In re A-Line Staffing Solutions Data Security Incident Litigation
This text of In re A-Line Staffing Solutions Data Security Incident Litigation (In re A-Line Staffing Solutions Data Security Incident Litigation) is published on Counsel Stack Legal Research, covering District Court, E.D. Michigan primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.
Opinion
UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION
In re A-LINE STAFFING SOLUTIONS DATA SECURITY INCIDENT LITIGATION Case No. 24-cv-11917
Honorable Robert J. White
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS
This consolidated class-action involves claims against Defendant arising from an alleged data breach involving Plaintiffs’ sensitive information. (See ECF No. 26). Before the Court is Defendant’s motion to dismiss Plaintiff’s amended complaint pursuant to Fed. R. Civ. P. 12(b)(1) and (6). (ECF No. 29). The Parties fully briefed the motion and the Court will decide it without oral argument pursuant to Local Rule 7.1(f)(2). Though the Plaintiffs established Article III standing, their claims are nonetheless dismissed for failure to state a claim under Rule 12(b)(6). I. Background Plaintiffs in this case provided various sensitive, personally-identifying
information (PII) to Defendant through the course of their employment.1 (ECF No. 26, PageID.403, 410-11, 456-62). On June 3, 2024, Defendant discovered a cyberattack resulting in the unauthorized access to its data, including employees’ PII. (ECF No. 26, PageID.403-05, 409-10, 414; see also ECF Nos. 26-2, 26-3).
Defendant publicly acknowledged this data breach for the first time on July 19, 2024, and around this time began notifying impacted individuals, including Plaintiffs, of the breach. (ECF No. 26, PageID.405, 414, 457, 459).
According to Plaintiffs, “the ‘Underground Team’ ransomware group” orchestrated the attack, and “a huge amount of data acquired during the Data Breach ha[s] been leaked.” (ECF No. 26, PageID.404). Plaintiffs relatedly allege that “[o]n or around June 17, 2024, links were published on the dark web to ‘Show files’
acquired during the Data Breach or to ‘Download file listing,’ accompanied by descriptions of the types of information acquired[,] including ‘Employees’ data.’” (ECF No. 26, PageID.404).
1 Defendant is a third-party contracting service; according to Plaintiffs, they were previously employed by Defendant and provided their PII “in the regular course of employment and being contracted out for employment.” (ECF No. 26, PageID.410- 11). Attached to the amended complaint are materially identical notice letters Defendant sent to two named Plaintiffs. (ECF No. 26-2, PageID.502; ECF No. 26-
3, PageID.504). The letters informed Plaintiffs of the breach and proposed steps to “help protect your information” “should you deem it appropriate.” To that end, Defendant offered a year of free credit monitoring and identity-fraud protection
through a third-party vendor. The letters also state: “[a] third-party digital forensic investigation determined that an unauthorized third party compromised your personal information, which could include: full name, Social Security number, date of birth, drivers license, and employment related information.” (ECF No. 26-2,
PageID.502; ECF No. 26-3, PageID.504). Alleging that Defendant failed to appropriately safeguard their PII, Plaintiffs assert claims for negligence, negligence per se, breach of implied contract, unjust
enrichment, breach of fiduciary duty, breach of confidence, and declaratory relief. (ECF No. 26, PageID.473-96). Defendant moves to dismiss, arguing that Plaintiffs (1) lack standing to pursue their claims and (2) fail to allege sufficient facts to establish each claim. (ECF No. 29, PageID.526-50).
II. Legal Standards “Article III standing is a question of subject matter jurisdiction properly decided under [Fed. R. Civ. P.] 12(b)(1).” Am. BioCare Inc. v. Howard & Howard Attys. PLLC, 702 Fed. App’x 416, 419 (6th Cir. 2017) (unpublished). “The plaintiff, as the party invoking federal jurisdiction, bears the burden of establishing [standing].” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). When ruling on a
Rule 12(b)(1) motion, “the court must take the material allegations of the [complaint] as true and construed in the light most favorable to the nonmoving party.” United States v. Ritchie, 15 F.3d 592, 598 (6th Cir. 1994).
Further, to survive a Rule 12(b)(6) motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Elec. Merch. Sys. LLC
v. Gaal, 58 F.4th 877, 882 (6th Cir. 2023) (“In analyzing a 12(b)(6) motion, the court must construe the complaint in the light most favorable to the plaintiff and accept all allegations as true.”) (cleaned up).
“A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 556). The plausibility standard “does not impose a probability requirement at the pleading
stage; it simply calls for enough fact to raise a reasonable expectation that discovery will reveal evidence of illegal [conduct].” Twombly, 550 U.S. at 556. “But a pleading must go beyond ‘labels and conclusions’ or a mere ‘formulaic recitation of
the elements of a cause of action.’” Thompson v. Bank of Am., N.A., 773 F.3d 741, 750 (6th Cir. 2014) (quoting Twombly, 550 U.S. at 555). Put another way, the complaint’s allegations “must do more than create speculation or suspicion of a
legally cognizable cause of action; they must show entitlement to relief.” League of United Latin Am. Citizens v. Bredesen, 500 F.3d 523, 527 (6th Cir. 2007) (emphasis in original) (citing Twombly, 550 U.S. at 555-56).
III. Analysis A. Standing The Constitution requires that federal courts decide only “cases” and “controversies.” U.S. CONST. art. III, § 2. Accordingly, courts can decide only
“actual, ongoing” disputes between parties. Kentucky v. United States ex rel. Hagel, 759 F.3d 588, 595 (6th Cir. 2014). One component of ensuring courts do not exceed their jurisdiction is standing. If the plaintiff lacks standing, the case is not justiciable and cannot be heard
in federal court. Warth v. Seldin, 422 U.S. 490, 498 (1975). Standing requires that the plaintiff “must have suffered an [1] injury-in-fact [2] that is fairly traceable to the defendant’s conduct and [3] would likely be redressed by a favorable decision
from a court.” Bouye v. Bruce, 61 F.4th 485, 489 (6th Cir. 2023). Here, Defendant argues that Plaintiffs fail to plead a cognizable injury-in-fact that is fairly traceable to the data breach at issue. (ECF No. 29, PageID.528-37). 1. Injury in Fact “To establish injury in fact, a plaintiff must show that he or she suffered ‘an
invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, 578 U.S. at 339 (quoting Lujan v. Defenders of Wildlife, 504 U. S. 555, 560 (1992)). Plaintiffs allege the following injuries in this case: (1) “the compromise of
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION
In re A-LINE STAFFING SOLUTIONS DATA SECURITY INCIDENT LITIGATION Case No. 24-cv-11917
Honorable Robert J. White
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS
This consolidated class-action involves claims against Defendant arising from an alleged data breach involving Plaintiffs’ sensitive information. (See ECF No. 26). Before the Court is Defendant’s motion to dismiss Plaintiff’s amended complaint pursuant to Fed. R. Civ. P. 12(b)(1) and (6). (ECF No. 29). The Parties fully briefed the motion and the Court will decide it without oral argument pursuant to Local Rule 7.1(f)(2). Though the Plaintiffs established Article III standing, their claims are nonetheless dismissed for failure to state a claim under Rule 12(b)(6). I. Background Plaintiffs in this case provided various sensitive, personally-identifying
information (PII) to Defendant through the course of their employment.1 (ECF No. 26, PageID.403, 410-11, 456-62). On June 3, 2024, Defendant discovered a cyberattack resulting in the unauthorized access to its data, including employees’ PII. (ECF No. 26, PageID.403-05, 409-10, 414; see also ECF Nos. 26-2, 26-3).
