United States Court of Appeals For the First Circuit
No. 22-1896
ALEXSIS WEBB, on behalf of herself and all others similarly situated; MARSCLETTE CHARLEY, on behalf of herself and all others similarly situated,
Plaintiffs, Appellants,
v.
INJURED WORKERS PHARMACY, LLC,
Defendant, Appellee.
APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MASSACHUSETTS
[Hon. Richard G. Stearns, U.S. District Judge]
Before
Kayatta, Lynch, and Montecalvo, Circuit Judges.
David K. Lietz, with whom Milberg Coleman Bryson Phillips Grossman, PLLC, Raina C. Borrelli, and Turke & Strauss, LLP were on brief, for appellants. Claudia D. McCarron, with whom Jordan S. O'Donnell and Mullen Coughlin LLC were on brief, for appellee.
June 30, 2023 LYNCH, Circuit Judge. Named plaintiffs Alexsis Webb and
Marsclette Charley brought this putative class action against
defendant Injured Workers Pharmacy, LLC ("IWP"), asserting various
state law claims in relation to a January 2021 data breach that
allegedly exposed their personally identifiable information
("PII") and that of over 75,000 other IWP patients. The district
court concluded that the plaintiffs' complaint did not plausibly
allege an injury in fact and dismissed the case for lack of Article
III standing. See Webb v. Injured Workers Pharmacy, LLC, No.
22-cv-10797, 2022 WL 10483751, at *2 (D. Mass. Oct. 17, 2022).
We hold that the complaint plausibly demonstrates the
plaintiffs' standing to seek damages. The plaintiffs press five
causes of action seeking damages, each of which encompasses at
least one of the harms that we hold satisfy the requirements of
Article III standing. The complaint plausibly alleges an injury
in fact as to Webb based on the allegations of actual misuse of
her PII to file a fraudulent tax return. Further, the complaint
plausibly alleges an injury in fact as to both plaintiffs based on
an imminent and substantial risk of future harm as well as a
present and concrete harm resulting from the exposure to this risk.
We also hold that the plaintiffs lack standing to pursue injunctive
relief because their desired injunctions would not likely redress
their alleged injuries. We affirm in part, reverse in part, and
remand for further proceedings.
- 2 - I.
A.
We recount the facts as they appear in the plaintiffs'
complaint and in documents attached to the complaint or
incorporated therein. Hochendoner v. Genzyme Corp., 823 F.3d 724,
728 (1st Cir. 2016).
IWP is a home-delivery pharmacy service registered and
headquartered in Massachusetts. It maintains records of its
patients' full names, Social Security numbers, and dates of birth,
as well as information concerning their financial accounts, credit
cards, health insurance, prescriptions, diagnoses, treatments,
healthcare providers, and Medicare/Medicaid IDs. Much of this
information constitutes PII. See, e.g., United States v.
Cruz-Mercedes, 945 F.3d 569, 572 (1st Cir. 2019). Patients
provided their PII in order to receive IWP's services, and IWP
kept that PII. IWP represented to patients that it would keep
their PII secure.
In January 2021, IWP suffered a data breach. Hackers
infiltrated IWP's patient records systems, gaining access to the
PII of over 75,000 IWP patients, and stole PII including patient
names and Social Security numbers.1 IWP did not discover this
1 IWP stated in a notice letter to potentially impacted patients that "an unknown actor accessed a total of seven . . . IWP e-mail accounts" over a four-month period. The complaint alleges that hackers "infiltrated IWP's patient records systems."
- 3 - breach until May 2021, almost four months later. In the interim,
the hackers were able to continue accessing PII. On learning of
the breach, IWP did not immediately alert its patients. Instead,
it initiated a seven-month investigation and worked to implement
new data security safeguards.
IWP did not begin notifying impacted patients until
February 2022, when it circulated a notice letter. This notice
provided a high-level description of the breach but, in the
plaintiffs' view, did not fully convey its size or scope. The
notice stated that IWP "currently ha[d] no evidence that any
information ha[d] been misused." It also "encourage[d] [patients]
to . . . review[] [their] account statements and monitor[] [their]
credit reports for suspicious activity" and referred patients to
a guidance document on protecting their personal information. IWP
has not offered to provide, at its own expense, credit monitoring
and identity protection services to all impacted patients.
