In August 2022, Samsung Electronics America experienced a significant data breach that compromised personal data, rendering it susceptible to malicious attacks. This incident led to the filing of 17 lawsuits against the company. By February 2023, these cases were merged into a multidistrict litigation (MDL) before Judge Christine O’Hearn in the District of New Jersey.

The breach exposed a substantial volume of customer data to potential cybercriminals. The lawsuits assert that Samsung exhibited negligence in its data protection protocols, failed to act with due diligence, and did not take appropriate actions to secure customer data or promptly inform customers about the breach.

Last Friday, Judge Christine O’Hearn dismissed the case, determining that plaintiffs’ allegations regarding attempted and actual identity theft could not be directly linked to the compromised information.

Judge O’Hearn noted that federal courts can only consider cases that present genuine disputes where both parties have a vested interest. As the party seeking federal jurisdiction, the plaintiffs are responsible for demonstrating standing. To establish standing, a plaintiff must prove that they have suffered a concrete, particularized, and actual or imminent injury, that this injury is likely attributable to the defendant, and that judicial relief would likely remedy it.

Out of the 41 plaintiffs involved in the case, only four have claimed to have been informed that their personal data is available on the dark web. However, these individuals do not clarify that the specific information obtained from the Samsung breach is present on the dark web, as opposed to data acquired from other sources, such as Social Security numbers and credit card details that were not included in the breach.

Furthermore, an analysis of the type of information that was accessed is “decisively fatal” for the plaintiffs, O’Hearn wrote.

“Put simply, the information the parties now agree was accessed in the data breach—names, addresses, other contact and demographic information, and device information—is not the type of [personal identifying information] that subjects an individual to a heightened risk of identity theft or fraud in any way despite plaintiffs’ repeated attempts to suggest otherwise.”

“Courts routinely have dismissed claims for lack of jurisdiction when the information accessed is similar, or in some cases, even more sensitive to that which plaintiffs allege here because the risk of future harm is far too attenuated or speculative.”