Two Years After Webb: First Circuit Courts Find Standing in Data Breach Class Actions

The First Circuit’s 2023 decision in Webb v. Injured Workers Pharmacy, LLC has become a touchstone for courts analyzing Article III standing in data breach class actions. In a previous post, we discussed why Webb revived a previously dismissed data breach class action. Since Webb, the District of Massachusetts has repeatedly cited the decision’s reasoning to find lost time and mitigation efforts sufficient to constitute concrete injury—even where plaintiffs did not allege actual misuse of personal information.

Lost Time, But Not Lost Data Value: Webb’s Expansive Yet Limited Examination of Concrete Injury

In Webb, a putative class of patients sued Injured Workers Pharmacy following a data breach that exposed personally identifiable information (PII). Plaintiffs sought both monetary and injunctive relief for alleged misuse of their data and for time spent responding to the breach. The District of Massachusetts dismissed the case for lack of standing.

The First Circuit reversed. Recounting standing requirements, the court noted that, to bring a claim, plaintiffs must plead a concrete injury caused by defendants.

In Webb, these requirements were met. First, the court found that plaintiffs whose data was actually misused plausibly alleged a concrete injury analogous to an invasion of privacy.

As to the plaintiffs whose PII had not been misused, the court held that plaintiffs had standing to seek damages, but for a different reason. The court explained that plaintiffs cannot manufacture standing by spending time or money responding to a data breach when there is no material risk that they will suffer future harm. However, after applying a three-factor test to determine that a material risk of future harm existed, the court held that the time spent by plaintiffs responding to the data breach constituted a concrete injury, as otherwise the time would have been used for profitable purposes. The court did not reach the question of whether a diminution in value of PII was a separate, concrete injury.

Webb’s reasoning has since become the foundation for standing in dozens of subsequent data breach cases.

Seventy Citations Later: Webb’s Influence in Data Breach Litigation

In the two years since Webb, the case has made waves. Webb has been cited more than seventy times in federal decisions, including by federal appellate courts. Within the First Circuit, of the nineteen cases citing to Webb that determine issues of standing at the motion to dismiss stage, roughly two-thirds of decisions determined plaintiffs had pleaded a sufficient injury-in-fact.

Within data breach class actions, the Webb decision has been even more impactful. Of the thirteen data breach cases citing to Webb in the First Circuit that determine standing issues, eight cases confer standing onto plaintiffs. The trend signals a durable shift toward recognizing intangible or mitigation-based harms as sufficient for standing—at least at the pleading stage.

Courts Remain Skeptical of Lost Data Value But Recognize Lost Time Injuries

Recent district court decisions applying Webb show inconsistent treatment of alleged injuries. Two theories dominate: (1) diminished value of personal data, and (2) lost time spent responding to the breach.

The theory of diminished value argues that because plaintiffs can sell their PII to companies in the market, plaintiffs lose their data’s value when it is exposed in a data breach. Similarly, the lost time theory argues that by responding to a data breach, plaintiffs lose the value of that time which they would have otherwise put toward productive endeavors.

Courts have largely rejected the “diminished value” theory, finding it too speculative where plaintiffs do not allege that they ever attempted to sell their PII. In two cases discussing the diminished value theory, Priddy v. Zoll Medical Corporation, In re MAPFRE Data Disclosure Litigation, and Taylor v. UKG, Inc., courts refused to recognize diminished value of PII as an injury, in part because plaintiffs never pleaded that they “attempted to sell their Private Information.” In contrast, at the motion to dismiss stage in In re: MOVEit Customer Data Security Breach Litigation, discussed in a previous post, the court accepted the lost value of personal data as among other alleged harms sufficient to satisfy the injury requirement for standing.

By contrast, courts have credited lost time as injury-in-fact when plaintiffs pleaded that the time would have been used for some “other productive use” and mitigation efforts responded to a real and imminent threat of actual misuse. In some cases, plaintiffs have not been required to identify what the lost time would have been used for or that the time would have been used for profitable purposes, even though the First Circuit has noted in Webb that the loss of personal time might not constitute a tangible injury. Examples of decisions holding that lost time is sufficient to establish injury for standing include In re: MOVEit Customer Data Security Breach Litigation, In re MAPFRE Data Disclosure Litigation, In re LastPass Data Security Incident, and Shea v. American International College, a recent decision that will be discussed in more depth in a forthcoming post. In contrast, the court in Priddy v. Zoll Medical Corporation applied a more exacting standard under applicable Pennsylvania law, that “allegations of lost time are insufficient without allegations that plaintiffs lost any money as a result of that lost time.” Highlighting that lost time injury cannot be speculative, the court in Scifo v. Alvaria, Inc. held that alleged time spent responding to a data breach could not support standing “where no real or imminent threat of data misuse exists.”

Practical Implications for Data Breach Defendants and Their Counsel

The post-Webb landscape underscores a critical shift: motions to dismiss for lack of standing are no longer a sure path to early resolution in data breach class actions in the First Circuit. Even where plaintiffs allege only minimal harm, courts have accepted lost time and mitigation efforts as concrete injuries sufficient to keep claims alive. For defendants, that means fewer early exits and a greater need to focus on litigation strategy beyond the threshold stage.

Early case assessment and documentation remain key. Defendants should assume that standing challenges may not dispose of the case and should prepare for discovery from the outset. Preserving contemporaneous evidence of cybersecurity controls, incident response steps, and communications about mitigation can be key to framing causation and damages defenses later in the case.

Tailored, strategic briefing still matters. Although Webb embraced an expansive analysis, it has not eliminated opportunities for dismissal. Defendants can distinguish speculative future harm from imminent risk, emphasize the absence of actual misuse, and leverage state-specific doctrines that define injury narrowly. Courts remain receptive to targeted defense arguments that vague and conclusory allegations of “lost time” are insufficient without allegations of monetary loss.

For businesses, prevention is the first defense. Updating incident response plans, privacy notices, and data retention policies to reduce the need for consumer mitigation efforts can weaken the foundation for future standing arguments. Demonstrating proactive risk mitigation can strengthen defenses in litigation.

*          *          *

Thank you to firm summer associate Benjamin Parsons for his contribution to this post.
