Opinion
2:23-cv-220
07-28-2023
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT BECU'S MOTION TO DISMISS
JAMAL N. WHITEHEAD, UNITED STATES DISTRICT JUDGE
Plaintiff Richard Krefting banked with Defendant Boeing Employees' Credit Union (“BECU”). BECU shared his personally identifiable information with its printing vendor, Defendant Kaye-Smith Enterprises, Inc. A third-party hacked Kaye-Smith's computer network in a data breach and gained access to Plaintiff's and other BECU customers' information. Plaintiff sued BECU and Kaye-Smith in this putative class action for negligence, unjust enrichment, breach of third-party beneficiary contract, breach of implied contract, and violations of the Washington State Consumer Protection Act. BECU filed this motion to dismiss, arguing that Plaintiff lacks standing and has otherwise failed to state a plausible claim for relief against BECU. Having reviewed the parties' briefs and supporting material filed in support of and opposition to the motion, and the complaint, the Court GRANTS in part and DENIES in part BECU's motion.
BACKGROUND
I. Background.
The Court takes the following alleged facts from Plaintiff's Complaint (Dkt. No. 1) and considers them true for purposes of ruling on the pending Motion to Dismiss.
Defendant Boeing Employees' Credit Union (“BECU”) is a Washington-based credit union. Dkt. No. 1 at 4. Defendant Kaye-Smith Enterprises is an Oregon-based company that “provides statement processing and billing services, inventory management, direct mail marketing, web applications, warehousing and distribution, and data management services” for BECU and other corporate clients. Id. at 2, 4. BECU collected the personally identifiable information (“PII”) of its customers, and it provided this information to Kaye-Smith, which in turn stored the customers' PII on its system. Id. at 2. At some point, cybercriminals breached Kaye-Smith's computer network, accessing the PII of BECU's customers (the “Data Breach”). Id. at 2-3, 5.
In May 2022, Kaye-Smith learned of the Data Breach. Id. at 5. In July 2022, BECU notified Plaintiff that his personal information, including name, address, account number(s), credit score, and Social Security number had been exposed to cybercriminals. Id. at 6.
After the Data Breach, Plaintiff discovered that a credit account was fraudulently opened using his personal information. Id. at 6. He also received notifications from Credit Karma that someone has tried to change his home address and make a credit inquiry without his permission. Id. at 6-7. Plaintiff has spent numerous hours responding to the Data Breach, including time spent researching the facts and scope of the breach, monitoring his accounts and personal information, reviewing his credit reports, responding to the fraudulent activity, and taking other steps to mitigate the consequences. Id. at 7.
Plaintiff filed this putative class action against BECU and Kaye-Smith (together, “Defendants”), to “redress Kaye-Smith's unlawful, willful and wanton failure to protect the personally identifiable information of hundreds of thousands of individuals” that had been “exposed in a major data breach of Kaye-Smith's network.” Id. at 2. Plaintiff alleges that he has suffered theft of his PII, “imminent and certain impending injury flowing from fraud and identity theft posed by Plaintiff's PII being placed in the hands of cybercriminals,” diminution in value of PII, loss of the benefit of the bargain, and continued risk to his PII. Id. at 7.
DISCUSSION
I. Legal Standard.
A. Motion to Dismiss Standard.
The Court will grant a motion to dismiss only if the complaint fails to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citations omitted). The plausibility standard is less than probability, “but it asks for more than a sheer possibility” that a defendant did something wrong. Id. (citations omitted). “Where a complaint pleads facts that are ‘merely consistent with' a defendant's liability, it ‘stops short of the line between possibility and plausibility of ‘entitlement to relief.''” Id. (quoting Twombly, 550 U.S. at 557). In other words, a plaintiff must have pled “more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id.
When considering a motion to dismiss, the Court accepts factual allegations pled in the complaint as true and construes them in the light most favorable to the plaintiff. Lund v. Cowan, 5 F.4th 964, 968 (9th Cir. 2021). But courts “do not assume the truth of legal conclusions merely because they are cast in the form of factual allegations.” Fayer v. Vaughn, 649 F.3d 1061, 1064 (9th Cir. 2011) (citations omitted). Thus, “conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss.” Id. (internal quotation marks omitted).
