Opinion
Case No. 1:20cv235
03-30-2021
Finesse Express, LLC, et al., Plaintiffs, v. Total Quality Logistics, LLC, Defendant.
OPINION & ORDER
This matter is before the Court upon the Motion to Dismiss, or in the alternative, to Strike Class Allegations filed by Defendant Total Quality Logistics, LLC. (Doc. 16). Plaintiff filed a Response in Opposition (Doc. 18) and Defendants filed Reply (Doc. 19).
I. BACKGROUND
Defendant TQL is a freight broker which provides freight transportation and logistics services to customers. (Doc. 1, ¶ 2). Plaintiffs Finesse Express LLC, and Wider Group, Inc. are motor carriers. (Id., ¶ 3). Defendant contracts with motor carriers to pick up and deliver the freight of its customers. (Id., ¶ 2). Plaintiffs both entered into a contract with Defendant called a Broker/Carrier Agreement ("BCA"). (Id. ¶ 61). The BCA contains a "Confidentiality" provision which provides:
In addition to confidential information protected by law, whether statutory or otherwise, the Parties agree that all of their financial information and that of CUSTOMERS, including, without limitation, freight and brokerage rates, amounts received for brokerage services, amounts of freight charges collected, amounts of freight charges paid, freight volume requirements, as well as related CUSTOMER information, CUSTOMER shipping or other logistic requirements shared or learned between the Parties and CUSTOMERS shall be treated as confidential, and shall not be disclosed or used for any reason without prior written consent by the Parties. If
confidentiality is breached, the Parties agree that the remedy at law, including monetary damages, may be inadequate and that the Parties shall be entitled, in addition to any other remedy available, to an injunction restraining the violating Party from further violation of this Agreement.(Doc. 1-2, PAGEID# 41-42).
On February 27, 2020, Defendant emailed its customers and motor carriers to notify them that:
we have uncovered a breach of our IT systems. This breach compromised the security of our online portals for many of our carriers. We believe that external hackers gained access to your tax ID number, bank account numbers, and invoice information, including amounts and dates.(Doc. 1, ¶¶ 16-17). Plaintiffs allege that as a result of the data breach, they face an "increased risk of fraud and identity theft," and have had "to divert company resources away from transporting freight during a urgent time of nationwide supply-chain crisis, and instead expend company resources monitoring accounts and interfacing with the understaffed IRS to prevent business identity theft and the potentially bankruptcy-inducing problems that could result." (Id., ¶ 8). Plaintiffs also allege that "Finesse and other Class members have already experienced fraudulent transactions and all members will continue to incur damages in the form of, among other things, identity theft, attempted identity theft, lost business opportunities, paid and unpaid overtime, lost time and expenses mitigating harms, increased risk of harm, diminished value of the Confidential Information, loss of privacy, and/or additional damages." (Id.)
In their Complaint, Plaintiffs assert claims on behalf of a nationwide class defined as follows:
All persons whose sensitive personal and business information, including Social Security numbers or Tax ID numbers, bank account numbers, and [sic] was compromised as a result of the Data Breach at Total Quality Logistics, LLC announced in February 2020.(Id. ¶ 87). Plaintiffs bring four claims: negligence, breach of contract, unjust enrichment, and declaratory and injunctive relief. However, Plaintiffs' breach of contract claim is brought alternatively on behalf of a subclass of motor carriers. The parties agree that Ohio law applies to Plaintiffs' claims.
Defendant argues that Plaintiffs' Complaint should be dismissed pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) for lack of jurisdiction and failure to state a claim upon which relief can be granted. In the alternative, Defendant moves pursuant to Federal Rule of Civil Procedure 23 for an order striking the Complaint's class allegations.
II. ANALYSIS
Defendant argues that Plaintiffs' claims should be dismissed under Rule 12(b)(1) for lack of jurisdiction because Plaintiffs lack standing.
