Standing survives, but claims fail

In Perlaki v. J.B. Poindexter & Co., Inc., a data breach class action, Magistrate Judge Andrew M. Edison of the Southern District of Texas found that the plaintiff had standing to sue under Article III of the United States Constitution but recommended dismissal of the plaintiff’s data breach claims under Texas law.

The plaintiff voluntarily dismissed his lawsuit before the District Court could decide whether to adopt the recommendation of the Magistrate Judge. However, the Magistrate Judge’s recommendation is a reminder to data breach plaintiffs that courts continue to scrutinize allegations of harm when ruling on a motion to dismiss.

The allegations in the lawsuit

Thomas Perlaki, a former employee of J.B. Poindexter, alleged harm after his personal information was compromised in a data breach.

According to the Magistrate Judge’s Recommendation, the employer was the victim of a data breach in April 2024, and cybercriminals obtained information about its employees and their dependents, including “contact information, social security numbers, dates of birth, and driver’s license numbers.”

Mr. Perlaki alleged that the breach resulted in

“a spike in spam and scam text messages and emails containing suspicious links”; fraudulent attempts to use his credit card; lost time spent monitoring his financial accounts; anxiety, sleep disruption, stress, fear, and frustration; a loss in the value of his [personally identifiable information]; the anticipation of future expenses spent to mitigate his injuries; and an “increased risk of fraud, misuse and identity theft.”

He also alleged that the employer should have done more to protect employees’ information.

The employer asked the Court to dismiss the lawsuit, arguing that Mr. Perlaki did not have standing to sue, and also to dismiss the claims on their merits.

Standing narrowly survives

First, the Magistrate Judge found that Mr. Perlaki’s allegations of an increased risk of identity theft or fraud were not a concrete injury under Article III. He did not allege any actual misuse of his information, sale on the dark web, or even access by known criminal actors. As a result, the Magistrate Judge deemed Mr. Perlaki’s assertions to be speculative and insufficient under the precedent of the U.S. Court of Appeals for the Fifth Circuit—particularly in the wake of the U.S. Supreme Court’s ruling in TransUnion LLC v. Ramirez (which demands a present and tangible injury—not future risk).

Related claims, such as receiving increased spam or being notified of a fraudulent credit card attempt, were also dismissed for lack of traceability and redressability because Mr. Perlaki made no specific allegation tying those events to the data breach or to the employer’s actions.

Second, the Magistrate Judge rejected Mr. Perlaki’s attempt to establish standing based on time that he spent monitoring accounts, as well as his alleged future mitigation costs. According to the Magistrate Judge, wasted time, absent a common law analog, does not qualify as an actionable harm, and speculative future expenses do not constitute present injuries.

Third, Mr. Perlaki’s allegation of diminished value of his personal information also failed. The Magistrate Judge explained that Mr. Perlaki did not allege that he attempted to monetize his personal information, nor did he show that it had been disseminated or devalued in any way. Courts in the Fifth Circuit, the Magistrate Judge noted, are generally skeptical of these theories without commercial facts or third-party use.

Nonetheless, the Magistrate Judge recommended that Mr. Perlaki be found to have standing based on his allegations of emotional distress. Mr. Perlaki alleged concrete emotional harm, including anxiety, sleep disruption, and stress tied to fears over financial insecurity. According to the Magistrate Judge, this type of mental anguish is a recognized injury under Fifth Circuit precedent, and consistent with language from TransUnion (linked above) that suggested emotional harm caused by a plaintiff’s awareness of data exposure may suffice. Based on Mr. Perlaki’s allegations and the Fifth Circuit and Supreme Court precedent, the Magistrate Judge recommended a finding that Mr. Perlaki did have standing to sue.

But no claim survives

Mr. Perlaki’s success was short-lived. Although he demonstrated standing, the Magistrate Judge recommended that his claims be dismissed.

Negligence

Texas law does not permit negligence claims that are based solely on emotional distress injuries unless the plaintiff demonstrates physical injury, malice, or a special relationship. Mr. Perlaki alleged none.

Breach of implied contract

Mr. Perlaki alleged that the employer’s privacy policy and his provision of personal information to the employer created an implied contract to safeguard that information. However, he alleged no economic loss or mitigation expenses—only emotional harm. The Magistrate Judge noted that emotional distress damages are categorically barred under Texas contract law.

Invasion of privacy (intrusion upon seclusion)

In recommending dismissal of Mr. Perlaki’s intrusion upon seclusion claim, the Magistrate Judge emphasized that Mr. Perlaki voluntarily provided his personal information to his employer. Without an intentional intrusion or willful disclosure, there was no basis for the claim. The Magistrate Judge also recommended dismissal of this claim based on Mr. Perlaki’s allegations of inadequate data security or delayed breach notifications. Even if the employer was negligent, these actions did not satisfy the tort’s “intent” requirement. According to the Magistrate Judge’s recommendation, no reasonable jury could conclude that the employer intruded on Mr. Perlaki’s privacy under Texas law.

Unjust enrichment

Mr. Perlaki alleged that his labor and personal data provided value to the employer but that he did not receive adequate data security protection. However, he failed to allege that the employer unjustly retained any benefit. Mr. Perlaki was paid for his work, and he did not separately pay the employer for data protection. Without a tangible economic benefit wrongfully retained, the Magistrate Judge determined that there was no unjust enrichment.

Breach of fiduciary duty

The Magistrate Judge reiterated the well-settled rule that employer-employee relationships do not create fiduciary duties under Texas law. He also found no evidence of an informal fiduciary relationship, which requires a personal or confidential dynamic beyond an at-will employment arrangement.

Conclusion

Although Mr. Perlaki may have succeeded in demonstrating standing based on emotional distress, the Magistrate Judge nonetheless recommended dismissal of every claim he asserted. As noted above, Mr. Perlaki dismissed his lawsuit before the District Court could decide whether to adopt the Magistrate Judge’s recommendation. The dismissal was “without prejudice,” meaning that Mr. Perlaki can attempt to redraft his allegations to address the points made by the Magistrate Judge and then refile his lawsuit.

Even so, the recommendation highlights a crucial reality for plaintiffs in data breach litigation: standing may open the courthouse door, but without economic loss, demonstrable misuse of data, or intent-based claims, courts are increasingly declining to allow these cases to proceed.

The Constangy Cyber Team regularly defends businesses of all sizes in jurisdictions across the U.S. against data breach class action lawsuits. If you would like more information about our capabilities to defend your organization, please contact us at cyber@constangy.com.

  • Brent Sedge
    Attorney

    Brent is a member of the Constangy Cyber Team and is based in Dallas, Texas.  He works with our cyber litigation team in defending clients against class action matters arising from data security incidents. He has several years of ...
