Court, Explained
U.S. District Court · District of Minnesota
Back to docket
Procedural orderFiled Dec. 19, 2025

Devine v. Integration

Full caption

Robert Devine, on behalf of himself and all others similarly situated v. Horizontal Integration, Inc., doing business as Horizontal Digital and Horizontal Talent

Judge
Jeffrey Bryan
Docket
0:24-cv-04555
Court
U.S. District Court · District of Minnesota
Pages
17

Counsel of record
PLAINTIFF
Strauss Borrelli PLLC2 attorneys
Brittany N. Resch, Raina Borrelli

Counsel of record per CourtListener. Firm names are approximate.

Civil ProcedureMotion to DismissTortCivil Rights
In one sentence

In Devine v. Horizontal Integration, Judge Bryan dismissed a data-breach lawsuit without prejudice because the plaintiff failed to allege that his own personal information was actually disclosed or misused.

Who this affects

Former employees of data-breach victim companies who sue for damages or injunctive relief; plaintiffs in data-breach class actions in the Eighth Circuit who must allege specifically what personal information of theirs was disclosed and how it was concretely harmed, not merely that a breach occurred and their data was potentially at risk.

What happened

In Devine v. Horizontal Integration, Inc. (doing business as Horizontal Digital and Horizontal Talent), former employee Robert Devine sued his employer after hackers accessed company files between July 3 and July 11, 2024, potentially exposing personal information of thousands of current and former employees. Devine brought six claims — negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and violation of a Minnesota consumer-protection statute — on behalf of himself and a proposed class, seeking both money damages and court orders requiring the company to improve its data security.

The central problem the court identified is that the complaint never clearly stated which, if any, of Devine's own personal information was actually stolen. Horizontal's breach notices said that certain files 'may have' contained employee data but did not specify whose information was affected or what type. Without knowing what of Devine's data was taken, the court found that his claimed injuries — increased spam emails, a drop in credit score, emotional distress, wasted time monitoring accounts, and reduced value of his personal data — could not be reliably connected to the breach rather than to unrelated causes.

Judge Jeffrey M. Bryan granted Horizontal's motion to dismiss without prejudice, meaning Devine is not barred from filing an amended complaint if he can allege specific facts about what personal information of his was disclosed and how it harmed him. Because the court dismissed for lack of standing — a requirement that plaintiffs show a real, concrete injury tied to the defendant's conduct — it did not reach the question of whether the six underlying legal claims were otherwise adequately pleaded.

The detailed version

For law students, journalists, and other readers who want the full reasoning

Case
Devine v. Integration · No. 0:24-cv-04555
Judge
Jeffrey M. Bryan
Date
Dec. 19, 2025

Background

Horizontal Integration, Inc. (doing business as Horizontal Digital and Horizontal Talent) is a digital marketing and professional staffing company headquartered in St. Louis Park, Minnesota. Robert Devine, a former Horizontal employee and Minnesota resident, filed this putative class action after Horizontal disclosed a data breach in which third-party hackers accessed or took files from Horizontal's network between July 3 and July 11, 2024. Horizontal notified potentially affected individuals beginning July 24, 2024, and sent a supplemental notice on October 29, 2024 — the notice Devine received. The notices did not specify what type of personal information was affected for any individual. Horizontal reported to state attorneys general that at least 6,345 individuals may have been affected and that the categories of data potentially at risk included names, Social Security numbers, driver's license numbers, financial account numbers, credit and debit card numbers, and health information.

Devine's Amended Complaint asserted six claims on behalf of himself and a proposed class: (I) negligence, (II) negligence per se, (III) breach of implied contract, (IV) invasion of privacy, (V) unjust enrichment, and (VI) violation of the Minnesota Uniform Deceptive Trade Practices Act (MDTPA). He sought both money damages and equitable relief (injunctions and declaratory judgments requiring Horizontal to improve its cybersecurity).

Legal Framework: Article III Standing

Horizontal moved to dismiss under Federal Rule of Civil Procedure 12(b)(1) (lack of subject-matter jurisdiction due to no standing) and 12(b)(6) (failure to state a claim). Standing under Article III of the U.S. Constitution — the provision that limits federal courts to deciding real 'cases or controversies' — requires a plaintiff to clearly allege: (1) a concrete and particularized injury in fact; (2) a causal connection (traceability) between the injury and the defendant's conduct; and (3) that a favorable court ruling would redress the injury. Standing must be demonstrated separately for each form of relief sought.

Because standing is a jurisdictional prerequisite, the court addressed it first and did not reach Horizontal's 12(b)(6) arguments.

