A federal court in North Carolina dismissed a putative data breach class action against Bojangles because the plaintiffs failed to show that there was an actual or imminent misuse of their personal information as a result of the breach.  Dougherty v. Bojangles’ Restaurants, Inc., 2025 WL 2810673 (W.D.N.C. Sept. 30, 2025).

The named plaintiffs—former Bojangles employees—sought monetary damages and injunctive relief on behalf of a putative class of current and former employees whose personal information was allegedly exposed during a cyberattack on Bojangles’ computer systems.  Notably, the plaintiffs did not allege that their data was actually misused as a result of the cyberattack.  Instead, they claimed injuries from (i) the threat of having their information sold on the dark web, (ii) an alleged increase in spam calls, (iii) a claimed diminution in the value of personal information, (iv) time spent purportedly mitigating the impact of the breach, and (v) emotional distress. 

Applying the Supreme Court’s decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), the court found none of these claimed injuries sufficient to confer Article III standing.  The court held that the plaintiffs had to allege actual or imminent misuse of their personal information as a result of the data breach in order to have standing to sue.  Fear of identity theft was not sufficiently concrete to meet this standard.  And as for the other claimed injuries—such as increased spam calls—the plaintiffs did not sufficiently allege that they occurred as a result of the data breach.  Accordingly, without a concrete injury traceable to the alleged data breach, the court found that the plaintiffs lacked standing to bring their claims and dismissed the case.

The court’s decision joins a growing number of cases holding that, in data breach cases, plaintiffs have to allege an actual or imminent misuse of their personal information in order to have Article III standing to sue.