throbber
Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 1 of 16 PageID #:735
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE NORTHERN DISTRICT OF ILLINOIS
`EASTERN DIVISION
`
`
`)
`KYLIE S., ANTHONY P., ANNA S., and
`GENA W., on behalf of themselves and as )
`parents and guardians of their minor
`)
`children, K.S., J.P., K.P., D.C., M.C., J.C.,
`)
`Z.W., and C.W., and on behalf of all
`)
`similarly-situated individuals,
`)
`)
`)
`)
`)
`)
`) Judge John Z. Lee
`)
`)
`)
`)
`
`v.
`
`
`
`
`
`
`
`
`
`PEARSON PLC, NCS PEARSON, INC,
`and PEARSON EDUCATION, INC., d/b/a
`PEARSON CLINICAL ASSESSMENT,
`
`
`
`
`
`
`
`Defendants.
`
`
`
`
`
`Plaintiffs,
`
`
`
`
`
`
`
`19 C 5936
`
`
`
`MEMORANDUM OPINION AND ORDER
`
`Pearson PLC, NCS Pearson, Inc., and Pearson Education, Inc. (collectively
`
`“Pearson”) operate AIMSweb, an educational testing platform that stores students’
`
`names, emails, and birthdays, among other information. In 2018, hackers slipped
`
`past Pearson’s defenses and gained access to the data hosted on AIMSweb. No
`
`credit cards, social security numbers, health records, or other sensitive information
`
`was compromised, and none of the affected students have reported fraudulent
`
`charges or other fallout attributable to the data breach.
`
`Believing that Pearson neglected to implement security measures that would
`
`have thwarted the hackers, a group of Illinois and Colorado parents initiated this
`
`putative class action. At this stage, Pearson has moved to dismiss the complaint.
`
`Because Plaintiffs have not established Article III standing, the motion is granted.
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 2 of 16 PageID #:736
`
`I.
`
`Background1
`
`
`A.
`
`
`
`The AIMSweb Platform
`
`Pearson PLC publishes educational materials. Am. Compl. ¶ 13, ECF No. 11.
`
`Pearson Education, Inc., one of Pearson PLC’s subsidiaries, supplies testing
`
`services. Id. ¶ 14. NCS Pearson, Inc., another subsidiary, develops educational
`
`software. Id. ¶ 15.
`
`
`
`Working together, these entities oversee AIMSweb, a “digital education
`
`technology assessment platform licensed to schools and school districts.” Id. ¶ 35.
`
`As part of the curriculum, schools that license the platform instruct their students
`
`to complete tests on AIMSweb. Id. ¶ 36. To do so, students must share “their first
`
`and last names, dates of birth, email addresses, unique student identification
`
`numbers, home addresses and telephone numbers.” Id. ¶ 38. In a privacy policy
`
`that covers AIMSweb, Pearson accepted “full responsibility for the information we
`
`hold” and promised to “protect [student] privacy at all times.” Id. ¶ 58.
`
`B. The Data Breach
`
`
`
`Sometime in late 2018, hackers penetrated AIMSweb’s defenses and gained
`
`access to the data stored on the platform. Am. Compl. ¶ 1. But it was not until
`
`early 2019, when the FBI detected the incident, that Pearson realized that
`
`AIMSweb had been compromised. Id. ¶ 41.
`
`
`In analyzing a motion to dismiss, the court “accept[s] as true all well-pleaded factual
`1
`allegations and draw[s] all reasonable inferences in favor of the plaintiff.” Heredia v.
`Capital Mgmt. Servs., L.P., 942 F.3d 811, 814 (7th Cir. 2019).
`
`
`2
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 3 of 16 PageID #:737
`
`
`
`In a preliminary analysis, the FBI estimated that the intruders could have
`
`accessed information related to roughly 900,000 students at about 13,000 schools.
`
`Id. The disclosed data included “first name, last name, and in some instances . . .
`
`date of birth and/or email address,” along with students’ “unique student
`
`identification numbers.” Id. ¶ 47.
`
`
`
`About four months after the FBI discovered the problem, Pearson issued a
`
`public notice acknowledging that a data breach had occurred. Id. ¶¶ 43, 46.
