Opinion
Civil Action 23-004 (RK) (JBD)
08-21-2024
ANGELA ADKINS, on behalf of herself and all others similarly situated, Plaintiff, v. EVEREST GLOBAL SERVICES, INC., Defendant.
NOT FOR PUBLICATION
OPINION
ROBERT KIRSCH UNITED STATES DISTRICT JUDGE.
THIS MATTER comes before the Court upon Defendant Everest Global Services, Inc.'s (“Everest,” or “Defendant”) Motion to Dismiss, (“Mot.,” ECF No. 20), pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) in response to Plaintiff Angela Adkins' (“Adkins.” or “Plaintiff) First Amended Complaint, (“FAC,” ECF No. 12). Plaintiff filed a brief in opposition, (“Opp'n,” ECF No. 30), and Defendant filed a reply brief, (“Reply,” ECF No. 35). The Court has considered the parties' submissions and resolves the matter without oral argument pursuant to Federal Rule of Civil Procedure 78 and Local Civil Rule 78.1. For the reasons set forth below, Defendant's Motion to Dismiss is GRANTED.
I. BACKGROUND
A. Factual Background
Plaintiff brings this purported class action arising from a 2022 data breach. (See generally, FAC.) Plaintiff alleges that Everest is an insurance and reinsurance provider, and that in the ordinary course of their services, Everest maintains personally identifiable information (“PH”) of its customers, including, but not limited to, names, Social Security numbers (“SSN”), dates of birth, financial information, and medical information. (Id. ¶¶ 26-27.) Plaintiff claims that between August 8, 2022, and August 16, 2022, files related to Defendant's customers were accessed by an unauthorized user (the “Data Breach”). (Id. ¶¶ 13, 35.) On December 16, 2022, Defendant sent a letter to the New Hampshire Attorney General, detailing that they identified suspicious activity related to its email environment on August 15,2022. (Id. ¶ 36.) In this letter, Defendant stated that they immediately implemented their incident response protocols and engaged a third-party vendor to conduct a forensic investigation. (Id.) This investigation revealed that PII was present in the affected email accounts. (Id.) Defendant stated in their letter that the impacted information may include names or some combination of information including SSNs, dates of birth, financial information, and medical information. (Id.) Defendant's letter included that they, have since undertaken security measures and offered impacted individuals 12 months of credit monitoring and identity protection services. (Id.)
Plaintiff alleges that she and other purported class members (the “Class Members”) received notice letters from Defendant about the Data Breach on December 16, 2022. (Id. ¶¶ 11, 37.) Defendant's notice recommended that Plaintiff and Class Members monitor their financial statements and credit reports and provided other steps to protect their PII. (Id. ¶ 37.)
The Court refers to the purported class members as “Class Members” based on Plaintiffs allegations and Plaintiffs use of same in the FAC. However, the Court makes no findings or conclusions as to the merits of class certification herein.
Plaintiff alleges that in February 2023, some six months after the alleged breach, an unauthorized third party attempted to access a joint checking account she shared with her husband and a debit card directly linked to that account. (Id. ¶ 113.) Because of the attempt, her bank closed the debit card without notice. (Id.) Plaintiff became aware of the issue when her husband attempted to purchase gasoline for a vehicle titled in Plaintiffs name and the card was declined. (Id. ¶ 114.) Due to the card's cancellation, her husband was forced to drive to a branch location of their bank to access the account and have a new debit card issued. (Id. ¶ 115.) This inconvenience, Plaintiff states, “caused the consumption of gasoline and wear and tear on the vehicle belonging to Plaintiff.” (Id.) In addition, online automatic payments affiliated with her joint checking account were subsequently declined, causing the services to stop and Plaintiff to lose access to those accounts until a new payment method was set up. (Id. ¶ 116.) Plaintiff alleges that she made efforts-such as reviewing credit reports and financial account statements for indications of' fraud-to mitigate any potential effects from the Data Breach after receiving the notice letter. (Id. ¶¶ 121-22.)
Plaintiff alleges that she suffered actual injury resulting from the Data Breach, including damages to the value of her PII, loss of privacy, and injury from identity theft and fraud. (Id. ¶ 123.) Plaintiff also alleges that she suffered emotional distress and will continue to be at a present, imminent, and increased risk of identity theft of fraud for which she anticipates spending time and money to mitigate. (Id. ¶ 124-25.) Plaintiff does not allege any actual monetary damages.
As a result of the Data Breach and claimed injury, Plaintiff brings this action on behalf of herself and the Class Members against Everest, asserting claims of negligence, (Count One), breach of implied contract, (Count Two), unjust enrichment, (Count Three), and breach of third-party beneficiary contract in the alternative for breach of implied contract (Count Four). Adkins seeks, inter alia, actual, compensatory, and statutory damages; equitable relief with respect to Defendant's wrongful conduct; and certification as a class action.
B. Procedural History
On January 3,2023, Plaintiff filed her original Complaint against Defendant. (ECF No. 1.) In lieu of answering the original Complaint, Defendant filed a Motion to Dismiss on March 15, 2023. (ECF No. 9.) In response, Plaintiff filed the FAC on April 3, 2023. (ECF No. 12.) Defendant again filed a Motion to Dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) on May 1, 2023, (ECF No. 20). The Motion is now fully ripe before the Court.
II. LEGAL STANDARD
A. Federal Rule of Civil Procedure 12(b)(1)
Under Federal Rule of Civil Procedure 12(b)(1), a defendant may move to dismiss a complaint based on lack of subject matter jurisdiction. In deciding a Rule 12(b)(1) motion to dismiss, a court must first determine whether the party presents a facial or factual attack to the jurisdiction, because that distinction determines how the pleading is reviewed. See Mortensen v. First Fed. Sav. & Loan Ass'n, 549 F.2d 884, 891 (3d Cir. 1977). “A facial attack concerns an alleged pleading deficiency whereas a factual attack concerns the actual failure of a plaintiffs claims to comport factually with the jurisdictional prerequisites.” Young v. United States, 152 F.Supp.3d 337, 345 (D.N.J. 2015). In reviewing a facial attack, “the court must only consider the allegations of the complaint and documents referenced therein ... in the light most favorable to the plaintiff.” Gould Elecs. Inc. v. United States, 220 F.3d 169,176 (3d Cir. 2000). On this posture, a court presumes that it lacks subject matter jurisdiction, and “the burden of establishing the contrary rests upon the party asserting jurisdiction.” Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994) (citations omitted). By contrast, in reviewing a factual attack, the court may weigh and consider evidence outside of the pleadings. Const. Party of Pennsylvania v. Aichele, 757 F.3d 347, 358 (3d Cir. 2014). Facial attacks typically occur prior to the defendant answering the complaint and the parties engaging in discovery. See Askew v. Trustees of Gen. Assembly of Church of the Lord Jesus Christ of the Apostolic Faith Inc., 684 F.3d 413, 417 (3d Cir. 2012) (“As the defendants had not answered and the parties had not engaged in discovery, the first motion to dismiss was facial.”). As Defendant contests whether the facts as pled in the Complaint establish standing, the Court construes Defendant's challenge as a facial challenge. See Aichele, 757F.3dat358 (holding that a facial attack “contests the sufficiency of the pleading”) (quoting In re Schering Plough Corp. Intron, 678 F.3d 235,243 (3d Cir. 2012)). The Court applies the same analysis “when considering a facial attack under Rule 12(b)(1) or a motion to dismiss for failure to state a claim under Rule 12(b)(6).” Petruska v. Gannon Univ., 462 F.3d 294,299 n.l (3d Cir. 2006).
