Judge John Z. Lee of the Northern District issued an opinion on Tuesday granting Pearson’s motion to dismiss regarding the data breach of its AIMSweb testing platform, which allowed hackers to gain access to students’ information; the court granted the motion because the plaintiffs did not establish Article III standing.
The court first considered standing to sue. For Article III standing the plaintiffs must allege: “(1) an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” At issue is whether the plaintiffs have sufficiently pleaded an injury-in-fact. The central argument made by the plaintiffs is that the hack made them more susceptible to and an easier target for identity theft. A material threat of identity theft depends on the sensitivity of the data and the occurrence of fraudulent charges or other elements of identity theft. The court noted that “[w]hat matters most is that the data disclosed here is far less likely to facilitate identity theft that the credit and debit numbers at issue in Remijas…Here, by contrast, the names, emails, and dates of births of registered students cannot ‘easily be used in fraudulent transactions.’” Furthermore, the court stated that even through social engineering, or other means to obtain more information, this would not satisfy Article III standing because the allegations fail to establish that the breach exposed the plaintiffs to a substantial risk. This is further underscored, according to the judge, by the plaintiffs’ failure to identify any consequences of the data breach or point to an instance of identity theft affecting the 900,000 students, which illustrates the minimal damage and danger caused by the data breach.
The court concluded that “the disclosed data is not sensitive enough to materially increase the risk of identity theft.” The court noted that the plaintiffs’ argument that the value of their personal data has been diminished is “‘too speculative’ to confer standing.” The plaintiffs also did not plead a violation of the Family Education Rights and Privacy Act and the Illinois School Student Records Act, despite using these as a cause of action; the statutes also require that students suffer actual damages. Additionally, the court stated that the information in the plaintiffs’ supplemental memorandum does not confer standing. As a result, the plaintiffs failed to demonstrate Article III standing for their failure to sustain that the breach caused economic loss or imminent danger of identity theft or diminished value of the plaintiffs’ data. The complaint was dismissed without prejudice for lack of subject-matter jurisdiction, thus Pearson’s motion to dismiss is granted.
The plaintiffs are represented by Loevy & Loevy. Pearson is represented by Steptoe & Johnson.