Opinion
BUSINESS & CONSUMER DOCKET NO. BCD-CV-20-21
10-13-2020
LISA GONZALES, on behalf of herself and all others similarly situated, Plaintiff, v. SWEETSER, Defendant.
Plaintiff Counsel: Peter Murray, Esq. Alison Tozier, Esq. Peter Murray Law 75 Pearl Street Portland, ME 04101 Defendant Counsel: John Aromando, Esq. Sara Murphy, Esq. Pierce Atwood Merrills Wharf 254 Commercial St. Portland, ME 04101
STATE OF MAINE
CUMBERLAND, ss. ORDER GRANTING SWEETSER'S MOTION TO DISMISS PLAINTIFF'S CLASS ACTION COMPLAINT
Plaintiff Lisa Gonzales on behalf of herself and all others similarly situated ("Gonzales") brought a seven count Class Action Complaint against Defendant Sweetser ("Sweetser") stemming from a phishing attack. Gonzales alleges inter alia that she is now faced with a future risk of harm, and so the case presents the question of whether future risk of harm constitutes a legally cognizable injury. In response to the Class Action Complaint, Sweetser filed a Motion to Dismiss contending Gonzales has not pled actual harm, and thus the entire action should be dismissed. The Court agrees, and for the reasons discussed below, grants Sweetser's Motion to Dismiss.
The seven counts are as follows: Court I: Negligence; Count II: Intrusion Upon Seclusion/Invasion of Privacy; Count III: Breach of Express Contract; Count IV: Breach of Implied Contract; Count V: Negligence per se; Count VI: Breach of Fiduciary Duties; and Count VII: Violation of the Unfair Trade Practices Act. Gonzales has since abandoned her Count V, Negligence per se claim. Pl.'s Br. at 13, n. 5.
STANDARD OF REVIEW
In reviewing a motion to dismiss under Rule 12(b)(6), courts "consider the facts in the complaint as if they were admitted." Bonney v. Stephens Mem. Hosp., 2011 ME 46, ¶ 16, 17 A.3d 123. The complaint is viewed "in the light most favorable to the plaintiff to determine whether it sets forth elements of a cause of action or alleges facts that would entitle the plaintiff to relief pursuant to some legal theory." Id. (quoting Saunders v. Tisher, 2006 ME 94, ¶ 8, 902 A.2d 830). "Dismissal is warranted when it appears beyond a doubt that the plaintiff is not entitled to relief under any set of facts that he might prove in support of his claim." Id. However, although Maine's notice pleading requirements are forgiving, Desjardins v. Reynolds, 2017 Me 99, ¶ 17, 162 A.3d 228, conclusory statements are legally deficient to ward off dismissal if a plaintiff fails to allege sufficient facts. Carey v. Bd. of Overseers of Bar, 2018 ME 119, ¶ 23, 192 A.3d 589, as corrected (October 11, 2018). Further, a court is not bound to accept legal conclusions. Carey, 2018 ME 119, ¶ 23, 192 A.3d 589. A complaint must allege facts sufficient to demonstrate that a plaintiff has been injured in a legally cognizable way. America v. Sunspray Condo. Ass'n, 2013 ME 19, ¶ 20, 61 A.3d 1249 (quoting Burns v. Architectural Doors & Windows, 2011 ME 61, ¶ 17, 19 A.3d 823).
FACTS
The operative pleading in this matter is the Class Action Complaint dated April 2, 2020, and docketed April 6, 2020 (the "Complaint"). Sweetser is a corporation that provides mental and behavioral health services through a statewide network of care. (Pl.'s Compl. ¶¶ 1 & 15-16.) According to the Complaint, on June 24, 2019, Sweetser learned that an unauthorized person or persons gained access to a Sweetser employee's email account. (Pl.'s Compl. ¶ 24.) Upon investigation, Sweetser learned that the breach affected other employee accounts as well, all of which were accessed between June 18 and June 27, 2019. (Pl.'s Compl. ¶ 25.) The compromised email account or accounts contained messages and email attachments that included the personally identifiable information ("PII") and protected health information ("PHI") (collectively, the "Private Information") of at least 22,000 patients. (Pl.'s Compl. ¶ 27-28.)
