IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF KANSAS
TORIANA PATTERSON, individually and on behalf of all others similarly situated,
Plaintiff,
vs. Case No. 25-CV-02221-EFM-TJJ
ASSOCIATED WHOLESALE GROCERS, INC.,
Defendant.
MEMORANDUM AND ORDER Plaintiff Toriana Patterson alleges that her personal identifying information (“PII”) was hacked in a data breach. She accuses her former employer, Defendant Associated Wholesale Grocers, Inc., of failing to maintain a secure data system. She brings this action on behalf of herself and a prospective class asserting claims for negligence, negligence per se, and breach of implied contract. This matter comes before the Court on Defendant’s Motion to Dismiss Class Action Complaint (Doc. 11). Defendant argues that the case must be dismissed because Plaintiff lacks standing or, in the alternative, because the Complaint fails to state a claim. Because the Court finds that Plaintiff lacks standing, the Court grants Defendant’s Motion for lack of subject matter jurisdiction under Rule 12(b)(1). I. Factual and Procedural Background1 A. The Data Breach Plaintiff is a former employee of Defendant, a national grocery wholesaler. As part of her employment, Plaintiff was required to give Defendant her PII, including her name, date of birth, email address, physical address, Social Security number, and financial account information.
Plaintiff relied on Defendant to keep her PII confidential, securely maintained, and to make only authorized disclosures of her information. Plaintiff is very careful about not sharing her PII. She stores sensitive documents in secure locations and uses unique passwords and usernames. On October 6 and 7, 2023, an unknown hacker accessed Defendant’s systems, releasing Plaintiff’s (and other class members’) PII. Defendant, however, did not notify Plaintiff of the data breach until almost six months later. On April 1, 2024, Defendant sent a Notice Letter to Plaintiff advising her that an unauthorized actor accessed Plaintiff’s sensitive information. The Notice Letter, which Plaintiff attached to the Complaint, states that after learning of the data breach, Defendant confirmed the security of its systems, reviewed the relevant data for sensitive
information, and investigated the relevant information that may be impacted. It also notified federal law enforcement and governmental regulators of the incident and is reviewing its policies and procedures to reduce the likelihood of a future breach. Plaintiff alleges that Defendant was negligent and did not use reasonable security procedures and practices sufficient to protect the sensitive information it was storing for Plaintiff and class members. Plaintiff further alleges that Defendant failed to properly maintain and safeguard its computer systems and data. According to Plaintiff, Defendant knew or should have
1 The facts are taken from Plaintiff’s Class Action Complaint. known that its computer systems were a target for cybersecurity attacks. In support of these allegations, Plaintiff cites several internet accessible articles warning that cybercriminals (1) target big companies like Defendant, (2) leak PII on the dark web, and (3) often threaten to release stolen data. Plaintiff also outlines steps Defendant could have taken to prevent and detect ransomware attacks.
B. Plaintiff’s Stolen PII Plaintiff alleges that her identity has been stolen because of the data breach. Shortly after the breach, Plaintiff began receiving telephone calls from loan companies and creditors claiming that she took out loans and owed money on them. Plaintiff did not, however, take out these loans or authorize anyone else to do so. Plaintiff has spent approximately 35 hours dealing with the release of her PII, through verifying the legitimacy of the Notice Letter, self-monitoring her accounts, reviewing credit reports, and mitigating fraud and identity theft. Plaintiff also experiences fear and anxiety associated with future identity theft and the loss of her privacy.
Defendant still possesses Plaintiff’s PII. Plaintiff believes Defendant’s security measures are still inadequate. Defendant, however, denies these allegations. C. The Litigation Plaintiff filed this lawsuit in April 2025 on behalf of herself and a class of individuals whose information was compromised in the data breach. She asserts claims of negligence, negligence per se, and breach of implied contract. She seeks monetary damages and declaratory and injunctive relief. This is not the first action filed in this District arising out of Defendant’s data breach. Plaintiff’s counsel previously filed a similar lawsuit captioned Jenkins v. Associated Wholesale Grocers, Case no. 5:24-cv-04039-DDC-GEB. Defendant moved to dismiss the complaint in Jenkins on the bases that the plaintiff did not adequately allege standing and that he failed to state a claim. The Court concluded that the plaintiff lacked standing and therefore dismissed the case.2 Like in Jenkins, Defendant now moves to dismiss this case for lack of subject matter jurisdiction or for failure to state a claim. Given the substantial similarity between the allegations
in Jenkins and those asserted in Plaintiff’s Complaint, Jenkins is extensively cited throughout this Order. II. Legal Standard Defendant moves for dismissal under both Rule 12(b)(1) (lack of subject matter jurisdiction) and Rule 12(b)(6) (failure to state a claim). The Court does not reach Defendant’s 12(b)(6) arguments and thus only recites the 12(b)(1) standard below.3 Under Rule 12(b)(1), a defendant may move to dismiss a claim for lack of subject-matter jurisdiction.4 Federal courts are courts of limited jurisdiction, and a presumption exists against exercising jurisdiction over a case.5 The party asserting jurisdiction bears the burden of establishing its existence.6 Thus, the Court may exercise jurisdiction only when specifically
2 Jenkins, 2025 WL 708574, at *15 (Mar. 5, 2025). 3 A standing challenge is an attack on the Court’s subject matter jurisdiction and is analyzed under Rule 12(b)(1). See Hill v. Vanderbilt Cap. Advisors, LLC, 702 F.3d 1220, 1224 (10th Cir. 2012) (“Our court has repeatedly characterized standing as an element of subject matter jurisdiction.”). 4 Fed. R. Civ. P. 12(b)(1). 5 See In re Syngenta AG MIR 162 Corn Litig., 61 F.4th 1126, 1170 (10th Cir. 2023) (citations omitted). 6 Id. at 1171. authorized to do so and must dismiss a claim if it becomes apparent at any stage of the proceedings that it lacks jurisdiction.7 Rule 12(b)(1) arguments take two forms: (1) a facial attack on the sufficiency of complaint’s allegations as to the court’s jurisdiction or (2) a factual attack on the facts upon which subject matter is based.8 This case involves a facial attack, and therefore, the Court must view the
factual allegations in the Complaint as true.9 III. Analysis A. Legal Requirements for Article III Standing Article III standing is a threshold question central to the Court’s subject matter jurisdiction.10 To establish standing, a “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.”11 The plaintiff bears the burden to show standing exists.12 At the pleading stage, general factual allegations suffice.13 However, a court need not accept “conclusory allegations, unwarranted inferences, or legal conclusions.”14
7 Siloam Springs Hotel, LLC v. Century Sur. Co., 906 F.3d 926, 931 (10th Cir. 2018). 8 Baker v. USD 229 Blue Valley, 979 F.3d 866, 872 (10th Cir. 2020). 9 Id. (citing Pueblo of Jemez v. United States, 790 F.3d 1143, 1148 n.4 (10th Cir. 2015)). 10 United States v. McVeigh, 106 F.3d 325, 334 (10th Cir.1997) (citation omitted). 11 Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560- 61 (1992)). 12 Id. (citing FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231 (1990)). 13 Lujan, 504 U.S. at 561. 14 Brady Campaign to Prevent Gun Violence v. Brownback, 110 F. Supp. 3d 1086, 1092 (D. Kan. 2015) (quoting Hackford v. Babbit, 14 F.3d 1457, 1465 (10th Cir. 1994)). The first element, injury in fact, covers “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.”15 An imminent injury is one that is “certainly impending” or one for which there is a “substantial risk” the harm will occur.16 The risk of future harm, however, is not sufficient to confer standing.17 The second element, an injury that is fairly traceable to the defendant, requires “a causal
connection between the injury and the conduct complained of—the injury has to be fairly . . . traceable to the challenged action of the defendant, and not . . . the result of the independent action of some third party not before the court.”18 A plaintiff cannot show that an injury is “fairly traceable” by alleging “a speculative chain of possibilities.”19 The third element—redressability—requires that the injury is “likely” to be “redressed by a favorable decision.” Defendant does not challenge this element of standing in its Motion. Therefore, the Court will not examine it here. Data breach cases have raised unique standing issues for the federal courts. These issues primarily arise as to the injury in fact and traceability elements of standing. For example, some
courts have held that data breach plaintiffs allege an injury in fact simply because of the data
15 Lujan, 504 U.S. at 560 (internal quotation marks and citations omitted). 16 Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (citation omitted). 17 See TransUnion LLC v. Ramirez, 594 U.S. 413, 435-37 (2021) (discussing whether the plaintiffs had standing based on a risk of future harm). 18 Lujan, 504 U.S. at 560 (internal quotation marks, citations, and brackets omitted). 19 Clapper v. Amnesty Int’l USA, 568 U.S. 398, 410 (2013). breach.20 Other courts have held the opposite.21 The Tenth Circuit has not yet addressed standing in the data breach context. However, as the Court noted in Jenkins, “many district courts in the Tenth Circuit ‘have predicted that [our] Court of Appeals will require actual misuse of stolen data to find that plaintiffs have standing[.]’”22 This Court agrees that “actual misuse generally is necessary to establish an injury in fact.”23
Here, Plaintiff alleges four kinds of injury in her Complaint: (1) past identify theft and the risk of future identity theft; (2) fear and anxiety; (3) lost time, annoyance, and inconvenience due to the breach; and (4) loss of privacy. These injuries allegedly support Plaintiff’s claim for damages. Plaintiff also seeks declaratory and injunctive relief. The Court will first address whether Plaintiff has standing as to her four alleged injuries supporting her damages claim. Then it will address whether Plaintiff has standing as to her request for declaratory and injunctive relief. B. Past and Future Identity Theft The standing analysis differs depending on whether Plaintiff’s allegations of identity theft address past or future harm. The Court first looks at Plaintiff’s allegations of past identity theft,
addressing both the injury in fact and causation analyses. Then, the Court looks to Plaintiff’s allegations of future identity theft to determine whether they constitute an injury in fact. As
20 Jenkins, 2025 WL 708574, at *4 n.2 (citing Attias v. Carefirst, Inc., 865 F.3d 620, 628-29 (D.C. Cir. 2017); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387-91 (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 691-95 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010)). 21 Id. at *4 n.3 (citing O’Leary v. TrustedID, Inc., 60 F.4th 240, 244 (4th Cir. 2023); McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 301, 303–05 (2d Cir. 2021); Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340-44 (11th Cir. 2021); In re SuperValu, Inc., 870 F.3d 763, 769–70 (8th Cir. 2017)). 22 Id. at *5 (quoting Stern v. Acad. Mortg. Corp., 2025 WL 239036, at *3 (D. Utah Jan. 17, 2025)). 23 Id. explained more fully below, Plaintiff does not have standing to seek damages based on either past or future identity theft. 1. Past Identity Theft Plaintiff alleges that “[s]hortly after the Data Breach, Plaintiff began receiving a number of calls from loan companies and creditors claiming that she took out a loan and owed money on
the loan.” Plaintiff then alleges that “[a]s a result of the Data Breach, Plaintiff has had her identity stolen.” Defendant argues these allegations do not establish an injury in fact that is fairly traceable to the data breach. Defendant offers little, if any, argument as to how Plaintiff’s allegations do not establish an injury in fact. Courts generally consider attempted identity theft, actual or unauthorized charges, unauthorized loan applications, or “hard” inquiries on credit reports to be injuries in fact for standing purposes.24 Here, Plaintiff alleges that someone took a loan out in her name. This constitutes actual misuse of her PII sufficient to satisfy the injury in fact element of standing. The Court next turns to the second element of standing—whether her injury is fairly
traceable to the data breach. In Jenkins, the Court found that the plaintiff did not meet this element because he did not plead allegations that traced how unauthorized actors used the stolen PII (his name, Social Security number, and date of birth) to make unauthorized PayPal purchases or steal his money. Plaintiff argues that her allegations differ from Jenkins because she alleges that her name and social security number were stolen in the data breach, and that this information alone can be used to apply and open loans in another’s name. Plaintiff further alleges that the loans were
24 See Owen-Brooks v. DISH Network Corp., 2024 WL4338133, at *10 (D. Colo. Aug. 23, 2024). opened in her name after the data breach. Thus, Plaintiff contends that she has shown how unauthorized actors could use the disclosed PII to make a loan in her name. Plaintiff’s allegations come far closer to establishing traceability than those asserted in Jenkins. But she still does not plead sufficient facts to connect the data breach to the actual taking out of loans in her name. Plaintiff alleges that she began receiving calls from loan creditors
claiming she took out a loan and owed money on it “shortly after the [d]ata [b]reach.” These allegations only indicate that she received notice of the alleged loans shortly after the breach, not that the loans were taken out after the data breach. Without more specific allegations about when the loan applications were made or when the loan was issued, Plaintiff does not plausibly allege that the identify theft occurred as a result of the data breach. This case is analogous to Owen-Brooks, a data breach case in which one of the plaintiffs alleged that she “recently noticed hard inquiries on her and her husband’s credit report, which they did not authorize.”25 The District of Colorado explained that a hard inquiry occurs when a consumer applies for credit and gives their consent for inquiry.26 Although the plaintiff’s Social
Security number was one of the types of PII involved in the data breach (and thus could be used to apply for credit), the court found that the plaintiff’s allegations failed for lack of traceability because she did not allege when the hard inquiries actually occurred.27 Because she only alleged
25 Id. at *11. 26 Id. 27 Id. that she noticed the hard inquiries after the data breach, the district court found her allegations too speculative to meet the causation element of standing.28 Similarly, in another case in the District of Kansas, Blood v. Labette County Medical Center,29 the plaintiffs asserted that when they filed their taxes, they received notice from the IRS that their Social Security numbers had issues.30 The plaintiffs alleged that they experienced harm
because they had to prove their identity before the IRS processed their tax returns.31 The Court found that although the plaintiffs’ Social Security numbers were involved in both the tax submission and the data breach, the plaintiffs failed to plead facts suggesting that the IRS problem was traceable to the defendant’s action.32 The Court reasoned that only the plaintiffs could have alleged the nature of the tax issues, whether the tax issues involved one or both of their Social Security numbers, or whether there was a typographical error in one of the numbers.33 Thus, the plaintiffs’ allegations were too speculative to establish standing. Like the plaintiffs in Blood, Plaintiff is in the only party in a position to know when the loan was taken out, what information was used to obtain the loan, or when the phone calls began
occurring. Furthermore, despite knowing that Defendant challenges this allegation, Plaintiff has
28 Id. 29 2022 WL 11745549 (D. Kan. Oct. 20, 2022). 30 Id. at *5. 31 Id. 32 Id. 33 Id. not moved to amend her Complaint to indicate that she is willing to provide more detail.34 As one district court recently explained, “[i]n today’s society, an individual’s PII and PHI [protected health information] can be stolen in myriad ways, often without the individual’s knowledge. Data breaches and other forms of data theft are so prevalent that it is seemingly impossible to trace the misuse of personal information to one particular breach.”35 While the Court does not require more
than Iqbal and Twombly at this stage of the litigation, it does require more than conclusory and speculative allegations. Plaintiff fails to plausibly allege that the loans taken out in her name are traceable to the data breach. Overall, Plaintiff has not shown the “actual misuse” required to plead standing. She does not establish that her past identity theft is fairly traceable to the data breach.36 The Court next considers whether Plaintiff’s allegations of future identity theft qualify as an injury in fact. 2. Future Identity Theft and Fraud Plaintiff alleges that she “has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse.” Defendant argues that this
allegation alone is not sufficient to establish an injury in fact. The Court agrees. The United States Supreme Court has held that an allegation of future injury only suffices if the threatened injury is “certainly impending” or there is “‘a substantial risk’ that the harm will
34 See id. at *6 (noting that the plaintiffs knew that the defendant challenged their allegations as to whether they conferred traceability, and the plaintiffs did not move to amend their complaint or otherwise state that they would provide more detail). 35 Williams v. Bienville Orthopaedic Specialists, LLC, 737 F. Supp. 3d 411, 425 (S.D. Miss. 2024), appeal dismissed sub nom. Williams v. Bienville Orthopaedic Specialists, LLC, 2024 WL 5330715 (5th Cir. Sept. 6, 2024). 36 See Blood, 2022 WL 11745549, at *8 (finding no significant allegations of “data misuse” when each allegation of misuse failed as an injury in fact or as fairly traceable to the data breach). occur.37 Generally, “‘[a]llegations of possible future injury’ are not sufficient.”38 In Jenkins, the Court applied a three-factor test used by the First, Second, and Third Circuits to determine whether the plaintiff’s future injuries were imminent and substantial.39 Those three factors are: (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.40
The Court in Jenkins noted that while the factors are neither exclusive nor “necessarily determinative,” they do offer guidance.41 This Court follows Jenkins and employs these three factors here as well. First, the Court considers whether the breach resulted from an intended, targeted effort. Here, Plaintiff alleges that “unauthorized access to [Defendant’s] network” resulted in “certain files and folders [being] viewed without authorization.” Additionally, the Notice Letter states that Plaintiff and class members should take steps to protect themselves from identity theft and fraud. These allegations mirror the allegations the Court considered in Jenkins. And, after considering these allegations, the Court in Jenkins found that there was “the possibility of a targeted attack by cybercriminals” but did not “unqualifiedly accept it as true.” This Court agrees with that finding.
37 Susan B. Anthony List, 573 U.S. at 158 (quoting Clapper, 568 U.S. at 414 n.5). 38 Clapper, 568 U.S. at 409 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). 39 Jenkins, 2025 WL 708574, at *9 n.7 (citing McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (1st Cir. 2021); Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 375 (1st Cir. 2023); Clemens v. ExecuPharm Inc., 48 F.4th 146, 153-54, 157 (3d Cir. 2022)). 40 McMorris, 995 F.3d at 303. 41 Jenkins, 2025 WL 708574, at *9 (quoting Webb, 72 F.4th at 375). Therefore, this factor weighs slightly in favor of finding an injury in fact as to Plaintiff’s future identity theft allegations. The second factor focuses on whether the plaintiff alleges that any portion of the dataset was misused. For district courts in the Tenth Circuit, this factor is the most important.42 Indeed, some district courts focus solely on this factor when analyzing future harms.43 Here, Plaintiff’s
allegations fall short because, as discussed above, she does not allege actual misuse. This factor weighs heavily against Plaintiff. Third, the Court considers whether the data exposed in the breach is susceptible to fraud. Plaintiff alleges that her name, date of birth, and Social Security number were exposed in the breach. This PII is the type of information that is susceptible to fraud.44 Thus, this factor weighs in favor of finding that plaintiff sufficiently alleges an injury in fact. In sum, the Court concludes that Plaintiff does not allege a risk that future identity theft is imminent. Although Plaintiff’s PII is susceptible to fraud, courts in this District more strongly consider whether Plaintiff alleges actual misuse that is fairly traceable to the data breach.45 And
Plaintiff has not met her burden in this instance. Becaue the risk of future harm is no more than an
42 Id. at *10. 43 Id. (citations omitted); see also Masterson v. IMA Fin. Grp., Inc., 2023 WL 8647157, at *8 (emphasizing the importance of actual misuse in risk of future injuries analysis to show a data breach injury is concrete, particularized, or imminent without evaluating other two factors); Blood, 2022 WL 11745549, at *7-8 (evaluating the plaintiff’s allegations of actual misuse and finding that because the plaintiff did not allege an injury in fact that was fairly traceable, the plaintiff’s allegations of risk of future injury did not confer standing). 44 McMorris, 995 F.3d at 302 (“Naturally, the dissemination of high-risk information such as Social Security numbers and dates of birth—especially when accompanied by victims’ names—makes it more likely that those victims will be subject to future identity theft or fraud.”). 45 Jenkins, 2025 WL 708574, at *10. “attenuated chain of possibilities,” Plaintiff’s allegations of future identity theft do not confer standing.46 C. Emotional Distress Next the Court addresses Plaintiff’s allegations as to her emotional distress. Plaintiff alleges that she has suffered or is at an increased risk of suffering anxiety and emotional distress
because of the data breach. Defendant argues that these allegations do not support standing because Plaintiff does not establish a future risk of identity theft or actual misuse of her data traceable to the breach. Defendant is correct. Emotional distress only confers standing if the plaintiff also alleges actual misuse or imminent threat of future harm.47 As the Court discussed above, Plaintiff does not allege actual misuse or a future impending harm. Therefore, her emotional distress allegations do not confer standing. D. Mitigation Efforts Plaintiff’s alleged mitigation injury similarly fails. Plaintiff alleges that she spent approximately 35 hours dealing with the data breach, including researching and verifying the
legitimacy of the Notice Letter, self-monitoring her accounts, reviewing her accounts, and mitigating fraud and identity theft. She further alleges that she is at an increased risk of suffering “[o]ut-of-pocket costs associated with the prevention, detection, recovery, and remediation form identity theft or fraud.” Mitigation time, however, “constitutes a concrete injury only if it [is] ‘based on a threat of future injury that is certainly impending.’”48 A plaintiff cannot “manufacture
46 Clapper, 568 U.S. at 410. 47 Jenkins, 2025 WL 708574, at *11 (citing Masterson, 2023 WL 8647157, at *7). 48 Id. (citing Blood, 2022 WL 11745549, at *6; Legg v. Leaders Life Ins. Co., 574 F. Supp. 3d 985, 994 (W.D. Okla. 2021) (“[W]hile it may have been reasonable to take some steps to mitigate the risks associated with the data breach, those actions cannot create a concrete injury where there is no imminent threat of harm.”); Stern, 2025 WL standing merely by inflicting harm on [herself] based on [her] fears of hypothetical future harm that is not certainly impending.”49 Plaintiff does not allege actual misuse or risk of future harm. Therefore, her time spent mitigating her alleged injuries does not confer standing. E. Loss of Privacy Plaintiff asserts that she has suffered increased concern for the loss of her privacy and that
she has suffered or is at an increased risk of suffering “the compromise and continuing publication of her PII.” Defendant argues that these allegations do not establish a concrete harm and thus, do not confer standing. Plaintiff does not respond to this argument in her opposition brief, and therefore concedes Defendant’s point. However, even if the Court were to analyze these allegations, it would find that they do not establish a concrete harm sufficient to confer standing.50 A privacy injury is “concrete” only if it has “a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts.”51 The Supreme Court generally looks to the Restatement of Torts to identify traditionally recognized harms.52 The Restatement sets forth four privacy torts: “(1) intrusion upon seclusion; (2) appropriation of name or likeness; (3) public disclosure of private facts; and (4) false light publicity.”53 Two of these—public
239036, at *7 (“Plaintiffs’ fear about misuse of their PII is not certainly impending harm, as no Plaintiff has alleged that their data is actually available on the dark web or otherwise has been transmitted to others for imminent use.”)). 49 Clapper, 568 U.S. at 416. 50 As the Court noted in Jenkins, in evaluating a lost privacy harm in a data breach case, the Court must determine whether the harm is both imminent and concrete. Jenkins, 2025 WL 708574, at *12 n.9. Here, the Court undertakes an analysis of whether the alleged loss of privacy is concrete. 51 Jenkins, 2025 WL 708574, at *12 (quoting TransUnion, 594 U.S. at 424). 52 Id. 53 Id. (citing Restatement (Second) of Torts § 652A (Am. L. Inst. 1977) (Oct. 2024 Update)). disclosure of private information and intrusion upon seclusion—may constitute concrete, intangible harms.54 Turning first to the public disclosure of private facts, this theory of standing has been rejected in the data breach context when the plaintiff fails to allege any concrete or particularized injury associated with the disclosure.55 Indeed, this Court has held that “loss of privacy, in and of
itself, is not a concrete harm that can provide the basis for Article III standing.”56 So, even if the Court construes Plaintiff’s claim as one for public disclosure of private facts, Plaintiff does not allege actual harm fairly traceable to the data breach. Thus, Plaintiff does not establish a concrete harm based on this tort. The Court next evaluates whether Plaintiff’s lost privacy injury has a close relationship to the intrusion upon seclusion tort. The Restatement describes this tort as follows: “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.”57 A plaintiff is not required to prove
the elements of the tort to secure standing, but the plaintiff must show that “the harm posed by the theft of their information bears a close relationship to these traditionally recognized harms.”58
54 Id. (citing TransUnion, 594 U.S. at 425). 55 See id. at *12 n.10 (citing In re PracticeFirst Data Breach Litig., 2022 WL 354544, at *8 (W.D.N.Y. Feb. 2, 2022) (“[T]his theory of standing has been rejected in the data breach context where, like in this case, plaintiffs have failed to demonstrate any concrete or particularized injury associated with the disclosure.”)). 56 C.C. v. Med-Data Inc., 2022 WL 970862, at *10 (D. Kan. Mar. 31, 2022). 57 Jenkins, 2025 WL 708574, at *13 (quoting Restatement (Second) of Torts § 625B (Am. L. Inst. 1977) (Oct. 2024 Update)). 58 Id. (quoting I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034, 1049 (N.D. Cal. 2022) (quotation cleaned up)). Plaintiff’s alleged privacy injury does not have a “close relationship” to the tort of intrusion upon seclusion because she does not allege the requisite level of intent. The intrusion upon seclusion tort only permits recovery when the defendant intentionally invades the plaintiff’s private affairs. Here, Plaintiff alleges that Defendant was “reckless” in “fail[ing] to properly maintain and safeguard its computer systems and data,” but she does not allege that Defendant
intentionally let cyberattackers intrude on Plaintiff’s seclusion. The Court thus concludes that Plaintiff’s harm resulting from the data breach does not bear a close relationship to the type of harm contemplated under the intrusion upon seclusion tort. Accordingly, Plaintiff’s loss of privacy injury is not concrete and therefore does not constitute an injury in fact. F. Injunctive and Declaratory Relief Next, the Court must address Plaintiff’s standing to seek injunctive and declaratory relief. As noted above, a “threatened injury must be certainly impending to constitute injury in fact.”59 “[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.”60
Plaintiff asks the Court to declare: (1) Defendant owes a legal duty to secure Plaintiff and the proposed class’s PII; (2) Defendant continues to breach this legal duty by failing to employ reasonable measures to secure consumers’ PII; and (3) the ongoing breaches continue to cause Plaintiff and the proposed class harm. Plaintiff also asks for corresponding prospective injunctive relief requiring Defendant to employ adequate security protocols to protect consumers’ PII. The
59 Clapper, 568 U.S. at 409. 60 TransUnion, 594 U.S. at 435. harm supporting this requested relief is based on a potential future data breach of Defendant’s system that further compromises Plaintiff’s and the proposed class’s PII—not on the future misuse of the PII already disclosed in the data breach. In Jenkins, the Court concluded that the plaintiff lacked standing to seek the requested injunctive and declaratory relief because he did not plausibly plead that a future breach was
certainly impending.61 The plaintiff in Jenkins alleged that Defendant stored the PII in an internet accessible environment.62 He further alleged that Defendant’s security measures were inadequate, and that Defendant denied they were such.63 According to the Court, these allegations did not indicate a future imminent breach, but that the plaintiff was unaware of the steps Defendant took to protect the PII after the breach.64 The Court also noted that Defendant’s Notice Letter stated that the company confirmed the security of its systems, reported the event to federal law enforcement, and was reviewing its policies and procedures to reduce the likelihood of a future breach.65 The Court found that “[t]hese efforts cut against any inference that [D]efendant’s prior data breach might make a future data breach more likely.”66 Thus, the Court concluded that the plaintiff did not sufficiently allege that a future breach was “certainly impending.”67
61 Jenkins, 2025 WL 708574, at *15. 62 Id. 63 Id. 64 Id. 65 Id. 66 Id. (internal quotation marks and citation omitted). 67 Id. (quoting Clapper, 569 U.S. at 409). Plaintiff's allegations as to a future data breach mirror the plaintiffs allegations in Jenkins. Plaintiff alleges that “Defendant’s security measures remain inadequate,” and that “Defendant publicly denies these allegations.” Additionally, the Notice of Breach sent to Plaintiff is the same notice that the Court referred to in Jenkins. Because Plaintiff does not make any further allegations than those in Jenkins, the Court concludes that a future data breach is not imminent. Therefore, Plaintiff lacks standing to seek her requested declaratory and injunctive relief. IV. Conclusion Plaintiff has not met her burden to show she has standing to bring her claims. Accordingly, the Court lacks subject matter jurisdiction and must dismiss the case. The Court does not reach Defendant’s arguments as to why Plaintiffs claims fail under Rule 12(b)(6). IT IS THEREFORE ORDERED that Defendant’s Motion to Dismiss Class Action Complaint (Doc. 11) is GRANTED. This case 1s closed. IT ISSO ORDERED. Dated this 12th day of February, 2026.
ERIC F. MELGREN CHIEF UNITED STATES DISTRICT JUDGE
-19-