Summary
concluding that plaintiff stated a negligence claim under D.C. law following data breach because, unlike the plaintiffs in Randolph, the plaintiff alleged that his information "ha[d] already been employed" by hackers
Summary of this case from Attias v. CareFirst, Inc.Opinion
Civil Action No. 19-3195 (JEB)
2020-02-20
Ari Scott Casper, The Casper Firm, LLC, Baltimore, MD, for Plaintiff. Kali N. Bracey, Jessica Ring Amunson, Jenner & Block LLP, Washington, DC, John R. Storino, Leigh J. Jahnig, Jenner & Block LLP, Chicago, IL, for Defendants.
Ari Scott Casper, The Casper Firm, LLC, Baltimore, MD, for Plaintiff.
Kali N. Bracey, Jessica Ring Amunson, Jenner & Block LLP, Washington, DC, John R. Storino, Leigh J. Jahnig, Jenner & Block LLP, Chicago, IL, for Defendants.
MEMORANDUM OPINION
JAMES E. BOASBERG, United States District Judge
This case features an asylum-application process gone awry, accompanied by alleged professional misconduct, foreign-government cyber hacking, and social-media propaganda campaigns. After Plaintiff Guo Wengui, a Chinese businessman and prominent political dissident, retained the services of the law firm Clark Hill, PLC to assist him with an asylum petition, someone — whom the parties presume to be associated with the Chinese government — hacked into the firm's computer servers. The hacker thereby gained access to Plaintiff's confidential information and then published that information on the Internet. Compounding Wengui's problems, the firm withdrew its representation in response to the attack. Plaintiff asserts that in making his information vulnerable to a targeted hacking and subsequently withdrawing from the matter, Defendants Clark Hill and its attorney Thomas Ragland are liable for legal malpractice, breach of fiduciary duty, and breach of contract. Defendants now move to dismiss all claims.
To succeed on his tort claims, Wengui must "point to an act (or omission)" that "resulted in a loss" to him. See Seed Co., Ltd. v. Westerman, 840 F. Supp. 2d 116, 127 (D.D.C. 2012). Plaintiff has successfully pleaded that the alleged mishandling of his information and subsequent cyber attack resulted in damages. The withdrawal, however, may have added insult, but it did not add injury. In addition, he cannot establish that the withdrawal breached Defendants' contractual obligations to him. The Court therefore will dismiss all of Plaintiff's claims to the extent they rely on the theory that Defendants' withdrawal constituted a legally remediable wrong, but it will permit those claims to go forward that allege misrepresentations surrounding and mishandling of his confidential information. Finally, it dismisses the demand for punitive damages, as Plaintiff has not satisfied the high bar necessary for seeking such relief.
I. Background
A. Factual Background
As it must at this juncture, the Court draws the facts from the Complaint. See Sparrow v. United Air Lines, Inc., 216 F.3d 1111, 1113 (D.C. Cir. 2000). Plaintiff is a "highly successful businessman" and "well-known Chinese dissident." ECF No. 1 (Complaint), ¶ 10. While living in China, he exposed "systemic corruption" and "widespread abuse of human rights" being perpetrated by the Communist Party of China (CCP), China's ruling political party. Id., ¶ 15. These activities naturally caught the attention of the CCP, which allegedly threatened his livelihood and that of his family in order to put an end to his subversive activities. Id., ¶¶ 18–19. Fearing further persecution, Plaintiff fled his native country in 2015, and he now resides in New York. Id., ¶ 10. Wengui's escape from China has not prevented further harassment. The Chinese government has, for example, sent emissaries to demonstrate against him outside of his home as part of a larger "malicious negative propaganda campaign" organized against him. Id., ¶¶ 23–24. In response to this cross-continental maltreatment, Plaintiff set about applying for political asylum in the United States.
