Opinion
21-CV-2210 (KAM)(SJB)
08-28-2023
IN RE GEICO CUSTOMER DATA BREACH LITIGATION
MEMORANDUM & ORDER ADOPTING REPORT & RECOMMENDATION
KIYO A. MATSUMOTO, United States District Judge
Before the Court is a consolidated putative class action filed after third parties gained access to driver's license numbers (“DLN”) through GEICO's online insurance sales website. The putative class members are consumers whose personal information (including their DLNs) was allegedly exposed by GEICO. Plaintiffs Michael Viscardi, Kathleen Dorety, and William Morgan (collectively, “Plaintiffs”), individually and on behalf of the proposed class, assert claims of negligence per se, intrusion upon seclusion, and negligence, as well as violations of New York General Business Law § 349 and the federal Driver's Privacy Protection Act (“DPPA”). Plaintiffs also seek declaratory and injunctive relief.
Defendants Government Employees Insurance Company, GEICO Casualty Company, GEICO Indemnity Company, and GEICO General Insurance Company (collectively, “GEICO” or “Defendants”) moved to dismiss pursuant to Fed.R.Civ.P. 12(b)(6) for failure to state a claim, and pursuant to Fed.R.Civ.P. 12(b)(1) for lack of subject matter jurisdiction over the action due to Plaintiffs' lack of standing. (ECF No. 73 and exhibits.) On April 6, 2023, the Court referred Defendants' motion to dismiss to Magistrate Judge Bulsara for a report and recommendation. (See 04/06/23 Dkt. Order.)
Before the Court are: (1) Magistrate Judge Bulsara's Report and Recommendation (ECF No. 95 (“R&R”)), dated July 21, 2023, recommending that the motion be granted in part and denied in part; (2) GEICO's objections to the R&R (ECF No. 96 (“Defs. Objs.”)); and (3) Plaintiffs' responses to GEICO's objections (ECF No. 98 (“Pls. Resp.”).) For the reasons stated below, upon de novo review, the Court adopts Magistrate Judge Bulsara's thorough, meticulous and well-reasoned R&R in its entirety.
BACKGROUND AND FACTS
The Court assumes the parties' familiarity with the extensive facts thoroughly recounted in the R&R. (See generally R&R.) For present purposes, the Court reiterates only the procedural background and facts relevant to Defendants' objections, as set forth in the R&R and Plaintiffs' Class Action Complaint (ECF No. 61 (“Compl.”)).
On July 21, 2023, Magistrate Judge Bulsara issued his report and recommendations to this Court. For the reasons set forth in the R&R, he recommends that GEICO's motion to dismiss be granted in part and denied in part as follows:
1. Granting GEICO's motion to dismiss Counts III (negligence per se), IV (New York General Business Law (“GBL”) § 349), and V (intrusion upon seclusion), and granting dismissal of the intrusion upon seclusion claim with prejudice;
2. Denying GEICO's motion to dismiss Counts I (DPPA), II (negligence), and VI (declaratory and injunctive relief);
3. Granting GEICO's request to dismiss Plaintiffs Mirvis, Brody, and Connelly.(R&R at 41.)
As GEICO asserts in its Memorandum of Law in support of its motion to dismiss, the Class Action Complaint does not identify Plaintiffs Alexander Mirvis, Raquel Brody, and Ryant Connelly, who had initially filed overlapping proposed class action lawsuits that were ultimately consolidated into the instant action. (ECF No. 73-5 (“Defs. Mem.”) at 5, 5 n.3.) Further, the Court notes that interim class counsel no longer appears to be pursuing claims on those plaintiffs' behalf, evinced by the consolidated Class Action Complaint only brought by Plaintiffs Michael Viscardi, Kathleen Dorety, and William Morgan. (Compl. at 1.) No party objected to the R&R's recommendation that plaintiffs Mirvis, Brody, and Connelly be dismissed from the action, and the Court therefore adopts the recommendation. The Court also notes that Ryant Connelly does not currently appear on the docket as a plaintiff in this action.
