Opinion
CV-20-01282-PHX-MTL
06-01-2022
ORDER
Michael T. Liburdi United States District Judge
Magellan Health, Inc.'s (“Magellan's”) computer systems were hacked and a data breach occurred. The personally identifiable information (“PII”) and protected health information (“PHI”) of Magellan employees, Magellan contractors, and Magellan-administered health care benefit plan participants was stolen. Plaintiffs, in their individual capacities and as putative class representatives, assert several claims against Magellan arising from the data breach. The Court previously granted a motion to dismiss with leave to amend. (Doc. 39.) Magellan has filed a Motion to Dismiss (Doc. 41, the “Motion”) the Second Amended Consolidated Class Action Complaint (Doc. 40, the “Second Amended Complaint”) arguing that (1) Plaintiffs have not alleged a cognizable loss on their negligence and consumer protection claims and (2) Plaintiffs' unjust enrichment claims and their various state law claims do not adequately allege “how Magellan's data security was inadequate.” (Doc. 41 at 2.) The Motion (Doc. 41) will be granted in part and denied in part.
Both parties have submitted legal memoranda, and oral argument would not have aided the Court's decisional process. See Partridge v. Reich, 141 F.3d 920, 926 (9th Cir. 1998); see also LRCiv 7.2(f); Fed.R.Civ.P. 78(b).
I. FACTUAL BACKGROUND
The factual background has been previously summarized by this Court. See Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 WL 4427065, at *1-2 (D. Ariz. Sept. 27, 2021). It will not be repeated here except where necessary or where new facts have been alleged. For example, the Second Amended Complaint asserts in greater detail why the data security that Magellan employed to protect Plaintiffs' PII and PHI was inadequate. (Doc. 40 ¶¶ 58-65; 77-96.) Plaintiffs allege that Magellan failed to implement cybersecurity safeguards outlined by the Department of Health and Human Services' Office for Civil Rights, the Federal Bureau of Investigation, the United States Cybersecurity & Infrastructure Security Agency, the Microsoft Threat Protection Intelligence Team, the University of Illinois Chicago, and the Center for Internet Security. (See id. ¶¶ 83-96.)
These security safeguards include, but are not limited to: encrypting PII and PHI, educating and training employees, “correcting the configuration of software and network devices” (Id. ¶ 84), enabling strong spam filters, scanning incoming and outgoing emails, patching operating systems, configuring firewalls, “[s]et[ting] anti-virus and anti-malware programs to conduct regular scans automatically” (Id. ¶ 88), managing privileged accounts, “configur[ing] access controls . . . with least privilege in mind” (Id.), and “[d]isabl[ing] macro scripts from office files transmitted via email” (Id.). (See id. ¶¶ 77-96.) Additionally, Plaintiffs allege that Magellan “fail[ed] to monitor ingress and ingress network traffic; maintain an inventory of public facing [i]ps; monitor elevated privileges; equip its server with anti-virus or anti-malware; and employ basic file integrity monitoring.” (Id. ¶ 91.) The Second Amended Complaint posits that “the occurrence of the Data Breach indicates that Defendant failed to adequately implement one or more of the above measures to prevent ransomware attacks.” (Id.) Plaintiffs also allege that Magellan “failed to meet the minimum standards of the following cybersecurity frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security's Critical Security Controls . . . which are established standards in reasonable cybersecurity readiness.” (Id. ¶ 96.)
The Second Amended Complaint also alleges that Magellan has not provided an adequate credit monitoring service since the data breach. (See id. ¶¶ 5, 9, 11, 15, 26-27, 99.) Plaintiffs allege that the service that Magellan offers does not provide alerts for or monitor whether a Plaintiff's personal information appears on the dark web or service and credit applications. (Id. ¶ 5.) They also allege that it does not provide alerts or monitor for a USPS address change verification or fake personal information connected to a person's identity. (Id.) Additionally, they allege that it does not offer “identity theft monitoring and protection.” (Id. ¶¶ 9, 11.) Finally, Plaintiffs allege that the services offered by Magellan “fail[ed] to provide for the fact that victims of Data Breaches and other unauthorized disclosures commonly face multiple years of ongoing identity theft and financial fraud.” (Id. ¶ 104.)
II. STANDARD OF REVIEW
A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief” such that the defendant is given “fair notice of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 545, 555 (2007) (quoting Fed.R.Civ.P. 8(a)(2); Conley v. Gibson, 355 U.S. 41, 47 (1957)). A complaint does not suffice “if it tenders ‘naked assertion[s]' devoid of ‘further factual enhancement.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 556). Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1988). A complaint, however, should not be dismissed “unless it appears beyond doubt that the plaintiff can prove no set of facts in support of the claim that would entitle it to relief.” Williamson v. Gen. Dynamics Corp., 208 F.3d 1144, 1149 (9th Cir. 2000).
The Court must accept material allegations in a complaint as true and construe them in the light most favorable to Plaintiffs. North Star Int'l v. Arizona Corp. Comm'n, 720 F.2d 578, 580 (9th Cir. 1983). “Indeed, factual challenges to a plaintiff's complaint have no bearing on the legal sufficiency of the allegations under Rule 12(b)(6).” See Lee v. City of Los Angeles, 250 F.3d 668, 688 (9th Cir. 2001). Review of a Rule 12(b)(6) motion is “limited to the content of the complaint.” North Star Int'l, 720 F.2d at 581.