The source of this dispute dates back to Plaintiff's negotiations with Defendant Thomas Ragland, an attorney and partner at Defendant Clark Hill, PLC — a firm comprising about 650 lawyers — regarding potential assistance with his asylum petition. Id., ¶¶ 11–12. Hoping to secure Plaintiff as a client, Ragland assured him that both he and the firm more broadly "were qualified, capable, and competent to represent plaintiff and to protect his interests fully and professionally." Id., ¶ 28. At a subsequent meeting in August 2016, Wengui conveyed to Ragland and other Clark Hill attorneys "his standing and visibility as a prominent Chinese political dissident" and "the risks associated with and attendant to plaintiff's position as a prominent visible critic of the Chinese regime." Id., ¶ 31. Plaintiff also "warned of the persistent and relentless cyber attacks that he and his associates had endured." Id.
In further meetings with the firm, Wengui continued to warn Defendants that they should "expect to be subjected to sophisticated cyber attacks." Id., ¶ 32. In taking on Plaintiff's case, Defendants accordingly agreed to "take special precautions to prevent improper disclosure of plaintiff's sensitive confidential information." Id., ¶ 33. These precautions would include distinct measures to impede or evade cyber attacks, by, for example, "not placing any of plaintiff's information on the firm's computer server," as doing so would make the information more vulnerable to hackings. Id. Relying on the firm's commitments regarding the protection of his confidential information, Plaintiff hired Defendants, executing a letter of retention and paying the firm a retainer fee of $10,000. Id., ¶ 36.
Unfortunately for all parties involved, Plaintiff's warnings of a cyber attack, apparently as unheeded as Cassandra's, proved prescient. On September 12, 2017, the firm's computer system was "hacked" — again, both parties assume that the hacking was orchestrated by the Chinese government — "apparently without great difficulty." Id., ¶ 41. The hacker obtained a substantial amount of Plaintiff's and his spouse's personal information, such as their passport identification numbers, as well as Plaintiff's application for political asylum. Id., ¶ 43. This information, including the contents of Wengui's asylum petition, was then published and disseminated on social media. Id., ¶ 44.
Following the attack, the parties' relationship quickly dissolved. On September 19, Clark Hill's General Counsel, Edward Hood, informed Plaintiff that the firm was terminating its involvement with his case. Id., ¶ 49. Hood explained that the attack might require Ragland, along with other members of the firm, to serve as witnesses at Plaintiff's asylum proceeding, as the hacking provided evidence of the political persecution from which Plaintiff sought asylum in the United States. Id. Hood posited that because the Rules of Professional Conduct bar attorneys from playing the dual role of witness and advocate, Defendants were required to withdraw from the matter. Id., ¶¶ 49–50. At the time of that withdrawal, Plaintiff had filed an asylum application and was awaiting a hearing. Id., ¶ 51.
B. Procedural History
On September 19, 2019, Wengui filed this action against Defendants in the Superior Court of the District of Columbia. Defendants then removed the case to this Court on diversity-jurisdiction grounds. See ECF No. 1 (Notice of Removal) at 1–2. Plaintiff's Complaint asserts four counts: (1) breach of fiduciary duty; (2) breach of contract; (3) legal malpractice; and (4) punitive damages. See Compl., ¶¶ 66–93. Defendants now move to dismiss all counts, maintaining that they fail to state plausible claims for relief.
II. Legal Standard
Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of an action where a complaint fails to "state a claim upon which relief can be granted." Although "detailed factual allegations" are not necessary to withstand a Rule 12(b)(6) motion, Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007), "a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (internal quotation omitted).