Magistrate Judge Bulsara further concluded that Plaintiffs had standing to obtain injunctive and declaratory relief, and to seek damages for the first five claims asserted. On August 4, 2023, GEICO timely filed four objections to Magistrate Judge Bulsara's R&R. Plaintiffs timely filed their responses to the objections on August 18, 2023.
LEGAL STANDARD
When a party objects to an R&R, the Court must review de novo those recommendations in the R&R to which the party objects. See Fed.R.Civ.P. 72(b)(3); United States v. Male Juvenile, 121 F.3d 34, 38 (2d Cir. 1997). Where a party does not object to a portion of the R&R, the Court “‘need only satisfy itself that there is no clear error on the face of the record.'” Galvez v. Aspen Corp., 967 F.Supp.2d 615, 617 (E.D.N.Y. 2013) (quoting Reyes v. Mantello, No. 00-cv-8936, 2003 WL 76997, at *1 (S.D.N.Y. Jan. 9, 2003)). The Court may “accept, reject, or modify the recommended disposition; receive further evidence; or return the matter to the magistrate judge with instructions.” Fed.R.Civ.P. 72(b)(3); see also 28 U.S.C. § 636(b)(1).
Objections “must be specific and clearly aimed at particular findings in the magistrate judge's proposal.” Green v. Dep't of Educ. of City of N.Y., No. 18-CV-10817 (AT)(GWG), 2020 WL 5814187, at *2 (S.D.N.Y. Sept. 30, 2020) (quoting McDonaugh v. Astrue, 672 F.Supp.2d 542, 547 (S.D.N.Y. 2009)); Barratt v. Joie, No. 96-CV-0324, 2002 WL 335014, at *1 (S.D.N.Y. Mar. 4, 2002) (“Parties filing objections to recommendations are required to ‘pinpoint specific portions of the report and recommendations to which [they] objec[t]....'” (quoting Camardo v. Gen. Motors Hourly-Rate Emps. Pension Plan, 806 F.Supp. 380, 382 (W.D.N.Y. 1992))). If “the [objecting] party makes only frivolous, conclusory or general objections, or simply reiterates [the party's] original arguments, the Court reviews the report and recommendation only for clear error.” Velez v. DNF Assocs., LLC, No. 19-CV-11138, 2020 WL 6946513, at *2 (S.D.N.Y. Nov. 25, 2020) (quoting Chen v. New Trend Apparel, Inc., 8 F.Supp.3d 406, 416 (S.D.N.Y. 2014)); see also Colliton v. Donnelly, No. 07-CV-1922 (LAK), 2009 WL 2850497, at *1 (S.D.N.Y. Aug. 28, 2009), aff'd, 399 Fed.Appx. 619 (2d Cir. 2010) (summary order).
“[E]ven in a de novo review of a party's specific objections,” however, “the court will not consider ‘arguments, case law and/or evidentiary material which could have been, but were not, presented to the magistrate judge in the first instance.'” Brown v. Smith, No. 09-CV-4522, 2012 WL 511581, at *1 (E.D.N.Y. Feb. 15, 2012) (quoting Kennedy v. Adamo, No. 02-CV- 1776, 2006 WL 3704784, at *1 (E.D.N.Y. Sept. 1, 2006)) (alterations omitted).
DISCUSSION
The Court addresses each of GEICO's objections in turn.
I. GEICO's Objections as to Plaintiffs' DPPA Claim
A. Plaintiffs Sufficiently Alleged “Knowing Disclosure” Under the DPPA
GEICO first argues that the R&R “mischaracterizes” Enslin v. Coca-Cola Co., 136 F.Supp.3d 654, 670 (E.D. Pa. 2015):
The Report and Recommendation mischaracterizes Enslin when it held that the Enslin court “rejected the statutory interpretation being advanced by GEICO. The reason that there was no ‘voluntary disclosure,' and no DPPA violation [in Enslin], was because there was no transmission of information at all - not because defendants failed to possess a heightened mens rea.” Report and Recommendation, at p. 28. This
statement regarding Enslin is inaccurate. The plaintiff in Enslin did allege that the theft of his PI [personal information] resulted in the PI eventually being accessed - and used -by malicious third parties to effectuate a wide range of fraudulent activity. See Enslin, 136 F.Supp.3d at 659-60.(Defs. Objs. at 6.)