Defendant publicly acknowledged this data breach for the first time on July 19, 2024, and around this time began notifying impacted individuals, including Plaintiffs, of the breach. (ECF No. 26, PageID.405, 414, 457, 459).
According to Plaintiffs, “the ‘Underground Team’ ransomware group” orchestrated the attack, and “a huge amount of data acquired during the Data Breach ha[s] been leaked.” (ECF No. 26, PageID.404). Plaintiffs relatedly allege that “[o]n or around June 17, 2024, links were published on the dark web to ‘Show files’
acquired during the Data Breach or to ‘Download file listing,’ accompanied by descriptions of the types of information acquired[,] including ‘Employees’ data.’” (ECF No. 26, PageID.404).
1 Defendant is a third-party contracting service; according to Plaintiffs, they were previously employed by Defendant and provided their PII “in the regular course of employment and being contracted out for employment.” (ECF No. 26, PageID.410- 11). Attached to the amended complaint are materially identical notice letters Defendant sent to two named Plaintiffs. (ECF No. 26-2, PageID.502; ECF No. 26-
3, PageID.504). The letters informed Plaintiffs of the breach and proposed steps to “help protect your information” “should you deem it appropriate.” To that end, Defendant offered a year of free credit monitoring and identity-fraud protection
through a third-party vendor. The letters also state: “[a] third-party digital forensic investigation determined that an unauthorized third party compromised your personal information, which could include: full name, Social Security number, date of birth, drivers license, and employment related information.” (ECF No. 26-2,
PageID.502; ECF No. 26-3, PageID.504). Alleging that Defendant failed to appropriately safeguard their PII, Plaintiffs assert claims for negligence, negligence per se, breach of implied contract, unjust
enrichment, breach of fiduciary duty, breach of confidence, and declaratory relief. (ECF No. 26, PageID.473-96). Defendant moves to dismiss, arguing that Plaintiffs (1) lack standing to pursue their claims and (2) fail to allege sufficient facts to establish each claim. (ECF No. 29, PageID.526-50).
II. Legal Standards “Article III standing is a question of subject matter jurisdiction properly decided under [Fed. R. Civ. P.] 12(b)(1).” Am. BioCare Inc. v. Howard & Howard Attys. PLLC, 702 Fed. App’x 416, 419 (6th Cir. 2017) (unpublished). “The plaintiff, as the party invoking federal jurisdiction, bears the burden of establishing [standing].” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). When ruling on a
Rule 12(b)(1) motion, “the court must take the material allegations of the [complaint] as true and construed in the light most favorable to the nonmoving party.” United States v. Ritchie, 15 F.3d 592, 598 (6th Cir. 1994).
Further, to survive a Rule 12(b)(6) motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Elec. Merch. Sys. LLC
v. Gaal, 58 F.4th 877, 882 (6th Cir. 2023) (“In analyzing a 12(b)(6) motion, the court must construe the complaint in the light most favorable to the plaintiff and accept all allegations as true.”) (cleaned up).
“A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 556). The plausibility standard “does not impose a probability requirement at the pleading
stage; it simply calls for enough fact to raise a reasonable expectation that discovery will reveal evidence of illegal [conduct].” Twombly, 550 U.S. at 556. “But a pleading must go beyond ‘labels and conclusions’ or a mere ‘formulaic recitation of
the elements of a cause of action.’” Thompson v. Bank of Am., N.A., 773 F.3d 741, 750 (6th Cir. 2014) (quoting Twombly, 550 U.S. at 555). Put another way, the complaint’s allegations “must do more than create speculation or suspicion of a
legally cognizable cause of action; they must show entitlement to relief.” League of United Latin Am. Citizens v. Bredesen, 500 F.3d 523, 527 (6th Cir. 2007) (emphasis in original) (citing Twombly, 550 U.S. at 555-56).
III. Analysis A. Standing The Constitution requires that federal courts decide only “cases” and “controversies.” U.S. CONST. art. III, § 2. Accordingly, courts can decide only
“actual, ongoing” disputes between parties. Kentucky v. United States ex rel. Hagel, 759 F.3d 588, 595 (6th Cir. 2014). One component of ensuring courts do not exceed their jurisdiction is standing. If the plaintiff lacks standing, the case is not justiciable and cannot be heard
in federal court. Warth v. Seldin, 422 U.S. 490, 498 (1975). Standing requires that the plaintiff “must have suffered an [1] injury-in-fact [2] that is fairly traceable to the defendant’s conduct and [3] would likely be redressed by a favorable decision
from a court.” Bouye v. Bruce, 61 F.4th 485, 489 (6th Cir. 2023). Here, Defendant argues that Plaintiffs fail to plead a cognizable injury-in-fact that is fairly traceable to the data breach at issue. (ECF No. 29, PageID.528-37). 1. Injury in Fact “To establish injury in fact, a plaintiff must show that he or she suffered ‘an
invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, 578 U.S. at 339 (quoting Lujan v. Defenders of Wildlife, 504 U. S. 555, 560 (1992)). Plaintiffs allege the following injuries in this case: (1) “the compromise of
their PII”; (2) the “loss of value of their PII” that was improperly accessed; (3) “ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach”; (4)
“the anxiety and fear that their PII . . . may be disclosed to the entire world”; and (5) the “substantial risk” of (i.e., the potential future harm from) (a) losses from fraud (like identity theft) and (b) being the target of phishing schemes and similar efforts. (ECF No. 26, PageID.454-56). They also allege that the data breach caused “injury
and ascertainable losses in the form of loss of the benefit of [the parties’] bargain” for Defendant “to safeguard and protect [Plaintiffs’] information.” (ECF No. 26, PageID.403, 407, 478-79). And Plaintiffs claim the “[l]oss of privacy suffered as a
result of the Data Breach.” (ECF No. 26, PageID.436). Plaintiffs relatedly allege that (1) “Plaintiffs and Class Members have spent and will continue to spend significant amounts of uncompensated time to monitor their financial accounts, medical accounts, sensitive information, credit score, and records for misuse”; and (2) “Plaintiffs and Class Members may also incur out-of- pocket costs for implementing protective measures such as purchasing credit
monitoring [services]. . . .” (ECF No. 26, PageID.454-55). In addition to these general allegations, the amended complaint asserts that named Plaintiff Maria Diaz “has suffered actual injury” as a result of the data breach
from (1) the compromise and reduction in value of her PII; (2) “lost time and opportunity costs, annoyance, interference, and inconvenience”; and (3) “anxiety and increased concerns due to the loss of her privacy and the substantial risk of fraud and identity theft.” (ECF No. 26, PageID.458). And Diaz allegedly “suffered
imminent and impending injury” from “the substantially increased risk of fraud, identity theft, and misuse of her PII” because of the breach. (ECF No. 26, PageID.458). Plaintiffs relatedly allege that Diaz, after receiving notice of the
breach, (1) “has been forced to spend time dealing with and responding to the direct consequences of the Data Breach, which include spending time on the telephone calls, researching the Data Breach, verifying the authenticity of the Notice Letter, exploring credit monitoring and identity theft insurance options, and self-monitoring
her accounts”; and (2) “has taken the necessary preventative measures in an effort to mitigate the risk of any potential instances of identity theft of fraud, to review financial statements and identity theft protection reports to preemptively detect and
deter actual instances of identity theft or fraud.” (ECF No. 26, PageID.457). The amended complaint alleges that named Plaintiff Charles Viviani suffered these same “actual” and “imminent” injuries as Diaz, and that Viviani took similar
action after receiving notice of the data breach to investigate the breach and proactively monitor his accounts and information for fraud. (ECF No. 26, PageID.460-62). Plaintiffs also allege that Viviani “has had to close numerous
accounts”—a bank account and PayPal account, specifically—“due to fraud and misuse of his PII.” (ECF No. 26, PageID.459-60). As an initial matter, both Plaintiffs and Defendant cite Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016) (unpublished), as instructive to
resolve this issue. As in the present case, the plaintiffs in Galaria filed class-action claims related to a data breach of the defendant’s computer network that included the plaintiffs’ personal information. Id. at 385. The Court further summarized the
pertinent facts as follows: In support of their claims, Plaintiffs allege that there is an illicit international market for stolen data, which is used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards. Identity thieves may also use a victim’s identity when arrested, resulting in warrants issued in the victim’s name. According to the complaints, the Nationwide data breach created an “imminent, immediate and continuing increased risk” that Plaintiffs and other class members would be subject to this kind of identity fraud. Plaintiffs cite a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%. Plaintiffs allege that victims of identity theft and fraud will “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of- pocket expenses and $1,513 in total economic loss. To mitigate this risk, Plaintiffs “have suffered, and will continue to suffer” costs—both “financial and temporal”—that include “purchasing credit reporting services, purchasing credit monitoring and/or internet monitoring services, frequently obtaining, purchasing and reviewing credit reports, bank statements, and other similar information, instituting and/or removing credit freezes and/or closing or modifying financial accounts.” The complaints seek damages for, among other things, the increased risk of fraud; expenses incurred in mitigating risk, including the cost of credit freezes, insurance, monitoring, and other mitigation products; and time spent on mitigation efforts.
