UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS
CIVIL ACTION NO. 24-10027-GAO
NATHAN HARVEY and NICK DEPROSPO, on behalf of themselves and all others similarly situated, Plaintiffs,
v.
NATIONAL AMUSEMENTS, INC. d/b/a/ SHOWCASE CINEMAS, Defendant.
OPINION AND ORDER March 27, 2025
O’TOOLE, D.J. Plaintiffs Nathan Harvey and Nick Deprospo have brought this putative class action against defendant National Amusements, Inc., d/b/a Showcase Cinemas, asserting claims of negligence, breach of implied contract, unjust enrichment, and invasion of privacy1 stemming from a data breach which may have involved the wrongful use of certain of plaintiffs’ personally identifiable information (“PII”). (Am. Compl. (dkt. no. 22).) National Amusements has moved to dismiss the amended complaint for lack of standing and failure to state a claim. (Mot. to Dismiss (dkt. no. 26).) As detailed below, the motion is GRANTED as to both theories. National Amusements is a movie theatre operator and mass media holding company. The plaintiffs are two former National Amusements employees. As a condition of their employment, the plaintiffs provided National Amusements with PII including their names, dates of birth, financial account information, and Social Security numbers.
1 Plaintiffs voluntarily dismissed their additional claim of negligence per se. (Pls.’ Mem. of Law in Opp’n to Mot. to Dismiss at 2 n.1 (dkt. no. 29).) In December 2022, an unauthorized person accessed the National Amusements data network. Files containing confidential information of employees may have been viewed and/or taken. National Amusements became aware of this data breach on December 15, 2022, and commenced an investigation.
Plaintiffs were informed of the data breach by individualized letters approximately a year later. The letter to Harvey stated that “the following types of information related to [him] could be involved: name, Social Security number, date of birth, and employer assigned identification number.” (Am. Compl. Ex. A.) Deprospo’s letter informed him that his “name, Social Security number, employer assigned identification number, and financial account information” could have been involved in the breach. (Id. Ex. B.) As is evident from these two letters, slightly different PII was impacted for different employees. Harvey and Deprospo each allege that they suffered specific adverse consequences from the data breach. Harvey alleges that he was in the process of purchasing a home when he learned of the data breach and “due to the numerous inquiries and credit issues stemming from the Data
Breach, [he] was removed from the homebuying process.” (Id. ⁋ 66.) He further states that a fraudulent LLC named “Harvey Nathan Paul LLC” was established in his name by an unknown person. He has since received three letters addressed to the LLC. Deprospo alleges that shortly after the breach, an unknown person used his credit card to make several hundred dollars of unauthorized charges, which required him to spend time to “rectify[] the situation” and ultimately he canceled the card. (Id. ⁋ 90.) Deprospo also alleges that he experienced an increase in spam telephone calls, causing him to change his phone number, as well as a high volume of password reset requests for his social media accounts. Plaintiffs filed this putative class action on January 3, 2024, under the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d)(2), seeking class certification, declaratory and injunctive relief, restitution, damages, and attorneys’ fees. Plaintiffs filed a subsequent Amended Complaint on March 29, 2024.