III. DISCUSSION
A. Negligence
“‘To establish a defendant's liability for a negligence claim, a plaintiff must prove: (1) a duty requiring the defendant to conform to a certain standard of care; (2) breach of that standard; (3) a causal connection between the breach and the resulting injury; and (4) actual damages.'” CVS Pharmacy, Inc. v. Bostwick, 251 Ariz. 511, 517 (2021) (quoting Quiroz v. ALCOA Inc., 243 Ariz. 560, 563-64 (2018)). As before, Plaintiffs Culberson, Rayam, Leather, Williams, Ranson, Flanders, and Lewis allege that “[Magellan] had a duty of care to use reasonable means to secure and safeguard its computer property-and Class Members' PII and PHI held within it-to prevent disclosure of the information, and to safeguard the information from theft.” (Doc. 40 ¶ 142.) They also allege that this “duty included a responsibility to implement processes by which it could detect a breach of its security systems in a reasonably expeditious period and to give prompt notice to those affected in the case of a Data Breach.” (Id.) Magellan does not contest Plaintiffs' allegations regarding duty and breach; it does argue that Plaintiffs improperly alleged causation and damages. (Doc. 41 at 4-7.)
1. Causation
“Plaintiffs [have] proved causation if they showed both actual cause and proximate cause, which are ordinarily questions of fact for the jury.” Torres v. Jai Dining Servs. (Phoenix) Inc., 252 Ariz. 28, __, 497 P.3d 481, 483 (2021). “In order to prove proximate cause, a ‘[p]laintiff need only present probable facts from which the causal relationship reasonably may be inferred.'” Pompeneo v. Verde Valley Guidance Clinic, 226 Ariz. 412, 414 (App. 2011) (quoting Robertson v. Sixpence Inns of Am., Inc., 163 Ariz. 539, 546 (1990)). “But like any other element of a cause of action, [proximate causation] must be adequately alleged at the pleading stage in order for the case to proceed. If a plaintiff's allegations, taken as true, are insufficient to establish proximate causation, then the complaint must be dismissed; if they are sufficient, then the plaintiff is entitled to an opportunity to prove them.” Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014) (citation omitted).
Previously, this Court determined that Plaintiffs Rayam, Leather, Williams, Ranson, Flanders, and Lewis properly alleged causation, but Plaintiff Culberson had not properly alleged causation because she had only alleged future injuries. Griffey, 2021 WL 4427065, at *3-4. Plaintiffs Rayam, Leather, Williams, Ranson, Flanders, and Lewis' allegations remain substantially similar such that they have still adequately alleged causation. (Docs. 40; 52-1.) This time Culberson does allege current injuries-“[s]ince the Data Breach, Plaintiff Culberson has had to replace her ATM card three times and has had to stop auto billing from her cellphone and insurance companies.” (Doc. 40 ¶ 13.) Magellan argues that Culberson still has not established causation because she has not properly alleged that its data security was inadequate. (Doc. 41 at 9.) Quoting this Court's previous order, Magellan argues that, without properly alleging that Magellan's data security was inadequate, Culberson's conclusion that it proximately caused Culberson's injuries is conclusory. (Id.)
Griffey, 2021 WL 4427065, at *8, 11 (“Alleging that a system was inadequate because a negative result occurred is conclusory, and Plaintiffs' claim that Magellan's system fell below an ill-defined standard is conclusory .... And so, the Court find that Plaintiffs fail to properly allege that Magellan's data security was inadequate.”).
The Court finds that Plaintiffs' Second Amended Complaint sufficiently alleges that Magellan employed inadequate data security. The pleadings aver several security standards that Magellan allegedly failed to satisfy. Supra Section I. For example, it did not comply with security guidelines and standards promulgated by the United States Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services' Office for Civil Rights. Id. These shortcomings allegedly included very basic procedures such as monitoring ingress and ingress network traffic. Id.
Thus, based on the allegations in the Second Amended Complaint, the causal relationship between her injuries and Magellan's inadequate data security can be reasonably inferred: Magellan's data security was inadequate, a data breach occurred, and her injuries began. Magellan's only argument to break this chain of causation is that its data security was adequate. But at this early stage, Magellan's argument constitutes an improper factual assertion. Because the Plaintiffs have properly pleaded that Magellan's data security was inadequate, the Court concludes that Culberson's allegations properly plead causation. And so, every Plaintiff who alleged a negligence claim in the Second Amended Complaint has pleaded sufficient facts to establish causation.
2. Damages
“In assessing whether credit monitoring services in the context of data breach cases are recoverable in negligence, courts have generally analogized to medical monitoring cases, which require a plaintiff to plead that the monitoring costs were both reasonable and necessary.” In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 970 (S.D. Cal. 2014), order corrected, No. 11md2258 AJB (MDD), 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014). In medical monitoring cases, courts look to four factors to determine if the costs of future medical surveillance may be recovered: “(1) the significance and extent of exposure, (2) the toxicity of the contaminant, and the seriousness of the harm for which the individuals are at risk, and (3) the relative increase in the chance of the harm in those exposed, such that (4) monitoring the effects of exposure is reasonable and necessary.” Stollenwerk v. Tri-W. Health Care All., 254 Fed.Appx. 664, 666 (9th Cir. 2007) (cleaned up). As this Court has previously noted, the majority of courts view allegations of lost time and the increased risk of future harm as non-cognizable negligence injuries. Griffey, 2021 WL 4427065, at *4.
Plaintiffs Williams and Rayam's alleged damages are unchanged from the previous complaint. (Doc. 52-1 ¶¶ 2-3, 6-7; compare Doc. 40 ¶ 164, with Doc. 30 ¶ 131.) Magellan argues that their allegations do not constitute a cognizable loss because their allegations amount to claims for lost time and the risk of future harm. (See Doc. 41 at 4-5.) Citing In re Banner Health Data Breach Litig., CV-16-02696-PHX-SRB, 2017 WL 6763548, at *8 (D. Ariz. Dec. 20, 2017), Williams and Rayam argue that because they have “‘suffered actual misuse of their personal information,'” they “‘have clearly suffered an actual injury for which they may recover.'” (Doc. 42 at 4.) The Court agrees with Magellan. Williams and Rayam allege that both instances of attempted fraud were unsuccessful. (Doc. 40 ¶¶ 23, 6-7.) The only damages they allege as a result of the “actual misuse” are lost time addressing the attempted fraud and the increased risk of future harm. (Id.) Those are not cognizable negligence damages. Similarly, Culberson alleges that she “has had to replace her ATM card three times and has had to stop auto billing from her cellphone and insurance companies.” (Id. ¶ 13.) But Culberson alleges no out-of-pocket expenses. And so, she also alleges nothing more than lost time monitoring her credit and an increased risk of future harm. Thus, Williams, Rayam, and Culberson did not allege actual damages and their alleged loss is not cognizable.