Id. at 386-87 (citations omitted). Addressing the injury-in-fact element of standing, the Sixth Circuit stated that “where plaintiffs seek to establish standing based on an imminent injury, . . . [the] threatened injury must be certainly impending to constitute injury in fact, and allegations of possible future injury are not sufficient.” Id. at 388 (cleaned up; emphasis in original; quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013)). “However, the Supreme Court has also ‘found standing based on a substantial risk that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm,’ even where it is not ‘literally certain the harms they identify will come about.’” Id. (quoting Clapper, 568 U.S. at 414 n. 5). Applying these principles, the Galaria Court concluded that the plaintiffs sufficiently pled a cognizable injury in fact: Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of “possible future injury” or “objectively reasonable likelihood” of injury that the Supreme Court has explained are insufficient. Clapper, 133 S. Ct. at 1147-48. There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.
Thus, although it might not be “literally certain” that Plaintiffs’ data will be misused, id. at 1150 n. 5, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable. Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps. And here, the complaints allege that Plaintiffs and the other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts. Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non- imminent harm.” Id. at 1155. Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.
Id. at 388-89. First and foremost, Galaria’s allegations concerning future harm from fraud and the plaintiffs’ mitigation efforts essentially track the facts of the present case.
Defendant argues, however, that Galaria is distinguishable from the facts here because “Plaintiffs make no allegation that their specific Private Information has been published.” (ECF No. 29, PageID.529). According to Defendant, this case
therefore lacks the critical allegation “that [Plaintiffs’] data has already been stolen and is now in the hands of ill-intentioned criminals.” See Galaria, 663 F. App’x at 388. The Court disagrees. Contrary to Defendant’s argument, Galaria relied on the “theft of [the
plaintiffs] personal data” to establish injury in fact, not on any alleged actual publication or misuse of the information. See id. at 388; see also id. (“it might not be ‘literally certain’ that Plaintiffs’ data will be misused [in the future]”); id. at 389-
90 (distinguishing another case because “Plaintiffs [here] allege . . . the intentional theft of their data”). And accepting the allegations as true and construing all reasonable inferences in Plaintiffs’ favor, they plausibly allege the intentional theft of their PII.
Indeed, the two notice letters attached to the complaint state that “an unauthorized third party compromised your personal information. . . .” (ECF No. 26- 2, PageID.502; ECF No. 26-3, PageID.504) (emphasis added). The amended
complaint otherwise alleges that Plaintiffs provided their PII to Defendant, a ransomware group maliciously accessed Defendant’s data, and “Plaintiffs’ and Class Members’ sensitive and confidential Private Information” was “accessed and
exfiltrated by unauthorized criminal actors.” (ECF No. 26, PageID.408, 412-15; see also PageID.414 (“it is plausible and likely that Plaintiffs’ Private Information was stolen in the Data Breach”)).
Further, though Plaintiffs do not identify any publication of their specific PII, they allege that a large amount of the information stolen during the data breach has already been leaked. See Silveira v. Commer. Specialty Truck Holdings, LLC, No. 25-048, 2025 U.S. Dist. LEXIS 155058 at *7-8 (E.D. Ky. Aug. 12, 2025) (theft of
the plaintiff’s information evidenced in part by “[a] post on the dark web containing confidential documents from [the defendant]’s subsidiary.”); Savidge v. Pharm-Save, Inc., 727 F. Supp. 3d 661, 687 (W.D. Ky. 2024) (“while actual misuse is not
necessary to support a finding of imminence, the very point of this factor is that past misuse makes it more likely that the stolen data will be misused in the future”); see also Webb v. Injured Workers Pharm., LLC, 72 F.4th 365, 376 (“That at least some information stolen in a data breach has already been misused also makes it likely
that other portions of the stolen data will be similarly misused.”). Under these circumstances, it is certainly plausible that Plaintiffs’ specific PII was stolen during the breach, even if their information has not yet been published or otherwise misused.2 And per Galaria, “[t]here is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-
intentioned criminals.” 663 F. App’x at 388. Accordingly, as in Galaria, the Court concludes here that, where Plaintiffs’ PII was stolen by malicious actors, their allegations of a substantial risk of harm from fraud, identity theft, and the like,
together with their reasonably incurred mitigation costs, suffice to establish cognizable injury in fact at this stage.3 This decision is not only consistent with Galaria, but also numerous cases within this circuit applying Galaria to find cognizable Article III injury under similar
facts. See Silveira, 2025 U.S. Dist. LEXIS 155058 at *7-8 (“The facts presented here
2 Going beyond Galaria, Plaintiffs do implicitly allege at least some misuse given that Viviani has had to close numerous financial accounts due to “fraud and misuse of his PII.” (ECF No. 26, PageID.459-60); see also Lochridge v. Quality Temp. Servs. Inc., No. 22 -12086, 2023 U.S. Dist. LEXIS 113794, at *12-13 (E.D. Mich. June 30, 2023) (allegations that the plaintiff “had a financial account fraudulently opened using his personal information and had a loan fraudulently applied for using his information” “further support a finding that [he] has met the injury in fact requirement”). 3 Although Plaintiffs’ characterization of the breach and the data stolen may not bear out in discovery, it is plausible from the known facts and reasonable inferences therefrom. Further, although the Court finds that Plaintiffs adequately allege Article III injury for the purposes of standing, whether Plaintiffs sufficiently allege compensable damages with respect to their various claims is “a different question” that the Court will address under Rule 12(b)(6). See Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021); see also Hicks v. State Farm Fire & Cas. Co., 965 F.3d 452, 463 (6th Cir. 2020) (“As the Supreme Court has reminded, one must not confuse weakness on the merits with absence of Article III standing.”) (cleaned up). The same applies concerning the related but distinct issues of traceability and causation. concerning standing are on all fours with Galaria. Silveira alleges that his PII/PHI has already been stolen by hackers, as evidenced by CSTH’s own admission and
INC Ransom’s post on the dark web containing confidential documents from E-Z Pack, CSTH’s subsidiary.”); In re Numotion Data Incident Litig., No.24-00545, 2025 U.S. Dist. LEXIS 4509, at *13-14 (M.D. Tenn. Jan. 9, 2025) (“As in Galaria,
the plaintiffs in this case allege that the defendant’s computer servers were accessed by ‘notorious’ criminals and that this breach put them and putative class members at substantial risk of identity theft and fraud. They allege that they and putative class members have taken concrete measures to protect themselves from future harm.
