- within Litigation and Mediation & Arbitration topic(s)
- in Asia
- in Asia
- within Litigation, Mediation & Arbitration, Transport and Privacy topic(s)
Duane Morris Takeaway:This week's episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associates Ryan Garippo and Andrew Quay with their analysis of a North Carolina federal court decision dismissing a data breach class action.
Check out today's episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.
Episode Transcript
Jerry Maatman: Thank you, loyal blog listeners and readers, for joining us for this week's episode of the Class Action Weekly Wire. I'm Jerry Maatman, a partner at Duane Morris, and joining me today are my colleagues Ryan Garippo and Andrew Quay. Thanks for being here.
Ryan Garippo: Thanks for having me, Jerry. Glad to be here.
Andrew Quay: Glad to be here, Jerry, thanks.
Jerry: Today, we're going to dive into a ruling that came down in September from the Western District of North Carolina. The court dismissed a data breach class action in a lawsuit captioned Dougherty v. Bojangles Restaurants, Inc. What was this case about?
Ryan: Well, Jerry, this case stems from a data breach that allegedly hit Bojangles, the fast-food chain, in February of 2024. The company notified potentially affected individuals later that year. And in response, nine former employees filed a putative class action claiming that Bojangles failed to implement proper cybersecurity protections.
Andrew: The plaintiffs brought, really, a mixed bag of claims, including state tort claims, a claim under the North Carolina Unfair and Deceptive Trade Practices Act, others as well. The core issue at hand was whether they had standing under Article III of the Constitution to bring the lawsuit in federal court.
Jerry: In terms of harm, what were the plaintiffs alleging in terms of their so-called injury in fact?
Ryan: Well, that's the key, Jerry. Alleging is the key fact there. Eight out of the nine plaintiffs did not allege that there was any actual misuse of their data. They claimed that they were harmed due to the possibility of future risks, such as identity theft, sales of their information on the dark web, increased spam calls, emotional distress, the value of their personal data going down in the future, but nothing that was actually affecting them right now.
Andrew: And the ninth plaintiff claimed he noticed fraudulent charges on his debit card, but crucially, he didn't allege that he ever gave that card number to Bojangles as part of his employment. The court thereby determined that even if this fraudulent charge established an injury, that injury was not traceable to the data breach at hand.
Jerry: In terms of the analysis of the court, I know it leaned heavily on the U.S. Supreme Court's seminal ruling in 2021 in TransUnion v. Ramirez, and that encapsulated a standing analysis. How did TransUnion impact the court in North Carolina in terms of its decision to ultimately dismiss this lawsuit?
Andrew: Well, in TransUnion, the named plaintiff on behalf of a putative class alleged that TransUnion, which is a credit reporting agency, violated the Fair Credit Reporting Act by failing to use reasonable procedures for placing a misleading alert in his credit file that labeled him as actually a potential terrorist, among other comparable threats. The Supreme Court held that only class members whose credit reports had actually been provided to third-party businesses had suffered concrete injury, that the mere existence of misleading alerts in one's own credit file did not cause such an injury. So, if your data is compromised, but never actually used, maybe never even seen, you do not have a concrete injury.
Ryan: Yeah, and that's exactly what happened here. The court said that the plaintiffs' claims fell into the might-be-a-problem category, as opposed to the is already-a-problem category. So, in other words, if there wasn't any actual type of misuse, such as someone attempting to open a credit card or steal their identity tied to the data breach. The court determined that the harm was just too speculative and dismissed the claims alleging fraudulent debt credit card usage as well, because as to that specific component, there was no allegation that it was actually traceable to Bojangles. So, either the plaintiffs had suffered no harm at all, or there was no traceability and failed on that prong in the alternative.
Jerry: It's a very interesting outcome. Since the court never reached the underlying legal claims in terms of fault for the data breach, what does this mean for plaintiffs overall across the country in asserting injuries purportedly suffered in a data breach situation?
Andrew: The court ruled that every class member must show concrete injury, even at the pleading stage. And that's a major procedural signal for future data breach class actions. Plaintiffs must show real-world harm, and if they can't show actual misuse of data, or link that alleged misuse back to the defendant, courts should shut these cases down early, just like here.
Ryan: Yeah, and importantly, it gives defense counsel an important strategic roadmap – you can attack Article III standing. Now, here it was just for the named plaintiffs, but there's language which suggests that this should be applied to the entire putative class, and which sort of harkens back to the Supreme Court's dissent from denial of certiorari in LabCorp v. Davis, which hints at bigger questions about whether classes with uninjured class members can even be certified at all. Now, that issue was left for a different day, but here we're not even going to get to see it because the court knocked this class action out at the pleading stage.
Jerry: Seems to me the Bojangles ruling certainly is a reminder that standing is anything but a formality and can be a very powerful tool by defense counsel and a corporation facing data breach class action litigation, a way to knock the socks off the lawsuit before you even get to the class certification issue, and gives the defendant, in these circumstances, a very strong argument for dismissal.
Well, those are great insights, Andrew and Ryan, and thanks for being with us today and breaking down the ruling, and thank you to our listeners for tuning in to this week's episode of the Class Action Weekly Wire. As always, subscribe to our blog and stay tuned in for the latest trends in class action law.
Andrew: Thanks for having me on the podcast, Jerry, and thank you to our listeners.
Ryan: Thank you, everyone.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
