VERMONT SUPERIOR COURT CIVIL DIVISION Bennington Unit Case No. 24-CV-03972 207 South St Bennington VT 05201 802-447-2700 www.vermontjudiciary.org
Nancy Koziol v. Tri State Area Federal Credit Union
ENTRY REGARDING MOTION Title: Motion to Dismiss (Motion: 1) Filer: John Daniel Prendergast Filed Date: January 10, 2025
This case involves a class action dispute between Plaintiffs and Defendant Tri State Area Federal Credit Union (Tri State) arising after Tri State was subject to a data breach that resulted in a leak of Plaintiffs’ personal information. Tri State filed a Motion to Dismiss on January 10, 2025, arguing that the claims should be dismissed because the Plaintiffs lack standing. On January 24, 2025, Plaintiffs filed a Response in Opposition to Defendant’s Motion to Dismiss. Tri State filed a Reply Memorandum in Support of Defendant’s Motion to Dismiss on February 7, 2025. This Court held a hearing on this matter on March 21, 2025.
The ruling on the motion, for the reasons herein, is:
1. Defendant’s Motion to Dismiss is denied. Facts
The following facts are accepted as true. On May 9 and 10, 2024, Tri State experienced a criminal cyberattack. This breach compromised the Personal Identifying Information (PII) of current and former customers. The compromised PII includes Social Security numbers, dates of birth, and bank or financial account numbers. As a result of the breach, Tri State notified its former and current customers of the attack and that their PII may have been impacted from the cyberattack. Plaintiffs describe their harms resulting from the breach, including having to make reasonable efforts to mitigate the impact of the breach, spending time responding to the dangers from the breach, and the knowledge that the PII could be abused in the future by cybercriminals.
Discussion
I. The Motion to Dismiss is denied because Plaintiffs have alleged actionable harm under the McMorris factors. Tri State moves to dismiss all counts by Plaintiffs for lack of standing. Specifically, Tri State insists that time spent mitigating a data breach and the risk of potential future harm Entry Regarding Motion Page 1 of 5 24-CV-03972 Nancy Koziol v. Tri State Area Federal Credit Union provides no concrete harm to Plaintiffs from the data breach. Plaintiffs maintain that they do have standing based on these facts, and that they have suffered concrete harm that gives them standing to sue Tri State. Since the parties have framed the issue as a standing issue, the Court will analyze whether Plaintiffs have sufficiently alleged a particular injury in fact.1
Under Vermont law, a motion to dismiss should be granted where it is “beyond doubt that there exist no facts or circumstances that would entitle the plaintiff to relief.” Kaplan v. Morgan Stanley & Co., 2009 VT 78, ¶ 7, 186 Vt. 605. In deciding a motion to dismiss, courts assume the truth of factual allegations asserted in the complaint, as well as any reasonable inferences that may follow, and focus their inquiry “on the absence of any facts, reasonable factual inferences, and legal bases for recovery alleged in the complaint, attachments thereto, or to matters the court may judicially notice.” Sprague v. Nally, 2005 VT 85, ¶ 2, 178 Vt. 222 (quoting Gilman v. Maine Mutual Fire Ins. Co., 2003 VT 55, ¶ 20, 175 Vt. 554 (mem.) (internal quotations omitted)). The “purpose of a motion to dismiss is to test the law of the claim, not the facts which support it.” Powers v. Office of Child Support, 173 Vt. 390, 395 (2002) (citing Levinsky v. Diamond, 140 Vt. 595, 600 (1982)). Motions under Rule 12(b)(6) are not favored and rarely granted. Endres v. Endres, 2006 VT 108, ¶ 4, 180 Vt. 640.
Standing is a constitutional doctrine, grounded in the Article III limitation of federal- court jurisdiction to actual cases and controversies. See U.S. Const. art. III, § 2, cl. 1. While the Vermont Constitution lacks equivalent language, the Vermont Supreme Court has adopted federal standing requirements, stating that “[t]he judicial power, as conferred by the Constitution of this State upon this Court, is the same as that given to the Federal Supreme Court by the United States Constitution; that is, the right to determine actual controversies arising between adverse litigants, duly instituted in courts of proper jurisdiction.” In re Constitutionality of House Bill 88, 115 Vt. 524, 529 (1949) (quotations omitted); see also Hous. Our Seniors in Vermont Inc. v. Agency of Com. & Cmty. Dev., 2024 VT 12, ¶ 12.