National Amusements has moved to dismiss the amended complaint on two bases: under Federal Rule of Civil Procedure 12(b)(1), for lack of Article III standing, and under Rule 12(b)(6), for failure to state a claim as to each of the complaint’s claims. Plaintiffs fail to allege sufficient facts to establish standing. Specifically, they have not asserted facts supporting their claims that their identified injuries are traceable to the National Amusements data breach. Rule 12(b)(1) requires a court to assess whether the court has subject matter jurisdiction over the claimed injuries. Fed. R. Civ. P. 12(b)(1). Dismissing a case for “lack of standing is functionally equivalent to a dismissal for lack of jurisdiction.” Hochendoner v. Genzyme Corp., 823 F.3d 724, 728 (1st Cir. 2016). “[P]laintiffs bear the burden of demonstrating that they have standing.” TransUnion LLC v. Ramirez, 594 U.S. 413, 430–31 (2021). In
determining whether a plaintiff has met this burden, a court “takes all well-pleaded facts in the complaint as true and indulge[s] all reasonable inferences in [plaintiff’s] favor.” Dantzler, Inc. v. Empresas Berrios Inventory & Operations, Inc., 958 F.3d 38, 46–47 (1st Cir. 2020) (internal quotation marks omitted). “[P]laintiffs must demonstrate standing for each . . . form of relief they seek.” TransUnion, 594 U.S. at 431. To establish standing, a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). The traceability requirement “does not require a tort-like showing of proximate causation.” Conservation L. Found., Inc. v. Acad. Express, LLC, 129 F.4th 78, 90 (1st Cir. 2025) (citing Lexmark Int’l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014) (“Proximate causation is not a requirement of Article III standing, which requires only that the plaintiff’s injury be fairly traceable to the defendant’s conduct.”)). For standing in the data breach context, injuries are fairly traceable
if the defendant’s “actions led to the exposure and actual or potential misuse of the plaintiffs’” personal information. See Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 377 (1st Cir. 2023). Both plaintiffs have failed to establish standing for damages and injunctive relief because they have not demonstrated that their injuries are fairly traceable to the specific data breach at issue. The most significant allegations here concern the plaintiffs’ claimed injuries that involve what case law refers to as “actual misuse” of their PII, Webb, 72 F.4th at 373, in this case, the alleged unauthorized credit card charges for Deprospo and the fraudulent LLC for Harvey.2 Deprospo attempts to conform his injury to the injury in Webb, a data breach case where the court found that plaintiff had standing because the plaintiff had a fraudulent tax return filed
using her stolen information. 72 F.4th at 373. In that case, the plaintiff alleged her Social Security number was stolen, a necessary element to file a tax return. Id. at 369–70. While the Court must draw all reasonable inferences in favor of the plaintiff, it is not reasonable to infer that Deprospo’s unauthorized credit card charges occurred because of the National Amusements data breach.
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS
CIVIL ACTION NO. 24-10027-GAO
NATHAN HARVEY and NICK DEPROSPO, on behalf of themselves and all others similarly situated, Plaintiffs,
v.
NATIONAL AMUSEMENTS, INC. d/b/a/ SHOWCASE CINEMAS, Defendant.
OPINION AND ORDER March 27, 2025
O’TOOLE, D.J. Plaintiffs Nathan Harvey and Nick Deprospo have brought this putative class action against defendant National Amusements, Inc., d/b/a Showcase Cinemas, asserting claims of negligence, breach of implied contract, unjust enrichment, and invasion of privacy1 stemming from a data breach which may have involved the wrongful use of certain of plaintiffs’ personally identifiable information (“PII”). (Am. Compl. (dkt. no. 22).) National Amusements has moved to dismiss the amended complaint for lack of standing and failure to state a claim. (Mot. to Dismiss (dkt. no. 26).) As detailed below, the motion is GRANTED as to both theories. National Amusements is a movie theatre operator and mass media holding company. The plaintiffs are two former National Amusements employees. As a condition of their employment, the plaintiffs provided National Amusements with PII including their names, dates of birth, financial account information, and Social Security numbers.
1 Plaintiffs voluntarily dismissed their additional claim of negligence per se. (Pls.’ Mem. of Law in Opp’n to Mot. to Dismiss at 2 n.1 (dkt. no. 29).) In December 2022, an unauthorized person accessed the National Amusements data network. Files containing confidential information of employees may have been viewed and/or taken. National Amusements became aware of this data breach on December 15, 2022, and commenced an investigation.
