Opinion
Civil Action 2:23-cv-1916 2:23-cv-1988
08-15-2024
CINDY TIGNOR, Plaintiff, v. DOLLAR ENERGY FUND, INC., Defendant. JESSICA FLAGELLA, on behalf of herself and her minor children A.F. And A.F, and all others similarly situated, Plaintiff, v. DOLLAR ENERGY FUND, Defendant.
MEMORANDUM OPINION
WILLIAM S. STICKMAN IV, UNITED STATES DISTRICT JUDGE
Plaintiffs Cindy Tignor (“Tignor”) and Jessica Flagella (“Flagella”) (collectively, “Plaintiffs”) bring this action against Defendant Dollar Energy Fund, Inc. (“Dollar Energy”), an energy company that provides utility assistance grants to families and individuals. (ECF No. 14,p. 1). Plaintiffs filed a Consolidated Class Action Complaint (“Amended Complaint”) on January 30, 2024, alleging that Dollar Energy failed to properly secure and safeguard their personally identifiable information, including their full names and Social Security numbers (collectively, “PH”), that it collected and maintained as part of its regular business practices. (Id.). Plaintiffs assert four claims against Dollar Energy: negligence (Count I), negligence per se (Count II), breach of implied contract (Count III), and unjust enrichment (Count IV). (Id. at pp. 39, 44, 45, 48).
Flagella brought her action on behalf of herself and her minor children, A.F. and A.F.
Tignor filed her initial complaint on November 6, 2023 (Civil Action No. 2:23-cv-1916, ECF No. 1), and Flagella filed her initial complaint on November 17, 2023 (Civil Action No. 2:23-cv-1988, ECF No. 1).
Dollar Energy filed a Motion to Dismiss Plaintiffs' Consolidated Class Action Complaint Pursuant to Federal Rules of Civil Procedure 12(b)(1) (“Rule 12(b)(1)”) and 12(b)(6) (“Rule 12(b)(6)”) (collectively, the “Motion”) (ECF No. 15). The Motion turns on two issues: (1) whether Plaintiffs have established standing and (2) whether Plaintiffs state plausible claims. (See ECF No. 15-1). For the following reasons, the Court will grant the Motion for lack of standing as to Flagella. The Motion for lack of standing will be denied as to Tignor, and the Court holds that she has pled a cognizable claim at Count I but not at Counts II, III, and IV.
I. Factual Background
Plaintiffs are current and former customers of Dollar Energy, a corporation that provides utility assistance grants to families and individuals. (ECF No. 14, p. 6). As a condition of purchasing energy products and services, Dollar Energy requires its customers to furnish it with “sensitive, non-public PII.” (Id.). Without this information from its customers, Dollar Energy could not perform its regular business activities. (Id.).
On February 5, 2023, Dollar Energy experienced a disruption to its computer system network (the “Data Breach”). (Id. at p. 8). After reporting the incident to law enforcement, computer specialists determined through an investigation that Dollar Energy's stored PII was accessed between January 31, 2023, and February 5, 2023. (Id.). On September 28, 2023, Dollar Energy notified “potentially impacted individuals,” which included Plaintiffs, of the Data Breach. (Id.). Until that date, Plaintiffs were unaware that their PII had been compromised. (Id. at p. 3). They claim that Dollar Energy left their PII unencrypted in their network. (Id. at p. 6).
By obtaining, collecting, using, and deriving a benefit from the PII, Plaintiffs assert that they reasonably expected Dollar Energy “assumed legal and equitable duties” and “knew or should have known that it was responsible for protecting” their PII from unauthorized disclosure. (Id. at p. 7). Moreover, Plaintiffs assert that Dollar Energy failed to provide them with “timely and adequate notice.” (Id. at p. 3). Plaintiffs claim that they have suffered numerous injuries because of Dollar Energy's “negligent” and “careless” conduct. (Id.).
These injuries include: (i) invasion of privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vii) experiencing an increase in spam calls, texts, and/or emails; (viii) Plaintiff Tignor experiencing fraud in the form of an identity thief using her PII to submit a credit card application to Capital One in or about March 2023; (ix) Plaintiff Tignor experiencing fraud in the form of an identity thief using her PII to submit a credit card application to CBNA Energy in or about October 2023 and (x) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in [Dollar Energy]'s possession and is subject to further unauthorized disclosures so long as [Dollar Energy] fails to undertake appropriate and adequate measures to protect the PII.(Id. at pp. 4-5). Additionally, Plaintiffs assert that the substantial risk of identity theft caused them to suffer fear, anxiety, and stress. (ECF No. 14, pp. 31, 33).
Plaintiffs bring this class action lawsuit seeking to represent all persons whose PII was compromised as a result of Dollar Energy's failure to (1) “adequately protect [their] PII” and (2) “effectively secure hardware containing protected PII [at issue] using reasonable and effective security procedures free of vulnerabilities and incidents.” (Id. at pp. 3-4). They seek to remedy these harms and prevent any future data compromises on the individuals' PII that were impacted as a result of the Data Breach. (Id. at p. 5).
