UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION
GREGORY POLKOWSKI, on behalf of himself and all others similarly situated,
Plaintiff, Case No. 2:25-cv-10516
v. Hon. Brandy R. McMillion United States District Judge JACK DOHENY COMPANIES, INC.,
Defendant. __________________________________/
OPINION AND ORDER GRANTING DEFENDANT’S MOTION TO DISMISS (ECF NO. 11)
Plaintiff Gregory Polkowski (“Plaintiff”) filed the instant class action suit, on behalf of himself and all other similarly situated persons, against Defendant Jack Doheny Companies, Inc. (“Defendant” or “JDC”) for violations of his privacy rights stemming from his personally identifiable information (“PII”) being compromised in a data breach Defendant experienced in March 2024 (hereinafter, “the Data Breach”). ECF No. 11, PageID.73. The heart of Plaintiff’s allegations is that the Data Breach was a result of Defendant’s failure to adequately protect Plaintiff’s PII. See ECF No. 1, PageID.1-2. Because of JDC’s failure, Plaintiff’s PII was exfiltrated and published on the dark web. Id. at PageID.11. Since having his PII compromised in the Data Breach, Plaintiff has suffered numerous injuries, including, inter alia, diminution in the value of his PII, ongoing threat of imminent and impending injury, and the cost of identity protection and credit monitoring services to mitigate these
future harms. Id. at PageID.12. JDC filed a Motion to Dismiss Plaintiff’s Class Action Complaint on the grounds that Plaintiff lacks Article III standing and fails to state a claim. See ECF
No.11. The Motion is fully briefed, and the Court held a Motion Hearing on October 3, 2025. See ECF Nos. 12, 13, 15. For the reasons below, the Court GRANTS Defendant JDC’s Motion to Dismiss. ECF No. 11. I.
JDC is a Michigan corporation that “provide[s] . . . utility, construction, pipeline, oil and gas services, and equipment to municipalities and customers throughout the United States and Canada.” ECF No. 1, PageID.2. Operation of the
Defendant’s business requires the Defendant to collect and store its current and former employees’ PII, including full legal names, dates of birth, social security numbers, tax information, payroll statements, government identification numbers, banking or financial information, and other “personnel-related information.” Id. at
PageID.2, 5-6. The Defendant’s privacy policy assures that JDC “implement[s] security measures designed to maintain the security” of the PII it collects and that such “security measures are implemented both during transmission of Personal Information and once received.” Id. at PageID.5 (citing https://teamjdc.com/policy- statement/).
The February 2024 Cyber Attack On March 28, 2024, JDC discovered “suspicious activity and login attempts on its network.” ECF No. 11, PageID.73. In December 2024, a subsequent
investigation into the scope of the Data Breach revealed that cyber attackers had compromised the network sometime in February 2024, extracting sensitive information from JDC’s systems, which later appeared on the dark web. Id. at PageID.73, 78. JDC informed the Plaintiff and the proposed class of the Data Breach
on January 24, 2025, and offered to provide them with credit monitoring and identity protection-related services for up to 2 years, which the Plaintiff declined. ECF No. 1, PageID.6-7; ECF No. 1-1, PageID.42. The notice letter stated that there was no
evidence that any of the named plaintiff’s nor the proposed class’s data had been misused but advised them “to remain vigilant against incidents of identity theft and fraud, such as by regularly reviewing your account statements with all of your financial institutions” and to monitor their credit reports. ECF No. 1-1, PageID.43.
On behalf of himself and the proposed class, Plaintiff alleges he sustained numerous injuries as a result of his PII being compromised; the specific allegations of the named Plaintiff can be found in the Complaint.1 ECF No. 1, PageID.10-38. Importantly, on October 16, 2024, the Plaintiff was notified by Capital One that his
Social Security number was found on the dark web on September 30, 2024, and he has “experienced a dramatic increase in phishing emails” since the Data Breach. Id. at PageID.11. Plaintiff has yet to independently purchase credit monitoring services
as a result of this breach but anticipates doing so for future mitigation purposes. Id. at PageID.12-13. The Current Action Plaintiff filed the instant suit on February 21, 2025, almost one month after
JDC notified him and the proposed class of the breach. See ECF No. 1. Plaintiff brings six claims against JDC: Negligence (Count I); Negligence Per Se (Count II); Breach of Fiduciary Duty (Count III); Breach of Implied Contract (Count IV);
Invasion of Privacy – Intrusion Upon Seclusion (Count V); Unjust Enrichment (Count VI). See id. JDC filed its Motion to Dismiss on May 2, 2025, arguing that Plaintiff lacks Article III standing and fails to state a claim as to any of his six counts.
1 These alleged injuries include: (a) identity theft and fraud; (b) the compromise, disclosure, theft, and unauthorized use of Plaintiff’s and Class Members’ PII; (c) an increase in phishing emails; (d) time, effort, and monetary costs associated with the detection and prevention of identity theft, and mitigation of his injuries; (e) imminent and impending injury arising from the substantially increased risk of fraud, misuse, or identity theft; (f) emotional distress in the form of fear, anxiety, sleep disruption, and stress related to the theft and compromise of his PII; (g) damages to and diminution in the value of his PII; (h) loss of privacy; and (i) loss of benefit of bargain. ECF No. 1, PageID.10-14. See ECF No. 11. The motion was fully briefed, and the Court heard oral argument on Friday, October 3, 2025. ECF No. 15.2 The Motion is now ripe for decision.
