Opinion
4:24-CV-5045-TOR
09-20-2024
GREEK ISLANDS CUISINE, INC., a Washington corporation, NIKOS DANAKOS, and NICOLE DANAKOS, Plaintiffs, v. YOURPEOPLE, INC., a Delaware corporation, KEYBANK NATIONAL ASSOCIATION, a national bank, and NEWCOURSE COMMUNICATIONS, INC., Defendants.
ORDER GRANTING DEFENDANT NEWCOURSE COMMUNICATION INC.'S MOTION TO DISMISS
THOMAS O. RICE, UNITED STATES DISTRICT JUDGE
BEFORE THE COURT is Defendant Newcourse Communication Inc.'s Motion to Dismiss (ECF No. 35). This matter was submitted for consideration without oral argument. The Court has reviewed the record and files herein and is fully informed. For the reasons discussed below, Defendant Newcourse Communication Inc.'s Motion to Dismiss (ECF No. 35) is GRANTED.
BACKGROUND
This matter arises out of alleged identity theft resulting in the loss of $432,500 from Plaintiffs' business bank account. Plaintiff Greek Islands Cuisine (“Greek Islands”) is a restaurant located in Richland, Washington and owned in part by Plaintiff Nikos Danakos. ECF No. 7 at 5, ¶ 4.1. Greek Islands maintains a business bank account at KeyBank National Association (“KeyBank”), specifically at its branch in Kennewick, Washington. Id., ¶ 4.2. Mr. Danakos, together with his wife Nicole Danakos, held a personal checking account at HomeStreet Bank, headquartered in Seattle, Washington. Id. at 18, ¶ 4.22. HomeStreet bank utilizes Defendant Newcourse Communications, Inc. (“Newcourse”) in its business providing mailing services to financial institutions. Id.
On June 7, 2022, Plaintiffs learned that Greek Islands' business bank account held at KeyBank had been compromised, resulting the loss of $432,500. Id. at 13, ¶ 4.15. Thieves had gained access to the KeyBank business account by impersonating Mr. Danakos to establish a payroll system within the checking account through YourPeople, Inc., d/b/a Zenefits. Id. at 6, ¶ 4.4. The imposters submitted to Zenefits a fraudulent driver's license with an incorrect middle name, another person's photograph and signature, and an incorrect address. Id. at 8, ¶ 4.7. After establishing the direct deposit payroll account with KeyBank, Zenefits processed two transfers amounting the $432,500 on June 3, 2022. Id. at 9, ¶ 4.9.
On September 7, 2022, Newcourse sent Mr. and Mrs. Danakos notice that their account with HomeStreet Bank was included in a data breach occurring sometime between April 27 and May 3, 2022. Id. at 17-18, ¶¶4.22-4.23. The notice stated that in August 2022, Newcourse had discovered that the breach included sensitive information including; Plaintiffs' full names, account numbers, and possibly mortgage statement with their home address and last four digits of their social security numbers. Id. The Amended Complaint does not allege that KeyBank utilized Newcourse's mailing services. Plaintiffs allege that Newcourse's data breach allowed the criminals to obtain their sensitive information, which they used to gain access to the KeyBank account. Id. at 21, ¶ 4.29. This was accomplished, according to Plaintiffs, by the creation of “Fullz” packages, whereby criminals cross reference illegally obtained information with public information to create a full background of an individual to more completely assume a stolen identity. Id. at 26, ¶¶ 4.44-4.45.
Plaintiffs Nikos and Nicole Danakos bring claims of negligence, negligence per se, and a violation of the Washington Consumer Protection Act against Defendant Newcourse. Id. at 33-36, ¶¶ 6.7-6.9. Defendant Newcourse argues that Plaintiffs' claims against it should be dismissed because: (1) they lack standing to support any of their claims, (2) they are unable to establish a breach of duty or injury in negligence, (3) they cite no statutory authority to establish a claim of negligence per se, and (4) they fail to establish any of the factors required under Washington law to establish a Washington Consumer Protection Act claim. ECF No. 35. Plaintiffs, responded, arguing that they do have standing, and that they have established each of their claims. ECF No. 45.
DISCUSSION
I. Article III Standing
Defendant argues that dismissal for lack of Article III standing is warranted because Plaintiffs' fail to allege an injury-in-fact that is fairly traceable to Newcourse. ECF No. 35 at 5. A jurisdictional challenge brought under Federal Rule of Civil Procedure 12(b)(1) may present as either a facial or factual attack. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000). “In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). The court “resolves a facial attack as it would a motion to dismiss under Rule 12(b)(6): Accepting the plaintiff's allegations as true and drawing all reasonable inferences in the plaintiff's favor, the court determines whether the allegations are sufficient as a legal matter to invoke the court's jurisdiction.” Leite v. Crane Co., 749 F.3d 1117, 1121 (9th Cir. 2014) (citation omitted).