To establish standing, plaintiffs must “at an irreducible minimum demonstrate the following constitutional elements: (1) injury in fact, (2) causation, and (3) redressability.” Hinesburg Sand & Gravel Co. v. State, 166 Vt. 337, 341 (1997). Plaintiffs must allege sufficient facts to establish standing “[o]n the face of the complaint.” Town of Cavendish v. Vt. Pub. Power Supply Auth., 141 Vt. 144, 147–48 (1982). Here, Tri State asserts that there is no injury in fact present.
To satisfy this initial burden, a plaintiff must demonstrate that there is “an actual controversy between the parties.” Id. “Otherwise, the judgment would be no more than an advisory opinion, which we lack the constitutional power to render.” Parker v. Town of Milton,
1 This Court doubts that “standing” is the correct legal framework for determining whether a plaintiff has a valid action against a credit union for damages resulting from a data breach. Vermont cases have repeatedly emphasized that the “standing” doctrine serves the purpose of enforcing “the separation of powers between the three different branches of government by confining the judiciary to the adjudication of actual disputes and preventing the judiciary from presiding over broad-based policy questions that are properly resolved in the legislative arena.” Parker v. Town of Milton, 169 Vt. 74, 76–77 (1998); accord Housing Our Seniors in Vermont Inc. v. Agency of Commerce & Community Development, 2024 VT 12, ¶ 21; Paige v. State, 2018 VT 136, ¶ 8, 209 Vt. 379; Turner v. Shumlin, 2017 VT 2, ¶ 10, 204 Vt. 78. Entry Regarding Motion Page 2 of 5 24-CV-03972 Nancy Koziol v. Tri State Area Federal Credit Union 169 Vt. 74, 77 (1998). The existence of an actual controversy “turns on whether the plaintiff is suffering the threat of actual injury to a protected legal interest, or is merely speculating about the impact of some generalized grievance.” Town of Cavendish, 141 Vt. at 147.
There is no Vermont caselaw directly on point on standing for future harm of class action plaintiffs resulting from a data breach. That said, the Vermont Supreme Court has adopted the federal three-part test for standing and has frequently cited federal standing precedents when deciding Vermont cases involving adequate and independent state law grounds. See Ferry v. City of Montpelier, 2023 VT 4, ¶ 14, 217 Vt. 450. While not obliged to follow federal standing rules, this Court can look to analogous federal caselaw as persuasive authority. Id. ¶ 15–17. Tri State relies on analogous federal caselaw in its Motion. So, while not bound by the Second Circuit, this Court will look at the analogous federal caselaw since the parties have framed the issue and their arguments on federal caselaw.
The Second Circuit has held that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data,” even where no such misuse of the data has yet occurred. McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 300–01 (2d Cir.
Free access — add to your briefcase to read the full text and ask questions with AI
VERMONT SUPERIOR COURT CIVIL DIVISION Bennington Unit Case No. 24-CV-03972 207 South St Bennington VT 05201 802-447-2700 www.vermontjudiciary.org
Nancy Koziol v. Tri State Area Federal Credit Union
ENTRY REGARDING MOTION Title: Motion to Dismiss (Motion: 1) Filer: John Daniel Prendergast Filed Date: January 10, 2025
This case involves a class action dispute between Plaintiffs and Defendant Tri State Area Federal Credit Union (Tri State) arising after Tri State was subject to a data breach that resulted in a leak of Plaintiffs’ personal information. Tri State filed a Motion to Dismiss on January 10, 2025, arguing that the claims should be dismissed because the Plaintiffs lack standing. On January 24, 2025, Plaintiffs filed a Response in Opposition to Defendant’s Motion to Dismiss. Tri State filed a Reply Memorandum in Support of Defendant’s Motion to Dismiss on February 7, 2025. This Court held a hearing on this matter on March 21, 2025.
