Leonard v. McMenamins Inc

• Court: District Court, W.D. Washington
• Decided: September 2, 2022
• Docket: 2:22-cv-00094
• Status: Unknown

Opinion

6 UNITED STATES DISTRICT COURT 7 WESTERN DISTRICT OF WASHINGTON AT SEATTLE 8

9 ANDREW LEONARD, NICHOLAS DEGRASSE, JAMES FRAZIER, AND No. 2:22-cv-00094-BJR 10 CHARLES FRYE, individually and on behalf of all others similarly situated, ORDER DENYING DEFENDANT’S 11 MOTION TO DISMISS 12 Plaintiffs, v. 13 MCMENAMINS, INC., 14 Defendant. 15

16 I. INTRODUCTION 17 Plaintiffs Andrew Leonard, Nicholas deGrasse, James Frazier, and Charles Frye 18 (“Plaintiffs”) bring this putative class action against Defendant McMenamins, Inc. (“Defendant” 19 20 or “McMenamins”), asserting various causes of action arising from a data breach McMenamins 21 experienced in December 2021. Presently before the Court is Defendant’s motion to dismiss 22 Plaintiffs’ Amended Complaint (“Motion” or “Mot.,” Dkt. 19) pursuant to Rule 12(b)(1) of the 23 Federal Rules of Civil Procedure. Plaintiffs oppose the Motion. Having reviewed the pleadings, 24 the record of the case, and the relevant legal authorities, the Court DENIES the Motion. The 25 Court’s reasoning is set forth below. 26

ORDER - 1 1 II. BACKGROUND1 2 A. Factual Background 3 Plaintiffs’ allegations relevant to the present motion are straightforward. On December 30, 4 2021, McMenamins2 posted a notice on its website announcing that, on December 12, 2021, it had 5 suffered a ransomware attack in which cybercriminals “installed malicious software on the 6 company’s computer systems” that temporarily prevented the company from accessing the 7 information contained in those systems. Id. ¶ 29. According to the notice, the attack also enabled 8 9 the hackers to steal the company’s human resources and payroll data files, which contained a 10 variety of personally identifiable information (“PII”) belonging to past and present employees. Id. 11 The compromised PII included the following information: “name, address, telephone number, 12 email address, date of birth, race, ethnicity, gender, disability status, medical notes, performance 13 and disciplinary notes, Social Security number, health insurance plan election, income amount, 14 and retirement contribution amounts.” Id. 15 16 Plaintiffs are current and former employees of McMenamins who provided the company 17 with PII as a condition of their employment. AC ¶¶ 8, 12, 16, 20.3 In January 2020, deGrasse 18 detected several unauthorized charges to his credit card account. Id. ¶ 14. Although deGrasse’s 19 credit card company ultimately never billed him for those fraudulent charges, he spent 20 approximately one-and-a-half hours disputing them and activating a new credit card. Id. 21