Plaintiffs were informed of the data breach by individualized letters approximately a year later. The letter to Harvey stated that “the following types of information related to [him] could be involved: name, Social Security number, date of birth, and employer assigned identification number.” (Am. Compl. Ex. A.) Deprospo’s letter informed him that his “name, Social Security number, employer assigned identification number, and financial account information” could have been involved in the breach. (Id. Ex. B.) As is evident from these two letters, slightly different PII was impacted for different employees. Harvey and Deprospo each allege that they suffered specific adverse consequences from the data breach. Harvey alleges that he was in the process of purchasing a home when he learned of the data breach and “due to the numerous inquiries and credit issues stemming from the Data
Breach, [he] was removed from the homebuying process.” (Id. ⁋ 66.) He further states that a fraudulent LLC named “Harvey Nathan Paul LLC” was established in his name by an unknown person. He has since received three letters addressed to the LLC. Deprospo alleges that shortly after the breach, an unknown person used his credit card to make several hundred dollars of unauthorized charges, which required him to spend time to “rectify[] the situation” and ultimately he canceled the card. (Id. ⁋ 90.) Deprospo also alleges that he experienced an increase in spam telephone calls, causing him to change his phone number, as well as a high volume of password reset requests for his social media accounts. Plaintiffs filed this putative class action on January 3, 2024, under the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d)(2), seeking class certification, declaratory and injunctive relief, restitution, damages, and attorneys’ fees. Plaintiffs filed a subsequent Amended Complaint on March 29, 2024.
National Amusements has moved to dismiss the amended complaint on two bases: under Federal Rule of Civil Procedure 12(b)(1), for lack of Article III standing, and under Rule 12(b)(6), for failure to state a claim as to each of the complaint’s claims. Plaintiffs fail to allege sufficient facts to establish standing. Specifically, they have not asserted facts supporting their claims that their identified injuries are traceable to the National Amusements data breach. Rule 12(b)(1) requires a court to assess whether the court has subject matter jurisdiction over the claimed injuries. Fed. R. Civ. P. 12(b)(1). Dismissing a case for “lack of standing is functionally equivalent to a dismissal for lack of jurisdiction.” Hochendoner v. Genzyme Corp., 823 F.3d 724, 728 (1st Cir. 2016). “[P]laintiffs bear the burden of demonstrating that they have standing.” TransUnion LLC v. Ramirez, 594 U.S. 413, 430–31 (2021). In
determining whether a plaintiff has met this burden, a court “takes all well-pleaded facts in the complaint as true and indulge[s] all reasonable inferences in [plaintiff’s] favor.” Dantzler, Inc. v. Empresas Berrios Inventory & Operations, Inc., 958 F.3d 38, 46–47 (1st Cir. 2020) (internal quotation marks omitted). “[P]laintiffs must demonstrate standing for each . . . form of relief they seek.” TransUnion, 594 U.S. at 431. To establish standing, a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). The traceability requirement “does not require a tort-like showing of proximate causation.” Conservation L. Found., Inc. v. Acad. Express, LLC, 129 F.4th 78, 90 (1st Cir. 2025) (citing Lexmark Int’l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014) (“Proximate causation is not a requirement of Article III standing, which requires only that the plaintiff’s injury be fairly traceable to the defendant’s conduct.”)). For standing in the data breach context, injuries are fairly traceable
if the defendant’s “actions led to the exposure and actual or potential misuse of the plaintiffs’” personal information. See Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 377 (1st Cir. 2023). Both plaintiffs have failed to establish standing for damages and injunctive relief because they have not demonstrated that their injuries are fairly traceable to the specific data breach at issue. The most significant allegations here concern the plaintiffs’ claimed injuries that involve what case law refers to as “actual misuse” of their PII, Webb, 72 F.4th at 373, in this case, the alleged unauthorized credit card charges for Deprospo and the fraudulent LLC for Harvey.2 Deprospo attempts to conform his injury to the injury in Webb, a data breach case where the court found that plaintiff had standing because the plaintiff had a fraudulent tax return filed