II. Standard of Review
Under Rule 12(b)(1), a court must grant a motion to dismiss if there is a lack of subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1). “A challenge to subject matter jurisdiction under Rule 12(b)(1) may be either a facial or a factual attack.” Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016). A facial attack does not dispute the facts alleged in the complaint, id., and therefore essentially applies the same standard as a motion under Rule 12(b)(6). See Const. Party of Pa. v. Aichele, 757 F.3d 347, 358 (3d Cir. 2014) (“[A] facial attack calls for a district court to apply the same standard of review it would use in considering a motion to dismiss under Rule 12(b)(6), i.e., construing the alleged facts in favor of the nonmoving party.”). A court must therefore “only consider the allegations of the complaint and documents referenced therein and attached thereto, in the light most favorable to the plaintiff.” Id. (internal quotations omitted).
“A motion to dismiss for want of standing is ... properly brought pursuant to Rule 12(b)(1), because standing is a jurisdictional matter.” Ballentine v. United States, 486 F.3d 806, 810 (3d Cir. 2007). A court lacks jurisdiction if a plaintiff cannot establish Article III standing. See Davis, 824 F.3d at 346 (“Absent Article III standing, a federal court does not have subject matter jurisdiction to address a plaintiffs claims, and they must be dismissed.”).
A motion to dismiss filed under Rule 12(b)(6) tests the legal sufficiency of the complaint. Kost v. Kozakiewicz, 1 F.3d 176, 183 (3d Cir. 1993). A plaintiff must allege sufficient facts that, if accepted as true, state a claim for relief plausible on its face. See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007); see also Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A court must accept all well-pleaded factual allegations as true and view them in the light most favorable to a plaintiff. See Doe v. Princeton Univ., 30 F.4th 335, 340 (3d Cir. 2022); see also Fowler v. UPMC Shadyside, 578 F.3d 203, 210 (3d Cir. 2009). Although a court must accept the allegations in the complaint as true, it is “not compelled to accept unsupported conclusions and unwarranted inferences, or a legal conclusion couched as a factual allegation.” Baraka v. McGreevey, 481 F.3d 187, 195 (3d Cir. 2007) (citations omitted).
The “plausibility” standard required for a complaint to survive a motion to dismiss is not akin to a “probability” requirement but asks for more than sheer “possibility.” Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 556). In other words, the complaint's factual allegations must be enough to raise a right to relief above the speculative level, on the assumption that all the allegations are true even if doubtful in fact. Twombly, 550 U.S. at 555. Facial plausibility is present when a plaintiff pleads factual content that allows the court to draw the reasonable inference that a defendant is liable for the misconduct alleged. Iqbal, 556 U.S. at 678. Even if the complaint's well-pleaded facts lead to a plausible inference, that inference alone will not entitle a plaintiff to relief. Id. at 682. The complaint must support the inference with facts to plausibly justify that inferential leap. Id.
III. Analysis
A. Tignor has standing to bring her claims but Flagella does not.
Dollar Energy contends that Plaintiffs do not have standing to bring their claims because they have failed to “establish any actual, concrete, particularized, or imminent injuries.” (ECF No. 15-1, p. 12). It argues that Plaintiffs' allegations of increased risk of future harm, mitigative efforts, loss of value of their PII, and invasion of privacy all fail to create a sufficient legally cognizable injury. (Id.). Dollar Energy also contends that Plaintiffs have failed to establish that future harm in the form of identity theft or fraud is or could be fairly traceable to the Data Breach. (Id.). Plaintiffs counter that they have adequately pled cognizable injuries in fact. (ECF No. 17, p. 10).
Standing is a jurisdictional requirement rooted in Article III of the Constitution, which limits federal courts to resolving cases or controversies. U.S. Const, art. Ill. § 2. For there to be standing under Article III, plaintiffs must have a “personal stake” in the outcome of a given case. Baker v. Carr, 369 U.S. 186, 204 (1962). To show they have a personal stake, the party invoking federal jurisdiction must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (citation omitted). The party invoking federal jurisdiction also bears the burden of establishing each element. Id. (citation omitted). In the instant case, only the first two elements are in dispute. (See ECF No. 15-1, p. 12).
1. Plaintiffs' injuries in fact are fairly traceable to the challenged conduct of Dollar Energy.
To satisfy the element of traceability, Plaintiffs must establish that their injury is “fairly ... tracea[able] to the challenged action of the defendant,” and not the result of a third party's independent action. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992). There is no single standard for establishing a “causal relationship.” Clemens v. ExecuPharm Inc., 48 F.4th 146, 158 (3d Cir. 2022) (citing Khodara Envtl., Inc. v. Blakey, 376 F.3d 187, 195 (3d Cir. 2004)). But-for causation and concurrent causation are both sufficient to satisfy the traceability requirement. Id. (citations omitted).