22 23 24 1 The facts recited below are taken from Plaintiffs’ Amended Complaint (“AC,” Dkt. 18). For the purposes of the 25 present motion, the Court takes the factual allegations in the Amended Complaint as true. 2 McMenamins owns a chain of brewpubs, breweries, music venues, historic hotels, and theater pubs in Oregon and 26 Washington, employing tens of thousands of people throughout those states. AC ¶ 28. 3 Leonard, deGrasse, and Frazier are former employees (AC ¶¶ 8, 12, 16), and Frye is a current employee (id. ¶ 20). ORDER - 2 1 B. Procedural Background 2 On August 9, 2021, Leonard filed this lawsuit as a class action “on behalf of individuals 3 employed by McMenamins between January 1, 1998 and December 12, 2021 who had their 4 sensitive PII accessed by unauthorized parties due to inadequate network security in a ransomware 5 attack on McMenamins’ IT systems on or around December 12, 2021.” Dkt. 1 ¶ 2. In the 6 Amended Complaint, which adds deGrasse, Frazier, and Frye as plaintiffs, Plaintiffs assert 7 numerous causes of action arising from what Plaintiffs allege was Defendant’s failure to maintain 8 9 adequate network security measures as necessary to protect Plaintiffs’ PII. See generally AC. 10 Specifically, Plaintiffs assert claims for (1) negligence, (2) breach of contract, (3) breach of implied 11 contract, (4) unjust enrichment, (5) breach of fiduciary duty, (6) breach of confidence, (7) bailment, 12 (8) violation of the Washington Consumer Protection Act (“CPA”), RCW § 19.86 et seq., and 13 (9) declaratory relief. AC ¶¶ 130-234. On May 27, 2022, Defendant moved to dismiss the 14 Amended Complaint on the ground that Plaintiffs lack Article III standing to assert their claims. 15 16 Plaintiffs opposed the Motion (“Opposition” or “Opp.,” Dkt. 20), and Defendant replied (“Reply” 17 or “Rep.,” Dkt. 23). 18 III. LEGAL STANDARD 19 “[T]hose who seek to invoke the jurisdiction of the federal courts must satisfy the threshold 20 requirement imposed by Article III of the Constitution by alleging an actual case or controversy.” 21 City of Los Angeles v. Lyons, 461 U.S. 95, 101 (1983). “[T]o satisfy Article III’s standing 22 requirements, a plaintiff must show (1) it has suffered an ‘injury in fact’ that is (a) concrete and 23 24 particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly 25 traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely 26 speculative, that the injury will be redressed by a favorable decision.” Friends of the Earth, Inc.

ORDER - 3 1 v. Laidlaw Env’t Servs., Inc., 528 U.S. 167, 180-81 (2000) (citing Lujan v. Defenders of Wildlife, 2 504 U.S. 555, 560-61 (1992)). “The party invoking federal jurisdiction bears the burden of 3 establishing standing.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting 4 Clapper v. Amnesty Int’l USA, 568 U.S. 398, 411-12 (2013)). 5 IV. DISCUSSION 6 Plaintiffs’ claims seek two types of relief: (1) retrospective damages resulting from the 7 theft of their PII, and (2) prospective injunctive relief requiring Defendant to strengthen its data 8 9 security systems and procedures.4 Defendant contends that Plaintiffs lack Article III standing to 10 assert either type of claim. See Mot. at 5-12. The Court reviews Defendant’s arguments in turn. 11 A. Whether Plaintiffs Have Standing to Assert Their Damages Claims 12 In the Motion, Defendant contends that Plaintiffs lack standing to assert their claims for 13 damages because the harm they allege – the threatened misuse of their PII resulting from the data 14 breach – is too “speculative” and “hypothetical” to constitute an injury-in-fact. See Mot. at 5-11. 15 16 Plaintiffs, in response, point to three separate harms they contend constitute injuries-in-fact: 17 (1) the “increased risk” of identity theft resulting from the data breach, “requiring them to take 18 mitigatory action they otherwise would not have to take” (see Opp. at 8-12); (2) “the diminution 19 in value of the Private Information belonging to Plaintiffs and the Class that remains in the 20 possession and control of Defendant” (see id. at 12); and (3) the “actual misuse” of deGrasse’s PII 21 by cybercriminals (see id. at 5, 11). 22 23 24 25 4 Specifically, Plaintiffs seek damages as part of their claims for unjust enrichment, breach of fiduciary duty, breach 26 of confidence, and bailment (AC ¶¶ 187, 195, 206, 214); injunctive relief as part of their claim for declaratory relief (id. ¶ 227); and both damages and injunctive relief as part of their claims for negligence, breach of contract, breach of implied contract, and violation of the CPA (id. ¶¶ 147-48, 158, 178-179, 223). ORDER - 4 1 The Court begins with Plaintiffs’ allegations as to the increased risk of identity theft created 2 by the data breach. Plaintiffs argue that there is a “vast body of controlling Ninth Circuit 3 precedent” that supports standing based on such allegations. See Opp. at 5-6. Plaintiffs point 4 specifically to Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and In re Zappos.com, 5 Inc., 888 F.3d 1020 (9th Cir. 2018). In Krottner, which involved the theft of a laptop from 6 Starbucks containing its employees’ unencrypted personal information, the Ninth Circuit held that 7 the plaintiffs’ “increased risk of future identity theft” constituted a “credible threat of real and 8 9 immediate harm” that sufficed to establish an injury-in-fact. Krottner, 628 F.3d at 1142-43. In 10 Zappos.com, which involved a data breach suffered by an online retailer, the Ninth Circuit found, 11 given the sensitivity of the stolen customer PII and indications that hackers had attempted to use 12 it, that the plaintiffs had “alleged an injury in fact based on a substantial risk that the [] hackers 13 will commit identity fraud.” In re Zappos.com, 888 F.3d at 1028-29. The parties dispute whether 14 Plaintiffs’ allegations are sufficient to establish an injury-in-fact under Krottner and Zappos.com 15 16 given the specific facts of those cases. See, e.g., Opp. at 5-7; Rep. at 7-8. This Court, however, 17 need not take a position on the applicability of those cases because the theory Plaintiffs draw from 18 them – that the threat of identity theft posed by a data breach, without more, can constitute an 19 injury-in-fact – is no longer viable under the Supreme Court’s more recent decision in TransUnion 20 LLC v. Ramirez, 141 S. Ct. 2190 (2021). 21 In TransUnion, the Supreme Court reviewed whether two classes of plaintiffs had alleged 22 a “concrete harm” sufficient to confer standing to assert a damages claim against a credit reporting 23 24 agency, TransUnion, for including false information in their credit files. TransUnion, 141 S. Ct. 25 26

