Data Breach Class Action Review – 2025

failing to adequately protect customers’ information. The court found that the plaintiffs alleged breach of contract and damages. The plaintiffs asserted unjust enrichment as an alternative claim, arguing that the defendants benefited unfairly from the breach. The court declined to dismiss the claim at this stage of the litigation, given the limited factual basis of the claim in the complaint. Finally, the court deferred ruling on whether the limitation of liability clauses in the defendants’ terms of use agreements were enforceable, stating that the issue required further factual development. Accordingly, the court allowed the case to proceed on the negligence, breach of contract, and unjust enrichment claims, and deferred a ruling on the enforceability of certain contract clauses.
The plaintiffs, a group of online consumers who make online grocery store purchases, filed a data breach class action in Liau, et al. v. Weee! Inc., 2024 U.S. Dist. LEXIS 30357 (S.D.N.Y. Feb. 22, 2024). They asserted claims for violation of consumer protection laws and breach of contract following the defendant’s website being subjected to a data breach after hackers accessed the site. The defendant filed a motion to dismiss pursuant to Rule 12(b)(1) and Rule 12(b)(6), and the court granted the motion. The data breach in question occurred on February 6, 2023, when a hacker named “IntelBroker” uploaded customers’ personal information, including names, email addresses, and phone numbers, to the dark web. The defendant confirmed the breach, stating it affected customers who placed orders between July 12, 2021, and July 12, 2022. The plaintiffs’ data was disclosed in the breach, although payment data and passwords were not compromised. As a result of the breach, plaintiffs alleged that they were subjected to increased costs in monitoring their financial accounts, and that they received numerous spam calls and text messages after the data breach.
The plaintiffs specifically alleged that they subscribed to a credit-monitoring service to mitigate the risk of identity theft following the breach. The court found that these alleged injuries did not meet the threshold for Article III standing, and reasoned that the plaintiffs could not manufacture standing simply by inflicting harm on themselves based on hypothetical future harm. The court stated that in order to establish standing, the plaintiffs needed to establish a concrete and particularized injury, and failed to do so. As for the plaintiffs’ allegations regarding spam calls and text messages as a result of the data breach, the court found that this claim also failed to establish standing. The court held that the spam was not fairly traceable to the defendant’s actions, as the plaintiffs did not sufficiently connect the spam messages to the breach. Accordingly, the court found that the plaintiffs lacked Article III standing, and granted the defendant’s motion to dismiss under Rule 12(b)(1).
In Weekes, et al. v. Cohen Cleary P.C., 2024 U.S. Dist. LEXIS 47673 (D. Mass. Mar. 15, 2024), the plaintiff brought a class action lawsuit against the defendant, a law firm, alleging that the firm failed to adequately safeguard her PII and PHI following a cyberattack on the firm’s network servers. The attack compromised the data of approximately 12,000 individuals. The plaintiff asserted that the defendant discovered the breach in September but did not notify affected individuals until November, and that the breach occurred as a result of the firm’s data security practices being insufficient. The defendant filed a motion to dismiss pursuant to Rule 12(b)(1) and 12(b)(6), and the court granted in part and denied in part the motion, allowing only the negligence claim to proceed to discovery.
First, the court dismissed claims for injunctive relief due to the speculative nature of potential future harm, but allowed the plaintiff to pursue monetary relief based on any plausible allegations of actual identity theft or imminent risk. The plaintiff asserted negligence by the defendant for failing to adequately safeguard her data. The court found that the plaintiff’s allegations of actual misuse of her PII or imminent risk of misuse were sufficient to satisfy the requirements for a negligence claim. However, the court dismissed the plaintiff’s claim for breach of confidence, as there were no allegations in the complaint asserting intentional disclosure of confidential information. The court also dismissed the plaintiff’s claim for breach of implied contract because the complaint did not sufficiently allege mutual assent or consideration necessary to establish an implied contractual relationship. Finally, the court dismissed the plaintiff’s claim based on the implied covenant of good faith and fair dealing, finding that the claim did not give rise to an independent cause of action without a breach of implied contract claim. Accordingly, the court granted in part and denied in part the defendant’s motion to dismiss.
In consolidated actions captioned In Re Mondelez Data Breach Litigation, 2024 U.S. Dist. LEXIS 97948 (N.D. Ill. June 3, 2024), the plaintiffs, employees of Mondelez Global LLC (Mondelez), sued Mondelez and Bryan Cave Leighton Paisner, LLP (Bryan Cave) following a data breach detected by Bryan Cave in February 2023. The breach compromised the personal information of 51,100 Mondelez employees. The defendants filed a motion to dismiss the claims pursuant to Rule 12(b)(1) and Rule 12(b)(6). The court granted in part and denied in part the motion, allowing only the negligence claim and implied contract claim to proceed to discovery. Mondelez, based in Chicago, provided employee data to Bryan Cave, a law firm, which was subject to the data breach that


© Duane Morris LLP 2025