Rayam only alleges that he suffered “an unauthorized and fraudulent charge in the amount of $3.79.” (Doc. 40 ¶ 3.) He does not allege that he was required to pay the charge. (Id.)
In its prior Order, the Court rejected Plaintiffs Leather, Ranson, Flanders, and Lewis' claims for out-of-pocket damages because those claims did not specifically allege why Magellan's data security systems were inadequate. See Griffey, 2021 WL 4427065, at *6. This time, as previously explained, the Court finds that the Plaintiffs have adequately alleged that Magellan's data security was inadequate. Supra Section III.A(1).
In one sentence in its Reply, Magellan raises the issue that Ranson has only alleged that he has “enrolled” in extra data monitoring services without articulating a price paid for the extra services. (Doc. 44 at 3.) Because this issue was first raised in Magellan's reply brief, it has been waived and will not be considered. Autotel v. Nevada Bell Tel. Co., 697 F.3d 846, 852 n.2 (9th Cir. 2012) (“‘Arguments raised for the first time in a reply brief are waived.'” (citing Turtle Island Restoration Network v. U.S. Dep't of Commerce, 672 F.3d 1160, 1166 n.8 (9th Cir. 2012) (brackets omitted))).
Plaintiffs' alleged damages stem from not only Magellan's allegedly inadequate data security, but also the allegedly inadequate complimentary data protection services that it offered to Plaintiffs after the breach. Plaintiffs have successfully alleged that these services were inadequate for protecting their identities after their personal information was compromised. See supra Section I. For example, the services that Magellan offered Plaintiffs did not provide basic services, such as alerts when personal information was entered on credit applications or when fake personal information was tied to one of the Plaintiff's identities. Id. Furthermore, the services were allegedly offered for too short of a period of time to protect Plaintiffs' identities after the data breach. Id. As a result, Plaintiffs allege that they were forced to spend extra money to properly secure their PII and PHI. Id. These additional costs are the negligence damages they plead in this case. (See Doc. 40 ¶¶ 5, 8-11, 14-15, 138-166.)
Plaintiffs Leather, Ranson, and Lewis all properly allege that they suffered cognizable negligence damages because they aver that the extra data security services that they purchased and enrolled in were reasonable and necessary to protect their PII and PHI. (Id. ¶¶ 5, 8-10, 14-15; see generally ¶¶ 138-166.) Plaintiff Flanders alleges that he hired a consultant for the same reason-the stolen information was sensitive and the services that Magellan offered were inadequate to protect him from the data breach. (Id. ¶ 11.) Thus, all four Plaintiffs alleged that they paid out-of-pocket to remedy the harm done to them by Magellan's alleged negligence.
To determine if Leather, Ranson, Lewis, and Flanders properly pleaded cognizable negligence claims, the Court applies the Stollenwerk factors. According to the alleged facts, their data was exposed to the entire dark web-a vast digital landscape where criminals can acquire and misuse their personal data. Plaintiffs also properly alleged a variety of serious harms, including identity theft, that can result from their PII and PHI being exposed on the dark web. Plaintiffs also sufficiently alleged that, without their additional purchases, they would suffer an increased risk of serious harm to their PII and PHI. Thus, all four Stollenwerk factors weigh in favor of determining that this alleged injury is a cognizable negligence claim. Furthermore, the only argument that Magellan raises in opposition is that Plaintiffs paying for additional services was unnecessary because its complimentary services were adequate. (Doc. 41 at 6-7; Doc. 44 at 1, 3-4.) This is an argument better suited for summary judgment, as it relies on facts not yet in the record.
Therefore, the Court finds that Leather, Ranson, Flanders, and Lewis have adequately alleged a cognizable negligence claim. Leather, Ranson, Flanders, and Lewis' negligence claims will not be dismissed. Conversely, Culberson, Rayam, and Williams have not alleged a cognizable negligence claim; and so, their claims will be dismissed.
B. Unjust Enrichment
Each plaintiff asserts an unjust enrichment claim against Magellan. Under Arizona law, “[a]n unjust enrichment claim requires proof of ‘(1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and impoverishment, (4) the absence of justification for the enrichment and impoverishment, and (5) the absence of a remedy provided by law.'” Perdue v. La Rue, 250 Ariz. 34, 42 (App. 2020) (quoting Wang Elec., Inc. v. Smoke Tree Resort, LLC, 230 Ariz. 314, 318 (App. 2012)). The Court previously dismissed all of the unjust enrichment claims because Plaintiffs' First Amended Consolidated Class Action Complaint failed to sufficiently allege that Magellan's data security systems were inadequate to withstand a data breach incident. Griffey, 2021 WL 4427065, at *6-8. Plaintiffs have augmented their factual allegations to include additional detail explaining their general theory of liability. Magellan renews its motion to dismiss the unjust enrichment claims, arguing that the claims still fail at the pleading stage because “Plaintiffs concede that they did not pay anything to Magellan. Accordingly, Magellan could not have been enriched at Plaintiffs' expense.” (Doc. 41 at 15 (record citation omitted).)
