Summary
In Netgain Tech, a district court applying Minnesota law found that the FTC Act could not be used to proceed with a negligence per se theory because it gives the FTC enforcement authority.
Summary of this case from Quaife v. Brady Martz & Assocs.Opinion
21-cv-1210 (SRN/LIB)
06-02-2022
Brian C. Gudmundson, Michael J. Laird, and Rachel K. Tack, Zimmerman Reed LLP, Bryan L. Bleichner, Christopher P. Renz, and Jeffrey D. Bores, Chestnut Cambronne PA, Gayle M. Blatt, Casey Gerry Schenk Francavilla Blatt & Penfield, LLP, Amanda M. Williams, Daniel E. Gustafson, and David A. Goodwin, Gustafson Gluek PLLC, Anne T. Regan and Nathan D. Prosser, Hellmuth & Johnson PLLC, Karen H. Riebel, Kate M. Baxter-Kauf, and Maureen K. Berg, Lockridge Grindal Nauen PLLP, Nicholas Migliaccio, Migliaccio & Rathod LLP, Raina Borrelli, Turke & Strauss LLP, and Terence Coates, Markovits, Stock & DeMarco, LLC, for Plaintiffs. R. Henry Pfutzenreuter, Christopher A. Young, Paul R. Smith, and Sarah D. Greening, Larkin Hoffman Daly & Lindgren Ltd., for Defendant.
Brian C. Gudmundson, Michael J. Laird, and Rachel K. Tack, Zimmerman Reed LLP, Bryan L. Bleichner, Christopher P. Renz, and Jeffrey D. Bores, Chestnut Cambronne PA, Gayle M. Blatt, Casey Gerry Schenk Francavilla Blatt & Penfield, LLP, Amanda M. Williams, Daniel E. Gustafson, and David A. Goodwin, Gustafson Gluek PLLC, Anne T. Regan and Nathan D. Prosser, Hellmuth & Johnson PLLC, Karen H. Riebel, Kate M. Baxter-Kauf, and Maureen K. Berg, Lockridge Grindal Nauen PLLP, Nicholas Migliaccio, Migliaccio & Rathod LLP, Raina Borrelli, Turke & Strauss LLP, and Terence Coates, Markovits, Stock & DeMarco, LLC, for Plaintiffs.
R. Henry Pfutzenreuter, Christopher A. Young, Paul R. Smith, and Sarah D. Greening, Larkin Hoffman Daly & Lindgren Ltd., for Defendant.
MEMORANDUM OPINION AND ORDER
SUSAN RICHARD NELSON UNITED STATES DISTRICT JUDGE
This matter is before the Court on the Motion to Dismiss [Doc. No. 45] filed by Defendant Netgain Technology, LLC (“Netgain”). Based on a review of the files, submissions, and proceedings herein, and for the reasons below, the Court GRANTS in part and DENIES in part the motion.
I. BACKGROUND
A. The Parties
Plaintiffs in this matter are seven individuals from California, Minnesota, Nevada, South Carolina, and Wisconsin. (Am. Compl. [Doc. No. 35] ¶¶ 15-21.) They commenced this action on behalf of themselves and a putative class that may ultimately consist of “hundreds of thousands” of individuals. (Id. ¶ 96.)
Netgain is a Delaware corporation with its principal place of business in Minnesota. (Id. ¶ 22.)
B. Factual Background
1. Netgain's Business
Netgain provides third-party information technology and cybersecurity services to businesses. (Id. ¶ 1, 3.) Netgain's cybersecurity model requires businesses to move their information technology to a cloud-based system, which Netgain manages externally. (Id. ¶ 1.) Netgain specializes in serving the healthcare and accounting industries. (Id. ¶¶ 1-2, 24.) As part of its service, Netgain receives access to personally identifiable information (“PII”), personal health information (“PHI”), and other sensitive data (together, “Sensitive Information”). (Id. ¶¶ 24, 40.) Netgain stores this data on its servers. (Id. ¶ 40.) Netgain's clients have included Neighborhood Healthcare, Apple Valley Medical Clinic/Allina Health, Nevada Orthopedic & Spine Center, and Sandhills Medical Center. (Id. ¶¶ 15-21, 46.)
2. The Data Breach
In the fall of 2020, Netgain suffered a ransomware attack (“Data Breach”). (Id. ¶ 39.) Unauthorized individuals (“cybercriminals”) gained access to the data of at least 15 clients that was stored on Netgain's servers and then exported that data out of Netgain's system. (Id. ¶¶ 6, 39, 41.) This data included full names, social security numbers, dates of birth, driver's license numbers, patient cardholder numbers, patient diagnosis and treatment information, clinical notes, referral requests, laboratory reports, and vaccination and immunization information, among other things. (Id. ¶¶ 8, 45.) The cybercriminals also encrypted certain data. (Id. ¶ 43.) Upon discovering the attack, Netgain shut down certain data centers and began to rebuild the affected systems. (See id. ¶¶ 39, 43.)
The cybercriminals issued a ransom demand to Netgain. (Id. ¶ 7.) Netgain allegedly paid the ransom in exchange for assurances that the cybercriminals would delete and not disclose the stolen Sensitive Information. (Id.)
In early 2021, Netgain began notifying clients about the Data Breach. (Id. ¶ 42.) Netgain notified its clients that there was an “unauthorized access to portions of the Netgain environment, ” which occurred as early as September 2020. (Id. ¶ 43.) Netgain also identified opportunities to strengthen its security system by adding new tools, adopting new policies, and implementing “around-the-clock managed detection and response service for proactive threat monitoring.” (Id. ¶ 49.) Netgain explained that these changes would help ensure that data security remained “top-of-mind” going forward. (Id.)
In turn, some of Netgain's current and former clients issued press releases and notices relating to the Data Breach. (Id. ¶¶ 44-45, 53.) The press releases highlighted that “certain identifiable personal and protected health information was accessed and/or acquired from Netgain's network . . . including full names and one or more of the following: Social Security numbers, dates of birth, patient cardholder numbers, and/or treatment/diagnosis information.” (Id. ¶ 45.) Similarly, the notices stated that the stolen data may have included the patient's name, birth date, address, social security number, bank account and routing numbers, billing and medical information, driver's license number, insurance card information, and other data. (Id. ¶ 53.)
3. The Alleged Harm
As a direct and proximate cause of the Data Breach, Plaintiffs allege harm. (Id. ¶¶ 85, 113.) Plaintiffs allege that they received notice that their Sensitive Information was stolen during the Data Breach. (Id. ¶¶ 86-93.) They also allege that they remain “at a present and continued risk of harm due to the exposure and potential misuses of [their] personal data by [the cybercriminals].” (Id. ¶¶ 87-93.) In addition, each plaintiff alleges that they have taken specific actions in response to the Data Breach, as outlined below.
a. Plaintiff Misty Meier
Ms. Meier, a California resident, brings this suit on behalf of her minor child, who is also a California resident. (Id. ¶ 15.) Ms. Meier and her child had provided the child's Sensitive Information to Neighborhood Healthcare. (See id.) On April 8, 2021, Ms. Meier received a notice from Neighborhood Healthcare informing her that her child's “Sensitive Information was exposed during Netgain's Data Breach.” (Id.) She alleges that her child is harmed by the Data Breach because the cybercriminals “may . . . use [her child's] information to take out credit cards and car loans.” (Id. ¶ 86.) She also alleges that the child may not know that he has been a victim for many years because he is a minor without any credit history. (Id.)
