Opinion
Civil Action 23-cv-10999-ADB
09-20-2024
MEMORANDUM AND ORDER
ALLISON D. BURROUGHS, U.S. DISTRICT JUDGE
Plaintiffs in this consolidated class action assert several claims against Defendants Alvaria, Inc. (“Alvaria”) and Carrington Mortgage Services, LLC (“Carrington,” and, collectively, “Defendants”) relating to a data breach that occurred in March 2023. See generally [ECF No. 29 (“Amended Complaint” or “Am. Compl.”)]. Before the Court is Defendants' motion to dismiss all claims. [ECF No. 38]. Because Plaintiffs have failed to adequately plead standing, the motion is GRANTED.
I. BACKGROUND
The following facts are taken from the Amended Complaint, the factual allegations of which are assumed to be true when considering a motion to dismiss. See Ruivo v. Wells Fargo Bank, N.A., 766 F.3d 87, 90 (1st Cir. 2014). As it may on a motion to dismiss, the Court has also considered “documents incorporated by reference in [the complaint], matters of public record, and other matters susceptible to judicial notice.” Giragosian v. Ryan, 547 F.3d 59, 65 (1st Cir. 2008) (quoting In re Colonial Mortg. Bankers Corp., 324 F.3d 12, 20 (1st Cir. 2003)).
A. Factual Background
Alvaria is a workforce and management call center technology and solution company that provides “services to Carrington, which is the current owner of Plaintiffs' home mortgages.” [Am. Compl. ¶ 1]. In providing loan and financial services, Carrington collects personal information from customers, including names, email addresses, usernames, passwords, social security numbers, phone numbers, mailing addresses, financial information and histories, employment information, drivers' license information, insurance information, and marital statuses. [Id. ¶ 22]. Carrington's contract with Alvaria authorizes Alvaria to receive and store Carrington customers' data, including names, mailing addresses, social security numbers, loan information, and other related information. [Id. ¶¶ 22, 25].
On March 9, 2023, third party hackers breached Alvaria's data system and procured Plaintiffs' names, mailing addresses, telephone numbers, loan numbers, current loan balances, and the last four digits of their Social Security numbers (the “Data Breach”). [Am. Compl. ¶ 2]. Alvaria provided notice to impacted customers on April 26, 2023 and offered twenty-four months of free credit monitoring. [Id. ¶ 36; ECF No. 1-1]. Plaintiffs are seven individuals whose information was implicated in the Data Breach. [Am. Compl. ¶¶ 13-19]. Neither Carrington nor Alvaria have disclosed the total number of customers and clients impacted by the Data Breach nationwide. [Id. ¶ 4].
In determining the motion to dismiss, the Court may consider the letter Alvaria sent to Plaintiffs regarding the Data Breach because “[its] authenticity ... [is] not disputed by the parties” and it is “central to plaintiffs' claim[s].” Watterson v. Page, 987 F.2d 1, 3 (1st Cir. 1993). Plaintiff Nulf's initial Complaint attached this letter, [ECF No. 1-1], and Defendants provided a clearer copy of the letter with their motion to dismiss, [ECF No. 39-1].
B. Procedural History
On May 5, 2023, named plaintiff Brian Nulf filed a class action complaint against Defendants, alleging counts of negligence, negligent misrepresentation, and unjust enrichment. [ECF No. 1]. On June 28, 2023, Nulf and the named plaintiffs in five related actions (collectively, “Plaintiffs”) filed a motion to consolidate their cases pursuant to Federal Rule of Civil Procedure 42(a). [ECF No. 12]. The Court granted this motion on July 14, 2023, [ECF No. 23], and Plaintiffs filed their omnibus amended complaint on August 14, 2023, [Am. Compl.], alleging twelve counts. Defendants moved to dismiss on October 13, 2023 for lack of jurisdiction and failure to state a claim. [ECF No. 38]. Plaintiffs opposed the motion to dismiss on November 17, 2023. [ECF No. 44]. Defendants filed a reply brief on December 15, 2023, [ECF No. 49], and Plaintiffs filed a notice of supplemental authority on March 26, 2024. [ECF No. 50].