In evaluating Defendants' Motion to Dismiss, the Court must "treat the complaint's factual allegations as true and must grant plaintiff ‘the benefit of all inferences that can be derived from the facts alleged.’ " Sparrow, 216 F.3d at 1113 (citation omitted) (quoting Schuler v. United States, 617 F.2d 605, 608 (D.C. Cir. 1979) ) (citing Leatherman v. Tarrant Cty. Narcotics Intelligence & Coordination Unit, 507 U.S. 163, 164, 113 S.Ct. 1160, 122 L.Ed.2d 517 (1993) ). The Court need not accept as true, however, "a legal conclusion couched as a factual allegation" nor an inference unsupported by the facts set forth in the Complaint. See Trudeau v. FTC, 456 F.3d 178, 193 (D.C. Cir. 2006) (quoting Papasan v. Allain, 478 U.S. 265, 286, 106 S.Ct. 2932, 92 L.Ed.2d 209 (1986) ). Finally, even at the Rule 12(b)(6) stage, a court can review "documents attached as exhibits or incorporated by reference in the complaint" or "documents upon which the plaintiff's complaint necessarily relies." Ward v. D.C. Dep't of Youth Rehab. Servs., 768 F. Supp. 2d 117, 119 (D.D.C. 2011) (internal quotation marks and citations omitted).
III. Analysis
In seeking dismissal here, Defendants argue that neither the cyber attack nor the withdrawal constitutes a ground for a viable claim of legal malpractice, breach of fiduciary duty, or breach of contract. In particular, they assert that their conduct surrounding these two events did not breach any duty owed to Plaintiff. They also argue that their actions, even if improper, did not cause him to suffer any actual damages. The Court will consider the two relevant events in turn, examining the separate counts in that context, albeit slightly out of sequence.
A. The Cyber Attack
As recounted above, the Complaint alleges that: Plaintiff warned Defendants of the risk of an impending cyber attack; Defendants misrepresented the manner in which they would protect Plaintiff's confidential information from such an attack; and Defendants then failed to protect this information, allowing it to be retrieved and then publicly disseminated by a third-party hacker. Defendants dispute that they made such representations and argue that, in any event, the cyber attack did not actually harm Plaintiff. The Court, however, rejects Defendants' premature attempt to litigate disputed facts at the pleading stage and will deny their Motion to Dismiss as it pertains to the cyber attack.
1. Breach of Fiduciary Duty
Count I asserts that Defendants breached various fiduciary duties owed to Plaintiff, including the duty of good faith, the duty of loyalty, and the duty to protect Plaintiff's confidential records. See Compl., ¶ 68. To succeed on a claim of breach of fiduciary duty in the District of Columbia — the relevant jurisdiction here — Plaintiff must establish "(1) the existence of a fiduciary duty and (2) a violation of that duty that (3) proximately causes injury." Council on Am.-Islamic Relations Action Network, Inc. v. Gaubatz, 82 F. Supp. 3d 344, 353 (D.D.C. 2015) (citing Shapiro, Lifschitz & Schram, P.C. v. Hazard, 24 F. Supp. 2d 66, 75 (D.D.C. 1998) ). It is axiomatic that the attorney-client relationship is fiduciary in nature. See Thomas v. Nat'l Legal Prof'l Assocs., 594 F. Supp. 2d 31, 34 (D.D.C. 2009) ("[T]here is an ever present fiduciary responsibility that arches over every aspect of the lawyer-client relationship.") (quoting Connelly v. Swick & Shapiro, P.C., 749 A.2d 1264, 1268 (D.C. 2000) ). Defendants argue, however, that they did not breach any recognized fiduciary duties owed to Plaintiff and, in any event, did not cause any actual injury to him.
First, as to breach of duty, Wengui does not allege, contrary to Defendants' assertion, simply that "because there was a cyber incident, Defendants must have put up ... ‘unreasonable’ security measures." ECF No. 12 (Def. MTD) at 12. It is true that some courts have gone so far as to hold that corporations maintain a duty to consumers to " ‘protect against a criminal act of a third person,’ which could include hacking into a private data system, ‘if it is alleged that the entity had reason to anticipate the criminal act.’ " Attias v. CareFirst, Inc., 365 F. Supp. 3d 1, 21 (D.D.C. 2019) (quoting In re Arby's Restaurant Group Inc., Litig., 2018 WL 2128441, at *5 (N.D. Ga. Mar. 5, 2018) ). As a result, those courts have held that if a corporation fails to prevent a forseeable cyber attack, it thereby breaches fiduciary duties owed its customers. Id. This Court, however, need not go so far as to find that any corporation's failure to protect against any forseeable cyber attack, standing on its own, constitutes a breach of fiduciary duty.
