Data Security And Privacy Liability – Takeaways From The Sedona Conference Working Group 11 Midyear Meeting In Ft. Lauderdale

By Justin R. Donoho

Duane Morris Takeaways: Data privacy and data breach class action litigation continue to explode.  At the Sedona Conference Working Group 11 on Data Security and Privacy Liability, in Fort Lauderdale, Florida, on November 6-7, 2025, Justin Donoho of the Duane Morris Class Action Defense Group served as a moderator for a panel discussion, “Legislative Drafting Considerations: Lessons from Colorado’s Privacy and AI Law Intersection.”  The working group meeting, which spanned two days and had over 40 participants, produced excellent dialogues on this topic and others including website advertising technologies, judicial perspectives on privacy and data breach litigation, onward transfer of consumer PII in M&A and bankruptcy contexts, venue, forum, and choice of law in privacy and data breach class actions, privacy and data security regulator roundtable, revisiting notice and consent for facial recognition, and application of attorney-client privilege in the cybersecurity context.

The Conference’s robust agenda featured dialogue leaders from a wide array of backgrounds, including government officials, industry experts, federal and state judges, in-house attorneys, cyber and data privacy law professors, plaintiffs’ attorneys, and defense attorneys.  In a masterful way, the agenda provided valuable insights for participants toward this working group’s mission, which is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.

Justin had the privilege of speaking about lessons from the intersection of the Colorado Privacy Act (CPA) and Colorado AI Act (CAIA) and how these lessons might guide future legislatures when drafting AI and data privacy statutes.  Highlights from his presentation included identifying lessons learned from the intersection of the CPA and CAIA and, among them, discussing some of the human steps a company may perform in using an AI hiring tool to avoid triggering the CPA’s opt-out right in factual scenarios where that right might apply, as those human steps are discussed in his article, “Five Human Best Practices to Mitigate the Risk of AI Hiring Tool Noncompliance with Antidiscrimination Statutes,” Journal of Robotics, Artificial Intelligence & Law, Volume 8, No. 4, July-August 2025.

Finally, one of the greatest joys of participating in Sedona Conference meetings is the opportunity to draw on the wisdom of fellow presenters and other participants from around the globe.  Highlights included:

  1. Experts of all stripes presenting a draft opus on advertising technologies that describes ways our laws could move beyond outdated statutes with draconian statutory penalties by focusing instead on any actual harms resulting from such technologies.
  2. A lively dialogue among my panelists and other participants dissecting the Colorado Privacy Act, Colorado AI Act, and those statutes’ application to AI hiring tools in an effort to offer guidance to future legislators drafting similar statutes.
  3. Federal and state judges offering tips for advocacy when presenting technical cybersecurity and data privacy issues to the court.
  4. Panelists with different backgrounds discussing the law regarding when a company that has obtained personal data with consent can and cannot transfer the data in M&A and bankruptcy contexts.
  5. Litigators from both sides of the “v.” debating venue, forum, choice of law, MDL, and CAFA issues in the context of privacy and data breach class actions.
  6. State regulators discussing their increasing data privacy and cybersecurity departments and priorities for enforcement in these areas. 
  7. Data privacy lawyers and experts discussing the evolution of facial recognition technology and the need to tailor notice and consent processes to risks associated with the technologies and use cases involved.
  8. Cybersecurity lawyers and experts discussing best practices for maintaining attorney-client privilege when responding to a cybersecurity incident.

Thank you to the Sedona Conference Working Group 11 and its incredible team, the fellow dialogue leaders, the engaging participants, and all others who helped make this meeting in Fort Lauderdale, Florida, an informative and unforgettable experience.

New York State (Court) Of Mind: New York Federal Court Remands Allstate Data Breach Case To State Court For Lack Of Federal Question Jurisdiction

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Elizabeth G. Underwood

Duane Morris Takeaways: On October 28, 2025, Judge Lewis A. Kaplan of the U.S. District Court for the Southern District of New York granted the People of the State of New York’s (the “State”) motion to remand in New York v. Nat’l Gen. Holdings Corp., No. 25 Civ. 03608, 2025 U.S. Dist. LEXIS 212731 (S.D.N.Y. Oct. 28, 2025).  The State alleged that National General Holdings Corporation violated various state laws related to data protection programs and notifications to affected individuals when data breaches in 2020 and 2021 exposed the corporation’s customer information.  This case reinforces the concept that a plaintiff is indeed the master of the complaint and can strategically craft their complaint to ensure that a case is litigated in state court.

Case Background

The State sued Allstate Insurance Company when one of its units, National General Holdings Corporation (the “Defendants”), was involved in two data breaches in 2020 and 2021, exposing nearly 200,000 consumers’ drivers’ license numbers to hackers.  The State alleged that the Defendants failed to protect customers’ sensitive information and did not inform customers that their data was stolen.

Importantly, the complaint did not assert any cause of action under federal law.  Instead, the complaint alleged that the Defendants violated three federal statutes, including the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  The State brought the action against the defendants pursuant to New York State General Business Law (“GBL”) §§ 349, 350, 899-aa, and 899-bb, and New York Executive Law § 63(12).

Based on the inclusion of allegations that they violated federal law, the Defendants removed the action to the U.S. District Court for the Southern District of New York pursuant to 28 U.S.C. §§ 1331 and 1441, invoking the Court’s ability to decide a federal question.  The State, however, moved to remand the case and for attorney’s fees incurred due to the removal.

Magistrate Judge Robert Lehrburger concluded in a report and recommendation that the Court lacked federal subject matter jurisdiction to hear the case because the causes of action (1) were not created by federal law and (2) did not satisfy the standard set forth in Gunn v. Minton, 568 U.S. 251 (2013), and Grable & Sons Metal Products, Inc. v. Darue Engineering & Manufacturing, 545 U.S. 308 (2005) (the “Gunn-Grable” test).  ECF 55.  Under the Gunn-Grable test, federal question jurisdiction exists only when a federal issue is “(1) necessarily raised, (2) actually disputed, (3) substantial, and (4) capable of resolution in federal court without disrupting the federal-state balance approved by Congress.”  Gunn, 568 U.S. at 258.