B. Federal Rule of Civil Procedure 12(b)(6)
Federal Rule of Civil Procedure 12(b)(6) provides that a court may dismiss a claim “for failure to state a claim upon which relief can be granted.” Fed.R.Civ.P. 12(b)(6). On a motion to dismiss for failure to state a claim, the moving party “bears the burden of showing that no claim has been presented.” Hedges v. United States, 404 F.3d 744, 750 (3d Cir. 2005) (citing Kehr Packages, Inc. v. Fidelcor, Inc., 926 F.2d 1406, 1409 (3d Cir. 1991)). When reviewing amotion to dismiss for failure to state a claim, courts first separate the factual and legal elements of the claims and accept all of the well-pleaded facts as true. See Fowler v. UPMC Shadyside, 578 F.3d 203,210-11 (3d Cir. 2009). “[A] plaintiffs obligation to provide the ‘grounds' of his ‘ entitle[ment] to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell All. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (citation omitted).
Thus, to survive a Rule 12(b)(6) motion to dismiss, the complaint must contain sufficient factual allegations to raise a plaintiffs right to relief above the speculative level, so that a claim “is plausible on its face.” Id. at 570. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). All reasonable inferences must be made in the plaintiffs favor. See In re Ins. Brokerage Antitrust Litig., 618 F.3d 300, 314 (3d Cir. 2010).
III. DISCUSSION
A. Choice-of-Law
Defendant argues that the Court, at the outset, must undertake a choice-of-law analysis to decide which state's law-New Jersey or Ohio-governs Plaintiffs claims. (Mot. at 24.) As Plaintiff is an Ohio resident and Defendant is a New Jersey company, two competing states have an interest in this matter. (Id.) Defendant argues that New Jersey substantive law applies to all of Plaintiffs claims because New Jersey and Ohio law do not conflict. (Id. at 25.) Plaintiff, on the other hand, contends it is premature for the Court to engage in a choice-of-law analysis. (Opp'n at 19.)
Defendant identifies one possible exception where New Jersey and Ohio law may conflict recognition of a duty based on a breach of a statute. (Id. at 25.) However, Defendant asserts this conflict is immaterial because both state laws would reach the same conclusion in the case at bar.
The Court declines Defendant's invitation to conduct a choice-of-law analysis at this time for three reasons. First, a “choice-of-law analysis is unnecessary where the laws at issue do not conflict.” Am. Orthopedic & Sports Med. v. Indep. Blue Cross Blue Shield, 890 F.3d 445, 454 n.9 (3d Cir. 2018) (citing Hammersmith v. TIG Ins. Co., 480 F.3d 220,229-30 (3d Cir. 2007)). Second, neither party identifies-aside from “a possible exception” from Defendant-any conflict between Ohio and New Jersey law, let alone briefs the issue. See Snowdy v. Mercedes-Benz USA, LLC, No. 23-1681, 2024 WL 1366446, at *11 (D.N.J. Apr. 1, 2024) (explaining that “pointing out the mere existence of conflicts does not itself allow the Court to perform the requisite claim-by-claim analysis necessary for a choice-of-law inquiry” (citations and quotation marks omitted)).
Finally, the Court agrees with Plaintiff that such an analysis is premature at this point. See In re Liquid Aluminum Sulfate Antitrust Litig., No. 16- 2687, 2017 WL 3131977, at *16 (D.N.J. July 20, 2017) (“[C]hoice of law analysis has routinely been found to be premature at the motion to dismiss phase of a class action lawsuit, especially when certain discovery is needed to further develop the facts that will be used in the choice of law analysis.”); Weston v. Subaru of Am., Inc., No. 20-5876, 2022 WL 1718048, at *6 (D.N.J. May 26, 2022) (“Because New Jersey's choice-of-law analysis is fact intensive, it can be inappropriate or impossible for a court to conduct that analysis at the motion to dismiss stage when little or no discovery has taken place.” (cleaned up)). Therefore, at this juncture, the Court will apply New Jersey law--the law briefed by the parties and the law of the forum state.
B. ArticleIII Standing
Article III limits federal courts' jurisdiction to “cases or controversies.” U.S. Const. Art. Ill. § 2. The doctrine of standing is one of the “landmarks” that identifies justiciable cases and controversies referred to in Article III. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). “Standing is a question of subject matter jurisdiction.” Petroleos Mexicanos Refinancion v. M/T KTNG, A (Ex-Tbilisi), 317 F.3d 329, 224 (3d Cir. 2004). “Absent Article III standing, a federal court does not have subject matter jurisdiction to address a plaintiffs claims.” Taliaferro v. Darby Twp. Zoning Bd., 458 F.3d 181, 188 (3d Cir. 2006). A district court must presume that it lacks jurisdiction over a matter unless jurisdiction is shown to be proper. Kokkonen, 511 U.S. at 377. “To establish standing under Article III of the Constitution, a plaintiff must demonstrate (1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.” Thole v. U S. Bank NA, 590 U.S. 538, 540 (2020).
In this standing analysis, the Court must address the lead plaintiffs claims, as “named plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.'” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 n.6 (2016) (quoting Simon v. Eastern Ky. Welfare Rights Organization, 426 U.S. 26, 40, n. 20 (1976)). Defendant disputes the first two prongs-injury in fact and causation-in its Motion to Dismiss. (ECF No. 20 at 10.) The Court turns to each in turn.
Defendant does not move to dismiss based on redressability in the present Motion. In the FAC, Plaintiff seeks damages, as well as equitable relief. (FAC at 41-42.) The Third Circuit has stated “[i]n a data breach case, [] there is no reason to believe that monetary compensation will not return plaintiffs to their original position completely ... A Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011); see also Clemens v. ExecuPharm Inc., 48 F.4th 146, 158 (3d Cir. 2022). Thus, the Court finds the redressability prong of the standing analysis satisfied.