B. Choice of Law.
“A federal court sitting in diversity ordinarily must follow the choice-of-law rules of the State in which it sits.” Atl. Marine Constr. Co. v. U.S. Dist. Ct., 571 U.S. 49, 65 (2013). “This applies to actions brought under the Class Action Fairness Act [(“CAFA”), 28 U.S.C. § 1332(d)(2),] as well, since CAFA is based upon diversity jurisdiction.” Veridian Credit Union v. Eddie Bauer, LLC, 295 F.Supp.3d 1140, 1149 (W.D. Wash. 2017) (citations omitted). Here, Krefting filed this case in federal court pursuant to CAFA. Dkt. No. 1 at 5. Consequently, the Court follows Washington's choice-of-law rules. Because there is no “conflict between the law of Washington and the law of another state,” the Court need not analyze this issue further and will apply Washington law to this dispute. Burnside v. Simpson Paper Co., 864 P.2d 937, 942 (Wash. 1994).
II. Plaintiff has standing to sue.
BECU claims Plaintiff lacks Article III standing to sue. To establish Article III standing, Plaintiff must demonstrate “(i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2203 (2021) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-561 (1992)).
First, BECU claims that Plaintiff has not suffered an injury in fact. The Supreme Court recently revisited this subject in TransUnion, and it held that “[t]o have Article III standing to sue in federal court, plaintiffs must demonstrate, among other things, that they suffered a concrete harm. No concrete harm, no standing.” TransUnion LLC, 141 S.Ct. at 2200. Concrete harms, such as physical harm and monetary harms, readily qualify as concrete injuries under Article III. Id. at 2204. But intangible harms can also be concrete when the injury bears a “close relationship to harm traditionally recognized as providing a basis for lawsuits in American courts.” Id. (quotations omitted). The Supreme Court described disclosure of private information and intrusion upon seclusion as examples of intangible harms that can also be concrete for standing purposes. Id. Importantly, within the context of this case, the Supreme Court held that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2211 (emphasis in original).
Plaintiff alleges that after the Data Breach, he “discovered a credit account fraudulently opened using his personal information” and received “notifications from Credit Karma that someone ha[d] attempted to change the location of his home address” and “made a credit inquiry without his permission.” Dkt. No. 1 at 6, 7. BECU argues that Plaintiff's allegations regarding fraudulent activities are insufficient to constitute a concrete harm. The Court disagrees. Plaintiff's claims that someone fraudulently opened an account in his name and attempted to change his home address are actual injuries, and a far cry from the threatened harm of identity theft the Supreme Court found to be “too speculative” for standing purposes in TransUnion. 141 S.Ct. at 2212. On this record, the Court finds Plaintiff's allegations of actual misuse of his PII sufficient to state concrete injury under Article III. See, e.g., Webb v. Injured Workers Pharmacy, LLC, No. 22-1896, 2023 WL 4285814, at *5 (1st Cir. June 30, 2023) (“[T]he complaint's plausible allegations of actual misuse of Webb's stolen PII to file a fraudulent tax return suffice to state a concrete injury under Article III.”); Gaddy v. Long & Foster Cos., No. CV212396RBKEAP, 2023 WL 1926654, at *8 (D.N.J. Feb. 10, 2023) (“Misuse of financial information is a cognizable, intangible injury that, even without financial loss, is sufficient to confer standing.”).
Additionally, Plaintiff alleges that he shared private, sensitive data with BECU, and that BECU failed to safeguard his information, which allowed malicious third parties to carry out the Data Breach. See generally Dkt. No. 1. The Court finds that Plaintiff's claimed injuries flowing from these acts have a close historical and common-law analog since the theft and loss of control over PII is akin to traditional claims for invasions of privacy and intrusion upon seclusion. See TransUnion, 141 S.Ct. 2204; see also Patel v. Facebook, Inc., 932 F.3d 1264, 1274 (9th Cir. 2019) (“Under the common law, an intrusion into privacy rights by itself makes a defendant subject to liability.”). Indeed, “[n]umerous courts” since TransUnion, “including the Ninth Circuit, have found allegations concerning the interference with plaintiffs' control over their personal data to be sufficient for standing on account of their injury implicating an “invasion of the historically recognized right to privacy.” Leonard v. McMenamins, Inc., No. 2:22-CV-00094-BJR, 2022 WL 4017674, at *5 (W.D. Wash. Sept. 2, 2022) (collecting cases).
