Summary
denying without explanation motion to dismiss claim for unjust enrichment in data breach case
Summary of this case from Lamie v. LendingTree, LLCOpinion
3:20-cv-595-FDW-DCK
07-19-2021
ORDER
Frank D. Whitney J., United States District Judge.
THIS MATTER is before the Court on Defendant Filters Fast LLC's Motions to Dismiss. One motion was filed prior to the Amended Complaint (Doc. No. 10), and upon filing of the Amended Complaint, Defendant renewed their motions separately seeking dismissal pursuant to Federal Rule of Civil Procedure 12(b)(1), (Doc. No. 15), and 12(b)(6), (Doc. No. 17). The motions have been fully briefed by the parties and are now ripe for review. For the reasons stated herein, the court DENIES AS MOOT the Original Motion to Dismiss and DENIES the renewed Motions to Dismiss (Doc. Nos. 15, 17).
I. BACKGROUND
According to the Complaint, Defendant is an online retailer of home filtration products based out of North Carolina. (Doc. No. 12, p. 10). Plaintiffs purchased merchandise from Defendant's website between August 2019 and July 2020. (Id.). Subsequently, each Plaintiff received a letter from Defendant dated August 18, 2020, “Notice of Data Breach, ” which stated:
In late February 2020, we were informed of a possible data security incident affecting our website. We immediately began investigating the potential issue. Our investigation included hiring an outside, expert forensics firm to analyze our systems and determine if there was a breach of our security. On July 20, 2020, that investigation revealed that attackers had succeeded in adding malicious code to our website on July 15, 2019, which allowed unauthorized individuals to capture certain information during the checkout process. We removed that malicious code on July 10, 2020, during an unrelated update of our website ending the unauthorized access to our website.(Doc. No. 12 - 2, p. 1).
Since receipt of this notice, Plaintiffs have allegedly experienced fraud and security issues surrounding the payment cards and personal information used to purchase merchandise on Defendant's site. (Doc. No. 12, p. 6). Plaintiffs allege the sharing and use of their personal and financial information. For example, Plaintiff Postolowski alleges that an unauthorized charge was attempted on her card August 2020. (Id. p. 8). In addition to injury in the form of fraudulent charges and compromise of their personal information, Plaintiffs allege the following injuries:
(a) unauthorized charges on their payment card accounts; (b) theft of their personal and financial information; (c) costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts; (d) loss of use of and access to their account funds and costs associated with inability to obtain money from their accounts or being limited in the amount of money they were permitted to obtain from their accounts, including missed payments on bills and loans, late charges and fees, and adverse effects on their credit including decreased credit scores and adverse credit notations; (e) costs associated with time spent and the loss of productivity from taking time to address and attempting to ameliorate, mitigate, and deal with the actual and future consequences of the data breach, including finding fraudulent charges, cancelling and reissuing cards, purchasing credit monitoring and identity theft protection services, imposition of withdrawal and purchase limits on compromised accounts, and the stress, nuisance and annoyance of dealing with all issues resulting from the data breach; (f) the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal information and PCD being placed in the hands of criminals and already misused via the sale of Plaintiffs' and Class Members' information on the Internet black market; (g) damages to and diminution in value of their personal and financial information entrusted to Filters Fast for the sole purpose of making purchases from Filters Fast and with the mutual understanding that Filters Fast would safeguard Plaintiffs' and Class Members' data against theft and not allow access to and misuse of their information by others; (h) money paid to Filters Fast during the period of the data breach in that Plaintiffs and Class Members would not have purchased from Filters Fast had Defendant disclosed that it lacked adequate systems and procedures to reasonably safeguard customers' personal information and PCD and had Filters Fast provided timely and accurate notice of the data breach; (i) continued risk to their personal information and PCD, which remains in the possession of Filters Fast.(Id. pp. 2-4).