GEICO also objects to the R&R's characterization of Allen v. Vertafore, Inc., Case No. 4:20-cv-04139, 2021 WL 3148870, at *4 (S.D. Tex. June 14, 2021), arguing that the R&R “inaccurately states that the underlying Memorandum and Recommendation in Allen held that Plaintiff failed to sufficiently plead a DPPA claim because the allegations there ‘describe Vertafore as having stored the data on servers under Vertafore's control, meaning the data was never actually knowingly disclosed to anyone outside of Vertafore.'” (Def. Obj. at 9); see also Allen, 2021 WL 3148870, report and recommendation adopted, No. 4:20-cv-04139, 2021 WL 3144469 (S.D. Tex. July 23, 2021), aff'd, 28 F.4th 613 (5th Cir. 2022), cert. denied, 214 L.Ed.2d 26, 143 S.Ct. 109 (2022).
On de novo review, the Court finds that GEICO's arguments are unavailing, as GEICO's reliance on Enslin and Allen, neither of which is controlling, is misplaced and misconstrues Plaintiffs' well-pleaded allegations.
Enslin involved the theft of fifty-five laptops by an employee of the defendant company, theft which the company later discovered. The laptops contained personal information of the plaintiff and a putative class of current and former employees of the company. The Enslin court specifically noted that “Plaintiff does not describe any allegedly improper disclosure of Plaintiff's PDI [“person's driving information”] . . . rather, Plaintiff speaks in general terms about the ‘Coke [D]efendants' retention of his PDI and purported ‘disclosure' as a result of the theft of his PDI.” Enslin, 136 F.Supp.3d at 671 (emphasis added), aff'd sub nom. Enslin v. Coca-Cola Co., 739 Fed.Appx. 91 (3d Cir. 2018). Allen, in turn, involved a data breach in which, “because of human error, three data files containing driver information for Texas driver's licenses . . . had been inadvertently stored in an unsecured external storage service that appeared to have been accessed without authorization.” Allen, 2021 WL 3148870, at *1. The Allen court found that the plaintiffs failed to assert a DPPA claim because the complaint did not contain “any factual allegation describing how this purported mismanagement of information amounts to a knowing disclosure of personal information for an improper purpose.” Id. at *3 (emphasis added).
On de novo review, the Court finds that, as the R&R accurately set forth, Plaintiffs' DPPA claim is grounded in allegations that “GEICO affirmatively displayed DLNs and Plaintiffs' information, and did so without any safeguards,” and not in allegations that “GEICO was a passive bystander attacked by a third party.” (R&R at 29 (citing Compl. ¶¶ 77-78).)
Plaintiffs allege in relevant part:
GEICO knew that it was using driver's license information on its online sales platform . . . and that the website would auto-populate driver's license information into its quoting tool once that basic information is entered. Indeed, GEICO was responsible for its website, including its design and design features. GEICO thus knew, inferably knew, or should have known, that its website and the website's auto-populate feature disclosed consumers' driver's license number to anyone.(Compl. ¶ 77.)
Plaintiffs further allege that “[b]y adding the autopopulation feature to its online quoting process, which GEICO knowingly chose to do, GEICO intended to use the driver's license numbers and make the displayed information easily accessible to anyone who entered basic information into its system.” (Id. ¶ 78.) Such well-pleaded allegations are plainly distinguishable from those in Enslin, in which a wayward employee of the defendant company stole laptops containing the plaintiff's personal information, and those in Allen, in which human error led to the improper and inadvertent storage of data files containing DLNs.
