual obligations and duties of care and inability to prevent future cyberattacks.
Crucially, Plaintiff does not allege that he or any other class member has been the victim of identity theft or fraud. Instead, he describes his injuries as including “an imminent, immediate, and continuing risk of harm from identity theft and fraud.” at ¶ 72. Plaintiff further alleges that the “threat of fraud and identity theft” has caused “increased emotional distress and anxiety” as well as a loss of time and money spent addressing and attempting to mitigate the consequences of the data breach. at ¶ 75.
Defendant moves to dismiss under Fed.R.Civ.P. 12(b)(1), arguing that Plaintiff has failed to plead an injury in fact and therefore lacks standing to bring his claims.
STANDARD OF DECISION
Federal courts are courts of limited jurisdiction. Article III of the Constitution “confines the federal judicial power to the resolution of ‘Cases’ and ‘Controversies.’” TransUnion LLC v. Ramirez, __ U.S. __,
As the party invoking federal jurisdiction, the plaintiff bears the burden of establishing the three elements for standing. Spokeo, Inc., 578 U.S. at 338. When considering standing in the context of a motion to dismiss, the Court “must accept as true all material allegations of the complaint, and must construe the complaint in favor of the complaining party.” S. Utah Wilderness All. v. Palma, 707 F.3d 1143, 1152 (10th Cir. 2013) (quotation omitted). But even “at the pleading stage, the plaintiff must ‘clearly...allege facts demonstrating’ each element.” Spokeo,
DISCUSSION
Data breaches of the type alleged here are becoming ubiquitous in our increasingly digital society and, unsurprisingly, are also becoming the subject of a growing amount of litigation. But does the mere fact that a data breach occurred necessarily mean that a customer has suffered a concrete injury, or is something more required? The Tenth Circuit has not had occasion to resolve this precise issue, but several other circuits have. After reviewing these decisions, the Court will summarize two relevant Supreme Court opinions – Clapper v. Amnesty Int'l USA,
A. Relevant Circuit Court Decisions
The Fourth, Sixth, Seventh, Ninth, and District of Columbia Circuits have all found standing for a plaintiff who alleged he was the victim of a data breach. The earliest case is Remijas v. Neiman Marcus, LLC,
The District of Columbia Circuit likewise found standing in a data breach case because “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.” Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017). Again, however, Attias included an allegation that two of the named plaintiffs had suffered identity theft as a result of the breach. at 626 n.2.
The Fourth Circuit similarly found that the plaintiffs had standing to bring claims following a data breach where the plaintiffs alleged that they had “already suffered actual harm in the form of identity theft and credit card fraud.” Hutton v. Nat'l Bd. of Examiners in Optometry, Inc.,
which included fraudulent charges on a credit card for one of the named representatives but not the other, and the future risk of fraud were sufficient to confer standing. An earlier Seventh Circuit decision, Pisciotta v. Old Nat. Bancorp,
Finally, in Krottner v. Starbucks Corp.,
Notably, all of the circuit court cases “conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse.” Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340 (11th Cir. 2021).
Conversely, where no allegations of misuse are present, circuit courts have generally declined to find standing. In Reilly v. Ceridian Corp.,
rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants' names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.
at 42.
The Eighth Circuit addressed standing in the context of a data breach in In re SuperValu, Inc.,
More recently, the Eleventh Circuit addressed standing in the context of a data breach in Tsao v. Captiva MVP Rest. Partners, LLC,
Last, the Second Circuit dismissed a data breach case for lack of standing in McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021). There, the defendant’s employee accidentally sent an email that contained personal identifying information of current and former employees. Id. at 298. The parties reached a settlement before the defendant’s motion to dismiss was resolved, but the district court dismissed the case for lack of standing. at 298-299. The Second Circuit affirmed, holding that a mere increased risk of identity theft can be a concrete injury, but that the allegations in this case were insufficient because the data was not intentionally targeted or misused in any way. at 303-304. [6]
B. Relevant Supreme Court Decisions
Most cases declining to find standing in the data breach context rely on Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013). Clapper involved a group of plaintiffs whose work allegedly required them to engage in sensitive communications that might be subject to surveillance under a federal statute. Id. at 406. The Supreme Court held that the plaintiffs did not have standing to enjoin the enforcement of the statute because a “‘threatened injury must be certainly impending to constitute injury in fact,’” and “‘[a]llegations of possible future injury’ are not sufficient.” Id. at 409 (quotation omitted) (alterations in original). Under this standard, an “objectively reasonable likelihood” that a future injury will come to pass is inadequate. at 410. Further, a plaintiff cannot establish an imminent future injury for standing purposes when they “rel[y] on a highly attenuated chain of possibilities” or “speculation about the decisions of independent actors.” at 410-414.