b. Plaintiff Jane Doe
Ms. Doe is also a resident of California. (Id. ¶ 16.) She gave her Sensitive Information to Health Center Partners of Southern California. (See id.) She was informed on May 8, 2021, that her “Sensitive Information-stored on Netgain's systems-was stolen in the Data Breach.” (Id. ¶ 88.) In response to that notice, she “has monitored her credit using Credit Karma.” (Id.)
c. Plaintiff Susan Reichert
Ms. Reichert is a Wisconsin resident who gave her Sensitive Information to Apple Valley Medical Clinic. (See id. ¶ 17.) On March 26, 2021, she received notice from the clinic that her “Sensitive Data had been compromised by a cyberattack at Netgain.” (Id.) Since the breach, she has “spent time reviewing her credit card and banking statements to identify any fraudulent transactions.” (Id. ¶ 89.)
d. Plaintiff Mark Kalling
Mr. Kalling is a resident of Nevada. (Id. ¶ 18.) He was a patient of Nevada Orthopedic & Spine Center, which sent him notice that his “Sensitive Information was stolen during Netgain's Data Breach.” (Id.) Since the breach, his “credit card accounts experienced suspicious activity” and he “received at least four notifications of credit card fraud.” (Id. ¶¶ 18, 90.) He has also “spent over thirty hours mitigating the damage to his credit.” (Id.)
e. Plaintiff Robert Smithburg
Minnesota resident, Mr. Smithburg, shared his Sensitive Information with Apple Valley Medical Clinic/Allina Health. (See id. ¶ 19.) In March of 2021, he received notice that Netgain's “Data Breach exposed his Sensitive Information.” (Id.) Since the Data Breach, he has spent time “signing up for credit monitoring and reviewing his credit cards and bank statements for fraudulent transactions.” (Id. ¶ 91.)
f. Plaintiff Thomas Lindsay
Mr. Lindsay, also a resident of Minnesota, gave his Sensitive Information to Apple Valley Medical Clinic/Allina Health as well. (See id. ¶ 20.) He received a letter on March 26, 2021, informing him “that his Sensitive Information was stolen.” (Id.) In response, he “spent time contacting Apply Valley Medical Clinic about the breach.” (Id. ¶ 92.) He further alleges that he spent time “signing up for credit monitoring” and “talking to his bank and investment companies about the breach and potential fraud.” (Id.)
g. Plaintiff Robin Guertin
Ms. Guertin is a resident of South Carolina. (Id. ¶ 21.) She provided her Sensitive Information to Sandhills Medical Center. (Id.) On March 5, 2021, she received a letter from Sandhills Medical Center warning that “her Sensitive Information was exposed during the Netgain Data Breach.” (Id.) In response, she has “spent time signing up for credit monitoring, reviewing her banking information to identify fraudulent charges, and changing all of her passwords.” (Id. ¶ 93.)
C. Procedural History
1. The Original Complaints
Plaintiffs separately filed four putative class actions in Minnesota federal court. (See Aug. 24, 2021 Order [Doc. No. 34] at 1, 3-4.) The complaints alleged a substantially similar negligence claim against Netgain. (Id. at 4.) Some of the Plaintiffs also raised common law and statutory claims. (Id.) A little more than a month after filing their respective suits, the Plaintiffs filed a Joint Motion to Consolidate Cases [Doc. No. 16], which the Court granted. (Aug. 24, 2021 Order at 9-10.)
2. The Amended Complaint
In the consolidated action, Plaintiffs filed an Amended Complaint [Doc. No. 35]. They bring suit on behalf of themselves and the following putative class: “All natural persons residing in the United States whose data was exposed as a result of the Data Breach.” (Am. Compl. ¶ 94.) They also bring suit on behalf of a California Subclass and a Minnesota Subclass. (Id.) Plaintiffs, the Class, and the Subclasses seek declaratory, injunctive, and monetary relief, alleging claims of negligence, negligence per se, and violations of the Minnesota Health Records Act, Minn. Stat. §§ 144.191-.293 (“MHRA”).(Am. Compl. ¶¶ 101-56.)
In the Amended Complaint, Plaintiffs and the California Subclass also allege violations of the California Consumer Privacy Act and the California Unfair Competition Law. (Am. Compl. ¶¶ 122-40.) However, Plaintiffs have since withdrawn those causes of action. (Pls.' Opp'n [Doc. No. 50] at 36 n.6 (“Plaintiffs are withdrawing their Third Cause of Action for violation of the California Consumer Privacy Act and their Fourth Cause of Action for violation of California's Unfair Competition Law.”).) Accordingly, as it relates to Counts III and IV, the Court denies Defendant's motion to dismiss as moot.
3. Defendant's Motion to Dismiss
Shortly after Plaintiffs filed the Amended Complaint, Netgain filed this motion to dismiss, seeking dismissal under Rules 12(b)(1) and 12(b)(6) of the Federal Rules of Civil Procedure. (Def.'s Mem. [Doc. No. 47] at 9.) Under Rule 12(b)(1), Netgain contends that Plaintiffs lack Article III standing because they have not suffered an injury in fact that is fairly traceable to Netgain's alleged conduct. (Id. at 10-15.) Alternatively, Netgain moves for dismissal under Rule 12(b)(6) for failure to state claims for negligence, negligence per se, violation of the MHRA, and declaratory and injunctive relief. (Id. at 15-26, 39-46.)
II. DISCUSSION
A. Lack of Standing Under Rule 12(b)(1)
1. Legal Standard
The doctrine of standing limits the court's jurisdiction to “those disputes which are appropriately resolved through the judicial process.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (internal quotation marks and citation omitted). To successfully plead standing under Article III of the Constitution, a plaintiff must allege facts demonstrating the existence of an actual case or controversy by showing (1) a concrete injury in fact, (2) that is fairly traceable to the challenged action, and (3) that is likely to be redressed by the relief sought. Id. at 560-61. “[S]tanding is to be determined as of the commencement of the suit, ” and the burden of establishing standing is on the party invoking federal jurisdiction. Id. at 561, 570 n.5. Where, as here, the defendant challenges the existence of jurisdiction on the face of the pleadings, and not through extrinsic evidence, the reviewing court must “accept as true all factual allegations in the complaint, giving no effect to conclusory allegations of law.” Stalley v. Catholic Health Initiatives, 509 F.3d 517, 521 (8th Cir. 2007).
2. Analysis
Defendant contends that Plaintiffs have failed to adequately plead, in the Amended Complaint, that they suffered an injury in fact that is fairly traceable to the Data Breach. (Def.'s Mem. at 10-14.) Because Netgain only challenges injury in fact and traceability, the Court limits its analysis to those two standing elements.
a. Injury in fact
Defendant argues that Plaintiffs have not alleged a concrete, particularized injury that is actual or imminent. (Id. at 11.) Defendant contends that Plaintiffs have instead merely alleged a risk of future injury, which it argues does not confer standing. (Id. at 1214.) The Court disagrees.
The United States Constitution requires that a plaintiff allege an injury in fact in order to have standing to proceed. Spokeo, Inc. v. Robins, 578 U.S. 330, 338-39 (2016), as revised (May 24, 2016). To demonstrate an injury in fact, a plaintiff must show that the alleged injury is “ ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.' ” In re SuperValu, Inc., 870 F.3d 763, 768 (8th Cir. 2017) (quoting Spokeo, 578 U.S. at 339)). A “particularized” injury impacts the plaintiff “in a personal and individual way.” Spokeo, 578 U.S. at 339 (internal quotation marks and citation omitted). A “concrete” injury is one that “actually exists.” Id. at 340. And courts have found an injury in fact based on a substantial risk of future harm. See Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n.5 (2013) (collecting cases).
