GRSM Multi-State Team Secures Dismissal of Ohio Data Breach Class Action

Gordon Rees Scully Mansukhani New York Partners Joseph Salvo and John Mills, in collaboration with New York Associate Michael Paulino and Columbus Partner Megan Bosak, successfully secured the dismissal of a data breach putative class action filed in the Court of Common Pleas of Franklin County, Ohio, against the firm’s client, a non-profit organization providing rehabilitation and healthcare treatment-related services.

The plaintiffs alleged that their personally identifiable information and/or protected health information was potentially compromised in a cyberattack impacting the firm’s client in or around June 2024. The plaintiffs claimed that they suffered various injuries, including the future risk of harm and identity theft, lost or diminished value of their information, costs associated with the prevention, detection, and recovery from identity theft, lost opportunity costs, invasion of their privacy, loss of the benefit of the bargain, and emotional distress associated with the loss of control over their information. One plaintiff claimed to have received several notifications of attempted fraudulent bank charges, while another plaintiff claimed to have experienced an increase in spam calls and texts following the incident.

These facts presented significant challenges at the motion to dismiss stage, especially where many courts have held these allegations sufficient to plead injuries and/or damages for purposes of standing. However, the GRSM team leveraged the controlling legal authority, coupled with the facts surrounding the incident and the nature of information potentially impacted in the incident, to persuade the court that the plaintiffs failed to allege sufficient concrete injuries to establish standing under Ohio law.

In its order, the court held that, even accepting the allegations as true, the plaintiffs did not allege that their information had been misused, that identity fraud occurred, or that any plaintiff suffered unreimbursed financial loss. Additionally, the court went on to hold that emotional distress and mitigation efforts undertaken in response to a speculative risk of future harm fail to establish a present, concrete injury, which requires dismissal since the plaintiffs lack standing. For similar reasons, the court also held that the plaintiffs’ complaint failed to state a claim due to, inter alia, the lack of injuries and/or damages.

The dismissal marks a significant victory for both the client and future organizations that may fall victim to third-party cyberattacks, as well as those facing putative class actions after notifying affected parties in compliance with applicable law, a step that often results in multiple such actions. The outcome reflects a strategic, long-term litigation approach that combined aggressive motion practice, thorough factual development, and close coordination with the client, forensic investigators, and incident response counsel, further showcasing the proven track record of GRSM’s Cyber, Privacy & Data Security practice in handling complex, high-stakes data breach class actions nationwide.