Finally, though the Court notes GEICO's statement that it “respectfully disagrees with” the decisions in two relevant Southern District of New York cases (Defs. Objs. at 2 n.2), GEICO has not put forth compelling reasons in either its motion papers or its objections for the Court to stray from two persuasive sister-courts' decisions on the issue of knowing disclosure. (See R&R at 29 (citing Rand v. Travelers Indem. Co., 637 F.Supp.3d 55, 68 (S.D.N.Y. 2022) (“Travelers's voluntary decision to autopopulate its quote responses with driver's license numbers constitutes a ‘knowing disclosure' of personal information [under the DPAA].”); In re USAA Data Sec. Litig., 621 F.Supp.3d 454, 468 (S.D.N.Y. 2022) (“USAA's voluntary decision to automatically pre-fill its quote forms with driver's license numbers constitutes a ‘knowing disclosure' of personal information.”).)
B. Plaintiffs Sufficiently Alleged that GEICO Disclosed PI for an Improper Purpose
Notwithstanding the “default rules of non-disclosure, the DPPA [enumerates] fourteen ‘permissible uses' - exceptions from the default rule - for which personal information may be obtained, disclosed, used, or resold.” Gordon v. Softech Int'l Inc., 726 F.3d 42, 45 (2d Cir. 2013). Specifically, GEICO asserts that it was permitted to use PI “in connection with . . . rating and underwriting.” (Defs. Mem. at 22-23; Defs. Objs. at 11); See 18 U.S.C. § 2721(b)(6). But the Complaint does not allege that GEICO used Plaintiffs' PI for rating or underwriting. Instead, the Complaint alleges that GEICO “knowingly us[ed] the PI of Plaintiffs and the Class for sales and marketing purposes.” (Compl. ¶ 68.) GEICO objects to the R&R's finding that Plaintiffs' factual allegations support the plausible inference “that GEICO disclosed their DLNs for the improper profit-seeking purpose, irrespective of whether GEICO also had a permissible purpose,” (Defs. Objs. at 11 (citing R&R at 31)), and notes that the Complaint alleges that once a GEICO website visitor enters their name, date of birth, and address to obtain a quote, “Defendants' system auto-populates the quotation with driver's license information . . . and makes that information visible to the person entering the information on the GEICO quote website.” (Id. at 12 (citing Compl. ¶ 58).) Thus, Defendant invokes the exempted purpose of “rating and underwriting.” On de novo review, the Court overrules this objection as well.
As an initial matter, the Court finds that Magistrate Judge Bulsara properly and accurately relied on Maracich v. Spears, 570 U.S. 48 (2013) to read DPPA exceptions narrowly in order “to preserve the primary operation” of the statute. See id. at 60-61 (“Unless commanded by the text, [the DPPA's 14 exceptions] ought not operate to the farthest reach of their linguistic possibilities if that result would contravene the statutory design . . . of protecting an individual's right to privacy in his or her motor vehicle records.”).
Here, GEICO objects to the R&R's reliance on Pichler v. UNITE, 542 F.3d 380 (3d Cir. 2008), which held, inter alia, that the DPPA “contains no language that would excuse an impermissible use merely because it was executed in conjunction with a permissible purpose.” Id. at 395. GEICO asserts that Pichler “requires allegations that the use or disclosure was made for an improper purpose” (Defs. Objs. at 14), but this is precisely what the R&R accurately and appropriately set forth:
In other words, if GEICO used or disclosed a person's information for several purposes - both permissible ones (for example, to conduct underwriting) and impermissible ones - it would still be liable for that impermissible purpose.(R&R at 31.) The Complaint alleges that GEICO affirmatively implemented a website that displays DLNs and Plaintiffs' information without safeguards to the general public using the website. (Comp. ¶¶ 77-78; R&R at 29-31.) Thus, “[b]y knowingly using the PI of Plaintiffs and the Class for sales and marketing purposes, and by knowingly disclosing that PI to the public, Defendants ran afoul [of] the purpose of DPPA, and threatened the privacy and safety of licensed drivers, for whose protection the statute was enacted.” (R&R at 30 (citing Compl. ¶ 68).)
