Opinion
Cause No. 1:23CV232-LG-MTP
2024-06-18
Charles WILLIAMS, Amber Cochran, Casey Crosby, Robert Fendley, Guy Schenck, Debbie Slusser, Robert Harris, and Richard Rose, individually and behalf of all others similarly situated, Plaintiffs v. BIENVILLE ORTHOPAEDIC SPECIALISTS, LLC, Defendant
Jonathan Matthew Eichelberger, Eichelberger Law Firm, PLLC, Jackson, MS, Danielle L. Perry, Pro Hac Vice, Lisa A. White, Pro Hac Vice, Mason LLP, Washington, DC, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Raina C. Borrelli, Pro Hac Vice, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Charles Williams. Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiffs Amber Cochran, Casey Crosby. Robert G. Germany, Germany Law Firm, PLLC, Madison, MS, Daniel Srourian, Pro Hac Vice, Srourian Law Firm, PC, Los Angeles, CA, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Robert Fendley. Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Danielle L. Perry, Lisa A. White, Pro Hac Vice, Mason LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Guy Schenck. Jonathan Matthew Eichelberger, Eichelberger Law Firm, PLLC, Jackson, MS, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Gary M. Klinger, Pro Hac Vice, Milberg Coleman Bryson Phillips Grossman, PLLC, Chicago, IL, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, Justin C. Walker, Pro Hac Vice, Markovits, Stock & De Marco, LLC, Cincinnati, OH, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, for Plaintiff Debbie Slusser. Justin G. Witkin, Aylstock, Witkin, Kreis & Overholtz, PLLC, Pensacola, FL, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Jeff Ostrow, Pro Hac Vice, Steven Patrick Sukert, Pro Hac Vice, Kopelowitz Ostrow P.A., Fort Lauderdale, FL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, William Peerce Howard, Pro Hac Vice, The Consumer Protection Firm, PLLC, Tampa, FL, for Plaintiff Robert Harris. Jonathan Matthew Eichelberger, Eichelberger Law Firm, PLLC, Jackson, MS, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Richard Rose. Jeffrey S. Moore, Andrew W. Coffman, Phelps Dunbar, LLP, Tupelo, MS, Alfred Paul LeBlanc, Jr., Pro Hac Vice, James Walter Green, Pro Hac Vice, Phelps Dunbar, LLP, Baton Rouge, LA, for Defendant.
Jonathan Matthew Eichelberger, Eichelberger Law Firm, PLLC, Jackson, MS, Danielle L. Perry, Pro Hac Vice, Lisa A. White, Pro Hac Vice, Mason LLP, Washington, DC, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Raina C. Borrelli, Pro Hac Vice, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Charles Williams. Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiffs Amber Cochran, Casey Crosby. Robert G. Germany, Germany Law Firm, PLLC, Madison, MS, Daniel Srourian, Pro Hac Vice, Srourian Law Firm, PC, Los Angeles, CA, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Robert Fendley. Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Danielle L. Perry, Lisa A. White, Pro Hac Vice, Mason LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Guy Schenck. Jonathan Matthew Eichelberger, Eichelberger Law Firm, PLLC, Jackson, MS, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Gary M. Klinger, Pro Hac Vice, Milberg Coleman Bryson Phillips Grossman, PLLC, Chicago, IL, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, Justin C. Walker, Pro Hac Vice, Markovits, Stock & De Marco, LLC, Cincinnati, OH, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, for Plaintiff Debbie Slusser. Justin G. Witkin, Aylstock, Witkin, Kreis & Overholtz, PLLC, Pensacola, FL, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Jeff Ostrow, Pro Hac Vice, Steven Patrick Sukert, Pro Hac Vice, Kopelowitz Ostrow P.A., Fort Lauderdale, FL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, William Peerce Howard, Pro Hac Vice, The Consumer Protection Firm, PLLC, Tampa, FL, for Plaintiff Robert Harris. Jonathan Matthew Eichelberger, Eichelberger Law Firm, PLLC, Jackson, MS, Erik S. Heninger, Heninger Garrison Davis, LLC, Birmingham, AL, Lisa A. White, Pro Hac Vice, Mason, LLP, Washington, DC, Raina C. Borrelli, Strauss Borrelli PLLC, Chicago, IL, for Plaintiff Richard Rose. Jeffrey S. Moore, Andrew W. Coffman, Phelps Dunbar, LLP, Tupelo, MS, Alfred Paul LeBlanc, Jr., Pro Hac Vice, James Walter Green, Pro Hac Vice, Phelps Dunbar, LLP, Baton Rouge, LA, for Defendant. MEMORANDUM OPINION AND ORDER GRANTING DEFENDANT'S MOTION TO DISMISS LOUIS GUIROLA, JR., UNITED STATES DISTRICT JUDGE
BEFORE THE COURT is the [28] Motion to Dismiss filed by Defendant Bienville Orthopaedic Specialists, LLC, in this consolidated, putative class action that arose out of a data breach of Bienville's computer network. Plaintiffs, who are current and former patients of Bienville, have filed a response in opposition to the Motion, and Bienville has filed a reply. After reviewing the submissions of the parties, the record in this matter, and the applicable law, the Court finds that Bienville's Motion to Dismiss should be granted because Plaintiffs have not alleged sufficient facts to demonstrate standing to pursue this lawsuit.