ORDER - 5 1 at 2201-02.5 The first class included plaintiffs whose reports had been disseminated to third-party 2 businesses, while the second class included plaintiffs whose reports had not been so disseminated. 3 Id. at 2208-09. In reviewing whether the plaintiffs had alleged a concrete harm, the court reasoned 4 that, “[c]entral to assessing concreteness is whether the asserted harm has a ‘close relationship’ to 5 a harm traditionally recognized as providing a basis for a lawsuit in American courts.” Id. at 2200. 6 The court further explained that, while the most obvious concrete injuries are “traditional tangible 7 harms, such as physical harms and monetary harms,” concrete injuries can also include “intangible 8 9 harms” such as “reputational harms, disclosure of private information, and intrusion upon 10 seclusion.” Id. at 2204. With these principles in mind, the court held that the first class’s members 11 had alleged a concrete injury because the harm they suffered – the dissemination of inaccurate 12 credit reports to third-party creditors – bore “a ‘close relationship’ to the harm associated with the 13 tort of defamation.” Id. at 2209. 14 The court, on the other hand, found that the second class’s members had not alleged a 15 16 concrete harm. Given that those plaintiffs’ inaccurate credit files were never disseminated, they 17 “advance[d] a separate argument based on an asserted risk of future harm.” Id. at 2210 (emphasis 18 in original). Specifically, they argued that “the existence of misleading OFAC alerts in their 19 internal credit files exposed them to a material risk that the information would be disseminated in 20 the future to third parties and thereby cause them harm.” Id. The court rejected the argument, 21 finding “persuasive” the defendant’s argument that “in a suit for damages, the mere risk of future 22 harm, standing alone, cannot qualify as a concrete harm – at least unless the exposure to the risk 23 24

25 5 Specifically, the plaintiffs claimed that TransUnion violated the Fair Credit Reporting Act by including alerts in their credit files incorrectly indicating that they were on the Treasury Department’s Office of Foreign Assets Control 26 (“OFAC”) list of terrorists, drug traffickers, and other serious criminals. TransUnion, 141 S. Ct. at 2201-02.

