Michael Bauer v. Fincantieri Marine Group, LLC

• Court: Court of Appeals of Wisconsin
• Decided: November 18, 2025
• Docket: 2024AP001882
• Status: Unpublished

Opinion

COURT OF APPEALS DECISION NOTICE DATED AND FILED This opinion is subject to further editing. If published, the official version will appear in the bound volume of the Official Reports. November 18, 2025 A party may file with the Supreme Court a Samuel A. Christensen petition to review an adverse decision by the Clerk of Court of Appeals Court of Appeals. See WIS. STAT. § 808.10 and RULE 809.62.

Appeal No. 2024AP1882 Cir. Ct. No. 2024CV124

STATE OF WISCONSIN IN COURT OF APPEALS DISTRICT III

MICHAEL BAUER, BONNIE BAUER, NOAH PEARSON, BOBBI SILKWORTH, CRISTA COTTRELL, THERESA LAFOND AND JAMES LAFOND,

PLAINTIFFS-APPELLANTS,

V.

FINCANTIERI MARINE GROUP, LLC,

DEFENDANT-RESPONDENT,

ABC INSURANCE COMPANY AND STARR INSURANCE HOLDINGS D/B/A STARR INDEMNITY & LIABILITY CO.,

DEFENDANTS.

APPEAL from an order of the circuit court for Brown County: MARC A. HAMMER, Judge. Affirmed.

Before Stark, P.J., Hruz, and Gill, JJ. No. 2024AP1882

¶1 STARK, P.J. Michael Bauer, Bonnie Bauer, Noah Pearson, Bobbi Silkworth, Crista Cottrell, Theresa LaFond, and James LaFond (collectively, the Employees) appeal from a circuit court order granting Fincantieri Marine Group, LLC’s (FMG) motion to dismiss the Employees’ multiple contract and tort claims.1 The Employees’ claims are based on a ransomware attack on FMG’s computer systems, which resulted in certain employees’ personally identifiable information and/or personal health information being accessed and/or acquired by an unauthorized third party or parties. However, the Employees do not allege in their complaint that the breach of their sensitive information resulted in identity theft, fraud, or any other misuse of the data.

¶2 The circuit court dismissed the complaint, concluding that the Employees lacked standing to assert their negligence claim and that they otherwise failed to state a claim on their remaining causes of action. The Employees challenge the dismissal on appeal. Under the circumstances of this case, we conclude that the Employees lack standing to assert any of their claims against FMG because the possibility of future identity theft is not sufficiently imminent. For the reasons that follow, we affirm dismissal of the Employees’ complaint.

BACKGROUND

¶3 On April 12, 2023, FMG, an American shipbuilder of government and commercial vessels, discovered a cyberattack on its computer systems, and it determined that its current and former employees’ sensitive information may have

1 The named plaintiffs-appellants in this class action lawsuit are “individuals who were previously employed or currently employed” by FMG and had their personal information accessed during a data breach. The plaintiffs-appellants seek to certify two subclasses in this case: those individuals affected by the data breach living in Wisconsin and Michigan.

2 No. 2024AP1882

been viewed or collected by an unauthorized third party or parties. FMG notified the affected individuals of the data breach on January 5, 2024. The notice explained that the personal information impacted in the data breach included “individuals’ names, … date of birth, Social Security number, diagnosis information, health insurance information, full face picture, medical account number, and/or claim or complaint number.” The notice further stated that “[u]pon learning of this incident, we immediately secured our environment, investigated to determine the nature and scope of the incident, and notified law enforcement” and that FMG had “implemented additional technical safeguards to help prevent a similar incident in the future.” Finally, FMG offered “impacted individuals access to complimentary credit monitoring and identity protection services through Experian.”

¶4 On January 25, 2024, the Employees brought this class action lawsuit against FMG. The complaint alleges claims for negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of the implied covenant of good faith and fair dealing, breach of a third-party beneficiary contract, and for declaratory and injunctive relief.