Alexsis Webb is a former IWP patient who received
services from IWP between 2017 and 2020. She is a resident of
Ohio. In February 2022, IWP notified her that her PII had been
compromised in the data breach. As a result, Webb allegedly "fears
for her personal financial security and [for] what information was
The plaintiffs appear to agree that the "initial attack vector" was into IWP employee email accounts but contend that this allowed the hackers to access additional system information.
- 4 - revealed in the [d]ata [b]reach," "has spent considerable time and
effort monitoring her accounts to protect herself from . . .
identity theft," and "is experiencing feelings of anxiety, sleep
disruption, stress, and fear" because of the breach. Webb's PII
was used to file a fraudulent 2021 tax return, and she has
"expended considerable time" communicating with the Internal
Revenue Service ("IRS") to resolve issues associated with this
false return.
Marsclette Charley is a current IWP patient who has
received services from IWP since 2016. She is a resident of
Georgia. Like Webb, she became aware in February 2022 that her
PII had been compromised in the breach. She called IWP to confirm
that her information was stolen, but IWP's representatives would
not provide her with specific details as to what types of
information were accessed. As a result of the breach, Charley
allegedly "fears for her personal financial security," "expends
considerable time and effort monitoring her accounts to protect
herself from . . . identity theft," and "is experiencing feelings
of rage and anger, anxiety, sleep disruption, stress, fear, and
physical pain."
B.
On May 24, 2022, Webb and Charley filed a class action
complaint against IWP in the U.S. District Court for the District
of Massachusetts, invoking the court's jurisdiction under the
- 5 - Class Action Fairness Act of 2005 ("CAFA"), 28 U.S.C. § 1332(d).
The complaint asserts state law claims for negligence, breach of
implied contract, unjust enrichment, invasion of privacy, and
breach of fiduciary duty.2 The complaint seeks damages, an
injunction "[e]njoining [IWP] from further deceptive and unfair
practices and making untrue statements about the [d]ata [b]reach
and the stolen PII," other injunctive and declaratory relief "as
is necessary to protect the interests of [the] [p]laintiffs and
the [c]lass," and attorneys' fees. It seeks to certify a class of
U.S. residents whose PII was compromised in the data breach.
On August 9, 2022, IWP moved to dismiss the complaint on
two bases: under Federal Rule of Civil Procedure ("Rule") 12(b)(1),
for lack of Article III standing, and under Rule 12(b)(6), for
failure to state a claim as to each of the complaint's asserted
claims. The plaintiffs opposed the motion.
On October 17, 2022, the district court granted IWP's
motion and dismissed the case under Rule 12(b)(1). Webb, 2022 WL
10483751, at *2. The court concluded that the plaintiffs lacked
Article III standing because their complaint did not plausibly
allege an injury in fact. Id. As to the complaint's allegation
that a fraudulent tax return was filed in Webb's name, the court
2 The complaint also asserts a state law claim for negligence per se. The plaintiffs agreed to voluntarily dismiss this claim in their district court briefing.
- 6 - reasoned that the complaint did not sufficiently allege a
connection between the data breach and this false return. See id.
at *2 n.4. As to the complaint's other allegations, the court
reasoned that the potential future misuse of the plaintiffs' PII
was not sufficiently imminent to establish an injury in fact and
that actions to safeguard against this risk could not confer
standing either. See id. at *2. Because it dismissed the case
under Rule 12(b)(1), the court did not reach IWP's Rule 12(b)(6)
arguments. Id. at *1 n.2.
This timely appeal followed.
II.
The plaintiffs' complaint must meet standing
requirements based on Article III of the Constitution, which limits
"[t]he judicial Power" to "Cases" and "Controversies." U.S. Const.
art. III, § 2, cl. 1; see In re: Evenflo Co., Inc., Mktg., Sales
Pracs. & Prods. Liab. Litig., 54 F.4th 28, 34 (1st Cir. 2022).