The requirements for standing do not change in the class action context. See Spokeo, 578 U.S. at 338 n.6. A putative class action can proceed as long as one named plaintiff has standing. See Horne v. Flores, 557 U.S. 433, 446 (2009) (“Because the superintendent clearly has standing to challenge the lower courts' decisions, we need not consider whether the Legislators also have standing to do so.”); see also Vill. of Arlington Heights v. Metro. Hous. Dev. Corp., 429 U.S. 252, 264 (1977) (“For we have at least one individual plaintiff who has demonstrated standing to assert these rights as his own.”).
The Eighth Circuit has addressed standing in a similar context. See SuperValu, 870 F.3d at 768. In SuperValu, plaintiffs, who were customers of defendants' grocery stores, alleged that their credit and debit card information was stolen by cybercriminals by means of installing malicious software on defendants' network. Id. at 766. Defendants moved to dismiss the complaint for lack of standing, arguing that plaintiffs did not have an injury in fact because they did not allege that the data was stolen. Id. at 769. But the Eighth Circuit rejected that argument. Id. Noting that it must draw all inferences in the plaintiffs' favor, the court highlighted other parts of the complaint that explicitly alleged that plaintiffs “suffered theft.” Id. The court, therefore, drew the inference that plaintiffs' card information was stolen. Id.
For many of the same reasons, Plaintiffs have alleged an injury in fact here. Contrary to Netgain's contention, the Court finds that Plaintiffs have sufficiently alleged that their PII and PHI was stolen. Notably, four Plaintiffs allege that their Sensitive Information “was stolen, ” (Am. Compl. ¶¶ 18, 20, 86, 88); two allege that it was “exposed, ” (id. ¶¶ 19, 21); and one alleges that it was “compromised, ” (id. ¶ 17.) This language, along with Plaintiffs' allegations that Netgain paid a ransom to have the cybercriminals destroy the stolen Sensitive Information, (id. ¶ 7), make it easy for the Court to infer that Plaintiffs' Sensitive Information was in fact stolen.
(i) Allegations of Future Harm
Next, Netgain asserts that even if the cybercriminals stole the Sensitive Information, Plaintiffs have merely alleged that future harm may occur, which Netgain contends is not an injury in fact, citing SuperValu. But, regarding future harm, the factual allegations here are different from the facts alleged in SuperValu. There, despite inferring that plaintiffs' card information was stolen, the Eighth Circuit found that the theft alone did not create a substantial risk of future harm. SuperValu, 870 F.3d at 769-72. Central to the court's reasoning was the fact that the stolen card information did not include any PII. Id. at 770. And without PII, the court reasoned that “there is little to no risk that anyone will use the Card Information . . . to open unauthorized accounts in the plaintiffs' names.” Id.
Here, it is undisputed that the stolen Sensitive Information includes PII and PHI, the absence of which was significant to the Eighth Circuit in SuperValu. See 870 F.3d at 770 (“[W]e note that the allegedly stolen Card Information does not include any personally identifying information.”). This emphasis strongly suggests that substantial risk of future harm is sufficiently alleged when the stolen data includes PII.
Other circuits have held that there is a substantial risk of future harm when PII and PHI is stolen. For example, the Sixth Circuit has held that plaintiffs suffer a concrete harm when they allege a substantial risk of future harm arising from data theft. Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 388-89 (6th Cir. 2016) (explaining that “it would be unreasonable to expect Plaintiffs to wait for actual misuse” where they already knew “that they have lost control of their data”). The Seventh and Ninth Circuits have reached the same conclusion. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693-94 (7th Cir. 2015) (finding an injury in fact where plaintiffs alleged a substantial risk of future harm due to a data breach); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (finding injury in fact where plaintiffs “alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data” and explaining that it would be different “if no laptop had been stolen”); but see Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011) (finding no risk of future harm because it was unknown “whether the hacker read, copied, or understood” the information, and there was “no evidence that the intrusion was intentional or malicious” or that a “taking occurred”).
This caselaw supports Plaintiffs' argument that they have adequately alleged a substantial risk of future harm in this case because their PII and PHI was stolen. See In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F.Supp.3d 1243, 1253-54 (M.D. Fla. 2019) (analyzing the circuit split and explaining that the facts weigh in favor of finding an injury in fact where stolen information “includes personally identifiable information”). Like in Galaria, Remijas, and Krottner, Plaintiffs PII and PHI-sensitive data that was not stolen in SuperValu-is in the hands of ill-intentioned criminals, and Plaintiffs with credit took concrete steps to monitor their credit in response to the Data Breach. And unlike Reilly, there is no dispute that the criminals intentionally stole and sought to profit from Plaintiffs' Sensitive Information. As such, the Court finds that Plaintiffs have sufficiently plead a substantial risk of future harm.
Netgain notes that in U.S. Hotel & Resort Management, Inc. v. Onity, Inc., Civ. No. 13-1499 (SRN/FLN), 2014 WL 3748639 (D. Minn. July 30, 2014), this Court found that the alleged future harm did not constitute an injury in fact. But that case is clearly distinguishable. There, there was no data breach. The only alleged injury was a fear of a future unauthorized entry into a hotel room due to defendant's defective door locks. See U.S. Hotel, 2014 WL 3748639, at *3. Yet, as explained above, Plaintiffs' Sensitive Information is already stolen. Applying the U.S. Hotel analogy to this case, the criminals have already broken into the room, looked around, stolen items, and U.S. Hotel has paid a ransom in hopes that the criminals will destroy the stolen items.
(ii) Kalling's Allegations of Present Harm
Regardless, Kalling has alleged a present injury in fact. In SuperValu, after analyzing future harm, the Eighth Circuit went on to determine whether plaintiffs had alleged a present injury. See 870 F.3d at 772. The court focused on one of the plaintiffs, plaintiff Holmes. Id. Plaintiff Holmes had alleged that “he suffered a fraudulent charge on the credit card he previously used to make a purchase at one of defendants' stores affected by the data breaches.” Id. And the court held that this alleged misuse was sufficient to demonstrate an injury in fact. Id. at 773.
Like plaintiff Holmes in SuperValu, Kalling alleges that his PII and PHI was “stolen during the data breach.” (Am. Compl. ¶¶ 8, 90.) He further alleges that, since the Data Breach, he has “received at least four notifications of credit card fraud, ” and that he has “spent over thirty hours mitigating the damage to his credit.” (Id. ¶¶ 18, 90.) This misuse of Kalling's Sensitive Information is a form of identify theft, and “identify theft constitutes an actual, concrete, and particularized injury.” SuperValu, 870 F.3d at 770 (“ ‘Nobody doubts that identify theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury.' ” (quoting Attias v. Carefirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017)). Accordingly, the Court finds that Kalling has established a present injury in fact.
