{"id":2470,"date":"2025-10-02T21:01:57","date_gmt":"2025-10-03T01:01:57","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/classactiondefense\/?p=2470"},"modified":"2025-10-02T21:01:58","modified_gmt":"2025-10-03T01:01:58","slug":"north-carolina-federal-dismisses-class-action-based-on-no-injury-stemming-from-bojangles-data-breach","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/classactiondefense\/2025\/10\/02\/north-carolina-federal-dismisses-class-action-based-on-no-injury-stemming-from-bojangles-data-breach\/","title":{"rendered":"North Carolina Federal Dismisses Class Action Based On No Injury Stemming From Bojangles Data Breach"},"content":{"rendered":"
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Andrew P. Quay<\/p>\n\n\n\n

Duane Morris Takeaways:<\/em> <\/strong>On September 30, 2025, in Dougherty, et al. v. Bojangles\u2019 Restaurants, Inc., No. 25-CV-00065, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sept. 30, 2025), Judge Kenneth D. Bell of the U.S. District Court for the Western District of North Carolina dismissed <\/a>a class action alleging violations of numerous state torts and the North Carolina Unfair and Deceptive Trade Practices Act following an alleged cyberattack on Bojangles.\u00a0 The Court held the former employees of the fast-food chain<\/em> failed to plausibly allege a concrete injury, and therefore, lacked Article III standing.\u00a0 The Court reasoned that Plaintiffs\u2019 theory of an \u201congoing threat of identity theft\u201d without any actual harm was not enough to sustain a concrete injury.\u00a0<\/em><\/p>\n\n\n\n

The decision illustrates that the mere possibility of future harm, without any actual harm, is not enough to plausibly allege an injury-in-fact for purposes of Article III standing.  Further, building on U.S. Supreme Court precedent, the decision highlights the requirements of traceability where plaintiffs cannot identify any harm connected to the transfer of personal information to a data breach defendant.<\/em><\/p>\n\n\n\n

Case Background<\/strong><\/p>\n\n\n\n

Bojangles Restaurants, Inc. (\u201cBojangles\u201d) was the alleged victim of a cyberattack in February 2024.  Id.<\/em> at *5.  In November of that same year, Bojangles sent a notice to those who may have been impacted, stating \u201cthat certain files were viewed and downloaded by an unknown actor between February 19, 2024 and March 12, 2024.\u201d  Id.<\/em><\/p>\n\n\n\n

In January 2025, after receiving the notice from Bojangles, Alexis Dougherty and eight other former employees (\u201cPlaintiffs\u201d), filed a putative class action complaint against Bojangles.  Id.<\/em> at *2.  Plaintiffs alleged that Bojangles gathers various types of sensitive information from its employees, including names, addresses, Social Security numbers, driver\u2019s license information, etc., and that Bojangles failed to implement \u201creasonable cybersecurity safeguards or protocols.\u201d  Id. at *4-5.<\/em>  Notably, however, Plaintiffs did not identify any sensitive information they<\/em> provided to Bojangles, except for some Plaintiffs who alleged they provided their Social Security number or that Bojangles\u2019 notice identified their Social Security number.  Id.<\/em> at *6.<\/p>\n\n\n\n

Plaintiffs asserted two different theories of injury.  Eight of the nine Plaintiffs did not allege any identity theft or data misuse; rather, they claimed injury based on \u201cthe threat of harm\u201d from a potential sale of their information on the Dark Web, an uptick in spam calls, \u201cdiminution in value\u201d of their personal information, time spent mitigating the potential impacts of the cyberattack, and emotional distress.  Id.<\/em>  The remaining plaintiff alleged fraudulent charges on his debit card but did not allege that he provided the card number to Bojangles as part of his employment.  Id.<\/em> at *6.<\/p>\n\n\n\n

Bojangles moved to dismiss for lack of subject-matter jurisdiction and for failure to state a claim upon which relief can be granted.  Bojangles argued that eight of the Plaintiffs failed to allege a concrete injury without an actual misuse of their personal information, and that the remaining plaintiff\u2019s alleged debit card fraud is not fairly traceable to the data breach.<\/p>\n\n\n\n

The Court\u2019s Opinion<\/strong><\/p>\n\n\n\n

In a 10-page opinion, Judge Kenneth D. Bell granted Bojangles\u2019 motion to dismiss for lack of subject-matter jurisdiction without reaching the merits of Plaintiffs\u2019 claims.<\/p>\n\n\n\n

The Court held that Plaintiffs failed to plausibly allege Article III standing.  Judge Bell explained that Plaintiffs\u2019 allegations \u201conly describ[e] the possibility of future harm that is inherent in every data security incident, but cannot support the Article III standing necessary to pursue a federal lawsuit.\u201d  Id.<\/em> at *7.  There was no dispute that Plaintiffs\u2019 personal information may<\/em> have been impacted by the data breach, but the potential threat of resulting damages failed to plausibly allege a concrete injury that is fairly traceable to the data breach.  Id.<\/em> at *6-7. <\/p>\n\n\n\n