Numotion itself recommended that they take many of these steps in the letters notifying them of the Data Incident. The plaintiffs, in other words, have alleged precisely the type of facts that the Sixth Circuit found were sufficient to plead an
Article III injury in fact in Galaria[.]”) (citations omitted); Viviali v. One Point HR Sols., LLC, No. 24-185, 2025 U.S. Dist. LEXIS 75501, *8 (E.D. Ky. Apr. 21, 2025) (“The facts presented here closely resemble those of Galaria. The plaintiffs experienced an illicit breach and exfiltration of their data and now claim to suffer
(among other things) misuse of their information, emotional distress, lost time and out of pocket costs attempting to mitigate the breach, and a diminution in the value of their personal data. The breach involved significant private personal data, and it
was definitively alleged.”); contra Doe v. Mission Essential Grp., LLC, No. 23-3365, 2024 U.S. Dist. LEXIS 148732 (S.D. Oh. Aug. 20, 2024) (holding the plaintiff lacked Article III standing when a breach was unconfirmed).
Next, Defendant argues that Plaintiffs allegations of a future risk of harm (from fraud, identity theft, etc.) are insufficient to establish an injury in fact under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), because “Plaintiffs fail to allege
a separate independent injury from that alleged risk.” (ECF No. 29, PageID.530). However, the theft/compromise of Plaintiffs’ PII, together with their already- incurred mitigation efforts, constitute sufficient independent injury consistent with the requirements of TransUnion. See Haney v. Charter Foods N., LLC, 747 F. Supp.
3d 1093, 1105-1106 (“Due to a data breach, plaintiffs suffer more than just the risk of future harm from use of their data; even before such use, they have experienced concrete harms such as dissemination of their personal information and reasonably
incurred mitigation costs, as outlined in Galaria. Therefore, Galaria is consistent with TransUnion and still good law.”). Relatedly, to the extent Defendant argues that Galaria is no longer or less applicable following TransUnion, the Court disagrees. See id.; Silveira, 2025 U.S.
Dist. LEXIS 155058 at *9 (“because an intentional data breach perpetrated by criminals is distinct from the negligent dissemination of a false credit report by a ‘legitimate credit reporting company,’ the undersigned joins the courts that conclude
the Supreme Court’s decision in TransUnion did not abrogate Galaria.”); Numotion, 2025 U.S. Dist. LEXIS 4509 at *13 (“TransUnion does not invalidate Galaria. Notably, because the facts as alleged here are virtually identical to those in Galaria,
its conclusions are all the more persuasive.”); Lochridge v. Quality Temp. Servs. Inc., No. 22 -12086, 2023 U.S. Dist. LEXIS 113794, at *11 (E.D. Mich. June 30, 2023) (“Defendant argues that, following the Supreme Court’s decision in TransUnion, the
holding of Galaria is no longer valid. The court disagrees.”) (citation omitted)). “In any event, the Sixth Circuit has not yet reconsidered Galaria in light of TransUnion. This Court is bound to follow relevant precedent from the Sixth Circuit unless and until the Sixth Circuit decides to revisit that precedent.” Brickman v. Maximus, Inc.,
No. 21-3822, 2022 U.S. Dist. LEXIS 205627, at *10 (S.D. Ohio May 2, 2022). In sum, following Galaria and its progeny, the plausible theft/compromise of Plaintiffs’ PII, their allegations of a substantial risk of harm from fraud, identity theft,
and the like, and their reasonably incurred mitigation costs suffice to establish cognizable Article III injury in this case. Defendant next argues that Plaintiff could not have suffered an injury in fact based on any loss of the benefit of the bargain because they “have not pled any facts
to support the allegation that they bargained for a particular level of data security.” (ECF No. 29, PageID.530). However, “[t]he Sixth Circuit has recognized that a plaintiff’s loss of the benefit of [a] bargain with the defendant is a cognizable injury
in fact.” Numotion, 2025 U.S. Dist. LEXIS 4509 at *14-15 (citing Springer v. Cleveland Clinic Emp. Health Plan Total Care, 900 F.3d 284, 287 (6th Cir. 2018)). Plaintiffs allege here that an implied contract existed for Defendant to safeguard their
PII, and Defendant’s breach thereof resulted in numerous cognizable Article III injuries, including those already discussed. Accordingly, the Court concludes that Plaintiffs’ alleged loss of the benefit of this implied contract itself also constitutes a
cognizable injury in fact. To the extent Defendant’s argument is essentially challenging whether Plaintiffs sufficiently allege the elements of mutual agreement, consideration, and/or damages necessary to sustain their breach of contract claim, these issues are more appropriately addressed under Rule 12(b)(6). See infra Section
III.B.2; see also supra footnote 3. The Court also rejects Defendant’s argument that Plaintiffs’ alleged emotional distress is implausible and cannot constitute an Article III injury. In the Sixth Circuit,
“a plaintiff can demonstrate actual harm by alleging emotional distress.” Foster v. Health Recovery Servs., 493 F. Supp. 3d 622, 632 (S.D. Oh. 2020) (citing Huff v. Telecheck Servs., 923 F.3d 458, 463 (6th Cir. 2019)). And at the pleading stage, “this allegation is sufficient to state a claim for an actual injury.” Id.; see also Thompson
v. Equifax Info. Services, LLC, 441 F. Supp. 3d 533, 542-43 (E.D. Mich. 2020) (noting that “while Plaintiff’s allegations of emotional distress may have been sufficient to confer standing at the motion to dismiss stage, on a motion for summary
judgment, [she] must set forth by affidavit or other evidence specific facts which for purposes of the summary judgment will be taken as true.”) (emphasis in original; internal quotation marks and citation omitted).
Defendant seemingly argues that Foster is inapplicable here because “Plaintiffs’ generalized assertions of emotional distress are implausible, particularly in the absence of any imminent risk of fraud.” (ECF No. 29, PageID.533). Critically,
however, the Court already concluded that Plaintiffs plausibly allege the theft of their PII and, therefore, imminent injury via the substantial risk of future harm from fraud and the like. See also Doe, 2024 U.S. Dist. LEXIS 148732 at *17 (“Some courts find that emotional distress can be an injury-in-fact sufficient to confer standing . . . when
there are allegations of actual unauthorized access or disclosure of data.”) (citing Foster). And Foster, which also applied Galaria to decide the injury-in-fact issue, involved materially similar facts as those in the present case. See 493 F. Supp. at
628-29, 631-33. Further, the Court concludes that none of Defendant’s cited out-of- circuit, nonbinding cases nullify the applicability of Foster here. Accordingly, the Court follows Foster and concludes that Plaintiffs’ allegations of emotional distress suffice to establish Article III injury at this early stage.