ORDER - 6 1 of future harm itself causes a separate concrete harm.” Id. at 2210-11 (emphasis in original). The 2 court reasoned, in relevant part: 3 Here, the [] plaintiffs did not demonstrate that the risk of future harm materialized – that is, that the inaccurate OFAC alerts in their internal TransUnion credit files 4 were ever provided to third parties or caused a denial of credit. Nor did those 5 plaintiffs present evidence that the class members were independently harmed by their exposure to the risk itself – that is, that they suffered some other injury (such 6 as an emotional injury) from the mere risk that their credit reports would be provided to third-party businesses. Therefore, the [] plaintiffs’ argument for 7 standing for their damages claims based on an asserted risk of future harm is unavailing. 8 9 Id. at 2211. 10 This Court, applying TransUnion, rejects Plaintiffs’ argument that their increased risk of 11 identity theft constitutes an injury-in-fact. See I.C. v. Zynga, Inc., No. 20-cv-01539, 2022 WL 12 2252636, at *11 n.15 (N.D. Cal. Apr. 29, 2022) (“[I]n light of TransUnion’s rejection of risk of 13 harm as a basis for standing for damages claims, the Court questions the viability of Krottner and 14 Zappos’s holdings finding standing on this very basis.”). As with the second class in TransUnion, 15 Plaintiffs do not adequately allege that the risk of identity theft has materialized in any respect. 16 17 While Plaintiffs allege that unauthorized charges were placed on deGrasse’s credit card (AC ¶ 14), 18 it is implausible that this resulted from, or was connected to, the data breach. In particular, 19 Plaintiffs do not allege that their credit card information was ever provided to McMenamins, that 20 a new credit card was opened in deGrasse’s name using compromised PII, or anything otherwise 21 indicating the use or attempted use of that PII. See, e.g., Bass v. Facebook, Inc., 394 F. Supp. 3d 22 1024, 1036 (N.D. Cal. 2019) (“Either the facts do not trace to the data breach at all or are so 23 24 common the infinite possibilities forecloses plausibility.”). 25 Nor do Plaintiffs articulate any “independent harm” caused by their exposure to the alleged 26 risk of identity theft. See TransUnion, 141 S. Ct. at 2210-11. Although Plaintiffs point to the