II. JDC moved to dismiss under Federal Rule of Civil Procedure 12(b)(1) or under Rule 12(b)(6) in the alternative. Fed. R. Civ. P. 12(b)(1), (6). A motion under
12(b)(1) challenges a court’s subject-matter jurisdiction over claims presented. Fed. R. Civ. P. 12(b)(1). Such a motion attacks jurisdiction either facially or factually. United States v. Ritchie, 15 F.3d 592, 598 (6th Cir. 1994). Defendant challenges the Court’s subject-matter jurisdiction under a facial attack and a factual attack. See
generally ECF No. 11, PageID.77-85. A facial challenge requires the Court to accept as true the allegations in the pleadings and to construe them in the light most favorable to the nonmoving party. Id. A factual attack is a challenge to the factual
existence of subject matter jurisdiction. Gen. Ret. Sys. of City of Detroit v. Snyder, 822 F. Supp. 2d 686, 693 (E.D. Mich. 2011). There is no presumption of truthfulness
2 In his Complaint, Plaintiff requested that the Court grant him and the proposed class leave to amend “to conform to the evidence produced at trial.” ECF No. 1, PageID.39. That request is not properly before the Court. Under the Federal Rules of Civil Procedure, “[a] request for a court order must be made by motion.” Fed. R. Civ. P. 7(b)(1). Courts in this Circuit have consistently held that a party seeking to amend its pleading must file a separate motion for leave to amend and attach the proposed amended complaint, rather than embed the request within another filing. See, e.g., Sturgill v. Am. Red Cross, 114 F.4th 803, 811 (6th Cir. 2024); New Light Church Outreach & Worship Centers, Inc. v. Impact Network, Inc., No. 2:24-cv-12898, 2025 WL 1938761, at *5 (E.D. Mich. Apr. 1, 2025) (explaining that “a response is not the proper vehicle for seeking to amend a complaint”); Odom v. Corizon, Inc., No. 1:14-cv-606, 2015 WL 1525456, at *1 (W.D. Mich. Apr. 2, 2015) (“A party who wishes to amend his complaint must file a motion and a proposed amended complaint, rather than simply make a request for amendment.”). The same principle applies here. Accordingly, the Court declines to consider Plaintiff’s improper request. as to Plaintiff’s Complaint and “the court is free to weigh the evidence and satisfy itself as to the existence of its power to hear the case.” Id. (quoting Ritchie, 15 F.3d
at 598). The burden remains with the Plaintiff to establish that jurisdiction exists. Shepherd v. Cancer & Hematology Centers of W. Michigan, P.C., No. 1:22-cv-734, 2023 WL 4056342, at *5 (W.D. Mich. Feb. 28, 2023) (citing Rogers v. Stratton
Indus. Inc., 798 F.2d 913, 915 (6th Cir. 1986) (per curiam)). In reviewing a 12(b)(6) motion, the Court “accept[s] all of the complaint’s factual allegations as true and determine[s] whether these facts sufficiently state a plausible claim for relief.” Fouts v. Warren City Council, 97 F.4th 459, 464 (6th
Cir. 2024) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555-56 (2007)). The Court “must ‘construe the complaint in the light most favorable to the plaintiff, accept all well-pleaded factual allegations as true, and examine whether the
complaint contains sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.’” Norris v. Stanley, 73 F.4th 431, 435 (6th Cir. 2023) (citations and internal quotation marks omitted). Facial plausibility requires a plaintiff to “plead[] factual content that allows the court to draw the reasonable
inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). III. JDC moves to dismiss Plaintiff’s Complaint for failure to establish Article III
standing and failure to state a claim as to any of their six counts. See generally ECF No. 11. Standing goes to a court’s subject matter jurisdiction. Myslivecek v. FCA US LLC, No. 5:21-cv-10346, 2022 WL 17904526 (E.D. Mich. Dec. 23, 2022). The
Court is bound to consider the standing question first, as “the Rule 12(b)(6) challenge becomes moot if this court lacks subject matter jurisdiction.” Gen. Ret. Sys., 822 F. Supp. 2d at 693 (quoting Moir v. Greater Cleveland Regional Transit Authority, 895 F.2d 266, 269 (6th Cir. 1990)).
A. PLAINTIFF DOES NOT HAVE ARTICLE III STANDING To establish standing, a plaintiff must satisfy three elements: (1) the plaintiff must have suffered an injury that is “(a) concrete and particularized and (b) actual
or imminent, not conjectural or hypothetical;” (2) there must be a causal connection between the injury and the conduct complained of such that it is “fairly traceable to the challenged action of the defendant”; and (3) it must be likely that a favorable decision will redress the injury. See Carman v. Yellen, 112 F.4th 386, 399 (6th Cir.
