UNITED STATES DISTRICT COURT EASTERN DISTRICT OF KENTUCKY CENTRAL DIVISION (at Lexington)
RODNEY SILVEIRA, individually and ) purportedly on behalf of all others ) similarly situated, ) ) Plaintiff, ) Civil Action No. 5: 25-048-DCR ) V. ) ) COMMERCIAL SPECIALTY TRUCK ) MEMORANDUM OPINION HOLDINGS, LLC, ) AND ORDER ) Defendant. )
*** *** *** *** Plaintiff Rodeny Silveira initiated this action, individually and purportedly on behalf of all others similarly situated, after cybercriminals accessed his sensitive data from Defendant Commercial Specialty Truck Holdings, LLC (“CSTH”). CSTH moved to dismiss insisting the plaintiff lacks Article III standing or, alternatively, for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Procedure. [Record No. 13] CSTH’s motion will be granted in part and denied in part for the reasons that follow. I. Background Silveira was formerly employed by Bridgeport Truck Manufacturing, which was later acquired by CSTH. [Record No. 1 at ¶ 36] Defendant CSTH “is a specialty vehicle manufacturer based in Cynthiana, Kentucky [that] operates through several brands including Continental Micers, E-Z Pack Trucks, One Source Parts, and Dynamic Towing and Manufacturing.” Id. at ¶ 2. On August 13, 2024, CSTH “became aware of suspicious activity occurring within [its] network.” Id. at ¶ 17. It was not until February 11, 2025, that Silveira received a data breach notice explaining that his personal identifiable information and protected health information
(collectively “PII/PHI”) may have been exposed in the breach. Id. at ¶ 36. By then, the PII/PHI was not merely accessed and viewed by cybercriminals but was also downloaded and stolen. Id. at ¶ 18 (explaining in data breach notice that “certain files and folders were copied from the CSTH environment without authorization on or about August 7, 2024”). The notorious ransomware group INC Ransom took credit for the data breach and posted confidential documents from E-Z Pack (a subsidiary of CSTH) to its dark web website. Id. at ¶¶ 30–34. The cybercriminals accessed CSTH’s systems for at least a week before CSTH
uncovered the breach. See id. at ¶¶ 17–18. During that time, the hackers had access to CSTH’s former and current employees PII/PHI, including their names, addresses, Social Security numbers, health insurance information, and medical information. Id. at ¶ 19. Despite the broad swath of data exposed, CSTH waited six months before notifying the individuals affected by the breach. Id. at ¶ 20. Since the data breach, Silveira has seen a “dramatic increase in in spam text messages—
about 20 to 30 per day—purporting to be about loans.” Id. at ¶ 44. He understands this to mean “that his PII has already been placed in the hands of cybercriminals” as he has not taken out any such loans. See id. The data breach has necessitated greater supervision of his personal data and added ongoing stress, fear, and anxiety. Id. at ¶¶ 46–48. Silveira brought this purported class action on behalf of himself and all others similarly situated. He asserts claims against CSTH for negligence (Count I), negligence per se (Count II), breach of implied contract (Count III), breach of implied covenant of good faith and fair dealing (Count IV), invasion of privacy (Count V), unjust enrichment (Count VI), breach of fiduciary duty (Count VII), breach of confidence (Count VIII), violation of Kentucky Consumer Protection Act (Count IX), and declaratory judgment (Count X). [Record No. 1]
The defendant moved to dismiss under Rules 12(b)(1) and (b)(6) of the Federal Rules of Civil Procedure, arguing that the plaintiff lacked standing and failed to state a claim on all counts. [Record No. 13] Silveira voluntarily withdrew his claims for negligence per se, breach of implied covenant of good faith and fair dealing, breach of confidence, and violation of Kentucky Consumer Protection Act. [Record No. 21 at 17 n.4] He also requested leave to amend his Complaint should the Court find any count inadequately pled. Id. at 25. II. Analysis (Subject Matter Jurisdiction)
A. Article III Standing A plaintiff must demonstrate that the court has subject matter jurisdiction to overcome dismissal under Rule 12(b)(1) of the Federal Rules of Civil Procedure. Madison-Hughes v. Shalala, 80 F.3d 1121, 1130 (6th Cir. 1996). The irreducible constitutional minimum for standing requires: (1) “injury in fact,” (2) “a causal connection between the injury and the conduct complained of,” and (3) a likelihood that “the injury will be ‘redressed by a favorable
