Opinion
24-MD-03090-RAR
09-18-2024
In re FORTRA FILE TRANSFER SOFTWARE DATA SECURITY BREACH LITIGATION This Document Relates to:
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
RODOLFO A. RUIZ II UNITED STATES DISTRICT JUDGE
THIS CAUSE comes before the Court on Defendants NationsBenefits, LLC and NationsBenefits Holdings, LLC's Motion to Dismiss Consolidated Class Action Complaint, [ECF No. 138] (“Motion”). The Court having reviewed the Motion, Plaintiffs' Response, [ECF No. 158], Defendants' Reply, [ECF No. 162], the record, applicable law, and being otherwise fully advised, it is hereby
ORDERED AND ADJUDGED that the Motion is GRANTED IN PART and DENIED IN PART as set forth herein.
BACKGROUND
This multidistrict litigation (“MDL”) action arises from a data security breach perpetrated in January 2023, attacking Fortra, LLC, and impacting Defendants and their customers (“Data Breach”). See Consolidated Class Action Complaint (“Compl.”), [ECF No. 133] ¶¶ 3-4, 12, 17585. The Data Breach exfiltrated the protected health information (“PHI”) and personally identifiable information (“PII”) of over 3 million of Defendants' customers, allegedly including Plaintiffs' full names, dates of birth, Social Security numbers, phone numbers, addresses, genders, health plan subscriber information (including identification numbers), and Medicare numbers. Compl. ¶¶ 3-4, 12, 175-85. NationsBenefits contracted with Fortra for use of Fortra's managed file transfer software, GoAnywhere MFT (“Software”), to facilitate their work in providing supplemental benefits administration services to health insurance plans and employers across the country. Compl. ¶¶ 156, 168.
Plaintiffs allege that NationsBenefits learned of the Data Breach in early February but failed to make appropriate mitigation efforts and then waited 65 days to begin notifying victims. Compl. ¶¶ 3, 7, 6, 188, 190-92. Plaintiffs maintain that Defendants' inaction created-and exacerbated-the risk of future harm of loss of privacy and confidentiality and identity theft and medical fraud. Compl. ¶¶ 5, 12-17, 182, 229-42. And several Plaintiffs claim to have already suffered such misuse of their PII/PHI. Compl. ¶¶ 27, 37, 42, 47, 57, 62, 72, 77, 82, 102, 107, 112, 117, 122, 127, 132, 137, 142, 147, 152.
Between February and April 2024, cases brought by those affected by the Data Breach were transferred to this MDL from district courts throughout the country. See [ECF No. 1]. After the Court ordered the case to proceed in four tracks, beginning with the instant action against NationsBenefits, Defendants now move to dismiss Plaintiffs' Complaint for lack of Article III standing and, alternatively, for failure to state a claim upon which relief can be granted for the various state law claims.
LEGAL STANDARDS
I. Lack of Subject Matter Jurisdiction under Fed. R. Civ. P. 12(b)(1)
The case-or-controversy clause under Article III of the United States Constitution requires that plaintiffs “must establish that they have standing to sue” in federal court. Raines v. Byrd, 521 U.S. 811, 818 (1997). Thus, standing is a “threshold question in every federal case, determining the power of the court to entertain the suit.” Warth v. Seldin, 422 U.S. 490, 498 (1975). In the class action context, Article III requires two distinct inquiries to determine whether a class representative has “standing to represent a class.” Fox v. Ritz-Carlton Hotel Co., L.L.C., 977 F.3d 1039, 1046 (11th Cir. 2020) (quoting Mills v. Foremost Ins. Co., 511 F.3d 1300, 1307 (11th Cir. 2008)). A class representative must satisfy the individual standing prerequisites for each claim he or she asserts and “must also be part of the class and possess the same interest and suffer the same injury as the class members.” Id. (quoting Prado-Steiman ex rel. Prado v. Bush, 221 F.3d 1266, 1279 (11th Cir. 2000)) (cleaned up); see also Preisler v. Eastpoint Recovery Grp., Inc., No. 2062268, 2021 WL 2110794, at *3 (S.D. Fla. May 25, 2021). To be clear, if the case has “at least one individual plaintiff who has demonstrated standing,” the Court need not “consider whether the other plaintiffs have standing to maintain the suit.” Wilding v. DNC Servs. Corp., 941 F.3d 1116, 1124-25 (11th Cir. 2019) (quoting Arlington Heights v. Metro. Hous. Dev. Corp., 429 U.S. 252, 264 & n.9 (1977)) (alteration omitted).