Dollar Energy contends that Plaintiffs have failed to plead facts making it plausible that any alleged risk or future harm they face is traceable to the Data Breach. (ECF No. 15-1, p. 22). As Plaintiffs see it, however, their PII could not have been exfiltrated in the Data Breach “but for” Dollar Energy's failure to safeguard it. Specifically, Plaintiffs have identified their injuries as “a result of Dollar Energy's misconduct.” (ECFNo. 17,p. 18). At the pleading stage, the Court finds that Plaintiffs have alleged sufficient facts to establish traceability.
2. Tignor has suffered an injury in fact but not Flagella.
In addition to proving traceability, Plaintiffs must also have suffered an injury in fact to meet the requirements of Article III standing. An injury in fact is an “invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560 (citations and internal quotation marks omitted). As to the “actual or imminent” requirement, the disjunctive conjunction is significant. Clemens, 48 F.4th at 152. “[I]t indicates that a plaintiff need not wait until he or she has actually sustained the feared harm in order to seek judicial redress, but can file suit when the risk of harm becomes imminent.” Id. This is critical in the data breach context, where the harmful consequences of one may manifest instantaneously or sometime in the future depending on the nature of the breach at issue. Id.
“[A]negations of future injury ‘suffice if the threatened injury is certainly impending or there is a substantial risk that the harm will occur.'” Id. (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)) (citation omitted). The Supreme Court of the United States has defined substantial risk as a “realistic danger of sustaining a direct injury.” Pennell v. City of San Jose, 485 U.S. 1, 8 (1988). “While plaintiffs are not required ‘to demonstrate that it is literally certain that the harms they identify will come about,' a ‘possible future injury'-even one with an ‘objectively reasonable likelihood' of occurring-is not sufficient.” Clemens, 48 F.4th at 153 (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398,409-10,414 n. 5 (2013) (emphasis omitted)).
In Reilly v. Ceridian Corp., 664 F.3d38 (3d Cir. 2011), the United States Court of Appeals for the Third Circuit addressed whether employees had standing in a dispute over a data breach. The employees alleged an increased risk of identity theft resulting from an unknown hacker accessing their sensitive information from the defendant's network. Id. at 40. In finding that there was no increased risk, the Third Circuit explained that the alleged future injury was not sufficiently imminent and, instead, was based on mere speculation. Id. at 42. Critical to its analysis, the Third Circuit observed that the employees' allegations were “dependent on entirely speculative, future actions of an unknown third-party.” Id. at 42. Specifically, it was unknown whether the hacker (1) read, copied, or understood the data, (2) intended to commit a future criminal act with it, or (3) was able to use the information to the employees' detriment. Id. Reilly's holding, as it pertains to Article III standing, does not bar Plaintiffs from alleging future injuries. That would contradict Supreme Court precedent, which allows such injuries to have standing where there is a “substantial risk that the harm will occur.” Susan B. Anthony List, 573 U.S. at 158. Instead, Reilly instructs the Court to consider whether an alleged future injury is imminent or hypothetical. See Clemens, 48 F.4th at 153.
Almost, a decade later, the Third Circuit expounded upon Reilly's holding and outlined several factors for determining whether an injury is imminent in the context of a data breach. See Clemens, 48 F.4th at 153-54. In Clemens, the Third Circuit gleaned a list of factors for courts to use as guideposts, including whether the (1) data breach was intentional, (2) data was misused, and (3) information accessed via the data breach could subject a victim to the risk of identity theft. Id. at 153-54. In propagating this list, the Third Circuit noted that “no single factor [is] dispositive” to an imminence inquiry, and “the disclosure of financial information alone, without corresponding personal information, is insufficient.” Id. (citations omitted).
The injury-in-fact prong also requires the alleged injury to be “concrete and particularized.” Lujan, 504 U.S. at 560. Particularization and concreteness are quite different. “For an injury to be particularized, it must affect the plaintiff in a personal and individual way.” Spokeo, 578 U.S. at 339 (citations and internal quotation marks omitted). “[E]ven named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.” Id. at 338 n.6 (cleaned up). Accordingly, whether a suit may be a class action does not factor into a court's standing analysis.
While particularization is necessary to establish injury in fact, it is not sufficient. Id. at 340. An injury in fact still must be “concrete” - that is, “real, and not abstract.” TransUnion LLC v. Ramirez, 594 U.S. 413, 424 (2021) (citation omitted). It is concrete if it is de facto, meaning that it must actually exist. Spokeo, 578 U.S. at 340 (citation omitted). Yet, “concrete” is not synonymous with “tangible.” Id. While tangible harms, such as physical and monetary harms, may more readily qualify as concrete injuries under Article III, intangible harms can also be concrete. TransUnion, 594 U.S. at 425.