decision.’” Carman v. Yellen, 112 F.4th 386, 399 (6th Cir. 2024) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). For injury in fact, a plaintiff must demonstrate “a concrete and particularized, actual or imminent invasion of a legally protected interest.” Lujan, 504 U.S. at 555. Various intangible harms such as reputational harm, disclosure of private information, and intrusion upon seclusion also can constitute concrete harms. TransUnion LLC v. Ramirez, 594 U.S. 413, 425 (2021) (citations omitted). “‘The party invoking federal jurisdiction’ must establish these elements commensurate with the burden of proof required at each stage of a litigation.” Carman, 112 F.4th at 399 (quoting Lujan, 504 U.S. at 561). For example, the burden at the pleading stage only requires
a plaintiff to “plausibly assert standing.” Christian Healthcare Centers, Inc. v. Nessel, 117 F.4th 826, 842 (6th Cir. 2024) (citing Ass’n of Am. Physicians & Surgeons v. FDA, 13 F.4th 531, 543–44 (6th Cir. 2021)). Whereas “at the summary judgment stage, such a party can no longer rest on . . . mere allegations, but must set forth by affidavit or other evidence specific facts” to show standing. Clapper v. Amnesty Int’l USA, 568 U.S. 398, 412 (2013) (citations and quotations omitted). When a defendant mounts a facial challenge to subject matter jurisdiction based on a lack of standing, the court treats “the allegations in those pleadings as
true” and construes all reasonable inferences in the plaintiff’s favor. Christian Healthcare Centers, Inc., 117 F.4th at 842 (citing Ass’n of Am. Physicians & Surgeons, 13 F.4th at 543– 44; Parsons v. U.S. Dep’t of Justice, 801 F.3d 701, 710 (6th Cir. 2015)). Defendant CSTH makes a facial attack to the plaintiff’s standing to bring these claims. [Record No. 13] It argues that the Complaint fails to assert an Article III injury which is fairly traceable to CSTH’s conduct. More specifically, CSTH insists that Silveira does not establish
a sufficient injury for the alleged increase in spam text messages, time and effort spent monitoring his accounts, risk of future identity theft, violation of privacy, and diminution in the value of his personal information. Id. at 4–10. It further contends that Silveira does not show traceability from its conduct for any of the above alleged injuries. Id. at 10–11. But Silveira insists he has Article III standing because he has “suffered presently felt harm fairly traceable to the Data Breach including fraudulent misuse of the PHI/PII unauthorizedly disclosed, invasion of [his] privacy rights, diminution in value of the data, lost time, and emotional distress, as well as risk of imminent future harm.” [Record No. 21 at 2] He reiterates that cybercriminals have already stolen his data by CSTH’s own admission. Id. at 1. In any event, he asserts that the nature of the breach causes him to face a continuing
“substantial risk of identity theft.” Id. at 5. Regarding traceability, Silveira contends that CSTH’s failure to properly secure its sensitive data and timely notify the victims show that these injuries are traceable to CSTH’s actions and inactions. Id. at 8. The United States Court of Appeals for the Sixth Circuit addressed a similar standing issue in the context of a data breach in Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016). There, hackers broke into Nationwide’s data stores and dispersed personal information from over one million customers and potential customers. The panel reversed the
district court’s dismissal on standing grounds and held that “allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage.” Id. at 388. Here, the plaintiff makes both assertions. [Record No. 1 at ¶¶ 51, 54] The United States Supreme Court’s decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), does not change this result. In TransUnion, the Court considered whether
consumers with misleading alerts on their credit report had standing to sue the offending credit bureau. The alerts were based on false information indicating the plaintiffs were potentially included in a list of individuals who posed a national security threat. The Supreme Court held that “[t]he risk of future harm on its own [wa]s not enough to support Article III standing for their damages claim.” Id. at 415 (emphasis added). However, it also concluded that the release of the false information sufficiently resembled the harm “traditionally recognized as providing a basis for a lawsuit in American courts—namely, the reputational harm associated with the tort of defamation.” Id. at 432. Thus, members of the class who faced the dissemination of that information to third parties had standing, while consumers who merely received the misleading alerts did not.