The cause numbers assigned to the member cases are 1:23cv234-LG-MTP, 1:23cv237-LG-MTP, 1:23cv238-LG-MTP, 1:23cv243-LG-MTP, 1:23cv248-LG-MTP, and 1:23cv253-LG-MTP.
BACKGROUND
Bienville provides orthopedic healthcare to patients at five clinics located on the Mississippi Gulf Coast. (Compl. at 6, ECF No. 27). Plaintiffs are patients who provided personal information to Bienville in order to receive medical care. (Id. at 33-50).
On September 1, 2023, Bienville issued a notice that cybercriminals had accessed files in its network that contained the "personally identifiable information" ("PII") and "protected health information" ("PHI") of Plaintiffs and members of the proposed class. The PII and PHI included in the accessed files included patients' names, Social Security numbers, dates of birth, medical information, health insurance information, usernames and passwords, financial account information, and driver's license numbers. (Id. at 2, 9). Plaintiffs attempt to assert the following claims against Bienville, individually and on behalf of all others similarly situated: negligence, unjust enrichment, breach of implied contract, breach of fiduciary duty, and invasion of privacy. They seek declaratory and injunctive relief, monetary damages, pre- and post-judgment interest, attorneys' fees, and expenses. Bienville seeks dismissal of Plaintiffs' Complaint for lack of standing and failure to state a plausible claim for relief.
DISCUSSION
I. ARTICLE III STANDING
In order to preserve the separation of powers, Article III of the United States Constitution limits judicial power to cases and controversies. DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 341-42, 126 S.Ct. 1854, 164 L.Ed.2d 589 (2006); see also U.S. CONST. art. III, § 2, cl. 1. "For there to be a case or controversy under Article III, the plaintiff must have a 'personal stake in the case — in other words, standing.' " TransUnion LLC v. Ramirez, 594 U.S. 413, 423, 141 S.Ct. 2190, 210 L.Ed.2d 568 (2021) (internal quotation marks omitted). In order to establish standing, "a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief." Id. at 423, 141 S.Ct. 2190. In other words, "[i]f the plaintiff does not claim to have suffered an injury that the defendant caused and the court can remedy, there is no case or controversy for the federal court to resolve." Id.
"Every class member must have Article III standing in order to recover individual damages." Id. at 431, 141 S.Ct. 2190. "Where, as here, the movant mounts a facial attack on jurisdiction based only on the allegations in the complaint, the court simply considers the sufficiency of the allegations in the complaint because they are presumed to be true." Lee v. Verizon Commc'ns, Inc., 837 F.3d 523, 533 (5th Cir. 2016) (internal quotation marks omitted). In order to survive a facial attack, the plaintiff must clearly allege facts demonstrating each element of standing. Spokeo, Inc. v. Robins, 578 U.S. 330, 338, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016) (alterations omitted). If the plaintiff fails to establish standing, the plaintiff's claim must be dismissed for lack of jurisdiction pursuant to Fed. R. Civ. P. 12(b)(1). Lewis v. Knutson, 699 F.2d 230, 237 (5th Cir. 1983). In a class action, the named plaintiffs representing a class "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Warth v. Seldin, 422 U.S. 490, 502, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975); see also Braidwood Mgmt., Inc. v. Equal Emp. Opportunity Comm'n, 70 F.4th 914, 924 n.12 (5th Cir. 2023). Because Bienville only challenges the concrete injury in fact and causation elements of standing, the Court limits its analysis to those two standing elements.
A. PLAINTIFFS' CLAIMS FOR MONETARY RELIEF
1. WHETHER PLAINTIFFS HAVE ALLEGED A CONCRETE INJURY-IN-FACT
Bienville first argues that Plaintiffs have failed allege a concrete injury-in-fact. "Concrete injuries include constitutional harms, traditional tangible harms such as 'physical' and 'monetary' harms, and 'various intangible harms,' including 'injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.' " Lutostanski v. Brown, 88 F.4th 582, 586 (5th Cir. 2023) (quoting TransUnion, 594 U.S. at 424, 141 S.Ct. 2190).