1. Injury in Fact
To establish an injury in fact, a plaintiff must allege that their injury is “concrete and particularized” and “actual or imminent, not ‘conjectural' or ‘hypothetical.'” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Lujan, 504 U.S. at 560.) Thus, alleging a potential future injury is not sufficient to find Article III standing. Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011). “An allegation of future injury may suffice if the threatened injury is ‘certainly impending,' or there is a ‘substantial risk' that the harm will occur.” Susan B. Anthony List, 573 U.S. 149, 158, (2014) (quoting Clapper v. Amnesty Inti USA, 568 U.S. 398, 414 n.5, (2013)). Nonetheless, even a potential future injury with an “objectively reasonable likelihood” of occurring does not meet the standard of “certainly impending.” Clapper, 568 U.S. at 410.
In the context of data breach litigation, the Third Circuit has posited several considerations for finding an injury in fact. To satisfy concreteness, an injury need not be tangible; rather, a central consideration is whether the asserted harm has been traditionally recognized as a basis for a lawsuit in American courts. Clemens v. ExecuPharm Inc., 48 F.4th 146, 154 (3d Cir. 2022) (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 414 (2021)). The Third Circuit has explained that unauthorized exposure of private information is “closely related to that contemplated by privacy torts.” Id. at 155; see also In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 638-39 (3d Cir. 2017) (explaining the common law of tort actions regarding dissemination of private information). A court must also consider the relief sought: injunctive relief can qualify as concrete if the risk of future harm is imminent and substantial. Clemens, 48 F.4th at 155. Moreover, a plaintiff seeking damages satisfies concreteness if “the exposure to the risk of future harm itself causes a separate concrete harm.” Id. (quoting TransUnion LLC, 594 U.S. at 436). Therefore, the Third Circuit has held that “in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.” Id. at 155-56.
To determine if an injury is imminent in the data breach context, the Third Circuit has provided multiple factors to consider, “with no single factor being dispositive to [the] inquiry.” Id. at 153. These factors include whether the data breach was intentional, whether the data was misused, and whether the nature of the accessed information may subject a plaintiff to a heightened risk of identity theft. Id. at 153-54. However, the Third Circuit has made clear that “[t]he present test is actuality, not hypothetical speculations concerning the possibility of future injury.” Reilly, 664 F.3d at 43. Thus, any threatened harms must be substantiated by claims such as misuse, intentionality, or malice. See id. at 44.
Defendant asserts that Plaintiff has not plausibly alleged misuse of her personal information resulting from the Data breach, and therefore Plaintiff does not have standing. (Mot. at 11.) From Defendant's standpoint, the allegations concern injury to Plaintiffs spouse, and no actual misuse of Plaintiff s private information is alleged. (Id.) Defendant's argument highlights that (1) the accessed account is a joint bank account and (2) Plaintiff did not allege that the associated closed debit card was in her name. (Id. at 13.) Defendant emphasizes the fact that the debit card was cancelled before any financial loss or identity theft occurred, demonstrating only a proactive action by the bank. (Id. at 12, 16.) Defendant also argues that phishing attempts are insufficient to confer standing. (Id. at 20.)
In opposition, Plaintiff argues that the fact that the account that a third party attempted to access was a joint account only demonstrates the consequences of Everest's failure to safeguard her data. (Opp'n at 8.) Plaintiff asserts that her name and SSN were compromised in the data breach and the subsequent attempted access of the joint account and closure of the debit card were misuses of that compromised data. (Id. at 11.) Plaintiff contends, under Third Circuit precedent, she has demonstrated actual or imminent injury because she has alleged that the breach was intentional, the data was misused, and the nature of the data subjects her to a heightened risk of identity theft. (Id. at 12-13.) Plaintiff also contends that her mitigation efforts demonstrate a concrete injury to satisfy standing. (Id. at 14.) Plaintiff asserts that economic loss is not required to confer standing and that the attempt alone to access the joint bank account and its associated debit card confers standing. (Id. at 7.) Plaintiff further argues that an increase in spam and phishing calls corroborate her allegations that her information was accessed because of the Data Breach. (Id. at 15.)
Upon review of applicable law, although by a thin reed, the Court finds that Plaintiff has alleged an injury in fact. Here, Plaintiff alleges that her name and SSN were accessed in the Data Breach. (FAC ¶ 120.) She further alleges that six months after the Data Breach, an unauthorized party attempted to access her joint checking account and a payment card linked directly to that account. (Id. ¶ 113.) The kind of information accessed in the breach is sufficient to plausibly create a heightened risk of identity theft and thus imminent injuiy. See Clemens, 48 F.4th at 154 (“disclosure of social security numbers, birth dates, and names is more likely to create a risk of identity theft or fraud”); see also In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 630, 639 n.19 (3d Cir. 2017) (describing stolen information such as “name and demographic information. . . and in some instances, a Social Security number and/or limited clinical information” as “highly personal and could be used to steal one's identity” as suggestions of what creates a material risk of haim).
Because of the attempted fraud, the bank closed the account, causing Plaintiff to lose access to subscription accounts associated with the payment card. (FAC ¶¶ 113, 116.) Unauthorized attempts to access a plaintiff's financial accounts corroborate Plaintiffs allegations that her data was accessed and misused. See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig, No. 19-2904, 2021 WL 5937742, at *8-9 (D.N.J. Dec. 16, 2021) (finding plaintiffs who alleged attempts of third parties to use their information corroborated that their information was accessed and thus adequately pled an injury in fact); see also In re Am. Fin. Res., Inc. Data Breach Litig, No. 22-201757, 2023 WL 3963804, at *4 (D.N.J. Mar. 29, 2023) (same). Plaintiff also alleges that she has experienced phishing attempts, which courts in this Circuit have noted corroborate plaintiffs' allegations of data misuse. See Rauhala v. Greater N.Y. Mut. Ins., Inc., No. 22-1788, 2022 WL 16553382, at *3 (E.D. Pa. Oct. 31, 2022) (citing an increase in spam calls as harm that shows an injury in fact.); see also In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *4 n.12 (listing phishing calls as an allegation sufficient to demonstrate that an unauthorized person accessed the plaintiffs information).