"Article III of the Constitution limits the jurisdiction of federal courts to 'Cases' and 'Controversies.'" Susan B. Anthony List v. Driehaus, 573 U.S. 149, 157, 134 S. Ct. 2334, 2341, 189 L. Ed. 2d 246 (2014) (quoting U.S. Const., Art. III, § 2). To establish Article III standing, a plaintiff must have: "(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). When a case is at the pleading stage, the plaintiff must clearly allege facts demonstrating each element of standing. See Spokeo, 136 S. Ct. at 1547 (quoting Warth v. Seldin, 422 U.S. 490, 518, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975)). However, "general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we 'presume[e] that general allegations embrace those specific facts that are necessary to support the claim.'" Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (quoting Lujan v. National Wildlife Federation, 497 U.S. 871, 889, 110 S.Ct. 3177, 111 L.Ed.2d 695 (1990)).
Defendant maintains that Plaintiffs cannot establish standing because Plaintiffs' allegations do not establish in injury-in-fact or an injury which is fairly traceable to Defendant.
1. Injury-in-fact
First, Defendant argues that Plaintiffs have failed to plausibly allege an injury in fact. Plaintiffs respond that they have suffered several separate injuries which each independently confer Article III standing: (1) breach of Plaintiffs' contract rights; (2) identity theft; (3) actual losses in time spent responding to data breach; (4) substantial risk of future harm based on increased risk of future identity theft; and (5) diminished value of confidential information.
"To establish injury in fact, a plaintiff must show that he or she suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'" Spokeo, 136 S. Ct. at 1548. The mere "possib[ility of] future injury," is insufficient to constitute an injury in fact. Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013). However, "[a]n allegation of future injury may suffice if the threatened injury is 'certainly impending,' or there is a 'substantial risk' that the harm will occur." Driehaus, 573 U.S. at 158, 134 S.Ct. 2334.
With regard to Plaintiffs' breach of contract claim, Defendant may question whether Plaintiffs can ultimately prove contract damages, but that is an issue separate and apart from whether they have adequately alleged an injury-in-fact. See Kanuszewski v. Michigan Dep't of Health & Human Servs., 927 F.3d 396, 407 (6th Cir. 2019) ("Our standing analysis does not consider the merits of Plaintiffs' claims . . ."). Here, Plaintiffs have alleged actual damages in the form of company time responding to the data breach (Doc. 1, ¶¶ 78, 81-82) and a lost business opportunity. (Id., ¶ 80). Therefore, Plaintiffs have standing to bring their breach of contract claim. Accord Cain v. Redbox Automated Retail, LLC, 981 F. Supp. 2d 674, 687 (E.D. Mich. 2013) (finding that plaintiffs adequately alleged injury-in-fact based on allegations that plaintiffs incurred actual monetary damages—even if nominal—because "a portion of the price of each Redbox rental paid for by Plaintiffs ... was intended to ensure the confidentiality of Plaintiffs' ... Personal Viewing Information."). In addition, Plaintiffs allege they were deprived of "the value of the Confidential Information for which there is a well-established and quantifiable national and international market." (Doc. 1, ¶ 47). Courts have held that a loss in value of personal information supports a finding that a plaintiff has suffered an injury in fact. See, e.g., also Svenson v. Google, Inc., 2015 WL 1503429, at *5 (N.D. Cal. Apr. 1, 2015) ("Svenson's allegations of diminution in value of her personal information are sufficient to show contract damages for pleading purposes."); but see Chambliss v. Carefirst, Inc., 189 F. Supp. 3d 564, 572 (D. Md. 2016) (finding that plaintiffs failed to allege injury in fact where there were no allegations that the plaintiffs attempted to sell their personal information or that, if they have, the data breach forced them to accept a decreased price for that information).