The ruling on the motion, for the reasons herein, is:
1. Defendant’s Motion to Dismiss is denied. Facts
The following facts are accepted as true. On May 9 and 10, 2024, Tri State experienced a criminal cyberattack. This breach compromised the Personal Identifying Information (PII) of current and former customers. The compromised PII includes Social Security numbers, dates of birth, and bank or financial account numbers. As a result of the breach, Tri State notified its former and current customers of the attack and that their PII may have been impacted from the cyberattack. Plaintiffs describe their harms resulting from the breach, including having to make reasonable efforts to mitigate the impact of the breach, spending time responding to the dangers from the breach, and the knowledge that the PII could be abused in the future by cybercriminals.
Discussion
I. The Motion to Dismiss is denied because Plaintiffs have alleged actionable harm under the McMorris factors. Tri State moves to dismiss all counts by Plaintiffs for lack of standing. Specifically, Tri State insists that time spent mitigating a data breach and the risk of potential future harm Entry Regarding Motion Page 1 of 5 24-CV-03972 Nancy Koziol v. Tri State Area Federal Credit Union provides no concrete harm to Plaintiffs from the data breach. Plaintiffs maintain that they do have standing based on these facts, and that they have suffered concrete harm that gives them standing to sue Tri State. Since the parties have framed the issue as a standing issue, the Court will analyze whether Plaintiffs have sufficiently alleged a particular injury in fact.1
Under Vermont law, a motion to dismiss should be granted where it is “beyond doubt that there exist no facts or circumstances that would entitle the plaintiff to relief.” Kaplan v. Morgan Stanley & Co., 2009 VT 78, ¶ 7, 186 Vt. 605. In deciding a motion to dismiss, courts assume the truth of factual allegations asserted in the complaint, as well as any reasonable inferences that may follow, and focus their inquiry “on the absence of any facts, reasonable factual inferences, and legal bases for recovery alleged in the complaint, attachments thereto, or to matters the court may judicially notice.” Sprague v. Nally, 2005 VT 85, ¶ 2, 178 Vt. 222 (quoting Gilman v. Maine Mutual Fire Ins. Co., 2003 VT 55, ¶ 20, 175 Vt. 554 (mem.) (internal quotations omitted)). The “purpose of a motion to dismiss is to test the law of the claim, not the facts which support it.” Powers v. Office of Child Support, 173 Vt. 390, 395 (2002) (citing Levinsky v. Diamond, 140 Vt. 595, 600 (1982)). Motions under Rule 12(b)(6) are not favored and rarely granted. Endres v. Endres, 2006 VT 108, ¶ 4, 180 Vt. 640.
Standing is a constitutional doctrine, grounded in the Article III limitation of federal- court jurisdiction to actual cases and controversies. See U.S. Const. art. III, § 2, cl. 1. While the Vermont Constitution lacks equivalent language, the Vermont Supreme Court has adopted federal standing requirements, stating that “[t]he judicial power, as conferred by the Constitution of this State upon this Court, is the same as that given to the Federal Supreme Court by the United States Constitution; that is, the right to determine actual controversies arising between adverse litigants, duly instituted in courts of proper jurisdiction.” In re Constitutionality of House Bill 88, 115 Vt. 524, 529 (1949) (quotations omitted); see also Hous. Our Seniors in Vermont Inc. v. Agency of Com. & Cmty. Dev., 2024 VT 12, ¶ 12.
To establish standing, plaintiffs must “at an irreducible minimum demonstrate the following constitutional elements: (1) injury in fact, (2) causation, and (3) redressability.” Hinesburg Sand & Gravel Co. v. State, 166 Vt. 337, 341 (1997). Plaintiffs must allege sufficient facts to establish standing “[o]n the face of the complaint.” Town of Cavendish v. Vt. Pub. Power Supply Auth., 141 Vt. 144, 147–48 (1982). Here, Tri State asserts that there is no injury in fact present.