The Court generally finds the unjust enrichment theory dubious. As best the Court can tell, the health plan participants' unjust enrichment theory alleges that Magellan represented that a portion of the premiums paid to it by Plaintiffs, or some other third-party payors on Plaintiffs' behalf, was intended for a data security system that protected their PHI and PII. (See Doc. 40 ¶¶ 167-77.) They allege that Magellan did not expend the resources required to implement this system. (Id.) As a result, Plaintiffs' information was allegedly stolen by cyber criminals. (Id.) Magellan was, allegedly, unjustly enriched because it pocketed money that was intended for this system. (Id.) As Magellan emphasizes, some plaintiffs-Laura Leather, Joseph Rivera, and Teresa Culberson-did not pay Magellan directly. (Doc. 41 at 9-10.) Those payments were, instead, made to an affiliate or the state in which Magellan administers those plaintiffs' health care services. (Id.) The Court finds that, as a matter of law, these plaintiffs cannot state an unjust enrichment claim.
Plaintiff Lewis' connection with Magellan is even more attenuated. He does not specifically allege anything to establish a relationship between him and Magellan or one of Magellan's affiliates. (Doc. 40 ¶¶ 14-15.) He alleges that he paid for health services that Magellan sold, but he does not specify to whom or what those payments were made. (See id. ¶¶ 14-15, 252-64.) Thus, Lewis' unjust enrichment claim fails because he has not properly alleged that Magellan was enriched by his payments.
The former employee and contractor plaintiffs-Chris Griffey, Bharath Rayam, Michael Domingo, Clara Williams, Daniel Ranson, and Mitchell Flanders-theorize that their compensation packages included data protection against cyber piracy. (Doc. 42 at 67; see Doc. 40 ¶¶ 167-77.) The Motion to Dismiss argues that former employee and contractor plaintiffs were not unjustly enriched because they “were paid for their services.” (Doc. 44 at 10.) The Court again expresses skepticism toward this unjust enrichment theory. Nonetheless, construing all of the pleading allegations and reasonable inferences in the former employee and contractor plaintiffs' favor, the Court finds that these plaintiffs have asserted sufficient allegations to survive the Motion to Dismiss.
In short, the Motion to Dismiss Plaintiffs' unjust enrichment claims is granted in part. Those plaintiffs who are part of the health plan participants group and whose costs were paid by others are dismissed: Laura Leather, Joseph Rivera, and Teresa Culberson. Keith Lewis' claim is dismissed for failing to properly allege enrichment. For all other plaintiffs, the Motion is denied.
C. California Consumer Protection Act
“Any consumer whose . . . personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of [a] business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” under the California Consumer Protection Act (“California CPA”). Cal. Civ. Code § 1798.150. The California CPA allows for the recovery of statutory damages. Id. § 1798.150(b). To recover such damages, consumers must first provide 30-days' written notice to the business from which they are trying to collect statutory damages before initiating litigation. Id.
Ranson, a California resident, alleges that Magellan violated the California CPA by failing to prevent the data breach and providing inadequate data security for his information. (Doc. 40 ¶¶ 189-200.) The Court previously dismissed this claim because Ranson had not alleged out-of-pocket damages, he had not sought statutory damages, he had not complied with the California CPA's 30-day notice requirement, and he had failed to establish why Magellan's data security was inadequate. Griffey, 2021 WL 4427065, at *14-15. Magellan's Motion again argues that Ranson has not alleged compliance with the California CPA's 30-day notice requirement. (Doc. 41 at 14-15; Doc. 44 at 9-11.) Ranson counters that the notice was timely because more than 30 days have elapsed between the notice and the eventual filing of the Second Amended Complaint. (Doc. 42 at 15.)
The Court finds that Ranson failed to allege that he provided notice as required by the California CPA. In analogous circumstances, courts have held that the objective of a “pre-suit notice,” such as the requirement here, is “to allow the defendant an opportunity to cure the defect outside of court.” T & M Solar & Air Conditioning, Inc. v. Lennox Int'l Inc., 83 F.Supp.3d 855, 875 (N.D. Cal. 2015). The 30-day notice required by the California CPA serves the same purpose. If a notice filed before the 30-day deadline could be updated when an amended complaint is filed and satisfy the 30-day notice requirement, then having the pre-suit notice requirement would be pointless. Ranson alleges that he gave notice on December 8, 2020, three days before filing his California CPA claim. (Doc. 41-1; see Doc. 30.) He cannot supplement the time between the notice and the initiation of the lawsuit by amending his complaint. Clearly, he failed to satisfy the 30-day notice requirement. The California CPA claim is dismissed with prejudice.
D. Florida Unfair and Deceptive Trade Practices Act
Lewis, a Florida resident, alleges that Magellan violated the Florida Unfair and Deceptive Trade Practices Act (“Florida DUTPA”). Specifically, that Magellan “engaged in deceptive, unfair, and unlawful trade acts or practices in the conduct of trade or commerce, in violation of Fla. Stat. § 501.204(1)” and “Fla. Stat. § 501.171(2)” by disseminating the Notice of Privacy Practices in Florida. (Doc. 40 ¶¶ 252-64; see id. ¶¶ 55-57.) He also alleges that these misrepresentations “substantial[ly] injur[ed]” him. (Id. ¶ 261.)
“‘A claim for damages under [the Florida DUTPA] has three elements: (1) a deceptive act or unfair practice; (2) causation; and (3) actual damages.'” Caribbean Cruise Line, Inc. v. Better Bus. Bureau of Palm Beach Cty., Inc., 169 So.3d 164, 167 (Fla. Dist. Ct. App. 2015) (citing Kertesz v. Net Transactions, Ltd., 635 F.Supp.2d 1339, 1348 (S.D. Fla. 2009)). Magellan argues that Lewis' Florida DUTPA claims fail because he is not a consumer. (Doc. 41 at 13.) Magellan also argues that, even if Lewis need not have been a consumer to assert a Florida DUTPA claim, he “must still allege that a consumer was injured.” (Doc. 44 at 9 (emphasis omitted).) Next, Magellan argues that Lewis has failed to allege that he suffered a “cognizable loss” or that any consumer suffered a “consumer injury.” (Id.) Finally, Magellan argues that Lewis' allegations amount to an extraterritorial application of the Florida DUTPA. (Doc. 41 at 11-12; Doc. 44 at 7-8.)