According to the Complaint, Sweetser wrongfully failed to safeguard the email accounts and embedded Private Information from unauthorized access. (Pl.'s Compl. ¶¶ 4-6.) As a direct and proximate result of Sweetser's conduct, Gonzales (and those similarly situated) have "been placed at an imminent, immediate, and continuing increased risk of harm from fraud and identity theft" (Pl.'s Compl. ¶ 58); "been forced to expend time dealing with the effects of the Data Breach" (Pl.'s Compl. ¶ 59); "face substantial risk of out-of-pocket fraud losses" (Pl.'s Compl. ¶ 60); "face substantial risk of being targeted for future phishing, data intrusion, and other illegal schemes" (Pl.'s Compl. ¶ 61); "may also incur out-of-pocket costs for protective measures such as credit monitoring fees" (Pl.'s Compl. ¶ 62); "suffered a loss of value of their Private Information" (Pl.'s Compl. ¶ 63); did not receive the "benefit-of-the-bargain" (Pl.'s Compl. ¶ 64); "have spent and will continue to spend significant amounts of time to monitor" (Pl.'s Compl. ¶ 65); suffered "out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach" (Pl.'s Compl. ¶ 66); are forced to "live with anxiety" (Pl.'s Compl. ¶ 68); "suffered a loss of privacy" (Pl.'s Compl. ¶ 69); and "are at imminent and increased risk of future harm (Pl.'s Compl. ¶ 69).
Plaintiff's alleged damages are set forth in Paragraphs 55 - 69 of the Complaint. The Complaint alleges damages in other paragraphs, see Pl.'s Compl. ¶¶ 101, 116, 118, 158, 170, but these further allegations of damages are essentially a reprise of the damages claimed in Paragraphs 55 - 69.
DISCUSSION
Sweetser argues that Gonzales fails to allege any actual harm, and thus all counts of the Complaint must necessarily fail. Gonzales responds that based on the evolving law of jurisdictions outside of Maine, the manner in which harm is pled in the Complaint should be sufficient to allow Gonzales to proceed to discovery. According to Gonzales, as emphasized at oral argument, her core argument is that there should be no functional difference between accessing emails to which private information is attached, and actually acquiring and wrongfully using the information. This action, however, is governed by Maine law. Even in the face of a phishing attack by unknown data thieves which creates a future risk of identity theft, Maine law requires alleging facts sufficient to plead legally cognizable injury. As discussed below, Gonzales' Complaint fails to cross this essential threshold, and thus must be dismissed.
Sweetser also contends that Gonzales has failed to satisfy various other pleading requirements specific to each count. The Court has reviewed these other arguments, and concludes that but for the failure to plead legally cognizable, actual injury, each of the counts in the Complaint (not including Count V) would otherwise survive Sweetser's Motion to Dismiss. Count V sets forth a claim for negligence per se, which is not recognized in Maine as a cause of action. As noted earlier, Gonzales has abandoned her claim of negligence per se, and Count V is dismissed.
Both parties cite interesting case law from other jurisdictions to make or buttress their arguments, but Maine law appears up to the task of resolving the issues in this case.
I. The Complaint Fails to Allege Facts Sufficient to Establish Actual Injury.
Legally cognizable, actual injury is a necessary element of each of the claims Gonzales is pursuing against Sweetser. See Bell ex rel. Bell v. Dawson, 2013 ME 108, ¶ 17, 82 A.3d 827 (negligence); Nelson v. Maine Times, 373 A.2d 1221, 1223 (Me. 1977) (privacy); Tobin v. Barter, 2014 ME 51, ¶ 10, 89 A.3d 1088 (contract); In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 2010 ME 93, ¶ 16, 4 A.3d 492 (implied contract); Byran R. v. Watchtower Bible & Tract Soc. of New York, Inc., 1999 ME 144, ¶ 12, 738 A.2d 839 (fiduciary duty); Noveletsky v. Metro. Life Ins. Co., 49 F. Supp. 3d 123, 151 (D. Me. 2014) (Unfair Trade Practices Act). In this case, although Gonzales "believes her Private Information was stolen and subsequently sold," Pl.'s Compl. ¶ 29, the Complaint fails to describe even a single incident in which her Private Information was actually used, viewed, stolen, or sold by an unauthorized person or persons, leading to fraudulent charges or other forms of identity theft. Absent any such factual allegations, the question becomes whether Gonzales was harmed by the phishing attack in a manner that is legally cognizable.
