Free Newsletter
Data breach suit dismissed for standing, causation
Virginia Lawyers Weekly//July 25, 2023//
Listen to this articleWhere persons suing over a data breach largely lacked standing because they had not suffered any injuries, and the one person who had standing failed to connect his alleged injury to the data breach, the suit was dismissed.
Background
This matter comes before the court on a motion to dismiss filed by Elephant Insurance Company, Elephant Insurance Services LLC and Platinum General Agency. The plaintiffs allege that Elephant did not adequately protect their personal information, or PI, and that, in a data breach, malicious actors viewed and copied their Pl. The plaintiffs bring a consolidated class action suit, asserting various claims arising from this data breach.
Standing
The heightened risk of future identity theft, without more, does not constitute an injury-infact because a “threatened injury must be certainly impending to constitute an injury-in-fact.” Although the plaintiffs closely monitor their credit reports and financial accounts, none have alleged misuse of their PI. None have pleaded facts to support their allegations of certainly impending identity theft.
Moreover, to find a threatened injury, the court must assume that the thief targeted Elephant for the PI it contained, then selected the named plaintiffs’ PI from millions of other records has begun combining the purloined PI with PI obtained from other sources to create a full profile and will imminently and successfully attempt to use that information to steal the plaintiffs’ identities. The Fourth Circuit had previously rejected an even shorter chain of possibilities to deny the plaintiffs standing on a claim of heightened risk of identity theft.
Only two of the named plaintiffs have alleged identity theft. Cardenas and Holmes report receiving notifications from a credit monitoring service that their driver’s license numbers appeared on the dark web. Because these plaintiffs have not alleged any misuse of their PI or resulting harm from their driver’s license numbers appearing on the dark web, this alleged injury simply echoes the claim of heightened risk of identity theft. These plaintiffs have not adequately pleaded an injury-in-fact.
Only Holmes has sufficiently pleaded an injury-in-fact. Holmes also avers that he suffers “significant fear, anxiety, and stress” resulting from the data breach. Shaw too suffers “significant fear, anxiety, and stress.” Neither plaintiff expands upon these conclusory allegations of emotional distress. Because the plaintiffs plead only “bare assertion of emotional injury,” they have not pleaded an injury-in-fact.
The plaintiffs also claim the data breach caused their PI to diminish in value. They allege no facts to explain how their PI lost value and instead only repeat conclusory statements: the plaintiffs “have suffered and will continue to suffer … loss of value of their Pl.” On a 12(b)(1) motion, courts have declined to find diminution of value in PI as an injury-in-fact when plaintiffs make only barebones assertions. Finally, the plaintiffs’ time spent paying close attention to their financial documents following the data breach does not constitute an injury-in-fact.
Causation
Holmes alleges that he “began experiencing an uptick in spam text and telephone calls that he attributes to this Data Breach.” He asserts he never requested an insurance quote from Elephant and alleges that an unauthorized actor used the online quote tool to retrieve his PI. The plaintiffs do not allege that the PI in this data breach included cell phone numbers. To the extent Holmes claims a loss of privacy due to the “uptick in spam text and telephone calls,” he has not pleaded any facts that causally connect this uptick in spam to Elephant.
Injunctive relief
The plaintiffs allege, without factual support, that “[t]he risk of another such disclosure is real, immediate, and substantial.” Because the plaintiffs have made only conclusory statements and have not articulated a sufficiently imminent and substantial risk of another Elephant data breach, the court finds the plaintiffs lack standing to seek declaratory and injunctive relief.
Defendants’ motion to dismiss granted.
Holmes v. Elephant Insurance Company, Case No. 3:22-cv-487, June 26, 2023. EDVA at Richmond (Gibney). VLW 023-3-371. 12 pp.
Verdicts & Settlements
- Woodshop incident leads to amputation of fingers — $1.3M settlement
- Motorcyclist’s foot amputated in collision — $7M settlement
- Contractor rear-ended on interstate on way to wedding — $825,000 settlement
- Man suffers back injury in crash with out-of-state driver — $530,000 settlement
- Driver crossed center line, struck 89-year-old’s vehicle — $1.2M settlement
- Jury returns defense verdict in favor of gastroenterologist
- Teens killed in T-bone collision with officer — $3.1M settlement
- Man sustained subdural hematoma in rear-end collision —$1.15M settlement
- Adequate anesthesia not provided during C-section — $2.5M verdict
- Tenant fell ill from mold in apartment — $588,000 verdict
- Woman suffers nerve injury, pain after dental procedure — $550,000 settlement
- Driver struck child exiting school bus — $750,000 settlement
Opinion Digests
- Suit over historic mansion and estate dismissed
- Former employee’s claims survive motion to dismiss
- Equal Pay Act doesn’t apply to applicant
- Court rejects invocation of attorney-client privilege
- Evidence supported competency determination
- Appellees had power to remove business manager
- No continuance after witnesses failed to appear
- No actual or constructive eviction in warranty case
- Gas distribution pipeline exempt from ZBA regulation
- Improper venue in air pollution regulation matter
- No benefits awarded in unemployment comp case
- No immunity for judge who personally oversaw search