Cronin v. Alvaria, Inc., No. 1-23-cv-11007-ADB; Pharr v. Alvaria, Inc., No. 1:23-cv-11053-AK; Cerda v. Alvaria, Inc., No. 1:23-cv-11088-AK; Scifo v. Alvaria, Inc., No. 1:23-cv-11143-ADB; and Smith v. Alvaria, Inc., No. 1:23-cv-11205-ADB.
Specifically, the Complaint brings the following counts: negligence (Count I), negligence per se (Count II), breach of contract (Count III), breach of implied contract (Count IV), breach of third-party beneficiary contract (Count V), breach of fiduciary duty (Count VI), unjust enrichment/quasi contract (Count VII), declaratory and injunctive relief (Count VIII), violation of the California Consumer Privacy Act of 2018 (Count IX), violation of the California Unfair Competition Law (Count X), and violations of Massachusetts General Laws 93A (Count XI and Count XII). [Am. Compl. ¶¶ 68-185]. Count V is brought only against Defendant Alvaria. [Id. ¶¶ 114-121].
II. STANDARD OF REVIEW
On a motion to dismiss for failure to state a claim pursuant to Rule 12(b)(6), the Court must accept as true all well-pleaded facts, analyze them in the light most favorable to the plaintiff, and draw all reasonable inferences from those facts in favor of the plaintiff. United States ex rel. Hutcheson v. Blackstone Med., Inc., 647 F.3d 377, 383 (1st Cir. 2011). Additionally, “a court may not look beyond the facts alleged in the complaint, documents incorporated by reference therein and facts susceptible to judicial notice.” MIT Fed. Credit Union v. Cordisco, 470 F.Supp.3d 81, 84 (D. Mass. 2020) (citing Haley v. City of Bos., 657 F.3d 39, 46 (1st Cir. 2011)). “[A] complaint must provide ‘a short and plain statement of the claim showing that the pleader is entitled to relief[,]'” Cardigan Mt. Sch. v. N.H. Ins. Co., 787 F.3d 82, 84 (1st Cir. 2015) (quoting Fed.R.Civ.P. 8(a)(2)), and set forth “factual allegations, either direct or inferential, respecting each material element necessary to sustain recovery under some actionable legal theory,” Pitta v. Medeiros, 90 F.4th 11, 17 (1st Cir. 2024) (quoting Gagliardi v. Sullivan, 513 F.3d 301, 305 (1st Cir. 2008)). Although detailed factual allegations are not required, a complaint must set forth “more than labels and conclusions,” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007), and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice,” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Rather, a complaint “must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Id. (quoting Twombly, 550 U.S. at 570).
III. DISCUSSION
The doctrine of standing is rooted in Article III of the Constitution, which confines federal courts to the adjudication of actual “cases” and “controversies.” See U.S. Const. art. III, § 2, cl. 1; Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992); TransUnion LLC v. Ramirez, 594 U.S. 413, 424 (2021) (“[A] federal court may resolve only ‘a real controversy with real impact on real persons.'”) (quoting Am. Legion v. Am. Humanist Assn., 588 U.S. 29, 34 (2019)). Standing consists of three elements: “[t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (quoting Lujan, 504 U.S. at 560-61), as revised (May 24, 2016). Where, as here, the question of standing is based on the pleadings, Plaintiffs “bear[ ] the burden of establishing sufficient factual matter to plausibly demonstrate [its] standing to bring the action,” Hochendoner v. Genzyme Corp., 823 F.3d 724, 731 (1st Cir. 2016), taking all of the facts (and any inferences that follow) in the plaintiff's favor. Gustavsen v. Alcon Labs, Inc., 903 F.3d 1, 7 (1st Cir. 2018) (quoting Katz v. Pershing, LLC, 672 F.3d 64, 70-71 (1st Cir. 2012)).
“That a suit may be a class action . . . adds nothing to the question of standing, for even named plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.'” Spokeo, 578 U.S. at 338 n.6 (2016) (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 40 n.20 (1976)).
Defendants argue that Plaintiffs lack standing to pursue their claims because they “are unable to establish any plausible (i.e., concrete and particularized) injury that would be traceable to the ransomware attack.” [ECF No. 39 at 13-20]. Plaintiffs respond that their allegations of substantial risk of future harm are sufficient to establish standing, that this substantial risk is fairly traceable to Defendants, and, alternatively, that their additional allegations of injury (namely, lost time and mitigation damages, increased spam communications, and emotional distress) confer standing. [ECF No. 44 at 10].