Lewis counters that his status as a consumer is irrelevant because “[n]umerous Florida district courts . . . have . . . held that . . . non-consumers may bring [Florida DUTPA] claims.” (Doc. 42 at 13; id. at 12-13.) Lewis further argues that, even when a consumer purchase is not involved, “inadequate data security-like the kind at issue in this case-has been found to be an unfair trade practice for [Florida DUTPA] purposes.” (Id. at 14.) Finally, Lewis argues that he has not alleged an extraterritorial application of the Florida DUTPA. (Doc. 42 at 9-11.)
This Court finds the Florida court's analysis in Caribbean Cruise Line compelling and adopts its stance that “the legislative change regarding the claimant able to recover under [the Florida DUTPA] from a ‘consumer' to a ‘person' must be afforded significant meaning. This change indicates that the legislature no longer intended [the Florida DUTPA] to apply to only consumers, but to other entities able to prove the remaining elements of the claim as well.” 169 So.3d at 169. A claimant must prove, however, that “there was an injury or detriment to consumers in order to satisfy all of the elements of a [Florida DUTPA] claim.” Id. (emphasis omitted). Consistent with the holding in Caribbean Cruise Line, the Court finds that Lewis' status as a non-consumer does not affect his ability to bring the claim. Thus, the Court must examine each element of a Florida DUTPA claim to determine if Lewis' Florida DUTPA claim is properly pleaded. “An objective test is used to determine whether an act is deceptive under [the Florida DUTPA], and ‘the plaintiff must show that the alleged practice was likely to deceive a consumer acting reasonably in the same circumstances.'” Marrache v. Bacardi U.S.A., Inc., 17 F.4th 1084, 1098 (11th Cir. 2021) (quoting Carriuolo v. Gen. Motors Co., 823 F.3d 977, 983-84 (11th Cir. 2016)).
Lewis alleges that, in its Notice of Privacy Practices, Magellan states that it “believe[s] in protecting the privacy of [Plaintiffs'] health information” and that the “law requires [it] to maintain the privacy of [Plaintiffs'] PHI.” (Doc. 40 ¶ 56.) He also alleges that Magellan states “[t]he law also requires us to provide you with this notice of our legal duties and privacy practices with respect to your PHI. We are required to follow the terms of the privacy policy that is currently in effect.” (Id.) A reasonable Florida consumer under the circumstances would likely read that policy, deduce that Magellan's data security system adhered to applicable legal requirements, and assume that Magellan implemented adequate data security systems. But Magellan allegedly failed to do so. See supra Section III.A. As a result, Lewis' PII and PHI were stolen, and he needed to purchase additional data security. Id. Thus, causation has also been adequately pleaded. This leaves only the question of damages.
To recover under the Florida DUTPA, Lewis must plead “actual damages.” Caribbean Cruise Line, Inc., 169 So.3d at 167. “‘[A]ctual damages' do not include consequential damages.” Rollins, Inc. v. Butland, 951 So.2d 860, 869 (Fla. Dist. Ct. App. 2006). “Actual damages under [the Florida DUTPA] ‘are measured according to the difference in the market value of the product or service in the condition in which it was delivered and its market value in the condition in which it should have been delivered according to the contract of the parties.'” Marrache, 17 F.4th at 1098 (quoting Carriuolo, 823 F.3d at 986); see also In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 424 n.33 (E.D. Va. 2020) (“For example . . . consequential damages from the Data Breach would include the costs for credit monitoring and identity protection services or the time and expenses related to monitoring their financial accounts since they bear no relation to the diminution in the product value.”). Here, some of Lewis' alleged damages are the fees he paid for additional data security. (Doc. 40 ¶¶ 14-15.) These are consequential damages, which do not support a claim. See In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d at 424.
But Lewis also alleges damages for “overpaying for the products and services sold by [Magellan].” (Id. ¶ 258.) He does not explicitly allege that he overpaid for health services provided by Magellan. But, given the allegations in the Second Amended Complaint (Doc. 40) and the arguments found elsewhere in his Response Brief (Doc. 42), it is reasonable to infer that he alleges that he overpaid for health services that Magellan in some way administers because Magellan's data security was inadequate. As this Court has found, Lewis has failed to allege that these payments enriched Magellan. Supra Section III.B. But that does not inhibit Lewis from suffering actual damages as defined in Marrache. Magellan administered the health services for which Lewis paid and there was a market value difference between the services as marketed in the Notice of Privacy Policies and the services Lewis actually received because Magellan provided inadequate data security services.
The Florida DUTPA does not apply extraterritorially. Eli Lilly & Co. v. Tyco Integrated Sec., LLC., No. 13-80371-CIV, 2015 WL 11251732, at *4 (S.D. Fla. Feb. 10, 2015) (holding the Florida DUTPA only applies to actions that occur within Florida, but the actions need not occur exclusively in Florida). Here, Magellan's allegedly deceptive or unfair action was the dissemination of the Notice of Privacy Practices to Lewis in his home state of Florida. (See Doc. 40 ¶¶ 55-57.) As the Court explained, Lewis has properly pleaded that the Notice was deceptive and its dissemination qualifies as an alleged violation of the Florida DUTPA. Thus, the Court finds that Lewis has not pleaded an extraterritorial application of the Florida DUTPA. And so, Lewis has properly alleged a Florida DUTPA claim on behalf of himself and the putative subclass.