`
`Pearson assured customers that it “do[es] “not have any evidence that th[e]
`
`information has been misused.” Id. ¶ 48. “[A]s a precaution,” however, it “offer[ed]
`
`to compensate victims in the form of one year of complimentary credit monitoring
`
`services.” Id. ¶¶ 48–49.
`
`C. Plaintiffs’ Claims
`
`
`
`Based on Pearson’s failure to prevent the data breach, Plaintiffs assert a
`
`dozen different common law and statutory claims. They accuse Pearson of common
`
`law negligence, negligence per se, breach of an express contract, breach of an
`
`implied contract, unjust enrichment, and intrusion upon seclusion. They also allege
`
`that Pearson violated the Illinois Personal Information and Protection Act, 815 Ill.
`
`Comp. Stat. § 530/1 et seq.; Illinois Consumer Fraud and Deceptive Business
`
`Practices Act, 815 Ill. Comp. Stat. § 505/1, et seq.; Illinois Uniform Deceptive Trade
`
`Practices Act, 815 Ill. Comp. Stat. § 510/1, et seq.; Colorado Security Breach
`
`Notification Act, Colo. Rev. Stat. §§ 6-1-716, et seq.; Colorado Consumer Protection
`
`3
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 4 of 16 PageID #:738
`
`Act, Colo. Rev. Stat. §§ 6-1-101, et seq.; and Colorado Student Data Transparency
`
`and Security Act, Colo. Rev. Stat. §§ 22-16-101, et seq.
`
`For its part, Pearson maintains that the complaint should be dismissed for
`
`lack of subject-matter jurisdiction, want of personal jurisdiction, and failure to state
`
`a claim. The Court’s analysis begins—and, in this case, ends—with the question of
`
`subject-matter jurisdiction.
`
`II. Legal Standard
`
`Under Federal Rule of Civil Procedure 12(b)(1), a defendant may move to
`
`dismiss claims over which a federal court lacks subject-matter jurisdiction.
`
`See Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir.
`
`2009); Perry v. Vill. of Arlington Heights, 186 F.3d 826, 829 (7th Cir. 1999). In
`
`analyzing a Rule 12(b)(1) motion, courts accept as true all well-pleaded facts, draw
`
`all reasonable inferences in the plaintiff’s favor, and look beyond the jurisdictional
`
`allegations to evidence submitted on the issue of subject-matter jurisdiction. See St.
`
`John’s United Church of Christ v. City of Chi., 502 F.3d 616, 625 (7th Cir. 2007).
`
`III. Analysis
`
`Pearson contends that Plaintiffs lack standing to bring this suit. It is well-
`
`established that “[s]tanding is an essential component of Article III’s case-or-
`
`controversy requirement.” Apex Digital, Inv. v. Sears, Roebuck & Co., 572 F.3d 440,
`
`443 (7th Cir. 2009).
`
`To support standing, a claimant must allege: “(1) an injury in fact, (2) that is
`
`fairly traceable to the challenged conduct of the defendant, and (3) that is likely to
`
`4
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 5 of 16 PageID #:739
`
`be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct.
`
`1540, 1547 (2016). “[A] plaintiff, as the party invoking federal jurisdiction, bears
`
`the burden of establishing these elements.” Id. (citation omitted). At issue here is
`
`whether Plaintiffs have adequately pleaded an injury-in-fact.
`
`An injury-in-fact refers to a particularized and concrete, actual or imminent
`
`invasion of a legally-protected interest. See Lujan v. Defenders of Wildlife, 504 U.S.
`
`555, 560 (1992). “For an injury to be ‘particularized,’ it ‘must affect the plaintiff in a
`
`personal and individual way.’” Spokeo, 136 S Ct. at 1548 (citation omitted). For an
`
`injury to be “concrete,” it must “actually exist.” Id. “This does not mean, however,
`
`that [a] risk of real harm cannot satisfy the requirement of concreteness.” Id. at
`
`1549. So long as the plaintiff faces “a substantial risk” of injury, the concreteness
`
`component is present. Hummel v. St. Joseph Cty. Bd. of Comm’rs, 817 F.3d 1010,
`
`1019–20 (7th Cir. 2016) (citation omitted).