Even without a historical analog tethering his claims to a concrete injury in fact, the Court finds that Plaintiff has sufficiently pled that the Data Breach caused “separate concrete harm” in the form of time expended investigating and mitigating the breach. Dkt. No. 1 at 30. As the Third Circuit explained, “if the plaintiff's knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.” Clemens v. ExecuPharm Inc., 48 F.4th 146, 156 (3d Cir. 2022); see also TransUnion, 141 S.Ct. at 2211 n.7 (“[A] plaintiff's knowledge that he or she is exposed to a risk of future physical, monetary, or reputational harm could cause its own current emotional or psychological harm.”); Whittum v. Univ. Med. Ctr. of S. Nev., No. 221CV01777MMDEJY, 2023 WL 2967306, at *3 (D. Nev. Apr. 17, 2023) (“Because Plaintiffs undertook substantial mitigation and remedial measures to prevent fraud, incurred out-of-pocket expenses, and suffered emotional distress from the anticipation of fraud, the Court finds that Plaintiffs have alleged concrete, separate injuries for standing from the risk of future harm.”).
Accordingly, Plaintiff has plausibly alleged an injury in fact. Having found at least several of Plaintiff's alleged harms to confer standing, the Court need not address the sufficiency of Plaintiff's other alleged harms like the increased risk of fraud or identity theft, or the diminution in the value of Plaintiff's PII. See Dkt. No. 1 at 31.
Next, the Court considers whether Plaintiff's injuries are “fairly traceable” to BECU's actions. A showing that an injury is fairly traceable requires less than a showing of “proximate cause.” Maya v. Centex Corp., 658 F.3d 1060, 1070 (9th Cir. 2011) (concluding that, for purposes of Article III standing, plaintiffs need not “demonstrate that defendants' actions are the ‘proximate cause' of plaintiffs' injuries”). This step examines the chain of causation, but the chain does not fail simply because it contains several links or because the defendant's actions are not the last link in the chain. See Wash. Env't Council v. Bellon, 732 F.3d 1131, 1142 (9th Cir. 2013). “Even a showing that a plaintiff's injury is indirectly caused by a defendant's actions satisfies the fairly traceable requirement.” Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012). Here, Plaintiff alleges BECU provided his PII to Kaye-Smith, who ultimately suffered the data breach. Thus, for purposes of the Court's standing analysis, Plaintiff's allegations demonstrate sufficiently that BECU's actions are within the causal chain and therefore fairly traceable to his injuries.
Concerning the last element of standing, whether Plaintiff's alleged injuries are redressable by relief that could be obtained through this lawsuit, the Court finds that Plaintiff has alleged sufficient facts demonstrating that his injuries could be compensated through monetary damages and injunctive relief. See Thole v. U.S. Bank N.A., 140 S.Ct. 1615, 1618 (2020). Accordingly, the final standing requirement is met.
III. Plaintiff fails to state a plausible claim for relief on some of his claims.
The fact that Plaintiff has standing to sue does not mean he has stated a plausible claim for relief against BECU. See Krottner v. Starbucks Corp., 406 Fed.Appx. 129, 131 (9th Cir. 2010) (“Article III standing does not establish that they adequately pled damages for purposes of their state-law claim.”). Indeed, establishing Article III standing means a Plaintiff has “[s]tanding to sue” but not necessarily “to succeed.” Doe v. Chao, 540 U.S. 614, 641 (2004).
Here, Plaintiff asserts five claims against BECU: negligence, unjust enrichment, breach of a third-party beneficiary contract, breach of implied contract, and violation of the CPA. Plaintiff must allege enough to state a plausible claim for relief, but as explained below, he has not done so here for all of his claims.
A. Plaintiff has stated a plausible negligence claim, in part.
1. Plaintiff alleges sufficient facts demonstrating that BECU's conduct gave rise to a duty to protect his data from third-party acts.