Standing for Equitable Relief

Devine sought injunctions requiring Horizontal to implement adequate cybersecurity measures. For future-harm claims, a plaintiff must show a 'sufficiently imminent and substantial' risk. The court found the Amended Complaint fell short because it offered only conclusory speculation — e.g., that hackers could launch new breaches using credentials on the dark web, and that Devine remained at risk as long as Horizontal held his data — without allegations establishing that Horizontal was particularly likely to suffer another breach. Devine also conceded in briefing that the encrypted passwords referenced in the complaint appeared on the dark web before the breach. The court noted that Horizontal 'faces much the same risk of future cyberhacking as virtually every holder of private data' (quoting Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023)), and that accepting this level of generalized risk as sufficient would expose virtually every company to similar injunctive demands. The court dismissed the equitable relief requests for lack of standing.

Standing for Monetary Relief — Seven Alleged Harms

1. Disclosure of Private Information Devine argued his personal identifying information (PII) and protected health information (PHI) were disclosed in the breach. The court acknowledged that disclosure of private information can be a concrete injury under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021). However, the Amended Complaint alleged only that certain categories of data were potentially affected for some employees; it did not identify what specific information of Devine's was actually accessed or taken. The court distinguished Perry v. Bay & Bay Transp. Servs., Inc., 650 F. Supp. 3d 743 (D. Minn. 2023) and Thomas v. Pawn Am. Minn., LLC, 2022 WL 3159874 (D. Minn. 2022), where plaintiffs specifically identified their own disclosed information.

2. Imminent Risk of Identity Theft For the same reason — the complaint did not allege what of Devine's data was taken — the court found no adequate basis to claim a future risk of identity theft traceable to the breach. The complaint also lacked any allegation that Devine's PII/PHI had been misused in any way.

3. Time, Effort, and Costs of Self-Protection Devine alleged he spent time monitoring his accounts and credit reports and anticipated future expenses. The court applied the rule from Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013) and Alleruzzo v. SuperValu, Inc. (In re SuperValu), 870 F.3d 763 (8th Cir. 2017): a plaintiff cannot manufacture standing by taking protective steps in response to a purely speculative threat. Because the court found no substantial and imminent risk of harm established, any protective time and money Devine spent was in response to speculation, not a real threat.

4. Spike in Spam and Scam Emails Devine alleged he received a surge in spam emails after the breach. The court noted a circuit split on whether increased spam constitutes injury in fact in data breach cases, but declined to resolve it because the complaint failed on traceability regardless. The court found: (a) the complaint did not allege that Devine's email address was among the data stolen; (b) the breach notices did not specify what data was taken for any individual; (c) the complaint described none of the email content, making it impossible to connect the emails to the breach; and (d) the only timing allegation was that the spike occurred 'in the aftermath of the Data Breach,' which courts have found insufficient to establish causation.

5. Harm to Credit Devine alleged he received an email purportedly from Experian stating his credit report had been subject to excessive unauthorized inquiries, and that his credit score dropped after the breach. The court found these injuries were not 'fairly traceable' to the breach because credit scores and inquiries can change for many independent reasons, and temporal proximity alone is insufficient.

6. Diminished Value of PII/PHI and Lost Benefit of the Bargain Devine alleged his personal data lost monetary value and that he lost the benefit of his employment bargain with Horizontal. The court found these allegations too conclusory: the complaint did not state the monetary value of Devine's data before the breach, did not identify what specific data was affected, and contained no facts explaining how the breach diminished its value (for example, no allegation that he tried to sell his data and received less). The court also rejected the 'lost benefit of the bargain' theory, noting that unlike cases Devine cited, the complaint here alleged no actual misuse of PII/PHI and no allegation that his data had material economic value in connection with any service Horizontal provided.

7. Emotional Distress Devine alleged anxiety, sleep disruption, stress, fear, and frustration about his financial security and about what data was exposed. The court acknowledged that emotional harm caused by knowledge of an actual data disclosure can establish standing, citing TransUnion and Pawn. But because the complaint did not adequately allege that Devine's own PII/PHI was disclosed or that he faces a substantial risk of identity theft, his emotional distress remained tied to hypothetical future harm rather than a concrete injury traceable to the breach.

Disposition

Judge Bryan granted Horizontal's motion to dismiss without prejudice. The dismissal is without prejudice, meaning Devine may file a new or amended complaint if he can allege specific facts about which of his personal data was disclosed and how that disclosure caused him concrete harm. The court expressly declined to address Horizontal's 12(b)(6) arguments (failure to state a claim on the merits of each cause of action) because the standing deficiency was dispositive.

The authoritative version

Read the full 17-page opinion on CourtListener, the free public archive maintained by the Free Law Project.

Open opinion PDF →
Summary written with AI assistance. See how summaries are made. Spot something wrong? Tell us.