ORDER - 7 1 “time and energy” they must now expend to monitor their accounts (see Opp. at 8), the Supreme 2 Court has made clear that plaintiffs “cannot manufacture standing merely by inflicting harm on 3 themselves based on their fears of hypothetical future harm that is not certainly impending.” 4 Clapper, 568 U.S. at 416 (“If the law were otherwise, an enterprising plaintiff would be able to 5 secure a lower standard for Article III standing simply by making an expenditure based on a 6 nonparanoid fear.”). Here, in the absence of any indication that hackers have attempted to misuse 7 Plaintiffs’ PII, and given that the data breach was caused by ransomware6 – which was allegedly 8 9 intended, at least in part, simply to prevent McMenamins from accessing its computer systems 10 (see AC ¶ 29) – Plaintiffs have not adequately alleged that identity theft is “certainly impending.” 11 Further, while Plaintiffs allege that they have suffered “[a]nxiety and distress resulting [from] fear 12 of misuse of their Private Information” (id. ¶ 116), “[a] perfunctory allegation of emotional 13 distress, especially one wholly incommensurate with the stimulant, is insufficient to plausibly 14 allege constitutional standing.” Maddox v. Bank of New York Mellon Tr. Co., N.A., 19 F.4th 58, 15 16 66 (2d Cir. 2021).7 As such, consistent with TransUnion, the increased risk of identity theft 17 allegedly faced by Plaintiffs cannot constitute a concrete harm sufficient for standing. See Zynga, 18 2022 WL 2252636, at *9 (“[I]n light of TransUnion, the Court concludes that mere compromise 19 of personal information, without more, fails to satisfy the injury-in-fact element in the absence of 20 an identity theft.”); see also Ewing v. MED-1 Sols., LLC, 24 F.4th 1146, 1152 (7th Cir. 2022) 21 (“TransUnion makes clear that a risk of future harm, without more, is insufficiently concrete to 22 permit standing to sue for damages in federal court.”). 23 24 6 A ransomware attack is “an attack using a malicious software designed to deny access to a computer system until a 25 ransom is paid.” Karter v. Epiq Sys., Inc., No. SACV2001385, 2021 WL 4353274, at *1 (C.D. Cal. July 16, 2021). 26 7 The Amended Complaint also references “[o]ut-of-pocket costs” for the “prevention, detection, recovery and remediation from identity theft or fraud.” AC ¶ 116. However, the Amended Complaint does not allege that Plaintiffs have actually paid any such costs, and in all events, such costs would be insufficient for standing under Clapper. ORDER - 8 1 Nevertheless, Plaintiffs have alleged an injury-in-fact based not on the risk of future 2 identify fraud created by the data breach, but on the actual harm resulting from the theft of 3 Plaintiffs’ PII itself. As noted above, TransUnion instructs courts, in determining whether 4 plaintiffs have suffered a concrete harm, to inquire as to whether plaintiffs allege a harm bearing 5 “a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in 6 American courts.” TransUnion, 141 S. Ct. at 2209. As Plaintiffs point out, TransUnion 7 specifically identifies the “disclosure of private information” as such a harm that “can [] be 8 9 concrete.” Id. at 2204; see Opp. at 5. Indeed, the Supreme Court and the Ninth Circuit have 10 recognized on numerous occasions that “[v]iolations of the right to privacy have long been 11 actionable at common law.” Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017); see 12 U.S. Dep’t of Just. v. Reps. Comm. For Freedom of Press, 489 U.S. 749, 763 (1989) (“both the 13 common law and the literal understandings of privacy encompass the individual’s control of 14 information concerning his or her person”). 15 16 The Court finds that Plaintiffs have adequately alleged a harm bearing a “close 17 relationship” to the harm associated with the tort of “disclosure of private information.” One 18 commits that tort when he “gives publicity to a matter concerning the private life of another … if 19 the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and 20 (b) is not of legitimate concern to the public.” Restatement (Second) of Torts § 652D; see also 21 Purcell v. Am. Legion, 44 F. Supp. 3d 1051, 1061 (E.D. Wash. 2014) (articulating same cause of 22 action under Washington law). Here, Plaintiffs allege that a variety of their “highly sensitive” 23 24 personal and financial information was compromised and stolen by cybercriminals in the data 25 breach. See supra at 2. Each of Plaintiffs allege that he “greatly values his privacy” and “would 26 not have given his PII to McMenamins if he had known that it was going to maintained in