In his report and recommendation, Magistrate Judge Lehrburger determined that the third element as to whether a federal issue was “substantial” was not satisfied.  This inquiry looks to “the importance of the issue to the federal system as a whole,” not just the issues of one case.  Id. at 260.  In this case, the Defendants argued that the substantiality requirement was met because of the substantial federal interests in data privacy and national security; however, Magistrate Judge Lehrburger found these arguments were unpersuasive and recommended that the Court remand the case but not award attorney’s fees to the State.

The Court’s Opinion

In an opinion written by Judge Lewis Kaplan, the Court agreed with Magistrate Judge Lehrburger’s reasoning and held that the case did not pass the Gunn-Grable test.

The Court determined that Magistrate Judge Lehrburger correctly rejected the Defendants’ argument that the State’s claims satisfy the Gunn-Grable test as to the “substantiality” element.  First, the Court found that the Defendants’ argument as to whether the New York State Attorney General had the authority to enforce the federal GLBA was “entirely inapt” because the complaint did not allege any GLBA claims.  Nat’l Gen. Holdings Corp., 2025 U.S. Dist. LEXIS 212731, at *3.  Second, the Court held that the federal government’s interest in data privacy was insufficient to meet the Gunn-Grable test.  Third, the Court determined that the federal law questions implicated by the state law claims, including whether defendants are insulated from liability under state law if the defendants’ data protection programs and data breach notification procedures were in compliance with federal law, “are inherently fact-intensive and therefore likely would not provide guidance in future cases.”  Id. at *4.

Moreover, the Court also rejected the Defendants’ argument that whether the GLBA preempts the New York Attorney General from bringing the state law claims is a substantial federal question, reasoning that the question was not “necessarily raised” and that preemption is an affirmative defense that may not serve as the basis for subject-matter jurisdiction.  Id. at 4–5.  Finally, the Court held that none of the three exceptions to the well-pleaded complaint rule applied because the Defendants did not assert the first two exceptions, and the third exception would have had to pass the Gunn-Grable test, which it did not.

Implications For Companies

Nat’l Gen. Holdings Corp. serves as a cautionary reminder of the uphill battles that corporate defendants often face to remove to and then keep bet-the-company litigation in federal court.

Although it is not uncommon for a corporation to prefer “federal courts because it fears a corporate defendant . . . will not get a fair trial in state court,” the road to get there is not always guaranteed.  See, e.g., Hosein v. CDL West 45th Street, LLC, No. 12 Civ. 06903, 2013 WL 4780051, at *3 (S.D.N.Y. June 12, 2013).  As on display here, the Nat’l Gen. Holdings Corp. opinion shows that corporate defendants may not even get to litigate in a federal forum even when there are allegations that they violated federal law.

As a result, corporate counsel should be aware that relying on a state law claim involving an embedded federal issue, as the basis for federal subject-matter jurisdiction, may not be successful in 100% of cases, but it may be worth a chance to attempt to remove the case to federal court if it is the company’s only opportunity to obtain a fair trial.

Illinois Federal Court Allows Plaintiffs To Proceed In Data Breach Class Action Anonymously

By Gerald L. Maatman, Jr., Brett Bohan, and Andrew Quay

Duane Morris Takeaways: On October 22, 2025, in Doe, et al. v. Veradigm Inc., No. 25-CV-10147, 2025 U.S. Dist. LEXIS 207942 (N.D. Ill. Oct. 22, 2025), Judge Mary M. Rowland of the U.S. District Court for the Northern District of Illinois granted plaintiffs’ motion to proceed under a pseudonym in a class action alleging violations of the Electronic Communication Privacy Act and the California Invasion of Privacy Act, and negligence for improper disclosure of plaintiffs’ protected health information (“PHI”).  The Court held that the potential harm to the plaintiffs in revealing their identities exceeded the likely harm from concealment because revealing their identities would exacerbate the very harm plaintiffs sought to remedy.

The decision illustrates the delicate balancing that courts apply when deciding whether to allow plaintiffs to proceed anonymously, particularly when faced with allegations of improper disclosure of highly sensitive personal information including test results, doctor’s notes, and medical treatment information.  When plaintiffs’ reasons for proceeding anonymously implicate the same reasons they brought the lawsuit, like in Veradigm, the scales are demonstrably tipped in favor of proceeding under a pseudonym.

Case Background

In August 2025, plaintiffs, proceeding under the pseudonyms “Jane Doe,” “Janet Doe,” and “John Doe,” filed a class action lawsuit against Veradigm alleging improper disclosure of their PHI to Google via Google’s online marketing systems.  Id. at *1.  Plaintiffs contended that the disclosure would make them particularly vulnerable if their true names were revealed, as the publication of their names together with improperly released PHI would make them a “prime target” for identity theft, fraud and financial loss, stigma, and similar threats.  Id. at *2.

Plaintiffs’ initial motion to proceed under a pseudonym was denied without prejudice for failing to address recent Seventh Circuit precedent, Doe v. Loyola Univ. Chicago, 100 F.4th 910 (7th Cir. 2024), and Doe v. Blue Cross & Blue Shield United of Wis., 112 F.3d 869, 872 (7th Cir. 1997).  Id. at *1.  In Loyola, the expelled plaintiff sought to proceed anonymously where he was accused of engaging in non-consensual sexual activity with another student.  100 F.4th at 912.  In Blue Cross, the plaintiff requested anonymity out of fear that the litigation might result in the disclosure of his psychiatric records.  112 F.3d at 872.  The Seventh Circuit indicated that it was inappropriate to allow the plaintiffs to proceed under fictitious names.  See id.; Loyola, 100 F.4th at 914.

In their renewed motion in the case at hand, plaintiffs argued that Loyola and Blue Cross could be distinguished because, rather than concealing embarrassing information flowing from their own conduct, plaintiffs seek to prevent additional intrusions into their own private affairs.  Veradigm, 2025 U.S. Dist. LEXIS 207942 at *2.  Plaintiffs agreed to reveal their true identities to Veradigm pursuant to a protective order to allow Veradigm to investigate their claims.  Id. at *4-5.

The Court’s Opinion

The Court agreed that the sensitive information in Loyola and Blue Cross was “tangential” to the respective Title IX and ERISA claims, whereas in the case at bar “the injury litigated against is the same interest Plaintiffs seek to protect through pseudonyms: disclosure of Plaintiffs’ PHI.”  Id. at *4.  Furthermore, there could be no prejudice to Veradigm where the plaintiffs agreed to reveal their true identities under a protective order to allow Veradigm to investigate their claims.  Id. at *4-5.  Therefore, although the use of fictitious names is generally disfavored in federal court, the harm to plaintiffs in revealing their identities exceeded the likely harm from concealment, and the Court granted plaintiffs’ motion to proceed under a pseudonym.