Furthermore, Adkins alleges emotional distress resulting from the theft of her PIT Taken with the attempt to access her bank account, this emotional distress is an additional concrete injury. See Clemens, 48 F.4th at 156 (“if the plaintiffs knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.”); see also Rauhala, 2022 WL 16553382, at *3 (finding plaintiff pled an injury-in-fact where her PII was compromised and she “suffered from anxiety, emotional distress, and loss of privacy from fear of public disclosure”); see also In re Retreat Behav. Health LLC, No. 23-00026, 2024 WL 1016368, at *3 (E.D. Pa. Mar. 7, 2024) (recognizing that emotional distress suffices as a concrete injury when there are allegations that the stolen data has been misused.) Thus, Plaintiff has sufficiently plead concrete, imminent injuries that go beyond hypothetical or speculative injury.
Though Adkins has not alleged any actual economic injury resulting from the Data Breach, this does not preclude her from having standing. The Third Circuit has directed that, in the data breach context, it is particularly important to recognize “that a plaintiff need not wait until he or she has actually sustained the feared harm” to file suit. Clemens, 48 F.4th at 152. Forcing Plaintiff to suffer financial harm or identity theft from the data breach-particularly when there has already been an attempt to access her bank account-would ignore that critical “actual or imminent” disjunctive, where a plaintiff can seek judicial redress for imminent harms. See id. Moreover, courts have expressly recognized that economic loss is not required for standing in the data breach context. See In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *4 (finding standing for plaintiffs “who have not experienced direct economic harm, but who have alleged facts sufficient to infer that an unauthorized user” accessed their data, such as allegations that “unknown parties unsuccessfully attempted to misuse their financial information”); see also Gaddy v. Long & Foster Companies, Inc., No. 21-2396,2023 WL 1926654, at *8 (D.N.J. Feb. 10,2023) (“Misuse of financial information is a cognizable, intangible injury that, even without financial loss, is sufficient to confer standing.”) Rather, cases where no standing is found are cases with plaintiffs who fail to allege any misuse or facts to suggest imminent misuse. See, e.g, In re Am. Fin. Res., Inc. Data Breach Litig., 2023 WL 3963804, at *4-5.
To the extent that Plaintiff alleges injury based upon the attempted access to a joint account, the Court finds that this does not preclude standing. Defendant cites no authority in their Motion or Reply to persuade the Court that there is a measurable difference in terms of the misuse of personal data when an accessed account is a joint, not individual, account. Plaintiff's joint account is as much hers as it is her husband's. It is plausible that her personal information may be used to attempt to access a joint account just as much as it would be to attempt to access an individual account. Cf. In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *11 n.21 (finding no standing where minor child plaintiffs mother experienced a fraudulent charge, but alleged no information that minor child's information was accessed or misused). Plaintiff subsequently spent time mitigating any effects following the attempted access. See In re Am. Med. Collection Agency, Inc., 2021 WL 5937742 at *8 (“remedial expenses are sufficiently concrete when the harm a plaintiff faces has already ‘materialized'” (quoting Transunion, LLC, 594 U.S. at 436)). Though the Court recognizes that a joint account leaves open the possibility that the attempt to access it resulted from Adkins's husband's information, this argument is best suited for discovery, in the event the matter proceeds. See Gaddy, 2023 WL 1926654, at *9.
See, e.g, Pan Tech., Inc. v. Alexander, No. 2423-19, 2021 WL 3354999, at *3 ( N.J.Super.Ct.App.Div. Aug. 3, 2021) (explaining that with respect to a joint bank account, “each joint tenant . . . holds ‘per tout,' or the entire property” (quoting 7 Powell on Real Property § 51.03 (2021))); Est. of Cowling v. Est. of Cowling, 109 Ohio St.3d 276, 279 (2006) (““The existence of a joint and survivorship bank account raises a rebuttable presumption that co-owners of the account share equally in the ownership of the funds on deposit.” (quoting Vetter v. Hampton, 54 Ohio St.2d 227 (1978))).
2. Causation
To establish causation for the purposes of standing, the plaintiff must allege an injury in fact that is “fairly traceable to the challenged conduct of the defendant.” Spokeo, Inc., 578 U.S. at 338. This requirement is “akin to ‘but for' causation ... the traceability requirement [can be] met even where the conduct in question might not have been a proximate cause of the harm, due to intervening events.” Edmonson v. Lincoln Nat. Life Ins. Co., 725 F.3d 406, 418 (3d Cir. 2013).
Defendant argues that its conduct is not traceable to the incident because Plaintiff does not allege that she provided her joint checking account or debit card information to it. (Mot. at 14.) Primarily relying on Enslin v. The Coca-Cola Company, Everest argues that Adkins's allegations that her name and SSN were accessed do not plausibly connect to the closing of the debit card. 136 F.Supp.3d 654 (E.D. Pa. 2015). In Enslin, an employee sued his company after criminals stole his employer-owned laptop and misused the employee's personal data on the laptop to, inter alia, commit identity theft and withdraw funds from his bank account. Id. The court in Enslin found standing for the employee's allegations pertaining to fraudulent withdrawals from his bank account and opening new credit cards in his name. Id. at 668. However, the court found that allegations pertaining to unauthorized use of certain credit cards lacked standing because the employee did not allege that he gave the employer the information for those particular credit cards. Id. at 669.
In opposition, Plaintiff contends that Social Security numbers alone can be used to facilitate attacks on financial accounts. (Opp'n at 9.) Plaintiff asserts that the compromise of her name and SSN is sufficient information that can be used to facilitate the attempt at accessing her bank account. (Id. at 11.)
At this juncture, Plaintiffs allegations that her name and SSN were accessed are sufficiently traceable to her alleged injury. See In re Am. Fin. Res., Inc., 2023 WL 3963804, at *5. (holding allegations such as “unauthorized credit charges, and attempts at identity theft that occurred as a result of the [d]efendanf s failure to secure [the plaintiffs'] PII [] sufficient... at this early stage” to satisfy the causation requirement) Though Enslin failed to find causation for allegations regarding unauthorized access to credit card information that was not provided to the defendant, the Court did find causation with respect to PII that was provided to the employer and subsequently leaked. Enslin, 136 F.Supp.3d at 668. At this stage, Plaintiffs allegation that “an unauthorized third party attempted to access her Fifth Third Bank joint-checking account and a payment debit card directly linked to that account,” (FAC ¶ 113), are comparable to the allegations the Enslin court found adequately pled standing. 136 F.Supp.3d at 668. Moreover, determining what information may have been used to access Adkins's bank account is a factual question best suited for discovery. See In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *12 (“Defendants' argument that the specific information Plaintiffs provided was insufficient to allow criminals to commit identity theft is a question of fact more appropriately resolved on summary judgment or at trial.”); see also Gaddy, 2023 WL 1926654 at *9 (“considering the wide range of information that was potentially exposed in the Data Breach . . . [t]his issue is better left for investigation during discovery than on a motion to amend, without the benefit of factual findings and expert reports.”)