`
`In arguing that they suffered an injury-in-fact, Plaintiffs articulate three
`
`distinct theories. First, they submit that the data breach exacerbated their
`
`vulnerability to identity theft. Second, they suggest that the breach reduced the
`
`market value of their data. Finally, they contend that certain statutes dictate that
`
`any disclosure of student records is a legally-cognizable injury, even if no economic
`
`harm results.
`
`
`
`
`
`A.
`
`Increased Risk of Identity Theft
`
`5
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 6 of 16 PageID #:740
`
`Plaintiffs’ primary argument is that the data breach made them easier
`
`targets for identity thieves. In Remijas v. Neiman Marcus Group, LLC, the Seventh
`
`Circuit recognized that a substantial risk of identity theft qualifies as an injury-in-
`
`fact. 794 F.3d 688 (7th Cir. 2015). There, “hackers deliberately targeted Neiman
`
`Marcus in order to obtain [shoppers’] credit card information.” Id. at 693. All told,
`
`the attackers absconded with about 300,000 credit and debit card numbers. Id. at
`
`690. They promptly placed fraudulent charges on 9,000 of the stolen cards. Id.
`
`Under those conditions, the Court of Appeals held that all of the shoppers had
`
`pleaded an injury-in-fact sufficient to survive a Rule 12(b)(1) motion. Id. at 693.
`
`Whether a data breach exposes consumers to a material threat of identity
`
`theft turns on two factors that derive from Remijas: (1) the sensitivity of the data in
`
`question, see, e.g., In re Vtech Data Breach Litig., No. 15 C 10889, 2017 WL
`
`2880102, at *4 (N.D. Ill. July 5, 2017), and (2) the incidence of “fraudulent charges”
`
`and other symptoms of identity theft, see Lewert v. P.F. Chang’s China Bistro, Inc.,
`
`819 F.3d 963, 967 (7th Cir. 2016).2
`
`Particularly relevant here, Vtech applied these factors to a breach that
`
`exposed children’s data. In that case, a toy company disclosed millions of “children’s
`
`names, genders, birthdates” along with their parents’ “email and mailing addresses,
`
`
`2
`At times, Plaintiffs seem to suggest that any data breach, no matter the sensitivity
`of the stolen information or the incidence of identity theft, satisfies Article III. But courts
`in this circuit have repeatedly refused to recognize standing when hackers gained access to
`low-risk information. See, e.g., Vtech, 2017 WL 2880102, at *4 (“Plaintiffs have not shown
`an increased risk of identity theft due to a data breach because they do no allege how the
`stolen data would aid identity thieves[.]”); Unchageri v. Carefirst of Maryland, Inc., No. 16
`C 1068, 2016 WL 8255013, at *3 (C.D. Ill. Nov. 14, 2016) (same).
`
`
`6
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 7 of 16 PageID #:741
`
`IP addresses, download and purchase histories” and other account information.
`
`Vtech, 2017 WL 2880102, at *2. Distinguishing Remijas, the court reasoned that
`
`“the data stolen here did not include credit-card or debit-card information, or any
`
`other information that could easily be used in fraudulent transactions.” Id. at *3–4.
`
`At the same time, the court also found it significant that the breach had not
`
`“resulted in fraudulent charges” or any other “fallout.” Id. “With respect to this
`
`data breach,” the court concluded, “plaintiffs have not plausibly alleged a
`
`substantial risk of harm sufficient to confer standing.”3 Id. at *4.
`
`Similar logic explains why Plaintiffs’ identity-theft theory fails in this case.
`
`What matters most is that the data disclosed here is far less likely to facilitate
`
`identity theft than the credit and debit card numbers at issue in Remijas. As the
`
`Seventh Circuit has observed, “the information stolen from payment cards can be
`
`used to open new cards in the consumer’s name.” Lewert, 819 F.3d at 967 (citing
`
`Remijas, 794 F.3d at 692–93). Here, by contrast, the names, emails, and dates of
`
`birth of registered students cannot “easily be used in fraudulent transactions.”
