Law Update: Louisiana Courts Continue to Disallow Data Breach Claims Involving Speculative Damages

By Marc Whitfield

When a data breach involving personal information occurs, it is obviously crucial to timely provide the notices required under La. R.S. 51:3074 of the Louisiana Database Security Breach Notification Law. In many cases, the provided notices can, and have, resulted in litigation being filed in connection with the data breach, even if the accessed personal information has not been used by the person that has breached the data system.

However, with the Fourth Circuit’s recent decision in Bradix v. Advance Stores Company, Inc., 226 So. 3d 523 (La. Ct. App. 4th Cir. 2017), courts in Louisiana continue their consistent general trend towards disallowing data breach claims involving only speculative or potential future damages.

After receiving written notice from his employer, indicating that a data breach had occurred and resulted in unauthorized access to employee records, consisting of employees’ names, social security numbers, and other information, an employee, Mr. Bradix, filed a class-action lawsuit against his employer alleging that the employer was liable for negligence and breach of fiduciary duty, among other claims.

The employee alleged that he “suffered anxiety” as a result of the data breach involving his personal information and alleged damages consisting of “potential identity theft, loss of credit, loss of opportunity for credit, denial of credit applications and severe stress and anxiety associated with the months or years it will take to clear up Advance’s mess.” However, no actual identify theft, damage to his credit report or loss of money was alleged.

The case was removed by the employer to federal court in the Eastern District. The federal court granted the employer’s rule 12(b)(1) motion to dismiss for lack of subject matter jurisdiction, finding that the employee lacked standing to assert this claim in federal court because the employee had failed to allege a “certainly impending injury.” Since federal courts can only resolve those cases that involve an actual case or controversy involving existing damages, the federal court concluded that it lacked subject matter jurisdiction to decide the case and remanded it back to state court for it to determine whether Louisiana law provided a remedy.

The state court granted the employer’s exceptions and dismissed the employee’s suit, finding that the employee lacked standing to pursue his legal claims since he had failed to allege any monetary damages or actual loss. On appeal, the Fourth Circuit agreed, finding that the employee failed to allege an actual loss and his alleged injuries were too abstract and theoretical since it was entirely possible that any personal information disclosed during the data breach might never be used to cause damages to the employee.


Specifically, with regard to the plaintiff’s negligence claims, the court found that the duty-risk “analysis requires the plaintiff to prove four distinct elements: (1) existence of a duty owed by the defendant to the plaintiff; (2) a breach of that duty; (3) the breach is a cause in fact of damage; and (4) actual damage was sustained by the plaintiff.” However, the plaintiff was unable to satisfy the fourth element since it requires that the plaintiff sustain actual damages.

Breach Of Fiduciary Duty

Similarly, the court held that a breach of a fiduciary duty claim entitles the plaintiff to recover the damages he or she has sustained. Here, the employee was unable to prove that he had suffered any actual damages as a result of the data breach so the court concluded that the employee did not possess a valid cause of action for a breach of fiduciary duty.


The Bradix case continues a consistent general trend among Louisiana courts to refuse to entertain data breach claims if the claims involve only speculative injuries and possible future damages. To avoid having his or her case dismissed at a preliminary stage, it is clear that anyone asserting a data breach claim in Louisiana will generally be required to plead some form of existing damage or actual loss, and cannot rely upon the possibility of future injuries that will only occur if a third party eventually uses his or her personal information in the future and causes some form of actual loss to the plaintiff.