E. New York General Business Law § 349
“Deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in [New York] are . . . unlawful.” N.Y. Gen. Bus. Law § 349 (“New York GBL § 349”). “‘To make out a prima facie case under [§] 349, a plaintiff must demonstrate that (1) the defendant's deceptive acts were directed at consumers, (2) the acts are misleading in a material way, and (3) the plaintiff has been injured as a result.'” Grossman v. Simply Nourish Pet Food Co. LLC, 516 F.Supp.3d 261, 278 (E.D.N.Y. 2021) (quoting Maurizio v. Goldsmith, 230 F.3d 518, 521 (2d Cir. 2000)). “An act is materially misleading if it is ‘likely to mislead a reasonable consumer acting reasonably under the circumstances.' ‘It is well settled that a court may determine as a matter of law that an allegedly deceptive advertisement would not have misled a reasonable consumer.'” Harris v. Pfizer Inc., No. 1:21-CV-06789-DLC, 2022 WL 488410, at *7 (S.D.N.Y. Feb. 16, 2022) (quoting Fink v. Time Warner Cable, 714 F.3d 739, 741 (2d Cir. 2013)).
Leather, a New York resident, contends that she sufficiently pleads a violation of § 349 in the Second Amended Complaint. (Doc. 40 ¶¶ 202-15; Doc. 42 at 11-12.) She asserts that the representations made by Magellan about the reliability of its data security systems constitute a § 349 violation. (See Doc. 40 ¶¶ 202-15; Doc. 42 at 11-12.) Magellan's Motion to Dismiss challenges Leather's alleged injury on the grounds that she has (1) not sufficiently alleged a cognizable loss, (2) alleged an improper extraterritorial application of § 349, (3) not sufficiently alleged how Magellan's notice was false or misleading, (4) not sufficiently alleged that Magellan's data security was inadequate, and (5) not sufficiently alleged that Magellan's complimentary credit-monitoring services were insufficient. (Doc. 41 at 6-7, 11-13; Doc. 44 at 7-8.) This Court has already decided that Plaintiffs have properly alleged that Magellan's data security was inadequate and that Magellan's complimentary credit-monitoring services were insufficient; those arguments will not be revisited. Supra Section III.A.
1. Extraterritoriality and Deceptive Act Directed at Consumers
Magellan argues that Leather asserts an extraterritorial application of § 349 because the fact that she allegedly received a notice of Magellan's privacy policies in her home state of New York is not enough to establish that liability-creating conduct occurred. (Doc. 41 at 12.) The Second Amended Complaint specifically alleges that the Notice was disseminated to Leather in New York. (Doc. 40 ¶ 206.) Presumably, she received and read the Notice in New York. The information provided in the Notice allegedly deceived her into thinking that Magellan had adequate data security. See supra Section III.D. Such allegations are enough to state a § 349 claim. See Haft v. Haier U.S. Appliance Sols., Inc., No. 1:21-CV-00506-GHW, 2022 WL 62181, at *13 (S.D.N.Y. Jan. 5, 2022) (“[T]o qualify as a prohibited act under [§ 349], the deception of a consumer must occur in New York.”) (citing Goshen v. Mut. Life Ins. Co. of New York, 98 N.Y.2d 314, 325 (2002)).
2. Materially Misleading
The Court must next decide whether Leather has sufficiently pleaded that Magellan's actions were materially misleading. As previously noted, she alleges that Magellan made statements in the Notice of Privacy Practices which, when combined, could be construed as a representation that Magellan's data security systems for her PII and PHI were adequate. Supra Section III.D. But, based on her allegations, Magellan failed to implement adequate data security systems. See supra Section III.A. Such statements would likely mislead a reasonable New York consumer acting reasonably under the circumstances to wrongly assume that Magellan's data security was adequate. See supra Section III.D.
Thus, she has properly alleged that the notice that Magellan disseminated was a materially misleading statement. See Harris, 2022 WL 488410, at *7 (quoting Fink, 714 F.3d at 741) (“An act is materially misleading if it is ‘likely to mislead a reasonable consumer acting reasonably under the circumstances.'”).
3. Cognizable Injury
“‘To make out a prima facie case under [§] 349, a plaintiff must demonstrate that . . . the plaintiff has been injured . . . .'” Grossman, 516 F.Supp.3d at 278 (quoting Maurizio, 230 F.3d at 521). “‘Injury is adequately alleged under [§ 349] by a claim that a plaintiff paid a premium for a product based on defendants' inaccurate representations.'” Id. at 282 (quoting Ackerman v. Coca-Cola Co., No. CV-09-0395 (JG)(RML), 2010 WL 2925955, at *23 (E.D.N.Y. July 21, 2010)).
Here, Leather alleges that she paid for Magellan's services, including its data security systems for PII and PHI, by paying for health services. See supra Section III.B. She also alleges that these payments were, in part, predicated on the representations Magellan made in the Notice of Privacy Practices, which was disseminated to Leather in New York. (Doc. 40 ¶¶ 55-57.) She further alleges that among other representations that were misleading, the Notice said that “the law requires [Magellan] to maintain the privacy of your PHI,” and that “Magellan . . . believe[s] in protecting the privacy of your health information.” (Id. ¶ 56.)
The alleged statements in Magellan's Notice imply that Magellan implemented good data security to protect people like Leather. See supra Section III.D. And, as this Court has already discussed, Plaintiffs have properly alleged that Magellan's data security was inadequate. Supra Section III.A. Based on this Notice, Leather would reasonably believe that her PII and PHI were sufficiently protected. Supra Section III.D. Leather alleges that she relied on these representations when deciding to pay for Magellan health services. (Doc. 40 ¶¶ 210-11.) Thus, in part, she paid for what she understood to be adequate data security services when, in reality, they were inadequate services. This portion of her fees paid to Magellan constitutes a premium that she paid for data security services that she never received. And so, this Court finds that Leather has properly alleged that Magellan's Notice was an inaccurate representation which induced her to continue to pay for its health services. This satisfies the definition of a cognizable § 349 injury. Therefore, Leather has sufficiently alleged a § 349 claim to survive a motion to dismiss.