Defendant argues that Plaintiffs' allegations that it might suffer harm in the future— through identity theft or fraud—are not sufficient to establish standing. There is a circuit split in the federal courts whether an increased risk of future harm due to a data breach is sufficient for Article III standing. In re Rutter's Inc. Data Sec. Breach Litig., No. 1:20-CV-382, 2021 WL 29054, at *5 (M.D. Pa. Jan. 5, 2021) (citing cases). However, as one court has observed, "the differing sets of facts involved in each circuit's decision are what appear to have driven the ultimate decision on standing, not necessarily a fundamental disagreement on the law." In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F. Supp. 3d 1243, 1251 (M.D. Fla. 2019). This same court has identified the following factors which have courts have considered in their analysis: (1) the alleged motive of the unauthorized third party; (2) the type of information compromised, i.e., "easily changeable or replaceable information, such as credit and debit card information, and personally identifiable information, such as social security numbers, birth dates, or driver's license numbers, which is more static;" and (3) whether "there is evidence that a third-party has accessed the sensitive information and/or already used the compromised data fraudulently." Id. at 1251-54.
In an unpublished decision, the Sixth Circuit found that the plaintiffs' allegations of a risk of future harm due to a data breach were sufficient for Article III standing. In Galaria v. Nationwide Mut. Ins. Co., the plaintiffs brought a putative class action based on a data breach of "names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver's license numbers." 663 F. App'x 384, 385 (6th Cir. 2016). The Sixth Circuit held that the plaintiffs' "allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation." Id. at 388. The court explained that the theft of the plaintiffs' personal data "places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of 'possible future injury'" because "[t]here is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals."
In contrast, this Court recognized that under Galaria, "the mere allegation of a risk of harm based on a data breach, without evidence of data theft or that the intruder accessed Plaintiff's specific information, is insufficient to state an 'imminent' injury for purposes of Article III standing." Foster v. Health Recovery Servs., Inc., No. 2:19-CV-4453, 2020 WL 5943021, at *5 (S.D. Ohio Oct. 7, 2020). Therefore, it is not the data breach alone which serves as the basis for a finding of injury-in-fact, but instead, the set of circumstances surrounding the data breach which will guide the determination.
Here, Plaintiffs allege that the data breach included "tax ID number, bank account numbers, and invoice information, including amounts and dates." While the named Plaintiffs are businesses, this information is equivalent to the personal information accessed by hackers in Galaria. As the Sixth Circuit observed in that case, "[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints." 663 Fed. Appx. at 388. In addition, Plaintiffs have alleged that they have had to "expend company resources monitoring accounts and interfacing with the understaffed IRS to prevent business identity theft and the potentially bankruptcy-inducing problems that could result." (Doc. 1, ¶ 8). Similar allegations of mitigation costs to prevent the misuse of stolen personal information have been found to be sufficient to establish Article III injury. McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 816 (E.D. Ky. 2019) (standing existed based on allegations that plaintiffs "lost time and money as a result of taking steps to protect their personal data and prevent the misuse of that data by scammers."). Finally, Plaintiffs allege that as of February 28, 2020, nearly twenty carriers had been identified as having already experienced "ACH payment theft." (Doc. 1, ¶ 7 n.2). While Plaintiffs do not state that they have personally experienced theft, this allegation does support a finding that the risk of harm is substantial because the hackers have already used the compromised data. Therefore, the Court concludes that the complaint contains sufficient allegations to demonstrate that Plaintiffs suffered an injury in fact.
According to the website of the Federal Reserve:
The automated clearinghouse (ACH) system is a nationwide network through which depository institutions send each other batches of electronic credit and debit transfers. The direct deposit of payroll, social security benefits, and tax refunds are typical examples of ACH credit transfers. The direct debiting of mortgages and utility bills are typical examples of ACH debit transfers. While the ACH network was originally used to process mostly recurring payments, the network is today being used extensively to process one-time debit transfers, such as converted check payments and payments made over the telephone and Internet.The Federal Reserve, https://www.federalreserve.gov/paymentsystems/fedach_about.htm (last visited Feb. 23, 2021).