The facts presented here concerning standing are on all fours with Galaria. Silveira alleges that his PII/PHI has already been stolen by hackers, as evidenced by CSTH’s own admission and INC Ransom’s post on the dark web containing confidential documents from E-Z Pack, CSTH’s subsidiary. This injury is concrete since there “is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill- intentioned criminals.” Galaria, 663 F. App’x at 388. And because the defendant raises a facial attack to standing, the Court takes the plaintiff’s pleadings as true. Further, at the motion
to dismiss stage, “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.” Id. The undersigned makes such an inference here. Likewise, Silveira has satisfied traceability. Like the plaintiffs in Galaria, he alleges his injuries are fairly traceable to CSTH’s failure to protect his PII/PHI from cybercriminals. [Record No. 21 at 6–8]; Galaria, 663 F. App’x at 390. “Although hackers are the direct cause
of [his] injuries, the hackers were able to access [his] data only because [CSTH] allegedly failed to secure the sensitive personal information entrusted to its custody.” Galaria, 663 F. App’x at 390. Further, CSTH’s failure to timely notify Silveira of the breach prevented him from taking remedial action sooner, which further demonstrates traceability. Silveira has standing under Galaria. And because an intentional data breach perpetrated by criminals is distinct from the negligent dissemination of a false credit report by a “legitimate credit reporting company,” the undersigned joins the courts that conclude the Supreme Court’s decision in TransUnion did not abrogate Galaria. See Brickman v. Maximus, Inc., No. 2:21-CV-3822, 2022 WL 16836186, at *4 (S.D. Ohio May 2, 2022) (“In any event, the Sixth Circuit has not yet reconsidered Galaria in light of TransUnion. This Court is bound
to follow relevant precedent from the Sixth Circuit unless and until the Sixth Circuit decides to revisit that precedent.”). B. Class Action Fairness Act Although federal courts are courts of limited subject matter jurisdiction, they have a virtually unflagging obligation to hear and decide cases within their jurisdiction. Sprint Communications, Inc. v. Jacobs, 571 U.S. 69, 77 (2013) (citation omitted). The Class Action Fairness Act provides that federal “district courts shall have original jurisdiction of any civil
action in which the matter in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class action in which—(A) any member of a class of plaintiffs is a citizen of a State different from any defendant.” 28 U.S.C. § 1332(d)(2). A district court may, however, “in the interests of justice” and considering the “totality of the circumstances, decline to exercise jurisdiction . . . over a class action in which greater than one-third but less than two-thirds of the members of all proposed plaintiff classes . . . and the primary defendants
are citizens of the State in which the action was originally filed.” 28 U.S.C. § 1332(d)(3). Defendant CSTH argues that even if the Court determines the plaintiff has standing, it should decline to exercise jurisdiction under the exception provided in 28 U.S.C. § 1332(d)(3). [Record No. 13 at 12] In making this argument, CSTH attempts to expand the scope of that exception. And it concedes that the plaintiffs have sufficiently pled an action under the CAFA, meaning this Court has original jurisdiction. [Record No. 13 at 12] The exception provides that a court may decline jurisdiction “over a class action in which greater than one-third but less than two-thirds of the members of all proposed plaintiff classes in the aggregate and the primary defendants are citizens of the State in which the action
was originally filed.” 28 U.S.C. § 1332(d)(3) (emphasis added). But here, the plaintiffs originally filed this action in federal court. [Record No. 1] The plain text of this exception makes clear that it does not apply under these circumstances because this matter was not first filed in a state court. The factors courts consider when deciding whether to decline jurisdiction further support this construction: “whether the claims asserted will be governed by laws of the State in which the action was originally filed”; “whether the class action has been pleaded in a
manner that seeks to avoid Federal jurisdiction”; “whether the action was brought in a forum with a distinct nexus with the class members, the alleged harm, or the defendants”; and “whether the number of citizens of the State in which the action was originally filed in all proposed plaintiff classes in the aggregate is substantially larger[.]” 28 U.S.C. § 1332(d)(3)(A)–(E) (emphasis added). There simply is no basis to apply this exception (the relief under which is remand, not dismissal as CSTH seeks).