The Court likewise rejects Defendant’s argument that Plaintiffs’ alleged loss of privacy cannot constitute an Article III injury. Citing various out-of-circuit cases, Defendant asserts that Plaintiffs’ allegations fail to establish an injury in fact because
they (1) “fail to demonstrate any concrete or particularized injury associated with the alleged disclosure of their Private Information” and (2) “allege no concrete or particularized injury associated with the alleged disclosure of their PII beyond the
mere assertion of loss of privacy, which is palpably insufficient.” (ECF No. 29, PageID.534-35 (quotation marks and citations omitted). Contrary to Defendant’s argument, however, Plaintiffs sufficiently assert the aforementioned concrete,
particularized injuries under Galaria and its progeny. See also Foster, 493 F. Supp. 3d at 633 (“disclosure of plaintiff’s sensitive medical information to a third party— even where, as here, that third party is a hacker—constitutes an invasion of privacy”); Lochridge, 2023 U.S. Dist. LEXIS 113794 at *4, 6-13 (finding injury in
fact where the plaintiff alleged in part to have suffered a loss of privacy resulting from the data breach); contra In re Manpower of Lansing, Mi, Data Breach Litig., No. 25-956, 2026 U.S. Dist. LEXIS 97053, at *15 (W.D. Mich. Mar. 19, 2026)
(“Loss of privacy could be an injury, but merely having PII viewed by third parties is insufficient.”4). Lastly, Defendant cites Lochridge, 2023 U.S. Dist. LEXIS 113794, for the position that Plaintiffs fail to plead any cognizable injury regarding the diminution
in value of their PII. The Court agrees. The district court in Lochridge specifically
4 Unlike cases where PII was only made accessible to and/or viewed by a third party, Plaintiffs allege here that a third party criminal enterprise actually stole their PII and has already shared some employee information from the data breach on the dark web. stated that “a diminution in value of [the plaintiff’s] private information as a result of the data breach” did not “suffice[] as an independent injury in fact sufficient to
confer standing” because the plaintiff “d[id] not allege any specific facts showing he planned to sell his information, just that it must have decreased in value because of the data breach.” Id. at *13 n. 2. Though Lochridge concedes that this requirement
is not universally applied among different courts and Plaintiffs cite out-of-circuit authority requiring only general allegations describing the value of and market for information at issue, the Court follows Lochridge for the sake of consistency within this district.
Following Lochridge, the Court here similarly concludes that the alleged lost value of Plaintiffs’ PII cannot constitute independent Article III injury absent additional allegations that Plaintiffs attempted to sell their information. Accordingly,
Plaintiffs fail to state that they suffered any cognizable Article III injury from the diminished value of their PII and fail to establish standing on this issue. 2. Traceability Defendant argues that Plaintiffs’ alleged injuries are not fairly traceable to its
conduct because “Plaintiffs have failed to plead that their alleged injuries were caused by the Data Incident.” (ECF No. 29, PageID.535). Addressing traceability, the Sixth Circuit in Galaria stated as follows: Plaintiffs sufficiently allege that their injuries are fairly traceable to Nationwide’s conduct. For example, Plaintiffs allege that Defendants failed “to establish and/or implement appropriate administrative, technical and/or physical safeguards to ensure the security and confidentiality of Plaintiff’s and other Class Members’ [data] to protect against anticipated threats to the security or integrity of such information.” Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation.
663 F. App’x at 390 (citations omitted; alteration in original). Similarly here, Plaintiffs allege that Defendant failed to (1) “secure and safeguard” Plaintiffs’ and putative plaintiffs’ PII, (2) “implement adequate and reasonable cybersecurity procedures and protocols necessary to protect clients’ PII,” (3) “take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” (4) “take standard and reasonably available steps to prevent the Data Breach,” (5) “properly train its staff and employees on proper security measures,” and (6) “properly monitor the computer network and systems that housed the Private Information.” (ECF No. 26, PageID.403, 406, 408). According to Plaintiffs, the data breach “was a direct result” of Defendant’s failures. (ECF No. 26, PageID.406). Again, the facts of this case are virtually identical to those in Galaria. Accordingly, as in Galaria, the Court concludes here that Plaintiffs’ injuries are fairly traceable to Defendant’s purported lax security and failure to adequately protect its employees’ PII. See also Silveira, 2025 U.S. Dist. LEXIS 155058 at *8-9 (“Silveira has satisfied traceability. Like the plaintiffs in Galaria, he alleges his
injuries are fairly traceable to CSTH’s failure to protect his [PII] from cybercriminals.”); Lochridge, 2023 U.S. Dist. LEXIS 113794 at *13-14 (traceability satisfied where “Plaintiff has reasonably argued that his alleged injuries were caused
by Defendant's failure to secure their computer system, leading to the cyberattack”); Numotion, 2025 U.S. Dist. LEXIS 4509 at *15-15 (traceability satisfied under Galaria where “[t]he plaintiffs allege that the defendant’s lax security measures—in particular, the failure to encrypt Private Information—enabled the criminal third
parties to break into the system and access the information”); Haney, 747 F. Supp. 3d at 1107 (traceability satisfied under Galaria where “Plaintiffs allege that Defendants’ ‘failure to properly secure and safeguard’ Plaintiffs’ personal
information led to the information being compromised in the breach”). Plaintiffs, in sum, allege sufficient facts to establish Article III standing.5 The amended complaint is therefore not subject to dismissal for lack of subject matter jurisdiction under Rule 12(b)(1).
5 Defendant does not challenge the redressability element of standing. B. Failure to State a Claim The parties agree that Michigan law governs Plaintiffs’ various claims. The
Court now addresses each claim in turn. 1. Negligence and Negligence Per Se First, regarding negligence per se, it is well-established that Michigan law “does not subscribe to [that] doctrine” as an independent tort. Candelaria v. B.C.
Gen. Contrs., Inc., 236 Mich. App. 67, 82 (1999); see also Abnet v. Coca-Cola Co., 786 F. Supp. 2d 1341, 1345 (W.D. Mich. 2011). The Michigan Supreme Court instead views the “violation of a statute” as establishing “a prima facie case from
which a jury may draw an inference of negligence.” Zeni v. Anderson, 397 Mich. 117, 122 (1976); see also Klanseck v. Anderson Sales & Serv., Inc., 426 Mich. 78, 86 (1986) (“The fact that a person has violated a safety statute may be admitted as evidence bearing on the question of negligence . . . evidence of violation of a penal
statute creates a rebuttable presumption of negligence.”). Accordingly, the Court dismisses Plaintiffs’ Count II asserting standalone claims of negligence per se and addresses only whether Plaintiffs plausibly allege claims of general negligence.
