Consumer protection – Standing – Data breach
U.S. District Court
Mass. Lawyers Weekly Staff, April 8, 2025
Where a complaint has been filed over a data breach, the plaintiffs have established standing to pursue damages, as they sufficiently allege that instances of actual misuse and efforts to protect themselves against future misuse are traceable to the data disclosure, but the plaintiffs lack standing to pursue injunctive and declaratory relief, as they have not plausibly alleged that the threat of future harm is redressable by the prospective relief that they seek.
“Before the court in this data-breach action is Defendants’ Motion to Dismiss [Doc. No. 48] Plaintiffs’ Consolidated Class Action Complaint [Doc. No. 45] for lack of standing and failure to state a claim for relief. For the reasons set forth below, the court denies the Motion as to Plaintiffs’ claims for violation of the Driver’s Privacy Protection Act (“DPPA”), 18 U.S.C. §2724, and violation of Massachusetts General Laws, Chapter 93A (“Chapter 93A”), and grants the Motion as to Plaintiffs’ negligence, invasion-of-privacy, and declaratory judgment claims. …
“MAPFRE argues that Plaintiffs fail to plausibly allege standing. It asserts that the forms of financial fraud that the Plaintiffs allege cannot be committed with a driver’s license number, and that without plausible allegations of actual misuse, the allegations that Plaintiffs face a risk of future harm are insufficient to confer standing. …
“As explained below, the court finds Plaintiffs have alleged standing to pursue damages where they have alleged a plausible connection between the financial fraud they have suffered and the Data Disclosure, and where they have alleged costs incurred in response to an imminent and substantial risk of future identity fraud. However, Plaintiffs have not plausibly alleged that the threat of future harm is redressable by the prospective relief that they seek. Consequently, they lack standing to pursue the injunctive and declaratory relief identified in the Amended Complaint. …
“Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023), controls whether Plaintiffs have adequately alleged an injury in fact. …
“Here, as detailed below, the Amended Complaint likewise includes plausible allegations that some data exposed in the Data Disclosure has been misused. Based on those allegations and others demonstrating that the Data Disclosure was the result of a targeted attack to obtain Plaintiffs’ sensitive PI, all Plaintiffs face an imminent and substantial risk of future identity fraud such that their mitigation efforts constitute concrete injuries. …
“In sum, the Amended Complaint sufficiently alleges injuries in fact. The Amended Complaint includes plausible allegations that some PI stolen in the Data Disclosure has already been misused. It also plausibly alleges a substantial and imminent risk of future fraud stemming from the Data Disclosure such that Plaintiffs’ mitigation constitutes a present injury in fact. …
“Plaintiffs lack standing to pursue the prospective relief they seek because such relief will not redress the injury that they allege. …
“In short, the imminent injury Plaintiffs do allege — a heightened risk of future identity theft stemming from the Data Disclosure — is not redressable by an order requiring MAPFRE to improve their data security. And Plaintiffs do not plausibly allege an imminent future injury — a heightened risk of future data breaches — that such an order would redress. Therefore, Plaintiffs lack standing to pursue the declaratory and injunctive relief that they seek. …
“… Because Plaintiffs’ Amended Complaint sufficiently alleges a knowing disclosure for a purpose not permitted under 18 U.S.C. §2721(b), Plaintiffs have stated a DPPA claim. …
“The economic loss doctrine bars Plaintiffs’ negligence claim. Plaintiffs’ claim for damages based on lost property in the form of compromised PI does not satisfy the property damage requirement. … Further, assuming the fraudulent credit and debit card activity or the delay in receiving unemployment benefits caused monetary harm, Plaintiffs cannot recover damages for that harm where they have not alleged personal injury or property damage associated with such financial loss. For the same reason, Plaintiffs cannot recover damages for effort and costs associated with mitigating the effects of the Data Disclosure.
“Plaintiffs’ allegations of ‘anxiety, emotional distress,’ alarm, and stress associated with the Data Disclosure and mitigation efforts are insufficient to overcome the economic loss doctrine. … Courts have found allegations of ‘palpable emotional distress’ sufficient to satisfy the ‘personal injury’ exception to the economic loss doctrine. … ‘Palpable emotional distress,’ however, requires some physical manifestation. … Here, Plaintiffs have not alleged any physical manifestations of their emotional distress. Accordingly, in the absence of allegations of physical injury or property damage, their negligence claim may not proceed. …
“Plaintiffs’ allegations are sufficient for their Chapter 93A claim to proceed. First, Plaintiffs have alleged conduct — MAPFRE’s use of a website feature that it knew could lead to dissemination of Plaintiffs’ personal information without accompanying security measures — that at least arguably violates Plaintiffs’ DPPA rights and right to privacy. Second, the Amended Complaint alleges that MAPFRE implemented this feature for the purpose of increasing insurance sales, i.e. in the conduct of commerce. … Third, as explained above, the Amended Complaint alleges actual misuse of some PI and risk mitigation costs, which are injuries distinct from the mere invasion of Plaintiffs’ protected rights. … Fourth, the Complaint sufficiently alleges that Plaintiffs’ injuries are a result of MAPFRE’s implementation of the auto-populate feature. …
“Plaintiffs fail to state an invasion-of-privacy claim here. Although the Amended Complaint alleged MAPFRE’s actions enabled third parties to obtain Plaintiffs’ PI, it does not allege that MAPFRE disseminated their PI. …
“For the foregoing reasons, Defendants’ Motion to Dismiss [Doc. No. 48] is denied as to Counts I (violation of the Driver’s Privacy Protection Act) and III (violation of Chapter 93A) and granted as to Counts II (Negligence), IV (Invasion of Privacy), and V (Declaratory Relief).”
In re MAPFRE Data Disclosure Litigation (Lawyers Weekly No. 02-203-25) (29 pages) (Talwani, J.) (Civil Action No. 1:23-cv-12059-IT) (March 31, 2025).