Plaintiff alleges that “it was negligent to provide [his] ... PII and financial information to [Kaye-Smith] who lacked adequate security systems.” Dkt. No. 1 at 3. BECU argues, however, that it owed Plaintiff no duty to safeguard his data, and that even if it did, it did not breach that duty and that any alleged breach did not cause any legally cognizable injury.
To establish a claim for negligence under Washington Law, a plaintiff must prove: “(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury.” Degel v. Majestic Mobile Manor, Inc., 914 P.2d 728, 731 (Wash. 1996). “The existence of a duty is a question of law and depends on mixed considerations of logic, common sense, justice, policy, and precedent.” Snyder v. Med. Serv. Corp., 35 P.3d 1158, 1164 (Wash. 2001) (internal quotation marks omitted). Duty may be “predicated on violation of statute or common law principles of negligence.” Jackson v. City of Seattle, 244 P.3d 425, 428 (Wash.Ct.App. 2010) (citation omitted).
As a general rule, there is no duty under Washington law “to control the conduct of a third person so as to prevent him from causing harm to another.” Robb v. City of Seattle, 295 P.3d 212, 216 (Wash. 2013) (citation omitted). But there are exceptions to this rule, which generally fall into two camps: when there is a “special relationship” with the victim or criminal, and when “the actor's own affirmative act creates a recognizable high degree of risk of harm” to another. Id.
BECU is correct that no Washington court has recognized a special relationship between banks and their customers when it comes to safeguarding their PII, and Plaintiff cites no authority to the contrary. So without more, Plaintiff's conclusory statements that a special relationship existed will not suffice to create a duty where none has been previously recognized by a Washington court.
In fact, one of the primary cases relied upon by Plaintiff, Buckley v. Santander Consumer USA, Inc., reached the same conclusion that Washington recognizes no such duty. No. C17-5813 BHS, 2018 WL 1532671, at *5 (W.D. Wash. Mar. 29, 2018) (“Washington courts have not recognized a ‘special relationship' between consumers and data custodians as they have between insurers and their insureds.”); see In re MCG Health Data Sec. Issue Litig., No. 2:22-CV-849-RSM-DWC, 2023 WL 3057428, at *3 (W.D. Wash. Mar. 27, 2023), report and recommendation adopted, No. 2:22-CV-849-RSM-DWC, 2023 WL 4131746 (W.D. Wash. June 22, 2023) (same).
But the Court need not decide whether a special relationship could exist because Plaintiff has sufficiently pled that BECU's affirmative acts exposed him to a high risk of harm thereby creating a duty. See Washburn v. City of Fed. Way, 310 P.3d 1275, 1289 (Wash. 2013) (holding tortfeasor's affirmative acts created new danger giving rise to a duty to guard against the criminal conduct of a third-party). Plaintiff alleges BECU knew that “cybercriminals routinely target corporations ... in an attempt to steal the[ir] collected Private Information,” that Kaye-Smith “failed to maintain many reasonable and necessary industry standards necessary to prevent data breaches,” that BECU failed to ensure that Kaye-Smith had proper safeguards in place, and that BECU provided its customers' PII to Kaye-Smith nevertheless. Dkt. No. 1 at 6, 15, 17, 26. This last step, as alleged, is the affirmative act by BECU that subjected Plaintiff to harm.
BECU tries in vain to disrupt Plaintiff's stated formulation of his negligence claim, arguing that “Plaintiff does not allege that BECU knew that Kaye-Smith allegedly lacked adequate security measures,” but Plaintiff's complaint alleges BECU failed to ensure that Kaye-Smith had proper safeguards in place before deliberately sharing Plaintiff's data. This is all that is required at this stage of the case to adequately allege a duty was owed. See Dkt. No. 1 at 6.
The Court finds that Plaintiff has stated a plausible claim for relief as to the other elements of his negligence claim because (1) Plaintiff's factual allegations about a duty owed also include an allegation that BECU breached its duty to safeguard his data by sharing it with Kaye-Smith, (2) Plaintiff alleges sufficient facts, as explained above, demonstrating that he has been injured by BECU's negligent conduct, and (3) Plaintiff has alleged sufficient connection between BECU's conduct and his alleged harms. See Meyers v. Ferndale Sch. Dist., 481 P.3d 1084, 1088 (Wash. 2021) (In Washington, the “duty analysis informs the proximate cause analysis,” which is “generally a question of fact for the jury.”).