2024). Defendant alleges Plaintiff lacks standing because he fails to establish any concrete injury that will “survive scrutiny under Rule 12(b)(1).” ECF No. 11,
PageID.77. Specifically, Defendant argues that Plaintiff lacks an actual injury because he has not adequately alleged misuse of his PII resulting in fraud or loss of value, and that he cannot show actual injuries because he cannot demonstrate that
any misuse of his PII was fairly traceable to the Data Breach or a resulting injury. Id. at PageID.77-81. Defendant further asserts that Plaintiff’s alleged injuries regarding the threat of potential future harm fail where, as here, binding precedent
does not confer standing for non-imminent future harms; and, lastly, that Plaintiff’s injuries fall short under a factual attack because he did not incur his mitigation costs reasonably. Id. at PageID.81-85. JDC’s challenges are both facial and factual attacks on Plaintiff’s standing, and the Court will address both sets of challenges in
turn. 1. JDC’s Facial Attacks on Plaintiff’s Standing Fail “A facial attack on the subject-matter jurisdiction alleged in the complaint
questions merely the sufficiency of the pleading.” Enriquez-Perdomo v. Newman, 54 F.4th 855, 861 (6th Cir. 2022). When considering a facial attack, the Court will “take the allegations in the complaint as true” and assess whether those allegations establish jurisdiction. Id. Here, Defendant claims Plaintiff insufficiently pleaded
actual injury by offering only conclusory allegations of identity theft and loss in value of PII, and by alleging future harms that are not certainly impending. ECF No. 11, PageID.77-78, 81-83. The Court disagrees. i. Plaintiff Has Sufficiently Pleaded Cognizable Injuries Plaintiff alleged the following injuries in his Complaint: (1) appearance of his
Social Security number on the dark web; (2) “a dramatic increase in phishing emails purporting to be about car insurance;” (3) present and ongoing anxiety, sleep disruption, stress, fear, and frustration; (4) loss of privacy; (5) damage to and
diminution of value of his PII; and (6) loss of benefit of bargain. ECF No. 1, PageID.10-12, 15. JDC contests that the Complaint adequately alleges misuse of Plaintiff’s PII resulting in fraud or loss in value. ECF No. 11, PageID.77. JDC argues that the Plaintiff has not pled enough to survive a facial attack as to these
injuries because he does not make a “specific allegation of fact” showing support for such a claim, nor does he adequately allege a fraud or theft-related injury caused by the Data Breach. See id. While Plaintiff has clearly established that his PII was
misused when it was stolen in the Data Breach and when his Social Security number was posted on the Dark Web, Defendant is not wrong to point out that Plaintiff’s allegations fall short of showing that any such misuse of his PII has already resulted in fraud or identity theft. Nonetheless, the Court finds that, for purposes of a facial
challenge to standing, the dark web posting of Plaintiff’s Social Security number, combined with the increase in phishing emails and other alleged harms, is sufficiently concrete and particularized to constitute cognizable injuries. Actual Injuries As this Court previously held in In re Flagstar Dec. 2021 Data Sec. Incident
Litig., “[i]ncreases in the number of scam and phishing calls, texts, and emails are cognizable injuries.” 2024 WL 5659583, at *5 (E.D. Mich. Sept. 30, 2024). Here, as there, Plaintiff “ha[s] sufficiently alleged this injury.” Id.; see also ECF No. 1 PageID.11.
Loss of benefit of the bargain is also a cognizable injury for standing purposes. See In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020), Lochridge v. Quality Temp. Servs., Inc., No. 22-cv-12086, 2023 WL
4303577, at *3 (E.D. Mich. June 30, 2023). Where there was “an explicit or implicit contract for data security based on [defendant’s] privacy statements, that they had placed a significant value in data security, and that had they known the truth about [defendant’s] data security practices they would have paid less[,]” or not at all, courts
have found cognizable injury sufficient to establish standing. Marriott, 440 F. Supp. 3d at 464-66. Plaintiff claims that he and the proposed class provided their PII to Defendant in exchange for employment, with the reasonable understanding that
Defendant would use a portion of the funds from their employment to pay for adequate cybersecurity. ECF No. 1, PageID.29-30. But Plaintiff mischaracterizes the nature of his bargain with Defendant. JDC’s employees do not provide Defendant with their PII in exchange for employment; they perform their employment duties in exchange for employment
(and compensation) pursuant to a valid employment agreement. Defendant does not retain any benefit by collecting and storing Plaintiff’s PII. In fact, any supposed benefit from the collection of Plaintiff’s PII would flow back to the Plaintiff and the
class when JDC uses their PII to deduct the proper amount in taxes from their paychecks or issue their paychecks to the correct bank account. Therefore, Plaintiff has not sufficiently alleged injury as to any loss of benefit of the bargain. Loss of Privacy is also a cognizable injury—where the information was
viewed by an unauthorized person or publicly disclosed, and a concrete or particularized injury arose from the loss. See In re Practicefirst Data Breach Litig., No. 1:21-cv-00790-JLS-MJR, 2022 WL 354544, at *7-8 (W.D.N.Y. Feb. 2, 2022),
report and recommendation adopted, No. 1:21-cv-00790-JLS-MJR, 2022 WL 3045319 (W.D.N.Y. Aug. 1, 2022). Here, Plaintiff has alleged that his PII was published on the dark web, and due to that publication, he suffered concrete harm. See e.g., ECF No. 1, PageID.11 (“Following the Data Breach, on October 16, 2024,
he received a notification from Capital One that his Social Security number had been found on the Dark Wb [sic] on September 30, 2024 . . . . since the Data Breach, Plaintiff has experienced a dramatic increase in phishing emails purporting to be about car insurance.”).3
In In Re Flagstar, this Court held that diminution in value of PII is a cognizable injury if the claimant loses the “ability to avail themselves of the digital economy or parts of the financial sector.” 2024 WL 5659583, at *5. There, certain
plaintiffs were able to allege such a loss by demonstrating that their credit scores were negatively impacted by the data breach. Id. JDC argues that Plaintiff does not allege such losses in their Complaint, and the Court agrees. ECF No. 11, PageID.78. Plaintiff in this case only alleges that his PII lost monetary value due to the mere fact
that it was compromised and published by bad actors. Without more, the Court concludes that this is not a cognizable injury for standing purposes.
