Opinion
Civil Action 3:22-cv-02573-M 3:22-cv-02898-M 3:23-cv-184-M
03-25-2024
MEMORANDUM OPINION AND ORDER
Before the Court is the Motion to Dismiss, filed by Defendant Ethos Group Inc. ECF No. 27. On February 7, 2024, the Court heard argument on the Motion. For the reasons stated below, the Motion to Dismiss is GRANTED without prejudice. By April 15, 2024, Plaintiffs shall file an amended pleading addressing the deficiencies identified in this Order.
I. BACKGROUND
This is a putative class action arising out of a data breach in which cybercriminals stole Plaintiffs' names and driver's license numbers. Defendant Ethos Group, Inc. is a consulting group that partners with auto dealerships. The Consolidated Class Action Complaint (“Compl.”) alleges that, on August 1, 2022, Defendant became aware of a data breach by cybercriminals, who accessed Defendant's servers and the personally identifiable information (“PII”) of members of the putative class. Compl. ¶ 1. This PII consists of names and driver's license numbers. Id. According to a disclosure of the data breach that Defendant filed with the State of Maine, 822,723 people were affected by the breach. Id. ¶ 47.
On November 15, 2022, the Complaint in the lead case, Fedorys, was filed. Two additional cases based on the same data breach were filed in December 2022 (Case No. 3:22-cv-2898, Gorman) and January 2023 (Case No. 3:23-cv-184, Harper). In February 2023, the three cases were consolidated, with Fedorys serving as the lead case. ECF No. 18. On June 23, 2023, Mr. Fedorys voluntarily dismissed his claims. ECF No. 31. The Court notes that, in light of Mr. Fedorys's dismissal, there is no longer technically any plaintiff in Case No. 3:22-cv-2573, apart from the named Plaintiffs in the other consolidated cases, No. 3:22-cv-2898 and No. 3:23-cv-184. As part of their amended pleadings, Plaintiffs shall address whether any action needs to be taken regarding the lack of any plaintiff in Case No. 3:22-cv-2573.
On or about November 2, 2022, Defendant provided notice of the data breach by letter to victims of the breach. Id. ¶ 48. The notice letters state that, following an investigation, Defendant “confirmed the accessed information includes your name and driver's license number.” E.g., ECF No. 28-3 at 1. During oral argument, counsel for Defendant added that the date of birth for certain victims was included in the accessed information, but date of birth for none of the named Plaintiffs was disclosed. The Complaint contains no allegations that date of birth information was stolen as part of the data breach.
Plaintiffs assert claims for negligence, breach of confidence, breach of implied contract, unjust enrichment, declaratory judgment, and violation of the Texas Deceptive Trade Practices Act, on behalf of a Nationwide Class, defined as follows:
Nationwide Class: “All individuals within the United States of America whose PII was exposed to unauthorized third-parties as a result of the Data Breach discovered by Defendant on August 1, 2022.” Compl. ¶ 37.
Excluded from the class are Defendant and Defendant's parents, subsidiaries, affiliates, officers and directors, and any entity in which Defendant has a controlling interest; all individuals who make a timely election to be excluded from this proceeding using the correct protocol for opting out; any and all federal, state or local governments, including but not limited to its departments, agencies, divisions, bureaus, boards, sections, groups, counsels and/or subdivisions; and all judges assigned to hear any aspect of this litigation, as well as its immediate family members. Compl. ¶ 37.
Plaintiffs seek damages and injunctive relief. Defendant moved to dismiss under Federal Rule of Civil Procedure 12(b)(1) and 12(b)(6).
II. LEGAL STANDARD
A pleading must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). This pleading standard does not require “detailed factual allegations,” but it demands more than an unadorned accusation devoid of factual support. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). To survive a motion to dismiss, a complaint must contain sufficient factual matter to state a claim for relief that is plausible on its face. Twombly, 550 U.S. at 570. The Court must accept all of the plaintiff's factual allegations as true, but it is not bound to accept as true “a legal conclusion couched as a factual allegation.” Id. at 555. Where the factual allegations do not permit the Court to infer more than the mere possibility of misconduct, the complaint has stopped short of showing that the pleader is plausibly entitled to relief. Iqbal, 556 U.S. at 678.