F. Remaining Statutory Claims
Plaintiffs Domingo, Rivera, and Ranson allege that Magellan violated several state consumer protection statutes: Pennsylvania's Unfair Trade Practices and Consumer Protection Law (“Pennsylvania CPL”), Wisconsin's Deceptive Trade Practices Act (“Wisconsin DTPA”), and California's Unfair Competition Law (“California UCL”). (Doc. 40 ¶¶ 178-88, 216-51.) Magellan argues that Plaintiffs' Pennsylvania CPL, Wisconsin DTPA, and California UCL claims have failed to allege a cognizable loss. (See Doc. 41 at 4-7; Doc. 44 at 2-4.) Magellan also argues that Ranson asserts an impermissible extraterritorial application of the California UCL. (Doc. 41 at 11-12; Doc. 44 at 7-8.)
1. Pennsylvania Unfair Trade Practices and Consumer Protection Law
The Pennsylvania CPL requires that Domingo, a Pennsylvania resident, allege that he “suffered [an] ascertainable loss as a result of” his reliance on Magellan's deceptive act. Cessna v. REA Energy Coop., Inc., 258 F.Supp.3d 566, 579 (W.D. Pa. 2017); see also Yocca v. Pittsburgh Steelers Sports, Inc., 578 Pa. 479, 854 A.2d 425, 438 (2004) (“To bring a private cause of action under the [Pennsylvania CPL], a plaintiff must show that he justifiably relied on the defendant's wrongful conduct or representation and that he suffered harm as a result of that reliance.”). An ascertainable loss must be a “loss of money or property” due to the defendant's infringing behavior. Grimes v. Enter. Leasing Co. of Philadelphia, LLC, 629 Pa. 457, 464 (2014). Here, Domingo alleges no present harm, not even lost time. (Doc. 40 ¶ 4.) Domingo's only conceivable claim for damages is unknown future injuries that are clearly not “ascertainable.” See, e.g., Grimes, 629 Pa. at 466 (concluding “that a plaintiff could incur an ‘ascertainable loss' simply by hiring counsel” is an “untenable” interpretation of the statute). Because “[o]nly those who can meet the requirements of the [Pennsylvania CPL] private cause of action may bring a personal action, and [Domingo's] allegations simply do not satisfy the statutory ‘ascertainable loss' element,” his Pennsylvania CPL claims are dismissed. Id.
2. Wisconsin Deceptive Trade Practices Act
Only a person who has suffered a pecuniary loss may recover under the Wisconsin DTPA. Pagoudis v. Keidl, 399 Wis.2d 75, 96 (App. 2021). “‘Pecuniary loss' . . . encompass[es] any monetary loss.” Mueller v. Harry Kaufmann Motorcars, Inc., 359 Wis.2d 597, 613 (App. 2014). Rivera, a Wisconsin resident, alleges no present harm, not even lost time. (Doc. 40 ¶ 12.) Rivera's only conceivable claim for damages involves unknown future injuries and lost time. Neither is pecuniary because neither involves monetary loss. Thus, Rivera's Wisconsin DTPA claims do not articulate a cognizable loss and are dismissed.
3. California Unfair Competition Law
a. Cognizable Loss
To survive a motion to dismiss under the California UCL, Ranson, a California resident, must allege that he “‘lost money or property' as a result of [Magellan's] conduct.” Klein v. Facebook, Inc., No. 20-CV-08570-LHK, 2022 WL 141561, at *39 (N.D. Cal. Jan. 14, 2022) (quoting Brown v. Google, No. 20-CV-3664-LHK, 2021 WL 6064009, at *14 (N.D. Cal. Dec. 22, 2021)). In Klein, the court determined that the cash value of a plaintiff's personal information satisfied this requirement. See 2022 WL 141561, at *39 (“Thus, [the plaintiffs] have adequately alleged that, by providing Facebook with their information and attention, they lost money or property.” (internal quotation omitted)). Ranson similarly alleges cash value associated with his stolen PII and PHI. (Doc. 40 ¶¶ 71-76.) Ranson also alleges that he enrolled in extra data security because of specific deficiencies in the services that Magellan offered him after the data breach. Supra Section III.A. And so, he has sufficiently alleged a cognizable loss to sustain his California UCL claims.
b. Extraterritoriality
Magellan's only alleged instance of liability-creating conduct in California was the Notice of Privacy Practices it allegedly disseminated to Ranson in California. (See Doc. 40 ¶¶ 55-57, 182.) In that Notice, Ranson alleges, Magellan made false representations regarding the data security it implemented to protect the PII and PHI it had collected. (See id. ¶¶ 77-82, 178-88.) “‘[A] plaintiff must show that the misrepresentation was an immediate cause of the injury-producing conduct . . . [;]' [h]owever, a ‘plaintiff is not required to allege that the challenged misrepresentations were the sole or even the decisive cause of the injury-producing conduct.'” Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 327 (2011) (quoting In re Tobacco II Cases, 46 Cal.4th 298, 326, 328 (2009)). “[F]or example, in Hale v. Sharp Healthcare, 183 Cal.App.4th [1373, 1385-86 (2010)], the Court of Appeal found the complaint adequate where, from its allegations, one could infer the plaintiff had relied on a defendant's representation that it would charge its ‘regular rates.'” Kwikset, 51 Cal.4th at 327. Similarly, here, the Court finds that one could infer from the Second Amended Complaint that Ranson relied on Magellan's representation in the Notice of Privacy Practices. See supra Section III.D-E (drawing the same conclusion with regard to the Florida and New York plaintiffs). And the Court has already decided that Ranson has properly pleaded that those statements were misrepresentations because he has sufficiently alleged that Magellan's data security systems were inadequate. See supra Section III.A, D-E. Thus, Ranson has properly alleged that Magellan made qualifying misrepresentations in California.
