Opinion
CIV-23-99-R
10-19-2023
KATHLEEN CARR, individually and on Behalf of all similarly situated persons, Plaintiff, v. OKLAHOMA STUDENT LOAN AUTHORITY; and NELNET SERVICING, LLC, Defendants.
ORDER
DAVID L. RUSSELL, UNITED STATES DISTRICT JUDGE
Before the Court is Defendant Nelnet Servicing, LLC's Motion to Dismiss [Doc. 30] Plaintiffs' Amended Class Action Complaint [Doc. 22] pursuant to Fed.R.Civ.P. 12(b)(6). Plaintiffs filed a Response [Doc. 42], and Defendants thereafter filed a Reply [Doc. 44]. The motion is now ripe for adjudication. This Court GRANTS Defendant's Motion to Dismiss in part and DENIES the Motion in part for the reasons below.
I. Background
Plaintiffs Carr, Killory, and Powell bring this case individually and on behalf of others similarly situated regarding a data breach related to student loan services they received from Defendants Oklahoma Student Loan Authority (“OSLA”) and Nelnet Servicing, LLC. Doc. 22 at 2, ¶ 2-3. Plaintiffs allege their personally identifiable information (“PII”) was obtained by malicious actors in 2022 via a data breach of Nelnet's technology platform. Id. at 3, ¶ 5. Plaintiffs' exposed PII included their names, addresses, email addresses, phone numbers, and Social Security numbers. Id. at 13-14, ¶ 41. Plaintiffs claim both Defendants, Nelnet and OSLA, acted negligently in protecting the PII Defendants had been provided. Id. at 3, ¶ 8. Specifically, Plaintiffs bring the following causes of action against Nelnet: negligence [Id. at 66-68], negligence per se [Id. at 68-71], breach of third-party beneficiary contract [Id. at 74-75], declaratory and injunctive relief [Id. at 75-77], and invasion of privacy [Id. at 80-83]. Defendant Nelnet moves to dismiss Plaintiffs' suit for failure to state a claim. Doc. 42 at 1-2.
References to specific paragraphs of the Complaint [Doc. 22] will include a page number and a paragraph number, as some paragraph numbers were inadvertently duplicated.
II. Legal Standard
“To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Fed.R.Civ.P. 8(a)(2) (“A pleading that states a claim for relief must contain . . . a short and plain statement of the claim showing that the pleader is entitled to relief ....”). While a complaint “need only give the defendant fair notice of what the claim is and the grounds upon which it rests,” Khalik v. United Air Lines, 671 F.3d 1188, 1191-92 (10th Cir. 2012) (ellipsis, internal quotation marks, and citations omitted), “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678. “Thus, the mere metaphysical possibility that some plaintiff could prove some set of facts in support of the pleaded claims is insufficient; the complainant must give the court reason to believe that this plaintiff has a reasonable likelihood of mustering factual support for these claims.” Ridge at Red Hawk, L.L.C. v. Schneider, 493 F.3d 1174, 1177 (10th Cir. 2007). The court must draw on its “experience and common sense” when evaluating whether a claim is plausible in a specific context. Iqbal, 556 U.S. at 663-64.
III. Discussion
Plaintiffs bring six claims against Nelnet. Two sound in negligence, and the Court denies Nelnet's motion in respect to these. The Court also denies Nelnet's motion to dismiss the breach of contract claim and the declaratory and injunctive relief claim. Plaintiffs' final two claims are based in the general tort of invasion of privacy; the Court grants Nelnet's motion to dismiss these claims.
At the outset, the Court recognizes the likelihood of choice of law determinations being necessary in this case. As Nelnet notes, however, choice of law analysis is a fact intensive process which this Court is ill-equipped to engage in at this early stage of litigation. Doc. 30 at 4 n.3. The Court agrees. See, e.g., Fed. Ins. Co. v. Indeck Power Equip. Co., No. CIV-15-491, 2016 WL 3676803 at *2 (W.D. Okla. July 7, 2016) (collecting cases finding a choice of law determination is premature at the motion to dismiss stage).