Plaintiffs filed the Complaint against Defendant Filters Fast, LLC, on behalf of themselves and all others similarly situated, for Defendant's alleged: (a) refusal to take adequate and reasonable measures to ensure its data systems were protected; (b) refusal to take available steps to prevent the breach from happening; (c) failure to disclose to its customers the material fact that it did not have adequate computer systems and security practices to safeguard customers' personal and financial information; and (d) failure to provide timely and adequate notice of the data breach. (Id. p. 2).
Plaintiffs now seek to hold Defendant liable for: (1) violation of North Carolina Unfair and Deceptive Trade Practices Act; (2) negligence; (3) negligence per se; (4) breach of implied contract; (5) unjust enrichment; (6) declaratory relief; (7) violation of California's Unfair Competition Law; (8) violation of the California Consumer Privacy Act; and (9) violations of the Florida Unfair and Deceptive Trade Practices Act. (Id.). Defendant has moved to dismiss all counts, both for lack of standing and failure to state a claim. (Doc. Nos. 15, 16). Defendant relies on Rules 12(b)(1) and 12(b)(6) to support both Motions to Dismiss.
II. STANDARD OF REVIEW
Federal Rule of Civil Procedure 12(b)(1) provides for dismissal when the court lacks subject matter jurisdiction and may be raised at any time, by any party. Mansfield, C. & L.M. Ry. Co. v. Swan, 111 U.S. 379, 382 (1884). To survive a 12(b)(1) motion to dismiss, the burden is on the plaintiff to establish the existence of subject matter jurisdiction. In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 455 (D. Md. 2020).
A 12(b)(1) challenge may be raised in one of two ways: a facial challenge or a factual challenge. Id. In a facial challenge, the factual allegations of a complaint are “taken as true, ” however, the moving party asserts that these allegations are “insufficient to establish subject matter jurisdiction.” Id. In a factual challenge, the moving party asserts that the “jurisdictional allegations of the complaint are not true, ” and the court “is entitled to decide disputed issues of fact with respect to subject matter jurisdiction.” Id. (internal quotations omitted).
Here, Defendant asserts a facial challenge against Plaintiffs' standing. Therefore, the Court must “accept as true all material allegations of the complaint and construe the complaint in favor of the complaining party.” Deal v. Mercer Cty. Bd. Of Educ., 911 F.3d 183, 187 (4th Cir. 2018).
Federal Rule of Civil Procedure 12(b)(6) provides for dismissal when the pleading party fails to “state a claim upon which relief can be granted.” A motion to dismiss pursuant to Fed.R.Civ.P. 12(b)(6) tests the “sufficiency of a complaint” and does “not resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses.” In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 455 (D. Md. 2020) (citing Presley v. City of Charlottesville, 464 F.3d 480, 483 (4th Cir. 2006)).
To survive a 12(b)(6) motion to dismiss a complaint must contain “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is “plausible on its face” when the allegations within the complaint “allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 663. This plausibility standard requires “more than a sheer possibility that a defendant has acted unlawfully.” Id. Thus, a motion to dismiss should be granted unless the factual allegations of the complaint are “enough to raise a right to relief above the speculative level on the assumption that all of the complaint's allegations are true.” Bell Atl. Corp., 550 U.S. at 545.
III. STANDING
Defendant asserts Plaintiffs do not have standing and therefore this Court lacks subject matter jurisdiction over their claims. As an initial matter, the Court summarily denies as moot Defendant's original motion to dismiss that was filed prior to the Amended Complaint and instead focuses the analysis on the motion filed in response to the Amended Complaint. To satisfy the “irreducible constitutional minimum of standing” a plaintiff must establish: (1) an “injury-in-fact” that is both “concrete and particularized, ” as well as “actual and imminent”; (2) that this injury is “fairly traceable” to the defendant's alleged conduct; and (3) that it is “likely . . . that the injury will be redressed by a favorable decision” from the court. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992) (internal quotations omitted). Defendant contends Plaintiffs have not met their burden to establish any of the three requirements of standing.