ORDER - 9 1 McMenamins’ database without adequate protection.” AC ¶ 11, 15, 19, 23. While these 2 allegations may not state a claim for disclosure of private information,8 Plaintiffs’ alleged harm 3 need only bear a “close relationship” to the harm resulting from that privacy tort. See TransUnion, 4 141 S. Ct. at 2209 (“we do not require an exact duplicate”). 5 Numerous courts, including the Ninth Circuit, have found allegations concerning the 6 interference with plaintiffs’ control over their personal data to be sufficient for standing on account 7 of their injury implicating an “invasion of the historically recognized right to privacy.” See, e.g. 8 9 In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020) (allegations that 10 Facebook interfered with plaintiffs’ ability to “control[] their personal information,” through its 11 data tracking and collection practices, sufficed for standing because “[p]laintiffs have sufficiently 12 alleged a clear invasion of the historically recognized right to privacy”); Al-Ahmed v. Twitter, Inc., 13 No. 21-cv-08017, 2022 WL 1605673, at *7 (N.D. Cal. May 20, 2022) (allegations that Twitter 14 user’s information was compromised sufficed to establish an injury-in-fact because “invasion of 15 16 privacy is a particularized injury sufficient to establish Article III standing”). Further, several 17 district courts in this Circuit and others have specifically found, following TransUnion, that data 18 breach allegations similar to those of Plaintiffs relates a harm sufficiently analogous to the 19 common law tort of “disclosure of private information,” as necessary to qualify as an injury-in- 20 fact. See, e.g., Wynne v. Audi of Am., No. 21-cv-08518, 2022 WL 2916341, at *5 (N.D. Cal. July 21 25, 2022); Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 43 (D. Ariz. 2021); Bohnak v. 22 Marsh & McLennan Cos., Inc., No. 21-cv-6096, 2022 WL 158537, at *5 (S.D.N.Y. Jan. 17, 2022); 23 24 In re USAA Data Sec. Litig., No. 21-cv-5813, 2022 WL 3348527, at *5 (S.D.N.Y. Aug. 12, 2022). 25 26 8 Among other things, it is arguable whether the Plaintiffs’ PII has been “given publicity,” and whether its disclosure to the hackers is “highly offensive to a reasonable person.” ORDER - 10 1 This Court, consistent with those courts and the reasoning in TransUnion, finds that Plaintiffs’ 2 allegations as to the theft and resulting loss of control over their PII bear a sufficiently close 3 relationship to the type of harm protected by that tort. As such, Plaintiffs adequately allege a 4 concrete and actual harm sufficient to plead an injury-in-fact. 5 Accordingly, the Court finds that Plaintiffs have standing to assert their damages claims. 6 Given this finding, the Court declines to review the sufficiency of Plaintiffs’ other alleged harms. 7 B. Whether Plaintiffs Have Standing to Seek Prospective Injunctive Relief 8 9 As noted above, Plaintiffs’ claims for negligence, breach of contract, breach of implied 10 contract, violation of the CPA, and declaratory relief seek, in part, prospective injunctive relief 11 requiring Defendant to undertake various actions to safeguard the PII McMenamins currently 12 possesses.9 Unlike their damages claims based on the past theft of Plaintiffs’ PII, the injunctive 13 relief sought by Plaintiffs concerns continuing actions by Defendant related to its current 14 possession of Plaintiffs’ PII. Defendant argues that Plaintiffs Leonard, deGrasse, and Frazier lack 15 16 standing to seek that relief because they “have failed to allege that (1) they actually will benefit 17 from the relief they seek, and (2) the harm they seek to prevent is imminent and substantial.” Mot. 18 at 11-12. 19 As the Supreme Court explained in TransUnion, “a person exposed to a risk of future harm 20 may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long 21 as the risk of harm is sufficiently imminent and substantial.” TransUnion, 141 S. Ct. at 2210; see 22 Bates v. United Parcel Serv., Inc., 511 F.3d 974, 985 (9th Cir. 2007) (“The plaintiff must 23 24 25 9 For example, Plaintiffs’ claims for negligence and breach of implied contact seek “injunctive relief requiring 26 Defendant to, e.g., (i) strengthen data security systems and monitoring procedures; (ii) submit to future annual audits of those systems and monitoring procedures; and (iii) immediately provide lifetime free credit monitoring to all Class members.” AC ¶¶ 148, 179. ORDER - 11 1 demonstrate that he has suffered or is threatened with a ‘concrete and particularized’ legal harm, 2 coupled with ‘a sufficient likelihood that he will again be wronged in a similar way.’” (citations 3 omitted)). Further, “it must be likely that a favorable judicial decision will prevent or redress the 4 injury.” Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009). 5 Defendant contends that Leonard, deGrasse, and Frazier will not benefit from the 6 injunction they seek because they are former employees, and “McMenamins already has 7 strengthened its security systems.” See Mot. at 11-12. That contention is without merit. First, 8 9 there is no difference between McMenamins’s current and former employees insofar as the 10 company possesses PII belonging to both categories of employees. See, e.g., In re Ambry Genetics 11 Data Breach Litig., 567 F. Supp. 3d 1130, 1141 (C.D. Cal. 2021) (plaintiffs had standing to seek 12 injunctive relief based on allegations that defendants “still possess[ed] [plaintiffs’] private 13 information” and had not announced significant changes to their security system following data 14 breach); see also In re Arby’s Rest. Grp. Inc. Litig., No. 1:17-cv-0514, 2018 WL 2128441, at *14 15 16 (N.D. Ga. Mar. 5, 2018) (“Plaintiffs allege that [company] still possesses their customer data and 17 therefore they have an interest in ensuring its protection from further breaches.”).10 Second, 18 Defendant’s assertion that McMenamins has already strengthened its data security is unsupported 19 and, more importantly, premature at this stage of litigation. See Bell v. Blizzard Ent., Inc., No. 20 2:12-cv-9475, 2013 WL 12063912, at *6 (C.D. Cal. Apr. 3, 2013) (allegations that company 21 suffered past breaches and “has made no additional effort to secure [plaintiffs’] information” were 22 23 24 10 In its Reply, Defendant points to an allegation in the Amended Complaint in which Plaintiffs request “injunctive 25 relief requiring Defendant to employ adequate security practices … to protect McMenamins’s employees’ PII.” AC ¶ 227; see Rep. at 10. According to Defendant, that allegation shows that “Plaintiffs seek injunctive relief solely ‘to 26 protect McMenamins [current] employees’ PII.”’ Rep. at 10 (citing AC ¶ 227). Given the nature of Plaintiffs’ claims and requests for injunctive relief articulated elsewhere in the Amended Complaint, the Court interprets that allegation as seeking relief on behalf of both current and former employees. ORDER - 12 1 sufficient at the pleadings stage “to confer Article III standing as to their request that [company] 2 be forced to take additional security measures”); see also Arby’s, 2018 WL 2128441, at *14 3 (rejecting, as “premature,” defendant’s motion to dismiss argument that plaintiffs had not alleged 4 any facts about company’s “current security posture” demonstrating a risk of future breach). 5 Defendant’s contention that Plaintiffs do not allege a risk of “imminent and substantial” 6 harm also lacks merit. In the Motion, Defendant argues that Plaintiffs fail to adequately allege an 7 imminent and substantial risk of identity theft resulting from hackers’ misuse of the previously 8 9 compromised data. See Mot. at 12. However, as the Opposition points out, Plaintiffs’ request for 10 injunctive relief is based on the “risk of subsequent breaches” of McMenamins’s data security 11 system that would compromise the PII that “is still in Defendant’s possession and control.” Opp. 12 at 15. Defendant, in its Reply, abandons its argument. Given Plaintiffs’ allegations that 13 McMenamins has maintained inadequate data security measures to safeguard its former and 14 current employees’ PII (see AC ¶¶ 37-60), and that McMenamins’s data security system was 15 16 breached in December 2021 (see, e.g., id. ¶ 29), the Court finds that Plaintiffs have alleged an 17 imminent and substantial risk of harm resulting from a future breach and theft of their PII. See 18 Ambry Genetics, 567 F. Supp. 3d at 1141; Bell, 2013 WL 12063912, at *6; see also In re: The 19 Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-md-2583, 2016 WL 2897520, at 20 *4 (N.D. Ga. May 18, 2016) (denying motion to dismiss claim for injunctive relief where plaintiffs 21 alleged that “Defendant’s security measures continue to be inadequate and that they will suffer 22 substantial harm” with respect to “a future breach”). 23 24 Accordingly, the Court finds that Plaintiffs have standing to pursue injunctive relief. 25 26

ORDER - 13 1 Vv. CONCLUSION 2 For the foregoing reasons, the Court rejects Defendant’s arguments that Plaintiffs lack 3 Article III standing to assert their claims. Therefore, Defendant McMenamins’s motion to dismiss 4 (Dkt. 19) is DENIED. ° SO ORDERED. Dated: September 2, 2022

8 Asner eu, 9 Barbara Jacobs Rothstein U.S. District Court Judge 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

ORDER - 14