An analogous decision from the U.S. District Court for the Northern District of California, In Re Meta Pixel Healthcare Litig., No. 22-CV-03580, 2025 U.S. Dist. LEXIS 45310 (N.D. Cal. Mar. 12, 2025), guided the opinion.  There, as in Veradigm, the court considered whether the plaintiffs should be permitted to proceed under pseudonyms where data privacy was at issue.  Id. at *12.  It held that they should, reasoning that requiring the plaintiffs to proceed publicly would “arguably cause a further and greater privacy intrusion” and disclosure may dissuade plaintiffs from bringing privacy cases.  Id.  The court in Veradigm adopted this reasoning when granting plaintiffs’ motion for permission to proceed under a pseudonym.  Veradigm, 2025 U.S. Dist. LEXIS 207942 at *4-5.

Implications for Companies

Veradigm illustrates that, where the privacy of an individual is at issue in a lawsuit, courts may be more inclined to permit plaintiffs to proceed anonymously to avoid intruding further on their privacy. 

Individuals who know that they may be able to avoid disclosing their identities during litigation may feel emboldened to pursue a data privacy lawsuit that they may not have otherwise. 

Therefore, companies should be aware of the risk of additional litigation as the result of plaintiffs being permitted to litigate under pseudonyms.

North Carolina Federal Court Dismisses Class Action Based On No Injury Stemming From Bojangles Data Breach

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Andrew P. Quay

Duane Morris Takeaways: On September 30, 2025, in Dougherty, et al. v. Bojangles’ Restaurants, Inc., No. 25-CV-00065, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sept. 30, 2025), Judge Kenneth D. Bell of the U.S. District Court for the Western District of North Carolina dismissed a class action alleging violations of numerous state torts and the North Carolina Unfair and Deceptive Trade Practices Act following an alleged cyberattack on Bojangles.  The Court held the former employees of the fast-food chain failed to plausibly allege a concrete injury, and therefore, lacked Article III standing.  The Court reasoned that Plaintiffs’ theory of an “ongoing threat of identity theft” without any actual harm was not enough to sustain a concrete injury. 

The decision illustrates that the mere possibility of future harm, without any actual harm, is not enough to plausibly allege an injury-in-fact for purposes of Article III standing.  Further, building on U.S. Supreme Court precedent, the decision highlights the requirements of traceability where plaintiffs cannot identify any harm connected to the transfer of personal information to a data breach defendant.

Case Background

Bojangles Restaurants, Inc. (“Bojangles”) was the alleged victim of a cyberattack in February 2024.  Id. at *5.  In November of that same year, Bojangles sent a notice to those who may have been impacted, stating “that certain files were viewed and downloaded by an unknown actor between February 19, 2024 and March 12, 2024.”  Id.

In January 2025, after receiving the notice from Bojangles, Alexis Dougherty and eight other former employees (“Plaintiffs”), filed a putative class action complaint against Bojangles.  Id. at *2.  Plaintiffs alleged that Bojangles gathers various types of sensitive information from its employees, including names, addresses, Social Security numbers, driver’s license information, etc., and that Bojangles failed to implement “reasonable cybersecurity safeguards or protocols.”  Id. at *4-5.  Notably, however, Plaintiffs did not identify any sensitive information they provided to Bojangles, except for some Plaintiffs who alleged they provided their Social Security number or that Bojangles’ notice identified their Social Security number.  Id. at *6.

Plaintiffs asserted two different theories of injury.  Eight of the nine Plaintiffs did not allege any identity theft or data misuse; rather, they claimed injury based on “the threat of harm” from a potential sale of their information on the Dark Web, an uptick in spam calls, “diminution in value” of their personal information, time spent mitigating the potential impacts of the cyberattack, and emotional distress.  Id.  The remaining plaintiff alleged fraudulent charges on his debit card but did not allege that he provided the card number to Bojangles as part of his employment.  Id. at *6.

Bojangles moved to dismiss for lack of subject-matter jurisdiction and for failure to state a claim upon which relief can be granted.  Bojangles argued that eight of the Plaintiffs failed to allege a concrete injury without an actual misuse of their personal information, and that the remaining plaintiff’s alleged debit card fraud is not fairly traceable to the data breach.

The Court’s Opinion

In a 10-page opinion, Judge Kenneth D. Bell granted Bojangles’ motion to dismiss for lack of subject-matter jurisdiction without reaching the merits of Plaintiffs’ claims.

The Court held that Plaintiffs failed to plausibly allege Article III standing.  Judge Bell explained that Plaintiffs’ allegations “only describ[e] the possibility of future harm that is inherent in every data security incident, but cannot support the Article III standing necessary to pursue a federal lawsuit.”  Id. at *7.  There was no dispute that Plaintiffs’ personal information may have been impacted by the data breach, but the potential threat of resulting damages failed to plausibly allege a concrete injury that is fairly traceable to the data breach.  Id. at *6-7. 

The U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), governed the opinion.  There, the named plaintiff on behalf of a putative class alleged that TransUnion, a credit reporting agency, violated the Fair Credit Reporting Act by failing to use reasonable procedures before placing a misleading alert in his credit file that labeled him as a potential terrorist, among other comparable threats.  Id. at 419-21.  The Supreme Court held that only class members whose credit reports had been provided to third-party businesses had suffered a concrete injury, and that the mere existence of misleading alerts in one’s own credit file did not cause such an injury.  Id. at 417, 435.

Applying TransUnion to the facts at hand, Judge Bell reasoned that “Plaintiffs’ allegations of harm as a consequence of the Data Breach fall squarely in the ‘might be a problem’ rather than the ‘is already a problem’ category.”  Dougherty, 2025 U.S. Dist. LEXIS 194879, at *12.  Therefore, Plaintiffs’ theory of an ongoing threat of identity theft or other data misuse failed to plausibly allege any actual harm, such as an attempt to open credit card accounts or otherwise steal information.  Id. at *12-13.  Further, most of the Plaintiffs did not identify any personal information that they personally provided to Bojangles, defeating any traceability argument.  Judge Bell similarly dismissed Plaintiffs’ varied attempts to establish standing based on an uptick in spam calls, diminution in value of personal information, time spent mitigating the “potential impact” of the data breach, and emotional distress.  Id. at 13-14.  None of these harms constitute a concrete injury.