C. Common Law Claims
Having found that Plaintiff has standing to assert her claims, the Court now turns to the merits of each of Plaintiff's claims. Plaintiff asserts claims for negligence, breach of implied contract, unjust enrichment, and breach of a third-party beneficiary contract. Defendant moves to dismiss all of Plaintiff's claims. The Court will address each claim in turn.
1. Negligence
In Count One, Plaintiff asserts a claim for negligence. (FAC ¶¶ 140-59.) Plaintiff argues that “Defendant owed a duty of care to use reasonable means to secure and safeguard its computer system” which held Plaintiffs and the other Class Members' PIT (Id. ¶ 142.) This duty included “a responsibility to implement processes by which it could detect a breach of its security systems in a reasonably expeditious period of time and to give prompt notice to those affected in the case of a data breach.” (Id.) Plaintiff alleges this duty also included a duty to adhere to “industry standards,” and resulted from the undefined “special relationship that existed between Defendant and patients,” and the “reasonable security measures” prescribed by Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45. (Id. ¶¶ 143-46.) This duty was breached, contends Plaintiff, when Defendant, inter alia, “allowfed] unauthorized access to Class Members' PII,” and failed to “adopt, implement, and maintain adequate security measures to safeguard Class Members' PII,” “adequately monitor the security of its network and systems,” and “timely notify Class Members about the Data Breach.” (Id. ¶ 149.) Plaintiff alleges that by failing to secure the Class Members' PII, Defendant's conduct caused the Data Breach, which led to the injuries underlying the subject lawsuit. (Id. ¶¶ 157-59.)
Defendant moves to dismiss Plaintiff's negligence claim. (Mot. at 25-35.) Defendant argues that it did not owe Plaintiff and the class a duty of care, and Plaintiff fails to establish same. (Id. at 27-28.) Moreover, Defendant contends that even if a duty existed, Defendant did not have a duty to protect Plaintiff and the Class from the criminal actions of a third party-in this case, the hackers behind the Data Breach. (Id. at 30.) In addition, Defendant avers that Plaintiff fails to plausibly allege that Defendant's defects in its security caused the Data Breach, nor was the Data Breach “reasonably foreseeable” from any faults in its security. (Id. at 32-33.)
Under New Jersey law, to assert a claim for negligence, a plaintiff must demonstrate four elements: “(1) a duty of care, (2) that [the defendant] breached that duty, (3) that such breach proximately caused harm, and (4) that [the plaintiff] suffered actual damages.” Lax v. City of Atl. City, No. 19-7036, 2019 WL 7207472, at *4 (D.N.J. Dec. 27, 2019); Ehrlich v. McInerney, No. 17-879, 2019 WL 4745269, at *10 (D.N.J. Sept. 30, 2019). A negligence claim requires a plaintiff to establish that a duty was owed to them. See Pine Belt Enterprises, Inc. v. S.C. & E Admin. Servs., Inc., No. 04-105, 2005 WL 2469672, at *6 (D.N.J. Oct. 6, 2005) (“Before a party may be held liable for breach of an obligation, ‘it must first be established that the party in fact owed a duty to act in a certain manner.'” (quoting Riggs v. Schappell, 939 F.Supp. 321, 329 (D.N.J. 1996))). “[A] duty is an obligation imposed by law requiring one party to conform to a particular standard of conduct toward another.” Rezem Fam. Assocs., LP v. Borough of Millstone, 30 A.3d 1061, 1071 (N.J.Super.Ct.App.Div. 2011) (quoting Acuna v. Turkish, 930 A.2d 416 (N.J. 2007)); see also In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *14 (“It is axiomatic that a defendant has a duty to protect a plaintiff against foreseeable harm.”).
The determination of whether a duty exists is generally a matter for the Court. Id. “The foreseeability of harm is a significant consideration in the determination of a duty to exercise reasonable care,” and while it does not establish a duty in and of itself, “it is a crucial element in determining whether imposition of a duty on an alleged tortfeasor is appropriate.” Carvalho v. Toll Bros. & Devs., 675 A.2d 209, 212 (N.J. 1996) (citations omitted). Once a party satisfies foreseeability, the Court turns to “considerations of fairness and policy,” including “identifying, weighing, and balancing several factors-the relationship of the parties, the nature of the attendant risk, the opportunity and ability to exercise care, and the public interest in the proposed solution.” Zielinski v. Pro. Appraisal Assocs., 740 A.2d 1131, 1135 (N.J.Super.Ct.App.Div. 1999) (citations and quotation marks omitted); see also New Jersey Dep't of Env't Prot. v. E.I du Pont de Nemours & Co., No. 19-14766, 2021 WL 6144081, at *7 (D.N.J. Dec. 30, 2021) (explaining that New Jersey law requires the court to consider the “relationship of the parties” in determining whether fair to find the existence of a duty).
Conspicuously absent from the FAC is a foundational and rudimentary element for any lawsuit-the relationship between Plaintiff and Defendant. Nowhere in Plaintiffs 43-paged, 197-paragraphed FAC does Plaintiff succinctly describe her relationship to Defendant, whom she asserts is a worldwide “provider of reinsurance and insurance.” (FAC ¶ 22.) Throughout the FAC, Plaintiff refers to the relationship between Plaintiff and Defendant in vague terms which do not explain to the Court the basis or bounds of the association between Plaintiff and Defendant. In fact, it is not until paragraph 179 of Plaintiff s FAC that the Plaintiff, albeit amorphously, provides any description of the nature of the Plaintiffs and Defendant's professional interaction: “Plaintiff and Class Members conferred a monetary benefit on Defendant. Specifically, they purchased goods and services from Defendant and/or its agents and in so doing provided Defendant with their PIT” (Id. ¶ 179.) What “goods” Plaintiff received from Defendant, an insurance provider, is not set forth.
Previously, again with no expounding, Plaintiffs FAC states that “Plaintiff and Class Members overpaid for a service that was intended to be accompanied by adequate data security . . . . Thus, the Plaintiff and the Class Members did not get what they paid for and agreed to.” (Id. ¶ 107.) Plaintiff does not state what “service” she paid for and does not append to the FAC any agreement evidencing a contractual relationship between the parties. See Jaynes v. Henry, No. 2103098, 2022 WL 326993, at *3 (D.N.J. Feb. 3, 2022) (“A court may also rely on exhibits attached to the complaint.”). Adding confusion, Plaintiffs FAC, in a conclusory fashion, avers a “special relationship that existed between Defendant and patients,” (FAC ¶ 144), but provides no substance as to the basis of that purported “special relationship.”
