January 23, 2022

New York federal court dismisses data breach putative class action on standing grounds

On January 19, the United States District Court for the Southern District of New York ruled in favor of Bonobos, Inc., a New York-based men’s clothing store, granting Bonobos’ motion to dismiss for lack of standing.

The case arose out of a $170 purchase in June 2013, for which the plaintiff, Cooper, was required to enter personal information such as shipping address and telephone number, as well as his credit card information.  In August 2020, a hacking group stole information stored on the cloud by Bonobos.  The information included the home addresses, telephone numbers, email addresses, IP addresses, and encrypted passwords of approximately 7 million customers, as well as the last four digits of their credit cards.  Five months later, in January 2021, Bonobos informed customers of the breach, and Cooper filed a class action complaint in federal court the same month, claiming that Bonobos had acted with negligence, had been unjustly enriched, and had violated Section 349 of the New York General Business Law.  Bonobos moved to dismiss for lack of standing.

The court’s opinion focused on the first of the three established elements of standing – injury in fact.  An injury in fact must be a concrete and particularized, actual or imminent invasion of a legally protected interest. If the injury is threatened rather than actual, then the plaintiff must demonstrate that there is a substantial risk that the harm will occur.  Relying on the Second Circuit’s recent decision in McMorris v. Carlos Lopez &Assocs., LLC, 995 F.3d 295 (2d Cir. 2021), the court considered three non-exhaustive factors that bear on whether the risk of harm stemming from a data breach is sufficiently concrete, particularized, and imminent:  was the breach connected with a targeted attempt to obtain data, has any of the stolen data already been misused, and is the exposed data particularly sensitive – for example social security numbers and dates of birth.   Here, the court concluded that Cooper could not establish standing based on an increased risk of identity theft or fraud in the future, because the type of data that was exposed was not susceptible to misuse.  Since the stolen data included partial, not complete, credit card numbers, no birthdates or social security numbers, and encrypted passwords likely exclusive to the consumers’ Bonobos accounts, the district court held that, “Put simply, given the nature and age of the data, the likelihood that its exposure would result in harm to Cooper is too remote to support standing.”

The court dismissed Cooper’s claim without prejudice, but also without leave to amend because further amendment would be futile. 

Judgment | Opinion and Order