IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW MEXICO ____________________
EVELINE MCCOMBS,
Plaintiff,
v. Case No.: 1:22-cv-00662-MLG-KK
DELTA GROUP ELECTRONICS, INC.,
Defendant.
MEMORANDUM OPINION AND ORDER GRANTING DEFENDANT’S MOTION TO DISMISS PURSUANT TO FEDERAL RULE OF CIVIL PROCEDURE 12(b)(1)
This matter comes before the Court on Defendant Delta Group Electronic, Inc.’s Motion to Dismiss Plaintiff Eveline McCombs’ First Amended Complaint. Doc. 15. The motion seeks dismissal of McCombs’ claims stemming from an alleged data breach of Delta’s computer systems. Following briefing and a motion hearing on the issue, the Court concludes McCombs has failed to allege that she has suffered an injury in fact that is fairly traceable to Delta, and therefore lacks standing to pursue her claims. Fed. R. Civ. P. 12(b)(1). The Court does not address Delta’s Federal Rule of Civil Procedure 12(b)(6) arguments. BACKGROUND1 A. Relevant Facts McCombs was employed by Delta from 2019 to 2022, and in connection with her employment, McCombs provided Delta with personal identifying information (PII)2 and financial information. Id. An unknown cybercriminal hacked Delta’s computer systems and accessed data
1 The following facts are drawn from McCombs’ amended complaint. Doc. 13.
2 McCombs’ amended pleading identifies this PII as “names, Social Security numbers, driver’s license numbers, and financial account numbers.” Doc. 13 ¶ 1. that included McCombs’, and other employees’, first and last names, Social Security numbers, driver’s license numbers, and financial account numbers. Id. ¶¶ 1, 33; Ex. A. Delta notified McCombs and other employees of the unauthorized access via e-mail on June 17, 2022. Doc. 13 ¶ 19; Ex. A. The letter reported that an “unauthorized actor accessed [Delta’s] systems and
acquired a limited number of files from certain servers between November 2, 2021, and November 5, 2021.” Ex. A at 1. Delta “promptly took steps” to secure the system, engaged a cybersecurity firm to assist, and completed an investigation. Doc. 13 ¶ 38. Delta offered McCombs (and the other affected employees) free credit and identity monitoring services for one year following the breach. Id. McCombs alleges that the compromise of the data will be an “omnipresent threat” for her and the proposed class “for the rest of their lives.” Id. ¶ 64. She avers that unauthorized attempts to access her bank account are likely related to the breach (id. ¶ 98) and that she has experienced a “deluge of spam calls, emails, and texts from cybercriminals seeking to defraud her” which has “induced a heightened level of stress and anxiety.” Id. ¶ 100.
B. McCombs’ Claims Based on the preceding facts, McCombs filed the instant matter. She, individually, and on behalf of each member of the putative class, brings three claims stemming from the alleged data breach. First, McCombs asserts Delta acted negligently in failing to promptly notify the employees of the breach and in failing to provide adequate computer systems and data security practices to safeguard the PII and financial information. Id. ¶¶ 73-100. Second, McCombs asserts Delta breached an implied contract which was created when McCombs and the class members provided Delta their PII and financial information in exchange for Delta’s implementation of adequate data security measures to safeguard the PII. Id. ¶¶ 101-109. Third, McCombs argues Delta was unjustly enriched “by unduly taking advantage of” McCombs and the class members and denying them “the ability to make a rational and informed purchasing decision.” Id. ¶¶ 111, 115. The thrust of this claim for relief is (apparently) that class members provided their PII to Delta in order to purchase products and services, but that these same consumers would not have undertaken these