To state a claim for negligence in Michigan, the operative complaint must plausibly allege that “(1) the defendant owed the plaintiff a legal duty, (2) the defendant breached the legal duty, (3) the plaintiff suffered damages [injury], and (4) the defendant’s breach . . . cause[d] . . . the plaintiff’s damages.” Hill v. Sears, Roebuck & Co., 492 Mich. 651, 660 (2012). “[I]n Michigan, the injury complained of in a negligence action must be an actual, present injury.” Doe v. Henry Ford
Health Sys., 308 Mich. App. 592, 600 (2014) (citation omitted). “It is a present injury, not fear of an injury in the future, that gives rise to a cause of action under negligence theory.” Henry v. Dow Chem. Co., 473 Mich. 63, 73 (2005) (emphasis in
original). Further, “[i]n a negligence action, a plaintiff must establish both factual . . . and legal causation.” Ray v. Swager, 501 Mich. 52, 64 (2017). Factual causation “requires showing that ‘but for’ the defendant’s actions, the plaintiff’s injury would not have occurred.” Id. at 63. “If factual causation cannot be established, then
proximate cause, that is, legal causation, is no longer a relevant issue.” Id. at 64. The Court recently dismissed Michigan negligence claims in a similar data breach case to that here. See In re Grede Holdings LLC Data Breach Litig., No. 25-
10831, 2026 U.S. Dist. LEXIS 29721 (E.D. Mich. 2026). Addressing the element of damages, Grede stated: Insofar as Plaintiffs allege to have suffered injuries associated with the “risk” or “imminent threat” of future harm, those damages are not cognizable under Michigan law because they “are wholly derivative of a possible, future injury rather than an actual, present injury.” Henry, 473 Mich. at 78 (emphasis in original); see also Doe, 308 Mich. App. at 601.
Nor can state negligence law remedy the asserted injuries that appear to be “actual” and “present.” For instance, Michigan does not recognize plaintiffs’ current “loss of privacy” or the “publication” of their personal identifying information alone as forms of compensable injury. See Nyman v. Thomson Reuters Holdings, Inc., 329 Mich. App. 539, 553, 942 N.W.2d 696 (2019) (rejecting the theory that “the release of information itself” or the “the invasion of privacy in and of itself damaged the plaintiff and the other patients whose information had been disclosed” in a data breach). The same goes for the other “actual” and “present” harms alleged in the consolidated class action complaint. See Rakyta v. Munson Healthcare, No. 354831, 2021 Mich. App. LEXIS 5905, at *13-14 (Mich. Ct. App. Oct. 14, 2021) (holding that “the unauthorized viewing of confidential information does not by itself reduce the value of the information.”); see id. at *14 (rejecting the argument that “allegations of damages arising from emotional distress or anxiety about a potential future injury were sufficient to save a claim from summary disposition.”).
What is more, the consolidated class action complaint contains no allegations that plaintiffs themselves are victims of identity theft or fraud; that they incurred “financial costs . . . due to actual identity theft”; or that they incurred any “loss of time . . . due to actual identity theft.” (ECF No. 16, PageID.210, ¶ 121; see also PageID.237-38, ¶ 204). Higgins, at most, maintains that “a fraudulent charge was made to [his] bank account” on February 27, 2025 - nearly a month after the alleged data breach. (Id., PageID.177, ¶ 22). And McCorvey claims that he “experienced a sharp uptick in suspicious spam calls and texts using his Private Information compromised in the Data Breach.” (Id., PageID.181, ¶ 37). But neither incident raises a plausible inference that they are victims of “actual identity theft or fraud.” (Id., PageID.210, ¶ 121; see also PageID.237-38, ¶ 204).
So, taken together, none of the averments in the consolidated class action complaint plausibly establish that plaintiffs suffered “actual” and “present” injuries. See Polkowski[ v. Jack. Doheny Co., Inc., No. 25-10516], 2025 U.S. Dist. LEXIS 217278, at *23 [(E.D. Mich. Nov. 4, 2025)] (holding that the “disclosure of stolen information alone is not a present injury if no actual identity theft resulted from the disclosure.”).
Id. at *6-8. Next, Grede concluded that causation was also lacking: Plaintiffs cannot satisfy the factual causation prong. Even if the Court presumed that the fraudulent bank charge and the unsolicited spam communications qualify as “actual” and “present” injuries, the consolidated class action complaint omits any plausible allegations that “but for” the data breach those injuries “would not have occurred.” Ray, 501 Mich. at 63; see also Tumminello v. Father Ryan High Sch., Inc., 678 F. App’x 281, 288 (6th Cir. 2017) (affirming dismissal of a state law negligence claim where the complaint contained insufficient allegations to plausibly establish causation). And the alleged temporal proximity between the data breach, the fraudulent bank charge, and the unsolicited spam communications is insufficient to plausibly establish a causal link. See Lund v. Travelers Indem. Co. of Am., No. 330212, 2016 Mich. App. LEXIS 2427, at *18 (Mich. Ct. App. Dec. 29, 2016) (“Showing only a temporal relationship is generally insufficient to create a fact issue on a necessary causal link between a plaintiff’s accidental injury and subsequent complaints and treatments.”); see also Craig[ v. Oakwood Hosp.], 471 Mich. [67, 93 (2004)] (“It is axiomatic in logic and in science that correlation is not causation.”).
Because the consolidated class action complaint lacks sufficient allegations of “actual” and “present” damages, as well as factual causation, plaintiffs cannot “nudge” their negligence claim “across the line from conceivable to plausible.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S. Ct. 1955, 167 L. Ed. 2d 929 (2007) (cleaned up).
Id. at *8-9. The Court on May 7, 2026, directed the parties to file supplemental briefing “addressing, specific to negligence claims under Michigan law, (1) how, if at all, the facts of this case materially differ from those in the Court’s prior ruling in [Grede]; and (2) whether Grede’s analysis controls in this case or is otherwise distinguishable.” Defendant argues that Plaintiffs’ allegations here are materially identical to, if not more speculative and hypothetical than, those deemed implausible and insufficient to state a negligence claim in Grede, and that dismissal is therefore warranted. (ECF No. 34, PageID.620-23).
According to Plaintiffs, however, Grede is distinguishable because the allegations specific to Plaintiff Viviani’s closed accounts “reveal[] a systematic misuse of information that was absent in Grede.” (ECF No. 35, PageID.627-28).
Plaintiffs argue further that they allege more than the mere temporal proximity deemed insufficient to establish causation in Grede because “Plaintiffs here have exhaustively shown how Defendant was targeted by a ransomware group with the precise intent of acquiring and publishing Plaintiffs’ and Class Members’
information on the dark web to be misused.” (ECF No. 35, PageID.628). The extensive fraud that Plaintiff Viviani has suffered following the data breach confirms the causal nexus between these events; systematic misuse of his personal and financial information, such that he has been forced to close multiple financial accounts—and had to do so multiple times. The allegations materially differ from Grede’s and plausibly establish misuse of stolen financial information rather than isolated or purely speculative future harm.
Id. Plaintiffs also ask the Court to follow numerous other cases within this circuit that advanced negligence claims on allegations similar to, if not weaker than, those here. (ECF No. 35, PageID.629-31). Ultimately, even accepting that Plaintiffs have established present injury compensable under Michigan law via actual fraud or misuse of Plaintiff Viviani’s stolen PII,6 their allegations fail to plausibly establish that such injury was caused by the data breach at issue.
In Grede, the plaintiffs alleged in relevant part that named plaintiff Higgins “suffered actual misuse of his [PII] in the form of identity theft and fraud.” “Specifically, after the Data Breach on February 27, 2025, a fraudulent charge was
made to Plaintiff Higgins’ bank account.” (Docket No. 25-10831, ECF No. 16, PageID.177). The operative complaint also stated: The fraudulent charge to Plaintiff Higgins’ bank account is traceable to the Data Breach because: (i) Plaintiff Higgins is unaware of ever being a victim of any other data breach; (ii) the fraudulent charge to his account occurred after the Data Breach on February 27, 2025; (iii) Plaintiff Higgins’ Social Security number was stolen in the Data Breach, which can be used to commit credit card fraud; and (iv) the ransomware group, Cactus, stole Plaintiff’s Private Information (including his Social Security number) and has disclosed such information on the dark web.
