Duane Morris Class Action Review - 2023 - Report - Page 137
Baron, et al. v. Syniverse Corp., 2022 U.S. Dist. LEXIS 184308 (M.D. Fla. Oct. 7, 2022),
involved a cyberattack and data breach that allegedly exposed mobile phone users’
private communications. The defendant is a global telecommunications company whose
customers include approximately 800 carriers, including AT&T, T-Mobile, and Verizon. It
provides network services, outsources carrier solutions, and messaging solutions to its
carrier customers and processes and routes billions of text messages each year
between different carriers and connects billions of devices to the mobile ecosystem. The
plaintiffs and the class members were mobile phone users who sent and received text
messages during the times relevant to the data breach. Additionally, the plaintiffs sought
to represent customers of the defendant’s customers, namely, AT&T, T-Mobile, and
Verizon, during the times relevant to the data breach. The defendant moved for
dismissal of the class action complaint under Rule 12(b)(1) for lack of Article III standing
and under Rule 12(b)(6) for failure to plead plausible claims for relief. In granting the
defendant’s motion, the court concluded that the defendant’s facial challenge to subjectmatter jurisdiction had merit. In so finding with respect to concrete and actual injury, the
court held that none of the plaintiffs’ alleged harms satisfied the injury-in-fact
requirement for Article III standing. The court ruled that the plaintiffs failed to identify any
misuse of their personal private communications or data and that failure weighed
against finding a substantial risk of imminent injury. Although actual identity theft or
misuse of their data is not required, the court found that the plaintiffs’ failure to allege
either rendered their allegation of possible future harm less plausible. For those
reasons, the court reasoned that the plaintiffs failed to plausibly allege an imminent
future injury sufficient to confer Article III standing. Given the court’s findings as to the
lack of injury, it did not address Article III standing’s causation or traceability
requirements. However, the court stated that even if the plaintiffs plausibly alleged a
concrete actual or imminent injury, their allegation that the defendant’s substandard
security allowed the data to be accessed by unauthorized third parties did not satisfy the
causation or traceability requirements. The court determined that any harm that could
have occurred was arguably caused by a third-party not before the court and, therefore,
was not traceable to the defendant’s alleged conduct. Alternatively, the traceability
between the defendant’s conduct and the injury was also too attenuated. For these
reasons, the court granted the defendant’s motion to dismiss, but allowed the plaintiffs
leave to amend the class action complaint.
In Smallman, et al. v. MGM Resorts International, 2022 U.S. Dist. LEXIS 199399 (D.
Nev. Nov. 2, 2022), the plaintiffs, a group of consumers, filed a data breach class action
alleging that their personally identifiable information was stolen from the defendant. The
plaintiffs’ complaint asserted 13 claims, including claims for negligence; negligent
misrepresentation; breach of implied contract; unjust enrichment; and nine separate
state law violations. The defendant moved to dismiss, and the court granted in part and
denied in part the motion. First, the court opined that lost time alone did not establish
compensable damages. Accordingly, the court dismissed the plaintiffs’ negligence claim
to the extent it alleged damages based solely on lost time, but held that negligence
claims of those plaintiffs who purchased identity protection services may proceed.
Second, the court held that in the absence of a special relationship, the plaintiffs’
negligent misrepresentation claim, to the extent it was based on an omission, failed as a
matter of law. Id. at *24. Accordingly, the court dismissed the plaintiffs’ negligent
136
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