III. ANALYSIS
As a preliminary matter, the Court notes generally that the Complaint lacks specific details about the actual relationship between Defendant and the Plaintiffs, including the circumstances in which Plaintiffs' information was collected, the services Defendant provides, and whether Defendant, as opposed to the dealerships with which Defendant partners, solicited and invited Plaintiffs to provide their information. Thus, in addition to the deficiencies identified herein, Plaintiffs shall supplement their pleadings to provide additional factual allegations regarding the nature of the relationship between Plaintiffs and Defendant.
In addition, the Court finds that Defendant's concession during oral argument regarding the nature of information disclosed during the data breach-i.e., that, for certain victims, date of birth was disclosed in addition to driver's license number-impacts many of the arguments asserted by Defendant in support of dismissal. Specifically, many of Defendant's arguments for dismissal rely on the supposedly public, unsensitive nature of driver's license numbers as a basis to find that Plaintiffs lack any injury or damages as a result of the data breach. However, the same cannot necessarily be said about date of birth, and given that the parties have not briefed the significance of date of birth as being included in the information disclosed as part of the breach, the Court finds that amendment is necessary and appropriate on these grounds alone. With those initial impressions in mind, the Court will address the remainder of Defendant's Motion to Dismiss.
Defendant moves to dismiss for lack of standing. To establish standing, the plaintiff must show “(1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.” Thole v. U.S. Bank N.A., 140 S.Ct. 1615, 1618 (2020). Stated differently, the plaintiff must demonstrate “personal injury fairly traceable to the defendant's allegedly unlawful conduct and likely to be redressed by the requested relief.” Daves v. Dall. Cnty., 22 F.4th 522, 542 (5th Cir. 2022).
Defendant contends that allegations of a heightened risk of future injury-namely, increased risk of identity theft associated with driver's license numbers and names potentially being accessed by one or more hackers (Compl. ¶ 30)-are insufficient to confer standing, because Plaintiffs do not plausibly explain how gaining access to one's basic contact information and driver's license number creates a credible threat of fraud or identity theft. Defendant further argues that Plaintiffs have not alleged any actual out-of-pocket mitigation costs or financial injury, or that Defendant plausibly caused Plaintiffs to suffer injury. In response, Plaintiffs rely on TransUnion LLC v. Ramirez, 141 S.Ct. 2190 (2021), to argue that mere unauthorized access to protected information constitutes a sufficient injury, and that Plaintiffs need not allege that the information was further misused to establish standing.
As stated, the Court concludes that Defendant's admission at oral argument that birthdate information was disclosed during the data breach warrants amendment of Plaintiffs' pleadings, including as to Plaintiffs' allegations of standing. The Court understands and is sympathetic to Defendant's position that disclosure of publicly available information, without more, is insufficient to allege a concrete injury in fact so as to confer standing; however, Defendant's position is undermined by its own concession that the disclosure included information that is not necessarily publicly available, such as date of birth. Moreover, at the pleadings stage, without the benefit of discovery, Plaintiffs' allegations regarding Defendant's potential contribution to the data breach taking place are sufficient to allege causation for standing purposes.
Defendant moves to dismiss the Amended Consolidated Class Action Complaint for failing to state a claim under Rule 12(b)(6). As a preliminary matter, Plaintiffs' claim for violation of the Texas Deceptive Trade Practices Act is ABATED for sixty days or until Plaintiffs comply with the notice requirements under Texas Business & Commerce Code §§ 17.501 and 17.505. The Court will address Plaintiffs' remaining claims in turn.
i. Negligence
Defendant moves to dismiss Plaintiffs' negligence claim under Rule 12(b)(6), arguing that Plaintiffs' claims of potential future fraud or identity theft are too speculative to support a negligence claim for damages. In addition, Defendant argues that dismissal of the negligence claim is appropriate because Plaintiffs have not alleged that Defendant owed Plaintiffs a duty of care, and the economic loss rule bars Plaintiffs' negligence claim.
The Court agrees that Plaintiffs have not sufficiently alleged that Defendant owes a common law or statutory duty of care to safeguard driver's license numbers. In their response, Plaintiffs do not identify any statutes-and thus appear to concede the absence of any statutory duty of care-and instead ask the Court to recognize a new common law duty under Texas law. See Resp. (ECF No. 32) at 21.