To be clear, this allegation alone would not be sufficient to support a finding of injury-in-fact. Regardless of whether members of the putative class have suffered injuries, Plaintiff must still establish standing. As this Court has previously acknowledged:
In the context of a class action lawsuit, the United States Supreme Court has stated that any named plaintiffs who represent a class "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent."Key v. DSW, Inc., 454 F. Supp. 2d 684, 687 (S.D. Ohio 2006) (quoting Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 40 n. 20, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976)).
2. Traceability
Defendant argues that even if Plaintiffs have plausibly alleged an injury-in-fact, Plaintiffs' injury is not traceable to Defendant. Defendant explains that Plaintiffs have not alleged that the information used to commit the alleged fraudulent transactions was the same information disclosed in the data breach.
According to the email Defendant sent to Plaintiffs, hackers gained access to Plaintiffs' "tax ID number, bank account numbers, and invoice information, including amounts and dates." (Doc. 1, Id. ¶ 17). Plaintiffs allege that as a result of the data breach, "Finesse and other Class members have already experienced fraudulent transactions" and "Plaintiff Finesse has identified unauthorized fraudulent charges as recently as March 16, 2020." (Id., ¶ 8, 24). These allegations are sufficient to establish the causation element at this stage of the litigation. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) ("It is enough at this stage of the litigation that Neiman Marcus admitted that 350,000 cards might have been exposed and that it contacted members of the class to tell them they were at risk. Those admissions and actions by the store adequately raise the plaintiffs' right to relief above the speculative level."). While Defendant is free to litigate at a later stage of the litigation whether the data breach caused Plaintiffs' fraudulent transactions, "this debate has no bearing on standing to sue." In re SuperValu, Inc., 870 F.3d 763, 773 (8th Cir. 2017) (quoting Remijas, 794 F.3d at 696). Therefore, the Court concludes that Plaintiffs' Complaint contains sufficient allegations to demonstrate that Plaintiffs suffered an injury that is fairly traceable to the challenged conduct.
3. Injunctive relief
Finally, Defendant argues that Plaintiffs do not have standing to seek an order for injunctive relief. A plaintiff requesting injunctive relief must show both "past injury and a real immediate threat of future injury." Mosley v. Kohl's Department Stores, Inc., 942 F.3d 752, 756 (6th Cir. 2019) (quoting Houston v. Marod Supermarkets, Inc., 733 F.3d 1323, 1329 (11th Cir. 2013)); see also City of Los Angeles v. Lyons, 461 U.S. 95, 102-103, 103 S.Ct. 1660, 75 L.Ed.2d 675 (1983) (holding that the threat of future injury must be "real and immediate").
Plaintiffs point out that the confidentiality provision of the BCA specifically provides for an injunction to remedy "further violation" of the parties' agreement to keep information confidential. (Doc. 1, ¶ 61). Plaintiff also alleges that Defendant still retains the confidential information of Plaintiffs, and Defendant's post-breach security measures are still inadequate to protect Plaintiffs from future injury. (Id., ¶¶ 48, 134-41). The Court concludes that based on Plaintiffs' allegations, Plaintiffs have demonstrated that there is a substantial risk of ongoing harm or the type of repeated injury which affords Plaintiffs standing to seek injunctive relief
Based on the foregoing, the Court concludes that Plaintiffs have standing to bring their claims for negligence, breach of contract, unjust enrichment, and declaratory and injunctive relief.
Defendant argues that Plaintiffs fail to state a claim and Plaintiffs' claims for negligence, breach of contract, unjust enrichment should be dismissed on their merits.
In reviewing a motion to dismiss for failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6), this Court must "construe the complaint in the light most favorable to the plaintiff, accept its allegations as true and draw all reasonable inferences in favor of the plaintiff." Bassett v. Nat'l Collegiate Athletic Ass'n, 528 F.3d 426, 430 (6th Cir. 2008) (quoting Directv, Inc. v Treesh, 487 F.3d 471, 476 (6th Cir. 2007)). Federal Rule of Civil Procedure 8 provides that all pleadings must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Although particular detail is not generally necessary, the factual allegations "must be enough to raise a right to relief above the speculative level" such that the claim "is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556-57 (2007). "Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 555). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. (citing Twombly, 550 U.S. at 556).
