Takeaway: We have written a number of articles about standing issues arising in data breach class actions. See, e.g., Data breach class actions: Third Circuit sets out parameters for Article III injury-in-fact (Oct. 27, 2022). The District of Massachusetts recently added to this line of cases in Webb v. Injured Workers Pharmacy, Inc., No. 22-10797-RGS, 2022 WL 10483751 (D. Mass. Oct. 17, 2022), where the district court dismissed a putative class action for failure to allege an Article III injury-in-fact.
In Webb, Injured Workers Pharmacy, Inc. (“IWP”), a pharmaceutical home delivery service, discovered in May 2021 that it had been hacked months earlier in a data breach that compromised the personally identifiable information (“PII”) of more than 75,000 of its customers, including social security numbers. The compromised PII included data belonging to current IWP customer Alexsis Webb and former IWP customer Marsclette Charley.
Webb and Charley filed a putative class action against IWP in the District of Massachusetts for injuries allegedly caused by the breach. They alleged claims for negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, further alleging that they suffered “anxiety, sleep disruption, stress, and fear” and were forced to spend “considerable time and effort” monitoring their financial accounts. 2022 WL 10483751, at *1. Webb also alleged that she spent “hours” dealing with the Internal Revenue Service about a 2021 income tax return that an unauthorized individual had filed in her name. Id. In terms of monetary damages, they alleged actual injury in the form of “damages to and diminution in the value of [their] PII,” which they estimated was worth at least $1,000 on the “Dark Web.” Id.
IWP moved to dismiss their complaint for lack of standing under Federal Rule 12(b)(1) and for failure to state a claim under Federal Rule 12(b)(6). Applying the rule that a 12(b)(1) motion should be resolved before a 12(b)(6), the district court determined that plaintiffs did not allege any “concrete and particularized injuries that are actual or imminent” and dismissed the complaint. 2022 WL 10483751, at *1-2.
Citing the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, 141 S. Ct 2190, 2211 (2021), the court observed that “[i]n a suit for damages, the mere risk of future harm, without more, cannot establish Article III standing.” 2022 WL 10483751, at *2. And, quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013), the court noted that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on . . . hypothetical future harm.” 2022 WL 10483751, at *2.
Reviewing the allegations of the complaint, the court ruled that it did not allege any identifiable harm, in that there was no allegation of monetary loss, data misuse, or that someone stole the PII. Regarding Webb’s tax return, there was no plausible allegation connecting the breach to that return, “only conjecture that a connection may exist.” Id. at *2 n.4. Regarding the allegations going to the value of their PII, the district court said it was not clear how the alleged diminution in the PII’s “black market value” inflicted an injury on plaintiffs. Id. at *2 n.5. The court ruled there was no alleged injury-in-fact, concluding: “Plaintiffs’ alleged injuries rest entirely on the future possibility that an unauthorized third party will, at some undetermined time, misuse their PII.” Id. at *2.