A fiduciary relationship — like that between a lawyer and client — "is founded upon trust or confidence reposed by one person in the integrity and fidelity of another." Democracy Partners v. Project Veritas Action Fund, 285 F. Supp. 3d 109, 121 (D.D.C. 2018) (quoting Bolton v. Crowley, Hoge, & Fein, P.C., 110 A.3d 575, 584 (D.C. 2015) ). The duty of loyalty in this context "has been described as one of ‘uberrima fides,’ which means, most abundant good faith, requiring absolute and perfect candor, openness and honesty, and the absence of any concealment or deception." Herbin v. Hoeffel, 806 A.2d 186, 197 (D.C. 2002) (emphasis added) (quotation marks omitted); see also Seed Co., 840 F. Supp. 2d at 126–27 (attorney breaches fiduciary duties when providing clients with "incorrect and misleading" advice); Herbin, 806 A.2d at 197 ("Disclosure of client confidences is contrary to the fundamental principle that the attorney owes a fiduciary duty to her client and must serve the client's interest with the utmost loyalty and devotion.") (quotation marks omitted).
Plaintiff has sufficiently pleaded that Defendants breached their duties of loyalty and good faith by misrepresenting the manner in which they would protect his confidential information in order to secure his business. Although they promised to take special precautions, they placed that information, including his asylum application, on their server and conveyed it via a firm email account — in direct contravention of his instructions — leaving Plaintiff vulnerable to the precise sort of machinations he had forewarned counsel about. See Compl., ¶¶ 2–3, 40–43. He further alleges that the firm breached the applicable duty of care in its treatment of his information by utilizing security measures that were "inadequate, unreasonable, and fell woefully far short of [D]efendants' promises, assurances, obligations, and commitments to provide adequate security measures." Id., ¶ 42. Discovery may reveal that Defendants never made any such misrepresentations to Plaintiff and were not negligent in their handling of his confidential information, but the well-pleaded allegations in the Complaint preclude granting Defendants' Motion to Dismiss.
Defendants argue in the alternative that even if they misled Plaintiff and were negligent in handling his confidential information, the cyber attack did not actually cause him any cognizable harm. Under D.C. law, not surprisingly, a breach of a fiduciary duty requires a showing of injury or damages. See Headfirst Baseball LLC v. Elwood, 239 F. Supp. 3d 7, 14 (D.D.C. 2017) (canvassing D.C. caselaw); see also Becker v. Colonial Parking, Inc., 409 F.2d 1130, 1136 (D.C. Cir. 1969) ("A simple breach of duty having no causal connection with the injury, we have admonished, cannot produce legal responsibility.") (quotation marks omitted). In arguing that Plaintiff has not made such a showing, Defendants rely on Randolph v. ING Life Insurance & Annuity Company, 973 A.2d 702 (D.C. 2009), where the District of Columbia Court of Appeals held that an "increased risk of future identity theft" does not qualify as an "actionable" injury "required to maintain a suit for common-law breach of fiduciary duty." Id. at 708.
Although this case, like Randolph, concerns a data breach, the similarities end there. In Randolph, an unknown burglar stole a laptop computer owned by the employee of an insurance company, which contained the plaintiffs' insurance information, including their names, addresses, and social-security numbers. Id. at 704. The DCCA reasoned that the plaintiffs had failed to plead "actual harm" because they had not alleged that the burglar stole the laptop in order to access their information or that their information had even been accessed since the laptop was stolen. Id. at 706–08. Instead, they simply alleged "the anticipation of future injury [identity theft] that has not materialized." Id. at 708 ; see also In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 19 (D.D.C. 2014) (dismissing case where plaintiffs' information, along with other items, was allegedly stolen from parked car because "mere loss of data — without evidence that it has been either viewed or misused — does not constitute an injury sufficient to confer standing").