Even so, BECU argues that it could never be liable for Kaye-Smith's conduct because “in Washington, one who employs an independent contractor is not liable to third parties for the alleged negligence of that independent contractor or its employees.” Dkt. No. 24 at 19. But Washington courts recognize several exceptions to this rule, including “exceptions that subject the principal to liability for its own negligence and the second being exceptions that subject the principal to liability for its contractor's tortious conduct even if the principal has itself exercised reasonable care.” Millican v. N.A. Degerstrom, Inc., 313 P.3d 1215, 1219 (Wash.Ct.App. 2013); see generally David K. DeWolf & Keller W. Allen, 16 Washington Practice, Tort Law and Practice § 4.15 (5th ed. 2020) (discussing exceptions to general rule exempting a contracting party for the negligence of an independent contractor). Many of the exceptions are highly fact-specific, and the Court need not analyze them at this early stage of the case, except to say that Plaintiff has alleged facts sufficient to show that BECU owed him a duty as outlined above.
Accordingly, the Court finds that Plaintiff has adequately pled his theory that BECU owed him a duty because it transmitted his personal data to Kaye-Smith without ensuring that Kaye-Smith had taken adequate measures to safeguard Plaintiff's data, thus exposing him to a high degree of risk of data theft. See Buckley, 2018 WL 1532671, at *5 (holding the plaintiff adequately alleged a negligence claim in a data breach case when bank “deliberately transmitted” plaintiff's personal information to an unauthorized third party who later suffered a data breach).
2. Plaintiff's negligence claim based on a failure to notify fails to state a claim.
Plaintiff argues that BECU owed him a duty of care to “timely and sufficiently notify” him of the Data Breach, but that BECU failed to act within the 30 days generally allowed to notify affected consumers under Washington's Data Breach Act (“DBA”), RCW 19.255.010(8). BECU argues that it notified Plaintiff within 30 days of learning that his data was breached, as distinguished from when it first learned of the data intrusion in general, and thus complied with the DBA.
Washington courts turn to the Restatement (Second) of Torts section 286 to determine whether a duty may be predicated upon a statutory violation. Barrett v. Lucky Seven Saloon, Inc., 96 P.3d 386, 390 (Wash. 2004). “Under this provision of the Restatement, “[t]he court may adopt as the standard of conduct of a reasonable [person] the requirements of a legislative enactment . . . whose purpose is found to be exclusively or in part (a) to protect a class of persons that includes the person whose interest is invaded, and (b) to protect the particular interest which is invaded, and (c) to protect that interest against the kind of harm which has resulted, and (d) to protect that interest against the particular hazard from which the harm results.” Id. (quoting Restatement (Second) of Torts § 286 (1965)).
The Court is unaware of, and the parties do not cite, any Washington cases deciding whether a duty may be derived from the breach-notification provision found in the DBA, but the Court need not decide the issue, as BECU notified Plaintiff within the time prescribed by the statute. In pertinent part, the statute reads:
Notification to affected consumers under this section must be made in the most expedient time possible, without unreasonable delay, and no more than thirty calendar days after the breach was discovered....
RCW 19.255.010(8). Here, Plaintiff attached to his complaint the notice BECU provided him following the breach, stating that BECU learned on July 5, 2022, that an unauthorized third party accessed Plaintiff's personal data. Dkt. No. 1 at 39. Plaintiff alleges he “received a breach notification letter from BECU” on July 25, 2022, which was no more than 30 calendar days after BECU discovered that Plaintiff was affected by the breach. Dkt. No. at 6.
Thus, Plaintiff fails to allege facts supporting his claim that BECU failed to timely and sufficiently notify him of the breach even assuming the DBA created a duty owed.
B. Because an express contract covers the same subject matter, Plaintiff cannot maintain separate claims for breach of an implied contract and unjust enrichment.
