Devine v. Integration

Case: Robert Devine v. Horizontal Integration, Inc., d/b/a Horizontal Digital and Horizontal Talent, No. 24-CV-4555 (JMB/DLM), U.S. District Court, District of Minnesota. Judge: Jeffrey M. Bryan. Decision date: December 19, 2025.

PROCEDURAL POSTURE Defendant Horizontal Integration moved to dismiss the Amended Complaint under Federal Rule of Civil Procedure 12(b)(1) (lack of subject-matter jurisdiction — specifically, Article III standing) and Rule 12(b)(6) (failure to state a claim upon which relief can be granted). The court granted the motion on standing grounds without prejudice, meaning Devine may file an amended complaint if he can cure the deficiencies identified. The court did not reach the Rule 12(b)(6) merits.

FACTUAL BACKGROUND Horizontal is a digital marketing and staffing firm headquartered in St. Louis Park, Minnesota. Devine is a former Horizontal employee and Minnesota resident. Between July 3 and July 11, 2024, third-party hackers accessed or took files from Horizontal's network (the 'Data Breach'). Horizontal detected the intrusion on approximately July 9, 2024, engaged cybersecurity specialists, and identified at least 6,345 potentially affected individuals. Types of personal information potentially at risk included names, Social Security numbers, driver's license numbers, financial account information, credit/debit card numbers, and health information, according to filings with state attorneys general in New Hampshire, Texas, and Maine.

Horizontal began notifying potentially affected individuals on or about July 24, 2024. A supplemental notice was sent on October 29, 2024, to additional identified individuals, including Devine. The notice did not specify what type of personal information each recipient's data included; it offered free credit monitoring through Experian to those whose information may have been impacted.

Devine alleged post-breach harms: (1) a spike in spam and scam emails; (2) an email purportedly from Experian warning of excessive unauthorized credit inquiries; (3) a drop in his credit score; (4) anxiety, sleep disruption, stress, fear, and frustration; (5) time and costs spent monitoring accounts and credit reports; (6) diminution in value of his personal information (PII/PHI); and (7) lost benefit of his bargain with Horizontal.

The Amended Complaint asserted six counts on behalf of Devine and a putative class: negligence (Count I), negligence per se (Count II), breach of implied contract (Count III), invasion of privacy (Count IV), unjust enrichment (Count V), and violation of the Minnesota Uniform Deceptive Trade Practices Act (Count VI).

LEGAL FRAMEWORK Article III of the U.S. Constitution limits federal courts to deciding actual 'cases or controversies.' To satisfy this requirement, a plaintiff must establish standing by clearly alleging: (1) an injury in fact that is concrete, particularized, and actual or imminent (not speculative); (2) a causal connection ('traceability') between the injury and the defendant's conduct; and (3) redressability — that a favorable ruling would likely remedy the injury. Standing is a jurisdictional threshold the court must assess before addressing the merits of any claim.

RULING ON EQUITABLE RELIEF Devine sought injunctive and declaratory relief requiring Horizontal to adopt adequate cybersecurity measures to prevent future breaches. For equitable (forward-looking) relief, injury can include the risk of future harm, but only if that risk is 'sufficiently imminent and substantial.' The court found the Amended Complaint's allegations — that cybercriminals could perpetuate new breaches because Horizontal employee credentials were on the dark web (conceded in briefing to have been present before the breach), and that Devine remained at risk as long as Horizontal failed to adopt best practices — were conclusory and speculative. They did not establish a 'certainly impending' or 'substantial risk' of a future breach specific to Horizontal. The court dismissed the equitable relief requests for lack of standing.

RULING ON MONETARY RELIEF — SEVEN HARM CATEGORIES

1. Disclosure of Private Information: The court acknowledged that disclosure of private information constitutes a cognizable concrete injury. However, the Amended Complaint identified only categories of data potentially at risk for Horizontal employees generally; it did not allege what specific information belonging to Devine was actually accessed or taken. Without such particularized allegations, no concrete or particularized injury from loss of privacy was established.

2. Imminent Risk of Identity Theft: Devine argued his PII/PHI disclosure created an imminent risk of identity theft. The court rejected this on two grounds: (a) the complaint did not specify what of Devine's information was disclosed; and (b) even if it had, the complaint contained no allegation that Devine's data had been misused in any way. Distinguishing Perry v. Bay & Bay Transp. Servs. (where plaintiff alleged specific data misuse including being scammed out of $500) and Thomas v. Pawn Am. (where some plaintiffs alleged actual identity theft), the court found Devine's allegations insufficient.

3. Time, Effort, and Costs Incurred Monitoring Accounts: Devine alleged he spent time and money monitoring accounts and expected future costs. The court held that plaintiffs cannot manufacture standing by spending time protecting against a speculative threat that is not 'certainly impending.' Because no substantial and imminent risk of identity theft had been established, the monitoring expenses were responses to a purely hypothetical future harm.

4. Spike in Spam Emails: The court noted a circuit split on whether increased spam constitutes injury in fact in data breach cases. It declined to resolve that question, instead dismissing this category on traceability grounds: the complaint did not allege that Devine's email address was among the data stolen; the complaint did not describe the content of the spam emails to link them to the breach; and the sole timing allegation ('in the aftermath of the Data Breach') was insufficient to establish that the spam was caused by the breach rather than by other independent sources.

5. Harm to Credit: The complaint alleged that 'shortly after' the breach Devine received an email purportedly from Experian about excessive credit inquiries and that 'following' the breach his credit score dropped. The court found these allegations failed the traceability requirement: temporal proximity alone does not establish causation, and credit scores and credit inquiries can change for many unrelated reasons.

6. Diminished Value of PII/PHI and Lost Benefit of the Bargain: The complaint alleged diminution in value of Devine's personal information and loss of the benefit of his bargain with Horizontal. The court found these allegations conclusory: no monetary value was assigned to the PII/PHI; no specific information was identified as stolen; and no facts were alleged showing how or why the value decreased (e.g., no allegation that Devine attempted to sell his data and received less). The 'lost benefit of bargain' theory also failed because cases supporting it involved actual misuse of plaintiff data — absent here.

7. Emotional Distress: The complaint alleged anxiety, sleep disruption, stress, fear, and frustration. The court found these allegations not fairly traceable to the Data Breach without underlying allegations that Devine's own PII/PHI was disclosed and actually misused. Citing SuperValu, Clapper, and Pawn, the court held that emotional harm tied only to speculative future fears does not confer standing.

DISPOSITION The court granted the motion to dismiss without prejudice. Because it concluded Devine lacked Article III standing for all relief sought, it did not address Horizontal's alternative Rule 12(b)(6) failure-to-state-a-claim arguments. Devine may potentially amend his complaint to add the missing factual allegations — primarily, identification of what specific personal information of his was taken and what, if any, misuse resulted.