To establish injury in fact, a plaintiff must demonstrate “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560 (internal quotations omitted). “Various intangible harms can ... be concrete[,] includ[ing] ... disclosure of private information[ ] and intrusion upon seclusion.” TransUnion, 594 U.S. at 425 (citations omitted). As to imminence, “‘[a]llegations of possible future injury' are not sufficient.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). That said, “[a]n allegation of future injury may suffice if the threatened injury is ‘certainly impending,' or [if] there is a ‘“substantial risk” that the harm will occur.'” Reddy v. Foster, 845 F.3d 493, 500 (1st Cir. 2017) (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)). Where the alleged injury requires a lengthy chain of assumptions, including “guesswork as to how independent decisionmakers will exercise their judgment,” the injury is too speculative to be “certainly impending.” Clapper, 568 U.S. at 413-14.
A. Actual Misuse
In the context of a data breach, the First Circuit recently made clear that actual misuse of a plaintiff's data is sufficient to show concrete injury for the purposes of Article III standing, provided that plaintiffs have sufficiently pleaded that this actual misuse “result[ed] from [the] data breach.” Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 374 (1st Cir. 2023). In assessing “actual misuse,” the First Circuit in Webb considered several facts pled by Webb which made it plausible that the actual misuse of her data (namely, filing a fraudulent tax return) resulted from the data breach. Id. at 375-76. These included the “obvious temporal connection” between the two incidents, that plaintiff Webb pleaded that she was “very careful” about sharing her personally identifiable information (“PII”), and that she “never knowingly transmitted unencrypted PII over the internet or any other unsecure source.” Id. at 374. The First Circuit's discussion in Webb about the complaint asserting facts sufficient to show a causal connection to “actual misuse,” in other words, requiring that the misuse be plausibly tied to the underlying data breach, is consistent with Article III's traceability element, which “requires the plaintiff to show a sufficiently direct causal connection between the challenged action and the identified harm.” Katz v. Pershing, LLC, 672 F.3d 64, 71 (1st Cir. 2012). This causal connection need not be proximate, Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014), but it also “cannot be overly attenuated.” Katz, 672 F.3d at 71 (quoting Donahue v. City of Bos., 304 F.3d 110, 115 (1st Cir. 2002)).
Here, Plaintiffs allege “actual misuse” in various forms, including an unauthorized debit card charge, “unusual and unauthorized attempts to use or access” social media accounts (specifically, a Facebook account and an Apple ID), and increases in spam and phishing calls and emails. [Am. Compl. ¶¶ 13-19]. Plaintiffs offer, however, no more than conclusory allegations and speculation regarding how those instances of misuse are traceable to the Data Breach, which are insufficient to carry their burden as to demonstrating standing. Hochendoner, 823 F.3d at 731 (1st Cir. 2016) (“[A]t the pleading stage, the plaintiff bears the burden of establishing sufficient factual matter to plausibly demonstrate his standing to bring the action. Neither conclusory assertions nor unfounded speculation can supply the necessary heft.”); Taylor v. UKG, Inc., 693 F.Supp.3d 87, 94 (D. Mass. 2023) (at pleading stage, the Court “must separate the complaint's factual allegations (which must be accepted as true) from its conclusory legal allegations (which need not be credited)”) (internal quotation omitted).
Plaintiff Smith alleges she experienced actual misuse based on the fact that “in or around March or April 2023, she was denied an increase on her Macy's credit card without explanation.” [Am. Compl. ¶ 15]. The Court does not consider Macy's denial of a credit increase to be an instance of “actual misuse” of Plaintiff Smith's data. The allegation contains no facts to support that an independent actor accessed or used any of Plaintiff Smith's data; in fact, the only actor in the allegation is Macy's, who, for reasons unknown, denied a credit increase. Moreover, even assuming this denial of a credit increase did constitute actual misuse, without more, the Court does not view the denial in credit limit as fairly traceable to the information disclosed in the Data Breach as it requires several attenuated logical leaps - namely, that a malicious actor, using Plaintiff Smith's data without her knowledge after acquiring it in the Data Breach, so deteriorated her credit that Macy's denied an increase. See Katz, 672 F.3d at 71. In the absence of more facts to make those logical leaps less tenuous, the Court does not view the denial of a credit increase as enough to establish Article III standing.