3 On October 31, 2025, Plaintiff filed a Motion for Leave to File Notice of Supplemental Authority. ECF No. 17. The Court granted the motion via text-only order and now considers the applicability of the facts and holding in Rodriguez v. CRG Lynwood LLC to the instant case. 2025 WL 2700614 (E.D. Mich., 2025). While the Court agrees that there are factual similarities between this case and Rodriguez, there are several things that also make it distinguishable. First, we hold that the Plaintiff alleged a facially plausible injury for loss of privacy for similar reasoning as applied in Rodriguez. See 2025 WL 2700614, at *10. We likewise reached the same conclusion in Flagstar as well. See In re Flagstar, 2024 WL 5659583, at *5 (holding that the loss of privacy resulting from inclusion upon seclusion is a cognizable injury where a plaintiff suffered a concrete, particularized injury due to the unauthorized or public disclosure of their PII). However, this case is notably distinguishable because the defendants in Rodriguez did not present a factual challenge to the plaintiff’s standing, as JDC did here. Compare Rodriguez, 2025 WL 2700614 at *2 with ECF No.11. As discussed infra, under a factual attack on the merits, JDC’s extrinsic evidence defeats the Plaintiff’s standing at the traceability prong for all present and future injuries allegedly flowing from the Data Breach. And all of Plaintiff’s claims, particularly his Invasion of Privacy claim, fail on the merits under Rule 12(b)(6). As such, Plaintiff’s Notice of Supplemental Authority, while persuasive, does not change the Court’s disposition of this Motion. Future Harm JDC argues that, under Clapper and Buchholz, future harm is not a cognizable
injury sufficient to confer standing if the harm is not “certainly impending.” ECF No. 11, PageID.82; see also Buchholz v. Meyer Njus Tanick, PA, 946 F.3d 855, 865 (6th Cir. 2020); Clapper v. Amnesty Int’l USA, 568 U.S. 398, 410 (2013). JDC
further asserts that this Court previously erred in following Galaria on this issue under similar facts, as it deviates from binding precedent in holding that reasonably incurred costs associated with mitigating the substantial risk of future harm were a cognizable injury. See In re Flagstar, 2024 WL 5659583, at *6 (relying on Galaria
v. Nationwide Mutual Insurance Company, 663 F. App’x 384 (6th Cir. 2016)). JDC contends that the immediacy requirement in Clapper cannot be overcome, and as such, the Plaintiff fails to state a cognizable injury. ECF No. 11, PageID.82. The
Court declines to accept JDC’s argument. While considering Clapper in reaching its decision, the court in Galaria found that “there is no need for speculation [as to the certainty of impending future harm] where Plaintiffs allege that their data has already been stolen and is now in the hands
of ill-intentioned criminals.” Galaria, 663 F. App’x at 388. The Court again finds Galaria instructive as it is analogous to the instant data breach case. The Court, therefore, will again follow that decision here and finds that Plaintiff has sufficiently pled a cognizable injury as to future harm, as he alleges that his data is already on the dark web. ECF No. 1, PageID.11.
2. JDC’s Factual Attacks as to Plaintiff’s Standing Succeed as to All Claimed Injuries JDC has presented evidence to undermine Plaintiff’s ability to establish standing. In so doing, JDC initiates a factual attack on Plaintiff’s standing. A factual attack is a challenge to the factual existence of subject matter jurisdiction. Gen. Ret. Sys., 822 F. Supp. 2d at 693. There is no presumption of truthfulness as to Plaintiff’s
complaint, and “the court is free to weigh the evidence and satisfy itself as to the existence of its power to hear the case.” Id. at 693 (quoting Ritchie, 15 F.3d at 598). And the burden remains with the Plaintiff to establish that jurisdiction exists. Shepherd, 2023 WL 4056342, at *5.
Plaintiff argues that the Court “should engage in a factual inquiry regarding the complaint’s allegations only when the facts necessary to sustain jurisdiction do not implicate the merits of the plaintiff’s claim.” ECF No. 12, PageID.118 (quoting
Gentek Bldg. Prod., Inc. v. Sherwin-Williams Co., 491 F.3d 320, 330-31 (6th Cir. 2007)). Plaintiff contends that because the traceability inquiry implicates the causation element of Plaintiff’s common law claims, the Court should find that
jurisdiction exists and consider the objection a direct attack on the merits of the plaintiff’s claim, or, in the alternative, allow jurisdictional discovery on the matter. ECF No. 12, PageID.118, 120 (quoting Genteck, 491 F.3d at 330-31). The Court also decided this identical issue in In re Flag Star and maintains the position it held there:
[T]he question of subject matter jurisdiction and the merits will “normally be considered intertwined where the same statute provides both the basis of federal court subject matter jurisdiction and the cause of action.” Moore v. Lafayette Life Ins. Co., 458 F.3d 416, 444 (6th Cir. 2006) (emphasis added). This Court has held that the intertwinement rule does not apply when the “factual dispute does not go to an element of a federal statute providing the court with jurisdiction.” Myslivecek v. FCA US LLC, No. 21-10346, 2022 WL 17904526, at *6-7 (E.D. Mich. Dec. 23, 2022) (holding the intertwinement rule did not apply because plaintiffs’ underlying claims were “all state law claims, and the Class Action Fairness Act [was] the basis for the court’s jurisdiction”). The Court finds that the intertwinement rule from Genteck does not apply here because the basis for this court’s jurisdiction is the Class Action Fairness Act, not any of the Plaintiff’s common law claims. ECF No. 52, PageID.545. Thus, the Court will consider Flagstar’s factual attack.