¶5 In particular, the Employees assert that FMG failed to “properly secure and safeguard sensitive and confidential personally identifiable information.” The Employees further claim that, “[a]s a direct and proximate result of” the data breach, they are

facing ongoing, imminent, impending threats of identity theft crimes, fraud, scams, and other misuses of their [p]ersonal [i]nformation; ongoing monetary loss and economic harm; loss of value of privacy and confidentiality of the stolen [p]ersonal [i]nformation; illegal sales of the compromised [p]ersonal [i]nformation; mitigation expenses and time spent on credit monitoring; identity theft

3 No. 2024AP1882

insurance costs; credit freezes/unfreezes; expense and time spent on initiating fraud alerts and contacting third parties; decreased credit scores; lost work time; and other injuries.

However, in the complaint, none of the Employees allege that any identity theft or data misuse has actually occurred.

¶6 As a result, FMG filed a motion to dismiss, arguing that the Employees’ complaint should be dismissed for lack of standing because they “cannot point to a legally protected interest that suffered an injury.” According to FMG, the Employees “can point to no evidence that their information was accessed or misused in any way; rather, their primary argument is that they face ‘ongoing, imminent, impending threats of’” “identity theft at some unknown time in the future.” FMG argued that the Employees “offer[ed] zero facts to suggest any such harm is truly imminent or substantially likely to occur.”

¶7 Based on the parties’ briefs, the circuit court issued a thorough and well-reasoned written decision granting FMG’s motion to dismiss. The court concluded, based on its review of both binding and persuasive legal authority, that “[i]t is clearly not the case, as [the Employees] have declared, that a ‘threat of future identity theft’ alone is sufficient to establish standing.” According to the court, it had not been presented with a case that “would support a finding of standing in this matter absent some allegation that identity theft or misuse of protected information has actually already occurred such that future, related harms like those alleged in [the Employees’] complaint are sufficiently imminent under the law.” As a result, the court determined that the Employees did not have standing to bring their negligence action.

¶8 On a distinct, but related basis, the circuit court further determined that the Employees had failed to state a claim for relief on their remaining causes

4 No. 2024AP1882

of action. Specifically, the court observed that the Employees “seem to have abandoned their negligence per se claim in failing to rebut FMG’s arguments in briefing.” On the claims for breach of an express and an implied contract, the court reiterated that the Employees had “alleged unduly speculative, future harms that [also] cannot serve as the basis for a breach of contract claim.” The court dismissed the Employees’ unjust enrichment claim because the Employees “conferred no benefit to FMG when they provided FMG with their personal information.”

¶9 The circuit court also dismissed the breach of fiduciary duty claim, noting that under Wisconsin law, an employer-employee relationship does not create a fiduciary duty and finding that the “complaint alleges no facts that demonstrate the existence of a special relationship between [the Employees] and FMG.” On the causes of action for breach of third-party beneficiary contract and breach of the covenant of good faith and fair dealing, the court found that the Employees had “not established the existence of a valid contract between [the Employees] and FMG which would impose an obligation of the sort that is relevant to their underlying claim.” Finally, the court found that claims for both declaratory and injunctive relief were inappropriate under the circumstances. The Employees appeal.

DISCUSSION

¶10 We resolve this case based entirely on whether the Employees have standing to bring their claims. Although the circuit court narrowed its conclusion on standing to the Employees’ negligence claim specifically, we conclude that the Employees lack standing to pursue all of their claims based on their failure to allege an injury in fact or an interest that will be injured. See Blum v. 1st Auto &

5 No. 2024AP1882

Cas. Ins. Co., 2010 WI 78, ¶27 n.4, 326 Wis. 2d 729, 786 N.W.2d 78 (explaining that we may affirm the circuit court on other grounds).

¶11 “Whether a party has standing is a question of law that we review independently.” Friends of the Black River Forest v. Kohler Co., 2022 WI 52, ¶10, 402 Wis. 2d 587, 977 N.W.2d 342 (citation omitted). Under Wisconsin law, we determine whether a party has standing by considering the following:

(1) whether the party whose standing is challenged has a personal interest in the controversy (sometimes referred to in the case law as a “personal stake” in the controversy); (2) whether the interest of the party whose standing is challenged will be injured, that is, adversely affected; and (3) whether judicial policy calls for protecting the interest of the party whose standing has been challenged.