Specifically, regarding the unauthorized debit card charge, Plaintiffs do not allege that debit card information or bank account information was disclosed in the Data Breach, and they provide no explanation for how the disclosure of Carrington loan numbers and balances, telephone numbers, mailing addresses, and the last four digits of Social Security numbers could be parried into unauthorized debit purchases. See generally [Am. Compl.]. Without more, the conclusory allegation that the disclosure of this information, unrelated to debit accounts or activity, led to unauthorized debit charges cannot be considered fairly traceable to Defendants. In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 2032 (D.D.C. 2014) (finding unauthorized credit and debit charges not traceable to data breach where stolen information included “names, Social Security Numbers, addresses, dates of birth, phone numbers,” but plaintiffs provided “no plausible explanation for how the thief would have acquired their banking information”); see, e.g., Burger v. Healthcare Mgmt. Sols., LLC, No. RDB-23-1215, 2024 WL 473735, at *6 (D. Md. Feb. 7, 2024) (finding unauthorized charges on credit card could not be fairly traced to defendants when plaintiff did not “allege that her credit card information itself was disclosed,” even when plaintiff did allege that her bank account information was disclosed). Moreover, the plaintiff who experienced the unauthorized debit card, Plaintiff Cronin, had already disclosed his name, mailing address, loan number and balance as of July 2018, and the last four digits of his Social Security number in various public filings in advance of the Data Breach, which undercuts the notion that use of this data is plausibly connected to the Data Breach. Cf. Webb, 72 F.4th at 374 (considering fact that plaintiff Webb did not otherwise disclose her information in drawing inference that misuse resulted from data breach).
In their motion to dismiss, Plaintiffs included a copy of Plaintiff Cronin's mortgage, which is publicly available from the Recorders Office in Pennsylvania and includes his name, mailing address, Carrington loan number, and loan balance as of July 2018, [ECF No. 39-13]. Defendants also included a copy of his Chapter 13 bankruptcy filings, which include his name and the last four digits of his Social Security number, [ECF No. 39-12]. The Court takes judicial notice of these records. McKenna v. Wells Fargo Bank, N.A., No. 10-10417, 2011 WL 1100160, at *1 n.6 (D. Mass. Mar. 21, 2011) (taking judicial notice of mortgage “because it is recorded in the Barnstable [County] Registry of Deeds” for purposes of ruling on a motion to dismiss); see Bostwick v. 44 Chestnut St., No. 17-CV-12409, 2019 WL 1396408, at *4 (D. Mass. Mar. 27, 2019) (“The Court may take judicial notice of proceedings in other courts, including state courts.”) (collecting cases).
Similarly, Plaintiffs provide no explanation for how the disclosed information could have facilitated changes in social media passwords or an increase in spam emails, particularly when email addresses, passwords, and social media handles were not part of the Data Breach. Burger, 2024 WL 473735, at *6 (finding that “generic allegation of increased spam calls and emails, if an injury at all, fails to plausibly show that [the] alleged injuries were the result of Defendant's conduct,” particularly where plaintiff had not alleged “that her email address was compromised as part of the data breach”) (internal quotation omitted); McCombs v. Delta Grp. Elecs., Inc., 676 F. Supp. 3d 1064, 1074 (D.N.M. 2023) (“Spam calls, texts, and e-mails have become very common in this digitized world, and a number of courts have declined to confer standing when considering an increase in spam communications.”) (collecting cases). Without more, these allegations are not fairly traceable to Defendants' conduct.