However, some preliminary choice of law consideration, using the pleadings before the Court, allows the Court to focus its inquiry into Defendant's Motion. The Court will apply Oklahoma's choice of law rules. Pepsi-Cola Bottling Co. of Pittsburg, Inc. v. PepsiCo, Inc., 431 F.3d 1241, 1255 (10th Cir. 2005) (“In a diversity action, we apply the substantive law of the forum state, including its choice of law rules.”). Accordingly, the Court will consider Plaintiffs' tort claims under the laws of Nebraska, Oklahoma, New Jersey, Massachusetts, and Indiana. The Court will evaluate Plaintiffs' contract claim under Nebraska and Oklahoma law. Unless Plaintiffs' claims are implausible under the laws of each of these states, Plaintiffs' claims will be allowed to proceed.
Oklahoma uses the “most significant relationship” test to determine governing law in tort cases. See Brickner v. Gooden, 525 P.2d 632, 637 (Okla. 1974). The four factors weighed, according to their relative importance to the particular case, are (1) the place of the injury; (2) the place the conduct causing the injury took place; (3) the domicile, residence, nationality, place of incorporation, and place of business of the parties; and (4) the place where the relationship, if any, between the parties occurred. Id. Each of the five states can claim a relationship to the suit under these factors. Determining which state has the most significant relationship is imprudent at this stage.
Oklahoma's choice of law rule for contracts is prescribed by statute. 15 O.S. § 162 (“A contract is to be interpreted according to the law and usage of the place where it is to be performed, or, if it does not indicate a place of performance, according to the law and usage of the place where it is made.”). The Court will consider the alleged contract claim under the law of Nebraska, the state the contract was presumably performed in, and Oklahoma, the state in which the contract was presumably made.
As such, it is unnecessary for the Court to address the plausibility of each claim under each state's law. Discussion will be limited to one state in which the claim is plausible; however, this does not mean the claim is necessarily plausible or implausible in the other states.
A. Negligence
Plaintiffs adequately allege the elements of a plausible negligence claim against Nelnet. In Oklahoma, negligence requires (1) a duty of care owed by the defendant to the plaintiff; (2) the failure of the defendant to meet that duty; and (3) an injury proximately caused by that breach of duty. Franklin v. Toal, 19 P.3d 834, 837 (Okla. 2000). Defendant Nelnet argues Plaintiffs fail to plausibly allege this claim because Plaintiffs had no relationship with and never provided their PII to Nelnet; thus, Nelnet was under no duty to safeguard Plaintiffs' PII. Such an argument has no basis in the law of negligence.
The elements of negligence are essentially the same in each of the states. The Court analyzes this claim under Oklahoma law.
Nelnet owed a duty to Plaintiffs, even in the absence of contractual privity, to act reasonably in safeguarding the Plaintiffs' PII. In Oklahoma, a duty need not be created by statute. Wofford v. Eastern State Hosp., 795 P.2d 516, 519 (Okla. 1990). A duty arises when a party “is put in such a position with regard to another that it is obvious that if he did not use due care in his own conduct he will cause injury to the other[.]” Id. It is evident and properly alleged that the exposure of a person's social security number can cause foreseeable injury. Doc. 22 at 15-19, ¶¶ 44-61. Thus, once Nelnet received Plaintiffs' sensitive information, Nelnet was put in a position where harm to Plaintiffs could obviously occur if Nelnet did not reasonably safeguard Plaintiffs' PII.
Numerous courts that have addressed data breaches have found a similar common law duty for the holder of sensitive information to safeguard it, regardless of the data holder's privity with the individual. Plaintiffs cite to many of these cases. Doc. 42 at 7-8; see, e.g., Charlie v. Rehoboth McKinley Christian Health Care Servs., 598 F.Supp.3d 1145, 1154-55 (D.N.M. 2022); In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742 at *15 (D.N.J. Dec. 16, 2021); Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 914 (S.D. Cal. 2020) (finding a common law duty to safeguard personal information was plausible even when defendant was not in privity with plaintiffs).
Nelnet attempts to evade this conclusion by drawing a distinction between how defendants in those cases were tasked with handling PII and how Nelnet merely provided an online portal through which Plaintiffs' PII passed. Doc. 44 at 1-2. It is a distinction without a difference. If Nelnet had access to Plaintiffs' PII such that vulnerabilities in its online portal placed Plaintiffs at risk of foreseeable harm, Nelnet held a duty to Plaintiffs. The Complaint adequately alleges such a duty exists. Doc. 22 at 2-4, 66-68, ¶¶ 3, 5, 10, 146-55. Therefore, Defendant Nelnet's motion to dismiss Plaintiffs' First Cause of Action [Doc. 22 at 66] is DENIED.