“Imposing a legal duty is no small thing, given the massive consequences that can flow from doing so or refusing to do so.” Elephant Ins. Co. v. Kenyon, 644 S.W.3d 137, 155-60 (Tex. 2022) (concurrence). Plaintiff points to no court-let alone a Texas court or the Fifth Circuit-that has recognized a common law duty to safeguard driver's license numbers; in the absence of any authority indicating that Texas courts might do so, the Court declines to take the bold step of creating a duty under the common law where one does not yet exist. Cf. Trevino v. Ortega, 969 S.W.2d 950, 951 (Tex. 1998) (“This Court treads cautiously when deciding whether to recognize a new tort.”).
However, the Court notes that the issue of whether there exists a common law duty of care to safeguard information besides driver's license numbers-such as birthdates-has not been addressed by the parties. In light of Defendant's concession at oral argument that the data breach included, for certain victims, disclosure of date of birth in addition to driver's license number, Plaintiffs have leave to amend their negligence claim to address whether there is a statutory or common law duty to protect date of birth from disclosure.
ii. Breach of Confidence
Defendant moves to dismiss Plaintiffs' breach of confidence claim on the grounds that it has never been recognized as a cause of action in Texas outside of the trade secret context. See Richter v. Carnival Corp., No. 3:18-CV-2172-N, 2019 WL 5894213, at *7 (N.D. Tex. Nov. 12, 2019) (“Under Texas law, a breach of confidence claim mirrors a misappropriation of trade secrets claim. Hyde Corp. v. Huffines, 314 S.W.2d 763, 769 (Tex. 1958).”).
The Court agrees that, as currently pleaded, Plaintiffs' breach of confidence claim is deficient. Even assuming that this tort applies outside of the trade secrets context, Plaintiffs do not allege that the information taken-names and driver license numbers-is “secret or substantially secret.” See id. (“To establish the common law claim of breach of confidence or misappropriation of confidential information, a plaintiff must establish that the information is ‘secret or substantially secret.’”). At best, Plaintiffs allege only that “sensitive” data was accessed, and that the Class took steps to “maintain the confidentiality of their PII,” without specifying how. Compl. ¶¶ 46, 60. Driver's license numbers are generally not secret, given that they are issued by and maintained by a public entity, and some states (as explained by Defendant) even sell or make such information publicly available.
However, the same cannot necessarily be said for date of birth. Given Defendant's admission at oral argument that the data breach included some persons' date of birth, Plaintiffs must amend their pleadings to provide additional factual allegations regarding the specific steps that Plaintiffs took to maintain their driver's license numbers and date of birth as secret or substantially secret.
iii. Breach of Implied Contract and Unjust Enrichment
Defendant argues that there are no factual allegations in support of Plaintiffs' claim for implied contract, and that the Complaint does no more than recite the elements of an implied contract without any factual allegations in support. See Compl. ¶¶ 157-60. Similarly, in support of Plaintiffs' claim for unjust enrichment, the Complaint alleges that Plaintiffs “did not receive the benefit of their bargain because they paid for products and/or services that did not satisfy the purposes for which they bought/sought them,” without any specific factual allegations regarding the products supposedly purchased or the nature of the relationship-contractual or otherwise-between Plaintiffs and Defendant. See Compl. ¶¶ 169-73.
The Court agrees. The Complaint contains only vague and unspecific descriptions of the relationship and interactions between Plaintiffs and Defendant, and thus lacks the sufficiency necessary to state a claim for implied contract or unjust enrichment. On amendment, Plaintiffs must supplement to provide additional factual allegations regarding the relationship between Plaintiffs and Defendant, including the circumstances in which Plaintiffs and Defendant interacted, the nature of services or products provided by Defendant, whether Plaintiffs paid for services or products from Defendant, and whether and how Plaintiffs entered into a contractual relationship with Defendant.
iv. Declaratory Judgment
Defendant's Motion to Dismiss Plaintiffs' claim for declaratory judgment is granted except as follows: Plaintiff's claim for declaratory judgment and injunctive relief is limited to seeking a declaration as to whether there is a factual basis to support an injunction regarding the status of Defendant's future information technology security systems to protect PII.
IV. CONCLUSION
Defendant's Motion to Dismiss is GRANTED and Plaintiffs' claims are dismissed without prejudice to repleading. Plaintiffs' claim for violation of the Texas Deceptive Trade Practices Act is ABATED for sixty days or until Plaintiffs comply with the notice requirements under Texas Business & Commerce Code §§ 17.501 and 17.505. By April 15, 2024, Plaintiffs shall file an amended pleading addressing the deficiencies identified in this Order.
SO ORDERED.