transactions if they had been aware of claimed vulnerabilities in Delta’s cybersecurity. Id. ¶¶ 111- 18. McCombs seeks monetary damages and injunctive relief for herself and the proposed class. Id. at 24-25. McCombs’ claimed damages include the following: “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use” of her PII and financial information; id. ¶ 95, diminution of value of her PII; id. ¶ 21, “lost time, annoyance, interference, and inconvenience”; id. ¶ 22, and “anxiety and increased concerns for the loss of privacy.” Id. McCombs also points this Court to two instances of supposed realized harm: several unauthorized attempts to access her bank account by an unknown actor and a purported increase in spam communications. Id. ¶¶ 98, 100. McCombs argues that the lost time,
unauthorized attempts to access her bank account, and increased number of spam communications are all cognizable injuries.3 Id. at 6. McCombs also alleges general future risks of harm associated with identity theft, but these have yet to materialize. Id. ¶ 23. Indeed, McCombs concedes that the alleged fraudulent activity “may not come to light for years” and highlights “a generalized threat of future harm.” Id. ¶¶ 63,
3 McCombs does not address Delta’s arguments about her diminution in value claims or her annoyance, inconvenience, and anxiety claims. See Addams v. Applied Medico-Legal Sols. Risk Retention Grp., Inc., No. CV 21-952, 2022 U.S. Dist. LEXIS 72286, at *8 (D.N.M. Apr. 20, 2022) (noting that when a party files “an opposition to a dispositive motion and addresses only certain arguments raised by the defendant, a court may treat those arguments that the plaintiff failed to address as conceded” (alteration omitted)). See Doc. 24 at 2-3. 98. Nevertheless, McCombs believes her PII “may end up for sale on the dark web” or may lead to “targeted marketing,” and she is “left to speculate” about the possible future impacts of the breach. Id. ¶¶ 44-45. B. Delta’s Defenses
In its motion to dismiss, Delta first argues McCombs has not alleged an injury in fact to confer standing because she only alleges speculative future harm. Doc. 15 at 6-8. To the extent McCombs has identified some adverse impact resulting from the data breach, Delta argues that McCombs cannot “manufacture” standing by spending time attempting to mitigate harm following the data breach. Delta further claims that any alleged harm cannot be fairly traced to the data breach and McCombs therefore lacks standing to bring her claims. Id. at 2. Alternatively, Delta argues that if even if McCombs has standing, her complaint should be dismissed under Rule 12(b)(6) for failure to state a claim. Id. ANALYSIS A. McCombs’ Standing under Article III
Under Article III of the United States Constitution, a plaintiff is required to have standing to bring their claims. See TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2200 (2021); Brady Campaign to Prevent Gun Violence v. Brownback, 110 F.Supp.3d 1086, 1091 (D. Kan. 2015) (“One of several doctrines reflecting Article III’s case-or-controversy limitation on the judicial power is the doctrine of standing.”). “[T]he elements of standing are not mere pleading requirements but rather an indispensable part of the plaintiff's case.” Colo. Outfitters Ass’n v. Hickenlooper, 823 F.3d 537, 544 (10th Cir. 2016) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992)). To demonstrate Article III standing, the plaintiff must establish three elements. First, the plaintiff must have suffered an injury in fact—an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical. Second, there must be a causal connection between the injury and the conduct complained of—the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court. Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.
Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (internal quotation marks, brackets, and citations omitted). The plaintiff “bears the burden of establishing these elements,” which at the pleading stage means the plaintiff must “allege facts demonstrating each element.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (citations omitted). A party may move to dismiss a complaint for lack of standing under Rule 12(b)(1) for failure to establish subject matter jurisdiction. Hill v. Vanderbilt Cap. Advisors, LLC, 702 F.3d 1220, 1224 (10th Cir. 2012) (noting that standing is “repeatedly characterized” as an element of subject matter jurisdiction). A moving party’s Rule 12(b)(1) challenge may be presented in one of two forms: “(1) facially attack[ing] the complaint’s allegations as to the existence of subject matter jurisdiction, or (2) go[ing] beyond allegations contained in the complaint by presenting evidence to challenge the factual basis upon which subject matter jurisdiction rests.” Merrill Lynch Bus. Fin. Servs., Inc. v. Nudell, 363 F.3d 1072, 1074 (10th Cir. 2004) (quoting Maestas v. Lujan, 351 F.3d 1001, 1013 (10th Cir. 2003)). “When evaluating a plaintiff’s standing at the stage of a motion to dismiss on the pleadings, ‘both the trial and reviewing courts must accept as true all material allegations of the complaint and must construe the complaint in favor of the complaining party.’” S. Utah Wilderness All. v. Palma, 707 F.3d 1143, 1152 (10th Cir. 2013) (quoting Warth v. Seldin, 422 U.S. 490, 501 (1975)). Delta’s motion to dismiss is a facial attack on this Court’s subject matter jurisdiction, and so this Court herein presumes all material allegations in McCombs’ amended complaint as true and construes those averments in her favor. The Court focuses on the first two elements of standing—an injury in fact and a causal connection—to resolve Delta’s motion to dismiss. To establish an injury in fact, McCombs must show that she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” See Lujan, 504 U.S. at
560 (internal quotation marks omitted). A “particularized” injury means that it “must affect the plaintiff in a personal and individual way.” Spokeo, 578 U.S. at 339. For an injury to be “concrete,” it “must actually exist” and be real. Id. at 340. Further, the “threatened injury must be certainly impending to constitute injury in fact.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (emphasis in original) (quotations omitted). B. Standing and data breach litigation Data breach cases present unique and modern issues related to standing, especially concerning allegations of future fraud, identity theft, or other misappropriation of PII. Some circuit courts have concluded that data breach victims have sustained an injury in fact, but in nearly all instances, the allegations included the actual misuse of the data accessed. See Remijas v. Neiman
Marcus, LLC, 794 F.3d 688, 697 (7th Cir. 2015) (conferring standing in class action involving data breach including credit card numbers and fraudulent charges); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 391 (6th Cir. 2016) (holding plaintiffs had standing for claims against an insurance company after a cyberattack exposed PII and instances of attempted fraud); Attias v. Carefirst, Inc., 865 F.3d 620, 630 (D.C. Cir. 2017) (finding standing because of nature of data taken and two named plaintiffs having suffered identity theft); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (conferring standing based on imminent risk of identity theft and misuse of a plaintiff’s personal data); In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018) (same). By contrast, other circuit courts have concluded that data breach victims’ claims do not sustain an injury in fact where there is no allegation of misuse of the data and the plaintiff relies on the inherent harm of the breach and access to their PII to make their claims. See Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011) (concluding that “[i]n data breach cases where no
misuse is alleged . . . there has been no injury”); In re SuperValu, Inc., 870 F.3d 763, 770 (8th Cir. 2017) (dismissing case for lack of standing because allegations that “illicit websites are selling their Card Information to counterfeiters and fraudsters” were “speculative” and “fail[ed] to allege any injury ‘to the plaintiffs’”); Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1344 (11th Cir. 2021) (concluding there was no standing because conclusory allegations of a continuing risk of identity theft “without specific evidence of some misuse of class members’ data” did not establish a concrete injury) (emphasis in original); McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303-04 (2d Cir. 2021) (concluding plaintiffs lacked standing because they did not allege “their PII was subject to a targeted data breach or . . . was misused”). However, “[s]ince the Clapper decision, a majority of the lower federal courts addressing ‘lost data’ or potential identity
theft cases in which there is no proof of actual misuse or fraud have held that plaintiffs lack standing to sue the party who failed to protect their data.” Bradford C. Mank, Data Breaches, Identity Theft, and Article III Standing: Will the Supreme Court Resolve the Split in the Circuits, 92 Notre Dame L. Rev. 1323, 1324 (2017). Without current guidance from the Tenth Circuit, other district courts in this circuit have followed the majority view concluding that a plaintiff does not suffer an injury in fact where their PII is accessed through a data breach but no direct harm results. See Legg v. Leaders Life Ins. Co., 574 F. Supp. 3d 985, 988 (W.D. Okla. 2021) (holding plaintiff’s allegations showed “there is a non-imminent risk of possible future injury following the data breach” and were insufficient to confer standing); C.C. v. Med-Data Inc., No. 21-2301, 2022 WL 970862 (D. Kan. Mar. 31, 2022) (concluding plaintiff did not “allege any particularized facts to corroborate the fear” of fraud or identity theft and the plaintiff could not “rely on the assumption that the ‘criminals . . .’ will misuse the data”); Blood v. Labette Cnty. Med. Ctr., No. 22-04036, 2022 U.S. Dist. LEXIS 191922, at *7
(D. Kan. Oct. 20, 2022) (concluding that “[n]one of the named plaintiffs adequately alleges standing to pursue the claims” despite alleging costs associated with bank fees, identity verification, and loss of time). C. McCombs has not sufficiently alleged injuries that are fairly traceable to the breach. The Court begins by considering McCombs’ allegations of unrealized, potential risks of harm associated with identity theft, including an “imminent and impending injury arising from the substantially increased risk” of future harm. Doc. 13 ¶ 23. McCombs believes her PII “may end up for sale on the dark web” or may lead to “targeted marketing,” and she is “left to speculate” about the possible future impacts of the breach. Id. ¶¶ 44, 45. As her amended complaint indicates, the alleged fraudulent activity “may not come to light for years.” Id. ¶ 63.