Judge Bell also dismissed the claims of the one Plaintiff who allegedly noticed fraudulent charges on his debit card, because he did not allege those charges were fairly traceable to the breach.  Because the Plaintiff did not allege that he provided his debit card number to Bojangles as part of his employment, there was no way to connect those charges to the alleged breach.  Thus, although those charges may constitute an injury-in-fact, they were insufficient on traceability grounds.

Implications For Companies

Dougherty illustrates the pleading requirements established in TransUnion, and the powerful tool that they can be in dismantling a nationwide data breach class action. 

What’s more, the court in Dougherty seemed to take for granted that every class member must suffer an actual injury for each of their claims, even at the pleading stage in the litigation.  Id. at *9 (“Therefore, following TransUnion, it is clear that to recover damages from Defendant, every class member must have Article III standing for each claim that they press requiring proof that the challenged conduct caused each of them a concrete harm”) (quotations omitted).  This signal may be a favorable sign that Judge Bell agrees with the “sleeping lion” noted by Justice Kavanaugh in Lab. Corp. of Am. Holdings v. Davis, 605 U.S. 327 (2025) – i.e., whether “a federal court may . . . certify a damages class that includes both injured and uninjured members.”  Id. at 328 (Kavanaugh, J., dissenting).  For now, however, the Court left that issue until another day.

Nonetheless, if corporate counsel’s organizations are facing a class action seeking damages stemming from an alleged data breach, corporate counsel should consider their ability to attack Article III standing on all fronts, not only as to the named plaintiffs, but also as to the class.  If successful, other organizations may be able to make an early exit from a data breach class action on the theory that plaintiffs cannot plausibly allege an actual injury from the future possibility of their data misuse, much like the defendant in Dougherty.

Illinois Federal Court Dismisses Data Breach Class Action Lawsuit For Lack Of Subject-Matter Jurisdiction

By Gerald L. Maatman, Jr., Christian Palacios, and Brett Bohan

Duane Morris Takeaways: On August 20, 2025, in Phelps v. Ill. Bone & Joint Inst., LLC, No. 24-CV-08555, 2025 WL 2410341 (N.D. Ill. Aug. 20, 2025), Judge Martha Pacold of the U.S. District Court for the Northern District of Illinois granted Defendant Illinois Bone & Joint Institute, LLC’s motion to dismiss for lack of subject matter jurisdiction. The Court held Plaintiff failed to adequately plead Defendant’s citizenship, given its status as a limited liability company; therefore, the Court could not determine whether complete diversity existed between the parties. This ruling illustrates the differences between the general diversity statute under 28 U.S.C. § 1332(a), and the more lenient “minimal diversity” requirement under the Class Action Fairness Act, as well as the consequences of failing to sufficiently plead a limited liability company’s citizenship.

Case Background

On August 30, 2024, Defendant Illinois Bone & Joint Institute, LLC (“Defendant”) sent a data breach notification letter to its patients, including Plaintiff Alexandra Phelps (“Plaintiff”). Id. at *1. Plaintiff, individually and on behalf of a putative class, filed a lawsuit shortly after receiving the letter alleging negligence, negligence per se, breach of implied contract, and violation of the Illinois Personal Information Protection Act. Id.  

Defendant moved to dismiss the complaint pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure for lack of subject matter jurisdiction. Id. In the motion, Defendant raised two arguments, including: (i) that Plaintiff lacked Article III standing, and (ii) that Plaintiff could not establish diversity jurisdiction under the Class Action Fairness Act (“CAFA”). Id. Although Plaintiff had invoked jurisdiction under the CAFA in her Complaint, she did not respond to Defendant’s CAFA arguments. Id. at 2. Instead, Plaintiff argued that she could “invoke jurisdiction under the general diversity statute, 28 U.S.C. § 1332(a).” Id.

The Court’s Order

The Court determined that the Complaint failed to allege sufficient facts to support diversity jurisdiction.

First, the Court reasoned that Plaintiff’s decision not to respond to Defendant’s CAFA arguments amounted to a concession that Plaintiff could not meet the standards for subject-matter jurisdiction under the statute. Id. However, although Plaintiff had not invoked general diversity jurisdiction in her Complaint, the Court permitted her to raise these arguments because “a complaint’s imperfect statement of the legal theory supporting jurisdiction does not itself defeat jurisdiction.” Id.

Second, the Court observed that, to satisfy general diversity jurisdiction, Plaintiff must be able to show that Plaintiff is a citizen of a different state than Defendant and “the amount in controversy exceeds $75,000, exclusive of interest and costs.” Id. Under the CAFA, an LLC, like Defendant, is “a citizen of the State where it has its principal place of business and the State under whose laws it is organized.” Id. Under the general diversity statute, on the other hand, an LLC is a citizen “of every state of which any member is a citizen.” Id. The Court concluded that the Complaint did not include any allegations of Defendant’s “member’s identity or citizenship.” Id. As such, the Court could not determine whether “any member is a citizen of the same state as Phelps.” Id. Because the Complaint did not allege facts sufficient for the Court to conclude that “complete diversity between the parties” existed, the Court dismissed the case without prejudice. Id.

In sum, the Court concluded that, to establish diversity jurisdiction, a Complaint must adequately allege the citizenship of all parties. Id.  Plaintiff’s failure to plead the citizenship of all Defendant’s members was, therefore, fatal to her claims. Id. at 3.

Implications For Employers

The Court’s ruling in Phelps serves as a reminder of the distinctions between the CAFA’s minimal diversity jurisdiction requirement and general diversity jurisdiction. While Plaintiff’s Complaint may have included sufficient facts to establish Defendant’s citizenship under the CAFA, the Complaint could not support the more demanding “complete” diversity jurisdiction requirement under 28 U.S.C. § 1332(a).