B. Negligence Per Se
Plaintiffs allege a plausible claim of negligence per se against Nelnet for violating Section 5 of the Federal Trade Commission Act (“FTC Act”); however, Plaintiffs do not adequately allege a claim of negligence per se for violating the Oklahoma Office of Management and Enterprise Services' Information Security Policies, Procedures, and Guidelines (“InfoSecPPG”). The determining factor in reaching this result is the class of persons the statute and regulations seek to protect. Nelnet points out that a negligence per se cause of action can only proceed under Oklahoma or Indiana law [Doc. 30 at 6] and argues that Plaintiffs' claims cannot proceed in either state. The Court disagrees.
State of Oklahoma Office of Management and Enterprise Services, Information Security Policy, Procedures, Guidelines, Version 1.5, accesshttps://oklahoma.gov/omes/divisions/informationservices/ about-information-services/policy-and-standards.html.
In Oklahoma, a negligence per se claim requires three elements be shown: “(1) the injury must have been caused by the violation; (2) the injury must be of a type intended to be prevented by the statute; and (3) the injured party must be a member of the class intended to be protected by the statute.” McGee v. El Patio, LLC, 524 P.3d 1283, 1286 (Okla. 2023). Plaintiffs succeed in alleging plausible success on this claim with respect to the FTC Act, but they fail with regard to InfoSecPPG.
The fatal flaw for one of Plaintiffs' negligence per se claims is that InfoSecPPG was enacted to protect the State of Oklahoma, not the Plaintiffs. InfoSecPPG was created at the directive of a state statute. 62 O.S. § 34.12(A). It establishes mandatory baseline standards for state agencies and their contractors to protect the information assets of the state. See InfoSecPPG [Doc. 43-1] at 7-9. InfoSecPPG's purpose is repeatedly stated as “protection of the information assets of the State of Oklahoma” and as applying to “State information.” Doc. 43-1 at 7-9. Neither the policies themselves nor InfoSecPPG's originating statute refers to the protection of individuals' information for the sake of the individuals; rather, the statute and policies concern the design of systems protecting “information of the State.” See 62 O.S. § 34.12; Doc. 43-1 at 10. While it could be argued that one of the “information assets” InfoSecPPG protects is PII of people like Plaintiffs, the text of InfoSecPPG indicates only that its data security policies are for the benefit of the State.
Plaintiffs provide no reason to depart from the plain text of InfoSecPPG. As Nelnet points out, Plaintiffs point to no case using InfoSecPPG (or other similar state regulations) for the purposes of demonstrating InfoSecPPG is a sound basis for their negligence per se claim. Plaintiffs provide only that they “were within the class of persons that this statute was designed to protect” without further explanation in their Complaint. Doc. 22 at 70, ¶ 165. This conclusory statement cannot be credited as true. Iqbal, 556 U.S. at 678. Thus, the Court finds InfoSecPPG is not a proper basis for Plaintiffs' Second Cause of Action, and Nelnet's motion to dismiss the claim with respect to InfoSecPPG is GRANTED.
Conversely, Plaintiffs succeed in alleging a plausible negligence per se claim against Nelnet using Section 5 of the FTC Act. Plaintiffs adequately plead they are consumers the FTC Act was designed to protect [Doc. 22 at 69, ¶ 159], suffered harm the statute was designed to prevent [Id. at ¶ 160], and suffered harm because of Nelnet's violation of the statute [Id. at ¶ 161]. Nelnet argues the FTC Act does not provide for a private right of action and, therefore, a negligence per se claim cannot lie. Nelnet cites to cases from foreign jurisdictions holding Section 5 of the Act cannot be the predicate of a negligence per se claim for this reason. However, this would contravene a direct holding of the Oklahoma Supreme Court.