Plaintiff, however, has gone well beyond pleading the anticipation of future injury and has instead alleged an actual injury resulting from Defendants' conduct. According to the Complaint, the Chinese government or someone associated with it hacked Defendants' server for the express purpose of stealing Plaintiff's information. The hacker then "published" the confidential material, including Plaintiff's application for political asylum and passport identification number, on social media. See Compl., ¶¶ 43–44. This chain of events occurred in the context of a broader propaganda campaign orchestrated by the CCP, one that included utilizing social-media platforms to spread information about Plaintiff and mobilizing demonstrators to protest his presence in the United States. Id., ¶¶ 22–24. Wengui therefore does not "speculate" as to potential uses of the stolen information; it has already been employed as part of the CCP's persecution and harassment of him. The Court therefore rejects Defendants' invitation to find that the cyber attack did not actually harm Plaintiff as a matter of law.
2. Legal Malpractice
Count III alleges legal malpractice, asserting that Defendants breached their "common law" and "professional and ethical duties and obligations to plaintiff ... by failing to use the required degree of professional care and skill in representing plaintiff," and in failing to maintain "reasonable security measures to secure their computer system from unauthorized access, as required and promised to plaintiff." Id., ¶¶ 82–85.
The elements of a legal-malpractice claim are similar to, but slightly distinct from, those for breach of fiduciary duty. See Hickey v. Scott, 738 F. Supp. 2d 55, 67 (D.D.C. 2010) (quoting Shapiro, Lifschitz & Schram, 24 F. Supp. 2d at 74 ). As Justice O'Conner has commented, "Lawyers are professionals, and as such they have greater obligations." Zauderer v. Office of Disciplinary Counsel, 471 U.S. 626, 676, 105 S.Ct. 2265, 85 L.Ed.2d 652 (1985) (O'Connor, J., concurring). To succeed on a legal-malpractice claim in the District of Columbia, "the plaintiff must show that (1) the defendant was employed as the plaintiff's attorney, (2) the defendant breached a reasonable duty, and (3) that breach resulted in, and was the proximate cause of, the plaintiff's loss or damages." Beach TV Props., Inc. v. Solomon, 306 F. Supp. 3d 70, 93 (D.D.C. 2018) (quoting Martin v. Ross, 6 A.3d 860, 862 (D.C. 2010) ).
For the reasons recounted above, this count may also proceed as to the cyber attack because the Complaint identifies a breach of the duty of reasonable care owed by attorneys to their clients and actual damages. To be sure, attorneys cannot be held "liable for mistakes made in the honest exercise of professional judgment." Biomet Inc. v. Finnegan Henderson LLP, 967 A.2d 662, 665 (D.C. 2009). Honest mistakes, however, are a far cry from the conduct alleged here: misrepresentations made in order to secure a prospective client, the failure to follow promised procedures to adequately secure confidential information, and damages. See Swann v. Waldman, 465 A.2d 844, 846 (D.C. 1983) (finding plaintiff's allegations that attorney lied to him about attempting to obtain continuance and was negligent in failing to obtain expert witness sufficient to withstand motion for summary judgment on legal-malpractice claim).
3. Breach of Contract
Plaintiff also brings a claim for breach of contract in Count II, alleging that the firm violated its contractual obligation to provide "competent representation" by undertaking a matter beyond its "professional or technical competence" and "neglecting to undertake reasonable security measures." Compl., ¶ 76. "To prevail on a claim of breach of contract, a party must establish (1) a valid contract between the parties; (2) an obligation or duty arising out of the contract; (3) a breach of that duty; and (4) damages caused by breach." United States Conference of Mayors v. Great-W. Life & Annuity Ins. Co., 327 F. Supp. 3d 125, 129 (D.D.C. 2018), aff'd, 767 F. App'x 18 (D.C. Cir. 2019) (quoting Tsintolas Realty Co. v. Mendez, 984 A.2d 181, 187 (D.C. 2009) ). Defendants concede that the parties entered into a valid contract (in this case, an engagement letter) that set forth their "respective obligations and expectations." See Def. MTD at 14. They dispute, however, that Plaintiff has alleged a breach of that contract.