using her stolen information. 72 F.4th at 373. In that case, the plaintiff alleged her Social Security number was stolen, a necessary element to file a tax return. Id. at 369–70. While the Court must draw all reasonable inferences in favor of the plaintiff, it is not reasonable to infer that Deprospo’s unauthorized credit card charges occurred because of the National Amusements data breach. Deprospo has not alleged that he provided National Amusements with the one piece of information necessary to make unlawful use of a credit card—a credit card number. While the letter informing
2 It is not necessary to address the other injuries that the plaintiffs allege, such as emotional injuries, spam emails, and diminution in the value of their PII, because they are not instances of actual misuse of stolen data. This Court is not aware of any instances in the First Circuit where standing in a data breach case has been established absent some “actual misuse” of the stolen data. See, e.g., Taylor v. UKG, 693 F. Supp. 3d 87, 99 (D. Mass. 2023) (collecting cases). Deprospo of the data breach states that his financial account information may have been impacted, there is no indication that the specific breach alleged would have permitted specifically the misuse of credit card numbers. To the contrary, the Attorney General of Massachusetts Data Breach report, which is incorporated in the amended complaint, specifically notes that credit card numbers were
not impacted in the National Amusements data breach. (Am. Compl. ¶ 42 n.6.) The filing of a fraudulent LLC using Harvey’s name also fails the traceability requirement. Harvey does not allege that he provided National Amusements with his mailing address, which, Harvey concedes, is a necessary piece of information to create an LLC. (Pls.’ Mem. in Opp’n to Mot. to Dismiss at 3.) Harvey has also not shown an “obvious temporal connection” between the data breach and the actual misuse of his data, which can sometimes aid in establishing traceability, see Webb, 72 F.4th at 374; In re LastPass Data Sec. Incident Litig., 742 F. Supp. 3d 109, 122 (D. Mass. 2024), because Harvey alleges he received notice of the fraudulent LLC in January 2024, over two years after the data breach occurred. Both plaintiffs have failed to adequately allege specific facts to support a plausible conclusion of actual misuse of their specific data that is fairly
traceable to the data breach at issue. In the absence of any plausible allegation of actual misuse traceable to the specific data breach at issue in this case from either plaintiff, the plaintiffs lack standing for either damages or injunctive relief. Even if plaintiffs had met their burden with respect to standing, they have failed to allege sufficient facts to plausibly state a claim for relief. To survive a motion to dismiss under Rule 12(b)(6), a complaint only needs to allege facts that, taken as true, “state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007); accord Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A court reviewing a 12(b)(6) motion must accept all factual allegations in the complaint as true and draw all reasonable inferences in the plaintiff’s favor. Langadinos v. Am. Airlines, Inc., 199 F.3d 68, 69 (1st Cir. 2000). Plaintiffs have not sufficiently alleged that the data breach caused the injuries pled. To state a claim for negligence under Massachusetts law, a plaintiff must show “(1) a legal duty owed to
the plaintiff[s] by the defendant; (2) a breach of that duty by the defendant; (3) causation; and (4) actual loss by the plaintiff[s].” Delaney v. Reynolds, 825 N.E.2d 554, 556 (Mass. App. Ct. 2005) (first citing Glidden v. Maglio, 722 N.E.2d 971, 973 (Mass. 2000); and then citing Nelson v. Mass. Port. Auth., 771 N.E.2d 209 (Mass. App. Ct. 2002)). Plaintiffs allege that National Amusements negligently safeguarded their PII. (Am. Compl. ¶ 131.) For the same reasons stated above, plaintiffs have failed plausibly to allege that their actual harms were caused by the National Amusements data breach. See Doull v. Foster, 163 N.E.3d 976, 982 (Mass. 2021) (“It is a bedrock principle of negligence law that a defendant cannot and should not be held liable for a harm unless the defendant caused the harm.”). Similarly, plaintiffs’ claim for breach of an implied contract based on National