Furthermore, the Court agrees with Plaintiffs that GEICO's “arguments about permitted use and proper purposes are fact intensive and premature at the pleading stage without the benefit of discovery.” (See Pls. Resp. at 12 n.5); see Senne v. Vill. of Palatine, Ill., 695 F.3d 597, 608 (7th Cir. 2012) (explaining that the issue of whether disclosed information was used in effectuating the statutory permissible uses “cannot be resolved on review of the entry of judgment on a motion to dismiss” and “[f]urther proceedings will permit the parties to explore this question”). Consequently, GEICO's objection to the R&R's finding that Plaintiffs sufficiently alleged that GEICO disclosed PI for an improper purpose is overruled.
II. GEICO's Objection as to the “Proximate Cause” Determination of Plaintiffs' Negligence Claim
To show negligence under New York state law, a plaintiff must demonstrate “(1) the defendant owed the plaintiff a cognizable duty of care; (2) the defendant breached that duty; and (3) the plaintiff suffered damage as a proximate result.'” Ferreira v. City of Binghamton, 975 F.3d 255, 266 (2d Cir. 2020) (quoting Williams v. Utica Coll. Of Syracuse Univ., 453 F.3d 112, 116 (2d Cir. 2006)). GEICO only objects to the R&R's determination of proximate causation - specifically, that Plaintiffs' allegations, taken together, “permit the plausible inference that GEICO's disclosure of DLNs was a substantial cause of Plaintiffs' damages.” (R&R at 34.)
In sum and substance, GEICO's argument here is that the R&R “failed to consider the indisputable reality and context of this massive data breach scheme involving a multitude of carriers and the unauthorized access to the same type of personal information when it determined that Plaintiffs sufficiently pled GEICO's data breach was a ‘substantial cause' of Plaintiffs' alleged damages.” (Defs. Objs. at 15 (emphasis in original); see also id. at 14-17.) The majority of GEICO's arguments is that GEICO may not prove to be the specific or sole proximate cause of Plaintiffs' damages “in light of the reality of the massive data breach scheme impacting the insurance industry” (Defs. Objs. at 15), which GEICO couches under the argument that Plaintiffs' allegations were insufficient on this issue. Whether facts exist outside the allegations in the complaint that may bear on proximate cause is not the question on a 12(b)(6) motion to dismiss. GEICO has not cited any authority mandating that a court take judicial notice of such broad, unpleaded factual context into consideration and fails to cite any sources regarding the “massive data breach” at the same time as “GEICO's data incident” - let alone any authority mandating that such expansive consideration and analysis would be appropriate in assessing proximate causation in the context of a 12(b)(6) motion to dismiss.
It is well-established that the issue of proximate causation “is fact laden and inappropriate for a motion to dismiss at the pleadings stage.” See In re Sept. 11 Prop. Damage & Bus. Loss Litig., 468 F.Supp.2d 508, 531 (S.D.N.Y. 2006), aff'd sub nom. Aegis Ins. Servs., Inc. v. 7 World Trade Co., L.P., 737 F.3d 166 (2d Cir. 2013); e.g., Sawyer v. Wight, 196 F.Supp.2d 220, 227 (E.D.N.Y. 2002) (“Proximate causation is a factual question left to the fact finder.”) (citing Peter McKinnon v. Bell Security, 268 A.D.2d 220, 700 N.Y.S.2d 469, 471 (N.Y.App.Div. 2000)); see also Consol. Edison Co. of New York, Inc. v. ACE Am. Ins. Co., No. 1:21-CV-9216-GHW, 2023 WL 3569273, at *11 (S.D.N.Y. May 18, 2023) (citing Hain v. Jamison, 28 N.Y.3d 524, 530, 68 N.E.3d 1233, 1238 (N.Y. 2016) (“Proximate cause is, at its core, a uniquely factspecific determination, and [d]epending upon the nature of the case, a variety of factors may be relevant in assessing legal cause.”)).