The absence of a private right of action in federal law does not prohibit a state negligence per se claim based upon that law in Oklahoma. In Howard v. Zimmer, Inc., the Oklahoma Supreme Court responded to a certified question by the Tenth Circuit as to whether a federal law, which required that all violations of it and its accompanying regulations be prosecuted in the name of the United States, could form the basis of a negligence per se claim in Oklahoma. 299 P.3d 463, 465 (Okla. 2013). The court answered in the affirmative. Id. It distinguished private enforcement of the federal law from a plaintiff using a violation of the Act to show a breach of the standard of care in a negligence per se action. Id. at 469-71. It allowed a negligence per se claim to proceed as a “parallel claim” to federal enforcement of the law. Id. at 471-73 (citing Medtronic, Inc. v. Lohr, 518 U.S. 470 (1996)).
Here, Plaintiffs seek to use violation of the FTC Act, a federal statute, to show the breach of a standard of care in their negligence per se claim. The Oklahoma Supreme Court has approved such an approach. A district court in the Tenth Circuit has likewise allowed a negligence per se claim to proceed under similar circumstances. See Charlie, 598 F.Supp.3d 1145, 1158-59 (applying New Mexico's law to allow a negligence per se claim founded on Section 5 of the FTC Act to proceed). Accordingly, Nelnet's motion to dismiss Plaintiffs' Second Cause of Action [Doc. 22 at 68] with respect to the FTC Act is DENIED.
C. Breach of Third-Party Beneficiary Contract
Plaintiffs allege a plausible claim that Nelnet breached a contract to which Plaintiffs were third-party beneficiaries. For an unnamed third-party to recover under a contract in Nebraska, “it must appear by express stipulation or by reasonable intendment that the rights and interest of such unnamed parties were contemplated and . . . the right . . . to sue thereon must affirmatively appear from the language of the instrument[.]” Podraza v. New Century Physicians of Nebraska, LLC, 789 N.W.2d 260, 267 (Neb. 2010). The complicating factor in this case is that Plaintiffs, upon information and belief, can only allege the contract exists and contemplates their rights. Regardless, that is enough at this stage.
Applying Nebraska contract law is plausibly appropriate because the alleged breaching party to the contract performed its services in Nebraska. See 15 O.S. § 162.
In Nebraska, it is not necessary that Plaintiff be able to cite actual language from the contract to properly allege a breach of contract claim. In BNSF Ry. Co. v. Seats, Inc., BNSF claimed it was a third-party beneficiary to a contract between General Electric (“GE”) and Seats, Inc. for the installation of seats for engineers in BNSF's locomotives. 361 F.Supp.3d 947, 951 (D. Neb. 2019). BNSF alleged Seats, Inc. entered into a contract with GE to supply seats that were suitable for their intended use and alleged Seats, Inc. expected BNSF to receive the subject seats. Id. at 954. Notably, the court, in ruling on Seats, Inc.'s motion to dismiss BNSF's contract claim, did not have the alleged agreement before it. Id. Despite its absence, the judge determined BNSF had sufficiently alleged it was a third-party beneficiary under the strictures of Podraza and denied the motion. Id.
Likewise, Plaintiffs in this case plead facts that plausibly state a claim they were the intended third-party beneficiaries of services contemplated between Nelnet and OSLA. Plaintiffs state “OSLA hired Nelnet to provide online technology services” that provided Nelnet “access to the PII of Plaintiffs and Class.” Doc. 22 at 2, ¶ 3. Plaintiffs allege the “sole purpose of the technology services Nelnet provided” was to provide a secure customer website portal for Plaintiffs. Id. at 75, ¶ 194. Finally, they plead that proper performance would have prevented their injuries, and thus, Plaintiffs are entitled to sue upon the contract. Id. at ¶¶ 197-99.
Plaintiffs' claim may be tenuous, but, using this Court's “experience and common sense,” it is plausible Plaintiffs have a cause of action as third-party beneficiaries to a contract only Defendants can provide to this Court. Given the plausibility, Plaintiffs' claim must be allowed to proceed. Nelnet may be able to easily disprove this claim at later stages of litigation, if no such contract exists or if its terms so dictate, but dismissal at this stage is premature. Therefore, Nelnet's motion to dismiss Plaintiffs' Fifth Cause of Action [Doc. 22 at 74] is DENIED.