In re Flagstar, 2024 WL 5659583, at *8. Here, the Court finds JDC’s factual attack persuasive and accordingly denies Plaintiff’s request for jurisdictional discovery based on the Court’s belief that any such discovery would be futile. As evidence that Plaintiff lacks standing to pursue his claims, JDC presents: a declaration from Jason Elmore (“the Elmore Declaration”), the Chief Executive Officer of Tuearis Cyber, LLC (“Tuearis”). ECF No. 11-1, PageID.98. JDC enlisted Tuearis’ and Elmore’s services after the Plaintiff filed his Complaint to investigate the allegations he set forth, specifically, the extent to which Polkowski’s alleged injuries are traceable to the Data Breach. Id. at PageID.99. As a preliminary matter, Plaintiff challenges this Court’s ability to rely on the Declaration of Jason Elmore. In reviewing evidence presented on a factual challenge
to standing, the Court “has broad discretion with respect to what evidence to consider in deciding whether subject matter jurisdiction exists, including evidence outside of the pleadings, and has the power to weigh the evidence and determine the effect of
that evidence on the court’s authority to hear the case.” Shepherd, 2023 WL 4056342, at *4 (quoting Ohio Nat. Life Ins. Co. v. United States, 922 F.2d 320 (6th Cir. 1990). As the court in Shepherd held, where the “Plaintiff has given the Court no reason to doubt the authenticity of [declarant’s] declaration, nor has she raised
any argument that the declaration contains false assertions,” the Court may rely on the evidence in the declaration when evaluating whether it has jurisdiction. Shepherd, 2023 WL 4056342, at *5. Here, Plaintiff argues the declaration should
not be given any weight because it is “unreliable, unsubstantiated, and self-serving,” and “provides no foundation or support for its statements.” ECF No. 12, PageID.119-120. Nonetheless, “these allegations do not give the Court reason to doubt the authenticity of the declaration.” In re Flagstar, 2024 WL 5659583, at *8.
Plaintiff claims Elmore “does not purport to be one of the ‘outside cybersecurity experts’ referenced in JDC’s Breach Notice . . . does not claim to have personal knowledge of the Data Breach, and does not claim to have reviewed a
forensic report.” See ECF No. 12, PageID.119. Still, Elmore’s declaration was based on “his review of relevant records relating to the Cyber Incident, publically[sic] available records, and his specialized cybersecurity experience,”
which the Court finds sufficient. See ECF No. 11, PageID.144; ECF No. 11-1, PageID.98-101. Plaintiff also failed to provide further justification at the October 3 hearing on the Motion to persuade the Court otherwise, or to cause the Court to
believe that jurisdictional discovery would not be futile. Therefore, the Court may consider this evidence when determining standing. i. Plaintiff Cannot Survive JDC’s Factual Attack as to the Traceability of Their Alleged Actual and Future Harms Defendant argues, and the Court agrees, that extrinsic evidence shows Plaintiff cannot prove misuse of his PII that is fairly traceable to the Data Breach. ECF No. 11, PageID.78. Defendant also challenges whether Plaintiff alleges facts
showing a resulting injury or that he reasonably incurred mitigation costs, even if Galaria does provide “a viable avenue to demonstrate cognizable injury.” ECF No. 11, PageID.84.
First, JDC offers evidence that the phishing emails purporting to be about car insurance, which Plaintiff complained of, cannot be attributed to the Data Breach because the Plaintiff’s Gmail account “was disclosed in at least five previous and
unrelated data breaches dating back as far as 2018 and as recently as 2024.” ECF No. 11-1, PageID.100-101. Next, JDC provides evidence that Plaintiff cannot show that any alleged mitigation costs were reasonably incurred, as required by Galaria, because he declined the free credit monitoring services; and “[m]oreover, there is no mention in the Complaint that Plaintiff actually incurred out of pocket mitigation
costs, making it distinguishable from the injuries deemed cognizable in Galaria and In re Flagstar.” ECF No.11, PageID.84. The Court agrees on both points and finds Defendant’s traceability argument persuasive with respect to the actual and future
harms alleged by the Plaintiff. In response to JDC’s factual attack, Plaintiff challenges the sufficiency of the evidence JDC presents. See generally ECF No. 12. Plaintiff suggests that Elmore does not provide enough information in the Declaration to establish that he had
sufficient “personal knowledge” to evaluate the Data Breach in relation to Polkowski’s claims, asking the Court to “disregard[] it at the pleadings stage.” ECF No. 12, PageID.118-120.