The Fifth Circuit has not yet had the opportunity to address the issue of Article III standing in the context of a data breach case, but other circuits have looked to a series of Supreme Court cases concerning intangible injuries for guidance: (1) Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013); (2) Spokeo, Inc. v. Robins, 578 U.S. 330, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016); and (3) TransUnion LLC v. Ramirez, 594 U.S. 413, 141 S.Ct. 2190, 210 L.Ed.2d 568 (2021). In Clapper, the plaintiffs filed a lawsuit seeking a declaration that an amendment to the Foreign Intelligence Surveillance Act was unconstitutional as well as an injunction prohibiting surveillance under that amendment. 568 U.S. at 401, 133 S.Ct. 1138. The plaintiffs claimed that their work "require[d] them to engage in sensitive international communications with individuals who they believe[d] [were] likely targets of surveillance." Id. The plaintiffs argued that they had standing to challenge the amendment because there was an "objectively reasonable likelihood" that their communications with these foreign contacts would be intercepted due to the amendment. Id. at 410, 133 S.Ct. 1138. The Supreme Court rejected this argument because the plaintiffs did not allege an imminent injury that was fairly traceable to the statutory amendment; rather, they submitted a "speculative chain of possibilities" that they would be injured if their foreign contacts were subjected to future surveillance. Id. at 414, 133 S.Ct. 1138. The Supreme Court also rejected the plaintiffs' assertion that they had undertaken "costly and burdensome" measures to avoid surveillance authorized by the FISA amendment. Id. at 415, 133 S.Ct. 1138. It explained that the plaintiffs could not "manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending." Id. at 416, 133 S.Ct. 1138.
In Spokeo, Inc. v. Robins, the plaintiff claimed that Spokeo's "people search engine" disseminated incorrect information about him. 578 U.S. at 333, 136 S.Ct. 1540. The Supreme Court stated, "A 'concrete' injury must be 'de facto'; that is, it must actually exist . . . . When we have used the adjective 'concrete,' we have meant to convey the usual meaning of the term—'real,' and not 'abstract.' " Id. at 340, 136 S.Ct. 1540. Nevertheless, " '[c]oncrete' is not . . . necessarily synonymous with 'tangible.' " Id. When analyzing whether an intangible harm is concrete, "it is instructive to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts." Id. at 341, 136 S.Ct. 1540. After noting that inaccurate information does not necessarily "cause harm or present any material risk of harm," the Supreme Court remanded the case to the Ninth Circuit for a determination of whether the plaintiff had alleged a concrete injury. Id. at 342-43, 136 S.Ct. 1540.
In the wake of Spokeo and Clapper, an apparent circuit split developed concerning whether plaintiffs claiming injury from a data breach had alleged an injury in fact. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 691-95 (7th Cir. 2015) (explaining that "customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an 'objectively reasonable likelihood' that such an injury will occur"); but see In re Super-Valu, Inc., 870 F.3d 763, 769-70 (8th Cir. 2017) (plaintiffs lacked standing because they did not allege that their personal information was misused). Meanwhile, the Eleventh Circuit recognized that some data "breaches may present greater risk of identity theft than others," but it held that the plaintiffs' alleged harms of substantial future risk of identity theft, proactive mitigation costs, and conclusory allegations of unauthorized charges failed to confer standing. Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340-44 (11th Cir. 2021).
The Supreme Court brought more clarity to the issue in TransUnion, which concerned violations of the Fair Credit Reporting Act. In TransUnion, the court determined that plaintiffs who claimed that a credit reporting agency had provided incorrect credit reports to third-party businesses "had demonstrated "concrete reputational harm and thus [had] standing to sue . . . ." 594 U.S. at 417, 141 S.Ct. 2190. However, plaintiffs whose credit files were not provided to third-party businesses did hot have standing to sue. Id. The Court explained that the "presence of an inaccuracy in an internal credit file, if it is not disclosed to a third party, causes no concrete harm." Id. at 434, 141 S.Ct. 2190. Therefore, "the mere risk of future harm" is not a concrete injury in fact. Id. at 436-37, 141 S.Ct. 2190.
Since the TransUnion decision was issued, only a few circuit courts have considered standing in data breach cases. In a Third Circuit case, a plaintiff filed a putative class action after hackers accessed her former employer's servers through a phishing attack. Clemens v. Execupharm, Inc., 48 F.4th 146, 150 (3d Cir. 2022). After learning of the attack, the plaintiff took several measures to protect her financial accounts, including subscribing to credit monitoring services. Id. at 151. She sued her former employer and alleged that she had standing due to these mitigation measures as well as the risk of future identity theft and fraud. Id. The Third Circuit explained:
[A]llegations of future injury suffice if the threatened injury is certainly impending or there is a substantial risk that the harm will occur. A substantial risk means a realistic danger of sustaining a direct injury. While plaintiffs are not required to demonstrate that it is literally certain that the harms they identify will come about, a possible future injury — even one with an objectively reasonable likelihood of occurring — is not sufficient.Id. at 152-53. The Clemens court further held that, pursuant to TransUnion, "a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms." Id. at 155-56. "For example, if the plaintiff's knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury." Id. Based on these considerations, the Third Circuit held that the plaintiff had standing to assert contract, tort, and breach of fiduciary duty claims. Id. at 156.