1. Breach of contract
In Ohio, "[t]o establish a claim for breach of contract, a plaintiff must prove: (1) the existence of a contract, (2) performance by the plaintiff, (3) breach by the defendant, and (4) damages or loss resulting from the breach." In re Fifth Third Early Access Cash Advance Litig., 925 F.3d 265, 276 (6th Cir. 2019) (citing Claris, Ltd. v. Hotel Dev. Servs., LLC, 104 N.E.3d 1076, ¶ 28 (Ohio Ct. App. 2018)). Plaintiffs' breach of contract claim is brought on behalf of the entire class, which would include Defendant's customers, who are not a party to a BCA. In the alternative, Plaintiffs have brought their breach of contract claim on behalf of a subclass of motor carriers who are a party to a BCA.
Defendants argue that Plaintiffs' breach of contract claim fails because, as a matter of law, Plaintiffs do not allege any conduct on the part of Defendant which constitutes a breach of the confidentiality provision of the BCA. Defendants maintain that while there was an agreement to treat certain information as confidential, nothing in the agreement required Defendant to take the steps identified by Plaintiffs' in their complaint: "to implement the necessary data security policies, rules, and procedures to protect the Confidential Information from hackers" or to "implement adequate IT security measures that reasonably conformed with industry standards." (Doc. 16, PAGEID# 121) (quoting Doc. 1, ¶¶ 6, 66).
In the BCA, Defendant agreed that Plaintiffs' information "shall be treated as confidential, and shall not be disclosed or used for any reason without prior written consent." (Doc. 1-2, PAGEID# 41-42). While the BCA does not specifically mention "necessary data security policies, rules, and procedures" or "adequate IT security measures," Plaintiffs have adequately plead a claim for breach of contract. It will be Plaintiffs' burden at a later stage of the litigation to prove that the failure to provide such measures constitutes a violation of Defendant's promise to treat Plaintiffs' information "as confidential."
Therefore, Defendant's Motion to Dismiss is DENIED as to Plaintiffs' breach of contract claim.
2. Negligence
To state a negligence claim under Ohio law, the plaintiff must allege sufficient facts to meet each of the following elements: "the existence of a duty, a breach of the duty, and an injury proximately resulting therefrom." Middleton v. Rogers Ltd., Inc., 804 F. Supp. 2d 632, 639 (S.D. Ohio 2011) (quoting Nageotte v. Cafaro Co., 160 Ohio App.3d 702, 828 N.E.2d 683, 688 (Ohio Ct. App. 2005)).
Defendant argues that the economic loss doctrine bars Plaintiffs' negligence claim.
Under Ohio law, "the economic loss rule generally prevents recovery in tort of damages for purely economic loss." Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St.3d 412, 835 N.E.2d 701, 704 (2005). "The well established general rule is that a plaintiff who has suffered only economic loss due to another's negligence has not been injured in a manner which is legally cognizable or compensable." Floor Craft Floor Covering, Inc. v. Parma Community General Hosp. Ass'n, 54 Ohio St.3d 1, 560 N.E.2d 206, 208 (1990) (quoting Nebraska Innkeepers, Inc. v. Pittsburgh-Des Moines Corp., 345 N.W.2d 124, 126 (Iowa 1984)). As the Ohio Supreme Court has explained: 'Tort law is not designed . . . to compensate parties for losses suffered as a result of a breach of duties assumed only by agreement. That type of compensation necessitates an analysis of the damages which were within the contemplation of the parties when framing their agreement. It remains the particular province of the law of contracts.'" Floor Craft, 54 Ohio St.3d at 7, 560 N.E.2d 206 (quoting Sensenbrenner v. Rust, Orling & Neale Architects, Inc., 236 Va. 419, 425, 374 S.E.2d 55 (Va. 1988)).
