From the law firm of BakerHostetler:
In data breach litigation, courts generally find plaintiffs have standing such that their complaints may proceed past the pleading stage when it is alleged that sensitive information was impacted and there is an allegation of dark web exposure, misuse or fraud. However, a few courts have recently dismissed proposed data breach class actions despite these factors being alleged.
For example, in Maser v. CommonSpirit Health, a Colorado district court dismissed a proposed data breach class action, finding that the plaintiff failed to allege an injury-in-fact fairly traceable to the data breach despite allegations that she experienced bank fraud and a drop in her credit score. No. 1:23-cv-01073-RM-SBP (D. Colo. Dec. 4, 2024). Because the plaintiff’s bank information was not compromised in the breach and “none of the stolen data fields in and of themselves can enable fraud,” the court held that the alleged harms were not fairly traceable to the breach and, therefore, her other injury allegations were insufficient to support standing. Similarly, an Arizona federal judge recently dismissed a proposed data breach class action, finding the plaintiffs failed to state a claim despite allegations that they suffered various specific damages, such as out-of-pocket losses and attempted or actual identity theft or fraud. Johnson et al. v. Yuma Regional Medical Ctr., No. CV-22-01061-PHX-SMB (D. Ariz. Nov. 15, 2024). The court held that the plaintiffs failed to allege they suffered cognizable injuries as a result of the breach and the defendant’s privacy policy made no promise to absolutely defend against such attacks.
Likewise, the Illinois Supreme Court recently issued its decision in Petta v. Christie Business Holding Co., P.C. affirming the appellate court’s dismissal for lack of standing, even though the plaintiff had alleged that an unauthorized loan application was made in her name using her phone number, city and state sometime after the data breach, because the plaintiff did not allege that any of her private, personally identifiable information (PII), such as her Social Security number, was used in the loan application or that it was impacted in the data breach. 2025 IL 130337 (2025). The court further found that the unsuccessful loan application was not “fairly traceable” to the defendant’s alleged misconduct, given that the information used in the loan application (the plaintiff’s phone number and city) could be found in a publicly available phone directory. Id.
Read more at JDSupra.