D. Declaratory and Injunctive Relief
Plaintiffs adequately state a claim for declaratory and injunctive relief under the Declaratory Judgment Act (DJA). 28 U.S.C. § 2201. “Basically, the question in each [D]A] case is whether the facts alleged . . . show there is a substantial controversy, between parties having adverse legal interests, of sufficient immediacy and reality to warrant the issuance of a declaratory judgment.” Maryland Cas. Co. v. Pac. Coal & Oil Co., 312 U.S. 270, 273 (1941). The DJA creates an “opportunity, rather than a duty, to grant a new form of relief to qualifying litigants[,]” and this Court is able to, in its discretion, “dismiss an action seeking a declaratory judgment before trial or after all arguments have drawn to a close.” Id. at 288.
Nelnet argues that Plaintiffs are not qualified litigants under the DJA and moves the Court to dismiss the cause of action; this Court disagrees and declines to do so. Nelnet's opposition boils down to two points: (1) the DJA creates only a remedy, not a cause of action; and (2) Plaintiffs fail to identify a forward-looking harm that injunctive relief could remedy. Doc. 30 at 12. Both arguments fail to convince the Court.
Plaintiffs do not rely on the DJA to provide jurisdiction because they validly allege subject matter jurisdiction under 28 U.S.C. § 1332(d). Doc. 22 at 7, ¶ 19. The “Declaratory Judgment Act is not an independent source of federal jurisdiction” because the availability of injunctive relief assumes the prior existence of a judicially remediable right. Schilling v. Rogers, 363 U.S. 666, 677 (1960). Nelnet misapprehends the case it cites to support its argument Plaintiffs' DJA claim is inappropriate. Kraft v. Office of the Comptroller of Currency, 20-CV-04111, 2021 WL 1251393 (D.S.D. Apr. 5, 2021). There, the district court dismissed a plaintiffs' claim under the DJA as a “nonstarter” because the plaintiff attempted to use the DJA as the basis for the federal court's jurisdiction. Id. at *9. In that context, the DJA “creates a remedy, not a cause of action.”
Id. In this case, the DJA serves as a valid cause of action because Plaintiffs' case has subject matter jurisdiction independent of the Act.
Plaintiffs also adequately allege impending future harm injunctive relief could remedy. Plaintiffs allege that Nelnet remains in possession of their PII and that, absent injunctive relief from this Court, their PII remains at risk of further breach and they remain at risk of further harm. Doc. 22 at 76, ¶¶ 202-04. Nelnet does not dispute this in its Motion to Dismiss and argues only that the requested relief “would have no impact on the Data Security Incident that already occurred.” Doc. 30 at 13. Nelnet is right. Prospective relief would not remedy Plaintiffs' alleged injuries. However, injunctive and declaratory relief could prevent further harm if the Plaintiffs' PII is still in Nelnet's possession.
Plaintiffs are qualified to ask this Court for declaratory and injunctive relief because they allege all necessary elements and have a separate basis for subject matter jurisdiction. It is within this Court's discretion to grant this relief if it finds it proper to do so. Nelnet may refute the need for this type of relief at a later stage of litigation. Nelnet's motion to dismiss Plaintiffs' Sixth Cause of Action [Doc. 22 at 75] is DENIED.
E. Invasion of Privacy
The states of Oklahoma, Nebraska, New Jersey, Indiana, and Massachusetts either explicitly or implicitly recognize the tort of invasion of privacy in accord with the four categories defined in the Second Restatement of Torts. See, e.g., McCormack v. Oklahoma Pub. Co., 613 P.2d 737, 740 (Okla. 1980); Whipps Land & Cattle Co. v. Level 3 Commc'ns, LLC, 658 N.W.2d 258, 269-70 (Neb. 2003); Hennessey v. Coastal Eagle Point Oil Co., 609 A.2d 11, 17 (N.J. 1992); Cullison v. Medley, 570 N.E.2d 27, 31 (Ind. 1991); Polay v. McMahon, 10 N.E.3d 1122, 1126-28 (Mass. 2014) (tracing development of Massachusetts case law interpreting a statutory right to privacy and citing the Restatement favorably).Plaintiffs bring a cause of action under two of the Restatement's categories: Intrusion upon Seclusion and Publicity Given to a Private Life. The Court finds Plaintiffs do not state a claim upon which relief can be granted in either category. Accordingly, Nelnet's motion to dismiss is GRANTED with respect to Plaintiffs' Eighth Cause of Action [Doc. 22 at 80].
RESTATEMENT (SECOND) OF TORTS §§ 652A - E (AM. LAW INST. 1977).