In Foster v. Health Recovery Servs., Inc., this Court analyzed whether the costs incurred to monitor the plaintiff's credit following a data breach fall within the purview of Ohio's economic loss doctrine or whether that claim must instead be pursued as a contract claim. Case No. 2:19-CV-4453, 2020 WL 5943021, at *10 (S.D. Ohio Oct. 7, 2020). This Court noted:
In Foster, the defendant was a non-profit which provided treatment for mental illness or substance abuse issues. 2020 WL 5943021, *1. The defendant notified its clients that for nearly a year, an unauthorized IP address had been remotely accessing its computer network, which contained the personal information of its clients. The plaintiff claimed, on behalf of himself and those similarly situated, that the defendant's failure to take reasonable measures to protect his personal information caused financial injury and placed him at risk of identity theft and fraud. Id.
Courts in Ohio permit a plaintiff to pursue a tort claim at the same time as a
breach of contract claim if "the plaintiff is able to demonstrate that tortious conduct by the defendant ... breached 'a duty owed separately from that created by the contract, that is, a duty owed even if no contract existed.' " Wells Fargo Bank, N.A. v. Fifth Third Bank, 931 F. Supp. 2d 834, 839 (S.D. Ohio 2013). Plaintiff must also allege "actual damages attributable to the wrongful acts of the alleged tortfeasor which are in addition to those attributable to the breach of the contract." Id. at 839.2020 WL 5943021, at *10. This Court concluded that because the plaintiff's tort and breach of contract claims were premised on the same allegations of wrongdoing and based on the same claims for damages, the plaintiff's negligence claim was barred by the economic loss doctrine. Id.
Here, Plaintiffs maintain that Defendant has an independent duty to handle its motor carriers' and customers' confidential information with due care and consistent with industry standards to prevent the foreseeable harm that arises from a breach of that duty.
Some courts have found the existence of a duty to take reasonable steps to safeguard personal information. For example, in McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, (E.D. Ky. 2019), the court explained that under either Kentucky or Utah law:
The Plaintiffs have provided sufficient information in the complaint to demonstrate that they were obligated to provide sensitive personal information to Allconnect as a condition of their employment. As a result, while Allconnect may not have had a duty to protect its employees from unknown or unforeseen third-parties, Allconnect did have a duty to prevent foreseeable harm to its employees and, as part of that duty, had a duty to safeguard the sensitive personal information of its employees from unauthorized release or theft. Of course, that is not to say that the Plaintiffs have demonstrated that the duty was breached in this case but only that, when reading the complaint in the light most favorable to the Plaintiff and assuming the facts as true, that the Plaintiffs have pleaded sufficient factual information in their complaint to demonstrate they were owed a duty of care.Id. at 818. However, even if Defendant did have a duty to safeguard Plaintiffs' information under Ohio law, Plaintiffs have not claimed any damages that Defendant's alleged negligence has caused in addition to the damages Plaintiffs seek to recover in their breach of contract claims. Instead, Plaintiffs allege one set of damages resulting from the data breach: Plaintiffs allege that in the weeks after the data breach, they spent approximately 15 hours responding to the data breach, including reviewing all transactions; spent time away from driving and acquiring loads contesting fraudulent charges; lost a 890-mile load worth $2,500 because of time spent responding to the data breach; and spent time on the phone with financial institutions and time monitoring company bank accounts. (Id., ¶¶ 78-81). As in Foster, Plaintiffs' negligence and breach of contract claims are premised on the same allegations and the same claims for damages. Therefore, the economic-loss rule bars Plaintiffs' negligence claim; and Defendant's Motion to Dismiss is GRANTED as to Plaintiffs' negligence claim.
3. Unjust enrichment
Defendant argues that Plaintiffs' unjust enrichment claim must be dismissed because the BCA is an express agreement which covers the controversy at issue here. Plaintiffs respond that their unjust enrichment claim is plead in the alternative.