G. Rule 9(b)
“It is established law that Rule 9(b)'s particularity requirement applies to state law causes of action relating to fraud when asserted in federal court.” Irving Firemen's Relief & Ret. Fund v. Uber Techs., Inc., 998 F.3d 397, 404 (9th Cir. 2021) (citing Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1103 (9th Cir. 2003)). To satisfy this standard, the complaint “must ‘identify the who, what, when, where, and how of the misconduct charged, as well as what is false or misleading about the purportedly fraudulent statement, and why it is false.'” Depot, Inc. v. Caring for Montanans, Inc., 915 F.3d 643, 668 (9th Cir. 2019) (quoting Salameh v. Tarsadia Hotel, 726 F.3d 1124, 1133 (9th Cir. 2013)).
Magellan argues that Plaintiffs have not sufficiently alleged the “‘when, where, and how' the alleged misconduct occurred” to meet Rule 9(b)'s heightened pleading standard. (Doc. 41 at 11; see id. at 10-11.) Plaintiffs Ranson, Leather, and Lewis argue that the Second Amended Complaint properly specifies that Magellan's statements in the Notice of Privacy Practices, which was disseminated in their home states, were the misrepresentations on which their California UCL, New York GBL § 349, and Florida DUTPA causes of action are predicated. (Doc. 42 at 7-9.)
Here, the Court concludes that Ranson, Leather, and Lewis have articulated “the who, what, when, where, and how of the misconduct charged, as well as what is false or misleading about the purportedly fraudulent statement, and why it is false.” Depot, Inc., 915 F.3d at 688. They allege that Magellan (“who”) made statements in its Notice of Privacy Practices (“what”) “when” it disseminated the Notice to Ranson, Leather, and Lewis in California, New York, and Florida (“where”). This Court has already decided that they have properly alleged that those statements were false or misleading because, contrary to its representations in the Notice of Privacy Practices, Magellan's data security systems were inadequate. Supra Section III.A, D. Thus, Ranson, Leather, and Lewis have met the Rule 9(b) pleading standard for their California UCL, New York GBL § 349, and Florida DUTPA claims.
H. Leave to Amend
Federal Rule of Civil Procedure 15(a) provides that leave to amend should be freely granted “when justice so requires.” Fed.R.Civ.P. 15(a)(2). “The power to grant leave to amend . . . is entrusted to the discretion of the district court, which ‘determines the propriety of a motion to amend by ascertaining the presence of any of four factors: bad faith, undue delay, prejudice to the opposing party, and/or futility.'” Serra v. Lappin, 600 F.3d 1191, 1200 (9th Cir. 2010) (quoting William O. Gilley Enters. v. Atl. Richfield Co., 588 F.3d 659, 669 n.8 (9th Cir. 2009)). “[W]here the plaintiff has previously been granted leave to amend and has subsequently failed to add the requisite particularity to its claims, the district court's discretion to deny leave to amend is particularly broad.” Zucco Partners, LLC v. Digimarc Corp., 552 F.3d 981, 1007 (9th Cir. 2009), as amended (Feb. 10, 2009) (quotations omitted). District courts properly deny leave to amend if the proposed amendment would be futile or “the amended complaint would be subject to dismissal.” Saul v. United States, 928 F.2d 829, 843 (9th Cir. 1991). “[A] proposed amendment is futile only if no set of facts can be proved under the amendment to the pleadings that would constitute a valid and sufficient claim.” Miller v. Rykoff-Sexton, Inc., 845 F.2d 209, 214 (9th Cir. 1988).
Here, Plaintiffs have not requested leave to amend. (Doc. 42.) Additionally, Plaintiffs have been afforded multiple opportunities to amend their claims. In the abstract, granting leave to amend would not be futile because a set of facts could be alleged that would constitute a valid, specific, and properly pleaded negligence, unjust enrichment, California CPA, Pennsylvania CPL, and Wisconsin DTPA claim. But in practice, given Plaintiffs' multiple opportunities to properly plead these claims, it is clear why they have not requested leave to amend: the facts necessary to properly plead these claims do not exist. Accordingly, leave to amend will not be granted because it would be futile.
IV. CONCLUSION
Accordingly, IT IS ORDERED denying in part and granting in part the Motion to Dismiss Plaintiffs' Second Amended Consolidated Class Action Complaint (Doc. 41). Plaintiffs Culberson, Rayam, Williams, and their similarly situated putative class members' negligence claims are dismissed with prejudice. Plaintiffs Leather, Ranson, Flanders, Lewis, and their similarly situated putative class members' negligence claims will remain.
IT IS FURTHER ORDERED that Plaintiffs Leather, Rivera, Lewis, and Culberson's unjust enrichment claims are dismissed with prejudice. Plaintiffs Ranson, Domingo, Griffey, Rayam, Williams, and Flanders' unjust enrichment claims will remain.
IT IS FURTHER ORDERED that, regarding the California Consumer Privacy Act, the Pennsylvania Unfair Trade Practices and Consumer Protection Law, and the Wisconsin Deceptive Trade Practices Act causes of action, the Motion is granted. Causes of Action Four, Six, and Seven are dismissed, with prejudice.
IT IS FINALLY ORDERED that with regard to all other causes of action, the Motion to Dismiss Plaintiffs' Second Amended Consolidated Class Action Complaint is denied. Those causes of action shall remain.