Takeaway: Former FBI Director Robert Mueller once famously said, “There are only two types of companies: those that have been hacked and those that will be.” These days cyberattacks seem to happen all the time. And when a company discloses an attack, class action litigation is sure to follow. In Bracy v. Americold Logistics LLC, No. 1:23-CV-5743-TWT, 2025 WL 552676 (N.D. Ga., Feb. 19, 2025), the district court resolved the typical set of issues presented by a data breach defendant on a Rule 12 motion to dismiss. Cases like Bracy demonstrate that, although a court may be skeptical about many of the claims alleged in the data breach context, class action plaintiffs often can survive Rule 12 challenges to Article III standing and negligence claims where the allegations identify an intentional attack by a cyber-criminal.
The Bracy plaintiffs alleged that Americold Logistics, “a global leader in temperature-controlled warehousing and logistics,” was the victim of a cyberattack on its network servers. 2025 WL 552676, at *1. The “Cactus Gang,” a cybercriminal ransomware enterprise, “claimed responsibility for the cyberattack,” which involved the exfiltration of the private data of close to 130,000 individuals, including individuals who had been employed by and who had applied for employment with Americold. Id. According to plaintiffs’ allegations, the Cactus Gang’s “modus operandi is to sell unencrypted private information on the dark web.” Id. This attack on Americold resulted in the alleged compromise of Social Security and driver’s license numbers, passport information, medical information, and other forms of private information. Id. at *3.
Lamont Bracy and other named plaintiffs filed a putative class action, alleging that Americold had failed to properly safeguard their (and the putative class’s) private information. They alleged claims for negligence, negligence per se, breach of implied contract, unjust enrichment, violations of Georgia’s Unfair and Deceptive Trade Practices Act (GUDTPA), and Declaratory Judgment. Id. at *4-10. They also alleged a derivative fee-shifting claim under Georgia’s all-purpose fee-shifting statute, O.C.G.A. § 13-6-11. Id. at *8.
Americold moved to dismiss all the claims in the complaint, on standing grounds and for failure to state a claim. The district court granted the motion to dismiss in substantial part, but two claims survived.
On the issue of Article III standing, the district court ruled that the named plaintiffs and the putative class had standing at the threshold stage of the litigation, given the risk of future harm. Id. at *2-3. Given that “the Plaintiffs allege[d] that the data was exfiltrated by a cybercriminal ransomware gang whose modus operandi is selling private information on the dark web” (id. at *1), the court had little trouble in concluding that the plaintiffs had Article III standing “by virtue of the risk of future harm and mitigation efforts.” Id. at *4.
The negligence count survived for a similar reason, given that “the Georgia Supreme Court [has] recognized a cognizable injury where a criminal theft of the plaintiffs’ data allegedly put them at an imminent and substantial risk of identity theft.” Id. (citations omitted).
The negligence per se claim failed, however, because the statutory violation on which the claim was based – a violation of Section 5 of the FTC Act – did not apply to the plaintiff or the putative class, given that “plaintiffs who are not consumers or competitors are not within the class of persons protected by Section 5 of the FTC Act.” Id. at *5 (citations omitted).
The breach of implied contract and unjust enrichment claims also failed, given that plaintiffs had failed to plausibly allege the essential element of mutual assent to support their implied contract claim (id. at *6), and also failed to allege that they had conferred some sort of benefit to Americold by disclosing their private information, as required for an unjust enrichment claim (id. at *7-8).
As for the GUDTPA claim, an essential element of that statutory claim is that a plaintiff will likely be damaged in the future by an unfair trade practice, and plaintiffs failed to plausibly allege that element. Id. at *9.
The district court also allowed the declaratory judgment claim to survive, rejecting the arguments that the Declaratory Judgment Act does not provide an independent cause of action, that the damages claims precluded equitable claims, and that the declaratory action was duplicative of the declarations that necessarily would attend to rulings on plaintiffs other claims. Id. at *10.
Finally, the derivative fee-shifting claim survived, given plaintiffs’ allegations that Americold was aware of severe cybersecurity deficiencies but nevertheless failed address those security issues, thereby causing the breach and supporting a showing of bad faith under O.C.G.A. § 13-6-11. Id. at *8.
