Summary
finding that the threat of future harm resulting from data breach sufficed to confer standing, where compromised data included plaintiffs' names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification, financial information, credit card numbers, and medical claims information
Summary of this case from Pena v. British Airways, PLC (UK)Opinion
6:15–CV–06569 EAW
2018-01-19
Robin L. Greenwald, Pro Hac Vice, James J. Bilsborrow, Weitz & Luxenberg, P.C., New York, NY, Kathryn Lee Bruns, Stephen G. Schwarz, Hadley L. Matarazzo, Faraci Lange LLP, Rochester, NY, for Plaintiff. Jessica L. Staiger, Pro Hac Vice, Kate Warner, Pro Hac Vice, Luke C. Ruse, Pro Hac Vice, Timothy C. Pickert, Pro Hac Vice, Kirkland & Ellis LLP, Chicago, IL, Mark J. Moretti, Rochester, NY, Jennifer A. Beckage, John G. Schmidt, Jr., Phillips Lytle LLP, Buffalo, NY, Paul G. Karlsgodt, Baker & Hostetler LLP, (Denver) Denver, CO, Karin Scholz Jenson, Baker & Hostetler LLP (NYC), New York, NY, Adam P. Feinberg, Miller & Chevalier Chartered, Washington, DC, Jeffrey J. Harradine, Thomas S. D'Antonio, Ward Greenberg Heller & Reidy LLP, Rochester, NY, for Defendant.
Robin L. Greenwald, Pro Hac Vice, James J. Bilsborrow, Weitz & Luxenberg, P.C., New York, NY, Kathryn Lee Bruns, Stephen G. Schwarz, Hadley L. Matarazzo, Faraci Lange LLP, Rochester, NY, for Plaintiff.
Jessica L. Staiger, Pro Hac Vice, Kate Warner, Pro Hac Vice, Luke C. Ruse, Pro Hac Vice, Timothy C. Pickert, Pro Hac Vice, Kirkland & Ellis LLP, Chicago, IL, Mark J. Moretti, Rochester, NY, Jennifer A. Beckage, John G. Schmidt, Jr., Phillips Lytle LLP, Buffalo, NY, Paul G. Karlsgodt, Baker & Hostetler LLP, (Denver) Denver, CO, Karin Scholz Jenson, Baker & Hostetler LLP (NYC), New York, NY, Adam P. Feinberg, Miller & Chevalier Chartered, Washington, DC, Jeffrey J. Harradine, Thomas S. D'Antonio, Ward Greenberg Heller & Reidy LLP, Rochester, NY, for Defendant.
DECISION AND ORDER
ELIZABETH A. WOLFORD, United States District Judge
INTRODUCTION
By Decision and Order filed February 22, 2017, this Court granted in part and denied in part the defendants' motions to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). (Dkt. 140). Plaintiffs now move to reconsider, pursuant to Federal Rules of Civil Procedure 59(e), 60(b)(1) and (2), and Local Rule of Civil Procedure 7(d)(3), the aspect of the Court's Decision and Order that granted, without prejudice, the Excellus Defendants' motion to dismiss the claims of the four non-misuse Plaintiffs (Matthew Fero, Dwayne Church, Therese Boomershine, and Brenda Caltagarone) pursuant to Rule 12(b)(1). (Dkt. 142). Alternatively, Plaintiffs ask the Court to deny the Excellus Defendants' motion to dismiss plaintiff Matthew Fero's breach of contract and unjust enrichment claim for lack of standing, or provide Plaintiffs "the right to replead jurisdictional facts, or, at a minimum, give Plaintiffs[ ] permission to file a motion for leave to file an amended complaint" pursuant to Federal Rule of Civil Procedure 15(a)(2). (Id. ). The Excellus Defendants oppose Plaintiffs' motion. (Dkt. 156).
As explained in the Court's prior Decision and Order, "Excellus Defendants" refers to all defendants except for Blue Cross and Blue Shield Association.
For the reasons that follow, the Court grants the motion for reconsideration and, upon reconsideration, denies the Excellus Defendants' motion to dismiss pursuant to Rule 12(b)(1) to the extent that it sought dismissal of the non-misuse Plaintiffs' claims. All other aspects of the Court's Decision and Order, including its grant, in part, of the motions filed pursuant to Rule 12(b)(6), remain intact.
BACKGROUND
The factual background and procedural history relevant to this motion are set forth in detail in the Court's prior Decision and Order, with which familiarity is assumed. (Dkt. 140). The Court provides only a brief summary, as well as additional background information as relevant to this motion.
This case arises out of a data breach involving Excellus Health Plan, Inc., a healthcare provider. According to Plaintiffs, on December 23, 2013, hackers gained access to Excellus' computer network systems, which stored the personal information belonging to millions of individuals. (Dkt. 99 (Consolidated Master Complaint at ¶¶ 52, 131, 133) ). During this data breach, the hackers had access to individuals' names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification numbers, financial payment information (including credit card numbers), and medical insurance claims information. (Id. at ¶¶ 1–3, 52, 134). Plaintiffs, who allege various injuries arising out of the data breach, bring a putative class action against eight defendants, including the Excellus Defendants, and assert claims under various federal and state laws.