Even if Kalling has alleged an injury in fact, Netgain contends that his allegations are not fairly traceable to the data breach. (Def.'s Mem. at 15.) SuperValu is again instructive. In SuperValu, the defendants also argued that plaintiff Holmes' alleged present injury was not fairly traceable to the data breach. 870 F.3d at 772-73. But the Eighth Circuit held that plaintiff Holmes had met his burden of establishing a causal link by alleging the following: “[d]efendants failed to secure customer Card Information on their network; their network was subsequently hacked; customer Card Information was stolen by the hackers; and Holmes became the victim of identity theft after the data breaches.” Id. at 772. The court found that these allegations were sufficient to plead the “specific facts that are necessary to support a link between Holmes' fraudulent charge and the data breaches.” Id. (internal quotation marks omitted). Because plaintiff Holmes had standing, the court held that it had jurisdiction to hear the entire case. Id. at 774.
In much the same way, Kalling has sufficiently alleged a causal link between his harm and the Data Breach. Specifically, he alleges that (1) Netgain failed to secure his Sensitive Information on its network, (2) Netgain suffered a cyberattack, (3) his Sensitive Information was stolen by the cybercriminals, and (4) he became a victim of four instances of identity theft after the breaches. These specific allegations, in the light of the general allegations in the Amended Complaint, sufficiently plead a causal link for the purposes of Article III standing. See SuperValu, 870 F.3d at 772-74 (finding present injury fairly traceable to the data breach); see also Brown v. Medtronic, Inc., 628 F.3d 451, 459 (8th Cir. 2010) (explaining that standing under Article III presents only a “threshold inquiry”); see also Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014) (“Proximate causation is not a requirement of Article III standing.”). Accordingly, the Court finds that Kalling's injury in fact is fairly traceable to Netgain's Data Breach.
Although Netgain does not challenge the final element of standing, the Court finds that Kalling's injury is likely to be redressed by a favorable judicial decision. See Lujan, 504 U.S. at 561.
Because Kalling has alleged that he suffered an injury in fact that is fairly traceable to Netgain's data breach that is likely to be redressed by a favorable judicial decision, Kalling has Article III standing. And because only one plaintiff needs to have standing for the suit to move forward, the Court denies Netgain's motion to dismiss under Rule 12(b)(1). See SuperValu, 870 F.3d at 768 (“A putative class action can proceed as long as one named plaintiff has standing.”).
B. Failure to State a Claim Under Rule 12(b)(6)
1. Legal Standard
When considering a motion to dismiss under Rule 12(b)(6), the Court accepts the facts alleged in the complaint as true and views those allegations in the light most favorable to the plaintiff. Hager v. Arkansas Dep't of Health, 735 F.3d 1009, 1013 (8th Cir. 2013). However, the Court need not accept as true wholly conclusory allegations or legal conclusions couched as factual allegations. Id. In addition, the Court ordinarily does not consider matters outside the pleadings on a motion to dismiss. See Fed.R.Civ.P. 12(d). Matters outside the pleadings include “any written or oral evidence in support of or in opposition to the pleading that provides some substantiation for and does not merely reiterate what is said in the pleadings, ” as well as statements of counsel at oral argument that raise new facts not alleged in the pleadings. Hamm v. Rhone-Poulenc Rorer Pharm., Inc., 187 F.3d 941, 948 (8th Cir. 1999) (internal quotation marks and citation omitted). The Court may, however, “consider the pleadings themselves, materials embraced by the pleadings, exhibits attached to the pleadings, and matters of public record.” Illig v. Union Elec. Co., 652 F.3d 971, 976 (8th Cir. 2011) (internal quotation marks and citation omitted).
To survive a motion to dismiss, a complaint must contain “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). Although a complaint need not contain “detailed factual allegations, ” it must allege facts with enough specificity “to raise a right to relief above the speculative level.” Id. at 555. “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, ” are insufficient. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 555).
2. Analysis
The United States Supreme Court “has held an individualized choice-of-law analysis must be applied to each plaintiff's claim in a class action.” In re St. Jude Med., Inc., 425 F.3d 1116, 1120 (8th Cir. 2005). But courts generally decline to conduct a choice-of-law analysis prior to discovery. See, e.g., Cantonis v. Stryker Corp., Civ. No. 09-3509 (JRT/JJK), 2011 WL 1084971, at *3 (D. Minn. Mar. 21, 2011) (explaining that “it would be inappropriate to engage in an analysis of what state's laws are to be used throughout the remainder of the litigation”); Ridings v. Stryker Sales Corp., Civ. No. 10-2590 (MJD/FLN), 2010 WL 4963064, at *2 (D. Minn. Dec. 1, 2010) (“[A]t this point, before discovery has occurred, the Court does not have sufficient information to determine which state's law applies.”).
Here, the Court finds that applying a choice-of-law analysis at this time is premature. As such, the Court analyzes Plaintiffs' state law claims of negligence and negligence per se under California, Minnesota, Nevada, South Carolina, and Wisconsin laws. The Court also analyzes the MHRA claim and Plaintiffs' request for declaratory and injunctive relief.
a. Negligence
A negligence claim requires a plaintiff to allege a duty, breach, causation, and injury. In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1170 (D. Minn. 2014) (citing Schmanski v. Church of St. Casimir of Wells, 67 N.W.2d 644, 646 (Minn. 1954). Netgain argues that the negligence claim fails for three reasons. (Def.'s Mem. At 16-24.) First, the economic loss doctrine bars it. (Id. at 17-20.) Second, Plaintiffs have failed to sufficiently plead a duty. (Id. at 20-22.) Third, Plaintiffs' damages are speculative. (Id. at 22-24.) Each argument is considered in turn.
These elements of a claim for negligence are substantially identical in every jurisdiction in which Plaintiffs raise the claim. See, e.g., Hayes v. Cnty. of San Diego, 305 P.3d 252, 255 (Cal. 2013) (California law); Hoida, Inc. v. M & I Midstate Bank, 717 N.W.2d 17, 27 (Wis. 2006) (Wisconsin law); Foster v. Costco Wholesale Corp., 291 P.3d 150, 153 (Nev. 2012) (Nevada law); J.T. Baggerly v. CSX Transp., Inc., 635 S.E.2d 97, 101 (S.C. 2006) (South Carolina law).
(i) Economic Loss Doctrine
Netgain contends that the economic loss doctrine bars Plaintiffs' negligence claim. (Id. at 17-20.) Because it is a judicially developed doctrine, see, e.g., Sheen v. Wells Fargo Bank, N.A., 505 P.3d 625, 627-28 (Cal. 2022), it applies differently in the various states, as discussed below.
a. Minnesota and Wisconsin
In Minnesota and Wisconsin, the economic loss doctrine does not apply to the sale of services. Ins. Co. of N. Am. v. Cease Elec. Inc., 688 N.W.2d 462, 472 (Wis. 2004) (“[W]e determine that the economic loss doctrine is inapplicable to claims for the negligent provision of services.”); McCarthy Well Co., Inc. v. St. Peter Creamery, Inc., 410 N.W.2d 312, 315 (Minn. 1987) (holding that the economic loss doctrine only applies when a transaction is governed by the Uniform Commercial Code). Here, it is undisputed that Netgain provided cybersecurity and cloud-computing “services” to its clients. (Am. Compl. ¶¶ 1, 4, 22, 23.) Accordingly, the economic loss doctrine does not bar Plaintiffs' negligence action in Minnesota and Wisconsin.
b. South Carolina
The Supreme Court of South Carolina has held that the economic loss doctrine applies “where duties are created solely by contract.” Kennedy v. Columbia Lumber & Mfg. Co., Inc., 384 S.E.2d 730, 737 (S.C. 1989) (emphasis in original); see also Tommy L. Griffin Plumbing & Heating Co. v. Jordan, Jones & Goulding, Inc., 463 S.E.2d 85, 88 (S.C. 1995) (confirming that the economic loss doctrine only applies to duties created solely by contract). Here, it is undisputed that Plaintiffs do not have privity of contract with Netgain, meaning no duties between the parties arise from a contract. Therefore, this negligence claim is not barred by the economic loss doctrine in South Carolina.
c. California and Nevada
The courts of California and Nevada have not addressed whether the economic loss doctrine applies in this context. Accordingly, the Court endeavors to determine whether they would apply that doctrine to the facts presented in this case.