(Id. at PageID.177-78 (footnote omitted)). The Grede plaintiffs relatedly alleged that a second named plaintiff “experienced a sharp uptick in suspicious spam calls and texts using his [PII] compromised in the Data Breach, and believes this to be an attempt to secure additional information from or about him.” (Id. at PageID.181).
6 It is essentially conceded that the remaining injuries Plaintiffs allege in the amended complaint unrelated to any actual fraud or misuse of PII (such as emotional distress or the risk of future identity theft) cannot independently constitute a present injury compensable under Michigan negligence law. Presented with these facts, this Court in Grede concluded that the complaint lacked “any plausible allegations” that the fraudulent bank charge and unsolicited
spam communications would not have occurred but for the data breach at issue, reasoning in particular that temporal proximity “is insufficient to plausibly establish a causal link.” Grede, 2026 U.S. Dist. LEXIS 29721 at *8-9. Presented with
analogous facts here, the Court follows Grede and concludes that Plaintiffs’ allegations supporting factual causation are similarly implausible. Specifically, Plaintiffs here allege that: Plaintiff Viviani has had to close numerous accounts due to fraud and misuse of his PII. For instance, Plaintiff Viviani has twice had to close his PayPal account due to fraudulent transactions. Plaintiff Viviani has likewise had to close his bank account for this same reason.
(ECF No. 26, PageID.459-60). They also allege as follows: Prior to this Data Breach, Plaintiff Viviani had taken steps to protect and safeguard his PII including monitoring his very PII closely, due to certain private information that Plaintiff Viviani protects closely. He has not knowingly transmitted his PII over unsecured or unencrypted internet connections. Plaintiff Viviani stores all documents containing his PII in a safe and secure location. Moreover, he diligently chooses unique usernames and passwords for the online accounts that he has.
(ECF No. 26, PageID.461). Plaintiffs otherwise generally allege that “[a]s a result of the Data Breach, Plaintiffs and Class Members have been exposed to actual fraud and identity theft . . . .” (ECF
No. 26, PageID.409; see also id. at PageID.436, 454-55). As an initial matter, the amended complaint does not specifically assert that the fraud and misuse that forced Viviani to close his accounts resulted from the
particular data breach at issue. Rather, Plaintiffs merely allege that such fraud and misuse occurred at some unspecified point, presumably after the data breach, with the implication that this would not have occurred but for the breach. Accordingly, the complaint, like that in Grede, essentially relies on mere temporal proximity and
correlation, which do not suffice to plausibly establish the element of causation for negligence claims. Moreover, to the extent Viviani allegedly took steps to protect his PII prior to
the data breach, this is analogous to the aforementioned allegations concerning traceability in Grede. Similarly, while Plaintiffs mostly rely on Defendant having been targeted by a ransomware group with the specific, malicious intent of acquiring and misusing Plaintiffs’ and putative plaintiffs’ PII as facts distinguishable from
Grede and beyond the mere temporal proximity at issue in that case, the plaintiffs in Grede made similar yet unavailing allegations. (See, e.g., Docket No. 25-10831, ECF No. 16, PageID.171 (“Cactus ransomware is a double extortion ransomware
which not just demands for a ransom but also leaks the victim’s private data if they refuse to pay the ransom”) (cleaned up); id. at PageID.174 (“The ransomware group, Cactus, targeted and obtained Plaintiffs’ and Class Members’ Private Information
from Defendant’s network because of the data’s value in exploiting and stealing identities.”; “Plaintiffs’ and Class Members’ Private Information was stolen and is available for sale on the dark web”)). Because similar allegations did not raise a
plausible inference of causation in Grede, the same is true here. Lastly, to the extent Plaintiffs urge the Court to follow other cases within this circuit that advanced negligence claims on allegations similar to those here, the Court is not obligated to follow unpublished authority and finds their treatment of
causation unpersuasive. The Court ultimately concludes that Plaintiffs’ allegations in this case are too speculative and conclusory to plausibly establish this element. Accordingly, Plaintiffs’ Count I is dismissed.
2. Breach of Implied Contract Under Michigan law, the breach of an implied contract comprises the same elements as the breach of an express contract. See Borg-Warner Acceptance Corp. v. Dep’t of State, 169 Mich. App. 587, 590 (1988), rev’d on other grounds, 433 Mich.
16 (1989). The non-breaching party must plausibly show (1) the existence of a contract, (2) the other party breached the contract, and (3) the party asserting the breach of contract suffered damages because of the breach. Miller-Davis Co. v.
Ahrens Const., Inc. (On Remand), 296 Mich. App. 56, 71 (2012). An implied contract must satisfy the following elements: (1) the presence of parties competent to contract; (2) a proper subject matter; (3) consideration; (4) mutuality of
agreement; and (5) mutuality of obligation. Calhoun Co. v. Blue Cross & Blue Shield of Mich., 297 Mich. App. 1, 13 (2012). Here, even assuming the existence of a mutuality of agreement between the
parties—i.e., that Plaintiffs provided their PII to Defendant “in exchange for employment and an implied assurance that the PII would be sufficiently protected”—Plaintiffs cannot point to an independent source of consideration for this promise beyond their “express employment relationship.” Polkowski v. Jack.
Doheny Co., Inc., No. 25-10516, 2025 U.S. Dist. LEXIS 217278, at *28 (E.D. Mich. Nov. 4, 2025); see also Belle Isle Grill Corp. v. City of Detroit, 256 Mich. App. 463, 478 (2003) (stating that “a contract will be implied only if there is no express contract
covering the same subject matter.”). Because Plaintiffs’ “provision of PII was merely incidental to their employment,” it “cannot serve as consideration for a separate agreement to safeguard that data.” Polkowski, 2025 U.S. Dist. LEXIS 217278, at *28. For this
reason, Plaintiffs fail to state a plausible claim for relief under an implied contractual theory. Plaintiffs’ Count III is therefore dismissed. 3. Unjust Enrichment A Michigan unjust enrichment claim requires the plaintiff to plausibly
demonstrate “(1) the receipt of a benefit by defendant from plaintiff, and (2) an inequity resulting to plaintiff because of the retention of the benefit by defendant.” Deschane v. Klug, 344 Mich. App. 744, 753 (2022) (quotation omitted). “Not all
enrichment is unjust in nature.” Karaus v. Bank of N.Y. Mellon, 300 Mich. App. 9, 23 (2012). The “key to determining whether enrichment is unjust is determining whether a party unjustly received and retained an independent benefit.” Id.; see also Landstar Express Am., Inc. v. Nexteer Auto. Corp., 319 Mich. App. 192, 205 (2017).
In the employment setting, the benefit received must be independent from the consideration underlying an existing employer-employee relationship. The benefit received cannot be “incidental to the parties’ employment relationship.” Polkowski,
2025 U.S. Dist. LEXIS 217278, at *30; see also Meisner Law Group P.C. v. Weston Downs Condo. Ass’n., 321 Mich. App. 702, 726 (2017) (“For . . . unjust enrichment to apply, there must not be an express contract between the parties covering the same subject matter.”).