This case highlights an important procedural defense available to employers, particularly if the named corporate entity in the litigation is a limited liability company (rather than a traditional corporation, whose citizenship is tied to its state of incorporation and principal place of business). Employers should take note of a plaintiff’s burden to sufficiently establish federal subject matter jurisdiction at the outset of the litigation, and the accompanying procedural defenses they might avail themselves of when a plaintiff fails to sufficiently plead the jurisdictional prerequisite.

North Carolina Federal Court Dismisses Data Breach Class Action In Finding Bare Assertions Are Insufficient To Confer Standing

By Gerald L. Maatman, Jr., George J. Schaller, and Bernadette M. Coyle

Duane Morris Takeaways:

On June 30, 2025, in Panighetti, et al. v. Intelligent Business Solutions, Inc., No. 1:23-CV-209, 2025 U.S. Dist. LEXIS 123406 (M.D.N.C. June 30, 2025), Judge Loretta C. Biggs of the U.S. District Court for the Middle District of North Carolina granted Intelligent Business Solutions’ (“IBS”) motion to dismiss a data breach class action and found that Plaintiff did not have standing under Article III because he failed to plead a concrete injury. Plaintiff alleged on behalf of himself, and over 11,000 other individuals, that IBS invaded his privacy and negligently failed to protect his personal information following a data breach in 2022.

The decision in Panighetti shows a growing trend among federal courts finding claims based on future and/or speculative harm in data breach class actions are insufficient – without any concrete instance of personal information being stolen or misused – to establish Article III standing.

Case Background

IBS, a health information company, collects and maintains personal identifiable information and protected health information for healthcare entities.  Plaintiff, a hospital patient that IBS provided services for, alleged that his personal information was part of a 2022 data breach.  Id. at 1.  Plaintiff further alleged the data breach exposed the names, Social Security numbers, medical treatment information, and health insurance information of an estimated 11,595 individuals.  Id. at 2.

After IBS became aware of the data breach, it notified impacted individuals.  Plaintiff maintained that by issuing this notification, IBS “created a present, continuing, and significant risk of suffering identity theft.”  Id.  On March 7, 2023, Plaintiff filed suit against IBS, alleging seven causes of action including negligence, invasion of privacy, unjust enrichment, and violation of the North Carolina Unfair Trade Practices Act.  Id.

IBS moved to dismiss and asserted Plaintiff lacked Article III standing to bring his claims.  IBS argued Plaintiff was “not able to plead facts that show there was actual misuse of data that resulted in identity theft, fraud, or another concrete injury-in-fact.” Id. at 4.  Plaintiff countered that he had standing to sue “because the data breach harmed him, will harm him again, and requires him to expend resources mitigating that harm” and that these harms “confer standing” based on Fourth Circuit precedent.  Id.

The Court’s Order

The Court granted IBS’s motion to dismiss.  The Court held Plaintiff failed to establish standing.  The Court reasoned that to proceed with a lawsuit, Article III requires a plaintiff to “demonstrate (1) an injury in fact; (2) causation; and (3) redressability.”  Id. at 5 (citing David v. Alphin, 704 F.3d 327, 333 (4th Cir. 2013)). 

On the first element, the Court explained that Plaintiff must show he “suffered an invasion of a legally protected interest which is concrete, particularized, and actual or imminent.”  Id.  Plaintiff argued that he was injured because the breach: “(1) exposed his medical records, thus invading his privacy; (2) exposed information criminals can use to commit fraud and steal his identity; (3) required him to spend resources to mitigate the risk; and (4) caused him to suffer from anxiety, sleep disruption, stress, fear, and frustration.”  Id.  Relying on Fourth Circuit precedent, the Court rejected Plaintiff’s argument that the data breach injured him, because nowhere in the pleadings did Plaintiff claim that he was a victim of identity theft or fraud, allege that the risk of future theft was “certainly impending,” or provide instances of his personal information being exploited.  Further, spending resources to mitigate the increased risk caused by the breach, where there was no misuse of data, was too speculative to confer standing.

Turning to Plaintiff’s claims of emotional harm, the Court opined that although the Supreme Court took no position on whether emotional harm confers standing in TransUnion v. Ramirez, Fourth Circuit precedent, in Beck, rejected a plaintiff’s claims that “emotional upset” and “fear of future identity theft and financial fraud” were sufficient to confer standing.  Id. at 8 (quoting Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)).  Accordingly, the Court dismissed Plaintiff’s claims of emotional harm as “bare assertions of possible or potential harm.”  Id.

Implications For Companies

Standing remains an effective defense for companies to challenge putative class actions at the responsive pleading stage, especially where, as here, Plaintiff failed to assert facts demonstrating harm stemming from a data breach.

Panighetti shows that data breach plaintiffs cannot rely on speculative injuries based on future harm to satisfy Article III standing requirements.  However, companies asserting an Article III standing defense must consider the possibility of a class action plaintiff refiling in state court when determining whether to challenge standing in federal court. 

Data Security and Privacy Liability – Takeaways From The Sedona Conference Working Group 11 Annual Meeting in Redmond, WA

By Justin R. Donoho

Duane Morris Takeaways: Data privacy and data breach class action litigation continue to explode.  At the Sedona Conference Working Group 11 on Data Security and Privacy Liability, at Microsoft’s campus in Redmond, Washington, on May 7, 2025, Justin Donoho of the Duane Morris Class Action Defense Group served as a dialogue leader for two panel discussions, “Individual Liability for Data Security Failures” and “Privacy and Data Security Litigation Update.”  The working group meeting, which spanned two days and had over 50 participants, produced excellent dialogues on these topics and others including AI statutory guidance, shifting U.S. federal regulatory priorities in the privacy and data security landscape, privacy and data security state regulator roundtable, emerging issues and trends in the cyber threat landscape, and law firm data security.

The Conference’s robust agenda featured over 30 dialogue leaders from a wide array of backgrounds, including government officials, data security industry experts, a district court judge, in-house attorneys, cyber and data privacy law professors, plaintiffs’ attorneys, and defense attorneys.  In a masterful way, the agenda provided valuable insights for participants toward this working group’s mission, which is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.

Justin had the privilege of speaking about current trends in cases seeking individual liability for data security failures and in data privacy class actions.  A few of the highlights from his presentations included discussing the SEC’s case brought against SolarWinds’ CISO Michael Brown, which has CISOs worldwide on the edges of their seats (discussed in Justin’s article here), and two recent cases resulting in helpful precedent for defendants facing cases alleging privacy violations for their uses of website advertising technologies (adtech), including a case that disposed of an adtech class action due to consent by browsewrap (see here), and a case that dismissed an adtech class action due to ambiguities found in a wiretap statute (see here).