While contractual privity is not necessary, and indeed may belie any tort claims, any contractual information would enlighten the Court on the parties' relationship.
Moreover, it is unclear to the Court as to who might be referred to as “patients,” be it Plaintiff or others.
As another example, Plaintiff states in a conclusory fashion that “Plaintiffs and Class Members' PII. . . was entrusted to Defendant, its officials, and agents ....” (FAC ¶ 5.) Elsewhere, Plaintiff alleges that “Defendant obtained and continues to maintain Plaintiff Adkin's PII and owed her a legal duty and obligation to protect that PII from unauthorized access and disclosure,” (id. ¶ 20), and “[b]y collecting and storing this data in its computer system and network,” (id. ¶ 142)- but fails to provide any details on how or why Defendant obtained Plaintiffs PII in its systems in the first place, which may assist the Court in its determination that a duty has been forged. Likewise, Defendant defines the relationship between the parties amorphously and fails to make clear how it acquired Plaintiffs PII. At times in its Motion to Dismiss, Defendant appears to concede that Plaintiff purchased goods from Defendant. (See Mot. at 39 (citing FAC ¶ 179).) However, in other sections, Defendant argues that it “has no direct relationship with” Plaintiff. (See Mot. at 30.)
As described above, “the relationship of the parties” is a factor “relevant to the existence of a duty under New Jersey law.” Willekes v. Serengeti Trading Co., No. 13-7498, 2016 WL 5334522, at *16 (D.N.J. Sept. 22, 2016). Without this foundational information and a key factor in the fairness determination, the Court is unable to ascertain whether Defendant owed Plaintiff a duty to safeguard her PII. See Serengeti Trading Co., 2016 WL 5334522, at *17 (dismissing tort claim where plaintiff failed to “allege a relationship that would give rise to a duty owed them”); S. Broward Hosp. Dist. v. MedQuist Inc., 516 F.Supp.2d 370, 398 n. 17 (D.N.J.), off din part, 258 Fed.Appx. 466 (3d Cir. 2007) (explaining that plaintiff is required to “plead facts to support the existence of [] a relationship” in order for the court to determine whether a duty arises out of same); see also Tersco, Inc. v. E.I. DuPont de Nemours & Co., 879 F.Supp. 445, 449 (E.D. Pa. 1992) (dismissing tort claim where the plaintiffs complaint, among other reasons, failed to explain the relationships which gave rise to the alleged claims).
In the case at bar, without explanation as to how Defendant acquired Plaintiffs PII, the Court cannot assess whether it would be fair to hold that Defendant had a duty to protect this information. It is not up to the Court to fill the void of Plaintiffs amorphous description of its relationship to Defendant, and the Court will not hypothesize why Defendant may have had an obligation to safeguard Plaintiffs information. Accordingly, the Court grants Defendant's Motion as to Plaintiffs negligence claim without prejudice.
While the Court does not dismiss the FAC under Federal Rule of Civil Procedure 8, cases discussing this rule are instructive on the need to properly define the relationship between plaintiff and defendant See Jannarone v. Sunpower Corp., No. 18-9612, 2018 WL 5849468, at *3 (D.N.J. Nov. 7, 2018) (“Under Federal Rule of Civil Procedure 8, Plaintiff is required to plead facts sufficient to establish this asserted legal relationship existed.”); Townes v. Christie, No. 14-2162, 2014 WL 4798884, at *2 (D.N.J. Sept. 26, 2014) (dismissing complaint under Rule 8 where the plaintiff “failed to show that each Defendant would be liable for the claims presented against him or her”); see also Tommolillo v. Columbia Bank, No. 233140, 2024 WL 1328186, at *5 (D.N.J. Mar. 28, 2024) (“Rule 8 requires that a complaint set forth the plaintiffs claims with enough specificity to ‘give the defendant fair notice of what the . . . claim is and the grounds upon which it rests.'” (quoting Twombly, 550 U.S. at 555)).
Because the Court finds Plaintiff fails to allege any duty, the Court does not address the other elements of negligence or Defendant's argument that the negligence claim is barred by the economic loss doctrine.
2. Breach of Implied Contract
In Count Two, Plaintiff asserts a claim for breach of an implied contract. (FAC ¶¶ 160- 174.) Plaintiff contends that she and “the Class Members entered into implied contracts with Defendants under which Defendant agreed to safeguard and protect [PII] and to timely and accurately notify Plaintiff and Class Members that their information had been breached and compromised.” (Id. ¶ 161.) The FAC alleges that the PII was provided to Defendant “for the purpose of providing services,” and in accepting this PII, Defendant “became obligated to reasonably safeguard Plaintiffs and other Class Members' PII.” (Id. ¶ 165) In paying Defendant for its “services,” the FAC claims that Plaintiff “intended and understood that Defendant would adequately safeguard their data as part of that service.” (Id. ¶ 166.) When the Data Breach occurred, “Defendant breached the implied contract... by failing to take reasonable measures to safeguard [Plaintiffs] PII.” (Id. ¶ 173.)
“Implied-in-fact contracts are formed by conditions manifested by words and inferred from circumstances, thus entailing consideration of factors such as oral representations, employee manuals, and party conduct.” Tliadis v. Wal-Mart Stores, Inc., 922 A.2d 710, 722 (N.J. 2007)). To form an implied contract, a plaintiff must demonstrate “mutual assent” of the parties. See In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *19 (“Mutual assent is an essential element of an implied contract claim . . . .”). In the context of PII and data breaches, “the fact that a defendant required plaintiffs to provide personal information does not alone support the inference that the parties agreed for the defendant to secure this information.” Id. Rather, a complaint “must allege some other conduct by the Defendant from which mutual assent for [the defendant] to safeguard Plaintiffs PII arose.” In re Am. Fin. Res., Inc., 2023 WL 3963804, at *8; see also Longenecker-Wells v. Benecard Services Inc., 658 Fed.Appx. 659, 662 (3d Cir. 2016) (explaining that plaintiffs, who were required to provide PII to their employer as a condition of employment, failed to plead an implied contract where the plaintiffs “failed to plead any facts supporting their contention that an implied contract arose between the parties other than that [Defendant] required Plaintiffs' personal infoimation as a prerequisite to employment”).