It is well settled that a timely-filed amended pleading supersedes the original pleading, and motions directed at superseded pleadings may be denied as moot. Young v. City of Mount Ranier, 238 F.3d 567, 573 (4th Cir. 2001) ([t]he general rule is that an amended pleading supersedes the original pleading, rendering the original pleading of no effect); Colin v. Marconi Commerce Systems Employees Retirement Plan, 335 F.Supp.2d 590, 614 (M.D. N.C. 2004) (motion to dismiss was rendered moot by the filing of second amended complaint); Turner v. Kight, 192 F.Supp.2d 391, 397 (D. Md. 2002) (denying as moot motion to dismiss original complaint on grounds that amended complaint superseded original complaint); see also Brown v. Sikora and Associates, Inc., 2008 WL 1751934, *3 (4th Cir. 2008); Atlantic Skanska, Inc. v. City of Charlotte, N.C., 2007 WL 3224985, *4 (W.D. N.C. 2007); Hi-Tech, Inc. v. Rising, 2006 WL 1966663, *3 (W.D. N.C. July 11, 2006). This ruling is without prejudice to Defendant's right to reassert any applicable arguments that pertain to the Amended Complaint.
“In a class action matter, we analyze standing based on the allegations of personal injury made by the named plaintiff” Dreher v. Experian Info. Sols., Inc., 856 F.3d, 337, 343 (4th Cir. 2017) (internal quotations omitted). “At least one plaintiff must have standing to seek each form of relief requested in the complaint.” Town of Chester, N.Y. v. Laroe Ests., Inc., U.S., 137 S.Ct. 1645, 1651, 198 L.Ed.2d 64 (2017); see also Clark v. Duke Univ., No. 16-1044, , 2018 WL 1801946, at *7 (M.D. N.C. Apr. 13, 2018) (“There must be a named plaintiff with constitutional standing to assert each claim.” (citing Daimler Chrysler Corp. v. Cuno, 547 U.S. 332, 352, 126 S.Ct. 1854, 164 L.Ed.2d 589 (2006))).
A. Injury-in-Fact
First, Defendant contends Plaintiffs have not alleged an “injury-in-fact” that satisfies the standing requirements of Article III. To establish an “injury-in-fact, ” a plaintiff must show that the defendant's alleged conduct has invaded a “legally protected interest which is concrete and particularized.” Lujan, 504 U.S. at 560. The injury “need not be large, an identifiable trifle will suffice.” Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 156 (4th Cir. 2000) (citing Sierra Club v. Cedar Point Oil Co., 73 F.3d 546, 557 (5th Cir. 1996)). Alternatively, an injury-in fact cannot be established when the harm alleged rests on a “speculative chain of possibilities.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 (2013).
The Fourth Circuit has previously held that “mere compromise of personal information, without more, ” fails to satisfy the “injury-in-fact” requirement of standing in the context of a data breach. Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 621 (4th Cir. 2018) (emphasis added); see also Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017) (holding that the plaintiffs' “enhanced risk of future identity theft [is] too speculative” to establish standing). In Hutton, the court found standing existed for the plaintiffs who were victims of a data breach because the plaintiffs had sufficiently alleged their data had been “stolen, accessed and used in a fraudulent manner.” Id. at p. 622 (emphasis added).
Moreover, the Fourth Circuit has not previously required that a plaintiff allege out-ofpocket loss from the fraudulent charges to establish an injury-in-fact; misuse or targeting of personal information by hackers, alone, may be sufficient. See Hutton, 892 F.3d 613, 622 (4th Cir. 2018) (holding that use of a plaintiff's personal information to open credit cards was an injury-in-fact and that economic injury was not required); see also United States v. Students Challenging Regulatory Agency Procedures, 412 U.S. 669, 686 (1973) (“[I]n interpreting injury in fact . . . standing [is] not confined to those who [can] show economic harm.”); see also In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 459 (D. Md. 2020) (holding that a complaint alleging misuse or intentional targeting of personal information by hackers “bring[s] the actual and threatened harm out of the realm of speculation and into the realm of sufficiently imminent and particularized harm to satisfy the injury-in-fact requirement” for standing).