Recent United States Supreme Court cases have solidified a plaintiff’s standing requirements. In Clapper v. Amnesty International, the Supreme Court held that injuries that are not “certainly impending” cannot confer standing. 568 U.S. at 410. The Supreme Court reiterated that “[a]llegations of possible future injury” or an “objectively reasonable likelihood” of future injury are insufficient to confer standing and inconsistent with established precedent. Id. at 409- 10 (emphasis in original). When a party’s claim relies on “a highly attenuated chain of possibilities,” that claim “does not satisfy the requirement that threatened injury must be certainly impending.” Id. at 410. See also Summers v. Earth Island Institute, 555 U.S. 488, 495-96 (2009) (rejecting standing premised on a “chance” the at-issue regulations would affect a plaintiff); Lujan, 504 U.S. at 564 (“Such ‘some day’ intentions—without any description of concrete plans, or indeed even any specification of when the someday will be—do not support a finding of the ‘actual of imminent’ injury that our cases require.”). The Supreme Court’s decision in TransUnion LLC v. Ramirez further clarified the point
made in Clapper. 141 S. Ct. 2190 (2021). In explaining its decision, the Court found persuasive the defendant’s argument that the “mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210-11. “[I]f an individual is exposed to a risk of future harm, time will eventually reveal whether the risk materializes in the form of actual harm. If the risk of future harm materializes and the individual suffers a concrete harm, then the harm itself, and not the pre- existing risk, will constitute a basis for the person’s injury and for damages.” Id. at 2211. In other words, as the Court bluntly put it, “[n]o concrete harm, no standing.” Id. at 2200. Following TransUnion, the mere possibility of a potential unrealized injury, without more, does not confer standing. Id. at 2211-13. See also Lujan v. Defs. of Wildlife, 504 U.S. 555, 563 (1992) (“the ‘injury
in fact’ test requires more than an injury to a cognizable interest. It requires that the party seeking review be himself among the injured.”) (quotation marks and citations omitted). Against the weight of this legal authority, McCombs asks this Court to credit the possibility that McCombs’ PII will be used by an unknown cybercriminal to potentially commit fraud or identity theft. This falls well short of what is required under binding precedent. McCombs has not demonstrated that the risk of this future harm has manifested. That is, McCombs has not shown an injury from the theft of her PII. Likewise, the complaint does not allege facts showing a targeted attempt or clear intent to obtain McCombs’ PII for its future use. Indeed, over a year has passed since the data breach and McCombs fails to allege that any of the compromised PII—whether hers or that of the proposed class—has been misused. McCombs’ allegations lie almost entirely in the future, and they are premised on potential illegal activity yet to be committed (and which may never be committed) by an unknown third party. McCombs’ alleged injuries are too speculative to invoke this Court’s jurisdiction. Cooper v. Bonobos, Inc., No. 21-cv-854, 2022 U.S. Dist. LEXIS
9469, at *2 (S.D.N.Y. Jan. 19, 2022) (dismissing claims arising from a data breach because “given the age and nature of the data, the risk of identity theft or fraud is too remote to constitute injury in fact”). Next, the Court looks to the harm McCombs claims she has already incurred including the following: “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use” of her PII and financial information; Doc. 13 ¶ 95, diminution of value of her PII; id. ¶ 21, “lost time, annoyance, interference, and inconvenience”; id. ¶ 22, and “anxiety and increased concerns for the loss of privacy.” Id. Further, McCombs argues she is entitled to damages stemming from lost time attending to closing her old bank account and trying to mitigate potential future harm by “verifying the legitimacy and impact