Accepting the facts in the Complaint as true, Wengui has met his pleading burden — if just barely — of establishing that Defendants did not meet their contractual obligations. In particular, he alleges that they violated their obligations to provide "competent representation" and keep Plaintiff "reasonably informed about the status of the matter," Def. MSJ, Exh. A (Retainer Agreement) at 2, by misleading him as to the manner in which his information would be handled in the future, and then by failing to inform him when they eventually placed that information on their server. For the reasons stated in regard to the prior counts, this claim can proceed on the basis of failing to safeguard his information, which could amount to incompetent representation.
Going forward, however, Plaintiff may need to clarify this count because he appears to be exploring several different theories as to how Defendants breached the retainer agreement. First, he seems to be laying the groundwork for the introduction of extrinsic evidence. This evidence might demonstrate that Defendants orally amended the terms of the contract in making representations regarding higher-level protection of Plaintiff's personal information. See Segal Wholesale, Inc. v. United Drug Serv., 933 A.2d 780, 784 (D.C. 2007) (extrinsic evidence "consistent with the terms of a partially integrated agreement is permissible"); see also Stamenich v. Markovic, 462 A.2d 452, 455 (D.C. 1983) (extrinsic evidence permissible to demonstrate "a contemporaneous agreement in addition to and not inconsistent with or a variation of the written agreement between the same parties, which was an essential inducement of the written contract" or where "fraud, mistake, or duress is alleged").
Alternatively, Plaintiff also appears to be seeking to demonstrate that Defendants violated a general obligation to provide competent representation in providing insufficient protection of client materials. See Compl., ¶ 76. Or, finally, he may be asserting that Defendants breached the "implied duty of good faith and fair dealing" that D.C. courts have found to be contained within all contracts, one that prohibits "evad[ing] the spirit of the contract" or "willfully render[ing] imperfect performance." Murray v. Wells Fargo Home Mortg., 953 A.2d 308, 321 (D.C. 2008) (internal quotation marks omitted). Plaintiff will have to choose among these theories, and provide much more substantial support for them, should he decide to defend this count against further dispositive motions.
4. Duplicative Nature of Claims
Finally, the Court rejects Defendants' argument that the three claims chronicled above are necessarily "duplicative" of one other and thus that only one can proceed past the pleading stage. Under D.C. law, when a plaintiff's breach-of-fiduciary-duty claim rests on the same factual allegations and requests the same relief as his professional-malpractice claim, a court "as a matter of judicial economy, should dismiss" one of the claims as duplicative. See N. Am. Catholic Educ. Programming Found., Inc. v. Womble, Carlyle, Sandridge & Rice, PLLC, 887 F. Supp. 2d 78, 84 (D.D.C. 2012) (collecting cases). The same holds true for tort claims that arise out of the same factual circumstances as a breach-of-contract claim. See Attias, 365 F. Supp. 3d at 18 ("Under D.C. law, for a plaintiff to recover in tort for conduct that also constitutes a breach of contract, ‘the tort must exist in its own right independent of the contract, and any duty upon which the tort is based must flow from considerations other than the contractual relationship.’ ") (quoting Choharis v. State Farm Fire & Cas. Co., 961 A.2d 1080, 1089 (D.C. 2008) ).
Down the line, Plaintiff may indeed have to choose among his three common-law claims. At this early stage, however, it would be premature to dismiss any of the three as duplicative, given the fact-dependent nature of such an inquiry. While the counts all relate to the cyber attack generally, they may be predicated on distinct wrongs surrounding the attack. Defendants' conduct may have, for example, violated a Rule of Professional Responsibility — potentially creating liability for legal malpractice — which does not necessarily give rise to a breach of fiduciary duty. See, e.g., Hickey, 738 F. Supp. 2d at 67–68 (finding fee-related fiduciary-duty claim distinct from legal-malpractice claim concerning breach of Rule of Professional Responsibility in dispute over fees).
