North Carolina Federal Dismisses Class Action Based On No Injury Stemming From Bojangles Data Breach

Duane Morris Takeaways: On September 30, 2025, in Dougherty, et al. v. Bojangles' Restaurants, Inc., No. 25-CV-00065, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sept. 30, 2025), Judge Kenneth D. Bell of the U.S. District Court for the Western District of North Carolina dismissed a class action alleging violations of numerous state torts and the North Carolina Unfair and Deceptive Trade Practices Act following an alleged cyberattack on Bojangles. The Court held the former employees of the fast-food chain failed to plausibly allege a concrete injury, and therefore, lacked Article III standing. The Court reasoned that Plaintiffs' theory of an "ongoing threat of identity theft" without any actual harm was not enough to sustain a concrete injury.

The decision illustrates that the mere possibility of future harm, without any actual harm, is not enough to plausibly allege an injury-in-fact for purposes of Article III standing. Further, building on U.S. Supreme Court precedent, the decision highlights the requirements of traceability where plaintiffs cannot identify any harm connected to the transfer of personal information to a data breach defendant.

Case Background

Bojangles Restaurants, Inc. ("Bojangles") was the alleged victim of a cyberattack in February 2024. Id. at *5. In November of that same year, Bojangles sent a notice to those who may have been impacted, stating "that certain files were viewed and downloaded by an unknown actor between February 19, 2024 and March 12, 2024." Id.

In January 2025, after receiving the notice from Bojangles, Alexis Dougherty and eight other former employees ("Plaintiffs"), filed a putative class action complaint against Bojangles. Id. at *2. Plaintiffs alleged that Bojangles gathers various types of sensitive information from its employees, including names, addresses, Social Security numbers, driver's license information, etc., and that Bojangles failed to implement "reasonable cybersecurity safeguards or protocols." Id. at *4-5. Notably, however, Plaintiffs did not identify any sensitive information they provided to Bojangles, except for some Plaintiffs who alleged they provided their Social Security number or that Bojangles' notice identified their Social Security number. Id. at *6.

Plaintiffs asserted two different theories of injury. Eight of the nine Plaintiffs did not allege any identity theft or data misuse; rather, they claimed injury based on "the threat of harm" from a potential sale of their information on the Dark Web, an uptick in spam calls, "diminution in value" of their personal information, time spent mitigating the potential impacts of the cyberattack, and emotional distress. Id. The remaining plaintiff alleged fraudulent charges on his debit card but did not allege that he provided the card number to Bojangles as part of his employment. Id. at *6.

Bojangles moved to dismiss for lack of subject-matter jurisdiction and for failure to state a claim upon which relief can be granted. Bojangles argued that eight of the Plaintiffs failed to allege a concrete injury without an actual misuse of their personal information, and that the remaining plaintiff's alleged debit card fraud is not fairly traceable to the data breach.

The Court's Opinion

In a 10-page opinion, Judge Kenneth D. Bell granted Bojangles' motion to dismiss for lack of subject-matter jurisdiction without reaching the merits of Plaintiffs' claims.

The Court held that Plaintiffs failed to plausibly allege Article III standing. Judge Bell explained that Plaintiffs' allegations "only describ[e] the possibility of future harm that is inherent in every data security incident, but cannot support the Article III standing necessary to pursue a federal lawsuit." Id. at *7. There was no dispute that Plaintiffs' personal information may have been impacted by the data breach, but the potential threat of resulting damages failed to plausibly allege a concrete injury that is fairly traceable to the data breach. Id. at *6-7.

The U.S. Supreme Court's decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), governed the opinion. There, the named plaintiff on behalf of a putative class alleged that TransUnion, a credit reporting agency, violated the Fair Credit Reporting Act by failing to use reasonable procedures before placing a misleading alert in his credit file that labeled him as a potential terrorist, among other comparable threats. Id. at 419-21. The Supreme Court held that only class members whose credit reports had been provided to third-party businesses had suffered a concrete injury, and that the mere existence of misleading alerts in one's own credit file did not cause such an injury. Id. at 417, 435.

Applying TransUnion to the facts at hand, Judge Bell reasoned that "Plaintiffs' allegations of harm as a consequence of the Data Breach fall squarely in the 'might be a problem' rather than the 'is already a problem' category." Dougherty, 2025 U.S. Dist. LEXIS 194879,at *12. Therefore, Plaintiffs' theory of an ongoing threat of identity theft or other data misuse failed to plausibly allege any actual harm, such as an attempt to open credit card accounts or otherwise steal information. Id. at *12-13. Further, most of the Plaintiffs did not identify any personal information that they personally provided to Bojangles, defeating any traceability argument. Judge Bell similarly dismissed Plaintiffs' varied attempts to establish standing based on an uptick in spam calls, diminution in value of personal information, time spent mitigating the "potential impact" of the data breach, and emotional distress. Id. at 13-14. None of these harms constitute a concrete injury.

Judge Bell also dismissed the claims of the one Plaintiff who allegedly noticed fraudulent charges on his debit card, because he did not allege those charges were fairly traceable to the breach. Because the Plaintiff did not allege that he provided his debit card number to Bojangles as part of his employment, there was no way to connect those charges to the alleged breach. Thus, although those charges may constitute an injury-in-fact, they were insufficient on traceability grounds.

Implications For Companies

Dougherty illustrates the pleading requirements established in TransUnion, and the powerful tool that they can be in dismantling a nationwide data breach class action.

What's more, the court in Dougherty seemed to take for granted that every class member must suffer an actual injury for each of their claims, even at the pleading stage in the litigation. Id. at *9 ("Therefore, following TransUnion, it is clear that to recover damages from Defendant, every class member must have Article III standing for each claim that they press requiring proof that the challenged conduct caused each of them a concrete harm") (quotations omitted). This signal may be a favorable sign that Judge Bell agrees with the "sleeping lion" noted by Justice Kavanaugh in Lab. Corp. of Am. Holdings v. Davis, 605 U.S. 327 (2025) – i.e., whether "a federal court may . . . certify a damages class that includes both injured and uninjured members." Id. at 328 (Kavanaugh, J., dissenting). For now, however, the Court left that issue until another day.

Nonetheless, if corporate counsel's organizations are facing a class action seeking damages stemming from an alleged data breach, corporate counsel should consider their ability to attack Article III standing on all fronts, not only as to the named plaintiffs, but also as to the class. If successful, other organizations may be able to make an early exit from a data breach class action on the theory that plaintiffs cannot plausibly allege an actual injury from the future possibility of their data misuse, much like the defendant in Dougherty.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.