Two recent decisions from the Honorable Madeline Cox Arleo, U.S.D.J. are instructive. In In re Am. Med. Collection Agency, Inc., Judge Arleo dismissed the plaintiffs claim for an implied contract. 2021 WL 5937742, at *18-20. In that case, the plaintiffs provided the defendant healthcare companies with their PII for billing purposes. In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *1. When a patient would fail to pay their bill, the defendant healthcare companies engaged a collections agency to collect payment, in which point the defendant companies would pass the patients' PII to the collections agency. Id. at *1-2. A lawsuit resulted when the collections agency experienced a data breach, resulting in a leak of the plaintiffs' data. Id. The plaintiffs in that case averred that “when they provided their [PII to the defendants], Defendants agreed to implied contracts to secure their Personal Information and provide timely notice of any data breach.” Id. at *18. However, Judge Arleo found these allegations insufficient to sustain a claim for breach of an implied contract. Id. at *19.
As she explained, the plaintiffs “paid Defendants to perform health care services” and provided their PII “to ensure Defendants received payment.” Id. However, the plaintiffs failed “to identify [] a policy or practice from the which the Court could infer an implied contract.” Id. at *20. The complaint lacked any allegations that Defendants agreed to safeguard this information besides complying with federal regulations. Id. Moreover, the privacy notices on the defendants' websites made clear that the defendants “did not ensure the privacy and safety of Plaintiffs' information.” Id. at *20 (emphasis in original). Because the plaintiffs failed to allege that the defendants agreed to safeguard their PII, the plaintiffs could not demonstrate mutual assent, and thus, their breach of implied contract claim failed. Id.
On the other hand, in In re Am. Fin. Res., Inc., Judge Arleo held that the plaintiffs stated a claim for breach of an implied contract. 2023 WL 3963804, at *8. In that matter, the defendant, a provider of real estate lending, required loan customers to provide it with PII. Id. at * 1. This data was hacked and certain customers' PII was revealed to third parties. Id. Judge Arleo focused on the defendant's Privacy Statement, which was “available on [the defendant's] website” and stated that PII would be kept as “[c]onfidential information.” Id. As such, this information would be “subject to physical, electronic, and procedural safeguards,” and the defendant stated it was “protecting the privacy and security of the information you share with us.” Id. Based on these allegations, Judge Arleo held the plaintiffs had alleged “a policy or practice from which the Court could infer an implied contract” and allowed the claim to proceed. Id. (quoting In re Am. Med. Collection Agency, Inc. 2021 WL 5937742, at *20).
In the case at bar, Plaintiff fails to identify such “a policy or practice” that would allow the Court to find an implied contract. In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at *20. Without providing any factual support, Plaintiff alleges that “Defendant became obligated to reasonably safeguard Plaintiffs and other Class Members' PII,” and Plaintiff believed “Defendant would adequately safeguard the data.” (FAC ¶¶ 165-66.) In fact, aside from conclusory allegations, the FAC is devoid of any allegations surrounding any policy or practice of Defendant from which the Court could infer an implied contract. See Degrazia, 2008 WL 2456489, at *3 (explaining that conclusory statements cannot serve as the basis for a complaint to survive dismissal). Indeed, Plaintiff provides no information regarding Defendant's privacy agreements on its websites, or any standard safeguards to which Defendant agreed when Plaintiff purchased “services” from Defendant or its agents. Plaintiff fails to point to any basis for the Court to find an implied promise to safeguard their data. As such, the Court dismisses Plaintiffs breach of implied contract claim without prejudice.
3. Unjust Enrichment
In Count Three, Plaintiff asserts a claim for unjust enrichment. (FAC ¶¶l 75-89.) Plaintiff argues that she and other class members provided Defendant with monetary support in return for, along with its “goods and services from Defendant and/or its agents,” “data security measures to secure Plaintiffs . . . PII.” (Id. ¶¶ 180-81.) By failing to secure her PII, Plaintiff contends that Defendant “enriched itself by saving the costs” that should have been spent on data security. (Id. ¶ 182.) Plaintiff brings this claim to recover these funds. (Id. ¶ 183.)
Defendant argues that the Court must dismiss this claim. (Mot. at 38-39.) Defendant contends that Plaintiff “fails to allege a benefit conferred to [Defendant] for which it would be unjust for [Defendant] to retain,” as Plaintiff received “goods and services” from Defendant. (Id. at 39.)
“The unjust enrichment doctrine requires that plaintiff show that it expected remuneration from the defendant at the time it performed or conferred a benefit on defendant and that the failure of remuneration enriched defendant beyond its contractual rights.” Bava v. Hamilton Farm Golf Club, No. 08-5473, 2009 WL 2778108, at *3 (D.N.J. Aug. 28, 2009) (quoting VRG Corp. v. GKN Realty Corp., 641 A.2d 519, 526 (N.J. 1994)). An unjust enrichment claim requires “a direct relationship between the parties.” Hammerv. Vital Pharms., Inc.,No. 11-4124,2012 WL 1018842, at *10 (D.N.J. Mar. 26, 2012).
As described above, the Court notes the relationship between Plaintiff and Defendant is unclear. In this section of its Motion, Defendant appears to concede that Plaintiff purchased goods from Defendant. (See Mot. at 38.) However, in previous sections, Defendant argues that it “has no direct relationship with” Plaintiff. (See Mot. at 30.) Plaintiff attempts to paint the relationship as direct, alleging that Plaintiff “purchased goods and services from Defendant and/or its agents.” (FAC ¶ 179.) As a “direct relationship” is necessary to assert a claim for unjust enrichment, Hammer, 2012 WL 1018842, at *10, the Court will accept the factual allegations in the light most favorable to Plaintiff and not dismiss the claim on this ground.
The Court agrees with Defendant that Plaintiff has failed to allege Defendant “receive[d] any additional value from Plaintiff['s] Personal Information.” In re Am. Med. Collection Agency, Inc., 2021 WL 5937742, at * 18. Plaintiff alleges it “purchased goods and services from Defendant and/or its agents,” and paid Defendant for same. (FAC ¶ 179.) The payment for the “goods and services,” therefore, is not an “independent benefit that Defendant[] received.” In re Am. Fin. Res., Inc., 2023 WL 3963804, at *8. Plaintiff fails to claim that she conferred upon Defendant anything additional. The FAC lacks any allegations that Defendant benefited from Plaintiffs PII, by, for example, selling the data or otherwise commercially profited from same. Without this, Plaintiffs unjust enrichment claim fails. See Pereira v. Azevedo, No. 12-907, 2013 WL 1655988, at *5 (D.N.J. Apr. 17, 2013) (dismissing unjust enrichment claim where the plaintiffs fail to show any benefit received from the defendant).