The First Circuit considered the TransUnion decision in the context of a data breach in Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023). In that case, two plaintiffs — Webb and Charley — brought a putative class action against a home-delivery pharmacy service that experienced a data breach that enabled hackers to gain access to their PII. The plaintiffs claimed that they had spent "considerable time and effort" monitoring their accounts and had experienced emotional distress including stress, fear, and sleep disruption. Id. at 370. The First Circuit held that Webb had alleged a concrete injury in fact "based on the plausible pleading that the data breach resulted in the misuse of her PII by an unauthorized third party . . . to file a fraudulent tax return." Id. at 373. Furthermore, the misuse of Webb's PII to file a fraudulent tax return assisted Charley in demonstrating standing even though her PII had not been misused. Id. at 374.
The Second Circuit addressed the effect of TransUnion on data breach claims in Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276 (2d Cir. 2023). In that case, a plaintiff filed a putative class action alleging that her former employer failed to adequately secure her PII, which was accessed by an "unauthorized actor" who "leveraged a vulnerability in a third party's software." 79 F.4th at 281. Relying on the holding in TransUnion, the court determined that the plaintiff had alleged a concrete injury that was actual or imminent. Id. at 283. The court found that the "exposure of Bohnak's PII to unauthorized third parties—bears some relationship to a well-established common-law analog: public disclosure of private facts." Id. at 285. The plaintiff had suffered separate concrete harms as a result of the risk of future harm in the form of "out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and lost time and other opportunity costs associated with attempting to mitigate the consequences of the data breach." Id. at 285 (internal quotation marks omitted).
In Green-Cooper v. Brinker Int'l, Inc., the Eleventh Circuit explained, "We typically require misuse of the data cybercriminals acquire from a data breach because such misuse constitutes both a 'present' injury and a 'substantial risk' of harm in the future." 73 F.4th 883, 889 (11th Cir. 2023), cert. denied sub nom. Brinker Int'l, Inc. v. Steinmetz, — U.S. —, 144 S.Ct. 1457, 218 L.Ed.2d 689 (2024) (citing Tsao, 986 F.3d at 1343-44). The plaintiffs' allegations that hackers took credit card data and other personal data from the Chili's restaurant systems and "affirmatively posted that information for sale" on an online marketplace for stolen payment data, constituted misuse. Id. at 886, 889-90. This misuse constituted both a present injury and a substantial risk of future injury, thus satisfying the concrete injury requirement of Article III standing. Id. at 890. The Eleventh Circuit noted that its prior decision in Tsao was consistent with TransUnion. Id. at 890 n.9. As a result, Tsao's holding that "[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing" has not been overturned. Tsao, 986 F.3d at 1344.
In the present case, Plaintiffs allege that cybercriminals had access to their PII and PHI between at least February 3, 2023, and March 5, 2023, when Bienville "detected" the breach. (Compl. at 99, ECF No. 27). Their complaint states, "Given the sensitivity of the [p]rivate [i]nformation involved in this Data Breach, Plaintiffs and Class Members have all suffered damages and will face a substantial risk of additional injuries for the rest of their lives." (Id. at 29). It further asserts:
Plaintiffs and Class Members have suffered or will suffer actual injury as a direct result of the Data Breach. Many victims suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach relating to:(Id. at 32). They state that they have also "suffered anxiety, emotional distress, loss of time, loss of privacy, and are at an increased risk of future harm for the rest of their lives." (Id. at 33).
a. Reviewing and monitoring sensitive accounts and finding fraudulent insurance claims, loans, and/or government benefits claims;
b. Purchasing credit monitoring and identity theft prevention services;
c. Placing "freezes" and "alerts" with reporting agencies;
d. Spending time on the phone with or at financial institutions, healthcare providers, and/or government agencies to dispute unauthorized and fraudulent activity in their name;
e. Contacting financial institutions and closing or modifying financial accounts; and
f. Closely reviewing and monitoring Social Security Number, medical insurance accounts, bank accounts, and credit reports for unauthorized activity for the rest of their lives.