Finally, considerations of judicial economy do not weigh in favor of dismissal of any claims here. Allowing all three to proceed will not expand the scope of the case or potential avenues of discovery. At this juncture, therefore, the Court will decline Defendants' invitation to narrow Plaintiff's potential theories of relief. In sum, the Court will deny Defendants' Motion to Dismiss Counts I, II, and III to the extent that they rely on the theft of his personal information via cyber attack and Defendants' misrepresentations relating to protections from that attack.
B. The Withdrawal
By contrast, Defendants' withdrawal from Plaintiff's asylum process — or, as Plaintiff labels the incident, their "firing" of him — does not provide grounds for a viable legal claim. As described above, Defendants terminated their representation of Wengui following the cyber attack. They explained in a letter to him that the attack had created "several ethical complications" related to their representation. See ECF No. 12-5 (Clark Hill Termination Letter) at 1. Defendants' "primary concern" was that "the cyberattack would require Mr. Ragland — and possibly other members of the Firm — to be a witness in [Plaintiff's] asylum proceeding" because they now had first-hand knowledge of China's prior persecution of Plaintiff, a factor relevant to that proceeding. Id.
In their Motion to Dismiss, Defendants argue that not only did their withdrawal not breach any duty owed to Wengui, but that it was in fact required by the Rules of Professional Conduct. See D.C. R. Prof. Conduct 1.16(a)(1) (D.C. Bar 2010) (attorney must withdraw from representing client if ongoing representation would violate Rule of Professional Conduct). Defendants again rely on Rule of Professional Conduct 3.7(a), which states that an attorney "shall not" act as an advocate for a client when she is "likely to be a necessary witness" in the proceeding. They also invoke Rule 1.7(b)(4), which requires withdrawal if the lawyer's ability to represent a client "reasonably may be adversely affected by the lawyer's responsibilities to or interests in a third party or the lawyer's own financial, business, property, or personal interests." Defendants explain that following the cyber attack, they had their "own interests in investigating and mitigating the incident — which conflicted with their representation of Plaintiff." Def. MTD at 8. Regarding Rule 3.7(a), Plaintiff counters that Defendants' withdrawal was premature at best, given that Wengui "did not have an asylum interview, let alone any hearing" and "had not asked that Mr. Ragland be a witness." ECF No. 14 (Pl. Opp.) at 8. Additionally, Plaintiff argues that Rule 1.7(b)(4) raises "inherently factual issues" as to whether the cyber attack created a conflict of interest, issues that cannot be resolved at this stage. Id. at 21.
The Court need not settle these disputes because Wengui's fiduciary and malpractice claims run aground on a different shoal. Plaintiff has not sufficiently pled that Defendants' conduct, even if improper, damaged or prejudiced him. Both of these claims require a showing of damage or loss. See, e.g., Seed Co., 840 F. Supp. 2d at 126 (plaintiff bringing malpractice claim "must point to an act (or omission) by the ... [D]efendants that resulted in a loss" to him); Randolph, 973 A.2d at 708–09 (same regarding breach of fiduciary duty). As one court in this district described the applicable test when considering legal malpractice, the claim " ‘does not accrue until the plaintiff-client has sustained some injury from the malpractice[,]’ and the ‘mere breach of a professional duty, causing only nominal damages, speculative harm, or the threat of future harm — not yet realized — does not suffice to create a cause of action for negligence.’ " Venable LLP v. Overseas Lease Grp., Inc., 2015 WL 4555372, at *2 (D.D.C. July 28, 2015) (quoting Knight v. Furlow, 553 A.2d 1232, 1235 (D.C. 1989) ).