Defendant's reliance on opinions from other circuits is misplaced as this Court is bound by the Fourth Circuit precedent. The Court recognizes a circuit split exists regarding what is a cognizable injury-in-fact in the realm of data breach. See e.g. In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 458 (D. Md. 2020) (collecting cases); see also In Re Rutter's Inc. Data Breach Security Litig., F.Supp.3d, 2021 WL 29054 *5 (M.D. Penn. 2021) (collecting cases and noting, “[T]he Fourth Circuit has taken an approach somewhere between those two poles-where a plaintiff alleges that personal information was actually targeted or misused in the hack, then a compromised plaintiff's risk of future injury is sufficiently imminent and non-speculative.” (citations omitted)). Fourth Circuit precedent does not support Defendant's argument that Plaintiffs must suffer out-of-pocket loss to establish an injury-in-fact. See Hutton, 892 F.3d at 622.
Further, it is instructive to contrast the present case with Beck, where the court held that the “risk of future identity theft” without more was too speculative on an “attenuated chain of possibilities.” and insufficient to establish an “injury-in-fact.” Beck v. McDonald, 848 F.3d 262, 274-75 (4th Cir. 2017) (emphasis added and citations omitted). In Beck, the plaintiffs' personal information was merely compromised when a laptop containing this personal information was stolen from the VA Medical Center. Id. The plaintiffs neither alleged the laptop was stolen with the intent to misuse their personal information nor alleged actual misuse of their personal information. Id. Therefore, the risk of future identity theft was “too speculative” to establish an “injury-in-fact.” Id. Here, Plaintiffs are not alleging the “mere compromise” of their personal information like in Beck, but instead, alleging actual misuse of their personal information.
As to the alleged injury for theft of personal information, Plaintiff Postolowski alleges misuse of her card in the form of a fraudulent charge and Plaintiff McCreary also alleges her personal information was accessed and misused when allegedly published on the Dark Web. Though Plaintiffs have not alleged economic injury resulting directly from the fraudulent charges, they do allege that there was actual misuse of their personal information. These allegations of actual misuse bring the “actual and threatened harm” alleged by Plaintiffs “out of the realm of speculation and into the realm of sufficiently imminent and particularized harm.”
The Court initially addresses Plaintiffs' claimed injuries for theft of personal information (Doc. No. 12, p. 3) as it appears to be the bulk of their argument. The other alleged injuries will be summarily addressed following this analysis.
B. Traceability
Defendant next argues that even if Plaintiffs have suffered an injury-in-fact, this injury is not “fairly traceable” to Defendant's data breach. Specifically, Defendant contends Plaintiffs do not allege facts showing the fraudulent charges are a result of Defendant's data breach. Instead, Defendant makes the argument that the fraudulent charges could have been a result of some other data breach that occurred in 2020.
The “fairly traceable” requirement of standing “ensures that there is a genuine nexus between a plaintiff's injury and a defendant's alleged illegal conduct.” Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 161 (4th Cir. 2000). This traceability requirement does not mean a plaintiff must “show to a scientific certainty that defendant . . . caused the precise harm suffered.” Id. Thus, Defendant's argument regarding potential causation by some other data breach that occurred in 2020 is misplaced.
The Fourth Circuit has previously addressed the issue of traceability in the context of a data breach. In Hutton, the court determined the plaintiffs' complaint containing allegations that the defendant was the only common source of their personal information demonstrated it was both “plausible and likely” that the defendant's conduct was the source of their alleged injuries. 892 F.3d at 622 (4th Cir. 2018).