They further claim that their PII and PHI are now "in the hands of cybercriminals" due to the breach and that their private information now has less value as a result of the breach. (Id. at 29-31). According to Plaintiffs, they were also damaged in that they did not receive the "benefit-of-the-bargain" because they "overpaid for a service that was intended to be accompanied by adequate data security that complied with industry standards but was not." (Id. at 31).
Plaintiff Charles Williams alleges that he "has already experienced actual fraud and data misuse following the Data Breach." (Id. at 34). Several unauthorized charges totaling around $17,000 were made on his credit union account in late February 2023. (Id.). "Shortly thereafter, [he] was notified of multiple accounts fraudulently opened in his name with the same credit union." (Id.). According to the Complaint,
[a]ll these actions have taken several hours away from Plaintiff Williams' valuable time that he otherwise would have spent on other activities and opportunities. Moreover, Plaintiff Williams has had to expend his own money in an attempt to address the harms of the Data Breach, including money he spent for gas to travel to and from the bank when he was working to resolve the fraudulent transactions and fraudulently opened accounts.(Id. at 34-35). The breach has allegedly resulted in "anxiety, sleep disruption, stress, fear, and frustration." (Id. at 35).
Plaintiff Robert Fendley claims that "he has already experienced actual data misuse following the Data Breach" because he "began experiencing an influx of spam phone calls" in July or August 2023. (Id. at 37). In one of these calls, a person posing as a Medicare representative had Fendley's name, date of birth, and Medicare number. (Id.). Fendley spent several hours investigating the data breach, replacing his insurance card, obtaining a new Medicare number, and taking other actions in an attempt to mitigate his damages. (Id.). Plaintiffs Guy Schenck and Richard Rose claim that the date breach caused them injury because credit monitoring companies notified them that their private information had been posted on the dark web. (Id. at 39, 49).
"The dark web is an area of the internet accessible only by using an encryption tool. It provides anonymity and privacy online, and perhaps consequently, frequently attracts those with criminal intentions." United States v. Schultz, 88 F.4th 1141, 1143 (5th Cir. 2023) (citing Gareth Owen & Nick Savage, The Tor Dark Net, Global Commission on Internet Governance, Paper Series No. 20, 1 (2015)).
The Court finds that Williams, Schenck, and Rose have alleged a concrete injury sufficient to establish Article III standing to seek monetary damages. See Green-Cooper, 73 F.4th at 889 (holding that allegations that personal information was exposed for theft and sale on the dark web is sufficient to establish an injury in fact). However, Fendley's allegation of an increase in spam phone calls is insufficient to establish an injury in fact. See McCombs v. Delta Grp. Elecs., Inc., 676 F. Supp. 3d 1064, 1074 (D.N.M. 2023) ("Spam calls . . . have become very common in this digitized world, and a number of courts have declined to confer standing when considering an increase in spam communications."); I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034, 1052 (N.D. Cal. 2022) (allegations of "various forms of spam . . . fall short of actual identity theft," particularly where there are no allegations that these attempts were successful); Cooper v. Bonobos, Inc., No. 21-CV-854 (JMF), 2022 WL 170622, at *5 (S.D.N.Y. Jan. 19, 2022) (noting that "[c]ourts have generally rejected the theory that unsolicited calls or emails constitute an injury in fact").
Slusser, Crosby, Cochran, and Harris also have not alleged an injury-in-fact because they have not alleged misuse or actual access of their private information. See Perez v. McCreary, Veselka, Bragg & Allen, P.C., 45 F.4th 816, 824 (5th Cir. 2022) ("[I]f a risk hasn't materialized, the plaintiff hasn't yet been injured."); Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 621-22 (4th Cir. 2018) (noting that "a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft"). The Court further finds that these plaintiffs' claimed mitigation expenses, anxiety, sleeplessness, and other forms of emotional distress are insufficient to establish standing in the absence of allegations of misuse or actual theft of the data. See Tsao, 986 F.3d at 1345 (explaining that a plaintiff "cannot conjure standing . . . by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft"); Baron v. Syniverse Corp., No. 8:21-CV-2349-SCB-SPF, 2022 WL 6162696, at *7 (M.D. Fla. Oct. 7, 2022) ("Absent a showing that the [data breach] is an intangible harm sufficiently concrete to confer standing, Plaintiffs' allegation of emotional harm resulting from the same also fails to confer standing.").
This plaintiff's last name is sometimes spelled "Sulsser" in the Complaint.
Finally, the named plaintiffs' claims of injury-in-fact based on lack of benefit-of-the-bargain and diminished value of private information are not well-taken. See C.C. v. Med-Data Inc., No. 21-2301-DDC-GEB, 2022 WL 970862, at **6-11 (D. Kan. Mar. 31, 2022); Legg v. Leaders Life Ins. Co., 574 F. Supp. 3d 985, 993 (W.D. Okla. 2021). There is no allegation that any of the plaintiffs paid a certain amount of money to Bienville in exchange for protection of their private information or that they intend to sell their private information.
