Earlier this week, in the context of a data incident involving a health care company, an Arizona federal court determined that plaintiffs had Article III standing but then went on to dismiss plaintiffs’ claims for failure to state a claim, although it granted plaintiffs leave to amend.  Griffey v. Magellan Health, 20210 U.S. Dist. LEXIS 184591 (D. Az. Sep. 27, 2021).  Of interest to those involved in data breach litigation, the Court found that allegations of risk of future harm were sufficient to satisfy the injury-in-fact requirement for Article III standing even though it found these same allegations could not support the injury requirement of a negligence claim.  The Court then dismissed the remaining claims, finding that plaintiffs’ conclusory allegations that defendant’s systems were inadequate simply because a data event occurred failed to state a claim.

Plaintiffs alleged three categories of injury:  (1) potential risk of future harm, including harm to plaintiffs’ personal information; (2) attempted fraud; and (3) out-of-pocket expenses to protect their personal information.  The Court began with a standing analysis, focusing on whether plaintiffs alleged an injury-in-fact for purposes of Article III standing.  Citing Ninth Circuit data breach cases and the Supreme Court’s recent decision in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), the Court determined that plaintiffs’ allegations that their personal information was stolen causing potential risks of future harm was “certainly impending” and therefore sufficient to satisfy Article III’s injury-in-fact requirement.

Next, the Court addressed defendant’s argument that plaintiffs failed to sufficiently allege causation or damages for purposes of their negligence claim.  The Court found that the plaintiffs who only alleged future injuries did not sufficiently allege causation, but those that alleged attempted fraud or out-of-pocket expenses did sufficiently allege causation for purposes of Rule 12(b)(6).  As to damages, the Court held that plaintiffs who allege only a potential risk of future harm or attempted fraud have not alleged cognizable injuries for a negligence claim.  “Threats of future harm, on their own, are not cognizable negligence injuries.”  Similarly, the Court found that alleging that a plaintiff’s personal information has diminished in value is not enough because a plaintiff must show both the existence of a market for his or her personal information and an impairment of his or her ability to participate in that market.  Here, plaintiffs have shown neither.  The Court found that the “dark web” is not a legitimate market by which individuals sell their information.  As to the plaintiffs who alleged out-of-pocket expenses on credit monitoring, the Court found that they failed to allege that the identity monitoring services offered by defendant were inadequate such that the plaintiffs’ out-of-pocket expenses were reasonable and necessary.  Accordingly, the Court dismissed the negligence claim but gave plaintiffs leave to amend.

The Court also dismissed the unjust enrichment and breach of contract claims because plaintiffs failed to allege facts supporting the elements of each of these claims, instead including only conclusory allegations that because there was a data breach, defendant’s data security must have been inadequate.  The Court then addressed plaintiffs’ state-law consumer protection claims (asserted under a number of different states’ laws).  The Court addressed whether the heightened pleading requirements of Fed. R. Civ. P. 9(b) applied because the claims sounded in fraud, but then ultimately concluded that regardless of the standard that applied under the various state law statutes, plaintiffs’ allegations failed because allegations “that a system was inadequate because a negative result occurred [are] conclusory.”  The Court also found that plaintiffs failed to state a claim under other specific requirements of the state law statutes, but again granted leave to amend to address such shortcomings.

This case demonstrates that just because a data incident occurred does not mean that plaintiffs automatically can go forward with a case.  Conclusory, ipse dixit allegations are not sufficient.  While the case is helpful for defendants in data breach litigation, the Court did provide a pretty good road map for what a plaintiff needs to plead to get beyond a motion to dismiss in a data breach case.  However, the question remains whether the plaintiffs here can make such factual allegations.  Stay tuned.