To establish the individual standing prerequisites, a plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). These three elements must be supported “with the manner and degree of evidence required at the successive stages of the litigation.” Wilding, 941 F.3d at 1124 (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992)); see also 31 Foster Children v. Bush, 329 F.3d 1255, 1263 (11th Cir. 2003) (“How much evidence is necessary to satisfy [the standing requirement] depends on the stage of litigation at which the standing challenge is made.”). And “plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek.” TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021).
A plaintiff has suffered an injury in fact if he or she has “suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Spokeo, 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560). “Central to assessing concreteness is whether the asserted harm has a ‘close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts-such as a physical harm, monetary harm, or various intangible harms[.]” TransUnion, 594 U.S. at 417. Concrete intangible harms may include reputational harms, disclosure of private information, and intrusion on seclusion. Id. at 424 (collecting cases).
Beyond establishing that a plaintiff has suffered an injury in fact, he or she must allege a “causal connection between the injury and the conduct complained of”; in other words, the injury must be “fairly traceable to the challenged action of the defendant.” Lujan, 504 U.S. at 560 (cleaned up). However, Article III standing does not require that defendants be the most immediate cause, or even a proximate cause, of plaintiffs' injuries; it requires only that those injuries be fairly traceable to defendants. See Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014). “Even harms that flow indirectly from the action in question can be said to be ‘fairly traceable' to that action for standing purposes.” Wilding, 941 F.3d at 1125 (quoting Focus on the Family v. Pinellas Suncoast Transit Auth., 344 F.3d 1263, 1273 (11th Cir. 2003)) (alteration omitted).
Article III standing may be challenged either facially or factually. A facial attack looks only to the face of the complaint and accepts its allegations as true. See Lawrence v. Dunbar, 919 F.2d 1525, 1528-29 (11th Cir. 1990). It “requires the court merely to look and see if the plaintiff has sufficiently alleged a basis of subject matter jurisdiction.” Stalley ex rel. U.S. v. Orlando Reg'l Healthcare Sys., Inc., 524 F.3d 1229, 1232 (11th Cir. 2008) (quoting McElmurray v. Consol. Gov't of Augusta-Richmond Cnty., 501 F.3d 1244, 1250 (11th Cir. 2007)). A factual attack, by contrast, challenges the factual basis for jurisdiction notwithstanding any of the complaint's allegations. See Lawrence, 919 F.2d at 1528-29. In weighing a factual attack, a court is free to consider materials outside the pleadings, and the pleadings are afforded no presumptive truth. Id. at 1529; see also Butts v. ALN Grp., LLC, 512 F.Supp.3d 1301, 1305 (S.D. Fla. 2021).
II. Failure to State a Claim under Fed. R. Civ. P. 12(b)(6)
“To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). When reviewing a motion to dismiss pursuant to Rule 12(b)(6), a court must accept as true all factual allegations contained in the complaint, and plaintiffs should receive the benefit of all favorable inferences that can be drawn from the facts alleged. Iqbal, 556 U.S. at 678; Chaparro v. Carnival Corp., 693 F.3d 1333, 1337 (11th Cir. 2012). A court considering a Rule 12(b)(6) motion generally is limited to the facts contained in the complaint and attached exhibits but also may consider documents referred to in the complaint that are central to the claim and whose authenticity is undisputed. See Wilchombe v. TeeVee Toons, Inc., 555 F.3d 949, 959 (11th Cir. 2009). “Dismissal pursuant to Rule 12(b)(6) is not appropriate unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” Magluta v. Samples, 375 F.3d 1269, 1273 (11th Cir. 2004) (cleaned up).
ANALYSIS
Defendants first argue that Plaintiffs lack Article III standing under Rule 12(b)(1) to pursue their claims in federal court. Defendants then contend that Plaintiffs' various common law and state law claims must be dismissed for failure to state a claim upon which relief can be granted. The Court addresses Plaintiffs' standing before turning to the Rule 12(b)(6) assessments.
I. Plaintiffs Allege Article III Standing
Defendants argue that Plaintiffs do not have Article III standing to pursue a claim because they have alleged nothing more than a conjectural or hypothetical risk of future harm and any s in alleged actual or attempted misuse is not traceable to the challenged conduct. See generally Mot. Defendants do not address whether the claims are likely to be redressed by a favorable judicial decision. Id. Plaintiffs respond that they have alleged multiple injuries-including emotional distress, actual misuse of PHI/PII, and risk of future harm-traceable to Defendants' conduct, thereby satisfying standing requirements. Resp. at 3.