Plaintiff's claims predicated on the withdrawal do not plead damages that rise above the "speculative" or "nominal" level. Wengui does not dispute, for example, that at the time of Defendants' withdrawal, his asylum application had already been filed and he was awaiting an initial interview, which can take years to schedule. See Def. MTD at 20. He also does not claim to have experienced difficulties in finding a successor counsel with immigration-law expertise. As a result, Wengui has failed to factually substantiate his conclusory allegations that Defendants' withdrawal caused him "undue delay and complications," reputational harm, and prejudiced the outcome of his case. See Compl., ¶ 60; see also Hinton v. Stein, 278 F. Supp. 2d 27, 33 (D.D.C. 2003) (rejecting legal-malpractice claim where "[a]lthough there was a brief attorney-client relationship between the parties, defendant was justified in seeking to withdraw[,] ... [h]er motion to withdraw was filed promptly[,] and there is no indication that plaintiff suffered any injury as a result of her withdrawal"). Put differently, the Complaint does not allege that Plaintiff "suffered any injury because of Defendant[s'] failure to represent him," and the Court will therefore dismiss his fiduciary-duty and malpractice claims to the extent that they rely on the withdrawal as the purported harm. Id.
Plaintiff's breach-of-contract claim based on the withdrawal is somewhat different, but also merits dismissal. A party may prevail on such a claim even if he "fails to prove actual damages," although he will be "entitled to no more than nominal damages." Wright v. Howard Univ., 60 A.3d 749, 753 (D.C. 2013) (quoting Bedell v. Inver Housing Inc., 506 A.2d 202, 205 (D.C. 1986) ). With regard to the withdrawal, however, Plaintiff has failed to even gesture at provisions of the contract that Defendants breached in terminating their representation or at extrinsic evidence that might support such a claim. See Retainer Agreement at 2, 4 (attorney may terminate agreement for reasons permitted under Rules of Professional Conduct or if any conflict of interest arises).
C. Punitive Damages
The Court last tackles Count IV, which asserts a claim of punitive damages. Specifically, the Complaint alleges that Defendants violated Plaintiff's "rights" in an "intentional deliberate, [and] outrageous" manner. See Compl., ¶ 90. To begin, punitive damages are a form of relief, not a stand-alone cause of action. Although the count cannot survive independently, the Court considers whether such damages are available to Wengui at all. "To recover punitive damages," a plaintiff must establish that "the tortious act was committed with ‘an evil motive, actual malice, deliberate violence or oppression’ or in support of ‘outrageous conduct in willful disregard of another's rights.’ " Embassy of Nigeria v. Ugwuonye, 297 F.R.D. 4, 14 (D.D.C. 2013) (quoting Robinson v. Sarisky, 535 A.2d 901, 906 (D.C. 1988) ). The imposition of punitive damages thus requires conduct that is "replete with malice." See Dalo v. Kivitz, 596 A.2d 35, 40 (D.C. 1991) ; see also Hendry v. Pelland, 73 F.3d 397, 400 (D.C. Cir. 1996) ("District of Columbia law allows punitive damages only if the attorney acted with fraud, ill will, recklessness, wantonness, oppressiveness, or willful disregard of the clients' rights.").
The Complaint does not plead such "outrageous" activity. Instead, if true, Wengui's allegations suggest that Defendants' failure to protect his information against hacking may mean that the firm acted "imprudently or incompetently, but they fall far short of showing the blatant wrongdoing necessary for a jury to infer that [Defendants] acted either with deliberate malice or conscious disregard of [their client's] rights." Hendry, 73 F.3d at 400 ; see also Embassy of Nigeria, 297 F.R.D. at 14 (rejecting punitive-damages claim where attorney stole client's tax refund and deposited it in firm's account). Plaintiff does not allege, for example, that Defendants intentionally left their server vulnerable to third-party hackings or stood to profit from such an event in any way. The Court therefore dismisses Count IV of the Complaint.
IV. Conclusion
For the foregoing reasons, the Court will grant in part and deny in part Defendants' Motion to Dismiss. A separate Order consistent with this Opinion will be issued this day.