That question underscores the larger question about why Gonzales choose to bring her case now, before she experienced any actual harm. She is not facing any imminent statute of limitations. She could engage in credit monitoring and other protective measures, and then seek recovery for unreimbursed mitigation costs in the event of any actual harm. The Court is not persuaded there is a reason sufficient to upend the normal rule applicable to the causes of action pled in this case that a plaintiff initiates an action for damages after injury has occurred, not before. At oral argument, Plaintiff's Counsel pointed out the Complaint also seeks equitable relief, but equitable relief of the nature sought must be premised on the existence of actual injury.
In In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 2010 ME 93, 4 A.3d 492, the Law Court addressed a similar situation. Data thieves breached Hannaford's computer system and stole a vast quantity of financial and other personal identity information pertaining to customers. Id. ¶ 2. A group of plaintiffs brought a complaint in federal district court against Hannaford seeking damages for the expenditure of time and effort to remedy the disruption of their financial affairs, and for various fees, charges, and lost reward points. Id. ¶ 4. The plaintiffs consisted of two groups: those who had never experienced a fraudulent charge as a result of Hannaford's computer system being breached, and those who had experienced fraudulent charges that had been reversed. Id. ¶¶ 6, 7. The federal district court certified the question of whether, under the circumstances, time and effort to avoid or remediate reasonably foreseeable harm constitutes a cognizable injury for which damages can be recovered under the Maine law of negligence or implied contract. Id. ¶ 1.
In the federal case, there was a third class of plaintiff consisting of a single plaintiff who still had outstanding fraudulent charges. Id. at ¶ 6. However, the plaintiff's charges were eventually reimbursed, reducing the number of plaintiff classes to two. Id. at ¶ 7.
The Law Court began its analysis by noting that the plaintiffs, including those who had actually experienced fraudulent charges (that were reversed), "have suffered no physical harm, economic loss, or identity theft." Id. ¶ 8. The Court next confirmed the requirement of Maine law that "actual injury or damage" is an element of both negligence and contract claims. Id. ¶ 8. The Court then explained that a plaintiff is only entitled to damages for time and effort to monitor, remediate, and mitigate future harm, when there is actual injury or damage. Id. ¶¶ 9-16. Since none of the plaintiffs had experienced actual injury or damage, the Court held that their time and effort expended to avoid reasonably foreseeable harm was not a cognizable injury under the Maine law of negligence or implied contract. Id. ¶¶ 14, 16.
At oral argument, Gonzales argued In re Hannaford Bros. Co. was inapposite, because the plaintiffs in that case did not incur monitoring fees, unlike the Plaintiff in this case. The Court disagrees, for three reasons. First, in addition to time and effort, the plaintiffs in In re Hannaford Bros. Co. did incur "various fees, charges." Id. ¶ 4. Second, the allegation in this case is that Gonzales "may" incur out-of-pocket expenses such as credit monitoring fees, not that she actually had incurred such expenses. Pl.'s Comp. ¶ 62. Third, to the extent Gonzales has actually incurred out-of-pocket expenses as part of her mitigation efforts, which is unclear from the Complaint, see Pl.'s Compl. ¶ 66, those expenses are not compensable as damages unless a plaintiff has suffered a legally cognizable injury. In re Hannaford Bros. Co., 2010 ME 93, ¶¶ 9-14, 4 A.3d 492.
The holding in In re Hannaford Bros. Co. applies equally as well to the additional causes of action brought in this case, i.e. Invasion of Privacy, Breach of Fiduciary Duty, and Violation of the Unfair Trade Practices Act, since each of those actions also require the existence of legally cognizable injury. --------
The Hannaford decision disposes of most, if not all, of the types of injuries claimed by Gonzales in this case. Unlike at least some of the plaintiffs in Hannaford, in this case Gonzales has not experienced any fraud, improper charges, or identity theft. Accordingly, there is even less basis to claim time and effort spent in remediation as a compensable injury. Hence, the following allegations of harm do not constitute legally cognizable injuries: "been forced to expend time dealing with the effects of the Data Breach" (Pl.'s Compl. ¶ 59); "may also incur out-of-pocket costs for protective measures such as credit monitoring fees" (Pl.'s Compl. ¶ 62); "have spent and will continue to spend significant amounts of time to monitor" (Pl.'s Compl. ¶ 65); and, suffered "out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach"( Pl.'s Compl. ¶ 66).