To satisfy this initial burden, a plaintiff must demonstrate that there is “an actual controversy between the parties.” Id. “Otherwise, the judgment would be no more than an advisory opinion, which we lack the constitutional power to render.” Parker v. Town of Milton,
1 This Court doubts that “standing” is the correct legal framework for determining whether a plaintiff has a valid action against a credit union for damages resulting from a data breach. Vermont cases have repeatedly emphasized that the “standing” doctrine serves the purpose of enforcing “the separation of powers between the three different branches of government by confining the judiciary to the adjudication of actual disputes and preventing the judiciary from presiding over broad-based policy questions that are properly resolved in the legislative arena.” Parker v. Town of Milton, 169 Vt. 74, 76–77 (1998); accord Housing Our Seniors in Vermont Inc. v. Agency of Commerce & Community Development, 2024 VT 12, ¶ 21; Paige v. State, 2018 VT 136, ¶ 8, 209 Vt. 379; Turner v. Shumlin, 2017 VT 2, ¶ 10, 204 Vt. 78. Entry Regarding Motion Page 2 of 5 24-CV-03972 Nancy Koziol v. Tri State Area Federal Credit Union 169 Vt. 74, 77 (1998). The existence of an actual controversy “turns on whether the plaintiff is suffering the threat of actual injury to a protected legal interest, or is merely speculating about the impact of some generalized grievance.” Town of Cavendish, 141 Vt. at 147.
There is no Vermont caselaw directly on point on standing for future harm of class action plaintiffs resulting from a data breach. That said, the Vermont Supreme Court has adopted the federal three-part test for standing and has frequently cited federal standing precedents when deciding Vermont cases involving adequate and independent state law grounds. See Ferry v. City of Montpelier, 2023 VT 4, ¶ 14, 217 Vt. 450. While not obliged to follow federal standing rules, this Court can look to analogous federal caselaw as persuasive authority. Id. ¶ 15–17. Tri State relies on analogous federal caselaw in its Motion. So, while not bound by the Second Circuit, this Court will look at the analogous federal caselaw since the parties have framed the issue and their arguments on federal caselaw.
The Second Circuit has held that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data,” even where no such misuse of the data has yet occurred. McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 300–01 (2d Cir. 2021) (“[R]equiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court's recognition that ‘[a]n allegation of future injury may suffice’ to establish Article III standing ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’ ”) (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)); see Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 289 (2d Cir. 2023)). The Second Circuit has set forth a non-exclusive set of three factors for courts to consider in determining whether “an increased risk of identity theft or fraud” qualifies as an injury in fact in each case:
(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data;
(2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
(3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
McMorris, 995 F.3d at 303.
The first factor supports a finding of standing because Plaintiffs have alleged that the breach was the result of a targeted cyberattack conducted by cybercriminals. This Court finds that this data breach qualifies as a “targeted attempt to obtain the data” and satisfies the first McMorris factor.
The second factor does not support a finding of standing. Plaintiffs have not alleged in their Complaint that any portion of the leaked PII has been misused yet. Rather, they aver that
Entry Regarding Motion Page 3 of 5 24-CV-03972 Nancy Koziol v. Tri State Area Federal Credit Union future harm from the breach is inevitable. Thus, the second factor favors dismissal for a lack of standing.
The third factor weighs in Plaintiffs’ favor. The leaked PII includes Social Security numbers, financial account numbers, and the names of Plaintiffs. The Second Circuit has acknowledged that Social Security numbers are “high-risk” and sensitive information making victims more vulnerable to “future identity theft or fraud.” McMorris, 995 F.3d at 302; see Bohnak, 79 F.4th at 289 (noting that Social Security numbers are “exactly the kind of information that gives rise to a high risk of identity theft ... [and] among the worst kind of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change”). Moreover, the Complaint includes allegations of financial account numbers being leaked, which can also be used by cybercriminals to carry out identity theft or fraud. This factor favors Plaintiffs.