Article III of the United States Constitution vests in federal courts the power to entertain disputes over “cases” or “controversies.” U.S. CONST. art. III, § 2. To satisfy the case or controversy requirement, and thereby show standing, a plaintiff must demonstrate that throughout the litigation, they suffered, or will be threatened with, an actual injury traceable to the defendant which will likely be redressed by a favorable judicial decision. Spencer v. Kemna, 523 U.S. 1, 7 (1998) (quoting Lewis v. Cont'l Bank Corp., 494 U.S. 472, 477 (1990)); see also Deakins v. Monaghan, 484 U.S. 193, 199 (1988) (“Article III of the Constitution limits federal courts to the adjudication of actual, ongoing cases or controversies between litigants.”). Three elements must be shown in order to establish Article III standing: (1) the plaintiff must have suffered an “injury in fact” which is both concrete and particularized and not “conjectural” or “hypothetical”; (2) there must be a causal connection between the injury and the conduct complained of; and (3) it must be “likely” as opposed to “speculative” that the injury will be “redressed by a favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (internal citations and quotations omitted). The party invoking federal jurisdiction bears the burden of establishing the elements. Id. at 561 (citing FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231 (1990)). However, “[a]t the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice.” Id.
“[A] 12(b)(1) motion to dismiss for lack of standing can only succeed if the plaintiff has failed to make ‘general factual allegations of injury resulting from the defendant's conduct.'” Id. Further, “in determining constitutional standing, ‘it is within the trial court's power to allow or to require the plaintiff to supply, by amendment to the complaint or by affidavits, further particularized allegations of fact deemed supportive of plaintiff's standing.'” Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th Cir. 2011) (quoting Warth v. Seldin, 422 U.S. 490, 501 (1975)). The burden of proof rests with the party invoking federal jurisdiction, and the party must support the elements of standing “with the manner and degree of evidence required at the successive stages of the litigation.” Lujan, 504 U.S. at 561.
Plaintiffs' claims against Newcourse stemming from the KeyBank infiltration fails because there is no causal connection between the money stolen from the KeyBank account and the data breach from Newcourse. Under factor two, causation must be fairly traceable in connection between the injury a plaintiff complains of and the conduct of the defendant. Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 103 (1998) (citing Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 41-42 (1976)). A plaintiff may not rely on “a bare legal conclusion to assert injury-in-fact,” or engage in an “ingenious academic exercise in the conceivable” to establish the cause of the injury. Maya, 658 F.3d at 1068 (internal citation and quotations omitted). “A causation chain does not fail simply because it has several ‘links,' provided those links are not hypothetical or tenuous and remain plausible.” Id. at 1070 (internal quotations and citations omitted). Given the early stage of this case, Plaintiffs' burden to establish causation is relatively modest. Bennett v. Spear, 520 U.S. 154, 171 (1997).
However, there must be some causal connection. Here, Plaintiffs contend that criminals utilized the information gained from the Newcourse data breach to add to an online profile, creating a fuller picture, and then used that information to access the KeyBank account. ECF No. 7 at 26, ¶ 4.45. But the First Amended Complaint alleges that the Zenefits payroll account was opened with a fraudulent driver's license full of incorrect information, including Mr. Danakos' middle name and home address, despite the fact that this information was data taken from Newcourse. Id. at 8, ¶ 4.7 and 18, ¶ 4.23. Thus, even if the hackers used Mr. Danakos' identifying information gained from the Newcourse data breach to add to a “Fullz,” package, none of that information was operationalized to gain access to the bank account. See Lujan, 504 U.S. at 560 (internal citation omitted) (“[T]here must be a causal connection between the injury and the conduct complained of -the injury has to be ‘fairly ... trace[able] to the challenged action of the defendant, and not ... th[e] result [of] the independent action of some third party not before the court.' ”); see also Greenstein v. Noblr Reciprocal Exch., 585 F.Supp.3d 1220, 1231 (N.D. Cal. 2022) (finding no connection between a data breach and type of data used for an application to an Unauthorized Data Disclosure, particularly where the information was readily available online); Fernandez v. Leidos, Inc., 127 F.Supp.3d 1078, 1086 (E.D. Cal. 2015) (“Plaintiff's allegations that someone attempted to open a bank account in his name . . . do[es] not allege injuries in fact fairly traceable to the Data Breach, since Plaintiff has not alleged that bank account information or email addresses were on the stolen backup data tapes.”)