In two recent decisions, the Supreme Court and the Third Circuit provided clarity on what type of concrete harm is needed to establish concreteness in the data breach context. The Court's analysis begins with TransUnion. That case involved a federal class action complaint brought under the Fair Credit Reporting Act (“FCRA”), which creates a cause of action for consumers to sue and recover damages for certain violations. TransUnion, 594 U.S. at 421. A credit reporting agency allegedly placed an inaccurate alert on some of its consumers' credit reports indicating that the consumer's name was a potential match to a name on the U.S. Treasury Department's Office of Foreign Assets Control's (“OFAC”) terrorist and narcotics trafficker list. Id. at 420-21. Consequently, 8,185 consumers with OF AC alerts in their credit files sued the credit reporting agency for failing to use reasonable procedures to ensure the accuracy of their files. Id. at 421. Prior to trial, however, the parties stipulated that only 1,853 of those consumers had their misleading credit reports shared with third parties. Id.
The Supreme Court began its analysis by reinforcing that concreteness is assessed by determining “whether the asserted harm has a ‘close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts.” TransUnion, 594 U.S. at 417 (quoting Spokeo, Inc., 578 U.S. at 340-41). Using this inquiry, the Supreme Court found that the 1,853 consumers whose inaccurate credit reports had been disseminated to third parties were personally harmed and thus suffered a concrete reputational harm akin to the tort of definition. Id. at 433. After holding that plaintiffs' asserted harm has a “close relationship” to the traditionally recognized reputational harm of defamation, the Supreme Court reasoned that “[t]he harm from being labeled a ‘potential terrorist' bears a close relationship to the harm from being labeled a ‘terrorist.'” Id.
As to the remaining 6,332 consumers whose credit reports had not been shared with third parties, the Supreme Court held that they did not demonstrate an intangible concrete harm since their alleged inaccurate credit reports were never disseminated to third parties. Id. at 439. The Supreme Court explained that no historical or common-law analog supports the proposition that “the mere existence of inaccurate information, absent dissemination, amounts to concrete injury.” Id. at 434 (citation and internal quotation marks omitted). In other words, the Anglo-American legal tradition has never recognized an actionable harm with respect to or arising out of the failure to keep accurate records in good order.
Presented with a concreteness dispute in Clemens, the Third Circuit applied TransUnion's guidance in the data breach context. In Clemens, the plaintiff sued her former company and its parent company after their servers were breached and hackers published her sensitive personal information, including her social security number, name, and address, on the dark web. Clemens, 48 F.4th at 150. The plaintiff asserted claims for negligence, negligence per se, and breach of implied contract against both defendants and claims for breach of contract, breach of fiduciary duty, and breach of confidence against her former company. Id. at 151. Following TransUnion's guidance, the Third Circuit held that the plaintiff had standing to assert all her claims. Id. at 159. As to concreteness, the Third Circuit explained:
[I]n the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiffs knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.Id. at 155-56. The Third Circuit analogized the intangible harm of identity theft to those recognized at common law, like the disclosure of private information. Id. at 158. Even though identity theft is a risk of future harm and the plaintiffs suit was for damages, the Third Circuit observed that the plaintiff had standing since she also alleged additional presently felt concrete harms caused by that risk (which included emotional distress, therapy costs, and mitigation costs). Id. at 158-59.
Here, Dollar Energy claims that “Plaintiffs' allegations of increased risk of identity theft and future harm fail to establish sufficient actual imminency and therefore are not concrete injuries under the law.” (ECF No. 15-1, p. 15). It maintains that Plaintiffs rely on pure speculation, similar to what the plaintiff alleged in Reilly. (Id. at p. 16). Plaintiffs counter that they “far exceed what is required” to plead an injury in fact. (ECF No. 17, p. 12). Plaintiffs argue that Reilly is “inapposite” to the instant case because “there were no allegations of actual misuse of the compromised information as there are here.” (Id. atp. 11). They contend that Clemens, not Reilly, is instructive. (Id. at p. 12). As to the concreteness dispute, Plaintiffs argue that the United States Supreme Court has found intangible injuries like the threat of future injury may be concrete. (Id.).
a) Imminence has only been established by Tignor.
The Court, guided by TransUnion, Clemens, and Reilly, begins its evaluation as to whether Plaintiffs have alleged sufficient imminence as to their injury in fact with an examination of the third guidepost set forth in Clemens-i.e., whether the information accessed in the Data Breach could subject them to the risk of identity theft. It finds that Tignor and Flagella have adequately pled that the information accessed through the Data Breach could subject them to a risk of identity theft. (ECF No. 14, p. 3). They pled that their names and Social Security numbers were accessed, which the Third Circuit has explicitly specified are two types of information that are more likely to create a risk of identity theft or fraud. See Clemens, 48 F.4th at 154. Considering the current posture of the case, the third guidepost tilts toward Plaintiffs.