It follows as a necessary corollary of the Hannaford holding, that the risk of future harm is also not a legally cognizable injury. Indeed, the whole premise of the Law Court's reasoning in Hannaford is that none of the plaintiffs, including those in the first group who only experienced a "risk of injury," had suffered actual injury or damage. Hannaford, 2010 ME 93, ¶¶ 6, 8. If the time and effort actually incurred to avoid risk of future harm fails as a cognizable injury, even after sensitive customer financial data is exposed to data thieves who hacked into a computer system, then the risk of future harm itself fails as a cognizable injury. See Bernier v. Raymark Industries, Inc., 516 A.2d 534, 543 (Me. 1986) (exposure to asbestos is not itself actual injury; a judicially cognizable injury does not occur until there has been a manifestation of physical injury to a person resulting from the exposure); see also Michaud v. Steckino, 390 A.2d 524, 530 (Me. 1978) ("a mere possibility" of future pain or suffering or some later injury not sufficient to warrant damages). The following allegations of harm, therefore, do not constitute legally cognizable injuries: "been placed at an imminent, immediate, and continued increased risk of harm from fraud and identity theft" (Pl.'s Compl. ¶58); "face substantial risk of out-of-pocket fraud losses" (Pl.'s Compl. ¶ 60); "face substantial risk of being targeted for future phishing" (Pl.'s Compl. ¶ 61); "may also incur out-of-pocket costs for protective measures such as credit monitoring fees" (Pl.'s Compl. ¶ 62); are forced to "live with anxiety" about the future risk (Pl.'s Compl. ¶ 68); and "are at imminent and increased risk of future harm (Pl.'s Compl. ¶ 69).
The only allegations of harm that remain, are Gonzales' claims that her Private Information has lost value; she did not receive the benefit of the bargain; and she suffered a loss of privacy. Under Maine law, however, none of these allegations amount to legally cognizable, actual injury. First, the allegations primarily constitute conclusions of law. It is a legal conclusion that Gonzales' private information lost value. Similarly, the allegations that Gonzales did not receive the benefit of her contractual bargain, and that she suffered a loss of privacy are both legal conclusions. The Court is not bound at the motion to dismiss stage to accept conclusions of law as admissions, Seacoast Hangar Condo. II Ass'n v. Martel, 2001 ME 112, ¶ 16, 775 A.2d 1166, and therefore the allegations fail to satisfy the requirement for pleading legally cognizable, actual injury.
Second, to the extent the allegations constitute mixed conclusions of law and statements of fact, the factual components of the allegations are vague, uncertain, and contingent. For instance, there are no factual details pled as to the monetary worth of the Private Information, when the Private Information was actually viewed, or when and how it led to fraudulent charges or identity theft. "Damages must be grounded on established positive facts or on evidence from which their existence and amount may be determined to a probability." Michaud, 390 A.2d at 530. In Maine, damages are not recoverable when uncertain, contingent, or speculative. Id.; Wood v. Bell, 2006 ME 98, ¶ 21, 902 A.2d 843; Snow v. Villacci, 2000 ME 127, ¶ 13, 754 A.2d 360; Gottesman & Co. v. Portland Terminal Co., 27 A.2d 394, 395 (Me. 1942). The following allegations of harm, therefore, do not constitute legally cognizable injuries: "suffered a loss of value of their Private Information" (Pl.'s Compl. ¶ 63); did not receive the "benefit-of-the-bargain" (Pl.'s Compl. ¶ 64); "suffered a loss of privacy" (Pl.'s Compl. ¶ 69). There are no further types of harm claimed, and thus the Complaint fails to allege any legally cognizable, actual injury.
CONCLUSION
For all the foregoing reasons, Sweetser's Motion to Dismiss is GRANTED on all counts, and the action is dismissed with prejudice.
Pursuant to M.R. Civ. P. 79(a), the Clerk is instructed to incorporate this Order by reference on the docket for this case.
So Ordered.
Dated: October 13, 2020
/s/_________
Michael A. Duddy
Judge, Business and Consumer Docket
Plaintiff Counsel:
Peter Murray, Esq.
Alison Tozier, Esq.
Peter Murray Law
75 Pearl Street
Portland, ME 04101
Defendant Counsel:
John Aromando, Esq.
Sara Murphy, Esq.
Pierce Atwood
Merrills Wharf
254 Commercial St.
Portland, ME 04101