GEICO further argues that Plaintiffs' allegation that the data incident was part of “an ongoing and concerted campaign by fraudsters to engage with insurers' online quoting platforms to obtain driver's license numbers” supports GEICO's arguments that Plaintiffs did not sufficiently allege proximate causation. (Defs. Objs. at 16 (citing Compl. ¶ 71).) To the extent GEICO is arguing that ¶ 71 implies that multiple platforms experienced data incidents, it is unclear how that undermines a finding that proximate cause was sufficiently pleaded. It is well-settled that proximate cause determination does not require a finding that a liable party is the “sole cause of harm; it only asks that the identified cause be a substantial factor in bringing about the injury.” Hydro Invs., Inc. v. Trafalgar Power Inc., 227 F.3d 8, 15 (2d Cir. 2000); see also Zerega Ave. Realty Corp. v. Hornbeck Offshore Transp., LLC, 513 Fed.Appx. 30, 32-33 (2d Cir. 2013) (summary order) (“[t]he common law of torts . . . instructs that the existence of additional factors causing an injury does not necessarily negate the fact that the defendant's wrong is also the legal cause of the injury”) (citing Henrietta D. v. Bloomberg, 331 F.3d 261, 278-79 (2d. Cir. 2003)). GEICO acknowledges as much in citing Derdiarian v. Felix Contracting Corp., 51 N.Y.2d 308, 315 (N.Y. 1980). (See Defs. Objs. at 14.) On de novo review, the Court is, therefore, unconvinced by GEICO's arguments and overrules GEICO's objections regarding proximate cause.
III. GEICO's Objection as to Plaintiffs' Standing to Seek Damages
GEICO objects to the R&R's determination that Plaintiffs sufficiently alleged injury-in-fact to establish standing to assert their claims. (Defs. Objs. at 17; see also R&R at 19-22.) GEICO objects on the grounds that Plaintiffs “offer no specific allegations supporting loss of ‘expenses' or ‘money'” and “merely mention loss of time in having spent an unquantified number of hours or significant time monitoring accounts or communicating with their banking institutions regrading alleged fraud attempts.” (Defs. Objs. at 19.) On de novo review, the Court agrees with the R&R's careful and well-reasoned determination that Plaintiffs' allegations sufficiently established an injury because “each of the Plaintiffs spent significant time, effort, and resources addressing the allegedly fraudulent bank accounts, credit card charges, and unemployment claims taken out in their names.” (R&R at 20.)
The Second Circuit has repeatedly held that the injuryin-fact requirement of standing is a “low threshold.” See, e.g., John v. Whole Foods Mkt. Grp., Inc., 858 F.3d 732, 736 (2d Cir. 2017) (collecting cases). Here, all three named Plaintiffs make allegations as to the time, effort, and resources expended in addressing issues of fraud allegedly arising from GEICO's data incident. Plaintiff Viscardi experienced (and accordingly, had to expend resources to resolve) two fraudulent pandemic-related unemployment benefit claims, a fraudulent attempt to transfer funds from his bank account to an unauthorized account, and a fraudulent charge on two separate credit cards. (Compl. ¶¶ 1824.) The Complaint also alleges that Viscardi “spent approximately 90 hours monitoring accounts and otherwise dealing with the fallout of” the GEICO data incident. (Id. ¶ 25.) Plaintiff Dorety alleges that she received a notice of a fraudulent unemployment benefits claim and a fraudulent bank account opened in her name, and accordingly had to spend time to file police reports for both claims. (See id. ¶¶ 31-35.) Plaintiff Morgan “underwent the time and effort to freeze his credit” after a fraudulent unemployment benefits claim was made in his name. (See id. ¶¶ 42-45.) Finally, as to each named Plaintiff, the Complaint alleges:
As a result of GEICO's Data Disclosure, [Plaintiff] suffered an injury and/or damages, including but not limited to actual identify theft; time and expenses interacting with government agencies, and general mitigation
efforts spent on monitoring credit and for identity theft; time and expenses spent scrutinizing bank statements, credit card statements, and credit reports; time and expenses spent monitoring bank accounts for fraudulent activity; loss in value of [Plaintiff's] personal data; lost property in the form of [Plaintiff's] compromised PI; and injury to [Plaintiff's] privacy. Additionally, as a result of GEICO's Data Disclosure, [Plaintiff] now faces a substantial threat that unauthorized third parties will further misuse [Plaintiff's] PI.(Compl. ¶¶ 26, 37, 47.)