In California and Nevada, a plaintiff may not recover in tort for purely economic damages. See NuCal Foods, Inc. v. Quality Egg LLC, 918 F.Supp.2d 1023, 1028 (E.D. Cal. 2013) (“[P]urely economic losses are not recoverable in tort.”); Terracon Consultants W., Inc. v. Mandalay Resort Grp., 206 P.3d 81, 86 (Nev. 2009) (explaining that the economic loss doctrine generally prohibits unintentional tort actions in which the plaintiff seeks to recover purely economic losses). In Nevada, purely economic loss means “the loss of the benefit of the user's bargain . . . including . . . pecuniary damage for inadequate value, the cost of repair and replacement of the defective product, or consequent loss of profits, without any claim of personal injury or damage to other property.” Calloway v. City of Reno, 993 P.2d 1259, 1263 (Nev. 2000) (internal quotation marks omitted) (superseded by statute on other grounds as stated in Olson v. Richard, 89 P.3d 31 (Nev. 2004)). California courts similarly interpret the economic loss doctrine. See, e.g., In re Ambry Genetics Data Breach Litig., No. SACV 20-00791-CJC (KESx), 2021 WL 4891610, at *4 (C.D. Cal. Oct. 18, 2021) (finding that purely economic losses do not include alleged injuries of privacy, anxiety, concern, unease, and loss of time due to a data breach); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-cv-2284-H-KSC, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020) (finding same as to alleged damages of loss of time and increased anxiety due to a data breach.); see also Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1039 (N.D. Cal. 2019) (“[P]laintiff alleged his loss of time as a harm and so does not allege pure economic loss.”).
Here, the Court concludes that Plaintiffs have alleged damages that are not purely economic losses under the laws of Nevada and California. Specifically, Plaintiffs allege that the Data Breach has made the “Class's identities less secure and reliable” and that they “will also have to protect against identity theft for years to come.” (Am. Compl. ¶ 113.) Like in Ambry, Solara, and Bass, Plaintiffs have alleged loss of time damages. These allegations go beyond purely economic loss. See, e.g., Calloway, 993 P.2d at 1263.
Moreover, finding an exception to the economic loss doctrine in this case supports Nevada's public policy to impose liability where “the law would not exert significant financial pressures to avoid such negligence.” Terracon Consultants, 206 P.3d at 88 (explaining why negligent misrepresentation claims are exceptions to the economic loss doctrine under Nevada law). Without tort liability in these types of cases, the law would not exert sufficient financial pressure on cybersecurity providers to properly update their systems to protect this highly sensitive information. Put another way, Netgain and its clients could negotiate limited liability in these situations, which would undermine the personal stake of those individuals whose information is at risk.
For these reasons, the Court finds that the economic loss doctrine does not bar Plaintiffs' negligence claim in Nevada and California.
(ii) Duty
Next, Netgain argues that it has no duty to protect Plaintiffs from the criminal actions of third parties. (Def.'s Mem. at 20-22.) The Court considers this argument under the law of each state.
a. California
Plaintiffs have sufficiently alleged a common law duty under California law. California courts have held that certain businesses have a duty to reasonably protect personal data. See Castillo v. Seagate Tech., LLC, Case No. 16-cv-01958-RS, 2016 WL 9280242, at *3 (N.D. Cal. Sept. 14, 2016) (concluding that employer had a duty to protect the personal identifying information of its employees and their spouses and dependents); Corona v. Sony Pictures Ent., Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *5 (C.D. Cal. June 15, 2015) (denying motion to dismiss the negligence claim regarding the employer's alleged duty to “maintain adequate security measures” to safeguard plaintiffs' personal information); see also In re Facebook, Inc., Consumer Privacy User Profile Litigation, 402 F.Supp.3d 767, 799 (N.D. Cal. 2019) (finding that plaintiffs had plausibly alleged a duty because “Facebook had a responsibility to handle its users' sensitive information with care”).
Rather than allege that there is no common law duty, Netgain asserts that it has no duty to protect Plaintiffs from the intervening acts of criminals because Plaintiffs have failed to allege the existence of a “special relationship.” (Def.'s Mem. at 21.) Netgain offers no legal support, however, for its argument that no “special relationship” exists in these circumstances.
In Castillo, a California district court found that an employer had a duty to protect the personal information it possessed regarding the spouses and dependents of its employees and former employees, despite no privity of contract with those persons. See 2016 WL 9280242, at *3. In reaching this conclusion, the court considered the following factors:
(1) the foreseeability of the harm to the plaintiff; (2) the degree of certainty that the plaintiff suffered injury; (3) the closeness of the connection between the defendant's conduct and the injury suffered; (4) the moral blame attached to the defendant's conduct; (5) the policy of preventing future harm; and (6) the extent of the burden to the defendant and consequences to the community of imposing a duty to exercise care with resulting liability for breach and the availability, cost, and prevalence of insurance for the risk involved.d. at *3.
Applied here, these factors suggest that Netgain owed Plaintiffs a duty to safeguard their PII and PHI. The Sensitive Information was valuable, as evidenced by Netgain's ransom payment. Further, Plaintiffs have alleged certain injury from the Data Breach, including time spent monitoring their credit reports and less secure and reliable identities. (Am. Compl. ¶¶ 85-93, 113.) Likewise, Kalling has alleged that he “received at least four notifications of credit card fraud” and “spent over thirty hours mitigating the damage.” (Id. ¶¶ 18, 90.) And it is foreseeable that these alleged harms would result when a cybersecurity provider fails to properly protect data from its clients in the healthcare and accounting industries. To be sure, the chance that Plaintiffs may actually suffer identity theft is unknown at this time. But it is reasonable to infer that persons whose information was stolen by cybercriminals would, at the very least, spend time and effort to detect or prevent identity theft. Additionally, imposing a common law duty on cybersecurity companies that are trusted with sensitive PII and PHI further promotes a policy of preventing identity theft and protecting the confidentiality of medical information.
These considerations were affirmed in Bass. There, the Northern District of California held that plaintiffs had plausibly alleged that Facebook owed them a duty. Bass, 394 F.Supp.3d at 2039. In finding a duty, the court reasoned that Facebook should have known that a “lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information, ” and that this was significant because some of the information was private and plaintiffs were trusting Facebook to use appropriate data security. Id. Notably, the court emphasized that finding no duty of care would “create perverse incentives for businesses who profit off the use of consumers' personal data to turn a blind eye and ignore known security risks.” Id. (internal quotation marks and citation omitted).
So too here. Netgain provides cybersecurity services to its clients and Netgain should know that a lack of reasonable care creates foreseeable harm to the individuals providing that information to Netgain's clients. Like in Bass, this information included private information (i.e., PII and PHI) and Netgain's clients were trusting Netgain to employ appropriate data security. Accordingly, under California law, Plaintiffs plausibly plead a duty.
b. Minnesota
Under Minnesota law, an individual has a duty “ ‘to act with reasonable care for the protection of others' in two situations.” In re Target Corp., 64 F.Supp.3d at 1308 (quoting Domagala v. Rolland, 805 N.W.2d 14, 23 (Minn. 1936)). First, general negligence law “imposes a general duty of reasonable care when the defendant's own conduct creates a foreseeable risk of injury to a foreseeable plaintiff.” Id. Second, a duty arises when there is a special relationship between the defendant and the plaintiff and an “action by someone other than the defendant creates a foreseeable risk of harm to the plaintiff.” Id.