1. Plaintiffs Allege Injuries in Fact
Plaintiffs argue they have suffered concrete harm based on the following allegations: (1) risk of identity theft; (2) loss of privacy and confidentiality; (3) loss of value of private information; (4) time and costs spent to mitigate harm; and (5) continuing emotional distress. Resp. at 4-11. At issue is whether these injuries alleged by Plaintiffs are “concrete,” “particularized,” and “actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560. First, Defendants disclaim that Plaintiffs can rely on allegations of actual misuse that are not traceable to the incident to establish an injury in fact. Then, they argue that those Plaintiffs who have not alleged actual misuse of their data cannot establish that their risk of harm is imminent. The Court disagrees and concludes that the Complaint's allegations of imminent future harm are sufficiently imminent, and that Plaintiffs have alleged various independent injuries to confer standing in a suit for damages.
The Court addresses the issue of traceability below, in Section (I)(2).
The Court recently applied holdings in the Supreme Court and Eleventh Circuit to another data breach MDL, In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183 (S.D. Fla. 2022). In Mednax, this Court found that plaintiffs' allegations of substantial risk of imminent future harm-coupled with emotional injuries and mitigation efforts-were sufficient to confer standing in an action that included claims for damages. Id. at 1201-05. The Court analyzed both Tsao v. Captiva MVP Restaurant Partners, 986 F.3d 1332 (11th Cir. 2021), and TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), which delineated that a threat of future harm must be a “substantial risk” or “certainly impending” for purposes of standing. Tsao, 986 F.3d at 1339 (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 416 (2013)). This Court also recognized that, in a claim for damages, the risk of future harm, without more, is not sufficiently concrete to establish standing. Mednax, 603 F.Supp.3d at 1202 (citing TransUnion, 594 U.S. at 437).
a. Plaintiffs demonstrate that their risk of identity theft is a concrete harm
The Complaint advances many of the factors that courts have found to confer standing for plaintiffs alleging an increased risk of identity theft. See, e.g., In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F.Supp.3d 1243, 1250 (M.D. Fla. 2019); Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 375 (1st Cir. 2023); McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 301-02 (2d Cir. 2021); Clemens v. ExecuPharm Inc., 48 F.4th 146, 153-54 (3d Cir. 2022). Indeed, as the Eleventh Circuit recently confirmed, the posting of financial and personal information on the dark web “establishes both a present injury-credit card data and personal information floating around on the dark web-and a substantial risk of future injury- future misuse of personal information associated with the hacked credit card . . . that is sufficient to establish Article III standing.” Green-Cooper v. Brinker Int'l, Inc., 73 F.4th 883, 890 (11th Cir. 2023).
The Court stresses the following considerations are inherently fact-specific and non-exhaustive but provide useful guidance: (1) whether the plaintiffs' data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
Defendants ask this Court to follow the Eleventh Circuit's holding Tsao and find that Plaintiffs have not alleged a substantial risk of future harm. Mot. at 13. However, the facts here are readily distinguishable from a complaint alleging increased risk of identity theft, unaccompanied by allegations of misuse of any data. Tsao, 986 F.3d at 1335. Plaintiffs maintain that their personal information was actually misused and that hackers “already posted and/or sold Plaintiffs' and Class Members' sensitive information on their dark web-based store.” Compl. ¶ 182. These facts constitute “the misuse for standing purposes that we said was missing in Tsao.” Green-Cooper, 73 F.4th at 888-89 (finding the allegation that plaintiffs' credit card and personal information was “exposed for theft and sale on the dark web” critical to demonstrating standing).
Courts “typically require misuse of the data cybercriminals acquire from a data breach because such misuse constitutes both a ‘present' injury and a ‘substantial risk' of harm in the future.” Green-Cooper, 73 F.4th at 888-89 (quoting Tsao, 986 F.3d at 1343-44 (“[W]ithout specific evidence of some misuse of class members' data, a named plaintiff's burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending'-or that there was a ‘substantial risk' of such harm-will be difficult to meet.” (emphasis in original and citation omitted)); 21st Century Oncology, 380 F.Supp.3d at 1254 (finding that an increased risk of identity theft is “more likely to constitute an injury-in-fact where there is evidence that a third party has accessed the secretive information and/or already used the compromised data fraudulently”). Here, Plaintiffs allege numerous instances of fraudulent misuse of their PII/PHI following the Data Breach, including-among other allegations-suspicious charges and unauthorized account openings. Compl. ¶¶ 27, 30, 37, 42, 47, 57, 62, 72, 77, 82, 102, 107, 112, 117, 122, 127, 132, 137, 142, 147, 152.