Following the data breach, several potential victims filed lawsuits alleging various injuries. (Dkt. 9–2 at 3). The Court consolidated the lawsuits, appointed interim lead counsel, and directed Plaintiffs to file a consolidated master complaint. (Dkt. 27; Dkt. 28; Dkt. 80).
On April 15, 2016, Plaintiffs filed the Consolidated Master Complaint ("CMC"). On May 31, 2016, the Excellus Defendants filed a motion to dismiss. (Dkt. 107). Plaintiffs responded in opposition to the Excellus Defendants' motion to dismiss on July 7, 2016. (Dkt. 122). On August 8, 2016, the Excellus Defendants filed a reply in further support of their motion to dismiss. (Dkt. 133). Oral argument was held before the undersigned on September 8, 2016. (Dkt. 139). On February 22, 2017, the Court issued a Decision and Order in which it concluded, inter alia , that certain Plaintiffs—the so-called "non-misuse" Plaintiffs who did not allege that they had suffered any misuse of their personally identifiable information after the data breach—did not allege an injury-in-fact based on the alleged harm of increased risk of identity theft. (Dkt. 140 at 22–23). The Court reasoned that those Plaintiffs' risk of future harm was not certainly impending because none of those Plaintiffs had alleged any misuse in the three years since the data breach began, and that their alleged injuries depended on a chain of possibilities about the actions of independent actors. (See id. ). The Court also pointed out, based on extra-pleading materials submitted by Plaintiffs, that it was unclear whether patient data had been exfiltrated, and, by extension, it was not clear whether cyber attackers breached the Excellus network in order to commit identity fraud. (See id. ). The Court further found that the four non-misuse Plaintiffs' alternative bases for standing were insufficient. (Id. at 24–28). Therefore, the Court granted the Excellus Defendants' motion to dismiss the four non-misuse Plaintiffs (Fero, Church, Boomershine, and Caltagarone) for lack of standing on the basis that they did not allege an injury-in-fact. (Id. at 29). The Court dismissed those plaintiffs' claims without prejudice. (Id. ).
On March 22, 2017, Plaintiffs moved for reconsideration of that portion of the Court's Decision and Order that dismissed the non-misuse Plaintiffs' claims. (Dkt. 142). On May 3, 2017, the Excellus Defendants responded in opposition to Plaintiffs' motion for reconsideration. (Dkt. 156). Plaintiffs filed a reply in further support of their motion on May 17, 2017. (Dkt. 166). The parties have also submitted multiple letters identifying supplemental authority for their respective positions, each of which the Court has considered in rendering this decision. (See Dkt. 174; Dkt. 175; Dkt. 176; Dkt. 177; Dkt. 178; Dkt. 179; Dkt. 180).
DISCUSSION
I. Standard for Reconsideration
Plaintiffs bring this motion for reconsideration pursuant to Federal Rules of Civil Procedure 59(e) and 60(b)(1) and (2). (Dkt. 142).
Plaintiffs also cite former Local Rule of Civil Procedure 7(d)(3), which addressed the procedure and time to file a motion for reconsideration: "A motion for reconsideration or reargument, unless governed by Fed. R. Civ. P. 60, shall be treated as falling within the scope of Fed. R. Civ. P. 59(e). Thus, the motion must be filed and served no later than twenty-eight (28) days after the entry of the challenged judgment, order, or decree and, pursuant to Fed. R. Civ. P. 6(b)(2), no extension of time will be granted. The motion will be decided on the papers, absent a Court order scheduling oral argument." L.R. Civ. P. 7(d)(3). The most recent amendments to this Court's Local Rules of Civil Procedure eliminated Local Rule 7(d)(3).
Rule 54 of the Federal Rules of Civil Procedure defines "judgment" as "a decree and any order from which an appeal lies." Fed. R. Civ. P. 54(b). Rule 59(e) governs a "motion to alter or amend a judgment." Fed. R. Civ. P. 59(e). Rule 60(b) provides that the Court "may relieve a party ... from a final judgment, order, or proceeding." Fed. R. Civ. P. 60(b). According to the Advisory Committee's notes on the 1946 Amendment of Rule 60 :
The addition of the qualifying word "final" emphasizes the character of the judgments, orders or proceedings from which Rule 60(b) affords relief; and hence interlocutory judgments are not brought within the restrictions of the
rule, but rather they are left subject to the complete power of the court rendering them to afford such relief from them as justice requires.
Fed. R. Civ. P. 60(b) advisory committee's note to 1946 amendment (emphasis added); see also Transaero, Inc. v. La Fuerza Aerea Boliviana , 99 F.3d 538, 541 (2d Cir. 1996) ("By its own terms, Rule 60(b) applies only to judgments that are final.").