Here, as in In re Flagstar, Plaintiff has offered no affirmative evidence to support his argument that his injuries are fairly traceable to the data breach. Without more, Plaintiff is asking this Court to rely on the factual allegations in his Complaint alone; but “[i]n a factual attack, the allegations in the complaint are not afforded a
presumption of truthfulness. . . .” Shepherd, 2023 WL 4056342, at *2. Instead, “the court weighs competing evidence to determine whether subject matter jurisdiction exists[,]” and without pointing to any evidence of his own, the Court finds Plaintiff
cannot meet his burden. Id.; see also De Angelis v. Nat’l Ent. Grp., LLC, No. 2:17- cv-00924, 2018 WL 11316612, at *6 (S.D. Ohio July 25, 2018) (“Because the question [is] a factual issue, [plaintiff] cannot meet her burden of proving standing
without pointing to any evidence of her own.”). Given the contents of the Elmore Declaration, the holding in Galaria, and this Court’s holding in In re Flag Star, the Court takes issue with the idea that it should find standing exists due to cognizable
injuries that very narrowly survived a facial attack, where that Defendant has shown that Plaintiff cannot reasonably attribute any such injuries to the Defendant. Polkowski makes these claims after declining the Defendant’s offer to pay for credit monitoring and identity protection services for up to 2 years. At the October
3 hearing, Plaintiff suggested the Court allow jurisdictional discovery to establish that the Defendant’s mitigation services are insufficient. Notably, Defendant offered these services out of an abundance of caution, without any evidence that Polkowski’s
PII had been used to commit fraud or identity theft. Plaintiff makes no allegations that his credit card number was stolen, that his credit was negatively impacted, or that he has otherwise been a victim of fraud or identity theft. Further, Plaintiff has not claimed that he actually incurred any mitigation costs
to date, but rather that he may incur them at some unknown point in the future for some unspecified period of time. ECF No. 1, PageID.12. In both Galaria and Flagstar, all of the Plaintiffs for whom the courts granted standing based on
mitigation costs had actually paid out of pocket for such services, and they further demonstrated that those injuries were fairly traceable to the Defendant. 663 F. App’x at 386-387; 2024 WL 5659583, at *5. Plaintiff has done neither here.
Even if the Court authorized jurisdictional discovery to examine traceability further, it would likely be futile. This is supported by the reasons previously stated, in addition to the fact that Plaintiff fails to state a claim upon which relief can be
granted under Federal Rule of Civil Procedure 12(b)(6). While failure to establish standing is sufficient for dismissal, for completeness, the Court will continue its 12(b)(6) analysis, which further illustrates why Plaintiff’s claims are insufficient for relief as alleged.
B. PLAINTIFF FAILS TO STATE A CLAIM AS TO ALL COMMON LAW CLAIMS The Court finds that Michigan law applies to Plaintiff’s tort and contract claims under Michigan’s choice-of-law rules. Hummel v. Teijin Auto. Techs., Inc., No. 2:23-cv-10341, 2023 WL 6149059, at *3 (E.D. Mich. Sept. 20, 2023) (“[A] federal court . . . must apply the choice-of-law rules of the forum state.”) (finding
Michigan tort and contracts law applied in a comparable data breach case). At the outset, the Court notes that Defendant’s 12(b)(6) motion prevails, in large part, based on a single argument: Plaintiff’s claims for negligence, breach of fiduciary duty,
breach of implied contract, and invasion of privacy fail under Michigan law. See generally ECF Nos. 11, 13. In Michigan, negligence, breach of fiduciary duty, and breach of implied contract all require damages based on a present injury. Doe v. Henry Ford Health
Sys., 865 N.W.2d 915, 921 (2014); Abdelmaguid v. Dimensions Ins. Grp., LLC, -- Mich. App. --, 2024 WL 500679, at *5 (2024). Defendant correctly notes that speculative damages are precluded in breach of implied contract claims. Doe, 865
N.W.2d at 922. The Complaint does not allege a cognizable injury, as for Counts I– IV, in the form of an invasion of privacy under Michigan law. Id. While the Complaint alleges Plaintiff’s PII has been published on segments of the dark web, this is only a cognizable injury for the purposes of Article III standing. Michigan
courts reject such an injury where the plaintiff does not allege a present injury to “credit or identity.” Doe, 865 N.W.2d at 921; see also Nyman v. Thomson Reuters Holdings, Inc., 942 N.W.2d 696, 705 (2019), (declining to hold that “the invasion of
privacy in and of itself damaged the plaintiff and the other patients whose information had been disclosed.”); Rakyta v. Munson Healthcare, 2021 WL 4808339, at *5 (Mich. Ct. App. 2021) (holding that “the unauthorized viewing of confidential information does not by itself reduce the value of the information.”).