Defendant argues that it has no duty because Plaintiffs do not adequately plead that there is a special relationship under Minnesota law. (Def.'s Mem. at 21.) But Plaintiffs contend that this is not a special relationship case, but rather a general negligence case where Netgain's own conduct, in failing to maintain appropriate data security measures, created a foreseeable risk of the harm that occurred, and Plaintiffs were the foreseeable victims of that harm. (Pls.' Opp'n at 24-29.) The Court agrees with Plaintiffs.
Minnesota courts have considered the following factors when determining whether a defendant owed a duty of care in a general negligence case: “(1) the foreseeability of harm to the plaintiff, (2) the connection between the defendant's conduct and the injury suffered, (3) the moral blame attached to the defendant's conduct, (4) the policy of preventing future harm, and (5) the burden to the defendant and community of imposing a duty to exercise care with resulting liability for breach.” In re Target Corp., 64 F.Supp.3d at 1309 (citing Domagala, 805 N.W.2d at 26.) “The duty to exercise reasonable care arises from the probability or foreseeability of injury to the plaintiff.” Id. And, although usually an issue for the jury, “the foreseeability of harm can be decided by the court as a matter of law when the issue is clear.” Foss v. Kincade, 766 N.W.2d 317, 322-23 (Minn. 2009). The Court must review these factors in the light most favorable to Plaintiffs, keeping in mind that this motion tests only the sufficiency of the pleadings and not the ultimate success of Plaintiffs' legal theories.
At this preliminary stage of the litigation, Plaintiffs plausibly plead a general negligence case. Plaintiffs sufficiently allege that Netgain's actions and inactions- implementing knowingly deficient data security measures and failing to follow its own advice for protecting against cybercriminals-caused foreseeable harm to Plaintiffs. Plaintiffs also plausibly allege that Netgain's conduct caused the harm they suffered. And Plaintiffs' allegation that Netgain was responsible to safeguard the data is also plausible. Although the third-party cybercriminals caused the harm, Netgain played a central role in permitting that harm to occur. Simply put, Plaintiffs allege that Netgain's “own conduct create[d] a foreseeable risk of injury to a foreseeable plaintiff, ” Domagala, 805 N.W.2d at 23. Accordingly, the Court finds that Plaintiffs plausibly plead a duty under Minnesota law.
c. Nevada
In Nevada, “no duty is owed to control the dangerous conduct of another.” Sanchez ex re. Sanchez v. Wal-Mart Stores, Inc., 221 P.3d 1276, 1280 (Nev. 2009). However, there are exceptions to that general rule, including “when (1) a special relationship exists between the parties or between the defendant and the identifiable victim, and (2) the harm created by the defendant's conduct is foreseeable.” Id. at 1280-81. A crucial factor in establishing liability under this exception is “the element of control.” Scialabba v. Brandise Constr. Co., 921 P.2d 928, 930 (Nev. 1996). In Scialabba, the Nevada Supreme Court held that a special relationship arose between a construction company performing work on an apartment complex and one of the tenants. Id. at 932. The court explained that “a duty should be imposed upon the one possessing control (and thus the power to act) to take reasonable precautions to protect the other one from assaults by third parties which, at least, could reasonably have been anticipated.” Id. (alteration in original) (internal quotation omitted). And the court found that “the alleged failure to lock the doors to the vacant apartments created a foreseeable risk of criminal activity and harm to [the tenant].” Id.
The same reasoning applies here. Netgain, a third party, took exclusive control over Plaintiffs' Sensitive Information in a way that deprives them of the ability to protect that information, and where it is reasonably anticipated that cybercriminals may try to steal the information. Notably, Netgain has not cited any caselaw establishing that such a special relationship cannot arise under Nevada law. Accordingly, the Court finds that Plaintiffs plausibly plead a claim for negligence under Nevada law.
d. South Carolina
Under South Carolina law, “[a]n affirmative legal duty exists only if created by statute, contract, relationship, status, property interest, or some other special circumstance.” Hendricks v. Clemson Univ., 578 S.E.2d 711, 714 (S.C. 2003). In general, there is no common law duty to act; however, where an act is voluntarily undertaken, the actor assumes the duty to use due care. Id.; Vaughan v. Town of Lyman, 635 S.E.2d 631, 637 (S.C. 2006). Whether such a duty exists depends on “the relationship between the parties, ” and “not the potential ‘foreseeability of injury.' ” Williams v. Preiss-WalPatIII, LLC, 17 F.Supp.3d 528, 535 (D.S.C. 2014).
In Shaw v. Psychemedics Corporation, the South Carolina Supreme Court held that a duty arose from the special circumstances surrounding the contractual relationship between an employer and a drug-testing laboratory. 826 S.E.2d 281, 283 (S.C. 2019). Specifically, the court held that there was a duty of care owed by the laboratory to the employer's employees who were subject to testing at the laboratory. Id. In reaching this decision, the court explained that “[t]he principal purpose of the contract between the laboratory and the employer is to test a given employee's biological specimen for the presence of drugs.” Id. at 283. The court further explained that, at some point during the testing process, if not for the entire duration, the laboratory “possesses and exercises control over the employee's specimen.” Id. As such, the court explained that “if the laboratory is negligent in testing the employee's specimen, it is foreseeable that the employee will likely suffer a direct economic injury.” Id. The court also highlighted that South Carolina's public policy favors recognition of a duty because (1) there is a public interest in accurate drug testing, (2) significant consequences follow from a positive drug test, and (3) the injured employee would be left without redress. Id. at 183-84. Therefore, the court held that there was a duty. Id. at 283.
The Court finds this reasoning persuasive and therefore finds that a special circumstance arose under South Carolina law in this case. Like in Shaw, the contractual relationship between Netgain and its clients created a special circumstance where Netgain possessed and exercised exclusive control over Plaintiffs' Sensitive Information. If Netgain acted negligently, then Plaintiffs would suffer injury. And absent a duty, Plaintiffs effectively have no other recourse.
At least one other federal court has reached the same conclusion when applying South Carolina law. See In re Blackbaud, Inc., Customer Data Breach Litig., No. 3:20-mn-02972-JMC, 2021 WL 4866393 (D.S.C. Oct. 19, 2021). In Blackbaud, the District of South Carolina concluded that the plaintiffs sufficiently plead an exception to the general rule that there is not duty to act. Id. at *7. The court held that plaintiffs had established that a third-party software and cybersecurity provider had a common law duty to maintain and secure plaintiffs' private information. Id. In reaching this decision, the court rejected defendant's argument that it had no duty to protect a third party from danger. Id. at *7-8. Instead, the court relied on South Carolina precedent that provides, as outlined above, that a duty to a third party can arise where an act is voluntarily undertaken, including through a contractual relationship. Id.