As to the first Clemens guidepost-whether the Data Breach was intentional-neither party has provided sufficient facts as to the intentionality of the Data Breach. In their Amended Complaint, Plaintiffs primarily explain what actions Dollar Energy failed to take to prevent a data breach. (ECF No. 14, p. 3). Plaintiffs merely allege that Dollar Energy “experienced a network disruption” on February 5, 2023, and that the hackers behind the Data Breach obtained their PII to exploit its value and steal their identities. (Id. at pp. 3,9). These facts only suggest that the hackers could have accessed Plaintiffs' PII. They do not support Plaintiffs' allegation that the hackers intentionally deployed their attack. In Clemens, the hacker group intentionally breached the defendant's servers by “launch[ing] a sophisticated phishing attack to install malware, encrypted the data, held it for ransom, and published it.” See Clemens, 48 F.4th at 157. Nothing in the Amended Complaint in this case permits an inference that the hackers deployed a sophisticated attack, encrypted the PII, held or attempted to hold the PII for ransom, or published the PII.
Nevertheless, the Court cannot say that the hackers were not intentional with their actions. Dollar Energy contends that the intentionality guidepost leans in its favor because Plaintiffs have not experienced any identity theft crimes that would suggest the hackers published their PII on the black market/dark web. (ECFNo. 15-1, p. 15). Yet, Plaintiffs alleged that Tignor's stolen PII was used to submit two fraudulent credit card applications. (ECF No. 14, p. 33). Thus, the Court cannot rule out that the hackers did not publish Plaintiffs' PII. With the information pled in the Amended Complaint, it is hard for the Court to accurately determine the intentionality behind the Data Breach. Consequently, it finds this guidepost to be neutral.
In weighing the remaining guidepost, which is whether data was misused, the Court finds that Plaintiffs' allegations diverge. Consequently, the Court must evaluate each Plaintiff's allegations separately.
Tignor asserts that her alleged injury in fact is imminent because her PII was used to submit two fraudulent credit card applications. (ECF No. 14, p. 33). The Court finds that Tignor's allegations are similar to Clemens. In Clemens, a known hacker group accessed the plaintiff s sensitive information and published it on the dark web. Clemens, 48 F.4th at 157. This allowed the Third Circuit to logically conclude that the plaintiff faced a substantial risk of identity theft or fraud. Id. Analogous to the plaintiff in Clemens, Tignor pled that whoever is behind the Data Breach went beyond potentially accessing her PII in the Data Breach and put her PII in a position to be misused, as demonstrated by the two alleged fraudulent credit card applications. (ECF No. 14, p. 33). The Court agrees with Tignor. It holds that she has adequately pled that her alleged injury is imminent.
Unlike Tignor, Flagella presents an alleged future injury that remains hypothetical rather than imminent. Flagella has come forth with no allegations of fact in line with Clemens that would allow the Court to infer that she faces a significant risk of identity theft or fraud. Nothing in the Amended Complaint suggests her PII was misused. For example, she does not plead that her PII was used for fraudulent activity, identity theft, or published on the dark web. Moreover, Flagella is not certain that the hackers behind the Data Breach even accessed her PII. Flagella's allegations are more akin to the facts presented in Reilly where the Third Circuit held that a plaintiff did not have standing if hackers potentially gained access to their sensitive information. Reilly, 664 F.3d at 42-43 (emphasis added). Without sufficient allegations of misuse, the Court cannot find her alleged injury to be imminent.
By failing to establish imminence, Flagella has not adequately pled an injury in fact. While she alleged sufficient facts to establish traceability, she did not, however, adequately plead facts that would allow the Court to find her alleged future injury was imminent. The Court cannot move Flagella's case forward. Dollar Bank's Motion will be granted, and Flagella's case will be dismissed for lack of standing.
b) Concreteness and particularization have been established by Tignor.
As to the other injury-in-fact prong, the Court agrees with Tignor that she has adequately pled that her alleged injury is particularized and concrete. In Clemens, the Third Circuit articulated that a plaintiffs injury is concrete if knowledge of the substantial risk of identity theft causes the plaintiff to experience emotional distress or spend money on mitigation measures. See Clemens, 48 F. 4th at 155-56. Tignor pled that the substantial risk of identity theft caused her to suffer fear, anxiety, and stress. (ECF No. 14, p. 33). Accordingly, the Court holds that Tignor has sufficiently alleged a concrete injury.
Tignor must also meet the particularization requirement by showing that she has been personally injured. Spokeo, 578 U.S. at 339. By pleading that the substantial risk of identity theft affected her directly-through the emotional distress she experienced-the Court finds Tignor has demonstrated that her alleged injury is also particularized. (ECF No. 14, p. 33). Having met the requirements of both prongs, the Court holds that Tignor has sufficiently pled an injury in fact.
With Tignor's claims surviving Dollar Energy's challenges to the traceability and injuryin-fact elements, the Court can plausibly infer that she has standing. The Court will deny the Motion as to lack of standing for Tignor.
B. The majority of Tignor's claims will be dismissed for failure to state a claim upon which relief can be granted; only Count I will proceed to discovery.
With the Court holding that Flagella lacks standing and dismissing her case, it need only examine whether Tignor's claims should be dismissed pursuant to Rule 12(b)(6) for failure to state a claim upon which relief can be granted. For the following reasons, only Count I will proceed to discovery.