Foley-Ciccantelli v. Bishop’s Grove Condo. Ass’n, 2011 WI 36, ¶5, 333 Wis. 2d 402, 797 N.W.2d 789. The law of standing is liberally construed. Krier v. Vilione, 2009 WI 45, ¶20, 317 Wis. 2d 288, 766 N.W.2d 517. “To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if they have suffered an injury then damages are available.” Reetz v. Advocate Aurora Health, Inc., 2022 WI App 59, ¶8, 405 Wis. 2d 298, 983 N.W.2d 669 (citation omitted). “Being damaged, however, without more, does not automatically confer standing.” Krier, 317 Wis. 2d 288, ¶20.

¶12 “Unlike in federal courts, which can only hear ‘cases’ or ‘controversies,’ standing in Wisconsin is not a matter of jurisdiction, but of sound judicial policy.” McConkey v. Van Hollen, 2010 WI 57, ¶15, 326 Wis. 2d 1, 783 N.W.2d 855 (footnote omitted). Nevertheless, Wisconsin courts look to federal case law as persuasive authority to resolve questions of standing. Friends of the Black River Forest, 402 Wis. 2d 587, ¶17.

6 No. 2024AP1882

¶13 The Employees allege that they “are at a risk of future injuries such as the increased risk of fraudulent charges and identity theft … because their data has already been stolen,” and they assert that “[t]he threat of this future harm or injury is concrete and proximately caused by FMG’s negligence despite the lack of fraudulent charges or activities to date.” In response, FMG stresses that there are no allegations that any of the Employees have “had his or her identity stolen, suffered any sort of fraud, or had his or her personal data misused in any way.” Thus, explains FMG, the Employees’ “theory of injury is based entirely on the premise” of a speculative, future harm.

¶14 We conclude that the circuit court appropriately determined that the Employees lack standing to bring their negligence claim because they have not alleged any injury, apart from the risk of future harm, as a result of FMG’s data breach. For this same reason, we also conclude that the Employees’ claims against FMG for breach of contract, breach of implied contract, breach of fiduciary duty, breach of the implied covenant of good faith and fair dealing, unjust enrichment, breach of a third-party beneficiary contract, and for declaratory and injunctive relief fail for a lack of standing.2 Based on our review of the

2 We note that the Employees also asserted a claim for negligence per se based on FMG’s alleged failure to meet data security standards set forth in Section 5 of the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act. See Antwaun A. ex rel Muwonge v. Heritage Mut. Ins. Co., 228 Wis. 2d 44, 66-67, 596 N.W.2d 456 (1999) (outlining the elements of a negligence per se claim).

Based on our review of the briefing before the circuit court, we agree with the court and FMG that the Employees abandoned their negligence per se claim by failing to refute FMG’s arguments seeking dismissal of that claim. See State v. Huebner, 2000 WI 59, ¶10, 235 Wis. 2d 486, 611 N.W.2d 727 (“It is a fundamental principle of appellate review that issues must be preserved at the circuit court.”); see also Charolais Breeding Ranches, Ltd. v. FPC Sec. Corp., 90 Wis. 2d 97, 109, 279 N.W.2d 493 (Ct. App. 1979) (noting that arguments not refuted are deemed conceded). We affirm the circuit court’s dismissal of the Employees’ negligence per se claim on this basis.

7 No. 2024AP1882

relevant legal authority, we conclude that the threat of future identity theft or fraud, on its own, is insufficient to establish standing for any claim in this case.

¶15 Both FMG and the Employees rely on Reetz in support of their respective positions. In Reetz, Janet Reetz filed a class action lawsuit against Advocate Aurora Healthcare, Inc., alleging many of the same claims as those asserted by the Employees in this case, based on a data breach of personal information from Advocate Aurora’s systems. See Reetz, 405 Wis. 2d 298, ¶1. As a result of the data breach, 63 employees had their direct deposit information changed to deposit paychecks into the cybercriminal’s account(s), and Reetz specifically “alleged that she suffered $2,700 in fraudulent charges against her bank account and a resulting $600 in insufficient funds and overdraft fees.” Id., ¶¶3, 8. We concluded that Reetz’s allegations were sufficient to establish standing. Id., ¶9. In addition to the alleged fraudulent charges on her bank account and the resulting fees, we credited her claims of time spent addressing the fraud charges on her account, money spent mitigating threats of future fraud, and the threat of future identity theft as sufficient to establish standing. Id., ¶8 (citing Fox v. Iowa Health Sys., 399 F. Supp. 3d 780, 790 (W.D. Wis. 2019)).