IV. Analysis (Sufficiency of Pleadings) In evaluating a motion to dismiss under Rule 12(b)(6), the court must determine whether the complaint alleges “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). The plausibility standard is met “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (quoting Twombly, 550 U.S. at 556). While a complaint need not contain detailed factual allegations, a plaintiff must provide more than mere labels and conclusions, and “a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555. When reviewing a motion under Rule 12(b)(6), the
court must “accept all of plaintiff’s factual allegations as true and determine whether any set of facts consistent with the allegations would entitle the plaintiff to relief.” G.M. Eng’rs & Assoc., Inc. v. West Bloomfield Twp., 922 F.2d 328, 330 (6th Cir. 1990). A. Negligence (Count I) To state a negligence claim under Kentucky law, a plaintiff must show “(1) that the defendant owed the plaintiff a duty of care, (2) that the defendant breached the applicable duty of care, (3) causation, including both cause in fact and proximate cause, and (4) that the
plaintiff was damaged by the breach of the duty of care.” McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 817 (E.D. Ky. 2019) (citation modified). CSTH contends that Silveira cannot show causation, which is a more rigorous standard than that of traceability. [Record No. 13 at 17–18] More specifically, it argues that causation is not sufficiently pled because Silveira “offers no factual allegations establishing that his information was disclosed to cybercriminals” as the notice letter from CSTH only provides that “his information ‘may have
been’ present in the impacted files.” [Record No. 22 at 11] Regarding damages, it claims that Silveira fails to “identify any monetary loss of cost expended or incurred.” Id. at 12. Silveira insists that the disclosure of his private information to cybercriminals was directly caused by CSTH’s failure to employ adequate measures to protect it. [Record No. 21 at 17] Here, the plaintiff’s negligence claim against CSTH meets the pleading standard for causation for the same reasons outlined in the above analysis regarding traceability. Regarding the allegation that Silveira fails to provide facts indicating that his information was actually stolen, he references a significant increase in spam texts messages about purported loans taken out in his name. It is a reasonable inference that his data was implicated and the uptick in messages are a result of cybercriminals attempting to steal (or actually stealing) his identity.