The Court's prior Decision and Order is not a judgment as defined in Rule 54(a), in that it is not a "decree ... [or] order from which an appeal lies." Fed. R. Civ. P. 54(a) ; see also 28 U.S.C. § 1291 (stating that the courts of appeals "shall have jurisdiction of appeals from all final decisions of the district courts of the United States"); Coopers & Lybrand v. Livesay , 437 U.S. 463, 467, 98 S.Ct. 2454, 57 L.Ed.2d 351 (1978) (noting that a final decision "ends the litigation on the merits and leaves nothing for the court to do but execute the judgment" (citation omitted) ). The prior Decision and Order did not adjudicate all of Plaintiffs' claims; it dismissed certain claims and certain parties without prejudice, but it ordered that others remain. (See Dkt. 140). "To state it another way, ‘finality does not attach to an order that dismisses some plaintiffs but not all.’ " Ashmore v. CGI Grp., Inc. , 860 F.3d 80, 86 (2d Cir. 2017) (quoting C. Wright & A. Miller, Federal Practice and Procedure § 3914.7 (2d ed. Apr. 2017 Update) ). Thus, Rules 59(e) and Rule 60(b) are procedurally defective means for seeking reconsideration of the Decision and Order. See Bridgeforth v. McKeon, No. 09-CV-6162P, 2012 WL 3962378, at *2 (W.D.N.Y. Sept. 10, 2012) (concluding that reconsideration of an interlocutory order was not available under Rule 60(b) ); D.A. Elia Constr. Corp. v. U.S. Fid. & Guar. Co., No. 94-CV-0190E( ), 1997 WL 215526, at *2 (W.D.N.Y. Apr. 16, 1997) (concluding that Rules 59(e) and 60(b) do not apply to interlocutory orders, but noting that "a district court has the discretion to reconsider and, if appropriate, revise an interlocutory order at any time prior to final judgment"); Burke v. Warren Cty. Sheriff's Dep't, 916 F.Supp. 181, 183 (N.D.N.Y. 1996) (finding that Rule 60(b) motion was "improper procedural vehicle" for request to reconsider decision granting summary judgment in favor of some defendants).
Nonetheless, separate and apart from the procedural avenues set forth in Rules 59(e) and 60(b), the Court has the power to reconsider and modify interlocutory orders prior to the entry of judgment. See Fed. R. Civ. P. 54(b) ("[A]ny order or other decision ... that adjudicates fewer than all the claims ... does not end the action as to any of the claims or parties and may be revised at any time before the entry of a judgment adjudicating all the claims and all the parties' rights and liabilities."); Williams v. County of Nassau , 779 F.Supp.2d 276, 280 & n.2 (E.D.N.Y. 2011) ("A district court retains absolute authority to reconsider or otherwise affect its interlocutory orders any time prior to appeal."), aff'd , 581 Fed.Appx. 56 (2d Cir. 2014).
The Second Circuit has "limited district courts' reconsideration of earlier decisions under Rule 54(b) by treating those decisions as law of the case." Official Comm. of Unsecured Creditors of the Color Tile, Inc. v. Coopers & Lybrand, LLP , 322 F.3d 147, 167 (2d Cir. 2003). Under the law of the case doctrine, "when a court decides upon a rule of law, that decision should continue to govern the same issues in subsequent stages in the same case." Arizona v. California, 460 U.S. 605, 618, 103 S.Ct. 1382, 75 L.Ed.2d 318 (1983). A district court has "discretion to revisit earlier rulings in the same case, subject to the caveat that ‘where litigants have once battled for the court's decision, they should neither be required, nor without good reason permitted, to battle for it again.’ " Coopers & Lybrand, LLP , 322 F.3d at 167 (quoting Zdanok v. Glidden Co. , 327 F.2d 944, 953 (2d Cir. 1964) ). Decisions considered under Rule 54(b)"may not usually be changed unless there is ‘an intervening change of controlling law, the availability of new evidence, or the need to correct a clear error or prevent a manifest injustice.’ " Id. (quoting Virgin Atl. Airways, Ltd. v. Nat'l Mediation Bd. , 956 F.2d 1245, 1255 (2d Cir. 1992) ). With these principles in mind, the Court turns to Plaintiffs' arguments.
II. The Second Circuit's Decision in Whalen v. Michaels Stores, Inc.
In their reply brief, Plaintiffs seek reconsideration based on the Second Circuit's decision in Whalen v. Michaels Stores, Inc. , 689 Fed.Appx. 89 (2d Cir. 2017) (summary order). (See Dkt. 166 at 15–16). Although Plaintiffs cited Whalen as a basis for reconsideration only for the first time in reply, Plaintiffs did so understandably: the Second Circuit issued its decision in Whalen on May 2, 2017, just one day before Defendants filed their response to the motion for reconsideration (Dkt. 156) and approximately two weeks before Plaintiffs filed their reply brief (Dkt. 166). Since briefing on the motion for reconsideration concluded, the parties have submitted to the Court several letters identifying supplemental authority in support of their respective positions on reconsideration, all of which have been considered by the Court. (See Dkt. 174; Dkt. 175; Dkt. 176; Dkt. 177; Dkt. 178; Dkt. 179; Dkt. 180). In one letter, Defendants discuss Whalen and attempt to distinguish it from the instant case. (See Dkt. 176 at 2–3). Defendants argue that " Whalen is distinguishable in that it is a payment card case," and that "the court denied standing based on an alleged increased risk of identity theft in a case where the plaintiff, unlike the four non-misuse plaintiffs here, was able to actually allege that her own information had fraudulently been misused." (Id. at 3).
