Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Kimbriel v. Abb, Inc.

United States District Court, E.D. North Carolina, Western Division

October 1, 2019

RICKEY KIMBRIEL and PAULA KIMBRIEL, individually, and on behalf of all others similarly situated, Plaintiffs,



         This matter is before the Court on defendants' motion to dismiss plaintiffs' complaint. [DE 15]. Plaintiffs have responded and the motion is now ripe for disposition. Plaintiffs have also filed a consent motion [DE 22] for leave to file excess pages. For the reasons that follow, defendants' motion to dismiss [DE 15] is GRANTED and plaintiffs' complaint is DISMISSED. The consent motion [DE 22] is DENIED.


         Plaintiff Rickey Kimbriel has been a machine operator at defendant Baldor Electric Company ("Baldor") since 2015. DE 1, ¶ 20. Baldor is a subsidiary of defendant ABB, Inc., an industrial technology company incorporated in Delaware with its principal place of business in Cary, North Carolina. Id. ¶¶ 14, 21. Rickey and his wife, Paula Kimbriel, have participated in ABB's health benefits plan ("the Plan") since Rickey joined the company. Id. ¶ 12. When joining the Plan, Ricky and Paula provided sensitive personal data, including full legal names, addresses, birth dates, and social security numbers, which were stored in the Plan's database along with other information such as their plan member ID, and were accessible through certain ABB employee email accounts. Id. ¶¶ 25-27. ABB also had Rickey's checking account information for purposes of direct deposit. Id. ¶ 24.

         On or about August 25, 2017, certain ABB employees' emails were hacked through a phishing scheme, resulting in the compromise of personally identifiable information ("PII") associated with the Plan. Id. ¶¶ 28-29, Ex. A. Rickey was first notified of the hack at an employee meeting at the end of August 2017. Id. ¶ 28. On September 7, 2017, ABB sent out a formal notice informing affected employees of the hack, stating that Rickey and his dependent's sensitive PII associated with the plan, specifically names, addresses, plan member IDs, birth dates, and social security numbers, may have been exposed. Id. ABB represented it would pay for identity monitoring services and encouraged affected employees to take additional cautionary steps, including placing a fraud alert with the Federal Trade Commission and a security freeze on their credit files. Id. ¶ 40. The PII of the Plan's 17, 996 participants was compromised by the breach. Id. " ¶ 5.

         In response to the security breach, Rickey Kimbriel stopped making 401(k) contributions, resulting in additional taxes that would have otherwise been deferred. Id. ¶ 41. On February 13, 2019, a credit-monitoring service notified Paula Kimbriel of five unauthorized credit inquiries with banking institutions in four different states. Id. ¶ 42.

         Plaintiffs Rickey and Paula Kimbriel bring this putative class action on behalf of all the nearly 18, 000 victims of the ABB security breach. They assert seven[1] claims for relief. They allege that defendants' data security practices and disclosures to employees after the breach violated the North Carolina Unfair & Deceptive Trade Practices Act, N.C. Gen. Stat § 75-1.1. Id. ¶¶60-70. They allege defendants' breached a fiduciary duty by not properly safeguarding the information. Id. ¶¶ 71-76. They further allege additional claims under negligence, negligence per se, bailment, breach of contract, and breach of implied contract. Id. ¶¶77-90; 91-97; 98-103; 104-07; 108-18.

         Defendants have moved to dismiss all of plaintiffs' causes of action under both Rule 12(b)(1) and Rule 12(b)(6) of the Federal Rules of Civil Procedure. [DE 15]. Defendants argue plaintiffs lack standing under Article III to bring this action because they have not alleged injury-in-fact. Defendants also argue that, even if plaintiffs do have standing to pursue their claims, they fail to state a claim on which relief can be granted.


         Defendants' motion to dismiss

         Defendants have moved to dismiss plaintiffs' complaint for lack of subject-matter jurisdiction under Rule 12(b)(1). "Subject-matter jurisdiction cannot be forfeited or waived and should be considered when fairly in doubt." Ashcroft v. Iqbal, 556 U.S. 662, 671 (2009) (citation omitted). "Article III of the Constitution limits federal courts' jurisdiction to certain 'Cases' and 'Controversies.'" Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408 (2013). "One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue." Id. (internal quotations omitted). In a class action, the Court "analyze[s] standing based on the allegations of personal injury made by the named plaintiffs." Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017). To establish standing, plaintiffs must show they have suffered an injury-in-fact-an injury that is "concrete, particularized, and actual or imminent[.]" Clapper, 568 U.S. at 409. The injury-in-fact must be "fairly traceable to the challenged action[, ] and redressable by a favorable ruling." Id. Threatened injuries cannot be speculative, but "must be certainly impending." Id.

         Plaintiffs claim the following injuries or threatened injuries: (1) loss of opportunity to control their PII; (2) diminution of the value of their PII; (3) compromise/publication of their PII; (4) out-of-pocket costs associated with the prevention, detection, recovery and remediation from identity theft or fraud; (5) Opportunity cost-lost wages and productivity-associated with their efforts to address and mitigate actual and future consequences of the breach; (6) delay in receipt of tax monies; (7) unauthorized use of stolen PII; (8) continued risk to their PII; and (9) current and future costs of time, money, and effort. DE 1, ¶ 45. They also make a general assertion of "monetary losses, lost time, anxiety and emotional distress." Id.

         Plaintiffs' complaint must be dismissed because this Court lacks subject-matter jurisdiction over plaintiffs' claims. Despite their list, plaintiffs' have not alleged that they have suffered a concrete injury, or that one is certainly impending, because they fail to allege a sufficient factual basis from which to conclude that their hacked PII has actually been used, or will be used, in identity theft or fraud.

         This case sits between two recent decisions, Beck v. McDonald,848 F.3d 262 (4th Cir. 2017) and Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018), both of which address injury-in-fact in the data privacy context. Beck was a consolidated appeal of two cases involving data breaches at the Williams Jennings Bryan Dorn Veterans Affairs Medical Center. 848 F.3d at 266. The cases involved compromised PII from a computer and boxes of pathology reports that were either lost or stolen. Id. at 267-68. The plaintiffs' asserted injuries were "increased risk of future identity theft" and "costs of protecting against" identity theft. Id. at 273. The court held that the plaintiffs did not have standing because, critically, they could neither show that their data was actually used nor allege enough plausible facts to show that threatened future harms were "certainly impending." Id. at 275. In contrast, the plaintiffs in Hutton were victims of credit card fraud after their personal information was stolen in a data breach of the National Board of Examiners in Optometry ("NBEO"). 892 F.3d at 616-17. The court interpreted Beck as emphasizing that the "mere compromise of personal ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.