Finally, one of the greatest joys of participating in Sedona Conference meetings is the opportunity to draw on the wisdom of fellow presenters and other participants from around the globe.  Highlights included:

  1. A lively dialogue among some of my panelists and other participants regarding trends in decisions regarding Article III standing and the costs and benefits defendants should consider when deciding whether to seek dismissal due to plaintiffs’ lack of Article III standing.
  2. State regulators giving candid advice regarding what and what not to do following data breaches in terms of notifying their offices, participating in investigations, and attempting to negotiate settlements. 
  3. Experts of all stripes dissecting the Colorado Privacy Act, Colorado AI Act, and those statutes’ application to AI hiring tools in an effort to offer guidance to future legislators drafting similar statutes.
  4. Seasoned defense attorneys discussing how federal agencies responsible for rules regarding privacy and data security have responded to the new presidential administration’s “Regulatory Freeze Pending Review” memorandum, the personnel changes, actions, and reviews taken during the first months of the new administration, and the implications for regulated organizations.
  5. Cyber and cyber insurance experts leading a dialogue about emerging risks, regulatory challenges, liability concerns, and underwriting processes relating to cybersecurity.
  6. Law firm consultants addressing current issues with AI that law firms should consider when crafting their cybersecurity assessments, policies, and procedures.

Thank you to the Sedona Conference Working Group 11 and its incredible team, the fellow dialogue leaders, the engaging participants, and all others who helped make this meeting in Redmond, Washington, an informative and unforgettable experience.


Data Privacy Class Action Alleges Insurers Improperly Collected The Data Of 40 Million Users Through Third-Party Applications

By Gerald L. Maatman, Jr., Justin Donoho, George J. Schaller, Ryan T. Garippo

Duane Morris Takeaways: In Mahoney, et al. v. The Allstate Corp, et al., 25-CV-01465 (N.D. Ill. Feb. 11, 2025), Plaintiffs Michael Mahoney and Scott Schultz (collectively, “Plaintiffs”) filed a putative class action lawsuit asserting Allstate, and its subsidiary Arity, illegally obtained personal driving data of 40 million policyholders through third-party mobile application software.  The case is pending in the U.S. District Court for the Northern District of Illinois before Judge Steven C. Seeger.  This is the third lawsuit in a series of lawsuits alleging class-wide allegations based on Allstate’s alleged data collection practices.  See Sims et al. v. The Allstate Corp. et al., 1:25-CV-00407 (N.D. Ill. Jan. 14, 2025) (alleging data collection through third party application Sirius XM); see also Arellano et al. v. The Allstate Corp. et al., 1:25-CV-01256 (N.D. Ill. Feb. 5, 2025) (alleging data collection through third party applications Life360, GasBuddy, and Fuel Rewards).

Mahoney, Sims, and Arellano represent a triumvirate of data privacy class actions centered on allegations of improper data collection through third-party applications.  Companies will be well-served to monitor these cases for their novel assertions in trending data privacy litigation.

Complaint Allegations

Michael Mahoney resides in San Francisco, California, and he downloaded the GasBuddy application in 2011 to “find competitive gas prices.”  Mahoney, 25-CV-01465, ECF No. 1 § III ¶ 14 (N.D. Ill. Feb. 11, 2025).  Scott Schultz resides in Highland Park, Illinois, and he downloaded the GasBuddy application in 2021 and used it “in his own and other people’s vehicles to find competitive gas prices.”  Id. § III ¶ 15.

Plaintiffs collectively allege that Allstate and its subsidiary Arity (collectively, “Defendants”) “conspired to collect drivers’ geolocation data and movement data from mobile devices, in-car devices, and vehicles.”  Id. § IV ¶ 7.  Plaintiffs allege Defendants designed a software development kit that could be integrated into third-party mobile applications such as “Routely, Life360, GasBuddy, and Fuel Rewards.”  Id. § IV ¶ 8.  Plaintiffs further allege Defendants advertised that they “collect data ‘every 15 seconds or less’ from 40 million ‘active mobile connections’ and ‘derive[] unique insights that help insurers, developers, marketers, and communities understand and predict driving behavior at scale.’”  Id. § IV ¶ 24.

Plaintiffs contend Defendants’ software development kit was “designed to and does collect data” including “Geolocation data and ‘GPS Points,’” “cellphone accelerometer, magnetometer, and gyroscopic data,” “Trip attributes” data (including start and end locations, trip distances, trip duration), “Derived events” data (including acceleration, speeding, distracted driving, crash detection), and “Metadata.”  Id. § IV ¶ 11 (A) – (E).  Plaintiffs further assert that when using these third-party applications “Defendants could collect real-time data on their locations and movements and surreptitiously collect highly sensitive and valuable data directly from Plaintiffs’ mobile phones.”  Id. § IV ¶ 16.

It is also important to note that Plaintiffs maintain that Defendants used their personal data to “develop, advertise, and sell several products and services to third parties, including insurance companies . . .” and used the purchased consumer data for “[Defendants’] own underwriting purposes.”  Id. § IV ¶ 23.  Plaintiffs assert that Defendants’ real purpose in using this data is for their “own financial and commercial benefit” and to obtain “substantial profit.”  Id. § V ¶ 49.  They ultimately assert via their nine-count Complaint that this technology amounts to a wiretapping of their personal information, which entitles them, inter alia, to a sum of “$100 per day per violation or $10,000” per class member, whichever is greater.  Id. § V ¶ 51.

Implications For Companies

Although such data collection lawsuits are no longer a new phenomenon, their scope has become far more aggressive as the plaintiffs’ bar continues to look for ways to monetize lawsuits against corporations using such technologies.

Take for example the dilemma presented by Mahoney.  In that case, it is likely that Defendants will have strong defenses to this action.  For example, Plaintiffs admit that Defendants’ purpose in using this technology was to earn “substantial profit.”  Id. § V ¶ 49.  Based on similar allegations, many courts have found that these purposes are insufficient for a plaintiff to avail itself of such wiretapping statutes.  See, e.g., Katz-Lacabe v. Oracle Am., Inc., 668 F. Supp. 3d 928, 945 (N.D. Cal. 2023) (dismissing wiretap claim because defendant’s “purpose has plainly not been to perpetuate torts on millions of Internet users, but to make money.”).