Clapper also held that measures the plaintiffs took to protect themselves from possible, future surveillance did not confer a present injury in fact. at 415-416. On this point, the Supreme Court explained that
Respondents’ contention that they have standing because they incurred certain costs as a reasonable reaction to a risk of harm is unavailing—because the harm respondents seek to avoid is not certainly impending. In other words, respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.
If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.
establish a concrete injury because the plaintiff was never asked to pay for any fraudulent charges and her stolen credit card was promptly cancelled. Id. at 90.
Id. at 416. In sum, the Supreme Court held “that respondents lack Article III standing because they cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at 422.
Relying on the risk of a future injury to show standing was further curtailed in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), which postdates all of the circuit court opinions discussed above. There, a class of plaintiffs sued TransUnion under the Fair Credit Reporting Act for maintaining inaccurate credit reports. Id. at 2200. For a subset of plaintiffs, TransUnion actually provided the inaccurate reports to third-party businesses. Id. For the remaining plaintiffs, TransUnion only maintained the inaccurate credit reports in their internal system and never provided the information to third parties. Id. Those plaintiffs, the Supreme Court held, did not have standing to sue for a statutory violation of the Fair Credit Reporting Act because “the mere presence of an inaccuracy in an internal credit file, if it is not disclosed to a third party, causes no concrete harm.” at 2210.
The Supreme Court also considered whether the mere risk of future disclosure of the inaccurate credit reports constitutes a separate concrete injury. Citing to Clapper, the Supreme Court explained that “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” But where a plaintiff brings “a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210-2211.
Applying these principles, the Supreme Court held that the plaintiffs whose reports were undisclosed did not suffer a concrete injury because they “did not demonstrate that the risk of future harm materialized” and they were not “independently harmed by their exposure to the risk itself.” Id. at 2211. The Supreme Court further explained that in addition to the “fundamental problem with their argument based on the risk of future harm, the plaintiffs did not factually establish a sufficient risk of future harm to support Article III standing.” Id. at 2211-2212. Although the plaintiffs “claimed that TransUnion could have divulged their misleading credit information to a third party at any moment,” the Supreme Court held that the plaintiffs had not demonstrated a sufficient likelihood that the inaccurate information would be released. at 2212.
The Supreme Court then reiterated that “the risk of future harm on its own does not support Article III standing for the plaintiffs’ damages claim.” at 2213. Given the holding in TransUnion, it is far from clear that any case finding a concrete injury based merely on an abstract risk of future identity theft following a data breach is still good law, at least with respect to a claim for damages.
C. Analysis of Plaintiff’s Allegations
In this action, Plaintiff seeks injunctive relief and damages based not on any actual fraud or identity theft that occurred as a result of the data breach, but on the risk that fraud or identity theft may occur in the future. But as explained in TransUnion, the risk of future harm alone cannot support standing for a damages claim.
As to his request for injunctive relief, in order to show a concrete injury, Plaintiff must plausibly plead that the risk of future harm as a result of the data breach is imminent, meaning it is “certainly impending.” Clapper, 568 U.S. at 409. Unlike the majority of circuit court cases that have found a concrete injury following a data breach, Plaintiff here does not allege that any misuse of the data has occurred. The closest Plaintiff comes to alleging misuse is a statement that there has been a “dramatic increase in the amount and frequency of phishing emails he has been receiving over the last few months.” Compl. ¶ 53. But the receipt of phishing emails, while perhaps “consistent with” data misuse, does not “plausibly suggest” that any actual misuse of Plaintiff’s personal identifying information has occurred. Bell Atl. Corp. v. Twombly,
Without any actual misuse of the data, Plaintiff relies on reports that describe the general risks of identity theft, explain how personal information can be sold on illicit internet sites, and identify other data breaches. But “[t]hese reports do nothing to clarify the risks to the plaintiffs in this case.” Tsao, 986 F.3d at 1343. Further, according to Plaintiff’s own allegations, the likelihood of identity theft occurring is relatively small: “nearly one out of four data breach notification recipients becomes a victim of identity fraud.” Compl. ¶ 27 (emphasis in original). Assuming the truth of this allegation, a less than 25% chance that some form of identity fraud could occur at some unknown, future date can hardly be described as “certainly impending” or a “substantial risk.” See TransUnion,
At best, then, Plaintiff’s allegations lead to a plausible inference that at some unknown time in the future, some of the putative class members may be the victim of identity theft or fraud. Even accepting as true Plaintiff’s allegations about the nature of the breach – that it was an intentional attack by cybercriminals – Plaintiff only pleads facts showing that there is a non-imminent risk of possible future injury following the data breach. This is not sufficient to confer standing. Clapper,
No doubt wary that his allegations of future harm are insufficient to confer standing, Plaintiff additionally alleges that he has suffered an “actual injury” in the form of lost time, money, and annoyance associated with responding to the data breach and monitoring his accounts. See Compl. ¶¶ 58-59, 75. But none of these alleged harms qualifies as a concrete injury for standing purposes.