The Court finds no material differences in the respective states' laws that varies its analysis. The Court will discuss Plaintiffs' claims using examples from Oklahoma and the Restatement.
i. Intrusion upon Seclusion
Plaintiffs' claim cannot proceed because it is not plausible Nelnet engaged in the intentional conduct required to establish a claim for Intrusion upon Seclusion. To prevail on this claim, Plaintiffs must show (1) a nonconsensual intrusion occurred that (2) was highly offensive to the reasonable person. Gilmore v. Enogex, Inc., 878 P.2d 360, 366 (Okla. 1994); see also Munley v. ISC Fin. House, Inc., 584 P.2d 1336, 1339-40 (Okla. 1978) (“One who intentionally intrudes, physically or otherwise . . . is subject to liability . . . .”). “[A]n intrusion occurs when an actor believes, or is substantially certain, that he lacks the necessary legal or personal permission to commit the intrusive act.” Dubbs v. Head Start, Inc., 336 F.3d 1194, 1221 (10th Cir. 2003) (analyzing Oklahoma's tort of Intrusion upon Seclusion). Furthermore, parties agree that intentional conduct is required for the commission of this tort in all states in which the claim could lie. Doc. 42 at 17.
The only intentional acts Plaintiffs allege Nelnet undertook with respect to Plaintiffs' PII were neither intentionally intrusive nor highly offensive to a reasonable person. Plaintiffs state they “shared PII with Defendants[.]” Doc. 22 at 80, ¶ 220. Thus, Plaintiffs willingly provided Nelnet with their PII. Even if Plaintiffs were unaware Nelnet would end up in possession of their PII, Nelnet could not plausibly have had the requisite belief it had Plaintiffs' PII without “the necessary legal or personal permission.” Dubbs at 1221.
Plaintiffs attempt to ascribe the intentional and highly offensive acts of hackers to Nelnet. Inconsistently, however, Plaintiffs expressly attribute the data breach-the intrusive act-to Nelnet's negligence. Doc. 42 at 20 (“As a result, Nelnet's intentional choice to negligently provide inadequate data security ....”). While Plaintiffs are entitled to pursue alternative theories of the case, Plaintiffs do not plausibly allege the necessary intentional conduct by Nelnet. Accordingly, Plaintiffs' remedy against Nelnet only properly sounds in negligence, not an intentional tort.
ii. Publicity Given to a Private Life
Plaintiffs' claim for Publicity Given to a Private Life fails for similar reasons. Nelnet did not give publicity to Plaintiffs' PII; the unidentified hackers did. The tort has “three constituent elements: (1) publicity (2) which is unreasonable and (3) is given as a private fact.” Eddy v. Brown, 715 P.2d 74, 77 (Okla. 1986). “Publicity . . . means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Id. at 78 (quoting RESTATEMENT (SECOND) OF TORTS § 652D).
Once again, Plaintiffs conflate the malicious actions of the unidentified hackers with the unintentional actions of the Defendant. Nelnet did not communicate Plaintiffs' PII to anyone; it was taken from Nelnet. Plaintiffs plead as much. Doc. 22 at 12-13, ¶¶ 35, 40. They do not allege Nelnet intentionally shared their data with anyone. In fact, Plaintiffs expressly argue Nelnet's negligence is the cause of their PII being accessible on the dark web. Doc. 42 at 21 (“[Plaintiffs'] PII is available to the public due to Nelnet's [] negligence and shortcomings, is on the dark web, and is being used for nefarious purposes.”). Parties dispute whether publication of matter on the dark web is sufficient to satisfy the publicity element of the tort; the Court need not decide whether it is because Nelnet's intentional actions are not the cause of the PII's publication. Plaintiffs' claim sounds in negligence.
IV. Conclusion
Plaintiffs properly state claims against Defendant Nelnet for negligence, negligence per se, breach of third-party beneficiary contract, and declaratory and injunctive relief. Their claims for Intrusion upon Seclusion, and Publicity Given as a Private Fact fail for the reasons set forth above. Accordingly, the Court GRANTS Defendant's Motion to Dismiss with respect to Plaintiffs' Eighth Cause of Action. The Court DENIES Defendant's Motion with respect to Plaintiffs' First, Second, Fifth, and Sixth Causes of Action.
IT IS SO ORDERED.