The Court finds that such allegations satisfy the injury-in-fact requirement at the pleadings stage and therefore overrules GEICO's objection. In USAA, the plaintiffs alleged that they incurred “costs associated with credit freezes” as well as “lowered credit scores resulting from [their] credit inquiries following fraudulent activities.” In re USAA, 621 F.Supp.3d at 466. The USAA court noted that “[b]ecause these alleged losses implicate monetary harm directly caused by the data breach, they are sufficiently concrete to constitute an injury-in-fact.” Id. Similarly to the allegations in the instant Complaint, the USAA plaintiffs alleged that “they have spent significant time, effort, and resources addressing the insurance and unemployment claims taken out in their names.” Id.
In light of the above, the Court agrees with the USAA court that, “[e]ven absent a risk of future identity theft, such ‘concrete and particularized loss[es] based on actual time spent responding to' the already-occurred identity thefts are sufficient to demonstrate a concrete injury for the purpose of Article III standing.” Id. (citing Rudolph v. Hudson's Bay Co., No. 18-CV-8472 (PKC), 2019 WL 2023713, at *7 (S.D.N.Y. May 7, 2019)) (emphasis added); see also Cohen v. Ne. Radiology, P.C., No. 20-CV-1202 (VB), 2021 WL 293123, at *5 (S.D.N.Y. Jan. 28, 2021) (finding that the plaintiff's allegation that “he has spent time communicating with credit agencies and financial institutions and monitoring credit reports and accounts further supports the contention that plaintiff has suffered an injury-in-fact”); cf. Miller v. Syracuse Univ., No. 21-CV-1073 (LEK/TWD), 2023 WL 2572937, at *7 (N.D.N.Y. Mar. 20, 2023) (“In the data breach context, the time and money spent to respond to a data breach may satisfy the injury-in-fact requirement.” (citing Rand, 2022 WL 15523722, at *3)); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (finding that plaintiff had sufficiently alleged injury-in-fact “because the value of one's own time needed to set things straight is a loss from an opportunity-cost perspective” and such “injuries can justify money damages, just as they support standing”).
IV. GEICO's Objection as to Plaintiffs' Sought Remedies of Declaratory and Injunctive Relief
As set forth above, GEICO argued that the R&R should have recommended dismissal of the DPPA and negligence claims, and accordingly, filed a fourth and final objection arguing that Plaintiffs' “request for declaratory/injunctive relief/remedies should also have been dismissed.” (Defs. Objs. at 24.) In light of the Court overruling GEICO's first and second objections, supra, this final objection is also overruled. As the R&R properly addressed, although Plaintiffs pleaded declaratory and injunctive relief as a separate count (Count VI), declaratory and injunctive relief are remedies, not independent causes of actions. See, e.g., Chevron Corp. v. Naranjo, 667 F.3d 232, 244-45 (2d Cir. 2012) (“The [Declaratory Judgment Act] is procedural only, and does not create an independent cause of action.” (quotations and citations omitted)); Budhani v. Monster Energy Co., 527 F.Supp.3d 667, 688 (S.D.N.Y. 2021) (“[A] request for injunctive relief is not an independent cause of action [but] is merely the remedy sought for the legal wrongs alleged in the substantive counts.” (quotations and citations omitted)); (see also Compl. ¶¶ 198-206; R&R at 39.)
CONCLUSION
Based on the foregoing reasons and upon de novo review, GEICO's objections are overruled, and the Court adopts Magistrate Judge Bulsara's thorough and well-reasoned recommendations as follows:
1. Granting GEICO's motion to dismiss Counts III (negligence per se), IV (New York General Business Law (“GBL”) § 349), and V (intrusion upon seclusion), and granting
dismissal of the intrusion upon seclusion claim with prejudice;
2. Denying GEICO's motion to dismiss Counts I (DPPA), II (negligence), and VI (declaratory and injunctive relief);
3. Granting GEICO's request to dismiss Plaintiffs Mirvis, Brody, and Connelly.
In light of this Memorandum & Order, the parties are referred to Magistrate Judge Bulsara for supervision of any settlement discussions, conducting discovery, and remaining pretrial issues as appropriate.
SO ORDERED.