In its prior Decision and Order, this Court observed that the Second Circuit had not weighed in on the issue of whether increased risk of identity theft is sufficient for standing in a data breach case but recognized that it was poised to do so in Whalen , an appeal that was pending at that time. (Dkt. 140 at 15). This Court also observed that courts—both circuit and district courts—have split over that issue and reached different results. (Id. ). As for the circuit courts, at that time, the Sixth, Seventh, and Ninth Circuits had found standing based on increased risk of identity theft, while the Third and Fourth Circuits had found such injury too speculative to warrant standing. (Id. ). Compare Galaria v. Nationwide Mut. Ins. Co. , 663 Fed.Appx. 384, 388 (6th Cir. 2016) (finding standing based on increased risk of identity theft), and Lewert v. P.F. Chang's China Bistro, Inc. , 819 F.3d 963, 967 (7th Cir. 2016) (same), and Remijas v. Neiman Marcus Grp., LLC , 794 F.3d 688, 693 (7th Cir. 2015) (same), and Krottner v. Starbucks Corp. , 628 F.3d 1139, 1142–43 (9th Cir. 2010) (same), with Beck v. McDonald , 848 F.3d 262, 275 (4th Cir.) (finding increased risk of identity theft insufficient for standing), cert. denied sub nom. Beck v. Shulkin , ––– U.S. ––––, 137 S.Ct. 2307, 198 L.Ed.2d 728 (2017), and Reilly v. Ceridian Corp. , 664 F.3d 38, 43 (3d Cir. 2011) (same).
Since the Court issued its prior Decision and Order on February 22, 2017, the circuit split has deepened. In a decision issued on August 1, 2017, the D.C. Circuit held that the increased risk of identity theft was sufficiently imminent to establish standing in the wake of a health insurer's data breach. See Attias v. Carefirst, Inc. , 865 F.3d 620, 629–30 (D.C. Cir. 2017). Shortly thereafter, in a decision issued on August 30, 2017, the Eighth Circuit concluded that increased risk of future identity theft was insufficient to constitute an injury in fact. See In re SuperValu, Inc. , 870 F.3d 763, 769 (8th Cir. 2017). This issue may be headed to the Supreme Court, as a petition for a writ of certiorari has been filed in Attias and is currently pending. See Petition for Writ of Certiorari, CareFirst, Inc. v. Attias , (No. 17-641), 2017 WL 5041488 (filed Oct. 30, 2017).
Whalen , the Second Circuit's only guidance on this standing issue, was issued after this Court issued its Decision and Order. Whalen was an appeal of the district court's dismissal of Whalen's complaint against Michaels Stores, Inc., for lack of standing. 689 Fed.Appx. at 89. The district court concluded that Whalen failed to allege a cognizable injury resulting from the exposure of her credit card information after a data breach at a Michaels store. Id. Whalen alleged in her complaint that, after she had used her credit card to make purchases at a Michaels store, her credit card twice was presented to attempt to make fraudulent purchases in Ecuador. See id. at 90. She further alleged that, shortly thereafter, she cancelled her credit card; accordingly, she did not actually incur any fraudulent charges on the card or ever become liable for payment of the charges. Id. The district court found that these allegations were insufficient to establish standing, and the Second Circuit affirmed in a summary order. Id. at 90–91. In so concluding, the Second Circuit pointed out that Whalen "does not allege how she can plausibly face a threat of future fraud,"—one of her proffered theories of injury—"because her stolen credit card was promptly canceled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen." Id. at 90–91. The implication of this observation is that, if Whalen had alleged the theft of personally identifying information, she would have had standing based on a threat of future fraud. See id.
In support of this conclusion, the Second Circuit favorably cited the Sixth Circuit's decision in Galaria , 663 Fed.Appx. at 386, and summarized its holding as follows: "[P]laintiffs had standing to bring data breach claims when the breached database contained personal information such as ‘names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver's license numbers.’ " Whalen , 689 Fed.Appx. at 91 (quoting Galaria , 663 Fed.Appx. at 386 ). The Second Circuit also distinguished Whalen from the Seventh Circuit's cases, stating "[t]hese shortcomings in Whalen's complaint distinguish her case from two Seventh Circuit cases, both involving vendor data breaches, upon which she heavily relies, Remijas v. Neiman MarcusGrp., LLC , 794 F.3d 688 (7th Cir. 2015), and Lewert v. P.F. Chang's China Bistro, Inc. , 819 F.3d 963 (7th Cir. 2016)." Id. at 91 n.1.