¶16 We agree with the circuit court and FMG that Reetz does not support a conclusion that a threat of future identity theft alone is sufficient to establish standing in Wisconsin. The circuit court drew an apt distinction between Reetz, which was a “data breach identity theft case,” and this case, which is merely a data breach case. Reetz does not support the proposition that the entirely prospective and hypothetical risk of identity theft—or the expenditures undertaken to guard against that hypothetical risk—are sufficient to establish standing under Wisconsin law.

8 No. 2024AP1882

¶17 Central to our decision in this case is the fact that the Employees do not allege in their complaint that anyone has fallen victim to identity theft, fraud, or any other type of digital scam.3 Neither do the Employees allege that they have been subjected to phishing emails, spam phone calls, or “blackmail from nefarious actors concerning the disclosure of their medical records.” They also do not allege that any of the stolen information was found on the “dark web.” In their complaint, the Employees merely allege an “increased risk” of these things happening. Thus, all of the Employees’ alleged injuries are possible future harms or related to the threat of those future harms.

¶18 Under the circumstance here, in order for the Employees to establish standing—in other words, an injury to a party’s interest that judicial policy calls for protecting, see Foley-Ciccantelli, 333 Wis. 2d 402, ¶5—the Employees must allege sufficiently present or imminent future harm demonstrated, in this case, by asserting that the data subject to the breach has already been accessed and misused by a third party in some way, see Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (explaining “that ‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient” (alteration in original; citation omitted)); see also Hennekens v. Hoerl, 160 Wis. 2d 144, 152-53, 465 N.W.2d 812 (1991) (“Actual damage is harm that has already occurred or is reasonably certain to occur in the future,” “not the mere

3 FMG notes that the data breach occurred in April 2023, and “[b]y the time [the Employees] replied to FMG’s motion to dismiss in the [c]ircuit [c]ourt, a year had passed.” See Beck v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017) (“‘[A]s the breaches fade further into the past,’ the Plaintiffs’ threatened injuries become more and more speculative.” (citation omitted)); McCombs v. Delta Grp. Elecs., Inc., 676 F. Supp. 3d 1064, 1072 (D.N.M. 2023) (“[O]ver a year has passed since the data breach and McCombs fails to allege that any of the compromised [personal information]—whether hers or that of the proposed class—has been misused.”).

9 No. 2024AP1882

possibility of future harm.” (footnote omitted)). Speculation about future identity theft, which may or may not occur as a result of a data breach that occurred more than two years ago, is insufficient.

¶19 The Employees argue that our conclusion above lacks support under federal law. Although the Employees concede that “Wisconsin and the [Seventh] Circuit [Court of Appeals] do[] not have a case on all fours” with this case, they present several cases for our review, which they assert provide persuasive authority that the risk of future identity theft is sufficient to establish standing. Specifically, the Employees argue that Fox; Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), “clearly define what happens in future harm cases related to data breaches” and “are highly persuasive and instructive that the risk of future identity theft is sufficient to establish standing.”

¶20 For example, in Fox, the plaintiffs alleged that hackers obtained private health information and personal identifying information, leading to attempted identity theft, fraudulent charges, and scam communications. Fox, 399 F. Supp. 3d at 787-89. The District Court for the Western District of Wisconsin concluded that the plaintiffs had “alleged facts sufficient to establish an objectively reasonable likelihood of future identity theft,” citing the theft of Social Security numbers, the provision of identity-theft protection services, and the plaintiffs’ experiences of fraud attempts and spam communications. Id. at 790-91.

¶21 In Remijas, a cyberattack against Neiman Marcus disclosed information related to 350,000 customers’ credit cards, and 9,200 of those cards had been used fraudulently. Remijas, 794 F.3d at 690. The Seventh Circuit held that the increased risk of identity theft constituted a substantial risk of harm

10 No. 2024AP1882

sufficient for standing. Id. The court also emphasized the aggravation and time lost addressing fraudulent charges as concrete injuries. Id. at 692.

¶22 Finally, in Lewert, a restaurant data breach exposed credit and debit card information. Lewert, 819 F.3d at 965. The Seventh Circuit, relying on Remijas, found standing based on the substantial risk of harm from the breach, fraudulent charges experienced by one plaintiff, and mitigation expenses incurred. Lewert, 819 F.3d at 966-67.