"It is well established that Ohio law does not permit recovery under the theory of unjust enrichment when an express contract covers the same subject." Tunnell Hill Reclamation, LLC v. Endurance Am., Specialty Ins. Co., No. 2:15-CV-2720, 2016 WL 3689100, at *6 (S.D. Ohio July 12, 2016) (quoting Aultman Hosp. Ass'n v. Community Mut. Ins. Co., 544 N.E.2d 920, 924 (Ohio 1989)). However, "[a] claim for unjust enrichment may be pled in the alternative . . . when the existence of an express contract is in dispute and may be maintained despite the existence of an express contract where there is evidence of fraud, bad faith, or illegality." Gascho v. Glob. Fitness Holdings, LLC, 863 F. Supp. 2d 677, 699 (S.D. Ohio 2012) (citing Resource Title Agency, Inc. v. Morreale Real Estate Services, Inc., 314 F.Supp.2d 763, 772 (N.D.Ohio 2004)).
In this instance, Plaintiffs and Defendant do not dispute the existence of a contract between the parties; and Plaintiffs have not argued that there was fraud, bad faith or illegality, or otherwise questioned the validity of the BCA. Therefore, Defendant's Motion to Dismiss is GRANTED as to Plaintiffs' unjust enrichment claim.
4. Declaratory judgment
Defendant argues that Plaintiffs' declaratory judgment claim is duplicative of their negligence, contract, and unjust enrichment claims, and therefore, the declaratory judgment claim should be dismissed.
The Declaratory Judgement Act is "'an enabling Act, which confers a discretion on the courts rather than an absolute right upon the litigant.'" Wilton v. Seven Falls Co., 515 U.S. 277, 287, 115 S.Ct. 2137, 132 L.Ed.2d 214 (1995) (quoting Public Serv. Comm'n of Utah v. Wycoff Co., 344 U.S. 237, 241, 73 S.Ct. 236, 97 L.Ed. 291 (1952)). In deciding whether to entertain a declaratory judgment action, the following factors should be considered:
(1) whether the judgment would settle the controversy;Bituminous Cas. Corp. v. J & L Lumber Co., Inc., 373 F.3d 807, 813 (6th Cir. 2004).
(2) whether the declaratory judgment action would serve a useful purpose in clarifying the legal relations at issue;
(3) whether the declaratory remedy is being used merely for the purpose of "procedural fencing" or "to provide an arena for a race for res judicata";
(4) whether the use of a declaratory action would increase the friction between our federal and state courts and improperly encroach on state jurisdiction; and
(5) whether there is an alternative remedy that is better or more effective.
This Court concludes that factor one weighs in favor of dismissing Plaintiffs' declaratory judgment action. The declaratory judgment act claim would not settle the controversy regarding whether Defendant breached the BCA, and Plaintiffs' claim for breach of contract would serve a more useful purpose in that regard. However, factors two and five weigh against dismissing Plaintiffs' declaratory judgment claim. Plaintiffs' breach of contract claim would allow for an award of damages, but would not clarify the prospective obligations which Defendant may have to protect Plaintiffs' information under the BCA. Therefore, Plaintiffs' declaratory judgment claim would provide Plaintiffs' with more complete relief.
Therefore, Defendant's Motion to Dismiss is DENIED as to Plaintiffs' declaratory judgment claim.
5. Injunctive relief
Defendant argues that Plaintiffs' claim for injunctive relief is not a stand-alone claim, and therefore should be dismissed along with all of Plaintiffs' other claims. However, given the Courts' rulings above, Defendant's Motion to Dismiss Plaintiffs' claim for injunctive relief is DENIED.
C. Class allegations
In the alternative, Defendant argues that Plaintiffs' class allegations should be struck.