1. Tignor has stated a claim for negligence.
In Pennsylvania, “[i]t is axiomatic that in order to maintain a negligence action, the plaintiff must show that the defendant had a duty to conform to a certain standard of conduct; that the defendant breached that duty; that such breach caused the injury in question; and actual loss or damage.” Wisniski v. Brown & Brown Ins., 906 A.2d 571, 575-76 (Pa. Super. 2006). Dollar Energy argues that Tignor has failed to state a claim for negligence because it had no duty to conform and Tignor does not plead a sufficient injury. (ECF No. 15-1, p. 23-24). Dollar Energy's argument is twofold. First, Dollar Energy argues that Tignor alleges a standard of conduct that does not apply to it and to which there was no duty to conform. (ECF No. 15-1, p. 24). Second, Dollar Energy avers that Tignor's allegations of damages are largely contingent on future harm, making them insufficient to establish an actual loss or damage. (Id.). Additionally, Dollar Energy asserts that Tignor's claim that it violated Section 5 of the Federal Trade Commission (“FTC”) Act, 15 U.S.C. § 45, also fails. (ECF No. 15-1, p. 24). According to Dollar Energy, an act or practice is unfair under the FTC Act if it “causes or is likely to cause substantial injury to customers.” (Id.). Dollar Energy states that Tignor did not allege a substantial injury that was directly caused by the security breach. (Id.). As a result, Dollar Energy asserts that Tignor has failed to satisfy the damages prong of Tignor's negligence claim. (Id.).
Tignor responds that Pennsylvania “recognizes an independent common law duty for a company that collects personal information to safeguard and maintain that information as confidential.” (ECF No. 17, p. 21). Even if that were not the case, Tignor argues that a duty would arise under Section 5 of the FTC Act, which requires companies that collect PII from consumers to implement reasonable data security safeguards. (Id.). As to the damages prong, Tignor asserts she adequately alleged that the hackers accessed her PII, which resulted in the alleged harm. (Id. at p. 20). According to Tignor, these allegations are sufficient to satisfy the damages prong at this stage. (Id.).
The Court's research has led it to conclude that no Pennsylvania court has explicitly recognized a duty of care owed by nonprofits to grantees in protecting their PII from data breaches. However, there is “longstanding jurisprudence” in Pennsylvania that “[i]n scenarios involving an actor's affirmative conduct,” the actor is typically “under a duty ... to protect [others] against an unreasonable risk of harm to them arising out of the act.” In re Rutter's Inc. Data Sec. Breach Litig., 511 F.Supp.3d at 514, 528 (M.D. Pa. 2021). In Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), the Pennsylvania Supreme Court addressed whether an employer has a legal duty to use reasonable care to safeguard the sensitive information of its employees that it stores on its network. Id. at 1038. There, employees sued their employer for negligence and breach of implied contract after they alleged it failed to protect their personal information. Id. at 1039. The employees claimed that the employer had a duty to exercise reasonable care to protect their “personal and financial information within its possession or control from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” Id. (internal quotation marks omitted). The Pennsylvania Supreme Court found that the employees sufficiently alleged the employer's affirmative conduct created the risk of the data breach, noting that the employer, in collecting and storing their data on its computer systems, owed them a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act. Id.
Importantly, the Pennsylvania Supreme Court rejected the employer's argument that the third-party criminality caused the data breach and did not eliminate the duty the employer owed to its employees. Id. at 1047. It explained:
The act of a third person in committing an intentional tort or crime is a superseding cause of harm to another resulting therefrom, although the actor's negligent conduct
created a situation which afforded an opportunity to the third person to commit such a tort or crime, unless the actor at the time of his negligent conduct realized or should have realized the likelihood that such a situation might be created, and that a third person might avail himself of the opportunity to commit such a tort or crime.Id. (citations omitted). Applying this case law, the Pennsylvania Supreme Court observed that the employer created a scope of risk by collecting and storing the employees' sensitive personal information without implementing adequate security measures. Id. at 1048.
Although Dittman involved an employer-employee relationship, the Court interprets the case to stand for the proposition that affirmative conduct associated with an increased risk of harm can yield a special relationship for tort purposes. Like the employees in Dittman, Tignor asserts that Dollar Energy collected and stored her PII without the use of adequate security measures, which, considering the case's current posture, the Court is required to accept as true. In applying Dittman's precedent, the Court finds that Tignor's factual allegations constituted affirmative conduct on the part of Dollar Energy. This affirmative conduct further created a risk of foreseeable harm for third-party criminality, which is enough to recognize a legal duty. Dollar Energy may be able to prove at summary judgment (or trial) that it satisfied this duty through the employment of appropriate risk-mitigation measures, but that is not the inquiry at the current stage.
As to Dollar Energy's argument that Tignor set forth sufficient allegations of damages, the Court disagrees. In making its argument, Dollar Energy asserts that the risk of future harm after a data breach does not constitute sufficient damages for Tignor's negligence claim. (ECF No. 15-1, p. 24). Although this issue has not been addressed by Pennsylvania courts, a sister federal district court has held that mitigation damages are a sufficient form of damages for a negligence claim. See Simona Opris v. Sincera Reprod. Med., No. 21-3072, 2022 U.S. Dist. LEXIS 94192, *1, *18-19 (E.D. Pa. 2022). Here, Tignor pled that she has suffered mitigation damages as a result of the breach. (ECF No. 14, pp. 42-43). Accordingly, the Court finds that these mitigation expenses satisfy the damages requirement of negligence.
