Judge John Z. Lee of the Northern District issued an opinion on Tuesday granting Pearson’s motion to dismiss regarding the data breach of its AIMSweb testing platform, which allowed hackers to gain access to students’ information; the court granted the motion because the plaintiffs did not establish Article III standing.
Defendants Pearson PLC, NCS Pearson, Inc. and Pearson Education, Inc. provide and develop education and educational testing materials. They operate AIMSweb, “an educational testing platform that stores students’ names, emails, and birthday, among other information.” Specifically, “[i]n 2018, hackers slipped past Pearson’s defenses and gained access to the data hosted on AIMSweb.” However, “[n]o credit cards, social security numbers, health records, or other sensitive information was compromised, and none of the affected students have reported fraudulent charges or other fallout attributable to the data breach.” While the incident occurred in 2018, Pearson did not realize that the platform had been compromised until the FBI detected the incident in 2019. The FBI estimated that 900,000 students at 13,000 schools could have been affected. Illinois and Colorado parents filed the putative class-action lawsuit because they “[b]eliev[ed] that Pearson neglected to implement security measures that would have thwarted the hackers.” In its privacy policy, Pearson took “full responsibility for the information” collected and held and it promised to protect students’ privacy. The plaintiffs alleged a dozen different claims against Pearson, such as common law negligence, breach of an express contract, and unjust enrichment as well as various Illinois and Colorado claims. Pearson argued that the complaint should be dismissed for lack of subject-matter jurisdiction, want of personal jurisdiction, and failure to state a claim.
The court first considered standing to sue. For Article III standing the plaintiffs must allege: “(1) an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” At issue is whether the plaintiffs have sufficiently pleaded an injury-in-fact. The central argument made by the plaintiffs is that the hack made them more susceptible to and an easier target for identity theft. A material threat of identity theft depends on the sensitivity of the data and the occurrence of fraudulent charges or other elements of identity theft. The court noted that “[w]hat matters most is that the data disclosed here is far less likely to facilitate identity theft that the credit and debit numbers at issue in Remijas…Here, by contrast, the names, emails, and dates of births of registered students cannot ‘easily be used in fraudulent transactions.’” Furthermore, the court stated that even through social engineering, or other means to obtain more information, this would not satisfy Article III standing because the allegations fail to establish that the breach exposed the plaintiffs to a substantial risk. This is further underscored, according to the judge, by the plaintiffs’ failure to identify any consequences of the data breach or point to an instance of identity theft affecting the 900,000 students, which illustrates the minimal damage and danger caused by the data breach.
The court concluded that “the disclosed data is not sensitive enough to materially increase the risk of identity theft.” The court noted that the plaintiffs’ argument that the value of their personal data has been diminished is “‘too speculative’ to confer standing.” The plaintiffs also did not plead a violation of the Family Education Rights and Privacy Act and the Illinois School Student Records Act, despite using these as a cause of action; the statutes also require that students suffer actual damages. Additionally, the court stated that the information in the plaintiffs’ supplemental memorandum does not confer standing. As a result, the plaintiffs failed to demonstrate Article III standing for their failure to sustain that the breach caused economic loss or imminent danger of identity theft or diminished value of the plaintiffs’ data. The complaint was dismissed without prejudice for lack of subject-matter jurisdiction, thus Pearson’s motion to dismiss is granted.
The plaintiffs are represented by Loevy & Loevy. Pearson is represented by Steptoe & Johnson.