As explained in Clapper, 568 U.S. at 416, a plaintiff cannot “manufacture standing” simply by “incur[ing] certain costs as a reasonable reaction to a risk of harm.” Thus, while it may have been reasonable to take some steps to mitigate the risks associated with the data breach, those actions cannot create a concrete injury where there is no imminent threat of harm. Tsao,
Plaintiff also asserts that he has suffered an injury in the form of diminution in value of his personal identifying information because of the data breach. Assuming personal identifying information has a monetary value, Plaintiff fails to allege that he attempted to sell his personal information and was forced to accept a decreased price. See Chambliss v. Carefirst, Inc,
In a final attempt to establish a concrete injury, Plaintiff asserts that he lost the benefit of his bargain with Leaders Life when he provided his personal identifying information and it was not kept secure. Compl. ¶ 68. Plaintiff has not, however, indicated that he paid any sort of premium in exchange for data security or that the data breach diminished the value of the insurance products he received in return. See id. (finding that “Plaintiffs have not alleged any benefit-of-the-bargain loss that could constitute a cognizable injury in fact.”); see also Remijas, 794 F.3d at 695 (describing plaintiff’s diminution in value and benefit of the bargain theories as “dubious” and refraining from relying on these theories to support standing).
Plaintiff has failed to plausibly allege an actual, present injury that would support his damages claim or an imminent threat of future harm that would support his claim for injunctive relief. Accordingly, he lacks standing to pursue his claims.
CONCLUSION
The Court does not doubt that identity theft is a serious problem that involves a host of negative consequences for victims. But a data breach – even one that was intentional or involved sensitive information – does not necessarily equate to a concrete injury. In reaching this conclusion the Court does not imply that a plaintiff must always wait for identity theft or fraud to materialize before bringing suit based on a data breach, it only holds that the allegations in this case have not plausibly alleged an actual or imminent injury sufficient to establish Article III standing.
Accordingly, Defendant Leaders Life Insurance Company’s Motion to Dismiss Plaintiff’s First Amended Complaint [Doc. No. 11] is GRANTED, and the First Amended Complaint is DISMISSED without prejudice.
IT IS SO ORDERED this 6th day of December, 2021.
Notes
[1] This particular claim is brought only on behalf of Plaintiff and a proposed subclass of Maryland customers.
[2] Defendant also seeks dismissal under Fed.R.Civ.P. 12(b)(6) and seeks to strike certain allegations under Fed.R.Civ.P. 12(f). It is not, however, appropriate to address these arguments where the Court lacks subject matter jurisdiction over the case. See D.L. v. Unified Sch. Dist. No. 497, 392 F.3d 1223, 1229 (10th Cir. 2004) (explaining that “a determination that the district court lacked jurisdiction over a claim moots any other challenge to the claim, including a different jurisdictional challenge.”).
[3] The Seventh Circuit reached a similar result in Lewert v. P.F. Chang's China Bistro, Inc.,
[4] In Beck v. McDonald,
[5] Four months after Tsao, the Eleventh Circuit decided In re Equifax Inc. Customer Data Sec. Breach Litig.,
[6] In a prior, unpublished decision, the Second Circuit dismissed a data breach case for lack of standing at the pleading stage even though there were allegations of misuse. Whalen v. Michaels Stores, Inc.,
[7] TransUnion was decided following a jury verdict for the plaintiffs.
[8] The Court also rejects Plaintiff’s conclusory allegations that he faces a concrete harm because a second cyberattack at Leaders Life is imminent.
