Duane Morris Class Action Review - 2023 - Report - Page 134
B.
Dispositive Motion Decisions
In certain instances, defendants also derailed class actions at the pleading stage by
raising subject-matter jurisdictional attacks on standing for individual and class claims.
As a strategy that asserts a jurisdictional bar to class certification, it requires the
defendant to show that the individuals bringing the class action fail to allege a concrete
and particularized harm that was caused by the defendant. Courts have not provided
litigants much leeway in how they plead injury and causation in the data breach context,
which is why challenges to a plaintiff’s standing has become the leading challenge in
data breach cases, especially at the motion to dismiss stage. The pay-off for a
successful motion dismissing class claims due to lack of class standing is often
significant for a defendant. It has the potential to eliminate the class claims, which also
avoids the costs of class-wide discovery if the case proceeds forward as a single
plaintiff claim.
For example, in Webb, et al. v. Injured Workers Pharmacy, LLC, 2022 U.S. Dist. LEXIS
189196 (D. Mass. Oct. 17, 2022), the plaintiffs, a group of customers, filed a class
action alleging that the defendant, a prescription delivery company, subjected them to
alleged injuries arising out of a data breach that compromised the personally identifiable
information (“PII”) of over 75,700 customers. The defendant filed a motion to dismiss for
lack of subject-matter jurisdiction pursuant to Rule 12(b)(1) or for failure to state a claim
upon which relief can be granted pursuant to Rule 12(b)(6). The court granted the
motion. It found that the plaintiffs failed to establish that they suffered an actual injury.
The plaintiffs contended that they spent “considerable time and effort” monitoring their
bank accounts and coordinating with the IRS. Id. at *2. The defendant contended that
the plaintiffs only asserted a general increased risk of future harm in the form of
potential identity theft or fraud, which was not sufficient to establish actual injury. The
court agreed with the defendant that the plaintiffs failed to establish a monetary loss, the
misuse of data, or that a third party stole their personally identifiable information. Id. at
*4. The court concluded that only a risk of possible future harm, without more, was not
sufficient to allege an injury in order to confer standing. For these reasons, the court
granted the defendant’s motion to dismiss.
Another illustrative example is In Re USAA Data Securities Litigation, 2022 U.S. Dist.
LEXIS 144562 (S.D.N.Y Aug. 11, 2022). There the plaintiffs, a group of consumers,
brought putative class action against the USAA for negligence, negligence per se, and
deceptive acts and practices under New York law, as well as for claims under Driver’s
Privacy Protection Act (DPPA), based on the USAA’s alleged disclosure of consumers’
driver’s license numbers to non-party cybercriminals. The USAA provides insurance and
financial services to current and former members of the United States military and their
families. The USAA moved to dismiss the class action complaint for lack of subjectmatter jurisdiction and for failure to state a claim. The court denied the motion to
dismiss. The plaintiffs alleged that in the immediate aftermath of the USAA breach,
cybercriminals fraudulently filed a claim for unemployment in a named plaintiff’s name,
and successfully took out an insurance policy from another, unrelated insurance
provider in another named plaintiff’s name. The plaintiffs alleged that they suffered an
injury by way of having to spend valuable time and resources to address the existing
133
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