The Court holds that Tignor has sufficiently stated her negligence claim. The Motion will be denied as to Count I.
2. Tignor cannot bring a negligence and a negligence per se claim.
Dollar Energy argues that Tignor has failed to state a claim for negligence per se because it is not an independent cause of action under Pennsylvania law. (ECF No. 15-1, p. 25). Negligence per se is a doctrine that “establishes the elements of duty and breach of duty where an individual violates an applicable statute, ordinance, or regulation designed to prevent a public harm.” Schemberg v. Smicherko, 85 A.3d 1071,1074 (Pa. Super. 2014). “Where a plaintiff alleges negligence and negligence per se as separate causes of action, courts within the Third Circuit routinely dismiss the negligence per se claim as subsumed within the standard negligence claim,” even when applying Pennsylvania law. In re Rutter's Inc., 511 F.Supp.3d at 531 (citing Sipp-Lipscomb v. Einstein Physicians Pennypack Pediatrics, No. 20-cv-1926, 2020 WL 7353105, *1 (E.D. Pa. Dec. 9, 2020)); see also Cabiroy v. Scipione, 767 A.2d 1078, 1081 (Pa. Super. 2001) (noting that negligence per se is not “an independent basis of tort liability but rather establishes, by reference to a statutory scheme, the standard of care appropriate to the underlying tort.”).
Tignor brings her negligence per se claim as a separate cause of action. With the Court having already determined that she has stated a proper claim for negligence, dismissal of Count II is warranted. See In re Rutter's Inc., 511 F.Supp.3d at 531. Dismissal of Count II, however, does not limit Tignor from asserting a negligence per se theory. The Court will grant her leave to amend the operative complaint to incorporate her negligence per se theory into Count I. Thus, the Court will grant the Motion as to Count II without prejudice.
3. Tignor has not stated a cognizable claim for breach of implied contract.
Dollar Energy argues that Tignor has failed to state a claim for breach of implied contract because she has “failed to establish the basic requirements of offer, acceptance, and consideration.” (ECF No. 15-1, p. 22). In Pennsylvania, “[t]he essential elements of breach of implied contract are the same as an express contract, except the contract is implied through the parties' conduct, rather than expressly written.” Enslin v. The Coca-Cola Co., 136 F.Supp.3d 654, 675 (E.D. Pa. 2015), aff'd sub nom., Enslin v. Coca-Cola Co., 739 Fed.Appx. 91 (3d Cir. 2018) (citing Highland Sewer & Water Auth. v. Forest Hills Mun. Auth., 797 A.2d 385, 390 (Pa. Commw. Ct. 2002)). For a breach of contract claim, Pennsylvania law requires “(1) the existence of a contract, including its essential terms, (2) a breach of duty imposed by the contract, and (3) resultant damages.” CoreStates Energy, N.A. v. Cutillo, 723 A.2d 1053, 1058 (Pa. Super. 1999) (citation omitted). The parties' dispute revolves around the first element.
The crux of Dollar Energy's argument is that the mere fact that Tignor provided her PII to it does not mean that it agreed to guarantee the safety of that information. (ECF No. 15-1, p. 29). Dollar Energy asserts that it never entered into an agreement with Tignor that specified the details of how it would safeguard her information. (Id. at p. 26). Tignor counters that Dollar Energy's privacy policy serves as more than an implicit understanding between the parties but as a “direct promise[].” (ECF No. 17, p. 23). From Tignor's perspective, she entrusted her PII to Dollar Energy in exchange for the services that it provided her. (Id. at p. 24). Critical to Tignor's claim is her argument that her PII has value, although she fails to explain why. (Id.).
Ultimately, the Court sides with Dollar Energy as Tignor has failed to show the exchange of consideration between the parties. “Consideration consists of a benefit to the promisor or a detriment to the promisee.” Weavertown Transp. Leasing, Inc. v. Moran, 834 A.2d 1169, 1172 (Pa. Super. 2003) (citing Stelmack v. Glen Alden Coal Co., 14 A.2d 127, 128 (Pa. 1940)). Pennsylvania law is clear, however, that it is not enough for the promisee to suffer a legal detriment at the request of the promisor. Id. (quoting Stelmack, 14 A.2d at 128).
The detriment incurred must be the ‘quid pro quo', or the ‘price' of the promise, and the inducement for which it was made.... If the promisor merely intends to make a gift to the promisee upon the performance of a condition, the promise is gratuitous and the satisfaction of the condition is not consideration for a contract. The distinction between such a conditional gift and a contract is well illustrated in Willison on Contracts, Rev. Ed., Vol. 1, Section 112, where it is said: ‘If a benevolent man says to a tramp, -‘If you go around the comer to the clothing shop there, you may purchase an overcoat on my credit,' no reasonable person would understand that the short walk was requested as the consideration for the promise, but that in the event of the tramp going to the shop the promisor would make him a gift.'Id. (quoting Stelmack, 14 A.2d at 128-29).