Plaintiff claims BECU breached an implied contract to safeguard his PII. He claims that when he provided his PII to BECU in exchange for banking services, that they entered an implied contract “in which Defendant agreed to comply with its statutory and common law duties to protect” him and timely notify him in the event of a data breach. Dkt. No. 34 at 26. Plaintiff's only allegation that BECU failed to safeguard his information is that it negligently shared his PII with Kaye-Smith. In response, BECU argues Plaintiff cannot claim breach of an implied contract when there's an actual express contract that covers the issues at stake. BECU has a point.
Under long-standing Washington law, “[a] party to a valid express contract is bound by the provisions of that contract, and may not disregard the same and bring an action on an implied contract relating to the same matter, in contravention of the express contract.” Chandler v. Wash. Toll Bridge Auth., 137 P.2d 97, 103 (Wash. 1943). Before addressing this issue squarely, however, the Court must first determine the scope of the record on review.
Typically, the Court's review of the record is confined to the contents of the complaint when considering a Rule 12(b)(6) motion. Campanelli v. Bockrath, 100 F.3d 1476, 1479 (9th Cir. 1996). But courts may consider documents referenced extensively in the complaint, documents that form the basis of plaintiff's claim, and matters of judicial notice when determining whether the allegations in the complaint state a claim upon which relief can be granted. United States v. Ritchie, 342 F.3d 903, 908-09 (9th Cir. 2003). BECU has submitted its standard Membership Agreement containing the terms and conditions of its relationship with customers like Plaintiff. Dkt. No. 25 at 3-40. Plaintiff has not challenged the authenticity of the agreement or whether the Court may consider it as a matter of judicial notice or under the doctrine of incorporation by reference. For purposes of determining whether Plaintiff has stated a plausible claim for relief under an implied contract theory, the Court will consider the Membership Agreement.
Plaintiff does not contest that the Membership Agreement is a valid contract. But he contends that the Membership Agreement does not govern either dispute. The Membership Agreement contains a section titled “PRIVACY NOTICE.” Dkt. No. 25 at 8 (emphasis in original). The notice explains that, among other things, BECU will collect and share its customers' PII “for [its] everyday business purposes,” “for [its] marketing purposes,” and “for joint marketing with other financial companies.” Id. When it comes to protecting personal information, the Membership Agreement states that BECU will protect “personal information from unauthorized access and use” and that BECU will “use security measures that comply with federal law[,]” including “computer safeguards and secured files and buildings.” Id. On this record, the Court finds that the Membership Agreement covers the same subject matter implicated by Plaintiff's implied contract claim.
Plaintiff may contend that his claims are based on BECU's alleged failure to follow some more generalized standard of care apart from its express contractual obligations, but this theory falls for at least two reasons: Plaintiff alleges no facts that BECU agreed to be bound by anything more than what's in the express agreement, and any claim that BECU failed to exercise some level of reasonable care sounds in something other than contract. Thus, Plaintiff may not maintain a cause of action for breach of an implied contract.
Plaintiff's unjust enrichment claim meets a similar fate. “Unjust enrichment is the method of recovery for the value of the benefit retained absent any contractual relationship because notions of fairness and justice require it.” Young v. Young, 191 P.3d 1258, 1262 (Wash. 2008); see also Hurlbut v. Crines, 473 P.3d 263, 270 (Wash.Ct.App. 2020) (“[T]he courts will not allow a claim for unjust enrichment in contravention of a provision in a valid express contract.”) (internal citation omitted). Like Plaintiff's implied contract claim, the Court finds that the Membership Agreement relates to the same subject matter as Plaintiff's unjust enrichment claim and thus applies with equal preclusive force.
Because the defects in Plaintiff's implied contract and unjust enrichment claims cannot be cured with additional factual allegations, the Court dismisses these claims with prejudice.
C. Plaintiff fails to state a breach of a third-party beneficiary contract claim.
Plaintiff asserts that he was a third-party beneficiary to the contract between BECU and Kaye-Smith, but his allegations lack specificity, and therefore, fail to state a claim.