Here, the amended complaint does not assert that Plaintiffs provided their PII to Defendant as a benefit independent and apart from the consideration already supporting their employment relationship. Instead, Plaintiffs allege that they were
required to provide their PII as a condition of contracting for employment through Defendant. Thus, any benefit Defendant may have “received from maintaining or using” plaintiffs’ personal identifying information “was merely incidental to the
parties’ employment relationship.” Polkowski, 2025 U.S. Dist. LEXIS 217278, at *30; see also Johnson v. Nice Pak Prods., 736 F. Supp. 3d 639, 652 (S.D. Ind. 2024) (dismissing Indiana law unjust enrichment claim because the plaintiffs failed to
allege in a data breach case that “Defendants benefited from the PII information other than as incidental to benefitting from Plaintiffs’ compensated labor”); McLaughlin v. Taylor Univ., No. 23-00527, 2024 U.S. Dist. LEXIS 172249, at *27 (N.D. Ind. Sep. 23, 2024) (same).
Absent this showing—that the PII plausibly conferred an independent benefit on Defendant—the unjust enrichment claims (Plaintiffs’ Count IV) cannot succeed and must be dismissed.
4. Breach of Fiduciary Duty To successfully plead a breach of fiduciary duty under Michigan law, the plaintiff must plausibly establish (1) the existence of a fiduciary duty, (2) a breach of that duty, and (3) damages caused by the breach of duty. Highfield Beach v.
Sanderson, 331 Mich. App. 636, 666 (2020). “[A] fiduciary relationship arises from the reposing of faith, confidence, and trust and the reliance of one on the judgment and advice of another.” Teadt v. St. John’s Evangelical Church, 237 Mich. App. 567,
580-581 (1999). “A person in a fiduciary relation to another is under a duty to act for the benefit of the other with regard to matters within the scope of the relation.” Id. at 581.
An employer-employee relationship will not typically “give rise to a fiduciary relationship unless the employee is a high-level employee, or a specific agency relationship exists.” Brooks Williamson & Assocs. v. Braun, No. 357170, 2022 Mich.
App. LEXIS 2698, at *16 (Mich. Ct. App. May 12, 2022) (quotation omitted); see also Bradley v. Gleason Works, 175 Mich. App. 459, 463 (1989) (noting a lack of Michigan authority for the principle “that an employer-employee relationship is fiduciary in nature”). “High-level employees include those such as corporate
officers and members of corporate boards of directors.”7 Brooks Williamson, 2022 Mich. App. LEXIS 2698, at *16 (citation omitted). Because Plaintiffs do not claim to have acted as “high-level” employees, or
that they ever maintained a special agency relationship with Defendant, they fail to plausibly establish that Defendant owed them a fiduciary duty under Michigan law. And without this showing, the breach of fiduciary claims (Plaintiffs’ Count V) cannot withstand Rule 12(b)(6) dismissal.
7 Even in this circumstance, the fiduciary obligation usually runs from the high-level employee to the company—not the other way around. See, e.g., Prod. Finishing Corp. v. Shields, 158 Mich. App. 479, 485 (1987) (stating that “[a] corporate officer or director is under a fiduciary obligation not to divert a corporate business opportunity for his own personal gain.”); see also Angstrom Aluminum Castings, LLC v. Reed, No. 358611, 2023 Mich. App. LEXIS 1171, at *6 (Mich. Ct. App. Feb. 16, 2023) (same). 5. Breach of Confidence A breach of confidence claim involves “the unconsented, unprivileged
disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship.” Eickenroth v. Roosen, Varchetti & Olivier, PLLC, No. 20-11647, 2021 U.S. Dist. LEXIS 62114, at *12 (E.D. Mich. Mar. 31, 2021)
(emphasis added). Critically, courts have repeatedly found the disclosure element lacking under circumstances like those here. See Foster, 493 F. Supp. 3d at 636 (allegations “that a third party has exploited Defendant’s security weakness to access the information without Defendant’s authorization” “are not sufficient to state a
claim for breach of confidence because Defendant did not commit an intentional or unintentional act of disclosure”); In re Flagstar December 2021 Data Sec. Incident Litig., No. 22-11385, 2024 U.S. Dist. LEXIS 242644, at *40 (E.D. Mich. Sep. 30,
2024) (“Plaintiffs fail to allege any facts demonstrating that Flagstar did anything to make their PII known to the public. The actors ‘making’ their PII known to the public are the cyber attackers, not Flagstar. . . . Because Plaintiffs fail to allege facts demonstrating that Flagstar disclosed Plaintiffs’ confidential information, the Court
grants Flagstar’s motion to dismiss Count IV.”). Like in these cases, a third party allegedly stole Plaintiffs’ PII due to Defendant’s purportedly insufficient security practices rather than any affirmative disclosure by Defendant. Accordingly, Plaintiffs’ claims for breach of confidence (Count VI) are dismissed.
6. Declaratory Relief Plaintiffs’ Count VII seeks a declaration and/or injunction requiring Defendant to “implement and maintain reasonable security measures.” (ECF No. 26,
PageID.495). Plaintiffs assert that Defendant still possesses their PII and has not remedied the vulnerabilities leading to the data breach at issue, they “remain at imminent risk that additional compromises of their Private Information will occur in the future,” and “[t]he risk of another such breach is real, immediate, and
substantial.” (ECF No. 26, PageID.493-94). However, courts within this district have dismissed virtually identical claims when based on the future risk of a second data breach. See Lochridge, 2023 U.S.
Dist. LEXIS 113794 at *22-23 (“While, as discussed above, Plaintiff may have alleged a sufficient risk of future identity theft as a result of the previous data breach, he has not alleged any facts tending to show that a second data breach is currently impending or there is a substantial risk that one will occur. . . . Defendant argues that
Plaintiff cannot seek injunctive relief designed to prevent a future breach, only relief that would address the breach that already occurred. The court agrees. Viewing the facts in the light most favorable to Plaintiff, he has failed to meet the jurisdictional
requirements to bring a claim for declaratory or injunctive relief.”); Hummel v. Teijin Auto. Techs., Inc., No. 23-10341, 2023 U.S. Dist. LEXIS 167438, at *39 (E.D. Mich. Sep. 20, 2023) (same).
And to the extent Plaintiffs allege that there is a substantial and immediate risk of another data breach, the amended complaint lacks sufficient facts to plausibly support this conclusory position. See Hall v. Centerspace, LP, No. 22-2028, 2023
U.S. Dist. LEXIS 83438, at *10-11 (D. Minn. May 12, 2023) (court found no risk of a second data breach where the plaintiff failed to suggest “[defendant] is currently being targeted by hackers, or that something about their operations makes them uniquely vulnerable to incursions”). Accordingly, Plaintiffs’ Count VII is dismissed.
* * * For the reasons given, the Court ORDERS that Defendant’s motion to dismiss (ECF No. 29) is GRANTED.
IT IS FURTHER ORDERED that all Plaintiffs’ claims are DISMISSED WITHOUT PREJUDICE pursuant to Fed. R. Civ. P. 12(b)(6).
Dated: May 27, 2026 s/Robert J. White Robert J. White United States District Judge
Related
Cite This Page — Counsel Stack
In re A-Line Staffing Solutions Data Security Incident Litigation, Counsel Stack Legal Research, https://law.counselstack.com/opinion/in-re-a-line-staffing-solutions-data-security-incident-litigation-mied-2026.