"The existence of standing is a legal question, which we review de
novo." Evenflo, 54 F.4th at 34 (quoting Kerin v. Titeflex Corp.,
770 F.3d 978, 981 (1st Cir. 2014)). "When reviewing a pre-
discovery grant of a motion to dismiss for lack of standing, we
accept as true all well-pleaded fact[s] . . . and indulge all
reasonable inferences in the plaintiff[s'] favor." Id.
(alterations and omission in original) (internal quotation marks
omitted) (quoting Kerin, 770 F.3d at 981). "[W]e apply the same
- 7 - plausibility standard used to evaluate a motion under Rule
12(b)(6)." Gustavsen v. Alcon Lab'ys, Inc., 903 F.3d 1, 7 (1st
Cir. 2018). At this stage in the proceedings, our analysis focuses
on whether the two named plaintiffs have standing. See id.;
Hochendoner, 823 F.3d at 730, 733-34; 1 W. Rubenstein, Newberg and
Rubenstein on Class Actions §§ 2:1, 2:3 (6th ed. June 2023 update).
"[P]laintiffs bear the burden of demonstrating that they
have standing," TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2207
(2021), and must do so "with the manner and degree of evidence
required at the successive stages of the litigation," id. at 2208
(quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992)).
Plaintiffs "must demonstrate standing for each claim that they
press and for each form of relief that they seek." Id. "To
establish standing, a plaintiff must show an injury in fact caused
by the defendant and redressable by a court order." United States
v. Texas, No. 22-58, slip op. at 4 (U.S. June 23, 2023); see
Evenflo, 54 F.4th at 34.
At issue in this appeal is the "injury in fact"
requirement -- and, in particular, the requirement that this injury
be "concrete." "[T]raditional tangible harms, such as physical
harms and monetary harms" are "obvious[ly]" concrete. TransUnion,
141 S. Ct. at 2204. Intangible harms can also be concrete,
including when they "are injuries with a close relationship to
harms traditionally recognized as providing a basis for lawsuits
- 8 - in American courts," such as "reputational harms, disclosure of
private information, and intrusion upon seclusion." Id.; see also
Spokeo, Inc. v. Robins, 578 U.S. 330, 340-41 (2016). This "inquiry
asks whether plaintiffs have identified a close historical or
common-law analogue for their asserted injury," but "does not
require an exact duplicate." TransUnion, 141 S. Ct. at 2204.
"[A] material risk of future harm can [also] satisfy the
concrete-harm requirement," but only as to injunctive relief, not
damages. Id. at 2210; see id. at 2210-11. To have standing to
pursue damages based on a risk of future harm, plaintiffs must
demonstrate a separate concrete harm caused "by their exposure to
the risk itself." Id. at 2211.
Applying these principles in TransUnion, the Supreme
Court concluded that only a portion of the certified class in that
case had standing to pursue the claim that TransUnion, a credit
reporting agency, had failed to use reasonable procedures in
maintaining its credit files. See id. at 2200, 2208. The class
comprised individuals whose TransUnion credit reports bore alerts
erroneously suggesting that they might be terrorists or other
serious criminals. Id. at 2201-02. The Court held that the 1,853
class members whose credit reports TransUnion disseminated to
third parties had standing, because this injury bore a sufficiently
close relationship to "the reputational harm associated with the
tort of defamation." Id. at 2208. That the credit reports "were
- 9 - only misleading and not literally false" did not defeat standing,
because "an exact duplicate" of a traditionally recognized harm is
not required. Id. at 2209.
However, the remaining 6,332 class members whose credit
reports were not disseminated to third parties lacked standing.
Id. at 2212. The Court first considered whether the mere existence
of misleading alerts in these plaintiffs' internal TransUnion
credit files (absent dissemination) was a concrete injury and
concluded that it was not. See id. at 2209-10. The Court then
rejected the plaintiffs' effort to establish standing for damages
on a risk of future harm theory, reasoning that they had not
demonstrated that they "were independently harmed by their
exposure to the risk itself -- that is, that they suffered some
other injury . . . from the mere risk that their credit reports
would be provided to third-party businesses." Id. at 2211; see
id. at 2210-11. The Court noted that emotional harm might supply
the requisite concrete, present injury but did not reach this
question because the plaintiffs had not claimed any such injury.