A defendant is permitted to file motion to strike before the plaintiffs have the opportunity to file a motion to certify the class. Pilgrim v. Universal Health Card, LLC, 660 F.3d 943, 949 (6th Cir. 2011) (explaining that Fed. R. Civ. 23(c)(1)(A) states that the district court should decide whether to certify a class "[a]t an early practicable time"). However, this this Court has previously acknowledged that courts should exercise caution when striking class action allegations based solely on the pleadings. Progressive Health & Rehab Corp. v. Quinn Med., Inc., 323 F.R.D. 242, 244-45 (S.D. Ohio 2017); see also Geary v. Green Tree Serv., LLC, No. 2:14-cv-00522, 2015 WL 1286347, at *17 (S.D. Ohio Mar. 20, 2015) ("The Court deems it prudent to assess the propriety of class certification in the context of a fully briefed class certification motion rather than in the context of a motion to strike class claims at the pleading stage."). "The moving party has the burden of demonstrating from the face of the ... complaint that it will be impossible to certify the class as alleged, regardless of the facts plaintiffs may be able to prove." Fishon v. Mars Petcare US, Inc., No. 3:19-CV-00816, 2020 WL 6826733, at *13 (M.D. Tenn. Nov. 20, 2020) (quoting Schilling v. Kenton Cnty, Ky., No. 10-CV-143, 2011 WL 293759, at *4 (E.D. Ky. Jan. 27, 2011)).
To certify a class pursuant to Federal Rule of Civil Procedure 23, a claimant must satisfy two sets of requirements: (1) each of the four prerequisites under Rule 23(a), and (2) the prerequisites of one of the three types of class actions provided for by Rule 23(b). Pilgrim, 660 F.3d at 945-46. The four prerequisites set forth in Rule 23(a) are as follows: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class.
Defendant argues that Plaintiffs' claims do not present common questions of law because Plaintiffs are seeking a nationwide class, but Plaintiffs' claims would need to be adjudicated under the laws of multiple jurisdictions. However, it is undisputed that the BCA contains a choice of law provision which states that Ohio law governs. In addition, the parties appear to agree that Ohio law applies to Plaintiffs' claims.
Defendant also argues that while the named Plaintiffs have brought a breach of contract claim on behalf of the class, Plaintiffs' proposed class includes Defendant's customers, who were not parties to a BCA. Defendant points out that under Ohio law, a breach of contract claim may be brought only by a party to the contract or an intended third-party beneficiary; and therefore, Plaintiffs do not have standing to bring claims on behalf of Defendant's customers. In addition, Defendant has submitted emails which indicate that the only customer information which may have been at risk was "non-financial" data such as "customer email addresses, phone numbers, first and last names, and TQL customer ID numbers." (Doc. 16-1).
The Court concludes that "at this stage in the litigation, before any limited discovery, it is premature to decide the class certification issue." McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 824 (E.D. Ky. 2019) (citing In re Am. Med. Sys., Inc., 75 F.3d 1069, 1079 (6th Cir. 1996) ("[O]rdinarily the determination should be predicated on more information than the pleadings will provide. . . . The parties should be afforded an opportunity to present evidence on the maintainability of the class action.") (quoting Weathers v. Peters Realty Corp., 499 F.2d 1197, 1200 (6th Cir. 1974)). While class action allegations may be stricken prior to a motion for class certification, the complaint itself must demonstrate that the requirements for maintaining a class action cannot be met. Rikos v. Procter & Gamble Co., No. 1:11-CV-226, 2012 WL 641946, at *3 (S.D. Ohio Feb. 28, 2012) (citing Pilgrim v. Universal Health Card, LLC, 660 F.3d 943, 949 (6th Cir.2011) Here, the Court notes that the "Confidentiality" provision in BCA applies to the confidential information of the motor carriers as well as "CUSTOMERS." In addition, the emails presented by Defendant as an attachment to its Motion cannot be considered because they are documents outside the pleadings.
Therefore, to the extent that Defendant moves to strike the class allegations, Defendant's Motion is DENIED.
III. CONCLUSION
Based on the foregoing, Defendant's Motion to Dismiss filed (Doc. 16) is GRANTED in PART and DENIED in PART; and Defendant's Motion to Strike (Doc. 16) is DENIED.
IT IS SO ORDERED.
/s/ Michael R . Barrett
JUDGE MICHAEL R. BARRETT