Here, the detriment alleged by Tignor-to provide Dollar Energy its PII-does not equate to the price of the promise. Nor can the Court infer that she incurred some type of legal detriment for merely providing her PII. Tignor fails to explain why the conveyance of her PII to Dollar Energy satisfies the element of consideration. As Tignor admits, Dollar Energy provides utility assistance grants to those in need. (ECF No. 17, p. 8); (ECF No. 14, p. 1 n.l). Without more, the Court cannot infer that Dollar Energy is somehow benefitting from acquiring Tignor's PII. Instead, the facts, as presented, appear to align more with the scenario that Dollar Energy agreed to assist Tignor with her payments to the utility company upon the performance of a condition, to share with it her PII. Tignor's factual allegations must be more than speculative to withstand a motion to dismiss under Rule 12(b)(6), the “[f]actual allegations must be enough to raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555. As pled, Tignor's factual allegations are not. The Court will grant the Motion as to Count III.
4. Tignor has not stated a claim for unjust enrichment.
Dollar Energy argues that Tignor has failed to state a claim for unjust enrichment because she has failed to sufficiently allege that she imparted a benefit to it. (ECF No. 15-1, p. 29). To properly bring a claim for unjust enrichment under Pennsylvania law, a plaintiff must allege: (1) that the plaintiff conferred a benefit on the defendant; (2) the defendant appreciated such benefit; and (3) the defendant accepted and retained such benefit under circumstances that it would be inequitable for the defendant to retain the benefit without payment of value. Karden Constr. Servs., Inc. v. D'Amico, 219 A.3d 619, 628 (Pa. Super. 2019) (citation omitted). “In determining if the doctrine applies, [the Court's] focus is not on the intention of the parties, but rather on whether the defendant has been unjustly enriched.” Mitchell v. Moore, 729 A.2d 1200, 1204 (Pa. Super. 1999) (citation omitted).
Dollar Energy argues that Tignor never made any payments to it because it provides utility assistance grants to those in need. (ECF No. 15-1, p. 30). Dollar Energy also stresses that Tignor did not confer a monetary benefit on it by providing its PII. (Id.). At the core of its argument, Dollar Energy states that Tignor's PII has no independent monetary value, and it does not commoditize or sell PII. Dollar Energy explains that it utilizes the PII of its grantees “in order to provide funds directly to the utility providers [the grantees] owe money [to] in order to preserve or restart utility services.” (Id. at p. 31).
In response, Tignor argues that Dollar Energy would not exist but for its dependence on the PII of those who use its services. (ECF No. 17, pp. 24-25). Tignor claims that In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374 (E.D. Va. 2020) supports her argument. (ECF No. 17, p. 25). In that case, the United States District Court for Eastern District of Virginia concluded “that the failure to secure a party's data can give rise to an unjust enrichment claim where a defendant accepts the benefits accompanying [a] plaintiffs data and does so at the plaintiffs expense by not implementing adequate safeguards.” (ECF No. 17, p. 25) (citing In re Cap. One., 488 F.Supp.3d at 412).
The Court finds that Tignor's allegations in the Amended Complaint and her responsive brief do not provide sufficient support as to what benefit she conferred to Dollar Energy. Tignor appears to employ a scatter-shot approach to her arguments in Count IV, presenting a multitude of conclusory allegations in the hopes that at least one will prove persuasive. She pled that she conferred a benefit on Dollar Energy in the form of payments for products and services as well as by providing her PII. (ECF No. 14, p. 48). Tignor also claims that Dollar Energy could not perform its regulator business activities without collecting sensitive, non-public PII. (Id. at p. 6). However, in her responsive brief, Tignor appears to drop her monetary benefit theory and argue that Dollar Energy either commoditized her PII or “enriched itself by diverting costs meant to protect PII to its own profit.” (ECF No. 17, p. 25). Meanwhile, nowhere does Tignor set forth facts that she made payments to Dollar Energy, that Dollar Energy commoditized her PII, or why Dollar Energy cannot perform its business activities without the collection of grantees' PII. These bare conclusions are not entitled to the assumption of truth, and, at this stage of litigation, the Court is not compelled to accept unsupported conclusions and unwarranted inferences. See Iqbal, 556 U.S. at 679; Baraka, 481 F.3d at 211. The Court will grant the Motion as to Count IV.
IV. Conclusion
For the foregoing reasons, the Motion will be granted in part and denied in part. As it relates to standing, the Motion will be denied as to Tignor and granted as to Flagella. Flagella will be terminated as a party. As the Motion relates to Tignor's failure to state a claim upon which relief can be granted, it will be denied as to Count I. The Motion will be granted as to Counts II, III, and IV. An Order of Court will follow.