See id. at 2211 & n.7.
III.
We begin with Webb's standing to pursue damages. We
conclude that the complaint plausibly alleges a concrete injury in
fact as to Webb based on the plausible pleading that the data
- 10 - breach resulted in the misuse of her PII by an unauthorized third
party (or third parties) to file a fraudulent tax return.3
Our data security precedents support the conclusion that
actual misuse of PII may constitute an injury in fact. In Katz v.
Pershing, LLC, 672 F.3d 64 (1st Cir. 2012), we concluded that the
named plaintiff lacked standing to sue as to her state law consumer
protection claims that the defendant had employed inadequate data
security practices. See id. at 69-70. We stated that
"[c]ritically, the complaint [did] not contain an allegation that
[her] nonpublic personal information ha[d] actually been accessed
by any unauthorized user" -- let alone subsequently misused -- but
rather "rest[ed] entirely on the hypothesis that at some point an
unauthorized, as-yet unidentified, third party might access her
data and then attempt to purloin her identity." Id. at 79. The
alleged harm in that case was not "impending" because it was
"unanchored to any actual incident of data breach." Id. at 80.
And the plaintiff could not manufacture standing by incurring
mitigation costs in the absence of an impending harm. See id. at
3 The claims asserted in the plaintiffs' complaint all arise from the IWP data breach, and neither party argues that the standing inquiry differs with respect to any claim. Accordingly, we treat the claims together throughout our analysis. See TransUnion, 141 S. Ct. at 2213-14 (assessing standing for "intertwined" claims together); Evenflo, 54 F.4th at 35 (similar); Clemens v. ExecuPharm Inc., 48 F.4th 146, 156-59 (3d Cir. 2022) (employing same underlying standing analysis for contract, tort, and "secondary contract" claims in data breach case).
- 11 - 79. We distinguished the case from those "in which confidential
data actually has been accessed through a security breach and
persons involved in that breach have acted on the ill-gotten
information." Id. at 80 (emphasis added).4
We hold that the complaint's plausible allegations of
actual misuse of Webb's stolen PII to file a fraudulent tax return
suffice to state a concrete injury under Article III. This
conclusion accords with the law of other circuits. See, e.g., In
re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247,
1262 (11th Cir. 2021) (identifying both "identity theft and damages
resulting from such theft" as concrete injuries); Attias v.
CareFirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017) ("Nobody doubts
that identity theft, should it befall one of these plaintiffs,
would constitute a concrete and particularized injury.").
4 Our decision in Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011), is also instructive. To be clear, Anderson did not concern Article III standing. It did, however, discuss the types of harms that can arise out of data misuse following a data breach. Id. at 162-67. In that case, we reversed the district court's dismissal of certain state law claims because the plaintiffs' alleged mitigation costs were incurred in response to a serious data breach and actual misuse of PII and were thus "reasonable" and "constitute[d] a cognizable harm under Maine law." Id. at 154, 164; see id. at 162-67. The data breach involved "the deliberate taking of credit and debit card information by sophisticated thieves" and the "actual misuse" of this information to "run up thousands of improper charges across the globe." Id. at 164; see id. at 154. We concluded that "[t]he [plaintiffs] were not merely exposed to a hypothetical risk, but to a real risk of misuse." Id. at 164.
- 12 - The district court concluded that the complaint did not
plausibly allege a connection between the data breach and the
filing of the false tax return. See Webb, 2022 WL 10483751, at *2
n.4. We disagree. In our view, the complaint plausibly alleges
a connection between the actual misuse of Webb's PII and the data
breach. In applying the plausibility standard required at the
motion to dismiss stage, we "[must] draw on [our] judicial
experience and common sense . . . [and] read [the complaint] as a
whole." Evenflo, 54 F.4th at 39 (alterations and omission in
original) (internal quotation marks omitted) (quoting
García-Catalán v. United States, 734 F.3d 100, 103 (1st Cir.