of the Data Breach, exploring credit monitoring and identity theft insurance options, self- monitoring various accounts, and seeking legal counsel[.]” Id. ¶ 20. In Clapper, the Supreme Court rejected the plaintiffs’ contention that they could “establish standing based on the measures that they have undertaken to avoid” the alleged harm, because the injury the plaintiffs sought to avoid was “not certainly impending.” 568 U.S. at 415. In other words, plaintiffs could not “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm.” Id. (citing Pennsylvania v. New Jersey, 426 U.S. 660, 664 (1976) (“No State can be heard to complain about damage inflicted by its own hand.”); National Family Planning & Reproductive Health Assn., Inc., 468 F.3d 826, 831 (D.C. Cir. 2006) (“We have consistently held that self-inflicted harm doesn’t satisfy the basic requirements for standing.”)). Here, the costs McCombs incurred in response to the Delta data breach are a product of her apprehension of speculative future harm. See Clapper, 568 U.S. at 418 (“Because respondents do
not face a threat of certainly impending interception . . . the costs that they have incurred to avoid surveillance are simply the product of their fear of surveillance . . . that such a fear is insufficient to create standing.”). McCombs’ efforts monitoring her accounts and safeguarding her PII are not a defense against a concrete or imminent threat. See Colo. Outfitters Ass’n, 823 F.3d at 544-45 (“[W]hile imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes— that the injury is certainly impending.”) (internal quotation marks omitted) (citations omitted); McMorris, 995 F.3d at 303 (2d Cir. 2021) (explaining that, when plaintiffs “have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury”) (quoting SuperValu, 870 F.3d at 777). Accordingly,
McCombs’ manufactured harm does not give rise to standing. Finally, McCombs points this Court to two instances of realized harm: unauthorized attempts to access her bank account and a purported increase in spam communications. Id. ¶¶ 98, 100. The Court first considers the alleged unauthorized attempts to access McCombs’ bank account with a focus on the remoteness in time between the data breach and alleged unauthorized bank account access. Standing requires a “causal connection” between the harm and the conduct complained of. Lujan, 504 U.S. at 560. In other words, the injury must be “fairly traceable” to the defendant and not the result of “independent action of some third party not before the court.” Id. (internal quotation marks omitted). “[T]o show that an injury is ‘fairly traceable’ to the challenged conduct, a plaintiff must allege ‘a substantial likelihood that the defendant’s conduct caused plaintiff’s injury in fact.’” Santa Fe All. for Pub. Health & Safety v. City of Santa Fe, New Mexico, 993 F.3d 802, 814 (10th Cir. 2021). In general, a defendant is not liable for injuries that are “too remote,”
“purely contingent,” or “indirect[].” Holmes v. Sec. Inv. Prot. Corp., 503 U.S. 258, 268, 271, 274 (1992). Here, in the year and a half since the breach, McCombs has not identified a causal link between the data breach and the alleged unauthorized access to her bank account. Roughly seven months transpired between the data breach on November 2-5, 2021, and McCombs’ closure of the affected bank account sometime after June 2022. Doc. 13 ¶ 4; Doc. 30 at 40:20-25, 41:1-8. Even a year and a half after the breach, McCombs still has not identified the exact date(s) of the alleged, unauthorized attempts to access her account. Moreover, McCombs does not detail the events of the unauthorized access, how difficult it was to close her account, or whether she has had subsequent financial issues.