`
`Vtech, 2017 WL 2880102, at *4. If anything, the data at issue here is less sensitive
`
`than in Vtech, which featured “passwords” and “secret questions and answers” that
`
`might be used to access other online accounts. Id.
`
`
`
`This is not to say that the data taken from Pearson’s servers could never
`
`enable identity theft. In a tactic that cybersecurity experts call “social engineering,”
`
`
`The Vtech court went on to identify an injury-in-fact based on “benefit-of-the-bargain
`3
`damages resulting from [plaintiffs’] breach of contract claim, because the products they
`received were worth less than the products they were promised.” Id. at *5. Given that
`Plaintiffs never paid for Pearson’s services, that theory is not implicated here, and
`Plaintiffs do not argue otherwise.
`
`7
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 8 of 16 PageID #:742
`
`hackers sometimes collect relatively benign information about consumers and
`
`contact “IT help desk [personnel]” at various companies in an effort to obtain more
`
`sensitive information, such as credit card or social security numbers. Am. Compl.
`
`¶ 24. Under the circumstances alleged in the complaint, however, any theory that
`
`the data would facilitate social engineering depends on a “highly attenuated chain
`
`of possibilities” that “does not satisfy [Article III].” Clapper v. Amnesty Int’l USA,
`
`568 U.S. 398, 410 (2013).
`
`
`
`To see why this is so, it is helpful to put oneself in the shoes of the hackers
`
`responsible for the Pearson breach. They now have a list of students’ names,
`
`birthdays, and email addresses. But they have no way of knowing which students
`
`hold bank or credit card accounts at which company. And, even if the hackers guess
`
`that a specific student patronizes a particular financial institution, they will need to
`
`persuade that institution’s IT staff that they represent the student. Given that
`
`names, birthdays, and emails are not usually viewed as reliable indicators of
`
`identity in and of themselves, that will be a difficult task. Should the hackers
`
`succeed, IT staff may still refuse to disclose sensitive information over the phone,
`
`preferring to send it to the students’ email or physical addresses, over which the
`
`hackers have no control.
`
`As this example illustrates, Plaintiffs’ social engineering theory involves a
`
`“long sequence of uncertain contingencies involving multiple independent actors.”
`
`Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017). In other words, social
`
`engineering only poses a threat if exceptionally determined hackers encounter
`
`8
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 9 of 16 PageID #:743
`
`especially credulous IT personnel. While that combination is theoretically possible,
`
`nothing in the complaint establishes that it exposes Plaintiffs to a substantial risk.
`
`See Whitmore v. Ark., 495 U.S. 149, 158 (1990) (“Allegations of possible future
`
`injury do not satisfy the requirements of Art[icle] III.”).
`
`Plaintiffs’ inability to identify any consequences of the data breach reinforces
`
`that conclusion. More than a year after the breach, Plaintiffs cannot point to a
`
`single instance of identity theft affecting any of the 900,000 members of the
`
`putative class. Am. Compl. ¶ 1. By comparison, the Remijas plaintiffs alleged that
`
`thousands of shoppers had reported fraudulent charges on their credit card
`
`statements. 794 F.3d at 690. And, although Plaintiffs cite an FBI warning that
`
`“collection of student data could have . . . safety implications” for children, they do
`
`not spotlight any safety incident attributable to the Pearson breach. Am. Compl.
`
`¶ 32. Nor do they “allege that the hacker is a predator, or that the hacker
`
`disseminated the information broadly, to predators or anyone else who would harm
`
`the children.” Vtech, 2017 WL 2880102, at *4. Ultimately, Plaintiffs’ failure to
`
`describe any “fallout” underscores the relatively minimal danger posed by the data
`
`breach. Id. at *3–4.
`
`
`
`In resisting that conclusion, Plaintiffs make much of Pearson’s offer to supply
`
`students with free credit monitoring services in the wake of the breach. In Remijas,
`
`the court interpreted a similar offer as an admission that the risk of identity theft
`
`was not “so ephemeral that it can safely be disregarded.” 794 F.3d at 694. Seizing
`
`on that language, Plaintiffs read Remijas as holding that a firm’s provision of
`
`9
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 10 of 16 PageID #:744
`
`identity protection services is enough to establish that a breach poses a material
`
`danger.