¶23 FMG counters that in each of these cases, at least one plaintiff alleged actual misuse of data, which made the risk of future harm sufficiently imminent and concrete. See Fox, 399 F. Supp. 3d at 789 (noting that the “plaintiffs ha[d] been victims of attempted identity theft and fraud as well as scam phone calls and emails” and that one plaintiff “discovered a suspicious charge on his credit card”); Remijas, 794 F.3d at 691 (relating that multiple plaintiffs experienced fraudulent charges); Lewert, 819 F.3d at 965 (noting that one plaintiff had four fraudulent transactions on his credit card).4 FMG argues that the absence of demonstrated data misuse in the present case distinguishes it from these precedents.

¶24 The Employees disagree, arguing that “[w]hether there was already identity theft was not a dispositive fact in [the courts’] analys[e]s” in Fox,

4 The Employees also rely heavily on Linman v. Marten Transport, Ltd., No. 22-CV-204, 2023 WL 2562712 (W.D. Wis. Mar. 17, 2023). In that case, Scott Linman provided his personal information to Marten Transport on a job application, which was stored on Marten’s servers and later compromised in a data breach. Id. at *1. Importantly, Linman alleged that his debit card information was “used by unauthorized third parties.” Id. After noting that the facts in the case were similar to Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), the court ultimately determined that Linman had standing to sue. Linman, 2023 WL 2562712, at *3.

11 No. 2024AP1882

Remijas, and Lewert. That assertion, however, ignores that the courts in those cases were not asked to resolve the question of whether the plaintiffs had standing absent any demonstrated identity theft. The fact that the above-mentioned courts did not address an issue—i.e., standing absent identity theft—that did not exist in those cases is not dispositive of our review here. Standing derives from the nature and immediacy of the claimed injury, meaning that it is a fact-specific inquiry and legal precedent cannot be applied blindly.

¶25 Furthermore, as FMG identifies, after Fox, Lewert, and Remijas were decided, the United States Supreme Court decided TransUnion LLC v. Ramirez, 594 U.S. 413 (2021). TransUnion involved a claim that the credit reporting agency “failed to use reasonable procedures to ensure the accuracy of their credit files” in violation of the Fair Credit and Reporting Act and that some of the misleading credit reports were disclosed to third parties. Id. at 417. The Court determined that the plaintiffs whose reports were not disclosed did not suffer a concrete harm, even though they faced a risk of future disclosure. Id. at 435-37. Because there was no evidence in the record to “establish[] a serious likelihood of disclosure” of those reports, the Court reasoned that “we cannot simply presume a material risk of concrete harm.” Id. at 438. Thus, the Court held that the risk of future harm, standing alone, cannot constitute an injury-in-fact for Article III purposes in a lawsuit seeking damages. See id. 435-38.

¶26 In the wake of the Court’s TransUnion decision, the Seventh Circuit has recognized that “TransUnion marked a shift in the Court’s standing jurisprudence.” Dinerstein v. Google, LLC, 73 F.4th 502, 516 (7th Cir. 2023); see also Ewing v. MED-1 Sols., LLC, 24 F.4th 1146, 1152 (7th Cir. 2022) (“TransUnion makes clear that a risk of future harm, without more, is insufficiently concrete to permit standing to sue for damages in federal court.”).

12 No. 2024AP1882

Subsequent cases have applied TransUnion to data breach claims, emphasizing the need for allegations of actual data misuse to establish standing. See, e.g., Pulliam v. West Tech. Grp., LLC, No. 23-CV-159, 2024 WL 356777, at *7 (D. Neb. Jan. 19, 2024) (stating that plaintiffs’ “claims of a substantial risk of future injury due to [a] data breach are either conclusory or speculative”); Kim v. McDonald’s USA, LLC, No. 21-CV-05287, 2022 WL 4482826, at *5 (N.D. Ill. Sept. 27, 2022) (dismissing claims for lack of standing where “none of the [p]laintiffs have alleged that they, in fact, fell victim to a phishing scam or otherwise had their identities stolen”); Legg v. Leaders Life Ins. Co., 574 F. Supp. 3d 985, 993 (W.D. Okla. 2021) (“Given the holding in TransUnion, it is far from clear that any case finding a concrete injury based merely on an abstract risk of future identity theft following a data breach is still good law, at least with respect to a claim for damages.”).