2013)). We must also "indulge all reasonable inferences in the
plaintiff[s'] favor." Id. at 34 (alteration in original) (internal
quotation marks omitted) (quoting Kerin, 770 F.3d at 981).
There is an obvious temporal connection between the
filing of the false tax return and the timing of the data breach.
Further, the complaint's allegation that Webb's PII was "used by
an unauthorized individual" to file a false tax return is made in
the context of allegations relating to harms Webb has suffered
because of the data breach. The complaint also alleges that Webb
is "very careful about sharing her PII," "has never knowingly
transmitted unencrypted PII over the internet or any other
unsecured source," and stores documents containing her PII in a
secure location. The obvious inference to be drawn from these
- 13 - allegations is that the criminal or criminals who filed the false
tax return obtained Webb's PII from the IWP data breach, not from
some other source. And the complaint alleges that, as a result of
the data breach and IWP's conduct, the plaintiffs "have suffered
or are at an increased risk of suffering . . . [d]elay in receipt
of tax refund monies . . . [and the] [u]nauthorized use of stolen
PII." These general allegations provide further support for a
plausible connection. See In re: SuperValu, Inc., Customer Data
Sec. Breach Litig., 870 F.3d 763, 772 (8th Cir. 2017) (holding
that, at the motion to dismiss stage, a complaint's "'general
allegations embrace[d] those specific facts . . . necessary to
support' a link between [a plaintiff's] fraudulent charge and the
data breaches" (quoting Bennett v. Spear, 520 U.S. 154, 168
(1997))).
We reject IWP's argument that the alleged actual misuse
is not itself a concrete injury absent even more resulting harm to
Webb. As described above, we agree with those courts that consider
actual misuse of a plaintiff's PII resulting from a data breach to
itself be a concrete injury. See, e.g., Equifax, 999 F.3d at 1262;
Attias, 865 F.3d at 627. And beyond that, applying a TransUnion
analysis, this alleged actual misuse is closely related to the
tort of invasion of privacy based on appropriation of another's
name or likeness, which "protect[s] . . . the interest of the
individual in the exclusive use of his own identity, in so far as
- 14 - it is represented by his name or likeness, and in so far as the
use may be of benefit to him or to others." Restatement (Second)
of Torts § 652C cmt. a (Am. L. Inst. 1977); see id. § 652C cmt. b
(noting that while some states have "limited . . . liability [by
statute] to commercial uses of the name or likeness," the general
rule is "not limited to commercial appropriation"); see also 141
S. Ct. at 2204.
Charley's standing to pursue damages is more difficult.
The complaint does not allege actual misuse of Charley's PII.
Nonetheless, we conclude that, in light of the plausible
allegations of some actual misuse, the complaint plausibly alleges
a concrete injury in fact based on the material risk of future
misuse of Charley's PII and a concrete harm caused by exposure to
this risk.5 This analysis is equally applicable to Webb and
provides an independent basis for our conclusion that the complaint
plausibly demonstrates standing as to Webb.
5 The plaintiffs do not argue that the exposure of their PII in the breach was itself an intangible harm sufficient to confer standing -- for example, by analogy to the torts of breach of confidence or invasion of privacy based on public disclosure of private information. Cf. TransUnion, 141 S. Ct. at 2209 (analyzing similar "initial question" before turning to the plaintiffs' risk of future harm theory). Accordingly, we do not consider this question. And to the extent the plaintiffs seek to establish standing based on an alleged "diminution [in] value" of their PII, they have waived this argument by raising it for the first time in their reply brief. See, e.g., United States v. Abdelaziz, No. 22-1129, 2023 WL 3335870, at *41 n.36 (1st Cir. May 10, 2023).
- 15 - 1.
"[A] material risk of future harm can satisfy the
concrete-harm requirement," at least as to injunctive relief, when
"the risk of harm is sufficiently imminent and substantial."
TransUnion, 141 S. Ct. at 2210; see also Susan B. Anthony List v.