To the extent that CSTH challenges the apparent lack of monetary damages pled, “Kentucky law allows recovery in tort ‘of damages for mental anguish,’” which Silveira claims. Savidge v. Pharm-Save, Inc., 2017 WL 5986972, *3 (W.D. Ky. 2017) (quoting Gill v. Burress, 382 S.W.3d 57, 64 (Ky. App. 2012)); [Record No. 1 at ¶ 48]. B. Breach of Implied Contract (Count III) Contracts may be implied in fact or implied by law. Stotts v. Skipworth, No. 2006-CA- 001567-MR, 2008 WL 399315, at *2 (Ky. App. Feb. 15, 2008). A contract may be implied in
fact “from the acts or circumstances which according to the ordinary course of dealing and the common understanding of men shows a mutual intent to contract.” Rider v. Combs, 256 S.W.2d 749, 749 (Ky. 1953) (citation omitted). This is so because “‘no man is to be made a debtor without his knowledge or assent or under circumstances where he had no reason to expect that such is his position or liability.’” Id. (quoting Kellum v. Browning’s Adm’r, 231 Ky. 308, 21 S.W.2d 459 (1929)). Therefore, the parties’ behavior may be relevant in finding
an implied contract. Stotts, 2008 WL 399315, at *2 (“A contract implied in fact is a true contract, shown by evidence of facts and circumstances from which a meeting of minds concerning the mutual promises may be reasonably deduced.”) (citations omitted). Contracts implied by law are not based on any actual agreement between the parties. Fayette Tobacco Warehouse Co. v. Lexington Tobacco Bd. of Trade, 299 S.W.2d 640, 643 (Ky. 1956). Rather, this is a judicially created doctrine designed to permit recovery in situations where justice requires that a remedy be provided as if a contract had been made. Id. at 643–44. Stated differently, a contract is implied at law when a court determines “the circumstances of the case are such that a contract should be implied to allow the plaintiff recovery.” Normandy Farm, LLC v. Kenneth McPeek Racing Stable, Inc., 701 S.W.3d 129,
136 (Ky. 2024). The defendant asserts that Silveira’s breach of implied contract claim falls short because it fails to allege “the essential elements of a contract.” [Record No. 13 at 19 (citing BDT Prods., Inc. v. Lexmark Int’l, Inc., 274 F.Supp.2d 880, 886–87 (E.D. Ky. 2003))] But the case it cites deals with a contract implied in fact and does not address those implied by law. See id. The Court need not resolve whether Silveira sufficiently pleads a breach of contract implied in fact1 because the plaintiff presents a scenario where implying a contract in law is
appropriate. Specifically, he claims that CSTH collected and maintained the PII/PHI of current and former employees as a condition of their employment. [Record Nos. 1 at ¶¶ 14–15, 128 and 21 at 20] And those employees understood that CSTH would employ reasonable measures to protect their sensitive information. [Record Nos. 1 at ¶ 131 and 21 at 20] Where, as here, an employer requires an employee to provide such information, and the employer allegedly fails to secure that information “a contract should be implied to allow the plaintiff recovery.”
Normandy Farm, LLC, 701 S.W.3d at 136. C. Invasion of Privacy, Intrusion upon Seclusion (Count V) To state an invasion of privacy intrusion upon seclusion claim, a plaintiff must allege “an [intentional] intrusion by the defendant; that is highly offensive to a reasonable person; into some matter in which a person has a legitimate expectation of privacy.” Pearce v.
1 The Court finds persuasive plaintiff’s cited cases where other courts found contracts implied in fact under very similar circumstances to those presented here. [Record No. 21 at 19–20] Whitenack, 440 S.W.3d 392, 401 (Ky. App. 2014). Further, “a defendant’s actions may be intentional when the defendant acts with such reckless disregard for the privacy of the plaintiff that the actions rise to the level of being an intentional tort.” Bowen v. Paxton Media Grp.,
LLC, No. 5:21-CV-00143-GNS, 2022 WL 4110319, at *7 (W.D. Ky. Sept. 8, 2022) (citing McKenzie, 369 F. Supp. 3d at 819). The defendant challenges Silveira’s pleadings concerning whether it acted with the requisite “intention” (i.e., “reckless disregard”) for an invasion of privacy tort. [Record Nos. 13 at 21 and 22 at 13–14] It contends Silveira’s assertions that CSTH failed to maintain the sensitive data and comply with reasonable standards for handling the data lack the necessary specificity. [Record No. 22 at 14] It also claims that he cannot show “intrusion by the
