Data breach cases in federal courts are routinely subjected to dispositive motions that follow a well-trod path: does the plaintiff have Article III standing? Are there other jurisdictional issues, such as sovereign immunity, or the Class Action Fairness Act, at play? Finally, has the plaintiff failed to state a claim for which relief can be granted?

In a recent data breach case, Bohnak v. Marsh & McLennan Companies, Inc., 79 F. 4th 276 (2d Cir. 2023), however, the U.S. Court of Appeals for Second Circuit appears to cut this path short by merging two questions: whether a plaintiff has sufficiently plead both injuries to satisfy standing under Article III as well as cognizable damages in support of their claims. At the motion to dismiss stage, standing is evaluated pursuant to Federal Rule of Civil Procedure 12(b)(1) for lack of subject-matter jurisdiction, while the element of cognizable damages is evaluated pursuant to 12(b)(6) for failure to state a claim.

As set forth below, the two questions are distinct and traditionally have been treated as such within the Second Circuit. Moving forward, the question is whether Bohnak will be an outlier, or a game changer for data breach litigation?