Once again, as part of their motion to dismiss, Defendants attached public records indicating that, for the individual plaintiffs who allege that they have experienced this misuse, much of their information was already public in advance of the Data Breach, cutting against the inference that the misuse is traceable to the Data Breach. For example, Plaintiffs Collins and Collins are alleged to have experienced “unusual and unauthorized” social media activity as a result of the Data Breach. Defendants' motion to dismiss includes copies of their Partial Claims Mortgage, [ECF No. 39-14], and Loan Modification Agreement, [ECF No. 39-15], available as public records from the County Clerk/Recorder Office in Sacramento County, California and subject to judicial notice. McKenna, 2011 WL 1100160, at *1 n.6. These records, executed in 2022, contain Plaintiffs' name, mailing address, loan number, and loan balance as of January 1, 2022. See generally [ECF Nos. 39-14; 19-15]. Thus, only their telephone numbers, their loan balances between January 1, 2022 and the Data Breach, and the last four digits of their Social Security numbers were not public before the Data Breach, and both are at best tenuously related to social media activity.
B. Risk of Future Identity Theft
In the absence of actual misuse, to have standing, a plaintiff in a data breach case must plead that the risk of future harm resulting from the data breach “is sufficiently imminent and substantial,” and then also “plausibly allege a separate concrete, present harm caused by the plaintiffs' exposure to this risk of future harm.” Webb, 74 F.4th at 375-376 (cleaned up). In determining whether a plaintiff has alleged a sufficiently imminent and substantial risk of harm, the First Circuit considers several factors, including (1) whether the data at issue was “deliberately taken by thieves intending to use the information to their financial advantage,” (2) whether any other plaintiffs have shown actual misuse of their data, increasing the risk that all plaintiffs will face the same, and (3) the sensitivity of the information. Id. at 375. “In contrast, the risk of future misuse may be lower where the stolen data is less sensitive, . . . such as basic publicly available information, or data that can be rendered useless to cybercriminals.” Id. at 376 (internal quotations omitted). “[T]hese considerations are neither exclusive nor necessarily determinative, but they do provide guidance.” Id. at 375.
As to the first factor, Plaintiffs have pleaded that “a malicious actor” gained unauthorized access to their data and that “[u]pon information and belief, the actors, viewed, copied, and exfiltrated substantial amounts of Plaintiffs' and the Class's PII” [Am. Compl. ¶¶ 32-33]. This factor leans in favor of standing because “[i]t stands to reason that data compromised in a targeted attack is more likely to be misused.” Webb, 72 F.4th at 375. Plaintiffs fail, however, to plead facts sufficient to support any of the other relevant factors. More specifically, as discussed infra, Plaintiffs have not shown that any alleged actual misuse after the Data Breach was fairly traceable to the breach. They also have not established the information stolen was particularly sensitive, especially given that, as Defendants outline in their motion to dismiss and related exhibits, the vast majority of Plaintiffs' stolen information was already publicly available before the breach. Webb, 74 F.4th at 376.
That said, the letter Alvaria sent Plaintiffs makes clear that the attack at issue was a ransomware attack, [ECF No. 1-1], which can, in some cases, cut against standing, given that “the primary purpose of [which] is the exchange of money for access to data, not identity theft.” In re Practicefirst Data Breach Litig., No. 1:21-CV-00790, 2022 WL 354544, at *5 (W.D.N.Y. Feb. 2, 2022), report and recommendation adopted, No. 21-CV-790, 2022 WL 3045319 (W.D.N.Y. Aug. 1, 2022). Plaintiffs here have not pleaded facts to indicate whether Alvaria paid the ransom or whether there is any indication that their data was actually published on the dark web. See generally [Am. Compl.]; cf. Clemens v. ExecuPharm Inc., 48 F.4th 146, 157 (3d Cir. 2022) (finding plaintiffs subject to ransomware attack established standing when facts supported that attacker “launched a sophisticated phishing attack to install malware, encrypted the data, held it for ransom, and published it”). Given that Plaintiffs have pleaded that their data was subject to a third-party attack and that the data could be valuable on the dark web, taking all facts in the light most favorable to Plaintiffs on a motion to dismiss, the Court will consider this factor as weighing in favor of standing.