While Plaintiffs have not shown that the second factor supports standing, the Second Circuit has held that doing so is not necessary if the other factors are met. Specifically, in Bohnak, the Second Circuit held that a data breach victim had standing even where “she ha[d] not alleged any known misuse of information in the dataset accessed in the hack.” Bohnak, 79 F.4th at 289. The Bohnak court found that the plaintiff had plausibly alleged standing where the first and third factors were otherwise satisfied, as is the case here. Id. at 288–89. Accordingly, Plaintiffs have alleged a sufficiently substantial risk of future identity theft and fraud to confer standing at the motion to dismiss stage.
II. TransUnion does not bar Plaintiffs’ claims for lacking standing because Plaintiffs have alleged more than the risk of future harm.
Tri State points to the 2021 United States Supreme Court decision in TransUnion to contend that Plaintiffs have not alleged standing. In that case, the Court found that the risk of future harm is insufficient, by itself, to confer standing. See TransUnion LLC v. Ramirez, 594 U.S. 413, 435 (2021). Plaintiffs’ claim is distinguishable from that decision. Here, Plaintiffs, in addition to potential future harm, have alleged harm from time spent monitoring accounts and attempting to mitigate the effects of the data breach.
Indeed, TransUnion recognized that concrete harm may be intangible, particularly where it bears a close relationship to harms traditionally recognized as providing a basis for lawsuits. Those include disclosure of private information and intrusion upon seclusion. Id. at 425. The Second Circuit observed in Bohnak that, “[s]ignificantly, the [TransUnion] Court concluded that the publication of false information ... was itself enough to establish a concrete injury; it did not take further steps to evaluate whether those third parties used the information in ways that harmed the class members.” Bohnak, 79 F.4th at 284–85.
Bohnak applied TransUnion in a class action alleging release of the representative plaintiff’s name and Social Security number to an unauthorized third party. Id. at 281. The Court found that, as in TransUnion, “the core injury here – exposure of Bohnak's private PII to unauthorized third parties – bears some relationship to a well-established common-law analog: public disclosure of private facts.” Id. at 285. The Court further concluded that such core injury Entry Regarding Motion Page 4 of 5 24-CV-03972 Nancy Koziol v. Tri State Area Federal Credit Union “falls squarely within the scope of an intangible harm the Supreme Court has recognized [in TransUnion] as concrete.” Id. at 286.
Following on TransUnion’s discussion of separate, concrete harms, Bohnak next found that the plaintiff had suffered such harms “as a result of the risk of future harm occasioned by the exposure of her PII.” Id. Bohnak specifically cited the plaintiff's allegations of “ ‘out-of-pocket expenses associated with the prevention, detection, and recovery from identify theft,’ and ‘lost time’ and other ‘opportunity costs’ associated with attempting to mitigate the consequences of the data breach.” Id. The Court held that “[t]hese separate and concrete harms foreseeably arising from the exposure of Bohnak’s PII to a malign outside actor, giving rise to a material risk of future harm, independently support standing.” Id.
Here, similarly, Plaintiffs’ PII was exposed to third parties after a cyberattack. The PII is now in the hands of cybercriminals and poses a threat of imminent danger and subjects the Plaintiffs to increased risk of identity theft. Further, Plaintiffs have asserted that they have lost time and have had to take steps to mitigate the impact of the PII leakage. This is a real, and not merely theoretical, controversy that does not involve idle speculation about the impact of a generalized grievance. See Turner v. Shumlin, 2017 VT 2, ¶ 11, 204 Vt. 78 (noting that, to show standing, a plaintiff must “present a real—not merely theoretical—controversy involving the threat of actual injury to a protected legal interest rather than merely speculating about the impact of some generalized grievance”).
This Court concludes that Plaintiffs have sufficiently pled standing in their Complaint. Accordingly, the Motion to Dismiss is denied.
ORDER
Tri State’s Motion to Dismiss is denied because it has not shown that Plaintiffs lack standing at the motion to dismiss stage.
The motion is DENIED. Signed electronically March 25, 2025 pursuant to V.R.E.F 9(d).
_________________________________________ David Barra Superior Court Judge
Entry Regarding Motion Page 5 of 5 24-CV-03972 Nancy Koziol v. Tri State Area Federal Credit Union