defendant” because he merely pleads on information and belief that his sensitive data were dispersed. [Record No. 13 at 22] But, Silveira insists that this count is sufficiently pled. [Record No. 21 at 22] The plaintiff’s claim passes muster. “Courts have repeatedly held that being aware of the risk of data breaches and failing to implement appropriate policies is sufficient to state a claim for intrusion upon seclusion.” Lurry v. PharMerica Corp., No. 3:23-CV-297-RGJ, 2024
WL 2965642, at *6 (W.D. Ky. June 12, 2024). CSTH’s argument that the plaintiff cannot show an intrusion because he cites no facts indicating his sensitive data were actually disseminated is a nonstarter. Here, it was the defendant that notified the plaintiff that his data may have been subject to a breach. Silveira’s lack of specific information regarding if and how his PII/PHI was affected is not fatal to his claim. Presumably, that information will come out during discovery. D. Unjust Enrichment (Count VI) “Under Kentucky law, unjust enrichment is “(1) a benefit conferred upon the defendant at the plaintiff’s expense; (2) a resulting appreciation of the benefit by the defendant; and (3)
an inequitable retention of the benefit without payment for its value.” Bowen, 2022 WL 4110319, at *8 (citation modified) (citing Marcus & Millichap Real Est. Inv. Brokerage Co. v. Skeeters, 395 F. Supp. 2d 541, 557 (W.D. Ky. 2005)). CSTH insists that Silveira’s clam fails because “providing his personal information to CSTH is not a sufficient benefit to support a claim for unjust enrichment.” [Record No. 13 at 22] But Silveira cites Lurry v. PharMerica Corporation, No. 3:23-CV-297-RGJ, 2024 WL 2965642, at *7 (W.D. Ky. June 12, 2024), where the court found that a plaintiff conferred a benefit to a defendant “by performing labor
in connection with employment” and Bowen v. Paxton Media Group, LLC, 2022 WL 4110319, at *8 (W.D. Ky. Sept. 8, 2022) where the court noted the defendant was “enriched by the savings in costs that should have been reasonably expended to protect the PII.” [Record No. 21 at 23] Like the plaintiffs in those similar actions, Silveira has sufficiently pled this claim. E. Breach of Fiduciary Duty (Count VII) “A fiduciary relationship is one ‘founded on trust or confidence reposed by one person
in the integrity and fidelity of another and which also necessarily involves an undertaking in which a duty is created in one person to act primarily for another’s benefit in matters connected with such undertaking.’” McKenzie, 369 F. Supp. 3d at 822 (quoting ATC Distrib. Grp., Inc. v. Whatever It Takes Transmissions & Parts, Inc., 402 F.3d 700, 715 (6th Cir. 2005)). Kentucky law provides that a fiduciary duty involves a party “who has expressly undertaken to act for the plaintiff’s primary benefit.” Flegles, Inc. v. TruServ Corp., 289 S.W.3d 544, 552 (Ky. 2009) (citing Steelvest, Inc. v. Scansteel Service Center, Inc., 807 S.W.2d 476 (Ky. 1991)). CSTH asserts that “there are no Kentucky cases that stand for the proposition that CTH
owed Plaintiff a fiduciary duty to protect his data.” [Record No. 13 at 23] The undersigned agrees. And because Silveira did not respond to this challenge, the Court need not delve further. [See Record No. 21.] To be sure, the McKenzie court held that an employer had no fiduciary duty to secure the data of its employees absent an express undertaking of that duty. 369 F. Supp. 3d at 823. F. Declaratory Judgment and Injunctive Relief (Count X) The Declaratory Judgment Act provides: “any court of the United States, upon the filing
of an appropriate pleading, may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). In deciding whether exercising jurisdiction is appropriate, a court weighs the following factors: (1) whether the declaratory action would settle the controversy; (2) whether the declaratory action would serve a useful purpose in clarifying the legal relations in issue; (3) whether the declaratory remedy is being used merely for the purpose of “procedural fencing” or “to provide an arena for a race for res judicata;” (4) whether the use of a declaratory action would increase friction between our federal and state courts and im-properly encroach upon state jurisdiction; and (5) whether there is an alternative remedy which is better or more effective.
