By Gerald L. Maatman, Jr., Rebecca S. Bjork, and Ryan Garippo
Duane Morris Takeaways: On April 23, 2026, in Hall v. Bitcoin Depot, Inc., Case No. 25-CV-04317 (N.D. Ga. Apr. 23, 2026), Judge William Ray of the U.S. District Court for the Northern District of Georgia dismissed a putative class action alleging that users of Bitcoin Depot’s cryptocurrency ATMs were at significant risk of identity theft and attendant personal, social and financial harms due to a data breach. The District Court held that the Named Plaintiff did not properly plead a cognizable injury sufficient to confer Article III standing to sue, due to not pleading any specific misuse of his data. The decision clarifies the legal standards within the Eleventh Circuit regarding standing requirements in data breach class action cases, thus providing helpful and nuanced guidance for defendants facing similar lawsuits. This is especially true because the dismissal was granted without prejudice, affording the Named Plaintiff an opportunity to cure his defective pleading and potentially setting the stage for further litigation on this issue.
Case Background
Quincey Hall sued Bitcoin Depot, Inc. in federal court in the Northern District of Georgia on behalf of a putative class of consumers who used the company’s cryptocurrency ATMs. Id. at 2. After a data breach occurred affecting the ATMs, approximately 26,000 individuals’ personally identifiable information was exposed online. Id. After being notified by Bitcoin Depot that his information was amongst that involved in the breach, Hall filed his class action lawsuit as a “proposed representative of a class of individuals ‘impacted by [Bitcoin Depot’s] failure to safeguard, monitor, maintain and protect’ their personal information prior to the data breach.” Id.
Hall’s Complaint alleged that because of the data breach, he and the putative class members are “at [a] significant risk of identity theft and various other forms of personal, social and financial harm.” Id. at 3. He alleged that Bitcoin Depot is liable for common law tort and contract claims, as well as for violations of the Georgia Uniform Deceptive Trade Practices Act and he sought both monetary damages and injunctive relief. Id.
Bitcoin Depot filed a motion to dismiss under Rule 12(b)(6) based both on a failure to state a claim and for lack of standing to sue under Article III of the Constitution. Id.
The Court’s Decision
Judge Ray granted Bitcoin Depot’s motion to dismiss the complaint and he did so without prejudice, allowing the Named Plaintiff an opportunity to correct his defective pleading. Id. at 10. The court’s analysis of the legal requirements for standing in data breach cases is clarifying because it demonstrates that nuance matters when considering whether the injury-in fact requirement for Article III standing is properly pled.
First, the court explained that to constitute a case or controversy within the meaning of Article III, the plaintiff must have standing to sue (id. at 3), and in the context of a class action lawsuit “only one named plaintiff must have standing as to any particular claim in order for it to advance.” Id. at 5 (citation omitted).
Second, the court explained that to demonstrate standing, a named plaintiff must show that “[he] has suffered ‘an injury in fact that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical[.]’” Id. Furthermore, when seeking damages specifically, the court explained that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm.” Id. (quoting TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021). And for injunctive relief, too, the named plaintiff must establish that there is a “substantial risk that, in the near future, they will suffer an injury.” Id.
Third, the court applied these standards to the allegations in the Named Plaintiff’s complaint and held that those allegations were insufficient to establish Article III standing. Hall had only pled a risk of identity theft and the resulting potential adverse impacts on him and putative class members. He had not pled any facts that his specific information had been leaked to known criminal dark websites that in similar circumstances have survived motions to dismiss in data breach cases. Id. at 9 (citing, inter alia, Green-Cooper v. Brinker, Int’l., Inc., 73 F. 4th 883, 889 (11th Cir. 2023).) In short, the Named Plaintiff had failed to allege that there was any misuse of his stolen identity data, and that was fatal to his pleading under the established rules for Article III standing.
Implications For Data Breach Class Action Defendants
Data breach class actions are abundant, as corporate counsel working in this space know. As such, it is crucial for all to have an understanding of the possible defenses available at the pleading stage to reduce litigation risk and force potentially meritless claims to a second round of pleading and motion to dismiss practice. Understanding how district courts analyze nuances in plaintiffs’ pleadings relating to this important area of the law – Article III standing – is critical to launching a successful defense to any such claims.