`
`But neither Seventh Circuit case law nor common sense support that
`
`conclusion. When the Remijas court analyzed the risk of identity theft, it
`
`repeatedly highlighted the sensitive nature of the compromised data and the actual
`
`incidences of fraudulent charges, much more so than the fact that the defendant
`
`had offered credit monitoring services to its customers. See, e.g., id. at 690, 691,
`
`692. And in subsequent opinions, the Court of Appeals has assessed the threat
`
`posed by data breaches without even mentioning the presence or absence of any
`
`offers to provide credit monitoring. See Lewert, 819 F.3d at 967; Tierney v. Advocate
`
`Health & Hosps. Corp., 797 F.3d 449, 451 (7th Cir. 2015). At most, Seventh Circuit
`
`precedent suggests that the provision of credit monitoring plays a minor part in
`
`standing analysis, not the decisive role Plaintiffs’ envision.
`
`Two practical considerations confirm the wisdom of that approach. First, the
`
`availability of free credit monitoring is an unreliable indicator of risk. The premise
`
`underlying Plaintiffs’ argument is that firms only offer post-breach services when
`
`identity theft poses a serious threat. But firms may have other incentives to offer
`
`such services even when a data breach presents little or no risk, such as the need to
`
`placate and retain customers. According to a report cited in the complaint, for
`
`example, engaging those services has emerged as the “standard” response to data
`
`breaches
`
`in some
`
`industries.
`
` Am. Compl. ¶ 29 n.8 (citing Government
`
`Accountability Office, Data Breaches—Range of Consumer Risks Highlights
`
`10
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 11 of 16 PageID #:745
`
`Limitations
`
`of
`
`Identity
`
`Theft
`
`Services,
`
`at
`
`*11,
`
`https://www.gao.gov/assets/700/697985.pdf.). It follows that the provision of free
`
`services reveals relatively little about the degree of risk created by a breach.
`
`Second, recognizing an injury-in-fact whenever firms supply identity
`
`protection services would create perverse incentives. Most of the time, courts
`
`“exclude[ ] evidence of subsequent remedial measures as proof of an admission of
`
`fault.” Fed. R. Evid. 407, advisory committee’s notes. A contrary rule would
`
`“discourag[e] [defendants] from taking steps in furtherance of added safety.” Id. As
`
`the Third and Fourth Circuits have recognized, similar logic militates against
`
`placing substantial weight on a firm’s decision to offer post-breach services. See In
`
`re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 634 n.12 (3d Cir.
`
`2017); Beck v. McDonald, 848 F.3d 262, 276 (4th Cir. 2017). To do otherwise risks
`
`“disincentiviz[ing] companies from offering [free] services in the wake of a breach.”
`
`Horizon, 946 F.3d at 634 n.12.
`
`
`
`In short, Plaintiffs’ theory fails because the disclosed data is not sensitive
`
`enough to materially increase the risk of identity theft. That none of the affected
`
`students seems to have suffered adverse consequences from the breach confirms
`
`this diagnosis, and Pearson’s provision of credit monitoring services is not a reliable
`
`enough indicator of risk to undermine it. The result is that Plaintiffs cannot
`
`demonstrate Article III standing on this basis.4
`
`
`The complaint also predicts that Plaintiffs will incur mitigation expenses in
`4
`responding to the data breach. Am. Compl. ¶ 66. While that is sometimes sufficient to
`support standing, see Remijas, 794 F.3d at 694, Plaintiffs do not press this argument in
`their response brief, so the Court does not consider it.
`
`11
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 12 of 16 PageID #:746
`
`B. Diminution in Value of Personal Data
`
`
`In the alternative, Plaintiffs assert that the data breach reduced the market
`
`value of their personal information. “[A]n economic market existed for Plaintiffs’
`
`and Class Members’ [data],” their theory goes, and “the value of that data decreased
`
`as a result of its availability on the black market.” Pls.’ Resp. at 12, ECF No. 33.