2. WHETHER PLAINTIFFS' ALLEGED INJURIES ARE FAIRLY TRACEABLE TO THE DATA BREACH
Article III standing analysis does not end with a finding that a plaintiff has suffered an injury in fact. Plaintiffs must also plead sufficient facts to establish that the misuse of their private information was fairly traceable to the Bienville data breach. See Whitmore v. Arkansas, 495 U.S. 149, 155, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990). Since the Court has previously found that only Williams, Schenck, and Rose have asserted an injury-in-fact for Article III purposes, it is only necessary to determine whether these plaintiffs' alleged injuries are fairly traceable to the data breach.
The Fifth Circuit has explained:
Tracing an injury is not the same as seeking its proximate cause. Where, as here, a causal relation between injury and challenged action depends upon the decision of an independent third party[,] standing is not precluded, but it is ordinarily substantially more difficult to establish. To meet [their] burden, Plaintiffs must show at the least that third parties will likely react in predictable ways.Book People, Inc. v. Wong, 91 F.4th 318, 332 (5th Cir. 2024) (cleaned up); Clapper, 568 U.S. 398, 414, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (refusing "to abandon [the Court's] usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors."). A plaintiff cannot establish that an injury is "fairly traceable" by proposing a "speculative chain of possibilities." Clapper, 568 U.S. at 414, 133 S.Ct. 1138.
Bienville argues that the plaintiffs have not satisfied the causation requirement of standing because "[t]he Complaint and relevant jurisprudence establish that data breaches are an every-day occurrence, and thus the private information of virtually every American has been at least exposed to misappropriation or misuse by cyber-criminals." (Def.'s Mem. at 11-12, ECF No. 29). Bienville also alleges that the plaintiffs' "failure to provide any allegation that specific information placed at risk in this particular data breach has been taken or misused is fatal to their Article III standing." (Def.'s Mem. at 21, ECF No. 29). It claims that Williams should have alleged facts linking the unauthorized charges on his credit union account to the private information exposed in the Bienville data breach, and that Schenck and Rose should have provided the date(s) on which their information was posted and/or stated that the information posted was involved in the Bienville data breach. Plaintiffs counter that Bienville's argument is "procedurally premature" because Bienville is attempting "to insert an evidentiary standard at the pleading stage." (Pls.' Resp. at 22, ECF No. 32).
Therefore, the parties' arguments turn on the allegations necessary to withstand a Rule 12(b)(1) standing challenge. Generally, plaintiffs have the burden of stating "a plausible set of facts establishing jurisdiction." Physician Hosps. of Am. v. Sebelius, 691 F.3d 649, 652 (5th Cir. 2012). This plausibility standard is derived from the standards used for resolving Rule 12(b)(6) motions. See Silha v. ACT, Inc., 807 F.3d 169, 174 (7th Cir. 2015); Lane v. Halliburton, 529 F.3d 548, 557 (5th Cir. 2008); White v. Texas, No. 4:23-CV-0925-P, 2023 WL 6578481, at *1 (N.D. Tex. Oct. 10, 2023). "[D]etailed factual allegations" are not required, but an "unadorned, the-defendant-unlawfully-harmed-me accusation" is insufficient. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). "The plaintiffs factual allegations must support a claim to relief that is plausible on its face and rises above mere speculation." United States ex rel. Steury v. Cardinal Health, Inc., 625 F.3d 262, 266 (5th Cir. 2010). However, a motion to dismiss under Rule 12(b)(1) "should be granted only if it appears certain that the plaintiff cannot prove any set of facts in support of his claim that would entitle him to relief." Williams v. Certain Underwriters at Lloyd's of London, 398 F. App'x 44, 46 (5th Cir. 2010) (quoting Home Builders Ass'n of Miss., Inc. v. City of Madison, 143 F.3d 1006, 1010 (5th Cir. 1998)).
In a data breach case, the District of Minnesota has held that the following allegations were sufficient to satisfy the causation requirement of standing: (1) the defendant failed to secure his private information; (2) its network was subsequently hacked; (3) the plaintiff's private information was stolen by hackers, and (4) the plaintiff became the victim of a bank scam after the data breach. Perry v. Bay & Bay Transp. Servs., Inc., 650 F. Supp. 3d 743, 753 (D. Minn. 2023). This finding was not altered by the defendant's argument that the plaintiff's bank account information was not stolen in the breach because the plaintiff's burden is "relatively modest" at the pleading stage of the litigation. Id.