As Defendants point out, Whalen is a payment card case in which the plaintiff did not have standing based on an increased risk of identity theft. However, Whalen' s favorable citations to Galaria , Remijas , and Lewert suggest that the Second Circuit would follow the approach to the standing issue adopted by the Sixth and Seventh Circuits, which have both found standing based on increased risk of identity theft. Indeed, a district court in the Southern District of New York has interpreted it that way when concluding, in a data breach case, that an imminent risk of future identity theft satisfies the injury-in-fact requirement. See Sackin v. TransPerfect Glob., Inc. , 278 F.Supp.3d 739, 746 (S.D.N.Y. 2017) ("The harms alleged in the Complaint do not stretch imminence beyond its breaking point. The allegations that Defendant has provided Plaintiffs' names, addresses, dates of birth, Social Security numbers and bank account information directly to cyber-criminals creates a risk of identity theft sufficiently acute so as to fall comfortably into the category of ‘certainly impending.’ The most likely and obvious motivation for the hacking is to use Plaintiffs' [personally identifiable information] nefariously or sell it to someone who would. Circuit courts addressing this issue consistently have held that Article III does not require Plaintiffs to wait for their identities to be stolen before seeking legal recourse." (citations omitted) ). That court pointed to Whalen as evidence that the Second Circuit would join the Sixth Circuit, Seventh Circuit, and—more recently—the D.C. Circuit in holding that increased risk of identity theft is sufficiently imminent to establish standing. Id. at 745-47. However, Whalen does not explicitly reach that holding; rather, it is only implied. See Whalen , 689 Fed.Appx. at 90–91.
Moreover, reliance on Whalen as a basis for reconsideration is problematic for an additional reason: it is an unpublished summary order. Second Circuit Local Rule 32.1.1 states that "[r]ulings by summary order do not have precedential effect." 2d Cir. Local Rule 32.1.1(a). Relying on that rule, "courts in this Circuit have repeatedly denied motions for reconsideration that are based on unpublished summary orders because summary orders, according to the Second Circuit's own rules, do not represent an ‘intervening change of controlling law’ that warrant reconsideration." Hastings Dev., LLC v. Evanston Ins. Co. , No. 14-CV-6203(ADS)(AKT), 2016 WL 3632708, at *4 (E.D.N.Y. June 29, 2016) (citing Hoefer v. Bd. of Educ. of the Enlarged City Sch. Dist. of Middletown , 820 F.3d 58, 65 (2d Cir. 2016) (rejecting appellees' reliance on a summary order because "an unpublished summary order ... is not precedential" in an appeal from partial grant of summary judgment and from dismissal for failure to seek timely reinstatement after conditional dismissal order) ) (collecting cases from district courts in the Second Circuit denying reconsideration based on a summary order). To justify reconsideration, the change in the law must be controlling.
Despite the fact that Whalen —a summary order—does not expressly state that the Second Circuit would find increased risk of identity theft sufficient for standing, this Court concludes (like the Sackin court) that Whalen strongly implies that the Second Circuit would follow those circuits that have held that a risk of future identity theft is sufficient to plead an injury in fact. The Court recognizes that the issue is unresolved, and reasonable jurists may disagree, as evidenced by the circuit split. Indeed, this Court initially concluded otherwise, and another panel of the Second Circuit squarely addressing the issue might take a different stance, as might the Supreme Court, should it choose to grant the pending petition for certiorari in Attias. Nevertheless, this Court finds Whalen 's implications compelling.
When initially confronted with the Excellus Defendants' Rule 12(b)(1) motion directed to the non-misuse Plaintiffs, this Court concluded that resolution of the motion was a close call. With no Second Circuit precedent on point, this Court determined that the non-misuse Plaintiffs' allegations of the threat of future identity theft did not cross the line to establish standing based on what this Court perceived to be the more persuasive reasoning of the other circuits to have addressed the issue. However, had the Second Circuit decided Whalen before this Court issued its prior Decision and Order, this Court would have been compelled to resolve the challenge to the non-misuse Plaintiffs' standing differently. Each of the non-misuse Plaintiffs alleged that his or her personal information—including "names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification, financial information, credit card numbers, and medical claims information"—had been "compromised" in the data breach. (See CMC at ¶¶ 2–3, 17, 30, 33, 36). Moreover, Plaintiffs' allegations suggest that nefarious purposes motivated the cyberattack, given that hackers had been targeting healthcare companies and that the types of personal information stored on the Excellus networks are particularly valuable for committing identity theft and fraud. (See id. at ¶¶ 130, 146–67; see also id. at ¶ 167(e) ("All of these injuries suffered by the Plaintiffs and Class Members are a direct and proximate result of the Excellus data breach and include ... the imminent and certain impending injury flowing from fraud and identify theft posed by their PII and PHI being placed in the hands of unknown third parties.") ). It follows from Whalen that allegations such as those would persuade the Second Circuit to find an injury in fact. As a result, and to avoid "manifest injustice," Coopers & Lybrand, LLP , 322 F.3d at 159, the Court concludes that reconsideration is warranted as an exercise of its discretion. Cf. Allstate Ins. Co. v. Valley Physical Med. & Rehab., P.C. , 555 F.Supp.2d 335, 337 (E.D.N.Y. 2008) ("The decision to grant or deny a motion for reconsideration lies squarely within the discretion of the district court.") (citing Devlin v. Transp. Comm'ns Union , 175 F.3d 121, 132 (2d Cir. 1999) ).