`
`What is missing from the complaint, however, are any allegations that the Pearson
`
`hackers have attempted to trade the compromised data for anything of value. See,
`
`e.g., In re Yahoo! Inc. Customer Data. Sec. Breach Litig., No. 16-MD-02752-LHK,
`
`2017 WL 3727318, at *14 (N.D. Cal. Aug. 30, 2017) (identifying an injury-in fact
`
`because the complaint “include[d] several examples of hackers selling [personal
`
`identification information] from Yahoo accounts on the dark web”). Nor do
`
`Plaintiffs plead that they have ever sold their data or that they would even consider
`
`doing so. See Am. Compl. ¶ 26; Khan v. Children’s Nat’l Health Sys., 188 F. Supp.
`
`3d 524, 533 (D. Md. 2016). Those deficiencies make this theory “too speculative” to
`
`confer standing. See Clapper, 568 U.S. at 401.
`
`
`
`
`
`12
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 13 of 16 PageID #:747
`
`Standing Based on Statutory Violations
`
`C.
`
`
`Finally, Plaintiffs insist that certain statutes establish that any disclosure of
`
`student data counts as an injury, regardless of whether it leads to economic loss. As
`
`a general rule, legislatures “have the power to enact statutes creating legal rights,
`
`the invasion of which creates standing, even though no injury would exist without
`
`the statute.” Gaylor v. Mnuchin, 919 F.3d 420, 426 (7th Cir. 2019) (citing Sterk v.
`
`Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014)). For a statute to
`
`confer standing, however, a claimant must clear two hurdles. First, he must
`
`“allege[ ] a violation of a legally protected interest” established by the statute.
`
`Sterk, 770 F.3d at 623. Second, he must show that the statute protects a
`
`“substantive” rather than a “procedural” interest. Bryant v. Compass Grp., USA,
`
`Inc., No. 20-1443, 2020 WL 2121463, at *6 (7th Cir. May 5, 2020).
`
`In analyzing the first step, the Seventh Circuit distinguishes between
`
`statutes that award “statutory damages” and those that “require[ ] an actual
`
`injury.” Diedrich v. Ocwen Loan Servicing, LLC, 839 F.3d 583, 589 (7th Cir. 2016).
`
`If the relevant legislation grants statutory damages, courts generally proceed to the
`
`second step. See CS Wang & Assoc. v. Wells Fargo Bank, N.A., 305 F. Supp. 3d 864,
`
`880 (N.D. Ill. 2018) (“[It is] telling, though not dispositive, that [a statute] gives
`
`injured persons the right to sue for . . . statutory damages”). But if the statute calls
`
`for “actual injury,” then “the injury requirement for standing overlaps with the
`
`injury requirement under the statute,” and there is “no need to perform a separate
`
`[analysis]” of statutory standing. Diedrich, 839 F.3d at 589.
`
`13
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 14 of 16 PageID #:748
`
`Plaintiffs falter at the first step. In claiming that they retain a legally-
`
`protected interest in the compromised records, Plaintiffs invoke the Family
`
`Education Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g, and the Illinois
`
`School Student Records Act (“ISSRA”), 105 Ill. Comp. Stat. § 10/1 et seq. At a
`
`minimum, however, statutory standing demands that the claimant plead a violation
`
`of the cited statute. See Sterk, 770 F.3d at 623. And, while the complaint
`
`elaborates a dozen different causes of action, it does not allege that Pearson ran
`
`afoul of FERPA or ISSRA.
`
`A more fundamental problem is that neither statute treats the disclosure of
`
`student data as an injury unless the plaintiff suffers actual damages. To be sure,
`
`ISSRA empowers “[a]ny person injured by a . . . violation of this Act [to] institute an
`
`action for damages[.]” 105 Ill. Comp. Stat. § 10/9(b). But it goes on to clarify that
`
`“[i]n the case of any successful action . . . [the defendant] is liable to the plaintiff for
`
`the plaintiff’s damages, the costs of the action and reasonable attorneys’ fees,” and
`
`nothing more. Id. § 10/9(c). Because ISSRA limits recovery to “the plaintiff’s
`
`damages,” id., and makes no provision for statutory or nominal damages, the Court
`
`concludes that an claim brought under ISSRA “requires an actual injury.” Diedrich,
`
`839 F.3d at 589.
