An Ohio federal district court recently dismissed for lack of subject matter jurisdiction a class action complaint asserting claims arising from a data breach experienced by defendant Associated Materials, LLC.  See Marlin v. Associated Materials, LLC, 2024 WL 2319115 (N.D. Ohio May 22, 2024).

In April 2023, Associated Materials, a manufacturer of vinyl windows and other building products, allegedly experienced a ransomware attack that halted production at several of its facilities.  According to the complaint, the threat actor infiltrated its information network, accessing the names, addresses, phone numbers, dates of birth, Social Security numbers, and health insurance information of thousands of individuals.  Plaintiffs James Marlin and Clarence Oliver, employees of Associated Materials, along with Plaintiff Jaclyn Marlin, connected to the defendant only as the spouse of James Marlin, asserted claims for negligence, breach of implied contract, and breach of the implied covenant of good faith and fair dealing.

The court dismissed the complaint with prejudice because Plaintiffs were unable to show a concrete injury sufficient to confer Article III standing.  At the outset, Plaintiffs failed to plausibly allege that they had experienced identity theft or fraud as a result of the breach.  Although Plaintiff Oliver claimed that he had suffered credit card fraud, he could not show that the incident was causally connected to the breach because there were no allegations that his credit card information had been compromised.  Plaintiffs also claimed that the risk of future identity theft or fraud constituted a concrete injury, but the court found this theory of standing foreclosed by the Supreme Court’s decision in TransUnion LLC v. Ramirez, which held that the “mere risk of future harm, standing alone, cannot qualify as a concrete harm.”  594 U.S. 413, 436 (2021).

The court likewise found Plaintiffs’ remaining claimed injuries insufficient to establish standing.  Plaintiffs sought to establish a concrete injury based on “intangible” privacy harms, which they argued bore a close resemblance to the traditional cause of action for public disclosure of private facts; however, the court rejected this argument, reasoning that Plaintiffs had only alleged unauthorized access by a single threat actor, not disclosure to the public at large.  Further, Plaintiffs’ allegations of time spent to mitigate the effects of the breach were too conclusory to show any injury, as were their generalized allegations of annoyance and anxiety.  Finally, the alleged diminution of value of Plaintiffs’ personal data was also insufficient because Plaintiffs did not allege that they ever sought to sell their data. 

This decision should provide support for defendants seeking to defeat similar lawsuits by arguing that the mere risk of future identity theft or fraud following a data breach, without more, is insufficient to establish Article III standing.