In addition, the United States District Court for the Eastern District of Louisiana has explained:
Plaintiff has alleged that he does not recall receiving any other notices of data breach, and that his PII was compromised because defendant failed to implement minimum safeguards in contravention of its legal obligation to do so. At this stage, nothing further is required to establish traceability for constitutional purposes.Merrell, 2023 WL 6316257, at *4 (citing Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6, 134 S.Ct. 1377, 188 L.Ed.2d 392 (2014) ("Proximate causation is not a requirement of Article III standing, which requires only that the plaintiff's injury be fairly traceable to the defendant's conduct.")). Other courts have similarly found a defendant's argument that the plaintiff's data may have been stolen in a separate data breach to be "less about standing and more about the merits of causation and damages." In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018); see also Merrell v. 1st Lake Props., Inc., No. CV 23-1450, 2023 WL 6316257, at *4 (E.D. La. Sept. 28, 2023) (rejecting the assertion that a data breach plaintiff's injury is not traceable to the defendant's negligence "because [the] plaintiff's information may have been compromised in another data breach"). These courts reason that the possibility of another breach "does nothing to negate the plaintiffs' standing to sue for the breach in question." Zappos, 888 F.3d at 1029 (quoting Remijas, 794 F.3d at 696).
The United States District Court for the District of Kansas came to the opposite conclusion in a case where "[t]he only link between the data breach and the claimed misuse [was] that the misuse came after the data breach." Masterson v. IMA Fin. Grp., Inc., No. 2:23cv2223-HLT-ADM, 2023 WL 8647157, at *4 (D. Kan. Dec. 14, 2023); see also Blood v. Labette Cnty. Med. Ctr., No. 5:22cv4036, 2022 WL 11745549, at *5 (D. Kan. 2022) ("noting that the plaintiffs, who did not know what personal information, if any, was stolen, [did] not plead any facts suggesting how the mere possession of their Social Security numbers and names would enable someone to make unauthorized charges on an existing account (instead of, for example, opening a new account)"); but see Hutton, 892 F.3d at 623 (holding plaintiffs satisfied the causation requirement of standing with allegations that the defendant organization was the only common source that collected and continued to store the personal information at issue during the relevant time periods).
Plaintiffs allege that cybercriminals had access to their private information in Bienville's network between at least February 3, 2023, and March 5, 2023. (Compl. at 99, ECF No. 27). Williams, Schenck, and Rose assert that they are "very careful about sharing [their] sensitive information." (Id. at 34, 39, 49). Williams and Schenck further state that, "to their knowledge," their private information "has never been exposed in any other data breach." (Id. at 34, 39). "Upon information and belief, Plaintiff Williams attributes [the fraudulent] charges and fraudulent accounts [at his credit union] to the [Bienville] Data Breach." (Id. at 34). The fraudulent charges were made on his credit union account in late February 2023, and additional accounts were opened "shortly thereafter." (Id.) The Court recognizes that " 'information and belief pleadings are generally deemed permissible under the Federal Rules, especially in cases in which the information is more accessible to the defendant." Johnson v. Johnson, 385 F.3d 503, 531 (5th Cir. 2004) (citing 5 Charles Alan Wright & Arthur R. Miller, Federal Practice and Procedure § 1224 (2d ed. 1990)). But here, there is no indication that the circumstances concerning the fraudulent charges and accounts at Williams' credit union are in Bienville's possession; the details are more likely to be in Williams' possession, or at least more accessible to Williams.
As for the other named plaintiffs, Experian notified Schenck "[s]ince the Data Breach" that his private information was posted on the dark web, and (2) Rose was notified by his credit monitoring service that his private information was posted on the dark web in October 2023. (Id. at 39, 49). The Complaint provides no information linking the dark web posts with the Bienville data breach. For example, "Was the PII on the dark web before the breach[,] and were [Plaintiffs] only notified later? And what PII was 'found'? Does it match the PII stolen in the data breach? And is Defendant's database the only place this information was available?" See Blood, 2022 WL 11745549, at *8.
In today's society, an individual's PII and PHI can be stolen in myriad ways, often without the individual's knowledge. Data breaches and other forms of data theft are so prevalent that it is seemingly impossible to trace the misuse of personal information to one particular breach. The mere fact that Williams, Schenck, and Rose experienced misuse of their PII or learned that some of their PII had been stolen after the data breach is insufficient to show that the misuse of their PII is fairly traceable to the Bienville data breach. See Masterson, 2023 WL 8647157, at *4 (the timing of the misuse of PII is insufficient to satisfy the fairly traceable standard).