¶27 Based on our review of the above authorities, we are persuaded that the risk of future harm and the actions taken to protect against that risk, as alleged by the Employees in this case, remain too attenuated and speculative to confer standing to pursue their claims, absent a demonstration that identity theft or data misuse has already occurred. Without allegations of any previous identity theft or data misuse suffered by themselves or any other members of the class, the Employees have failed to allege sufficiently imminent or certainly impending future injury. Cf. Attias v. CareFirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017) (“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury.”). Here, the Employees have established only a “mere possibility of future harm.” See Hennekens, 160 Wis. 2d at 153; see also Tietsworth v. Harley-Davidson, Inc., 2004 WI 32, ¶17, 270 Wis. 2d 146, 677 N.W.2d 233 (“Actual damage is harm that has already occurred

13 No. 2024AP1882

or is ‘reasonably certain’ to occur in the future. Actual damage is not the mere possibility of future harm.” (citations omitted)).

¶28 We pause to further discuss the Employees’ claims for declaratory and injunctive relief. The power of courts to issue a declaratory judgment is found under the uniform declaratory judgments act, pursuant to which a circuit court “shall have power to declare rights, status, and other legal relations whether or not further relief is or could be claimed.” WIS. STAT. § 806.04(1) (2023-24). “A court must be presented with a justiciable controversy before it may exercise its jurisdiction over a claim for declaratory judgment.” Olson v. Town of Cottage Grove, 2008 WI 51, ¶28, 309 Wis. 2d 365, 749 N.W.2d 211; see also Milwaukee Dist. Council 48 v. Milwaukee County, 2001 WI 65, ¶37, 244 Wis. 2d 333, 627 N.W.2d 866 (discussing the standard to apply to determine whether there is a justiciable controversy). “Injunctive relief may be granted in aid of a declaratory judgment.” Lewis v. Young, 162 Wis. 2d 574, 581, 470 N.W.2d 328 (Ct. App. 1991). “To obtain injunctive relief, a party must generally show: (1) sufficient probability that future conduct will violate a right and cause injury; (2) that the injury will be irreparable; and (3) that no adequate remedy exists at law for the injury.” Teague v. Schimel, 2017 WI 56, ¶122, 375 Wis. 2d 458, 896 N.W.2d 286.

¶29 The Employees argue that “[a] declaratory judgment does not require that an injury is suffered before seeking relief and [the Employees] have sufficiently proven the threat of future harm.” See Milwaukee Dist. Council 48, 244 Wis. 2d 333, ¶41. However, even if FMG was negligent by failing to adequately protect the Employees’ data, the Employees have not sufficiently alleged that they face an imminent risk of future harm as a result of the data breach in this case.

14 No. 2024AP1882

¶30 We agree with the circuit court that “it is unclear how the injunction that [the Employees] seek would have any effect on the harm that [they] fear may result from the data breach itself” because their “personal information has already been illicitly accessed”; therefore, “no present change in FMG’s policies and practices can put the genie back in the bottle.” The Employees acknowledge that FMG has already “taken some measures to contain the breach,” which finds support in the notice FMG provided to the Employees, but they essentially request that the court order FMG take additional mitigation action. The Employees do not explain, however, how requiring FMG to implement new data security practices would protect against the future risk of the data that was already subject to the data breach being misused. See Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 378 (1st Cir. 2023) (“[A]n injunction requiring [the defendant] to improve its cybersecurity systems cannot protect the plaintiffs from future misuse of their [personal information] by the individuals they allege now possess it.”). Any such relief would safeguard only against a future breach.

¶31 Beyond their conclusory statements alleging an increased risk of a future breach, which are undermined by the Employees’ recognition that FMG has already taken some action to prevent further data breaches, the Employees do not and cannot allege that FMG is subject to a different or an increased risk of a cyberattack as compared to other organizations. As the First Circuit Court of Appeals explained, “If that risk were deemed sufficiently imminent to justify injunctive relief, virtually every company and government agency might be exposed to requests for injunctive relief like the one the plaintiffs seek here.” Id.