When is it too remote to conclude that harm may still befall McCombs following the data breach? McCombs does not provide an answer. The Court is reluctant to infer a causal connection between the alleged bank account access and the data breach almost a year prior when McCombs fails to sufficiently substantiate her claim. Further, the affected bank account no longer exists, thereby eliminating the possibility of unlawful access to that account. See Engl v. Nat. Grocers by Vitamin Cottage, Inc., No. 15-CV-02129, 2016 U.S. Dist. LEXIS 187733, at *20 (D. Colo. Sep. 21, 2016) (“Once the card was cancelled, its number, expiration date and security code were rendered useless, and consequently there is no risk that [the plaintiff] will be held responsible for future fraudulent purchases made using them.”). For these reasons, the Court concludes that the alleged unauthorized access of McCombs’ bank account is not fairly traceable to the data breach and does not confer standing. Similarly problematic are McCombs’ allegations that she has suffered from increased spam communications following the data breach. Spam calls, texts, and e-mails have become very
common in this digitized world, and a number of courts have declined to confer standing when considering an increase in spam communications. See Legg, 574 F. Supp. 3d at 993 (finding that “the receipt of phishing emails . . . does not ‘plausibly suggest’ that any actual misuse of [the p]laintiff’s personal identifying information has occurred”); Blood, 2022 U.S. Dist. LEXIS 191922, at *15 (reasoning “[t]he alleged inconvenient disruptions (such as spam calls, texts, and emails) do not constitute an injury in fact”); Gordon v. Virtumundo, Inc., No. 06-0204, 2007 U.S. Dist. LEXIS 35544, at *26 (W.D. Wash. May 15, 2007) (plaintiff lacked standing because the harm suffered “must rise beyond the level typically experienced by consumers—i.e., beyond the annoyance of spam”); Travis v. Assured Imaging LLC, No. 20-CV-00390, 2021 U.S. Dist. LEXIS 89129, at *5 (D. Ariz. May 10, 2021) (holding “a dramatic increase in targeted spam phone calls
after the ransomware attack” did not constitute an injury for standing purposes); Cooper, 2022 U.S. Dist. LEXIS 9469 at *16 (finding no injury in fact where plaintiff did not demonstrate that spam texts, calls, and e-mails were “fairly traceable” to the data breach); In re Practicefirst Data Breach Litig., No. 1:21-CV-00790, 2022 U.S. Dist. LEXIS 19272, at *18 n.8 (W.D.N.Y. 2022), adopted by district court, 2022 U.S. Dist. LEXIS 137188 (listing cases finding unsolicited spam insufficient to be an injury in fact). But even if this Court were to depart from the preceding decisional authority, McCombs has not provided a nexus between the data breach and the listed unwanted communications. She does not allege that her contact information (e.g., phone number, e-mail address) were included in the data breach, nor does she detail the content or frequency of the spam communications. Based on the pleadings, no reasonable inference can be drawn to establish a nexus between the data breach and the alleged increase in McCombs’ spam communications. Therefore, the Court will not infer, without some supportive allegations, a causal link between the two. In the end, the Court concludes that McCombs has not met her burden to establish an injury in fact that is fairly traceable to the supposed harm. None of the claimed “imminent and impending” injuries, or risks of harm, are sufficiently concrete to constitute an injury in fact, and her pleadings do not detail facts that would prompt this Court to infer a causal connection between the data breach and her pled harms. Consequently, McCombs lacks standing under Article III. CONCLUSION Since McCombs has failed to allege an injury in fact that is fairly traceable to the data breach, and thereby lacks Article III standing, this Court is without subject matter jurisdiction to further adjudicate McCombs’ case. Without subject matter jurisdiction, the Court cannot address Delta’s Rule 12(b)(6) arguments in their motion to dismiss. See D.L. v. Unified Sch. Dist. No. 497, 392 F.3d 1223, 1229 (10th Cir. 2004) (explaining that “‘a determination that the district court lacked jurisdiction over a claim moots any other challenge to the claim, including a different jurisdictional challenge”); Doc. 15 at 13-20. It is hereby ordered that Delta’s Motion to Dismiss Plaintiff's First Amended Complaint, Doc. 13, is granted. McCombs lacks standing to pursue her claim in federal court.
} uf { / ff orem tN UNITED STATES DISTRICT JUDGE MATTHEW L. GARCIA