It is clear, the fact that PII is posted to the dark web, while unsettling, cannot be remedied under Michigan law because disclosure of stolen information alone is not a present injury if no actual identity theft resulted from the disclosure. For this
reason, Polkowski’s claims are distinguishable from Kingen v. Warner Norcross + Judd LLP, 2023 WL 11965363 (W.D. Mich. 2023), contrary to Plaintiff’s arguments otherwise. See generally ECF No. 12. The Plaintiff ignores that the Court in Kingen
distinguished Doe and Ratyka because, as is true here, those plaintiffs only alleged a risk of future harm. See id. at *5 (“Absent some such indication of present injury to her credit or identity, it is clear that these damages for credit monitoring were
incurred in anticipation of possible future injury.”). Consequently, all five of Plaintiff’s remaining claims fail for this reason. i. Negligence (Count I) To state a negligence claim, Plaintiff must establish that “(1) the defendant
owed the plaintiff a legal duty, (2) the defendant breached the legal duty, (3) the plaintiff suffered damages, and (4) the defendant’s breach was a proximate cause of the plaintiff's damages.” Hummel, 2023 WL 6149059, at *5 (quoting Hill v. Sears,
Roebuck & Co., 492 Mich. 651, 660 (2012)). “Companies have a duty to take reasonable precautions” to protect users’ PII “due to the reasonably foreseeable risk of danger of a data breach incident.” Lochridge, 2023 WL 4303577, at *6 (E.D. Mich. June 30, 2023) (internal quotations omitted). JDC also has this duty to its
employees. Here, Plaintiff alleges that JDC breached its duty by failing to: “exercise reasonable care in handling and securing the personal information and PII of Plaintiff
and the proposed class[,]” and “provide reasonably timely notice of the Data Breach” to Polkowski and the proposed class.” ECF No. 1, PageID.25-26. Despite the information asymmetry regarding what JDC did to secure Plaintiff’s PII, this Court
has found that mere recitation of industry standards and conclusory statements are insufficient to survive a motion to dismiss. In re Flagstar, 2024 WL 5659583, at *11 (citing Plaintiffs’ Amended Complaint, ECF No. 52, PageID.578, 639); see also
Hummel, 2023 WL 6149059, at *6-7 (holding that plaintiffs’ allegation—that defendant could have prevented the breach by securing and encrypting the folders containing plaintiffs’ PII—was sufficient to survive a motion to dismiss). Plaintiff, however, does not allege in his Complaint that Plaintiff’s PII was
not encrypted whatsoever, as was the case in Hummel and In re Flagstar. Instead, Plaintiff offered a conclusory assertion that Defendant failed to “sufficiently encrypt” their PII, without further specifying how or why JDC’s encryption fell short
of industry standards. ECF No. 1, PageID.74. Even full compliance with industry standards does not necessarily guarantee complete security against cyberattacks; so without more, the Court cannot plausibly conclude that Defendant breached its duty to the Plaintiff. Plaintiff also alleges failure to provide reasonably timely notice as
a reason for the breach. Even though the Court acknowledged a duty to provide timely notice in Flagstar, it never held that delayed notice alone supports a negligence claim. Under Michigan law, Polkowski’s “delayed notice” theory cannot survive a Rule 12(b)(6) motion because he has not alleged that the delay itself caused a
present, compensable injury such as successful identity theft or financial loss. Lochridge, 2023 WL 4303577, at *6 (“Michigan law has recognized that ‘damages ‘incurred in anticipation of possible future injury rather than in response to present
injuries,’ are not cognizable under Michigan law” for negligence or breach of contract) (citing Doe v. Henry Ford Health Sys., 865 N.W.2d, at 921 (2014)). The Court finds that Plaintiff fails to allege cognizable injury under Michigan law, and thus, fails to state a claim. So, even if Plaintiff had standing, the Court would have
granted JDC’s Motion to Dismiss as to Count I. ii. Negligence Per Se (Count II) Plaintiff originally brought a claim for Negligence Per Se, but later voluntarily
withdrew that per se claim without prejudice. The court notes that “negligence per se is not an independent cause of action.” Abnet v. Coca-Cola Co., 786 F. Supp. 2d 1341, 1345 (W.D. Mich. 2011). So, because the negligence claim fails, so too would the negligence per se claim.
iii. Breach of Fiduciary Duty (Count III) To establish a claim for breach of fiduciary duty, a plaintiff must prove (1) that JDC owed a fiduciary duty to Plaintiff and the proposed class; (2) that JDC
breached that duty; and (3) that Plaintiff suffered damages caused by JDC’s breach. Brooks Williamson & Assocs., Inc. v. Braun, No. 357170, 2022 WL 1508992 at *5 (Mich. Ct. App. May 12, 2022). A fiduciary relationship arises from the “reposing
of faith, confidence, and trust and the reliance of one on the judgment and advice of another.” Petroleum Enhancer, LLC v. Woodward, 690 F.3d 757, 765 (6th Cir. 2012) (quoting Teadt v. Lutheran Church Mo. Synod, 237 Mich. App. 567, 603
(Mich. App. 1999)). A breach of fiduciary duty arises when a person in a position of influence and confidence abuses that influence or betrays that confidence. Teadt, 237 Mich. App. at 581. Handling an employee’s personal information does not create a fiduciary
relationship. Delphi Automotive PLC v. Absmeier, 167 F.Supp.3d 868, 884 (E.D. Mich. 2016). Courts require a relationship of “faith, confidence, and trust” where one party exercises dominant influence or control over another’s affairs. Highfield
Beach v. Sanderson, 954 N.W.2d 231, 247 (2020). Merely holding or managing information as part of an administrative relationship does not rise to that level. Accordingly, the Plaintiff’s breach of fiduciary duty claim fails. iv. Breach of Implied Contract (Count IV)
The elements to state a claim for an implied contract are the same three elements necessary to state an express contract claim. A plaintiff must allege facts sufficient to show: “(1) there was a contract, (2) the other party breached the
contract, and (3) this breach resulted in damages to the party claiming breach.” Johnson v. Westfield Ins. Co., No. 2:19-cv-11213, 2019 WL 3456808, at *2 (E.D. Mich. July 31, 2019) (citing Miller-Davis Co. v. Ahrens Const., Inc., 495 Mich. 161,
178 (2014)). An implied contract “may arise from [the parties’] conduct, language, or other circumstances evidencing their intent to contract.” Lochridge, 2023 WL 4303577, at *7 (citing Featherston v. Steinhoff, 226 Mich. App. 584 (1997)). An
implied contract must still “satisfy the elements of mutual assent and consideration.” Hummel, 2023 WL 6149059, at *8 (quoting Mallory v. City of Detroit, 181 Mich. App. 121, 127 (1989)). JDC, here, contests Plaintiff’s ability to adequately allege mutual assent and breach. See ECF No. 58, PageID.720-722.