For these reasons, the Court finds that Plaintiffs plausibly plead a duty under South Carolina law.
e. Wisconsin
Wisconsin law provides that a duty of care is established “when it can be said that it was foreseeable that his act or omission to act may cause harm to someone.” Rockweit by Donohue v. Senecal, 541 N.W.2d 742, 747 (Wis. 1995) (internal quotation marks and citation omitted). At a minimum, “every person is subject to a duty to exercise ordinary care in all of his or her activities.” Gritzner v. Michael R., 611 N.W.2d 906, 912 (Wis. 2000). The Wisconsin Supreme Court routinely employs the analysis of Restatement (Second) of Torts § 324A when determining whether such a duty arises. Id. at 920 (“This court has adopted the theory of negligence set forth in the Restatement (Second) of Torts § 324A.”). Section 324A provides as follows:
One who undertakes, gratuitously or for consideration, to render services to another which he should recognize as necessary for the protection of a third person or his things, is subject to liability to the third person for physical harm resulting from his failure to exercise reasonable care to protect his undertaking, if
(a) his failure to exercise reasonable care increases the risk of such harm, or
(b) he has undertaken to perform a duty owed by the other to the third person, or
(c) the harm is suffered because of reliance of the other or the third person upon the undertaking.Stephenson v. Universal Metrics, Inc., 641 N.W.2d 158, 163-64 (Wis. 2002) (quoting Restatement (Second) of Torts § 324A). In Stephenson, the Wisconsin Supreme Court applied this standard to hold that an individual had a duty to protect a third party when he gratuitously agreed to give the third party a ride home. Id. at 164. The court concluded that the individual, without any duty to act, voluntarily chose to act and thus created a duty to act without negligence. Id. And the court concluded that “a reasonable jury could have found that [the individual] failed to exercise reasonable care, and that such a failure increased the risk of harm to other persons and property.” Id.
In the same way, Netgain had no duty to provide cybersecurity services to businesses. However, it voluntarily reached out to potential clients as a “cybersecurity expert” and entered into agreements with them to secure PII and PHI. (Am. Compl. ¶¶ 2 5, 23-34, 46, 81.) Like the individual in Stephenson, Netgain assumed this duty and thus assumed a duty not to act negligently. Moreover, it was foreseeable that cybercriminals may try to steal this information, causing harm to Plaintiffs. And Netgain knew this because its business model is premised on protecting such data from cybercriminals. Accordingly, the Court finds that Plaintiff's plausibly plead a duty under Wisconsin law.
(iii) Damages
Netgain asserts that Plaintiffs do not plead cognizable damages. (Def.'s Mem. at 22-24.) Specifically, Netgain contends that Plaintiffs' damages are speculative because they have only alleged a 25% risk that their Sensitive Information will result in identity theft. (Id. at 23.) The Court is unpersuaded.
Courts have held that damages like monitoring and lost time are cognizable. See Gardner v. Health Net, Inc., Civ. No. 10-2140 PA (CWx), 2010 WL 11571242, at *3 (C.D. Cal. Nov. 29, 2010) (finding “credit monitoring costs” cognizable damages for a negligence claim); cf. Potter v. Firestone Tire & Rubber Co., 863 P.2d 795, 824 (Cal. 1993) (“[W]e hold that the cost of medical monitoring is a compensable item of damages ....”); Burlison v. Janssen, 141 N.W.2d 274, 279 (Wis. 1966) (“A plaintiff may recover damages for lost wages or lost time . . .”); Sieg v. Wagner, 217 N.W. 439, 441 (Minn. 1928) (affirming “lost time” damages award in a negligence action); Sadler v. PacifiCare of Nev., 340 P.3d 1264, 1270 (Nev. 2014) (discussing damages for a “medical monitoring claim”).
The Court finds that Plaintiffs have alleged cognizable damages. Specifically, the Plaintiffs allege that cybercriminals stole their Sensitive Information, including full names, birth dates, social security numbers, driver's license numbers, medical records, and other types of information. (E.g., Am. Compl. ¶ 8, 53.) As a result of the breach, Plaintiffs allege damages due to Netgain's untimely and inadequate notification of the Data Breach, along with opportunity costs, loss of time costs, and out-of-pocket expenses. (Id. ¶ 85.) And Plaintiffs Doe, Reichert, Smithburg, Lindsay, and Guertin allege that they spent time signing up for credit monitoring. Similarly, Kalling has “received at least four notifications of credit card fraud” and “spent over thirty hours mitigating the damage.” At this stage of the proceedings, this is enough for the Plaintiffs to establish cognizable damages. See, e.g., In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 494 (D. Md. 2020) (rejecting argument that plaintiffs had failed to plead damages by explaining that plaintiffs “do not need to assign a value at this stage to adequately plead damages” and thus denying the motion to dismiss); In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1317 (N.D.Ga. 2019) (“[T]he Plaintiffs here have sufficiently alleged a substantial and imminent risk of impending identity fraud due to the vast amount of information that was obtained in the Data Breach.”).
The cases relied upon by Netgain are distinguishable. For example, Netgain cites a series of cases that analyze whether there was enough evidence introduced at trial to support a damages award. See Holt v. Brown, 185 F.Supp.3d 727, 730, 739 (D.S.C. 2016) (finding, after a bench trial, that plaintiff had not established that future medical treatment was reasonably necessary); Watt v. Nevada Cent. R. Co., 44 P. 423, 424, 428-29 (Nev. 1896), modified, 46 P. 52 (Nev. 1896) (reversing, after a bench trial, the district court's award of damages as speculative); Johnson v. Rouchleau-Ray Iron Land Co., 168 N.W. 1, 2 (Minn. 1918) (holding, after trial, that apprehension of a future mud slide did not constitute damage to real property and thus reversing district court's award of damages); Brantner v. Jenson, 360 N.W.2d 529, 532 (Wis. 1985) (affirming, after a jury trial, damages award because the evidence supported a finding that plaintiff's pain necessitated future surgery).
And Netgain's other citations involve circumstances where it is unknown whether the data was actually accessed by the criminals. See Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1019-20 (D. Minn. 2006) (granting summary judgment because the evidence failed to show that “the information on the stolen computers has been accessed or misused”); Gardner, 2010 WL 11571242, at *2 (dismissing negligence claim as to plaintiff who failed to allege that her confidential information “was actually exposed”); Rhoades v. Lourey, No. A18-1120, 2019 WL 1006804, at *4 (Minn.Ct.App. Mar. 4, 2019) (affirming district court's determination that plaintiff failed to sufficiently plead statutory damages in part because the allegedly negligently handled private information “never left the MSOP system.”).
Gardner makes this distinction plain. There, the court distinguished between one plaintiff who had not alleged that her data “was actually exposed, ” and a different plaintiff who had alleged that her information “was significantly exposed.” Gardner, 2010 WL 11571241, at *1-3. The court dismissed the plaintiff's claim who failed to allege exposure, while permitting the other plaintiff's negligence claim to advance. Id. at *2-3. The court noted that the second plaintiff properly alleged that her risk of identify fraud was “significantly increased . . . as a result of the exposure of [her] information.” Id. at *3 (emphasis added).
Netgain also cites Pruchnicki v. Envision Healthcare Corporation, 439 F.Supp.3d 1226 (D. Nev. 2020), aff'd, 845 Fed.Appx. 613 (9th Cir. 2021), for the proposition that lost time damages are not cognizable damages. (Def.'s Reply at 15.) However, the only Plaintiff from Nevada is Kalling, and he alleges much more than lost time damages. (Am. Compl. ¶¶ 18, 90 (alleging that he “received at least four notifications of credit card fraud” and “spent over thirty hours mitigating the damage to his credit”).) Accordingly, Pruchnicki does not compel dismissal here.