There are, however, enough court rulings that come out in the opposite direction to give a corporate defendant pause.  See, e.g., R.S. v. Prime Healthcare Services, Inc., No. 24-CV-00330, 2025 WL 103488, at *6-7 (C.D. Cal. Jan. 13, 2025) (recognizing the split and siding with the plaintiffs).  And, if Plaintiffs are correct that there are 40 million individuals in the class, and that each class member is entitled to $10,000 at a minimum, then this lawsuit alleges at least $400 billion in liability.  Even if there is a 1% chance of success on these claims, it would suggest that the completely unrealistic figure of $4 billion is on the table.

Corporations in these types of class actions are faced with the difficult choice of settling the claims for an astronomical figure based on the use of technologies which are ubiquitous in nature (like software development kits for mobile applications) or defending a $400 billion lawsuit based on defenses in an area of the law which is not fully developed.  It will be interesting to see how the Mahoney defendants balance these concerns as the case progresses, because many twists and turns lie ahead.

In the meantime, corporate counsel should take the opportunity to evaluate their companies’ data collection and privacy policies to make sure their companies are not easy targets.  If the allegations in Mahoney are any example, the mere threat of one of these lawsuits should be enough to keep corporate counsel up at night.  And, if their companies are ultimately sued in one of these lawsuits, they should ensure that an experienced defense team has its hands on the steering wheel. 

Tennessee Federal Court Rejects Certification Of Breach Of Contract Class Action

By Gerald L. Maatman, Jr., Justin R. Donoho, and George Schaller

Duane Morris Takeaways:  On February 10, 2025, Judge Aleta A. Trauger of the U.S. District Court for the Middle District of Tennessee denied class certification in a case involving breach of contract and a disputed element of mutual assent a/k/a meeting of the minds, in Hall v. Warner Music Group Corp., No. 22-CV-0047 (M.D. Tenn. Feb. 10, 2025).  The ruling is significant as it shows that plaintiffs who file class action complaints alleging breach of contract cannot satisfy Rule 23’s commonality requirement where the issue of whether the parties agreed to a material term of contract requires individualized inquiry into the parties’ minds and whether they met. 

Background

This case involving lack of mutual assent is one of the many since the famous case of Raffles v. Wichelhaus, 159 Eng. Rep. 375 (1864), in which the defendant agreed to purchase cotton arriving on a ship named “Peerless” that would arrive while cotton prices were low, whereas the plaintiff seller had in mind a different ship by the same name arriving while cotton prices were high.  (And where the English High Court found no binding contract.)

In Hall, the plaintiffs, two musical artists, sued for breach of implied contract against a record label.  The parties had entered into a written recording agreement providing for the payment of 8% royalties at a time before the invention of digital streaming and not expressly covering distribution through digital streaming.  Hall, slip op. at 2.  In 2005, when the label started streaming plaintiffs’ music digitally both domestically and internationally, it began to pay the plaintiffs at the higher rate appearing on their royalty statements of 50%.  Id. at 3, 14.  For foreign digital streaming, the 50% rate was applied after the deduction of a payment to the foreign distributor.  Id. at 12-13.  It was common in the industry and a consistent course of dealing of the defendant to apply royalty rates to digital streaming revenues received only after payment to the foreign distributor.  Id.  The plaintiffs accepted these digital streaming royalty payments for years without viewing the royalty statements or “attempting to identify the revenue base against which a royalty rate for foreign streaming was applied . . . until [one of the plaintiff’s] first discussion with one of his attorneys in this case.”  Id. at 15. 

The plaintiffs moved for class certification under Rule 23.  The plaintiffs maintained that they met the commonality requirement because they and other artists with legacy contracts received royalty payments for foreign streaming sales with statements indicating an unqualified 50% royalty.  Id. at 10-11.  In contrast, the record label maintained that a claim for breach of implied contract requires the plaintiffs to prove that a valid and enforceable contract was formed between the label and “each class member, which will require an individualized inquiry into the knowledge, understanding, and intent of the artists, including whether the artist even looked at the royalty statements, whether the artists construed them to offer an implied amendment, what exactly the artist believed those implied terms to be, whether the artist had a good-faith belief about a possible rescission claim, whether the artist would have rescinded unless paid at the source, whether the artist intended to forbear, and when (if ever) these events occurred.”  Id. at 11 (emphasis in original).  In other words, according to the record label, the common question, “was an implied contract formed?” could not be answered by a simple yes or no without such an individualized inquiry.  Id.

The Court’s Decision

The Court agreed with defendants and held that plaintiffs did not carry their burden of showing commonality.

Central to the Court’s holding was the “problematic question of mutual assent.”  Id. at 18.  As the Court explained, “even if the court presumes that other putative class members’ royalty statements look like the plaintiffs’ and that there are common questions regarding the defendants’ conduct that may yield common answers (i.e., that the royalty statements do not expressly reflect that the royalties are calculated based [after paying the foreign distributor]), it is clear that the threshold question of whether an implied contract between [the label] and each putative class member was formed does not yield a common answer but, instead, will depend entirely on the particularized circumstances of each artist whose contract, like the plaintiffs’, does not expressly provide for royalties on foreign digital streaming.”  Id.

In short, the Court reasoned that “the named plaintiffs’ particularized circumstances show that they simply never thought about whether an implied contract had been formed or its terms until approached by lawyers.  Other artists may have paid closer attention to their business arrangements.”  Id.

In conclusion, the Court noted that, “to the extent there are questions of fact or law common to the plaintiffs and all putative class members, the relative importance of these common questions pales in comparison to the importance of those that do not yield a common answer — primarily the question of whether implied contracts were formed at all.”  Id. at 23.

Implications For Companies

The Hall decision is a win for defendants of breach of contract class actions involving the issue of whether the parties had a meeting of the minds on a material term of contract.  In such cases, the Hall decision can be cited as useful precedent for showing that the commonality requirement is not met because individualized inquiries predominate when it comes to analyzing evidence regarding a meeting of the minds.

The Court’s reasoning in Hall applies not only in cases involving: (1) commercial form contracts, like in Hall, but also (2) alleged employment contracts, see Cutler v. Wal-Mart Stores, Inc., 927 A.2d 1 (Md. Ct. App. 2007) (affirming denial of motion for class certification, stating, “Any determination concerning a ‘meeting of the minds’ necessarily requires an individual inquiry into what each class member, as well as the [employer’s] employee who allegedly made the offer, said and did”); In re Wal-Mart Wage & Hour Emp. Pracs. Litig., 2008 WL 3179315, at *19 (D. Nev. June 20, 2008) (denying motion for class certification, stating, “Plaintiffs’ breach of contract claims would involve particularized inquiry into contract formation, including such issues as meeting of the minds”); (3) form real estate contracts, see Haines v. Fid. Nat’l Title of Fla., Inc., 2022 WL 1095961, at *17 (M.D. Fla. Feb. 17, 2022) (denying motion for class certification, stating, “If a buyer and seller interpreted [the agreement] the way [seller] interprets the provision, their meeting of the minds would have a significant impact upon any potential liability for [seller]. In that regard, the buyer’s and seller’s state of mind for each transaction are relevant . . . individualized discovery and factfinding regarding each buyer’s and seller’s intent and understanding would be required”); and (4) alleged contracts regarding the use of AI, see Lokken v. UnitedHealth Group, Inc., 2025 WL 491148, at *8 (D. Minn. Feb. 13, 2025) (finding insureds’ claim against health insurer for breach of contract regarding insurer’s use of AI-based automated decision making technologies not preempted by the Medicare Act and therefore allowed to proceed to discovery, raising the question of whether parties’ minds met via the insurer’s explicit descriptions of its “claim decisions as being made by ‘clinical services staff’ and ‘physicians,’ without mention of any artificial intelligence”).

Illinois Supreme Court Affirms Dismissal Of Data Breach Class Action For Lack Of Standing

By Gerald L. Maatman, Jr., Justin Donoho, and George J. Schaller

Duane Morris Takeaways: On January 24, 2025, in Petta v. Christie Bus. Holdings Co., P.C., 2025 IL 130337, the Illinois Supreme Court ruled that a plaintiff lacked standing under Illinois law to bring her class action complaint alleging that her social security number and insurance information may have been accessed in connection with a data incident where a medical provider discovered unauthorized access to one of its business email accounts.  The ruling is significant because it shows that data breach claims cannot be brought in Illinois court without specifying actual injury that is fairly traceable to the breach.

Case Background

This case is one of the thousands of data breach class actions filed in the last three years.  In Petta, Plaintiff brought suit against a medical provider.  According to Plaintiff, she received a letter from the provider titled “Notice of Data Incident” explaining that an unknown third party gained unauthorized access to one of its business email accounts for about a month, in an attempt to intercept a business transaction between the provider and a third-party vendor.  Id. ¶¶ 1, 6.  The letter also stated that “the impacted account MAY have contained certain information related” to Plaintiff’s social security number and medical insurance information but “[t]he unauthorized actor did not have access to [the provider’s] electronic medical record” and there was no “evidence of identity theft or misuse of [Plaintiff’s] personal information.”  Id. ¶ 6 (emphasis in letter).  The letter concluded by offering Plaintiff 12 months of credit monitoring and identity protection services at no cost if she wished to enroll.  Id., ¶ 7.

Plaintiff also alleged her “phone number, city, and state [were] used in connection with a loan application … in someone else’s name” and she received multiple calls regarding “loan applications she did not initiate.”  Id., ¶ 9.   

Based on these allegations, Plaintiff alleged claims for negligence and violation of Illinois’ Personal Information Protection Act. 

The trial court dismissed the complaint for lack of a viable legal theory and a bar by the economic loss doctrine.  The Illinois Appellate Court affirmed, but on the basis that the Plaintiff lacked standing to bring the action on behalf of herself and the putative class. 

Plaintiff thereafter appealed to the Illinois Supreme Court. 

The Illinois Supreme Court’s Opinion

The Illinois Supreme Court ruled that Plaintiff lacked standing and affirmed the dismissal of her complaint on that basis.  Id., ¶ 25.

In Illinois, standing requires an injury in fact. As a result, the Illinois Supreme Court reasoned that a plaintiff alleging only “a ‘purely speculative’ future injury” and “no ‘immediate danger of sustaining a direct injury’ lacks sufficient interest to have standing.”  Id. ¶ 18 (quoting Chi. Teachers Union, Local 1 v. Bd. of Ed. of Chi., 189 Ill. 2d 200, 206-07 (2000)).

The Illinois Supreme Court affirmed Plaintiff’s lack of standing, reasoning that she, and the putative class, faced “only an increased risk that their private personal data was accessed by an unauthorized third party” and that “an increased risk of harm is insufficient to confer standing” in a complaint seeking money damages.  Id., ¶ 21.  The Illinois Supreme Court opined nothing “in the letter suggest[ed] that it is likely the third party did, in fact, take the [private personal] data” and the provider’s investigation revealed that the unauthorized third party was “attempting to intercept a financial transaction, not steal patients’ private personal information.”  Id., ¶ 20.

The Illinois Supreme Court also noted that Plaintiff’s unauthorized loan application related solely to Plaintiff and her complaint did not present any allegations that putative class members had a similar experience regarding a loan application.  Id., ¶ 23.  However, the Illinois Supreme Court declined to answer the question of whether standing must be shown at the outset for the entire putative class and instead focused “solely on [Plaintiff] individually,” finding that “Plaintiff’s allegation regarding the loan application is insufficient to confer standing.”  Id. 

In short, the Illinois Supreme Court concluded that the unsuccessful loan application allegations were not “fairly traceable” to any of the provider’s alleged misconduct and instead were “purely speculative” given there was “no apparent connection between the purported fraudulent loan attempt and the data breach at issue” as the phone number and city information used in the loan application was “readily available” to the public.  Id., ¶ 25 (citing 2023 IL App (5th) 220742, ¶ 23).  Therefore, Plaintiff lacked standing to bring her claims.

Implications For Companies

The Illinois Supreme Court’s decision in Petta is a win for companies that suffered a data breach only possibly affecting customers, informed the customers of the breach, and offered to pay for their credit monitoring.  Petta shows that to confer standing under Illinois law, more is required.  Specifically, data breach plaintiffs need to identify actual injury fairly traceable to the breach.
