Data Breach Class Action Review – 2025

defendant’s failure to protect their data constituted negligence and violations of multiple laws, including the FTCA and the CMIA. The defendant moved to dismiss pursuant to Rule 12(b)(1) and Rule 12(b)(6). The court granted the motion in part, dismissing plaintiffs’ claims for negligence per se, implied contract, invasion of privacy, and violation of California’s Unfair Competition Law, and denied it in part, allowing the case to proceed to discovery on the plaintiffs’ negligence and CMIA claims. The court determined that the plaintiffs sufficiently demonstrated standing by offering evidence of their data being misused, which caused them concrete injuries. The defendant next argued that the plaintiffs failed to show a causal link between the data breach and their injuries, and that the alleged injuries were not actual damages. However, the court determined that the plaintiffs’ allegations — such as their personal information being posted on the dark web and resulting in financial losses — were sufficient to meet the causation and damage requirements for negligence. The plaintiffs’ negligence per se claim was based on an alleged violation of the FTCA, which prohibits unfair practices. The defendant contended that this claim should be dismissed because the FTCA does not provide a private right of action. The court agreed that negligence per se could not be a standalone claim but can be used as a theory supporting the negligence claim. The plaintiffs alleged that there was an implied contract requiring the defendant to protect their personal information. The defendant stated that merely sharing information does not create an implied contract to safeguard it. The court agreed. It found that the plaintiffs’ allegations did not establish an implied contract based on the defendant’s conduct, and dismissed the breach of contract claim. 
As to the invasion of privacy claims, the court explained that under both Pennsylvania and California law, an invasion of privacy claim requires intentional intrusion, and the plaintiffs’ claims against the defendant failed by not properly alleging that the defendant intentionally intruded on their information. Accordingly, the court granted in part and denied in part the defendant’s motion to dismiss.
The court granted the defendant’s motion for summary judgment in Austin, et al. v. Fleming, Nolen & Jez, LLP, 2024 U.S. Dist. LEXIS 60696 (S.D. Tex. Apr. 2, 2024). On February 6, 2023, a cybercriminal breached the defendant law firm’s servers and obtained some of its confidential client data. Id. at *1. The cybercriminal then demanded the defendant pay money to avoid the publication of the defendant’s confidential client data on the dark web. Id. After the defendant sent out data breach notice letters to its potentially affected clientele, the named plaintiff, a former client of the defendant, filed a class action complaint against the defendant asserting claims for negligence, breach of confidence, breach of implied contract, and breach of implied covenant of good faith and fair dealing. Id. The defendant moved for summary judgment on the basis that the plaintiff had not, and could not, establish that she had suffered any damages as a result of the data breach. Id. In response, the plaintiff presented an affidavit from a putative class member who had suffered monetary damages due to identity theft. Id. The court ruled that the plaintiff could not rely on a putative class member’s purported damages to support her claims prior to class certification, and as such, any evidence supporting the claims of other class members was “irrelevant.” Id. at *4. As a result, the court only considered the defendant’s motion for summary judgment as it pertained to the plaintiff’s individual claim against the defendant. Id.
The court held that none of the following allegations of harm were sufficient for the plaintiff to maintain her claims — “time spent verifying the legitimacy and impact of the data breach, exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying and/or mitigating the effects of the data breach.” Id. at *5-6. Accordingly, the court found that because the plaintiff could not show “that she was injured by the data breach” or that “she suffered any damages,” summary judgment was proper. Id. at *6.
In Jones, et al. v. Sturm, Ruger & Co., 2024 U.S. Dist. LEXIS 54804 (D. Conn. Mar. 27, 2024), the plaintiffs filed a class action following a data breach of an e-commerce site hosted on a server managed by Freestyle Software, Inc. The breach compromised customers’ PII and payment card data (PCD). The plaintiffs sued Freestyle and Sturm, Ruger & Company, Inc., alleging negligence, breach of contract, and unjust enrichment. The defendants filed motions to dismiss the case for lack of Article III standing and failure to state a claim. The defendants contended that the plaintiffs failed to establish that they suffered sufficient harm and failed to allege plausible claims. As to standing, the court determined that the plaintiffs sufficiently alleged that they suffered concrete, particularized, and imminent injuries in the form of “out of pocket costs by paying a monthly fee for credit and identity protection services,” and lost time and other opportunity costs associated with “attempting to mitigate the consequences of the data breach.” Id. at *11. Accordingly, the court denied the motion to dismiss for lack of standing. The court also ruled that the plaintiffs successfully alleged that the defendants failed to implement proper security measures, leading to the data breach, such that the negligence claim could proceed.
As to the breach of contract claim, the plaintiffs argued that the defendants breached an implied contract by

© Duane Morris LLP 2025