B. PLAINTIFFS' REQUESTS FOR DECLARATORY AND INJUNCTIVE RELIEF
The Court must separately address whether Plaintiffs have standing to seek declaratory and injunctive relief. See Town of Chester v. Laroe Ests. Inc., 581 U.S. 433, 439, 137 S.Ct. 1645, 198 L.Ed.2d 64 (2017) ("[S]tanding is not dispensed in gross, a plaintiff must demonstrate standing for each claim she seeks to press and for each form of relief that is sought."); see also TransUnion, 594 U.S. at 437, 141 S.Ct. 2190 ("[A] plaintiff's standing to seek injunctive relief does not necessarily mean that the plaintiff has standing to seek retrospective damages."). Plaintiffs' Complaint states, "On information and belief, Plaintiffs allege that Defendant's actions were—and still are—inadequate and unreasonable." (Compl. at 67, ECF No. 27). Plaintiffs claim they therefore "continue to suffer injury from the ongoing threat of fraud and identity theft." (Id. at 68). Plaintiffs ask the Court to enter judgment declaring that:
The Declaratory Judgment Act permits the judiciary to "declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought." 28 U.S.C. § 2201(a).
a. Defendant owed—and continues to owe—a legal duty to use reasonable data security to secure the data entrusted to it;(Id. at 67-68).
b. Defendant has a duty to notify impacted individuals of the Data Breach under the common law and Section 5 of the FTC Act;
c. Defendant breached, and continues to breach, its duties by failing to use reasonable measures to the data entrusted to it; and
d. Defendant's breaches of its duties caused—and continues to cause—injuries to Plaintiffs and Class Members.
Plaintiffs also seek "injunctive relief requiring Defendant to use adequate security consistent with industry standards to protect the data entrusted to it." (Id. at 68). They claim they will suffer irreparable injury and lack an adequate legal remedy if Bienville experiences a second data breach "because many of the resulting injuries are not readily quantified in full and they will be forced to bring multiple lawsuits to rectify the same conduct," and "[a]n injunction would benefit the public by preventing another data breach—thus preventing further injuries to Plaintiffs, Class Members, and the public at large." (Id.).
The Fifth Circuit has explained:
Requests for injunctive and declaratory relief implicate the intersection of the redressability and injury-in-fact requirements . . . . Because injunctive and declaratory relief cannot conceivably remedy any past wrong, plaintiffs seeking injunctive and declaratory relief can satisfy
the redressability requirement only by demonstrating a continuing injury or threatened future injury. That continuing or threatened future injury, like all injuries supporting Article III standing, must be an injury in fact.Stringer v. Whitley, 942 F.3d 715, 720-21 (5th Cir. 2019) (internal quotation marks omitted). In particular, a plaintiff seeking injunctive relief must "show that it is likely, not merely speculative, that a favorable decision will redress the injury-in-fact" and "demonstrate either continuing harm or a real and immediate threat of repeated injury in the future." Gonzalez v. Blue Cross Blue Shield Ass'n, 62 F.4th 891, 901-02 (5th Cir. 2023). Therefore, the pertinent inquiry is whether the future risk of harm is "sufficiently imminent and substantial." TransUnion, 594 U.S. at 435, 141 S.Ct. 2190 (citing Clapper, 568 U. S. at 414, n.5, 133 S.Ct. 1138).
In the present case, Plaintiffs do not have standing to seek declaratory or injunctive relief because they have failed to allege facts "tending to show that a second data breach is currently impending or there is a substantial risk that one will occur." See Hummel v. Teijin Auto. Techs., Inc., No. 2023 WL 6149059, at *14 (E.D. Mich. Sept. 20, 2023); see also Beck v. McDonald, 848 F.3d 262, 277-78 (4th Cir. 2017) ("[T]he most that can be reasonably inferred from the Plaintiffs' allegations regarding the likelihood of another data breach . . . is that the Plaintiffs could be victimized by a future data breach. That alone is not enough."); Brooks v. Peoples Bank, No. 2:23-CV-3043, 732 F.Supp.3d 765, 776 (S.D. Ohio May 6, 2024) ("Plaintiffs have not pleaded facts from which the Court could find that the risk of a second data breach is substantial and imminent.").
IT IS THEREFORE ORDERED AND ADJUDGED that the [28] Motion to Dismiss filed by Defendant Bienville Orthopaedic Specialists, LLC, is GRANTED. This lawsuit is hereby DISMISSED WITHOUT PREJUDICE for lack of jurisdiction.
IT IS FURTHER ORDERED AND ADJUDGED that the Clerk of Court shall file this Memorandum Opinion and Order in each of the following member cases: 1:23cv234-LG-MTP, 1:23cv237-LG-MTP, 1:23cv238-LG-MTP, 1:23cv243-LG-MTP, 1:23cv248-LG-MTP, and 1:23cv253-LG-MTP.
SO ORDERED AND ADJUDGED this the 18th day of June, 2024.