III. Evidence about the Dark Web and the Mandiant Report
This Court's conclusion that reconsideration is warranted based on Whalen is further buttressed by the evidence that Plaintiffs offer in support of their motion for reconsideration. As discussed below, although the evidence is not newly discovered, the Court concedes that if it had the benefit of the information at the time it issued its prior Decision and Order, it would have impacted its decision about the non-misuse Plaintiffs' standing.
A. Plaintiffs' Arguments
Plaintiffs seek reconsideration "based on newly discovered evidence that would reasonably be expected to have altered this Court's holding that the non-misuse Plaintiffs lacked standing." (Dkt. 143 at 6). According to Plaintiffs, "[t]he newly discovered evidence shows the non-misuse Plaintiffs are at a substantial risk of identity theft and/or that this harm is certainly impending, thereby establishing injury-in-fact." (Id. ). Plaintiffs point to two categories of newly discovered evidence: an expert affidavit describing the results of Deep and Dark Web searches, and an expert affidavit describing the Mandiant Intrusion Report. (Id. at 20).
1. Dark Web Searches
First, Plaintiffs point to evidence that the protected health information ("PHI") and/or personally identifiable information ("PII") of three out of the four non-misuse Plaintiffs has been found for sale on the Deep and Dark Web (collectively, "Dark web"), as described in the affidavit of Todd Jones, Vice President of New Product Development for Intersections, Inc., who was retained by Plaintiffs' counsel on July 26, 2016, to investigate the exposure of Plaintiffs' PII and PHI on the Dark web. (Dkt. 143 at 20; Dkt. 44 ("Matarazzo Decl.") at ¶ 14; Dkt. 146 ("Jones Aff.") at ¶¶ 1–2). According to Jones, "[t]he Deep Web is the portion of the internet that is not indexed by standard search engines" (Jones Aff. at ¶ 4), while "[t]he Dark Web is a subset of the Deep Web, and consists of sites that are inaccessible to most users, often requiring specialized encryption software and other tools that mask the locations and identities of their users" (id. at ¶ 5). Jones further states that "[t]he Deep and Dark Web are commonly used for criminal activity" (id. at ¶ 7) and "the sale and purchase of PII and PHI compromised in a data breach" (id. at ¶ 8).
According to the CMC, PHI and PII are among the types of personal information allegedly compromised in the data breach. (CMC at ¶ 2). "The Personal Information compromised in the Excellus data breach includes names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification, financial information, credit card numbers, and medical claims information belonging to millions of adults and minor children." (Id. at ¶ 3).
According to Jones, his investigation revealed that some non-misuse Plaintiffs' data is being sold on the Dark web. (Jones Aff. at ¶¶ 12–13, 16). Jones states, "[s]earching the Deep and Dark Web Data Breach Data Base, leaked documents were found in which PII and PHI about Plaintiff Matthew Fero is exposed," that is, his chiropractic medical records. (Jones Aff. at ¶ 12). Jones also states that the search revealed that Plaintiff Boomershine's email address and password account credentials, dated both October 2013 and June 2016, were on the Dark web, along with the email and password account credentials of six misuse Plaintiffs. (Id. at ¶ 13(g) ). Moreover, Jones' second search revealed "additional exposed PII data for fifteen of the twenty Plaintiffs and exposed documents for one other Plaintiff, which included PHI"; among the exposed information was one plaintiff's social security number. (Id. at ¶ 16).
Plaintiffs' counsel represents that, "[o]n August 16, 2016, plaintiffs received a draft report with the results of high level Deep and Dark Web ... searches for named plaintiffs' PII and PHI." (Matarazzo Decl. ¶ 15). At that time, the Excellus Defendants' motion to dismiss was still pending. (See Dkt. 140 (issued February 22, 2017) ).