Amusements’ failure to safeguard their private information also fails. A contract can be implied “from the conduct and relations of the parties.” Sullivan v. O’Connor, 961 N.E.2d 143, 153 (Mass. App. Ct. 2012) (quoting LiDonni, Inc. v. Hart, 246 N.E.2d 446 (Mass. 1969)). “A contract implied in fact requires the same elements as an express contract and differs only in the method of expressing mutual assent.” Mass. Eye & Ear Infirmary v. QLT Phototherapeutics, Inc., 412 F.3d 215, 230 (1st Cir. 2005) (citation omitted). Plaintiffs “may rely on policy directives, employee handbooks, and corporate manuals as evidence of an implied-in-fact contract.” In re Shields Health Care Grp., Inc. Data Breach Litig., 721 F. Supp. 3d 152, 162 (D. Mass. 2024) (citing Salvas v. Wal-Mart Stores, Inc., 893 N.E.2d 1187, 1211 (Mass. 2008)). Here, plaintiffs fail to allege sufficient facts, such as commitments made in company documents or policies, evidencing a meeting of the minds or mutual intent to support the purported implied contract terms that they provided their PII “as a condition of employment” and that “[i]n return, Defendant agreed it would not disclose the PII it collects to unauthorized persons,” (Am. Compl. ¶¶ 150–51), or that the
parties implicitly agreed to provide “prompt and adequate notice” of unauthorized access of their personal information, (id. ¶ 153).3 See Longenecker-Wells v. Benecard Servs. Inc, 658 F. App’x 659, 662–63 (3d Cir. 2016) (affirming dismissal of similar claim in a data breach case because plaintiff did not offer any company-specific documents or policies that supported finding an implied contract). Plaintiffs’ claim of unjust enrichment, which is pled in the alternative, also fails. In Massachusetts, to state a claim for unjust enrichment, “a plaintiff ‘must show (1) a benefit conferred upon defendant by plaintiff, (2) an appreciation or knowledge by defendant of the benefit, and (3) that acceptance or retention of the benefit under the circumstances would be inequitable without payment for its value.’” In re Shields, 721 F. Supp. 3d at 165 (quoting Infinity
Fluids Corp. v. Gen. Dynamics Land. Sys., Inc., 210 F. Supp. 3d 294, 309 (D. Mass. 2016)). Here, plaintiffs allege that National Amusements unjustly “benefited from the receipt of Plaintiffs’ and the Class’s PII.” (Am. Compl. ¶ 166.) However, the plaintiffs do not allege that National Amusements gained any benefit from storing the PII, nor did it gain an identified benefit by exposing plaintiffs’ PII to misuse by an unknown person. See In re Arthur J. Gallagher Data Breach
3 The privacy policy plaintiffs rely on, (Am. Compl. ¶ 27 n.5), only applies to information collected in certain manners including through: the Showcase websites, a user “register[ing] for information or content Showcase Cinemas makes available,” downloading certain mobile applications, or electronic communications with Showcase Cinemas. Showcase Cinemas, Privacy Policy, https://www.showcasecinemas.com/privacy-policy/ (last visited Mar. 21, 2025). The plaintiffs do not allege that National Amusements collected their information in any of these ways, and so this policy does not apply. Litig., 631 F. Supp. 3d 573, 592 (N.D. Ill. 2022) (dismissing Illinois unjust enrichment claim for similar reasons). Finally, plaintiffs’ invasion of privacy claim must also be dismissed. Invasion of privacy claims may not pass the motion to dismiss stage if the plaintiff does not plead an intentional act
on the part of the defendant. See In re Shields, 721 F. Supp. 3d at 164 (quoting Nelson v. Salem State Coll., 845 N.E.2d 338, 348 (Mass. 2006)). While not binding, it is instructive that courts in this district have dismissed invasion of privacy claims at this stage when the complaint only alleged that unauthorized third parties, rather than the party tasked with storing their information, disseminated a consumer’s private information. See id. Here, plaintiffs do not allege any intentional dissemination or disclosure of private facts by National Amusements. Rather, they only allege that unidentified third parties accessed and misused their PII. Accordingly, National Amusements’ Motion to Dismiss Plaintiffs’ Amended Class Action Complaint (dkt. no. 26) is GRANTED for the reasons stated above. The case is dismissed. It is SO ORDERED.
/s/ George A. O’Toole, Jr. United States District Judge