Plaintiffs do not allege that any information stolen from Newcourse assisted thieves in the discovery of Greek Island's KeyBank account, nor that the last four digits of their social security numbers or mortgage information gained from the data breach were required by Zenefits to open the account. There is also no allegation that KeyBank uses Newcourse for its own mailing purposes, nor that the two entities are in any way connected. The Court recognizes that Plaintiffs allege that a closeness in time aspect bolsters their claim, but there is still no traceable connection. ECF No. 45 at 14. Unlike in Roper v. Rise Interactive Media & Analytics, LLC, which they rely upon as support for the contention that timeliness between the breach and fraud is a key factor, there is no suggestion in Plaintiffs' First Amended Complaint that the individuals who opened the Zenefits account used any of the information obtained from Newcourse. No. 23 CV 1836, 2023 WL 7410641, at *5 (N.D. Ill. Nov. 9, 2023) (finding that plaintiffs' were able to show causation through traceability when thieves attempted to use stolen health insurance to fill a prescription and attempted to use stolen financial information to open a bank account); see also Smith v. Loyola Univ. Med. Ctr., No. 23 CV 15828, 2024 WL 3338941, at *4 (N.D. Ill. July 9, 2024) (discussing temporal proximity of targeted medical advertisements surrounding online use of personal medical information). As currently presented, these are two separate potential harms without a link: one being the data breach at Newcourse, and the other being the theft of $432,500 from the KeyBank account. Thus, Plaintiff's theory that their information was traded to create a complete online dossier may be true, but as the First Amended Complaint is currently pled, there is no plausible connection for standing purpose because none of the information allegedly stolen from Newcourse was used in the KeyBank scheme.
Newcourse also requests the Court dismiss Plaintiffs' claims for future harm they may face resulting from the information leaked during the data breach, because these injuries are hypothetical and not concrete. ECF No. 35 at 5-7. To show standing, a plaintiff must establish an, “‘injury-in-fact'-an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560 (internal quotations and citations removed). Part of establishing an injury in fact is demonstrating that the claim is specific to the individual bringing it and not based upon an injury “shared with all members of the public.” United States v. Richardson, 418 U.S. 166, 178 (1974) (internal citation and quotation marks omitted) (“[I]t is not sufficient the [plaintiff] has merely a general interest common to all members of the public.”). Additionally, a party must make some showing that their claim is concrete and not hypothetical or conjectural, meaning the injury is “real and not abstract.” Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016).
The Court declines to address Plaintiffs' more general claims surrounding the theft of their Personally Identifiable Information (“PII”) against Newcourse, and the current or future financial harms they allege separate from those involving KeyBank. ECF No. 7 at 22, ¶ 4.33 and 23-24, ¶ 4.36. However, this potential cause of action does not warrant dismissal with prejudice, as the Ninth Circuit has, under certain circumstances, upheld claims where individuals face an immediate harm stemming from compromised personal information. See In re Zappos.com, Inc., 888 F.3d 1020, 1027-28 (9th Cir. 2018) (finding the type of information stolen, including full credit card numbers, was sufficient to create a credible future threat of identity theft); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (“Here, Plaintiffs-Appellants have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data. Were Plaintiffs-Appellants' allegations more conjectural or hypothetical-for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future-we would find the threat far less credible.”). But see Clapper v. Amnesty Int'l USA, 568 U.S. 398, 410 (2013) (“[R]espondents' theory of standing, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.”); Spokeo, 578 U.S. at 342 (discussing how a statutory violation may not result in actual injury).
As it currently stands, any case of identity theft Plaintiffs may have against Newcourse is divorced from the relevant facts of the matter at hand, and therefore properly resolved in a separate proceeding. Plaintiffs may either amend their Second Amended Complaint to address the issue of standing and the substance of their claims in this case, or they may pursue a separate lawsuit against Newcourse for harm they allege resulted or will result from identity theft outside of the allegation that the data breach is connected to the loss of $432,500 from KeyBank. See Maya v. Centex Corp., 658 F.3d 1060, 1069 (9th Cir. 2011) (“[P]laintiffs should be permitted to amend their complaint because plaintiffs may be able to establish by amendment that they have standing to pursue their claims.”)
ACCORDINGLY, IT IS HEREBY ORDERED:
1. Defendant Newcourse Communication Inc.'s Motion to Dismiss (ECF No. 35) is GRANTED.
2. Plaintiffs' claims of negligence, negligence per se, and a violation of the Washington Consumer Protection Act are DISMISSED without prejudice.
3. Plaintiffs may amend their claims against Newcourse in this matter within 14 days of this Order.
The District Court Executive is directed to enter this Order, terminate Newcourse Communication Inc., and furnish copies to counsel.