Here at CPW, we have covered many decisions addressing the need for Article III standing when pleading a claim in federal court. A recent rare decision out of a district court in the Ninth Circuit dismissed a data event litigation for lack of standing—showing the efficacy of a particular type of motion practice known as a factual attack on plaintiff’s standing. In Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021), the Court found that an alleged data event did not cause the harms Plaintiff alleged in the complaint, and therefore dismissed the litigation for lack of standing.

Plaintiff is a consumer that downloaded Defendant Mammoth’s mobile “Wishbone” application (“app”), which required creating an account, selecting a username and password, and providing an email address. Shortly after downloading the app, Plaintiff deleted the app but did not delete his account. Four years later, Mammoth informed its customers that it suffered cyberattack and that Wishbone users’ user names, emails, phone numbers, time zone/region, full name, bio, gender, encrypted passwords, and profile pictures may have been compromised. Plaintiff subsequently sued on behalf of himself and a putative class for negligence, declaratory judgment, breach of confidence, violation of California’s Unfair Competition Law, and violations of data breach statutes from thirty-eight different states. Defendant promptly moved to dismiss Plaintiff’s First Amended Complaint for lack of standing.

The Court focused its standing analysis on Plaintiff’s alleged injury in fact and materials offered by Defendant in support of its motion to dismiss under Rule 12(b)(1).

Specifically, Plaintiff alleged that after the Wishbone breach, his Spotify and Reddit accounts were compromised (requiring him to change his passwords). Plaintiff further alleged that he received spam emails and spent three hours changing his passwords, setting up fraud alerts, and reviewing his bank accounts for fraudulent transactions. Lastly, Plaintiff alleged that because his data was stolen, he will experience heightened risk of future identity theft and fraud, lowered credit scores from the fraudulent activity, loss of access to online and financial accounts, and loss of time and enjoyment given the efforts to mitigate or prevent identity theft.

In analyzing Plaintiff’s alleged harm, the Court considered a declaration from Defendant’s Chief Technology Officer (which was submitted in support of Defendant’s Motion to Dismiss for lack of standing). [Note: As the court in Burns explained, “[a]  motion for lack of standing under Rule 12(b)(1) may challenge the court’s jurisdiction facially, based on the legal sufficiency of the claim, or factually, based on the legal sufficiency of the jurisdictional facts.  In a factual challenge—which is what was presented in Burns—the court is not required to accept the allegations of the complaint as true and may consider additional evidence outside of the pleadings.]

The declaration stated that Plaintiff’s compromised information included his name, username, email, date he created his profile, gender, user ID and access token that Mammoth assigned to him, encrypted password, an authorization token, a Facebook ID, a url to an image, country, time zone, Apple idfa, stickers left, and the date last updated. Notably, however, the declaration stated that Plaintiff’s compromised information did not include his birth date, address, social security number, or any financial information (contrary to what Plaintiff alleged in his complaint). Specifically, this declaration refuted Plaintiff’s allegation that his Spotify and Reddit accounts were compromised given that Plaintiff’s compromised information cannot be used to access Spotify, Reddit, or any other account. Plaintiff did not respond to Defendant’s declaration with evidence proving otherwise.

Accepting Defendant’s declaration as true, the Court found that Plaintiff could not establish injury in fact with hypothetical economic harm, let alone an injury that is traceable to Mammoth’s conduct. Thus, because the only evidence before the Court indicated that the Mammoth data breach could not possibly cause the risk of identity theft, fraud, and related harms that Plaintiff alleged in the First Amended Complaint, the Court dismissed the Complaint for lack of standing with leave to amend.

Well, on August 23, 2021, Plaintiff filed a Second Amended Complaint (“SAC”) attaching the Notice of Data Breach as his only exhibit. Stay tuned to find out if Defendant files an additional challenge to Plaintiff’s Article III standing or otherwise moves to dismiss the SAC under Rule 12(b)(6).

For more developments in this area, stay tuned. CPW will be there.