C. Other Harms
Plaintiffs additionally argue that they have adequately alleged harm based on the costs of taking steps to protect their credit (“mitigation damages”) and time lost responding to the data breach. [ECF No. 44 at 15-16]. To the extent that Plaintiffs raise these alleged damages to demonstrate that “the complaint ... plausibly allege[s] a separate concrete, present harm caused ‘by . . . exposure to a risk of future harm,'” to, in turn, “establish standing to pursue damages” based on that future risk, Webb, 72 F.4th at 376 (quoting TransUnion, 594 U.S. at 436) (alterations omitted), this is also unavailing. Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 568 U.S. 398 at 416; Katz, 672 F.3d at 79 (rejecting costs associated with “purchase[ ] [of] identity theft insurance and credit monitoring services to guard against a possibility, remote at best, that her nonpublic personal information might someday be pilfered” as an injury in fact because “[w]hen an individual alleges that her injury is having to take or forebear from some action, that choice must be premised on a reasonably impending threat.”). Where, as here, Plaintiffs have not shown an imminent risk of identity theft, prophylactic costs to mitigate such a risk do not constitute an independent injury sufficient to support standing. See Hartigan v. Macy's, Inc., 501 F.Supp.3d 1, 6 (D. Mass. 2020) (“[A]lthough a data breach occurred, [plaintiff] alleges no misuse of his or any class member's data. [Plaintiff's] purchase of credit monitoring services thus was not ‘premised on a reasonably impending threat' and does not constitute injury-in-fact.” (quoting Katz, 672 F.3d at 79)). This is also true of time spent responding to a data breach where no real or imminent threat of data misuse exists. Cf. Webb, F.4th at 377 (“Because this alleged injury [of lost time] was a response to a substantial and imminent risk of harm, this is not a case where the plaintiffs seek to manufacture standing by incurring costs in anticipation of non-imminent harm.”) (internal quotation omitted); In re LastPass Data Sec. Incident Litig., No. 22-12047, 2024 WL 3580646, at *5 (D. Mass. July 30, 2024) (“Plaintiffs have plausibly shown they face a real and imminent threat of misuse of their data, so their lost time constitutes injury in fact.”).
Plaintiffs also plead an “increase in target spam and phishing communications” and “emotional distress” as additional injuries sufficient to establish Article III standing. For the reasons discussed supra, the increase in spam communications is not fairly traceable to the Data Breach and thus does not establish standing. Regarding emotional distress, only two Plaintiffs offer (identical) conclusory statements to establish their emotional harm, see [Am. Compl. ¶ 18-19 (“Mr. Collins has experienced anxiety, stress, and lost sleep following notice of the Data Breach.”)], and the Amended Complaint speculates that “[v]ictims of identity theft can also suffer emotional distress, blackmail, or other forms of harassment in person or online.” [Am. Compl. ¶ 44]. Without more, “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice” to establish standing. Iqbal, 556 U.S. at 678.
Although the parties do not argue it in their motion to dismiss briefing, the Amended Complaint also requests declaratory or injunctive relief, [Am. Compl. ¶¶ 139-146]; as such, this Court will address briefly whether Plaintiffs have pleaded standing to seek injunctive relief. In support of their claim for injunctive relief, Plaintiffs allege that Defendants' actions with respect to safeguarding Plaintiffs' data “were inadequate and unreasonable and, upon information and belief, remain inadequate and unreasonable.” [Am. Compl. ¶ 141]; see also [Am. Compl. ¶ 38 (“Defendants failed to implement reasonable measures to prevent the Data Breach[.]”)]. They also allege that Alvaria experienced another data breach in 2022. [Am. Compl. ¶ 34]. “Naturally, an injunction requiring [defendants] to improve its cybersecurity systems cannot protect the plaintiffs from future misuse of their PII by the individuals they allege now possess it. Any such relief would safeguard only against future breach.” Webb, 72 F.4th at 378. Plaintiffs, however, offer little support for the notion that any such future breach will occur, and the notice they received in fact indicates that “[u]pon discovery of the incident, [Defendant Alvaria] immediately secured [its] networks, implemented measures to further improve the security of [its] systems . . . initiated an investigation of the incident with the assistance of forensic experts, and notified the Federal Bureau of Investigation (“FBI”),” [ECF No. 1-1], which cuts against any inference that Defendants' “prior data breach might make a future data breach more likely.” Webb, 72 F.4th at 378. As such, Plaintiffs' allegations are insufficient to establish standing to pursue injunctive relief.
IV. CONCLUSION
Accordingly, Defendants' motion to dismiss, [ECF No. 38], is GRANTED without prejudice.
SO ORDERED.