Driehaus, 573 U.S. 149, 158 (2014); Clapper v. Amnesty Int'l USA,
568 U.S. 398, 414 n.5 (2013).
Many of the same factors we have considered in other
data breach cases inform our conclusion as to standing in this
case. Plaintiffs face a real risk of misuse of their information
following a data breach when their information is deliberately
taken by thieves intending to use the information to their
financial advantage -- i.e., exposed in a targeted attack rather
than inadvertently. And the actual misuse of a portion of the
stolen information increases the risk that other information will
be misused in the future.
We stress that these considerations are neither
exclusive nor necessarily determinative, but they do provide
guidance. See, e.g., McMorris v. Carlos Lopez & Assocs., LLC, 995
F.3d 295, 302 (2d Cir. 2021) ("[D]etermining standing is an
inherently fact-specific inquiry . . . ."). These considerations
accord with other circuits' approach to determining when the risk
of future misuse of PII following a data breach is imminent and
substantial. The Second Circuit considers:
- 16 - (1) whether the plaintiffs' data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
Id. at 303; see also id. at 300-03 (explaining the relevance of
these factors).6 The Third Circuit also considers these factors.
See Clemens v. ExecuPharm Inc., 48 F.4th 146, 153-54, 157 (3d Cir.
2022). Both circuits emphasize that these factors are "non-
exhaustive." McMorris, 995 F.3d at 303; Clemens, 48 F.4th at 153.
Other circuits look to similar considerations. See McMorris, 995
F.3d at 300-03 (collecting cases and synthesizing principles).
It stands to reason that data compromised in a targeted
attack is more likely to be misused. See Anderson, 659 F.3d at
164; see also, e.g., McMorris, 995 F.3d at 301; Clemens, 48 F.4th
at 153; Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388
(6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688,
693 (7th Cir. 2015); In re Zappos.com, Inc., Customer Data Sec.
Breach Litig., 888 F.3d 1020, 1029 n.13 (9th Cir. 2018); In re:
6 McMorris and many of the other circuit cases discussed below were decided before TransUnion. Nevertheless, we think the factors the Second Circuit listed remain relevant to assessing the risk of future PII misuse. See Clemens v. ExecuPharm Inc., 48 F.4th 146, 153-54, 157 (3d Cir. 2022) (citing McMorris and applying similar factors post-TransUnion).
- 17 - U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 58-
59 (D.C. Cir. 2019) ("OPM").
That at least some information stolen in a data breach
has already been misused also makes it likely that other portions
of the stolen data will be similarly misused. See Anderson, 659
F.3d at 164; see also, e.g., McMorris, 995 F.3d at 301-02;
Remijas, 794 F.3d at 693-94; Zappos.com, 888 F.3d at 1027 n.7;
OPM, 928 F.3d at 58-59.
And the risk of future misuse may be heightened where
the compromised data is particularly sensitive. "Naturally, the
dissemination of high-risk information such as Social Security
numbers and dates of birth -- especially when accompanied by
victims' names -- makes it more likely that those victims will be
subject to future identity theft or fraud." McMorris, 995 F.3d at
302; see also Clemens, 48 F.4th at 154; OPM, 928 F.3d at 49, 59;
Attias, 865 F.3d at 628. In contrast, the risk of future misuse
may be lower where the stolen data is "less sensitive, . . . such
as basic publicly available information, or data that can be
rendered useless to cybercriminals." McMorris, 995 F.3d at 302;
see also Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332,
1343 (11th Cir. 2021) (emphasizing fact that plaintiff did not
allege that his Social Security number or date of birth were
compromised in data breach); SuperValu, 870 F.3d at 770-71
(similar).
- 18 - We hold that the totality of the complaint plausibly
alleges an imminent and substantial risk of future misuse of the
plaintiffs' PII. The complaint alleges that the data breach was
the result of an attack by "cybercriminals" who "infiltrated IWP's
patient records systems" and "stole[] PII." These hackers were,
by IWP's own admission, able to compromise multiple employee email
accounts and to remain undetected for almost four months. The
complaint further alleges that at least some of the stolen PII has
already been misused to file a fraudulent tax return in Webb's
name. And the complaint alleges that the stolen PII "include[s]
. . . patients' names and [S]ocial [S]ecurity numbers." We do not
hold that individuals face an imminent and substantial future risk
in every case in which their information is compromised in a data
breach. But on the facts alleged here, the complaint has plausibly
demonstrated such a risk.
