Appellate panel reverses lower court’s decision in data breach case

KEITH ARNOLD
Special to the Legal News
Published: August 8, 2025

A Franklin County appellate panel determined that a trial court was wrong to dismiss an individual’s complaint which asserted breach of fiduciary duty, among other allegations, when her personal information was exposed during a data breach of the state’s unemployment compensation system.
The Tenth District Court of Appeals panel reversed the Ohio Court of Claims’ dismissal of Jessica Short’s claims against the Ohio Department of Job and Family Services for a lack of standing.
“We find Ms. Short sufficiently alleged concrete, present harms resulting from the data breach,” Tenth District Judge Michael Mentel wrote for the 3-0 panel. “Ms. Short also claimed the injuries she … sustained were directly and proximately caused by defendant’s failure to implement or maintain adequate data security measures for the PII (personally identifiable information) which allowed criminals to hack its systems and steal (her) sensitive and confidential information.”
According to case background, the Department of Job and Family Services issued a news release on July 24, 2023, to alert the public that the unemployment compensation system was the target of hacking effort in which an estimated $189,184 in bogus claims was paid to fraudsters.
Short was notified of the breach by letter on Aug. 25, 2023. The notice informed her that her unemployment account, which included her name, Social Security number, address, occupation and claim and application history, may have been accessed by unauthorized individuals.
The letter assured Short that the agency had corrected the flaw and offered her a complimentary one-year membership in an identity theft protection service as a precaution.
The letter also detailed other precautionary measures, such as fraud alerts and security freezes on credit files and regular reviews of her financial account statements and credit reports, she could take to protect her personal information, summary provided.
Short filed a complaint on Dec. 19, 2023, against the agency on her own behalf and that of a class of similarly situated individuals, asserting claims for negligence, breach of implied contract, breach of fiduciary duty and invasion of privacy.
She stated that she had provided the agency with her PII in order to receive unemployment benefits, and the agency assumed legal and equitable duties to protect and safeguard it.
The woman’s complaint alleged injuries that included unauthorized and fraudulent charges on her bank account, lost time and inconvenience addressing those issues and the threat of future costs and expenses for ongoing credit monitoring as a result of the agency’s conduct.
On Feb. 20, 2024, the agency filed a motion, asking the court to dismiss the case either because the court lacked subject-matter jurisdiction, Short lacked standing, or because she failed to state a claim upon which relief could be granted.
Short filed a memorandum in opposition to the motion to dismiss, summary continued.
The trial court issued a decision and entry granting the agency’s motion to dismiss for lack of standing on June 10, 2023.
In its decision, the court stated it was “reluctant to grant standing where the alleged future injury depends on the actions of an independent third party.”
Short subsequently appealed.
In consideration of the woman’s appeal, the appellate panel considered relevant federal circuit court rulings on the matter.
The judges determined that Short’s circumstance satisfied the following factors outlined in the federal cases:
• Whether the data was compromised as part of a targeted attack intended to obtain the PII;
• Whether some part of the data has been misused, even if the plaintiff’s own data has not; and
• Whether the data is of a type more or less likely to subject the plaintiffs to a perpetual risk of identity theft or fraud once exposed.
“Accepting the factual allegations of the complaint as true and making all reasonable inferences in Ms. Short’s favor, we find Ms. Short alleged an imminent risk of identity theft or fraud resulting from the data breach,” Mentel wrote. “Accordingly, because Ms. Short alleged a concrete, particularized and imminent injury, the risk of identity theft or fraud constituted an injury in fact.”
The panel rejected the agency’s suggestion that because the breach had occurred more than a year earlier any threat was no longer imminent or impending.
“Whether or not Ms. Short suffered identity theft or fraud since filing the complaint is a matter outside of the complaint, and therefore not a proper consideration at this stage of the litigation,” Mentel wrote.
The case was remanded to the Court of Claims for further proceedings consistent with the appellate ruling and the law.
Presiding Judge Terri Jamison and Tenth District Judge Carly Edelstein concurred with Mentel’s opinion.
Copyright © 2025 The Daily Reporter - All Rights Reserved

[Back]

The Akron Legal News • 60 South Summit St. • Akron, Ohio 44308 • Phone: 330-376-0917 • Fax: 330-376-7001