Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Krohm v. Epic Games, Inc.

United States District Court, E.D. North Carolina, Western Division

October 1, 2019

ERIC KROHM, individually, and on behalf of others similarly situated, Plaintiff,
EPIC GAMES, INC. Defendant.



         This matter is before the Court on defendant's motion to dismiss plaintiffs complaint for failure to state a claim, or in the alternative, to compel arbitration [DE 28]. Plaintiff has moved to remand [DE 31] and to stay briefing [DE 33]. For the reasons that follow, defendant's motion to dismiss for failure to state a claim [DE 28] is DENIED. Plaintiffs motions to remand [DE 31] and to stay briefing [DE 33] are also DENIED. The case is DISMISSED WITHOUT PREJUDICE for lack of subject-matter jurisdiction.


         Defendant Epic Games is the developer of Fortnite, a popular video game with millions of players in the United States and around the world. DE 1-1, ¶ 18. Plaintiff, like other Fortnite players, was required to create an account in order to play, which entailed providing personally identifiable information ("PII"). Id. ¶ 19. Defendant allegedly promised to maintain appropriate technical safeguards of player data. Id. ¶ 20. Around November 2018, a cybersecurity firm alerted defendant to a vulnerability in Fortnite's system which allowed cyber-criminals and unauthorized parties to access and extract PII, payment information, and other sensitive data associated with Fortnite players' accounts. Id. ¶ 22. Fortnite was allegedly the target of a data hack in the summer of 2018 which affected millions of players' accounts. Id. ¶ 26. Defendant allegedly failed to take measures to cure the cyber vulnerability and to alert customers that their information may have been compromised. Id. ¶¶ 30, 34.

         In response to learning about the cyber vulnerability, plaintiff has taken time and effort to mitigate the risk of identity theft, including changing passwords and paying for credit monitoring services. Id. ¶ 36. Plaintiff has also allegedly experienced mental anguish and anxiety from the fear of identity theft and fraud. Id. ¶ 39.

         Plaintiff brought this putative class action on behalf of the millions of Fortnite account holders potentially affected by the cyber vulnerability. Id. ¶¶ 41, 43. Plaintiff alleges violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, breach of contract, breach of implied contract, and negligence. The suit was originally filed in the Circuit Court of Cook County, Illinois. Defendant removed the case to federal court in Illinois based on the Class Action Fairness Act ("CAFA"), 28 U.S.C. § 1332(d). DE 1. Once in federal court, the case was transferred to this Court pursuant to 28 U.S.C. § 1404(a) because of a forum selection clause in the End User License Agreement ("EULA").

         Defendant has moved to dismiss all of plaintiff s causes of action under Rule 12(b)(6) of the Federal Rules of Civil Procedure, or in the alternative, asks the Court to compel arbitration pursuant to the arbitration provision of the EULA. [DE 28].


         This case involves a peculiar role reversal. Plaintiff, who wants the case returned to Illinois state court, argues that he does not have Article III standing because he has not pled a proper injury-in-fact. Defendant, who removed the case to federal court, argues the opposite. Defendant argues that plaintiff has alleged sufficient injuries for Article III standing, just not the economic damages needed for a cognizable claim under his asserted causes of action.

         "Subject-matter jurisdiction cannot be forfeited or waived and should be considered when fairly in doubt." Ashcroft v. Iqbal, 556 U.S. 662, 671 (2009) (citation omitted). When a plaintiff files suit in state court and the defendant removes to federal court, it is the defendant who bears the burden of demonstrating that the federal court has jurisdiction over the matter. Strawn v. AT & T Mobility LLC, 530 F.3d 293, 296 (4th Cir. 2008). "Article III of the Constitution limits federal courts' jurisdiction to certain 'Cases' and 'Controversies.'" Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408 (2013). One element of the case-or-controversy requirement is standing. Id. (quotations omitted). In a class action, the Court "analyze[s] standing based on the allegations of personal injury made by the named plaintiff." Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017). Standing requires injury-in-fact-an injury that is "concrete, particularized, and actual or imminent[.]" Clapper, 568 U.S. at 409. Threatened injuries cannot be speculative, but "must be certainly impending." Id.

         This case must be dismissed because this Court lacks subject-matter jurisdiction over plaintiffs claims. Plaintiff alleges no Article III injury-in-fact. The mere existence of the data vulnerability does not constitute injury-in-fact. See Beck, 848 F.3d 272-77 (requiring some showing of harm, or certainly impending harm, beyond the mere compromise of the data itself); see also Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 621 (4th Cir. 2018) ("[A] mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft."). Instead, the complaint must allege a sufficient factual basis from which to conclude either that plaintiffs compromised data has been misused, or that it will be misused, such that concrete harms are actual or imminent.

         Here, plaintiffs complaint contains no facts showing, or even suggesting, that his personal data has been used as a result of the cyber vulnerability. See DE 1-1, ¶¶ 1-13, 18-40. For that matter, plaintiffs complaint does not even state that his data was taken, only that defendant's Fortnite had a cyber vulnerability that could have allowed hackers to access his data. Id. Plaintiffs only harms are "time and effort to mitigate the risk of identity theft" and "anxiety and anguish[.]" Id. ¶¶ 36, 39. Anxiety and anguish resulting from data breaches do not confer standing. Beck, 848 F.3d at 272. And without a single fact alleged to show that future harms are certainly impending, the money, time, and effort spent by plaintiff are merely self-imposed harms in response to a speculative threat. See Id. at 276-77. Fortnite allegedly has "tens of millions of active monthly users[.]" DE 1-1 ¶ 1. The threat of future injury is wholly speculative and insufficient for standing.

         Because defendant wants the Court to dismiss the case under Rule 12(b)(6) or compel arbitration, it argues, among other things, that CAFA entitles it to have its case decided by a federal court. Defendant's argument fails. "[T]he requirement of injury in fact is a hard floor of Article III jurisdiction that cannot be removed by statute." Summers v. Earth Island Inst., 555 U.S. 488, 497 (2009). The Court does not have Article III jurisdiction over this case, and therefore can neither dismiss for failure to state a claim nor compel arbitration. The case must be dismissed without prejudice for lack of jurisdiction.

         Motion ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.