The U.S. Supreme Court\u2019s decision in TransUnion LLC v. Ramirez<\/em>, 594 U.S. 413 (2021), governed the opinion.  There, the named plaintiff on behalf of a putative class alleged that TransUnion, a credit reporting agency, violated the Fair Credit Reporting Act by failing to use reasonable procedures before placing a misleading alert in his credit file that labeled him as a potential terrorist, among other comparable threats.  Id.<\/em> at 419-21.  The Supreme Court held that only class members whose credit reports had been provided to third-party businesses had suffered a concrete injury, and that the mere existence of misleading alerts in one\u2019s own credit file did not cause such an injury.  Id.<\/em> at 417, 435.<\/p>\n\n\n\n

Applying TransUnion<\/em> to the facts at hand, Judge Bell reasoned that \u201cPlaintiffs\u2019 allegations of harm as a consequence of the Data Breach fall squarely in the \u2018might be a problem\u2019 rather than the \u2018is already a problem\u2019 category.\u201d  Dougherty<\/em>, 2025 U.S. Dist. LEXIS 194879,at *12.  Therefore, Plaintiffs\u2019 theory of an ongoing threat of identity theft or other data misuse failed to plausibly allege any actual harm, such as an attempt to open credit card accounts or otherwise steal information.  Id.<\/em> at *12-13.  Further, most of the Plaintiffs did not identify any personal information that they personally provided to Bojangles, defeating any traceability argument.  Judge Bell similarly dismissed Plaintiffs\u2019 varied attempts to establish standing based on an uptick in spam calls, diminution in value of personal information, time spent mitigating the \u201cpotential impact\u201d of the data breach, and emotional distress.  Id.<\/em> at 13-14. None of these harms constitute a concrete injury. <\/p>\n\n\n\n

Judge Bell also dismissed the claims of the one Plaintiff who allegedly noticed fraudulent charges on his debit card, because he did not allege those charges were fairly traceable to the breach.  Because the Plaintiff did not allege that he provided his debit card number to Bojangles as part of his employment, there was no way to connect those charges to the alleged breach.  Thus, although those charges may constitute an injury-in-fact, they were insufficient on traceability grounds.<\/p>\n\n\n\n

Implications For Companies<\/strong><\/p>\n\n\n\n

Dougherty<\/em> illustrates the pleading requirements established in TransUnion<\/em>, and the powerful tool that they can be in dismantling a nationwide data breach class action. <\/p>\n\n\n\n

What\u2019s more, the court in Dougherty <\/em>seemed to take for granted that every class member must suffer an actual injury for each of their claims, even at the pleading stage in the litigation.  Id. <\/em>at *9 (\u201cTherefore, following TransUnion<\/em>, it is clear that to recover damages from Defendant, every class member must have Article III standing for each claim that they press requiring proof that the challenged conduct caused each of them a concrete harm\u201d) (quotations omitted).  This signal may be a favorable sign that Judge Bell agrees with the \u201csleeping lion\u201d noted by Justice Kavanaugh in Lab. Corp. of Am. Holdings v. Davis<\/em>, 605 U.S. 327 (2025) \u2013 i.e.<\/em>, whether \u201ca federal court may . . . certify a damages class that includes both injured and uninjured members.\u201d  Id. <\/em>at 328 (Kavanaugh, J., dissenting).  For now, however, the Court left that issue until another day.<\/p>\n\n\n\n

Nonetheless, if corporate counsel\u2019s organizations are facing a class action seeking damages stemming from an alleged data breach, corporate counsel should consider their ability to attack Article III standing on all fronts, not only as to the named plaintiffs, but also as to the class.  If successful, other organizations may be able to make an early exit from a data breach class action on the theory that plaintiffs cannot  plausibly allege an actual injury from the future possibility of their data misuse, much like the defendant in Dougherty.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Andrew P. Quay Duane Morris Takeaways: On September 30, 2025, in Dougherty, et al. v. Bojangles\u2019 Restaurants, Inc., No. 25-CV-00065, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sept. 30, 2025), Judge Kenneth D. Bell of the U.S. District Court for the Western District of North Carolina dismissed … <\/p>\n

Continue reading “North Carolina Federal Dismisses Class Action Based On No Injury Stemming From Bojangles Data Breach”<\/span><\/a><\/p>\n","protected":false},"author":575,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[91,2],"tags":[],"ppma_author":[7,127,147],"class_list":["post-2470","post","type-post","status-publish","format-standard","hentry","category-data-breach-class-actions","category-general"],"authors":[{"term_id":7,"user_id":575,"is_guest":0,"slug":"gmaatman","display_name":"Gerald L. Maatman, Jr.","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2022\/09\/maatmangerald-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""},{"term_id":127,"user_id":692,"is_guest":0,"slug":"rgarippo","display_name":"Ryan Garippo","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/09\/garipporyan-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""},{"term_id":147,"user_id":742,"is_guest":0,"slug":"aquay","display_name":"Andrew P. Quay","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2026\/03\/quayandrew-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/2470","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/users\/575"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/comments?post=2470"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/2470\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/media?parent=2470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/categories?post=2470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/tags?post=2470"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/ppma_author?post=2470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}