Here, as explained above, there is no dispute that the Plaintiffs' Sensitive Information was stolen and exposed. In fact, the parties agree that Netgain paid the cybercriminals an undisclosed amount of money in the hopes that the cybercriminals would destroy the Sensitive Information. Accordingly, the Court denies Netgain's motion to dismiss Plaintiffs' negligence claim.
b. Negligence per se
Netgain argues that Plaintiffs' claim for negligence per se fails because there is no private right of action under Section 5 of the Federal Trade Commission (“FTC”) Act, 15 U.S.C. §§ 41-58. (Def.'s Mem. at 24-26.) The Court agrees.
A claim for negligence per se arises when a duty is created by statute. E.g., Sanchez, 221 P.3d at 1283. For negligence per se to apply, the injured person must show that he or she is a member of the “class of persons whom the statute is intended to protect and the injury is of the type against which the statue is intended to protect.” Id.; Anderson v. State, Dep't of Nat. Res., 693 N.W.2d 181, 190 (Minn. 2005); Hoff v. Vacaville Unified Sch. Dist., 968 P.2d 522, 530 (Cal. 1998); Whitlaw v. Kroger Co., 410 S.E.2d 251, 252 (S.C. 1991); Antwaun A. ex rel. Muwonge v. Heritage Mut. Ins. Co., 596 N.W.2d 456, 466 (Wis. 1999).
Here, Plaintiffs generally allege that “Plaintiffs and the Class are within the class of persons Section 5 of the FTCA (and similar state statutes) were intended to protect.” (Am. Compl. ¶ 120.) This conclusory allegation fails to explain how Plaintiffs constitute members of the group that the statute was designed to protect. See, e.g., In re Blackbaud, 2021 WL 4866393, at *11 (applying South Carolina law to dismiss plaintiffs' negligence per se claim for violation of the FTC Act because plaintiffs “d[id] not actually define or otherwise explain” how they were members of the group the statute was designed to protect); Williams ex rel. Estate of Williams v. CSX Transp., Inc., No. 2007-MO-001, 2007 WL 8434527, at *2 (S.C. Jan. 2, 2007) (concluding that the district court erred in charging jury in negligence per se when it was clear that plaintiff “was not a member of the class of persons intended to be protected by [the statute].”); Grozdanich v. Leisure Hills Health Ctr., Inc., 25 F.Supp.2d 953, 986 (D. Minn. 1998) (dismissing negligence per se claim because “[t]he Plaintiff is simply not a member of the class of persons who were intended to be protected by the [statute]”); Ashwood v. Clark Cnty., 930 P.2d 740, 744 (Nev. 1997) (affirming summary judgment on negligence per se claim because “as a matter of law, ” plaintiff was “not a member of the class of persons the [statute] . . . was meant to protect”); Hoff, 968 P.2d at 530 (affirming district court's grant of motion for nonsuit on negligence claim in part because the statute was not designed “to protect against the risk of injury to members of the general public”).
What is more, Plaintiffs have not established that negligence per se can be based on a violation of Section 5 of the FTC Act. Pursuant to the FTC Act, the Federal Trade Commission has the authority to, among other things, enforce against “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). Under this authority, the Commission brings many enforcement actions “against companies that have purportedly failed to protect consumer financial data against hackers.” SuperValu, 925 F.3d at 963. However, the FTC Act creates no private right of action. FTC v. Johnson, 800 F.3d 448, 452 (8th Cir. 2015).
Here, Plaintiffs have not cited any precedent in California, Minnesota, Nevada, South Carolina, or Wisconsin that permits a state-law negligence per se claim to proceed based on the theory that there is a violation of Section 5 of the FTC Act. Contrary to Plaintiffs' position, the Court has found one federal case applying California law, which found that a negligence per se claim was barred “because the FTC Act creates no private right of action.” Pica v. Delta Air Lines, Inc., No. CV 18-2876-MWF (Ex), 2018 WL 5861362, at *9 (C.D. Cal. Sept. 18, 2018).
The Court finds this reasoning persuasive. Simply put, the FTC Act grants the FTC enforcement authority and establishes a certain standard of care, not a private right of action. For these reasons, the Court grants Defendant's motion to dismiss Count II.
c. Minnesota Health Records Act (“MHRA”)
Netgain contends that Plaintiff's MHRA claim must be dismissed because Netgain did not “release” any health records. (Def.'s Mem at 39-43.) The Court agrees.
Minnesota law provides as follows:
A person who does any of the following may be liable to a patient for compensatory damages caused by an unauthorized release or an intentional, unauthorized access, plus costs and reasonable attorney fees:
(1) negligently or intentionally requests or releases a health record in violation of sections 144.291 to 144.297 ....Minn. Stat. § 144.298, subd. 2. The Minnesota Supreme Court explained that “a person must affirmatively release a record that was not authorized for release by the patient's consent.” Larson v. Nw. Mut. Life Ins. Co., 855 N.W.2d 293, 302 (Minn. 2014) (emphasis added). And the court defined “release” to mean “[t]o set free from . . . [or] let go” or “[t]o make available for use.” Id. (alterations in original).
Applied here, Netgain never affirmatively released the health records to the cybercriminals. Instead, as is alleged in the Amended Complaint, the cybercriminals exfiltrated (i.e., stole) Plaintiffs' Sensitive Information. (Am. Compl. ¶¶ 6, 41.) And a stealing does not constitute an affirmative release as required by the statute.
Because the Court dismisses the MHRA claim on this basis, the Court need not consider Defendant's alternative arguments. (See Def.'s Mem. at 40, 43.)
d. Declaratory Judgment
Netgain contends that Plaintiffs' request for a declaratory judgment fails because it seeks “nothing more than a ruling on Plaintiffs' other claims.” (Def.'s Mem. at 44.) Further, Netgain contends that Plaintiffs' request for relief should be dismissed because they only seek injunctive relief, which it contends is not available here because Plaintiffs have other adequate legal remedies and because there is no ongoing, irreparable injury to enjoin. (See id. at 44-45.)
The Declaratory Judgment Act permits the judiciary to “declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). To proceed successfully under the Declaratory Judgment Act, there must be a “substantial controversy” that presents a “concrete and specific” question. Caldwell v. Gurley Refining Co., 755 F.2d 645, 649-50 (8th Cir. 1985) (internal quotation marks and citation omitted).
Netgain's arguments are premature at this stage of the litigation. Plaintiffs allege that Netgain continues to provide “inadequate and unreasonable” data security, and that they and the Class “continue to suffer injury.” (Am. Compl. ¶ 151.) This is enough to survive a motion to dismiss. See In re Arby's Rest. Grp. Inc. Litig., No. 1:17-cv-0514-AT, 2018 WL 2128441, at *15 (N.D.Ga. Mar. 5, 2018) (denying motion to dismiss the declaratory judgment claim); In re: The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-2583-TWT, 2016 WL 2897520, at *4-5 (N.D.Ga. May 18, 2016) (denying motion to dismiss claims for declaratory and injunctive relief).
III. CONCLUSION
Based on the submissions and the entire file and proceedings herein, IT IS HEREBY ORDERED that Defendant Netgain Technology, LLC's Motion to Dismiss [Doc. No. 45] is granted in part and denied in part, as follows:
1. The Motion is GRANTED as to Counts II and V;
2. The Motion is DENIED as to Counts I and VI; and
3. The Motion is DENIED as moot as to Counts III and IV.