Further, “New Jersey does not recognize unjust enrichment as an independent tort cause of action.” Id. (citing Castro v. NYT Television, 851 A.2d 88 (N.J.Super. App. Div. 2004)); Nelson v. Xacta 3000 Inc., No. 08-5426, 2009 WL 4119176, at *7 (D.N.J. Nov. 24, 2009) (dismissing unjust enrichment claim where it was “presented as a tort-based theory of recovery”). In the case at bar, Plaintiff does not claim she did not receive the “goods and services” from Defendant. Rather, at base, Plaintiff alleges that “ [a] s a direct and proximate result of Defendant's conduct”- failing to safeguard Plaintiffs data-Plaintiff has been injured. (FAC ¶ 187.) Plaintiffs unjust enrichment claim, in essence, sounds in tort. She alleges that Defendant's failure to protect her data caused her injury. Under New Jersey law, Plaintiff cannot cloak her tort claim as one of unjust enrichment. See Pereira, 2013 WL 1655988, at *5. As such, the Court grants Defendant's Motion as to Plaintiffs unjust enrichment claim. Plaintiffs claim is dismissed without prejudice.
4. Breach of a Third-Party Beneficiary Contract
Count Four sets forth a claim for a breach of a third-party beneficiary contract. (FAC ¶¶ 190-97.) Plaintiff contends that Defendant “entered into various contracts to provide insurance and reinsurance services” and “[t]hese contracts were made expressly for the benefit of Plaintiff and the Class, as it was their PII that Defendant agreed to collect and protect through its services.” (Id. ¶¶ 192-92.) As such, “the benefit of collection and protection of the PII” was the primary goal of the contracting parties. (Id. ¶ 193.) Plaintiff alleges that “Defendant breached its contracts with its clients when it failed to use reasonable data security measures that could have prevented the Data Breach,” thus harming Plaintiff when her and other Class Members' data was leaked. (Id. ¶¶ 195-96.)
Defendant moves to dismiss this claim. (Mot. at 37-38.) Defendant argues that Plaintiff “fails to allege the existence of [an] express contract to which she was an intended third-party beneficiary.” Id. The Court agrees.
To assert a third-party beneficiary breach of contract claim, a plaintiff must demonstrate the existence of a contract and that “the pertinent contract was ‘made for the benefit of [that] third party within the intent and contemplation of the contracting parties.'”McLane Foodservice, Inc. v. Ready Pac Produce, Inc.,No. 10-6076,2012 WL 2462291, at *3 (D.N.J. June 27,2012) (quoting Grant v. Coca-Cola Bottling Co. of N.Y., Inc., 780 F.Supp. 246, 248 (D.N.J. 1991)); see also Plastic Surgery Ctr., P.A. v. Cigna Health & Life Ins. Co., No. 17-2055, 2019 WL 1916205, at *7 (D.N.J. Apr. 30, 2019) (“The test for determining whether a third-party has an actionable right under contract is whether contracting parties intended that a third party should receive a benefit which might be enforced in the court.” (quoting GE Capital Mortg. Services, Inc. v. Privetera, 788 A.2d 324, 330 ( N.J.Super.Ct.App.Div. 2002))). This intent is crucial to a plaintiffs ability to enforce the contractual benefits as a third party. See Broadway Maint. Corp. v. Rutgers, State Univ., 447 A.2d 906, 909 (N.J. 1982) (“The contractual intent to recognize a right to performance in the third person is the key.”); GE Capital, 788 A.2d at 330 (“If that intent does not exist, then the third person is only an incidental beneficiary, having no contractual standing.”). To determine the intent of the contract, a court must “examine the terms of the agreement and the surrounding circumstances.” J.V. ex rel. Valdez v. Macy's, Inc.,No. 13-5957, 2014 WL 4896423, at *3 (D.N.J. Sept. 30, 2014) (quoting Grant, 780 F.Supp. at 249); MHA, LLC v. Amerigroup Corp., 539 F.Supp.3d 349, 363 (D.N.J. 2021) (explaining that “Courts will glean [] intent from an examination of the contract and a consideration of the circumstances.” (citation and quotation marks omitted)).
A breach of contract claim requires a plaintiff to demonstrate that “(1) a valid contract existed, (2) the defendant failed to perform under the contract, (3) damages flowing therefrom, and (4) the party stating the claim performed its own contractual obligations.” Vaswani, Inc. v. Atl. Enterprises Ltd, No. 22-137, 2023 WL 4740905, at *11 (D.N.J. July 25, 2023) (citing Frederico v. Home Depot, 507 F.3d 188, 203 (3d Cir. 2007)).
In the case at bar, Plaintiff asserts, in a conclusory manner, that Defendant entered into contracts with unnamed third parties that “were made expressly for the benefit of Plaintiff and the Class.” (FAC ¶ 191.) Plaintiff, however, fails to identify any specific contracts, or even the parties with whom Defendant entered these contracts. Nor does Plaintiff clarify the explicit provisions of the alleged contracts that demonstrate these contracts were made with the intent to benefit Plaintiff-the “key” to a third-party beneficiary breach of contract claim. See Broadway, 447 A.2d at 909. These “conclusory” and “threadbare” assertions cannot carry Plaintiffs burden to allege this claim. See Plastic Surgery Ctr., 2019 WL 916205, at *8 (dismissing claim where the plaintiff failed to provide the alleged contract or “reference a single provision from that contract” such that the plaintiff had “not sufficiently alleged, nor could the Court ascertain, if [the third parties] entered into an agreement for the direct benefit” of the plaintiff); MHA, LLC v. Amerigroup Corp., 539 F.Supp.3d 349, 363 (D.N.J. 2021) (dismissing claim where complaint failed to supply “the critical inference” that the contract was entered into for the benefit of the plaintiff).
Aside from failing to demonstrate the intent of the contract, Plaintiff fails to allege the existence, let alone the breach, of any agreements between Defendant and a third-party. Without such factual allegations, the Court cannot determine in the first place whether there was a breach of a contract to support a third-party beneficiary claim. See Vaswani, Inc. v. All. Enterprises Ltd, No. 22-137, 2023 WL 4740905, at *11 (D.N.J. July 25, 2023) (holding third-party beneficiary claim failed where the complaint failed to allege breach of any underlying contract). Therefore, the Court grants Defendant's Motion as to the third-party beneficiary breach of contract claim and dismisses this claim without prejudice.
CONCLUSION
For the foregoing reasons, Defendant's Motion to Dismiss is GRANTED. Plaintiff may file a Second Amended Complaint within 30 days, which addresses the deficiencies identified by the Court. Failure to file an amended pleading within 30 days will result in dismissal with prejudice. An appropriate Order will accompany this Opinion.