`
`FERPA is similarly unhelpful to Plaintiffs. Nearly two decades ago, the
`
`Supreme Court held that FERPA’s “nondisclosure provisions fail to confer
`
`enforceable rights.” Gonzaga Univ. v. Doe, 536 U.S. 273, 287 (2002). That means
`
`that FERPA does not “creat[e] legal rights, the invasion of which creates standing.”
`
`14
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 15 of 16 PageID #:749
`
`Gaylor, 919 F.3d at 426; see Kyles v. J.K. Guardian Sec. Servs., Inc., 222 F.3d 289,
`
`294 (7th Cir. 2000) (explaining that statutory standing “depends in great measure
`
`on the particular rights conferred”).
`
`Perhaps anticipating
`
`these problems, Plaintiffs have submitted a
`
`supplemental memorandum. See Supp. Not. at 1–2, ECF No. 55. Although that
`
`memorandum purports to alert this Court to the Seventh Circuit’s recent decision in
`
`Bryant, 2020 WL 2121463, at *5–7, Plaintiffs also use it as an opportunity to raise
`
`arguments they left out of their response brief. Specifically, they claim that
`
`Illinois’s Personal Information Protection Act (“PIPA”), see 815 Ill. Comp. Stat.
`
`§ 530/1, et seq., and Colorado’s Security Breach Notification Act, see Colo. Rev. Stat.
`
`§ 6-1-716, et seq., confer standing.
`
`
`
`Putting aside the procedural dodginess of the filing, neither statute saves
`
`Plaintiffs. For one thing, Remijas determined that PIPA fails to “provide the basis
`
`for finding an injury for Article III standing” because it “requires actual damages.”
`
`794 F.3d at 695–96 (citing People ex rel. Madigan v. United Const. of Am., Inc., 981
`
`N.E.2d 404, 411 (Ill. App. Ct. 2012)). And, like FERPA, the Colorado notification
`
`law does not create a private right of action. See Colo. Rev. Stat. § 6-1-716(g)(4).
`
`Ultimately, then, the injury-in-fact element hinges on whether the breach
`
`caused economic loss by magnifying the danger of identity theft or diminishing the
`
`value of Plaintiffs’ data. Because Plaintiffs have failed to sustain either of those
`
`theories, they cannot support Article III standing.5 As a result, the complaint is
`
`
`As an aside, the Court notes that the District of Minnesota recently dismissed a
`5
`similar case arising from the Pearson data breach because it concluded that the plaintiffs
`
`15
`
`

`

`Case: 1:19-cv-05936 Document #: 66 Filed: 07/28/20 Page 16 of 16 PageID #:750
`
`dismissed without prejudice for lack of subject-matter jurisdiction. See Remijas,
`
`794 F.3d at 690 (“Where federal subject matter jurisdiction does not exist, federal
`
`courts do not have the power to dismiss with prejudice.”) (citation omitted). Given
`
`that Plaintiffs have only amended their complaint once, and that they may be able
`
`to introduce facts that establish standing, the Court will allow them to revise their
`
`allegations a second and final time.
`
`
`
`IV. Conclusion
`
`For the reasons stated above, the motion to dismiss is granted. Pearson’s
`
`motion to strike the class claims [22] and Plaintiffs’ motion to strike certain
`
`declarations submitted by Pearson [32] are denied as moot. If Plaintiffs choose,
`
`they may submit a second amended complaint by August 21, 2020. If they do not do
`
`so, the Court will assume that Plaintiffs no longer wish to pursue this litigation and
`
`will terminate the case.
`
`
`
`IT IS SO ORDERED.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`ENTERED 7/28/20
`
`__________________________________
`John Z. Lee
`United States District Judge
`
`
`lacked Article III standing. See George v. Pearson et al., No. 19-cv-2814 (JRT/KMM), 2020
`WL 3642325, at *4 (D. Minn. July 6, 2020) (relying on the Eighth Circuit’s decision in In Re
`Supervalu, Inc., 870 F.3d 763, 771 (8th Cir. 2017)).
`
`16
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket