Learn About the Law
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
MELISSA DOGA AND JOSEPH MARTIN, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED v. STATE OF LOUISIANA, DEPARTMENT OF PUBLIC SAFETY AND CORRECTIONS, OFFICE OF MOTOR VEHICLES
Plaintiffs, Melissa Doga, Joseph Martin, and Noah Gines, individually and on behalf of all other similarly situated persons (“plaintiffs”), appeal the trial court's judgment sustaining the peremptory exception raising the objections of no cause of action and no right of action 1 filed by defendant, State of Louisiana, Department of Public Safety and Corrections, Office of Motor Vehicles (“OMV”). For reasons that follow, we reverse.
FACTS AND PROCEDURAL HISTORY
On June 21, 2023, plaintiffs, persons who have received drivers’ services from OMV, filed a petition against OMV. According to the petition, around June 6, 2023, OMV's information security team detected unusual activity involving its computer network and discovered that an unauthorized party had gained access to its customers’ “Sensitive Information,” which includes that of plaintiffs. In the petition, plaintiffs alleged that OMV posted on its website and distributed to the media a press release notifying Louisiana residents with a state-issued driver's license, ID, or car registration that their data, including their names, addresses, social security numbers, birthdates, heights, eye colors, driver's license numbers, vehicle registration information, and handicap placard information (“Sensitive Information”), had been exposed to cyber hackers. In the notice, OMV explained that it “is one of a still undetermined number of government entities, major businesses and organizations to be affected by the unprecedented MOVEit data breach.” OMV described MOVEit as a third-party data transfer service used to send large files. OMV noted that MOVEit is used nationwide and worldwide, including by OMV, and indicated that reports regarding newly-discovered exposure of sensitive data were rapidly emerging.
According to the petition, after the data breach, OMV directed Louisiana residents to “1. Prevent Unauthorized New Account Openings or Loan and Monitor Your Credit[;] 2. Change All Passwords[;] 3. Protect Your Tax Refund and Returns with the Internal Revenue Service[;] 4. Check your Social Security Benefits[;] and 5. Report Suspected Identify Theft.” In the petition, plaintiffs further alleged that “C10p, a cybercriminal network, claimed to have started exploiting the MOVEit vulnerability on May 27, 2023.” Plaintiffs asserted that from May 27, 2023 onward the hackers had the opportunity “to obtain, sell, and misuse customers’ Sensitive Information without their knowledge[.]”
Plaintiffs averred that due to OMV's lax data security, approximately six million OMV customers had the most sensitive details of their lives and identities stolen by malicious cybercriminals. Plaintiffs further averred that C10p threatened to post the Sensitive Information on the dark web and may have posted some of the stolen information there. Therefore, plaintiffs asserted the data breach compromised plaintiffs’ Sensitive Information and placed plaintiffs in an immediate and continuing risk of harm from fraud, identify theft, and related harm caused by the data breach. Plaintiffs further asserted that due to the data breach, they were forced to continue to undertake time-consuming and often costly efforts to mitigate the actual and potential harm caused by the data breach's exposure of their Sensitive Information.
Plaintiffs asserted that OMV was negligent because it had a duty to reasonably safeguard its customers’ data by implementing reasonable data security measures to protect against data breaches because of the foreseeable harm to plaintiffs triggered by inadequate security. Plaintiffs alleged OMV required them to provide nonpublic Sensitive Information to obtain drivers’ services. OMV collected, created, and maintained plaintiffs’ Sensitive Information for that purpose.
Plaintiffs also sought a declaratory judgment that under common law, Louisiana Database Security Breach Notification Law (“LDSBNL”), La. R.S. 51:3074, and the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45, OMV owed a legal duty to plaintiffs to reasonably protect and secure their Sensitive Information; to provide timely notice of the data breach; to continue to protect and secure their Sensitive Information; and to continue to provide timely notice of data breaches.
On October 2, 2023, OMV filed exceptions of no right of action and no cause of action. OMV contended that plaintiffs had no standing and, therefore, no right of action because plaintiffs had not “suffered any harm related to the MOVEit data incident nor [could] they allege harm.” OMV further contended that plaintiffs failed to allege a cause of action against it because plaintiffs “failed to allege actual damages as a result of the MOVEit incident, which is fatal to their claims for both negligence and declaratory relief.”
Plaintiffs filed their first amended petition on January 4, 2024. In the petition, plaintiffs reurged the allegations made in the original petition, but also added plaintiff Noah Gines, set out a comprehensive list and explanation of OMV's purported duties and how OMV breached those duties, and alleged breach of confidence.2 The allegations concerning OMV's duties and how OMV allegedly breached those duties were predicated on state and federal statutes and on articles written by cybersecurity experts. Plaintiffs further set forth an in-depth list of the damages they allegedly sustained as a consequence of the data breach.
On February 27, 2024, OMV filed subsequent exceptions of no right of action and no cause of action. In the exceptions, OMV argued that plaintiffs Ms. Doga and Mr. Martin have no standing and no right of action because “they have not suffered any harm related to the MOVEit data incident nor can they allege harm[,]” but instead they allege “that they are at ‘increased risk’ of identify theft at some unknown point in the future.” OMV further argued that plaintiffs failed to allege a cause of action against it. OMV asserted that plaintiffs’ negligence, breach of confidence, and declaratory judgment claims do not assert a cause of action against OMV. OMV contended that plaintiffs are unable to allege actual damages, as a result of the MOVEit incident, which is fatal to their claims. OMV further contended that plaintiffs failed to allege how OMV breached any duty or caused any damages, when cybercriminals attacked MOVEit software owned and managed by Progress, which is fatal to plaintiffs’ negligence claim.
OMV further argued that plaintiffs failed to plead a valid cause of action for breach of confidence as there was no allegation that plaintiffs and OMV entered into an express or implied agreement limiting the use or disclosure of information. OMV noted that plaintiffs conceded that C10p, a cybercriminal network, exploited the MOVEit vulnerability and accessed information and, therefore, OMV did not disclose plaintiffs’ information. Additionally, OMV argued that plaintiffs failed to allege a cause of action for declaratory judgment.
Plaintiffs filed a response to OMV's exceptions on April 29, 2024. In the response, plaintiffs contended that OMV's exception of no right of action should be overruled because they plead that they sustained actual economic damages, and OMV's exception of no cause of action should be overruled because they sufficiently alleged their cause of action. Plaintiffs further contended they sufficiently plead negligence by alleging in their amended petition a range of statute-derived duties that OMV breached, including OMV's duties to safeguard and prevent unauthorized disclosure of Sensitive Information under the FTC Act and the LDSBNL and by alleging damages and causation. Plaintiffs argued they sufficiently plead breach of confidence and plead declaratory judgment.
On May 3, 2024, OMV filed a reply brief in which it reiterated its prior arguments set forth in the peremptory exceptions. On May 6, 2024, the trial court held a hearing on the exceptions. After each side presented arguments, the trial court sustained the exceptions. On May 13, 2024, the trial court signed a judgment sustaining the exceptions. On May 20, 2024, the trial court issued written reasons for judgment, wherein it adopted the case law and argument as cited and presented in OMV's memoranda in support. The court found it had no authority outside what is statutorily mandated and OMV notified “the public within a reasonable period as the law provides for 60 days and notice by [OMV] occurred within 20 days and notice was widespread.” The May 13, 2024 judgment is the subject of the instant appeal.
ASSIGNMENTS OF ERROR
Plaintiffs assign error to the following:
1. The trial court erred in sustaining OMV's peremptory exception of no cause of action and dismissing all claims asserted in the Amended Petition because the court failed to accept Plaintiffs’ well-pled allegations as true.
2. The trial court erred in sustaining OMV's peremptory exception of no right of action against Plaintiffs Doga and Martin because OMV failed to meet its evidentiary burden to prove that those Plaintiffs either had no interest in the subject matter of the suit or they lacked the legal capacity to proceed.
3. The trial court erred in failing to articulate the grounds for sustaining OMV's exceptions and erred in failing to allow Plaintiffs an opportunity to amend their pleading to attempt to cure the grounds for the objections raised by the exceptions pursuant to [La. Code. Civ. P. art. 934].
NO CAUSE OF ACTION
As used in the context of the peremptory exception, a “cause of action” refers to the operative facts which give rise to the plaintiff's right to judicially assert the action against the defendant. Terrebonne Parish Consolidated Government v. Louisiana Department of Natural Resources, 2021-0486 (La. App. 1st Cir. 12/30/21), 340 So.3d 940, 943. The function of an exception of no cause of action is to test the legal sufficiency of the petition by determining whether the law affords a remedy on the facts alleged in the pleading. Peremptory exceptions raising the objection of no cause of action present legal questions, which are reviewed using the de novo standard of review. The court reviews the petition and accepts well-pleaded allegations of fact as true. No evidence may be introduced at any time to support or controvert the objection that the petition fails to state a cause of action. La. Code Civ. P. art. 931; Reyer v. Milton Homes, LLC, 2018-05 80 (La. App. 1st Cir. 2/25/19), 272 So.3d604, 607.
The exception is triable on the face of the petition and any attached documents. The pertinent inquiry is whether, in the light most favorable to the plaintiff, and with every doubt resolved in the plaintiff's favor, the petition states any valid cause of action for relief. The burden of demonstrating that a petition fails to state a cause of action is upon the mover. Terrebonne Parish Consolidated Government, 340 So.3d at 944.
On appeal, plaintiffs argue that the trial court erred by sustaining OMV's exception of no cause of action because plaintiffs’ allegations were sufficient to state a cause of action for negligence, breach of confidence, and declaratory judgment. Plaintiffs further argue that the trial court erred by failing to accept as true plaintiffs’ well-pleaded allegations of specific duties OMV owed plaintiffs regarding data security in general and OMV's use of the MOVEit software specifically.
OMV, on the other hand, argues that the trial court did not err by sustaining the peremptory exception of no cause of action because plaintiffs did not sufficiently plead negligence, breach of confidence, or declaratory judgment. OMV further contends that Ms. Doga and Mr. Martin failed to plead damages.
Negligence
The violation of a statute or regulation does not automatically, in and of itself, impose civil liability. Instead, civil liability is imposed only if the act in violation of the statute is the legal cause of damage to the other. The courts conduct the negligence duty-risk analysis to determine whether liability arises as a result of a statutory violation. Bass v. DISA Global Solutions, Inc., 2020-0071 (La. App. 1st Cir. 12/30/20), 318 So.3d 909, 921, writ denied, 2021-00147 (La. 3/23/21), 313 So.3d 273.
For liability to attach under a duty-risk analysis, a plaintiff must prove five separate elements: (1) the defendant had a duty to conform his conduct to a specific standard of care (or the defendant owed a duty of care to the plaintiff) (the duty element); (2) the defendant failed to conform his conduct to the appropriate standard (or breached the requisite duty) (the breach element); (3) the defendant's substandard conduct was a cause-in-fact of the harm or the plaintiff's injuries (the cause-in-fact element); (4) the risk of harm was within the scope of protection afforded by the duty breached (the scope of the duty, scope of protection, or legal cause element); and (5) actual damages (damages element). A negative answer to any of the inquiries of the duty-risk analysis results in a determination of no liability. Landers v. USIC Locating Services, Inc., 2020-0890 (La. App. 1st Cir. 4/26/21), 324 So.3d 1070, 1073-74. OMV argued that plaintiffs failed to sufficiently plead breach, causation, and damages; therefore, we focus on those elements.
Breach of Duty
Plaintiffs assert they plead OMV breached statute-derived duties, which included the duty to safeguard and prevent unauthorized disclosure of Sensitive Information under the LDSBNL, La. R.S. 51:3071, and Section 5 of the FTC Act. Whether there was a breach of the duty owed is a question of fact or a mixed question of law and fact. Farrell v. Circle K Stores, Inc., 2022-00849 (La. 3/17/23), 3 59 So.3d 467, 474. It is only well-pleaded allegations of fact that are accepted as true. The adjective “well-pleaded” refers to properly pleaded allegations conforming to the system of fact pleading embodied in the Louisiana Code of Civil Procedure. It does not include allegations deficient in material detail, conclusory factual allegations, or allegations of law. Foster v. Bias, 2022-0329 (La. App. 1st Cir. 12/22/22), 358 So.3d 520, 536, writ denied, 2023-00090 (La. 3/28/23), 358 So.3d 503. LDSBNL, La. R.S. 51:3074, governs the protection of personal information. It provides in pertinent part:
A. Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
․
C. Any person that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall, following discovery of a breach in the security of the system containing such data, notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
D. Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of security of the system.
E. The notification required pursuant to Subsections C and D of this Section shall be made in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach, consistent with the legitimate needs of law enforcement, as provided in Subsection F of this Section, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. When notification required pursuant to Subsections C and D of this Section is delayed pursuant to Subsection F of this Section or due to a determination by the person or agency that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system, the person or agency shall provide the attorney general the reasons for the delay in writing within the sixty day notification period provided in this Subsection. Upon receipt of the written reasons, the attorney general shall allow a reasonable extension of time to provide the notification required in Subsections C and D of this Section.
․
G. Notification may be provided by one of the following methods:
(1) Written notification.
(2) Electronic notification, if the notification provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001.
(3) Substitute notification, if an agency or person demonstrates that the cost of providing notification would exceed one hundred thousand dollars, or that the affected class of persons to be notified exceeds one hundred thousand, or the agency or person does not have sufficient contact information. Substitute notification shall consist of all of the following:
(a) E-mail notification when the agency or person has an e-mail address for the subject persons.
(b) Conspicuous posting of the notification on the Internet site of the agency or person, if an Internet site is maintained.
(c) Notification to major statewide media.
H. Notwithstanding Subsection G of this Section, an agency or person that maintains a notification procedure as part of its information security policy for the treatment of personal information which is otherwise consistent with the timing requirements of this Section shall be considered to be in compliance with the notification requirements of this Section if the agency or person notifies subject persons in accordance with the policy and procedure in the event of a breach of security of the system.
․
J. A violation of a provision of this Chapter shall constitute an unfair act or practice pursuant to R.S. 51:1405(A).
Pursuant to the LDSBNL, La. R.S. 51:3075, “[a] civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information.” (Emphasis added).
Furthermore, Section 5 of the FTC Act states “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45(a)(1).
In support of their claims, plaintiffs rely on the Federal District Court's decision in Merrell v. 1st Lake Properties, Inc., 717 F. Supp.3d 512 (E.D. La. 2024). In Merrell, 717 F. Supp.3d at 515, the plaintiff—a tenant at a property owned by the defendant, a developer and property manager—was notified that personal identifying information the plaintiff submitted to the defendant had been accessed during a data breach of the defendant's business. As a result of the data breach, the plaintiff became the victim of three incidents of identity theft. The plaintiff subsequently filed a class action lawsuit in state court, but the matter was removed to federal court where the defendant filed a motion to dismiss the state court petition. Merrell, 717 F. Supp.3d at 515-16.
In an amended complaint filed in the Federal District Court, the plaintiff alleged negligence under Louisiana law and the LDSBNL. Regarding the negligence claim, “the amended complaint added citations to various provisions of the LDSBNL and Section 5 of the [FTC] Act, which [the] plaintiff [contended] sufficiently articulate standards supporting the duty element of a negligence claim under Louisiana law.” Merrell, 717 F. Supp.3d at 516. The defendant moved to dismiss the negligence claim under Federal Rule of Civil Procedure 12(b)(6) and to strike the LDSBNL claim under Federal Rule of Civil Procedure 12(f). Merrell, 717 F. Supp.3d at 516.
The Court found the LDSBNL articulated sufficient standards of conduct to satisfy the requirements for a duty under Louisiana negligence law. Merrell, 717 F. Supp.3d at 517. Pointing to the legislative findings, the Court noted the Legislature defined the scope of the risk that the LDSBNL was designed to protect against, including the privacy and financial security of individuals caused by widespread collection of personal information and the risks created by the failure to timely notify victims of identity theft. Merrell, 717 F. Supp.3d at 518. The Court further found the “plaintiff's allegations [were] encompassed within the scope of the risks that the statute was designed to protect against.” Merrell, 717 F. Supp.3d at 518. After noting the specific duties imposed by the LDSBNL, the Court found that the plaintiff's citations to the LDSBNL provided some law to support the claim that the defendant owed him a duty. Merrell, 717 F. Supp.3d at 518.
The Court further found “that [the] plaintiff's reference to Section 5 of the FTC Act sufficiently support[ed] the duty element of a claim for negligence under Louisiana law.” Merrell, 717 F. Supp.3d at 520. The Court pointed out that “the Louisiana Legislature has codified the principle that a failure to ‘implement and maintain reasonable [data] security procedures and practices’ constitutes ‘an unfair act or practice’ for purposes of the Louisiana Unfair Trade Practices Act (“LUTPA”).” Merrell, 717 F. Supp.3d at 519, citing La. R.S. 51:3074(A) & (J). The court further noted that “Louisiana courts have recognized that the LUTPA ‘was modeled after the ․ FTC Act ․ and the two acts share the same goals: to protect consumers and to foster competition.’ Further, the LUTPA and the FTC Act ‘prohibit the same types of ․ conduct.’ ” Merrell, 717 F. Supp.3d at 519. (Citations omitted).
In the instant matter, plaintiffs contend they plead OMV breached statute-derived duties pursuant to the FTC Act and the LDSBNL. Plaintiffs argue that the trial court overlooked the amended petition's citation and discussion of the LDSBNL and how OMV violated the statute. Plaintiffs further argued that OMV breached industry-based duties. OMV, on the other hand, contends plaintiffs failed to plead any breach of duty. OMV asserts that there is no allegation in the petition that its computer systems were infiltrated by cybercriminals. OMV insists that this case involves a breach of MOVEit, which is owned by Progress and plaintiffs elected not to name Progress as a defendant.
In the amended petition, plaintiffs alleged that OMV “had non-delegable duties to safeguard Sensitive Information entrusted to it by Plaintiffs and Class Members[.]” Plaintiffs asserted, “those duties included, but were not limited to, a duty to transfer any Sensitive Information to vendors according to cybersecurity industry standards and protocols and a duty to supervise and audit its vendors and the means by which those vendors store and transfer the Sensitive Information.”
According to the petition, OMV breached a litany of duties, which consisted of the following:
(1) Failing to design, implement, monitor, and maintain reasonable network safeguards against foreseeable threats; (2) failing to design, implement, and maintain reasonable data retention policies; (3) failing to adequately train staff on data security; (4) failing to comply with industry-standard data security practices; (5) failing to warn Plaintiff and Class Members of Defendant's inadequate data security practices; (6) failing to encrypt or adequately encrypt the Sensitive Information; (7) failing to recognize or detect that its network had been compromised and accessed in a timely manner to mitigate the harm; (8) failing to utilize widely available software able to detect and prevent this type of attack; (9) failing to transfer any Sensitive Information to vendors according to cybersecurity industry standards and protocols; (10) failing to supervise and audit its vendors and the means by which those vendors store and transfer the Sensitive Information; (11) failing to supervise and audit its vendors to ensure that they configurated, maintained, and regularly tested the cybersecurity environment in which Plaintiffs’ and Class Members’ [Sensitive] Information was stored and transferred, including the MOVEit Transfer application and any other MOVEit or file transfer products that were employed for those purposes; and (12) otherwise failing to secure the hardware using reasonable and effective data security procedures free of foreseeable vulnerabilities and data security incidents.
Plaintiffs also alleged that OMV violated LDSBNL by failing to use reasonable measures to protect plaintiffs’ Sensitive Information, by not complying with applicable industry standards, and by failing to give timely and sufficient notice of the data breach to plaintiffs. Plaintiffs asserted that OMV waited over two weeks after the data breach to announce the breach online, and waited over seven weeks to email affected persons for whom it had email addresses.
While Merrell is not binding on this court, we find the Federal District Court's analysis therein to be instructive. Like the Court in Merrell, we find that plaintiffs’ citation to the LDSBNL and Section 5 of the FTC Act provides statutory law to support their claim that OMV owed them a duty “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” La. R.S. 51:3074(A); see also Holmes v. Lea, 2017-1268 (La. App. 1st Cir. 5/18/18), 250 So.3d 1004, 1015. As found by the Court in Merrell, the LDSBNL and Section 5 of the FTC Act articulate sufficient standards of conduct to satisfy the requirements for a duty under Louisiana negligence law and plaintiffs’ allegations are encompassed within the scope of the risks that the LDSBNL was designed to protect against. Based on our review of the amended petition, we find that plaintiffs sufficiently alleged that OMV's violation of the LDSBNL and Section 5 of the FTC Act—by failing to use reasonable measures to protect plaintiffs’ Sensitive Information and by not complying with applicable industry standards—constitute a breach of OMV's duties under those statutes. Furthermore, we find OMV's argument that plaintiffs failed to allege OMV breached its duty because MOVEit is owned by Progress and not OMV is a defense on the merits and should not be considered at this time. Furthermore, the first amended petition does not establish the relationship between Progress and OMV or name Progress as the owner. For this additional reason, OMV's argument regarding Progress cannot be considered on the exception of no cause of action.
Cause in fact
A party's conduct is a cause in fact of the harm if it was a substantial factor in bringing about the harm. The act is a cause in fact in bringing about the injury when the harm would not have occurred without it. While a party's conduct does not have to be the sole cause of the harm, it is a necessary antecedent essential to an assessment of liability. A cause in fact determination is a factual one that is governed by the manifest error standard of review. Legal cause, on the other hand, presents a legal question, and requires a proximate relation between the actions of a defendant and the harm which occurs, and such relation must be substantial in character. Bellanger v. Webre, 2010-0720 (La. App. 1st Cir. 5/6/11), 65 So.3d 201, 207-08, writ denied, 2011-1171 (La. 9/16/11), 69 So.3d 1149.
In the amended petition, plaintiffs alleged that as a result of OMV's unreasonable and inadequate data security practices, they are currently and continually at risk of identity theft and have suffered numerous actual and concrete injuries and damages. Plaintiffs alleged that OMV's actions have resulted in plaintiffs suffering: invasion of privacy, out of pocket costs, loss of time and productivity, loss of benefit of the bargain, and diminution of value of their Sensitive Information.
We find based on the allegations in the amended petition that plaintiffs have sufficiently alleged that due to OMV's negligent data security practices, they are continuously at risk of identity theft and have incurred out of pocket expenses.
Damages
Our review of the jurisprudence indicates the issue presented herein, although not res nova in Louisiana state courts, is fairly limited; therefore, we shall look to federal case law for guidance. See Young v. State, 2022-0477 (La. App. 1st Cir. 11/4/22), 3 55 So.3d 657, 661-62. To establish standing under Article III of the United States Constitution, “a plaintiff must demonstrate (i) that she has suffered or likely will suffer an injury in fact, (ii) that the injury likely was caused or will be caused by the defendant, and (iii) that the injury likely would be redressed by the requested judicial relief.” Food and Drug Administration v. Alliance for Hippocratic Medicine, 602 U.S. 367, 380, 144 S.Ct. 1540, 1555, 219 L.Ed.2d 121 (2024). The United States Supreme Court has recognized, “certain harms readily qualify as concrete injuries under Article III.” The Court explained “[t]he most obvious are traditional tangible harms, such as physical harms and monetary harms.” TransUnion LLC v. Ramirez, 594 U.S. 413, 425, 141 S.Ct. 2190, 2204, 210 L.Ed.2d 568 (2021). Other Federal Courts recognize “[i]ntangible harms can also be concrete, including when they ‘are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,’ such as ‘reputational harms, disclosure of private information, and intrusion upon seclusion.’ ” Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 3 65, 3 72 (1st Cir. 2023). Nevertheless, “Article III standing requires a concrete injury even in the context of a statutory violation.” TransUnion, 594 U.S. at 426, 141 S.Ct. at 2205.
In McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295, 303 (2d Cir. 2021), the Federal Court held:
[C]ourts confronted with allegations that plaintiffs are at an increased risk of identity theft or fraud based on an unauthorized data disclosure should consider the following non-exhaustive factors in determining whether those plaintiffs have adequately alleged an Article III injury in fact: (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
In Clemens v. ExecuPharm Inc., 48 F.4th 146, 150-51 (3d Cir. 2022), the plaintiff, a former employee of the defendant, sued the defendant for negligence, negligence per se, and breach of implied contract after hackers accessed the defendant's servers and stole current and former employees’ sensitive information, including that of plaintiff. There, the Federal Appellate Court found that the plaintiff's alleged risk of identity theft or fraud was sufficiently imminent. Clemens, 48 F.4th at 159. The Court held “in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.” Clemens, 48 F.4th at 155-56.
In the instant case, with respect to the damages, in the first amended petition, plaintiffs alleged that as a consequence of the data breach, they sustained the following damages:
(a) invasion of privacy; (b) “out of pocket” costs incurred mitigating the materialized risk and imminent threat of identity theft; (c) loss of time and loss of productivity incurred mitigating the materialized risk and imminent threat of identity theft; (d) “out of pocket costs” incurred due to actual identity theft risk; (e) loss of time incurred due to actual identity theft; (f) loss of time due to increased spam and targeted marketing emails; (g) the loss of benefit of the bargain (price premium damages); (h) diminution of value of their Sensitive Information; and (i) the continued risk to their Sensitive Information, which remains in [OMV's] possession, and which is subject to further breaches, so long as [OMV] fails to undertake appropriate and adequate measures to protect Plaintiffs’ ․ Sensitive Information.
Plaintiffs further alleged that on July 3, 2023, a debit card linked to Mr. Gines’ checking account was used to make fraudulent purchases totaling $492.51, and on January 1, 2024, a debit card linked to a second checking account belonging to Mr. Gines was used to make fraudulent purchases totaling $517.97. Furthermore, according to the petition, Mr. Gines has not been reimbursed for the fraudulent charges.
Regarding Ms. Doga and Mr. Martin, it is alleged that Ms. Doga and Mr. Martin suffered damages to and diminution in the value of their Sensitive Information—a form of intangible property that they entrusted to OMV, which was compromised by the data breach. They also contend they lost their benefit to bargain by paying for driver services that failed to provide data security that was promised. Finally, as a consequence of the data breach, plaintiffs assert they suffered lost time, annoyance, interference, inconvenience, and developed anxiety and increase concerns for the loss of privacy.
Applying the factors set forth in McMorris, plaintiffs have stated a concrete injury. First, plaintiffs have alleged that as a consequence of a cyber-attack on the MOVEit software, their Sensitive Information was obtained by a third party-C10p, cybercriminals. Second, plaintiffs alleged that Mr. Gines’ Sensitive Information was used when debit cards linked to two of his accounts were used to make fraudulent purchases and he has not been reimbursed for the fraudulent purchases. See McMorris, 995 F.3d at 301-02 (“allegations that other customers whose data was compromised in the same data breach had reported fraudulent charges on their credit cards helped establish that the plaintiffs were at a substantial risk of future fraud.”). Third, plaintiffs alleged that their names, addresses, social security numbers, birthdates, heights, eye colors, driver's license numbers, vehicle registration information, and handicap placard information had been exposed to cyber hackers. “[T]he dissemination of high-risk information such as Social Security numbers and dates of birth—especially when accompanied by victims’ names—makes it more likely that those victims will be subject to future identity theft or fraud.” McMorris, 995 F.3d at 302. For the foregoing reasons, we find plaintiffs sufficiently plead damages.
Accordingly, we conclude that based on the foregoing, plaintiffs have stated a cause of action for negligence. Since we find the amended petition stated a cause of action for negligence, we pretermit consideration of whether the amended petition stated a cause of action for breach of confidence and declaratory judgment. “If the petition states a cause of action as to any ground or portion of the demand, the exception of no cause of action generally should be overruled.” Everything on Wheels Subaru, Inc. v. Subaru South, Inc., 616 So.2d 1234, 1236 (La. 1993); RLC Trucking, L.L.C. v. Williams, 2023-0985 (La. App. 1st Cir. 4/19/24), 2024 WL 1697466, *2 (unpublished). Therefore, the trial court erred in sustaining the exception no cause of action, and we now reverse that portion of the judgment.
NO RIGHT OF ACTION
The peremptory exception raising the objection of no right of action tests whether the plaintiff has any interest in judicially enforcing the right asserted. The exception does not raise the question of the plaintiff's ability to prevail on the merits nor the question of whether the defendant may have a valid defense. La. Code Civ. P. art. 927(A)(6); Pearce v. Lagarde, 2020-1224 (La. App. 1st Cir. 10/7/21), 330 So.3d 1160, 1166-67, writ denied, 2022-00010 (La. 2/22/22), 333 So.3d 446. The party raising the exception of no right of action bears the burden of proof. Three Rivers Commons Condominium Association v. Grodner, 2016-0067 (La. App. 1st Cir. 5/10/17), 220 So.3d 776, 780, writ denied, 2017-0974 (La. 4/2/18), 248 So.3d 315. To prevail on a peremptory exception pleading the objection of no right of action, the defendant must show that the plaintiff does not have an interest in the subject matter of the suit or legal capacity to proceed with the suit. Pearce, 330 So.3d at 1167.
If the pleadings fail to disclose a right of action, the claim may be dismissed without evidence. However, if the pleadings state a right of action, the defendant may introduce evidence to controvert the pleadings. The plaintiff likewise may introduce evidence to controvert any objections. La. Code Civ. P. art. 931; Reyer, 272 So.3d at 608. However, in the absence of evidence to the contrary, the averments of fact in the pleadings will be taken as true. Three Rivers Commons Condominium Association, 220 So.3d at 780. Where doubt exists regarding the appropriateness of an exception of no right of action, it is to be resolved in favor of the plaintiff. Pearce, 330 So.3d at 1167. Only a person who has a real and actual interest can bring an action, unless otherwise provided by law. La. Code Civ. P. art. 681.
Plaintiffs Ms. Doga and Mr. Martin argue they plead sufficient injury by alleging they suffered because of OMV's negligence and breach of confidence and they were entitled to declaratory relief. Plaintiffs Ms. Doga and Mr. Martin indicate that the trial court adopted OMV's arguments regarding the value of their losses. Plaintiffs Ms. Doga and Mr. Martin, therefore, assert that the trial court improperly examined the merits and failed to follow the proper standard for an exception of no right of action.
OMV, on the other hand, argues the trial court properly sustained its peremptory exception raising the objection of no right of action with respect to plaintiffs Ms. Doga and Mr. Martin because they did not plead any damages. OMV asserts, “[n]ot only do Doga and Martin plead no facts explaining how the value of their [Sensitive Information] decreased as a result of the MOVEit incident, but they are also unable to cite to any controlling authority that holds that any alleged diminution in the value of [Sensitive Information] constitute an injury giving rise to standing under Louisiana law.”
In Bradix v. Advance Stores Company, Inc., 2017-0166 (La. App. 4th Cir. 8/16/17), 226 So.3d 523, relied on by OMV, the plaintiff, a former employee of the defendant, received a letter notifying him of a data breach of the employee's information to an unauthorized third party. “The information included employees’ names, social security numbers, 2015 gross wages, and the state where each employee paid income tax.” Bradix, 226 So.3d at 526. The defendant recommended that the former and current employees that were affected by the data breach review the information contained in the letter and remain vigilant. The defendant also provided free identity protection services for two years. Bradix, 226 So.3d at 526.
In Bradix, the plaintiff argued that the trial court erred by finding he lacked standing and sustaining the defendant's exception of no right of action. He further argued federal jurisprudence provided him with a cause of action and he should not have to wait until a third party illegally uses his personal information to his detriment before being permitted access to court. Bradix, 226 So.3d at 527-29.
The Fourth Circuit noted that the plaintiff alleged he suffered the following damages: including but not limited to potential identity theft, loss of credit, loss of opportunity for credit, denial of credit applications and severe stress and anxiety associated with the months or years it will take to clear up the defendant's “mess.” Bradix, 226 So.3d at 528. The court pointed out that the plaintiff did not allege that someone successfully stole his identity. Instead he alleged, “his information was contained in the information stolen from [the defendant] and that he may become a victim of identity theft at some point in the future.” Bradix, 226 So.3d at 528. The plaintiff asserted “he suffered anxiety as a result of the breach, and that he discovered two unauthorized credit checks.” Bradix, 226 So.3d at 528. The court pointed out that the plaintiff “did not contend either that his credit score was negatively impacted or show that the unauthorized credit checks were related to the breach at [the defendant].” Bradix, 226 So.3d at 528.
The Fourth Circuit concluded that the plaintiff failed to allege a particular injury, and found that the injury the plaintiff alleged was too abstract such that its opinion on the matter would have been advisory. Accordingly, the court observed that the plaintiff's theoretical injuries were predicated on the contingency of a third party using his information in the future and found the plaintiff lacked “a justiciable controversy and standing.” Bradix, 226 So.3d at 529.
We recognize that “[t]he possibility of future injury is not sufficient to establish standing.” Bednyak v. Financial Risk Mitigation, Inc., 739 F. Supp.3d 353, 368 (E.D. La. 2024) (citing Clapper v. Amnesty International USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013)). However, “courts have been more likely to conclude that plaintiffs have established a substantial risk of future injury where they can show that at least some part of the compromised dataset has been misused—even if plaintiffs’ particular data subject to the same disclosure incident has not yet been affected.” McMorris, 995 F.3d at 301.
In the instant matter, neither party introduced evidence at the hearing on the exceptions. Therefore, we accept as true the allegations in the amended petition. In the amended petition, plaintiffs alleged that plaintiff Mr. Gines experienced fraudulent charges on his bank account when an unauthorized debit card was linked to his account and he had not been reimbursed for those charges. Therefore, although plaintiffs Ms. Doga and Mr. Martin have not alleged they have experienced identity theft, the allegations in the amended petition do allege that at least some part of the compromised dataset has been misused. As such, they have alleged more than the possibility of future injury.
Because plaintiffs Ms. Doga and Mr. Martin sufficiently alleged actual injuries and, therefore, have sufficiently alleged a real and actual interest in the matter, Bradix is distinguishable from the facts of the instant case, and the cases relied upon by the defendants, as it did not involve a situation where some portion of the plaintiff's dataset was used. Accordingly, the trial court erred by sustaining the exception of no right of action, and we now reverse that portion of the judgment.
Furthermore, because we find that the trial court erred in sustaining OMV's exceptions of no cause of action and no right of action, we pretermit discussion of the third assignment of error.
CONCLUSION
For the foregoing reasons, we reverse the trial court's May 13, 2024 judgment, sustaining the State of Louisiana, Department of Public Safety and Corrections, Office of Motor Vehicles’ peremptory exceptions of no cause of action and no right of action. This matter is remanded to the trial court for further proceedings. Costs of this appeal, in the amount of $1,547.00, are assessed against defendant, the State of Louisiana, Department of Public Safety and Corrections, Office of Motor Vehicles.
REVERSED AND REMANDED.
FOOTNOTES
1. We note that Louisiana Code of Civil Procedure article 922 recognizes only three exceptions: the declinatory exception, the dilatory exception, and the peremptory exception. While a peremptory exception pleading the objections of no cause of action and no right of action are at issue, see La. Code Civ. P. art 927(A)(5) and (6), for brevity, we refer to the exceptions as exceptions of no cause of action and no right of action.
2. Plaintiffs also alleged breach of fiduciary duty, but withdrew the claim. There is no order in the record dismissing this cause of action, but plaintiffs are not pursuing it and did not oppose OMV's exception as to this cause of action.
FIELDS, J.
Thank you for your feedback!
As the largest network of trusted legal brands, we help firms build authority across the platforms consumers and AI systems rely on most. Our network helps attorneys strengthen visibility, credibility, and preference where legal decisions begin.
Docket No: 2024 CA 1116
Decided: July 11, 2025
Court: Court of Appeal of Louisiana, First Circuit.
Search our directory by legal issue
Enter information in one or both fields (Required)
Harness the power of our directory with your own profile. Select the button below to sign up.
Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Search our directory by legal issue
Enter information in one or both fields (Required)