2. Mandiant Intrusion Report
Second, Plaintiffs point to the Mandiant Intrusion Report ("Mandiant Report"), arguing that it shows that "Plaintiffs' PII was targeted, collected and exfiltrated from Excellus's network by the attackers." (Dkt. 143 at 5; see also id. at 21–25). In advancing this argument, Plaintiffs rely on the analysis of John Jorgensen, the Chief Executive Officer of Sylint Group, a cybersecurity firm. (Dkt. 145 ("Jorgensen Aff." at ¶¶ 1–2) ). Plaintiffs retained Jorgensen on October 14, 2015, to provide Plaintiffs with cybersecurity expertise in this matter. (Matarazzo Decl. ¶ 16; Jorgensen Aff. at ¶ 10). Jorgensen received the Mandiant Report on May 21, 2016, and discussed the Mandiant Report and its findings with Plaintiffs' counsel in July, August, and December 2016. (Jorgensen Aff. at ¶¶ 11–12). Jorgensen's analysis of the Mandiant Report and discussion of the evidence that, in his view, indicates that the hackers exfiltrated PII and PHI for the purpose of, inter alia, committing identity theft, are set forth in an affidavit that is, in part, filed under seal. (See Dkt. 163 (Sealed Jorgensen Aff.) ). Based on his experience in cybersecurity and his review of the evidence in the Mandiant Report, Jorgensen stated, "it is my opinion to a reasonable degree of scientific certainty that PII and PHI maintained on the Excellus network was targeted, collected, exfiltrated and put up for sale o[n] DarkNet by the attacker for the purpose of, among other things, allowing criminals to purchase the PII and PHI to commit identity theft." (Jorgensen Aff. at ¶ 40).
B. Defendants' Arguments
The Excellus Defendants argue that the evidence summarized above is not new, and, therefore, insufficient to warrant reconsideration of the Court's Decision and Order. (Dkt. 156 at 25). According to Defendants, Plaintiffs adopted a "wait-and-see approach," choosing not to disclose the evidence to the Court until after the Court issued its Decision and Order—even though (1) Plaintiffs retained Jones in July 2016; (2) Jones first reported his findings to Plaintiffs in August 2016; (3) Jorgensen received the Mandiant Report in May 2016; and (4) Plaintiffs' counsel met with Jorgensen about the Mandiant Report in July, August, and December 2016. (Id. ). Defendants point out that all of those events occurred before the Court issued its Decision and Order, and most of them occurred before oral argument on the motion to dismiss on September 8, 2016. (Id. ). In Defendants' view, Plaintiffs had knowledge of the evidence before argument on the motion to dismiss, and therefore, the evidence is not new. (Id. at 26).
C. Analysis
Courts in this district apply "the standards of Rule 60(b)(2)... where, as here, ‘a party seeks to avoid the [law of the case] by reopening factual issues based upon new evidence.’ " Johnson v. Askin Capital Mgmt., L.P. , 202 F.R.D. 112, 114 (S.D.N.Y. 2001) (alteration in original) (quoting Morin v. Trupin , 809 F.Supp. 1081, 1086 (S.D.N.Y. 1993) ). A party moving for relief under Rule 60(b)(2) based on newly discovered evidence must "meet an ‘onerous standard’ " by demonstrating the following:
(1) the newly discovered evidence was of facts that existed [at] the time of the prior dispositive proceeding, (2) the movant must have been justifiably ignorant of them despite due diligence, (3) the evidence must be admissible and of such importance that it probably would have changed the outcome, and (4) the evidence must not be merely cumulative or impeaching.
Id. (quoting United States v. International Brotherhood of Teamsters , 247 F.3d 370, 392 (2d Cir. 2001) ).
The first question is whether Plaintiffs have demonstrated that the two categories of evidence discussed above—the Dark web searches and the Mandiant Report information—are newly discovered. For evidence to be considered new, it must be "evidence that was ‘truly newly discovered or could not have been found by due diligence.’ " Space Hunters, Inc. v. United States , 500 Fed.Appx. 76, 81 (2d Cir. 2012) (quoting United States v. Potamkin Cadillac Corp. , 697 F.2d 491, 493 (2d Cir. 1983) ). The cited evidence does not meet that standard. By Plaintiffs' own account, the evidence was available during their briefing on the motion to dismiss, but they did not bring it to the Court's attention. See Yi Xiang v. Inovalon Holdings, Inc. , 268 F.Supp.3d 515, 523 (S.D.N.Y. 2017) (declining to reconsider denial of motion to dismiss where purportedly new information was "not evidence that was unavailable to [the d]efendants during their briefing of the motion to dismiss—they just did not previously raise it"). After Plaintiffs became aware of the evidence, they could have, at the very least, moved to amend the complaint on that basis. The heart of Plaintiffs' argument based on newly discovered evidence appears not to be that the evidence was truly "new" and could not have been found, but rather that Plaintiffs "had no legal obligation to submit evidence in response to defendants' facial motion to dismiss." (Dkt. 166 at 10). However, the procedural question of whether Plaintiffs were required to bring the evidence to the Court's attention is different from whether the evidence was newly discovered for purposes of reconsideration.