Similarly, in In re Marriott, the district court determined the plaintiffs' complaint adequately alleged their injuries were “fairly traceable” to the defendant's conduct. 440 F.Supp.3d at 467 (D. Md. 2020). There, the plaintiffs alleged “they stayed at Marriott properties, that they gave their personal information to Marriot to do so, that Marriott was the target of one of the largest data breaches in history . . . and as a result, fraudulent accounts were opened or applied for in their names.” Id.
In the present case, Plaintiffs allege they made purchases on Defendant's site during the time of the breach, their personal information was stolen during this transaction, and hackers who breached Defendant's site subsequently accessed and misused their personal information. Taking the allegations as true, Plaintiffs have alleged Defendant failed to properly secure Plaintiffs' personal information and this failure resulted in the theft and misuse of their personal information. Therefore, the complaint sufficiently alleges that there is a genuine nexus between the alleged injury and the data breach, and a jury could reasonably find it is plausible that Defendant was the cause of the alleged injury. While Defendant may ultimately show this injury was not caused by the data breach, that argument is more appropriate for a jury.
In sum, the factual allegations of Plaintiffs' complaint set forth plausible allegations that Defendant's data breach is the source of Plaintiffs' injury, therefore satisfying the fairly traceable requirement of standing.
C. Redressability
Finally, Defendant asserts Plaintiffs' alleged injury cannot be redressed through a “favorable decision” from the court. The Supreme Court, as well as the D.C. Circuit, have recognized that costs reasonably incurred to “mitigate or avoid” harm may allow a court to “award damages to recoup these costs.” Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017); see also Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n. 5 (2013) (holding that a “substantial risk” of harm may “prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm”). Further, a plaintiff who has “reasonably spent money to protect themselves against a substantial risk” creates the “potential for them to be made whole by monetary damages.” Attias, 865 F.3d at 629.
Defendant directs the court to the Complaint and argue Plaintiffs have cancelled the affected payment cards and have not experienced any monetary loss. This, according to Defendant, makes Plaintiffs' injuries unable to be redressed through an injunction or damages. Whether or not Plaintiffs have cancelled their payment cards, however, is not dispositive to this standing analysis. Plaintiffs allege monetary loss resulting from the theft and misuse of their personal information. Therefore, if Plaintiffs succeed on the merits of the case, then a favorable decision from the court awarding damages could redress these alleged injuries.
D. Remaining Alleged Injuries
Bearing the above principles in mind, the Court summarily finds Plaintiffs have made sufficient allegations to set forth an imminent threat of the injury, based on the actual access and use of their stolen data, to confer Article III standing for the following injuries:
a. unauthorized charges on their payment card accounts; see Hutton, 892 F.3d at 622 (holding that economic loss is not required and the plaintiffs “time and resources” spent to “repair her credit” was sufficient to establish standing); see also United States v. Students Challenging Regulatory Agency Procedures, 412 U.S. 669, 686 (1973) (“[I]n interpreting injury in fact . . . standing [is] not confined to those who [can] show economic harm.”)
b. costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts, as well as costs associated with mitigating the actual and future consequences of the data breach; see Hutton, 892 F.3d at 622 (“And although incurring costs for mitigating measures to safeguard against future identity theft may not constitute an injury-in-fact when that injury is speculative, the Court has recognized standing to sue on the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm actually exists.”)
c. loss of use of and access to their account funds and costs associated with inability to obtain money from their accounts or being limited in the amount of money they were permitted to obtain from their accounts; see id.;
d. the imminent and impending injury flowing from potential fraud and identity theft and the continued risk to Plaintiffs' personal information; see Hutton, 892 F.3d at 622 (holding because the plaintiffs alleged they were concretely injured by the misuse of their personal information, threat of future identity theft was not too speculative to establish standing); see also In re Marriot, 440 F.Supp.3d at 459.
e. damages to and diminution in value of their personal and financial information; see In re Marriot, 440 F.Supp.3d at 462-63 (holding because the plaintiffs “adequately pled that the personal identifying information collected by Marriot has value” they have sufficiently alleged an injury in fact based on the loss of value of their personal information);
f. money paid to Filters Fast during the period of the data breach that Plaintiffs would not have paid had Defendant disclosed it lacked adequate systems to safeguard Plaintiffs' personal information; see id. at 465-66 (holding the plaintiffs' complaint containing allegations that “had they known the truth about Marriott's data security practices they would have paid less or not stayed at Marriot” were sufficient to allege injury based on the overpayment theory).