2.
To establish standing to pursue damages, the complaint
must also plausibly allege a separate concrete, present harm caused
"by [the plaintiffs'] exposure to [this] risk [of future harm]."
TransUnion, 141 S. Ct. at 2211. We conclude that the complaint
has done so based on the allegations of the plaintiffs' lost time
spent taking protective measures that would otherwise have been
- 19 - put to some productive use.7 See Compl. ¶¶ 13, 56 (alleging
"opportunity costs" and "lost wages" associated with "the time and
effort expended addressing . . . future consequences of the [d]ata
[b]reach").
The complaint alleges that both plaintiffs spent
"considerable time and effort monitoring [their] accounts to
protect [themselves] from . . . identity theft." The complaint
elsewhere identifies the harms of lost time as "[l]ost opportunity
costs and lost wages." The loss of this time is equivalent to a
monetary injury, which is indisputably a concrete injury. See id.
at 2204; see also Dieffenbach v. Barnes & Noble, Inc., 887 F.3d
826, 828 (7th Cir. 2018) (Easterbrook, J.) (recognizing that the
opportunity cost of "one's own time needed to set things straight"
following a data breach "can justify money damages, just as [it]
support[s] standing"); In re: Gen. Motors LLC Ignition Switch
Litig., 339 F. Supp. 3d 262, 307 (S.D.N.Y. 2018) ("[T]he
overwhelming majority of states adhere to the view that lost-time
damages are the equivalent of lost earnings or income.").8 We join
7 The complaint does not allege that Webb or Charley purchased identity theft insurance or credit monitoring services or incurred similar mitigation costs. See TransUnion, 141 S. Ct. at 2204; see also, e.g., Clemens, 48 F.4th at 156; Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018). 8 Because we conclude that the complaint plausibly alleges the loss of time that would otherwise have been put to profitable use, we do not consider whether the loss of personal time is either a tangible injury or an intangible injury with a "close historical
- 20 - other circuits in concluding that time spent responding to a data
breach can constitute a concrete injury sufficient to confer
standing, at least when that time would otherwise have been put to
profitable use. See, e.g., Clemens, 48 F.4th at 158; Hutton v.
Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 622 (4th
Cir. 2018); Galaria, 663 F. App'x at 388-89; Lewert v. P.F. Chang's
China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016); Equifax,
999 F.3d at 1262.
Because this alleged injury was a response to a
substantial and imminent risk of harm, this is not a case where
the plaintiffs seek to "manufacture standing by incurring costs in
anticipation of non-imminent harm." Clapper, 568 U.S. at 422; see
also, e.g., McMorris, 995 F.3d at 303; Hutton, 892 F.3d at 622.
C.
The complaint's allegations also satisfy the
traceability and redressability standing requirements. The
complaint alleges that IWP's actions led to the exposure and actual
or potential misuse of the plaintiffs' PII, making their injuries
fairly traceable to IWP's conduct. See Evenflo, 54 F.4th at 41;
Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S.
118, 134 n.6 (2014) ("Proximate causation is not a requirement of
or common-law analogue." TransUnion, 141 S. Ct. at 2204; cf. Gen. Motors LLC, 339 F. Supp. 3d at 307 ("[M]ost states do not treat lost personal time as a compensable form of injury.").
- 21 - Article III standing, which requires only that the plaintiff's
injury be fairly traceable to the defendant's conduct."). "And
monetary relief would compensate [the plaintiffs] for their
injur[ies], rendering the injur[ies] redressable." Evenflo, 54
F.4th at 41.
D.
Defendants do not contend that the plaintiffs' ability
to pursue emotional distress as a specific category of damages
presents an independent Article III standing issue even after
plaintiffs have shown an actual injury supporting their claim for
damages generally under each cause of action, and for good reason.