¶32 We also separately mention the Employees’ unjust enrichment claim, which differs from their other claims given that damages or an injury are not specifically a required element. See Tri-State Mech., Inc. v. Northland Coll.,

15 No. 2024AP1882

2004 WI App 100, ¶14, 273 Wis. 2d 471, 681 N.W.2d 302 (outlining the elements of an unjust enrichment claim); Management Comput. Servs. v. Hawkins, Ash, Baptie & Co., 206 Wis. 2d 158, 188, 557 N.W.2d 67 (1996) (“[U]njust enrichment is based on equitable principles, with damages being measured by the benefit conferred upon the defendant, not the plaintiff’s loss.”). Here, the Employees lack standing to pursue their unjust enrichment claim because they have not alleged facts demonstrating that they conferred any cognizable benefit upon FMG. Furthermore, the Employees’ complaint asserts what appear to be legal conclusions or speculation rather than factual allegations.

¶33 Wisconsin law requires a direct, material benefit retained by FMG before equity will intervene, and the exchange of routine employment information does not constitute such a benefit. See Reetz, 405 Wis. 2d 298, ¶29 (“To find that a benefit was conferred upon Aurora by Reetz would mean that it was to Aurora’s benefit for Reetz to provide her [personally identifiable information]—rather, at best we could reasonably infer that Aurora needed Reetz’s [information] to comply with federal and state regulations of employers.”). Under the circumstances, we conclude that this claim, which sounds in equity, fails to satisfy the elements necessary to confer standing under Wisconsin law. See Foley-Ciccantelli, 333 Wis. 2d 402, ¶5.

¶34 Therefore, due to the Employees’ overall failure to allege a concrete and particularized injury as a result of the data breach, we conclude that the Employees lack standing to assert any of their claims against FMG. As explained above, and as relevant here, Wisconsin law determines standing by investigating “whether the interest of the party whose standing is challenged will be injured, that is, adversely affected” and “whether judicial policy calls for protecting the interest of the party whose standing has been challenged.” See Foley-Ciccantelli, 333

16 No. 2024AP1882

Wis. 2d 402, ¶5. “When no statute, rule, or constitutional provision directly governs the standing analysis, a court determines these … aspects of standing by examining the facts to determine whether an injured interest exists that falls within the ambit of relevant legal principles that judicial policy calls for protecting.” Id., ¶6. Based on the facts presented in their complaint, the Employees have failed to demonstrate an “injured interest” for any of their claims in this case. See id. Put another way, judicial policy does not support extending protection to a wholly speculative future risk of identity theft, no matter how the Employees attempt to frame the claim. Thus, the Employees lack standing to bring the claims in this case, and the circuit court properly granted FMG’s motion to dismiss.5

By the Court.—Order affirmed.

Not recommended for publication in the official reports.

5 Because we conclude that the Employees lack standing to assert their claims, we need not address whether the Employees failed to state a claim for relief on their asserted causes of action. See Turner v. Taylor, 2003 WI App 256, ¶1 n.1, 268 Wis. 2d 628, 673 N.W.2d 716 (noting that we need not address all issues when the resolution of one of those issues is dispositive).

We note, however, that under the facts of this unique case, the basis for the lack of standing—i.e., a lack of a demonstrated injury or damages—also provides a basis to affirm the circuit court’s conclusion that the Employees failed to state a claim for relief. Most of the claims the Employees assert have an element requiring a showing of an injury, imminent harm, or damages. See Gritzner v. Michael R., 2000 WI 68, ¶19, 235 Wis. 2d 781, 611 N.W.2d 906 (common law negligence); Brew City Redevelopment Grp., LLC v. Ferchill Grp., 2006 WI App 39, ¶11, 289 Wis. 2d 795, 714 N.W.2d 582 (breach of contract); Berner Cheese Corp. v. Krug, 2008 WI 95, ¶40, 312 Wis. 2d 251, 752 N.W.2d 800 (breach of fiduciary duty); Olson v. Town of Cottage Grove, 2008 WI 51, ¶28, 309 Wis. 2d 365, 749 N.W.2d 211 (declaratory judgment requires “justiciable controversy”); Teague v. Schimel, 2017 WI 56, ¶122, 375 Wis. 2d 458, 896 N.W.2d 286 (injunctive relief). For the reasons stated above, the Employees could not and did not plead an injury, imminent harm, or damages.