“The right of a third party beneficiary to sue upon a contract depends, as a rule, upon whether the contract is for his direct benefit or whether his benefit under it is merely incidental, indirect or consequential.” Lonsdale v. Chesterfield, 573 P.2d 822, 825 (Wash.Ct.App. 1978). Under Washington law, “both contracting parties must intend that a third-party beneficiary contract be created.” Rajagopalan v. NoteWorld, LLC, 718 F.3d 844, 847 (9th Cir. 2013) (citation omitted). The “key” question is “whether performance under the contract would necessarily and directly benefit the party.” Id. “The contracting parties' intent is determined by construing the terms of the contract as a whole, in light of the circumstances under which it is made.” Postlewait Constr., Inc. v. Great Am. Ins. Cos., 720 P.2d 805, 807 (Wash. 1986).
Here, Plaintiff alleges that Kaye-Smith and BECU entered various contracts “expressly for the benefit of Plaintiff” to perform services, including “process and servicing of third-party information.” Dkt. No. 1 at 31-31. These contentions are borderline conclusory in nature and close to the unadorned, the-defendant-unlawfully-harmed-me accusation that the Supreme Court warns against, but the Court construes them in the light most favorable to Plaintiff and finds that he has sufficiently alleged that he is a third-party beneficiary of a contract between the defendants.
But Plaintiff has not sufficiently alleged that BECU breached its contract with Kaye-Smith, which is fatal to his third-party claim against BECU. Indeed, his complaint alleges that Kaye-Smith breached the contract and is silent about any breach by BECU. Plaintiff tries to expand the scope of his factual allegations in his opposition brief by arguing that the contract was breached when the PII was exposed and when “BECU failed to timely notify” Plaintiff of the Data Breach. These claims, however, are found nowhere in his complaint and the Court will not consider them now. See Schneider v. Cal. Dep't of Corr., 151 F.3d 1194, 1197 n.1 (9th Cir. 1998) (“In determining the propriety of a Rule 12(b)(6) dismissal, a court may not look beyond the complaint to a plaintiff's moving papers, such as a memorandum in opposition to a defendant's motion to dismiss.”); Car Carriers v. Ford Motor Co., 745 F.2d 1101, 1107 (7th Cir. 1984) (“[T]he complaint may not be amended by the briefs in opposition to a motion to dismiss.”).
Thus, the Court finds that Plaintiff has failed to state a plausible claim for breach of a third-party beneficiary contract claim.
D. Plaintiff states a plausible CPA claim.
BECU argues that Plaintiff fails to make out a CPA claim because he has not pled any unfair or deceptive practice. The Court disagrees.
The Washington CPA prohibits “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce ....” RCW 19.86.020. To prevail on his CPA claim, Plaintiff must show: (1) an unfair or deceptive act (2) in trade or commerce (3) that affects the public interest, (4) injury to the plaintiff in his or her business or property, and (5) a causal link between the unfair or deceptive act complained of and the injury suffered. Trujillo v. Nw. Tr. Servs., Inc., 355 P.3d 1100, 1107 (Wash. 2015). Plaintiff must satisfy every element of a CPA claim. Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 719 P.2d 531, 539-40 (Wash. 1986). But the CPA “shall be liberally construed [so] that its beneficial purposes may be served.” RCW 19.86.920.
“Because the CPA does not define ‘unfair or deceptive,' the Washington Supreme Court has allowed the definitions to evolve through a gradual process of judicial inclusion and exclusion.” Veridian Credit Union, 295 F.Supp.3d at 1161 (quoting Saunders v. Lloyd's of London, 779 P.2d 249, 256 (Wash. 1989)). “Either an unfair or a deceptive act can be the basis for a CPA claim.” Id. (citing Klem v. Wash. Mut. Bank, 295 P.3d 1179, 1187 (Wash. 2013)). “An unfair act is established by evidence that it (1) causes or is likely to cause substantial injury, which (2) consumers cannot avoid, and (3) is not ‘outweighed by countervailing benefits.'” Id. (quoting Merriman v. Am. Guar. & Liab. Ins. Co., 396 P.3d 351, 368 (Wash.Ct.App. 2017)).