"It is firmly established in our cases that the absence of a valid
. . . cause of action does not implicate subject-matter
jurisdiction, i.e., the courts' statutory or constitutional power
to adjudicate the case." Steel Co. v. Citizens for a Better
Environment, 523 U.S. 83, 89 (1998). On the appeal before us we
consider only whether the plaintiffs have "demonstrate[d] standing
for each claim that they press and for each form of relief that
they seek." TransUnion, 141 S.Ct. at 2208. Having concluded that
plaintiffs have supported each of their five causes of action for
damages with at least one injury in fact caused by the defendant
and redressable by a court order, we venture no further. Cf.
Attias, 865 F.3d at 626 n.2 (declining to address standing based
on past identity theft because the risk of future identity theft,
- 22 - along with associated mitigation expenses, sufficed to confer
standing); Linman v. Marten Transp., Ltd., No. 22-CV-204-JDP, 2023
WL 2562712, at *3 (W.D. Wis. Mar. 17, 2023) (finding time spent
mitigating the risk of identity theft sufficient for standing and
declining to decide whether other alleged injuries such as
emotional distress are sufficient); TransUnion, 141 S. Ct. at 2211
& n.7. Whether the plaintiffs have stated a claim for damages
specifically arising out of their emotional distress is a question
for IWP's 12(b)(6) motion which, as discussed below, we do not
reach.
IV.
We next consider the plaintiffs' standing to seek
injunctive relief. We conclude that the plaintiffs lack standing
to pursue such relief because their requested injunctions are not
likely to redress their alleged injuries. See Lujan, 504 U.S. at
568-71.
The only allegation in the complaint that injunctive
relief is necessary is that plaintiffs' "PII [is] still maintained
by [IWP] with [its] inadequate cybersecurity system and policies."
Naturally, an injunction requiring IWP to improve its
cybersecurity systems cannot protect the plaintiffs from future
misuse of their PII by the individuals they allege now possess it.
Any such relief would safeguard only against a future breach.
- 23 - But the plaintiffs do not allege that any such future
breach will occur. "Standing for injunctive relief depends on
'whether [the plaintiffs are] likely to suffer future injury.'"
Laufer v. Acheson Hotels, LLC, 50 F.4th 259, 276 (1st Cir. 2022)
(quoting City of Los Angeles v. Lyons, 461 U.S. 95, 105 (1983)).
Here, any available inference that IWP's prior data breach might
make a future data breach more likely is undercut by the
plaintiffs' own allegation that "[f]ollowing the [d]ata [b]reach,
IWP implemented new security safeguards to prevent and mitigate
data breaches -- measures that should have been in place before
the data breach." Instead, IWP faces much the same risk of future
cyberhacking as virtually every holder of private data. If that
risk were deemed sufficiently imminent to justify injunctive
relief, virtually every company and government agency might be
exposed to requests for injunctive relief like the one the
plaintiffs seek here. We decline to hold as much. Because the
plaintiffs have not shown that their requested injunction would
likely redress their alleged injuries, they lack standing to pursue
that form of relief. Cf. Lujan, 504 U.S. at 568-71.
The plaintiffs also request that the district court
"[e]njoin[] [IWP] from further deceptive and unfair practices and
making untrue statements about the [d]ata [b]reach and the stolen
PII." But nowhere do the plaintiffs allege that IWP is likely to
make deceptive statements about that past breach in the future or
- 24 - that any such statements would harm the plaintiffs, particularly
now that they know about the breach. Here, too, the plaintiffs'
requested injunction would have no chance of redressing any alleged
injury, and they lack standing to pursue it.
We do not reach IWP's Rule 12(b)(6) arguments. The
district court did not rule on these arguments, see Webb, 2022 WL
10483751, at *1 n.2, and will have the opportunity to do so in the
first instance on remand, see, e.g., Evenflo, 54 F.4th at 41.
VI.
For the foregoing reasons, we affirm in part, reverse in
part, and remand for further proceedings consistent with this
opinion. No costs are awarded.
- 25 -