The Court acknowledges In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374 (E.D. Va. 2020), reached a difference conclusion. There, the court found the plaintiffs failed to plausibly allege injury. The court stated:
Plaintiffs do not allege any facts explaining how their PII became less valuable as a result of the breach. For instance, they are no allegations that Plaintiff attempted to sell their information and were refused a sale because of or related to their PII's prior exposure arising from the Data Breach. Nor is there any allegation that Plaintiff have attempted to purchase goods or services, which requires the exchange of their PII, and Plaintiffs were denied receipt of that good or service or were only offered less-than-desirable terms because of their PII's prior exposure through the Data Breach.Id. at 403. That case is distinguishable because here, Plaintiff McCreary alleges actual injury in the value of her personal and financial information. For example, as a result of the breach and publication of her information on the Dark Web, she actually encountered “several extra steps . . . when trying to get approved for credit with a lower interest rate;” and “McCreary had to keep her higher interest rates rather than trying to resolve the issues preventing her from applying for lower credit rates.” (Doc. No. 12, p. 6).
The Court summarily finds Plaintiffs do not have standing to sue for alleged injuries arising out of the “continued risk to their personal information and PCD, which remains in the possession of Filters Fast and which is subject to further breaches so long as Filters Fast continues to fail to undertake appropriate and adequate measures to protect Plaintiffs' and Class Members' data in its possession.” (Doc. No. 12, p. 4). Unlike the asserted injury of “imminent and impending injury flowing from potential fraud and identity theft and the continued risk to Plaintiffs' personal information” arising from the data breach that already occurred, including the access and use of Plaintiffs' stolen data, this future injury-that some other hacker or data thief might access their personal data stored by Defendant-requires speculation that Defendant's data storage is likely to be retargeted simply because it has previously been hacked. This asserted injury hinges on a speculative “increased risk of future identity theft, ” which both Clapper and Beck reject as an injury-in-fact. Indeed, even if Plaintiffs' data was again stolen from Defendant, “the mere theft of these items, without more, cannot confer Article III standing.” Beck, 848 F.3d at 275 (citing Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 7-8 (D.D.C. 2007) (deeming as speculative plaintiffs' allegations “that at some unspecified point in the indefinite future they will be the victims of identity theft” where, although plaintiffs clearly alleged their information was stolen by a burglar, they did “not allege that the burglar who stole the laptop did so in order to access their [i]nformation, or that their [i]nformation ha[d] actually been accessed since the laptop was stolen”)).
IV. FAILURE TO STATE A CLAIM
After reviewing the Complaint, the Court summarily DENIES Defendant's 12(b)(6) Motion to Dismiss on all counts. This ruling is without prejudice, and Defendant may reassert any arguments, if applicable, at summary judgment.
V. CONCLUSION
IT IS THEREFORE ORDERED that Defendant's 12(b)(1) and 12(b)(6) Motions to Dismiss (Doc. Nos. 15, 17) are DENIED. Defendant's Motion to Dismiss (Doc. No. 10) is DENIED AS MOOT.
IT IS FURTHER ORDERED that the Court finds it necessary to expedite certain deadlines so that a case management order can be issued and discovery can commence. Defendant shall file its Answer to the Amended Complaint (Doc. No. 12) within fourteen (14) days from the date of this Order. Following the filing of the Answer, the parties shall have fourteen (14) days to confer pursuant to Rule 26 of the Federal Rules of Civil Procedure and seven (7) days after the conference to submit their Certificate of Initial Attorney Conference Form.
IT IS SO ORDERED.