Based on the Washington courts' definition and the liberal construction afforded to the CPA, the Court finds that Plaintiff has adequately alleged that BECU engaged in an unfair act when it failed to safeguard its customers' data by disclosing it to Kaye-Smith without investigating whether its computer and network security systems were vulnerable to cyberattacks. Plaintiff further alleges BECU engaged in an unfair or deceptive act by omitting key information from consumers about Kaye-Smith's inadequate data security measures. Under similar circumstances, the Court has found that the failure to take proper measures to secure PII can constitute an unfair act under the CPA. Leo Guy v. Convergent Outsourcing, Inc., No. C22-1558 MJP, 2023 WL 4637318, at *8 (W.D. Wash. July 20, 2023); Veridian Credit Union, 295 F.Supp.3d at 1162 (denying motion to dismiss CPA claim when “key wrong doing” alleged was defendant's “failure to employ adequate data security measures”); In re MCG Health Data Sec. Issue Litig., 2023 WL 3057428, at *14, report and recommendation adopted, No. 2:22-CV-849-RSM-DWC, 2023 WL 4131746 (W.D. Wash. June 22, 2023) (report and recommendation on defendant's motion to dismiss recommending that plaintiff's Washington CPA claim proceed based on plaintiffs' allegations that defendant “failed to take proper measures to protect their private information with respect to its data security systems.”); Buckley, 2018 WL 1532671, at *3 (denying motion to dismiss CPA claim when plaintiff alleged that defendant “intentionally exposed her to an unacceptable” risk of data theft when it shared her PII with unauthorized third-party).
BECU also argues that Plaintiff suffered no injury as a result of its unfair or deceptive practice, and that to the extent he did suffer an injury, BECU was not the cause. But “injury to property or business is broadly construed;” “[e]ven minimal injury is sufficient to meet the damages element of a CPA claim.” Univ. of Wash. v. Gov't Emps. Ins. Co., 404 P.3d 559, 571 (Wash.Ct.App. 2017). In fact, nonquantifiable injuries such as time or expense incurred investigating a suspected deceptive practice will suffice. See Lock v. Am. Fam. Ins. Co., 460 P.3d 683, 694 (2020). As discussed above, under the standing analysis, the Court finds that Plaintiff has alleged sufficient injuries to proceed with his claims.
The causation element is satisfied if the plaintiff establishes that he relied upon a misrepresentation of fact, or where the defendant “induced” the plaintiff to act or refrain from acting. See Desranleau v. Hyland's, Inc., 450 P.3d 1203, 1210 (Wash.Ct.App. 2019), review denied, 458 P.3d 783 (2020) (trial court properly dismissed CPA claim against manufacturer where plaintiff had never heard of product until after child's death). But when the unfair or deceptive act is premised on an omission, as is the case here, Washington courts recognize a rebuttable presumption of reliance. Eng. v. Specialized Loan Servicing, 500 P.3d 171, 181 (Wash.Ct.App. 2021) (trial court erroneously dismissed CPA claim where borrower was entitled to rebuttable presumption of reliance); Deegan v. Windermere Real Estate/Center-Isle, Inc., 391 P.3d 582, 587 (Wash.Ct.App. 2017). Thus, the Court finds that Plaintiff has stated a plausible claim for a violation of the CPA.
IV. Leave to Amend.
In his opposition to the motion, Plaintiff requests leave to amend his complaint “to the extent any portion of the Motion is granted.” Dkt. No. 34 at 29, 30. As explained above, the Court dismisses Plaintiff's implied contract and unjust enrichment claims, as well as Plaintiff's negligence claim to the extent it relies on BECU's alleged failure to timely notify him about the Data Breach, with prejudice. Plaintiff's third-party beneficiary claim is dismissed without prejudice because the dismissal is rooted in the insufficiency of Plaintiff's factual allegations.
Plaintiff may therefore move to amend his complaint, but he must comply with the Civil and Local Rules in doing so. In light of the rulings, the Court need not decide whether Plaintiff's complaint constitutes impermissible “shotgun pleading,” as BECU contends. Dkt. No. 24 at 29.
CONCLUSION
For the foregoing reasons, BECU's motion to dismiss (Dkt. No. 24) is GRANTED in part and DENIED in part. Plaintiff's implied contract and unjust enrichment claims against BECU are dismissed with prejudice. Plaintiff's negligence claim, to the extent it relies on BECU's alleged failure to notify him about the Data Breach, is also dismissed with prejudice. But Plaintiff's third-party beneficiary claim against BECU is dismissed without prejudice. To the extent Plaintiff wishes to file an amended complaint, he must comply with the Civil and Local Rules.