Plaintiffs' opposition to the motion to dismiss requested leave to amend the complaint in the event that the Court concluded that Plaintiffs lacked standing or had not stated a claim. (See Dkt. 122–3 at 51 ("To the extent the Court concludes that Plaintiffs lack Article III standing or have not adequately stated a claim upon which relief can be granted, Plaintiffs respectfully request leave to amend their pleadings consistent with the Court's ruling.") ). Plaintiffs' cursory request was procedurally defective under the Local Rules of Civil Procedure. See Wi3, Inc. v. Actiontec Elecs., 71 F.Supp.3d 358, 363 (W.D.N.Y. 2014) (finding request for leave to amend defective for failure to comply with Local Rules of Civil Procedure); see also Food Holdings Ltd. v. Bank of Am. Corp., 423 Fed.Appx. 73, 76 (2d Cir. 2011) (finding district court did not abuse its discretion in denying leave to amend complaint when request to amend was made "on the final page of their brief in opposition to defendants' motion to dismiss, in boilerplate language and without any explanation as to why leave to amend was warranted" and collecting cases). Local Rule 15(a) provides that "[a] movant seeking to amend or supplement a pleading must attach an unsigned copy of the proposed amended pleading as an exhibit to the motion," and Local Rule 15(b) requires parties represented by counsel to identify the proposed amendments "through the use of a word processing ‘redline’ function or other similar markings...." L.R. Civ. P. 15(a), (b). Because Plaintiffs did not comply with the Local Rules, the Court did not abuse its discretion in denying this "cursory or boilerplate request[ ] ... made solely in a memorandum in opposition to a motion to dismiss." Malin v. XL Capital, Ltd., 312 Fed.Appx. 400, 402 (2d Cir. 2009) (citation omitted). If Plaintiffs wished to seek leave to amend, they should have done so through a procedurally compliant motion.
Setting aside the fact that the evidence is not newly discovered—which makes it a procedurally defective basis for reconsideration—the Court acknowledges that it certainly supports an argument that cyber attackers committed the data breach and stole Plaintiffs' information, including that of at least some of the non-misuse Plaintiffs, for nefarious reasons and to commit identity fraud. While not justifying reconsideration in and of itself, particularly because the information was known by Plaintiffs at the time of the argument before this Court on the motions to dismiss and should have been brought to the Court's attention at that time, the existence of this evidence reinforces the Court's conclusion that, based on the Second Circuit's decision in Whalen , reconsideration is warranted in order to avoid a manifest injustice. Had the Court had the benefit of all this additional information when it rendered the Decision and Order, it would have reached a different conclusion—and it does so now.
IV. Plaintiffs' Remaining Arguments Based on a Need to Correct Clear Error of Law
Plaintiffs argue that the Court's Decision and Order contained certain clear errors of law with respect to the dismissal of the four non-misuse Plaintiffs. Specifically, Plaintiffs argue that the Court committed a clear error of law when it considered extra-pleading materials when resolving the Excellus Defendants' motion to dismiss. (Dkt. 143 at 5). Plaintiffs also argue that the Court committed a clear error of law when it denied the non-misuse Plaintiffs the opportunity to replead to provide additional jurisdictional facts. (Id. ). They argue that the Court, in its application of the test for standing set forth in Khan v. Children's National Health System , 188 F.Supp.3d 524, 531 (D. Md. 2016), overlooked an element that confers standing on the non-misuse Plaintiffs, and that it should have found that Plaintiff Fero had an independent source of standing: his breach of contract claim. (Id. at 5–6).
Because the Court has already concluded that reconsideration is warranted, it need not address Plaintiffs' remaining arguments in support of reconsideration based on purported clear errors of law. However, the Court notes that, even if Plaintiffs are correct that it was error for the Court to consider the extra-pleading materials, those materials were not essential to the Court's conclusion that the non-misuse Plaintiffs did not have an injury in fact. Separate and apart from those materials, the Court's conclusion was based on the non-misuse Plaintiffs' failure to allege any misuse of their personal information, which undercut their assertion that the harm of future identity theft is certainly impending. The Court also found that the asserted harm was speculative because it relied on a chain of possibilities about the actions of independent actors. The purpose of citing to the extra-pleading materials—which state that it is unclear whether the hackers exfiltrated the data and therefore do not give a clear indication that the hackers breached the network in order to commit identity fraud—was merely to bolster the Court's conclusion that the harm was too speculative.
In the end, the Court's conclusion in the Decision and Order, and the Court's conclusion now, is a legal one: whether allegations of the threat of future harm based on misappropriation of personal identifying information such as those of the non-misuse Plaintiffs are sufficient for Article III standing. In its Decision and Order, this Court concluded that they were not—but now, with the Whalen decision, this Court concludes that, at least at this stage of the proceedings, the non-misuse Plaintiffs' claims should be allowed to proceed. The Mandiant Report's findings cited in the initial Decision and Order, much like the additional information that Plaintiffs have now brought to light about the Dark web, simply reinforce this Court's conclusion—but in neither case are those factual matters dispositive. Until the Supreme Court or the Second Circuit definitively weighs in, in this Circuit at least, harm based on the theft of personally identifying information, such as a social security number or date of birth, as alleged in the CMC, is sufficient to establish standing.
CONCLUSION
For the reasons set forth above, Plaintiffs' motion for reconsideration is granted (Dkt. 142), and, upon reconsideration, the Excellus Defendants' motion pursuant to Federal Rule of Civil Procedure 12(b)(1) to dismiss the four non-misuse Plaintiffs (Fero, Church, Boomershine, and Caltagarone) is denied.
SO ORDERED.