Courts have found that mutual assent is obvious in situations similar to those alleged by Plaintiff here. As the court in Hummel articulated: “It is incredibly difficult to imagine how, in our day and age of data and identity theft, the mandatory
receipt of PII would not imply the recipient’s assent to protect the information sufficiently.” 2023 WL 6149059, at *11 (quoting Castillo v. Seagate Tech., LLC, No. 3:16-cv-01958-RS, 2016 WL 9280242 (N.D. Cal. Sept. 14, 2016)) (internal quotations omitted). And perhaps more intuitively, the court held: “When a person
hands over sensitive information, in addition to receiving a job, good, or service, they presumably expect to receive an implicit assurance that the information will be protected.” Id. at *10 (quoting Castillo, 2016 WL 9280242, at *9). Thus, this Court
finds that the Plaintiff has adequately alleged mutual assent in providing their PII in exchange for employment and an implied assurance that the PII would be sufficiently protected.
However, as to consideration, Plaintiff’s allegations are insufficient. Any purported implied contract would be duplicative of the parties’ express employment relationship and unsupported by independent consideration. Plaintiff’s provision of
PII was merely incidental to their employment and cannot serve as consideration for a separate agreement to safeguard that data. Therefore, any claim for breach of an implied contract fails for lacking adequate consideration. v. Invasion of Privacy – Intrusion Upon Seclusion (Count V)
The three elements establishing Invasion of Privacy by intrusion upon seclusion are: “(1) the existence of a secret and private subject matter; (2) a right possessed by the plaintiff to keep that subject matter private; and (3) the obtaining
of information about that subject matter through some method objectionable to a reasonable man.” Green v. Lansing Automakers Fed. Credit Union, No. 342373, 2019 WL 3812108, at *5 (Mich. Ct. App. Aug. 13, 2019). Michigan courts recognize that the objectionable obtaining of the information must be done by the
defendant whom the plaintiffs are suing. See Meier v. Detroit Diesel Corp., No. 268009, 2006 WL 2089208, at *3 (Mich. Ct. App. July 27, 2006); Szappan v. Meder, No. 1:18-cv-12244, 2020 WL 209746 (E.D. Mich. Jan. 14, 2020). Plaintiff does not allege any facts showing that JDC obtained its PII via an objectionable method. In fact, Plaintiff concedes that he and the proposed class
willingly provided their PII to JDC. ECF No. 1, PageID.10, 30; ECF No. 12, PageID.113. Thus, the Court finds Plaintiff has not stated a claim for Invasion of Privacy.
vi. Unjust Enrichment (Count VI) Plaintiff pleads his unjust enrichment claim in the alternative to his breach of implied contract claim. To state a claim for Unjust Enrichment under Michigan law, a plaintiff must demonstrate “(1) the receipt of a benefit by the defendant from the
plaintiff and (2) an inequity resulting to the plaintiff because of the retention of the benefit by the defendant.” Lochridge, 2023 WL 4303577, at *6. That benefit must come “directly from the plaintiff.” Id. at *7. Mere monetary benefits derived from
the “use of Plaintiffs’ [PII]” are not sufficiently direct from the Plaintiff to satisfy the first prong of an Unjust Enrichment claim. Id. Here, Plaintiff alleges JDC was unjustly enriched when Plaintiff and the proposed class “conferred a monetary benefit on Defendant, by providing Defendant
with their valuable PII,” and Defendant “enriched itself by saving the costs they reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ PII.” ECF No. 1, PageID.36-37. Any benefit JDC received from
maintaining or using Plaintiff’s PII was merely incidental to the parties’ employment relationship; it cannot be said to have been conferred directly by the Plaintiff. Rather, the alleged benefit, cost savings from underinvesting in cybersecurity, is
derivative of Defendant’s internal business decisions, not a transfer of value from Plaintiff himself. The Court finds Plaintiff’s allegations insufficient to satisfy the directness requirement; therefore, Count VI would fail even if Plaintiff had Article
III standing. Therefore, the Court would dismiss all six counts for failure to state a claim under Michigan law, even if the Plaintiff demonstrated standing to bring those claims under Article III—which he has not.
IV. Based on the foregoing, the Court holds that Plaintiff lacks standing to pursue his claims under Federal Rule of Civil Procedure 12(b)(1). Additionally, he fails to
state any claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6). Accordingly, JDC’s Motion to Dismiss (ECF No. 11) is GRANTED and Polkowski’s Complaint (ECF No. 1) is DISMISSED WITH PREJUDICE.
This is a final order that closes the case. IT IS SO ORDERED. Dated: November 4, 2025 s/Brandy R. McMillion Detroit, Michigan BRANDY R. MCMILLION United States District Judge