Grand Trunk W. R.R. Co. v. Consol. Rail Corp., 746 F.2d 323, 326 (6th Cir. 1984). But “[b]efore considering the factors jurisdictional requirements must be met.” Bowen, 2022 WL 4110319, at *9 (citing Larry E. Parrish, P.C. v. Bennett, 989 F.3d 452, 457 (6th Cir. 2021)). “Importantly, to establish standing when an alleged injury is a future injury, ‘the plaintiff must demonstrate that the threatened injury is certainly impending or there is a substantial risk that the harm will occur.’” See Lochridge v. Quality Temp. Servs., Inc., No. 22-CV-12086, 2023 WL 4303577, at *8 (E.D. Mich. June 30, 2023) (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)).
CSTH contends that the plaintiff’s allegations fail to clear this hurdle because he “alleges no facts allowing this claim to proceed,” and, in any event, he lacks standing. [Record No 13 at 25] Conversely, Silveira insists that he has standing and has stated a claim because he has shown his “threatened injury is certainly impending or there is a substantial risk that the harm will occur.” [Record No. 21 at 27] More specifically, he asserts that CSTH’s protective and remedial actions post-breach are insufficient to protect his sensitive information from being compromised again. Id. at 24.
But other district courts within this circuit have rejected similar arguments. See, e.g., Lochridge, 2023 WL 4303577, at *8 (rejecting declaratory and injunctive claims where the plaintiff had “not alleged any facts tending to show that a second data breach is currently impending or there is a substantial risk that one will occur”); Cahill v. Mem’l Heart Inst., LLC, No. 1:23-CV-168, 2024 WL 4311648, at *16 (E.D. Tenn. Sept. 26, 2024) (“Plaintiffs do not allege specific facts regarding currently impending or substantial risk of another cyberattack
on Defendant[.]”); Hummel v. Teijin Auto. Techs., Inc., No. 23-CV-10341, 2023 WL 6149059, at *14 (E.D. Mich. Sept. 20, 2023) (“By failing to allege any facts, which would suggest Defendant is at risk for a second cyberattack, Plaintiff has failed to meet the jurisdictional requirements of this relief.”). The undersigned agrees. Other than asserting that “injunctive relief is necessary to ensure that CSTH patches the holes in its deficient data security,” the plaintiff does not provide sufficient justification for declaratory or injunctive relief. [Record No. 21 at 24] However, such relief is likely futile because the horses (Silveira’s PII/PHI) are already out of the barn (allegedly stolen by cybercriminals). Apparently attempting to bolster his claim for declaratory relief, the plaintiff argues that CSTH provided a sanitized and inadequate notice to victims of the breach. And,
therefore, declaratory relief is proper to compel the defendant to supplement its notice to include that INC Ransom took credit for the breach. [Record No. 21 at 25] But even assuming this was an adequate injury, it is nowhere in the Complaint and was raised for the first time in response. A major hurdle here for Silveira is that declaratory relief at this juncture would not redress his risk of future injuries (a hypothetical second breach of his data held by CSTH) that he claims. As he alleges, cybercriminals have already stolen his data and posted it on the dark
web. Because those horses are long gone, declaratory relief would do little, if anything, to redress his injuries. And his request for leave to amend his Complaint will be denied. Strayhorn v. Wyeth Pharms., Inc., 737 F.3d 378, 400 (6th Cir. 2013) (explaining “plaintiffs are responsible for pleading their cause of action and are not entitled to an advisory opinion from the Court informing them of the deficiencies of the complaint and then an opportunity to cure those deficiencies”) (citation modified).
V. Conclusion Based on the foregoing analysis and discussion, it is hereby ORDERED that Defendant Commercial Specialty Truck Holdings, LLC’s Motion to Dismiss [Record No. 13] is GRANTED, in part, and DENIED, in part, consistent with this Memorandum Opinion and Order. Dated: August 12, 2025.
: al 4 Danny C. Reeves, District Judge oS I) United States District Court □ Eastern District of Kentucky
-17-