The following instances provide a sample of the alleged, actual misuse: Plaintiff Fuss alleges that banks contacted him about accounts he did not open, and fraudulent charges appeared on his debit card, Compl. ¶ 47; Plaintiff T.E. received numerous calls asking her to activate her NationsBenefits card, despite already possessing an activated card and unauthorized charges appeared on T.E.'s Cash App account and federal benefits card, Compl. ¶ 37; Plaintiff Fideleff received an email supposedly from Geek Squad stating she was being billed for an unauthorized transaction and requesting she give them control of her computer to resolve the issue, Compl. ¶ 42; Plaintiff Kosbab's Medicare account was charged numerous times for medical equipment she did not order or receive, Compl. ¶ 62; Plaintiff Skuraskis identified unauthorized charges on PayPal and Forever21 accounts, Compl. ¶ 117; and unauthorized charges appeared on Plaintiff Wilson's debit card along with numerous account inquiries resulting in a decreased credit score, Compl. ¶ 147.
Notably, Defendants concede that “certain Plaintiffs do purport to allege actual misuse of their Private Information.” Reply at 4; Mot. at 6. And, although Defendants are correct that a number of Plaintiffs do not allege actual misuse of their data, evidence of misuse of certain individuals' data is helpful in establishing a “substantial risk” of future harm for plaintiffs who remain unaffected. Mednax, 603 F.Supp.3d at 1202 (citing McMorris, 995 F.3d at 301-02; In re Equifax, 999 F.3d at 1262 (“The actual identity theft already suffered by some Plaintiffs further demonstrates the risk of identity theft all Plaintiffs face-though actual identity theft is by no means required when there is a sufficient risk of identity theft.”)); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 460 (D. Md. 2020) (explaining that those bellwether plaintiffs who did not allege actual misuse of their PII adequately pleaded imminent threat of identity theft because “the allegations about the targeting of personal information in the cyberattack and the allegations of identity theft by other Plaintiffs whose personal information was stolen makes the threatened injury sufficiently imminent”).
“Only one named plaintiff must have standing as to any particular claim in order for it to advance.” In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1261 (11th Cir. 2021) (citing Wilding, 941 F.3d at 1124-25).
Along with the allegations that at least some portion of the information stolen in the Data Breach has already been misused, the Complaint further maintains that the data breach targeted Plaintiffs' personal information with an intent to use the information fraudulently. Compl. ¶¶ 3, 4, 182. And, “[w]here a data breach targets [PII], a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints.” Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 388 (6th Cir. 2016); see also Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (finding allegations of future injury sufficient to confer standing and noting “customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing” because “[w]hy else would hackers break into a store's database and steal consumers' private information?”). Further, the type of information exfiltrated contained highly sensitive, immutable data such as full names, dates of birth, phone numbers, addresses, genders, Medicare numbers, health plan subscriber information, and-for some-Social Security numbers. Compl. ¶ 12; Webb, 72 F.4th at 376 (explaining that “the risk of future misuse may be heightened where the compromised data is particularly sensitive”). Accordingly, Plaintiffs have demonstrated that they face a substantial and imminent risk of future identity theft.
“Static” information like Social Security numbers, birth dates, driver's license numbers, and health insurance information is particularly valuable to thieves and the theft of such data “will weigh in favor of a finding of injury in fact.” 21st Century Oncology, 380 F.Supp.3d at 1253-54.
b. Plaintiffs allege separate, concrete harms establishing injuries in fact for purposes of standing
As in Mednax, because Plaintiffs' requested relief includes damages, Compl. ¶ 240, the Court must take its analysis one step further. Mednax, 603 F.Supp.3d at 1203; see also Desue v. 20/20 Eye Care Network, Inc., No. 21-61275, 2022 WL 796367, at *5 (S.D. Fla. Mar. 15, 2022). That is because in a claim for damages, “the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 594 U.S. at 436. Here, in addition to establishing a substantial risk of future harm, Plaintiffs allege separate, concrete harms: loss of privacy and confidentiality of their private information; loss of value of private information; time and costs spent mitigating the purported harms; and continuing emotional distress. Because the Court finds Plaintiffs' allegations of substantial risk of imminent future harm-coupled with mitigation efforts- sufficient to establish injuries in fact, the Court need not address Defendants' remaining contentions.
Several Plaintiffs allege that they have sustained damages by expending time and costs monitoring their credit and accounts for fraudulent activity as an attempt to mitigate harm from the Data Breach. “‘[A]ny assertion of wasted time and effort necessarily rises or falls along with this Court's determination of whether' a risk of injury is a concrete harm.'” In re Equifax, 999 F.3d at 1262 (quoting Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 931 (11th Cir. 2020)). Defendants contend that Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is certainly not impending.” Mot. at 14-15. While Defendants are correct that a plaintiff cannot “conjure standing by inflicting some direct harm on itself to mitigate a perceived risk,” Tsao, 986 F.3d at 1339, the Court concludes that the risk of future harm is indeed sufficiently imminent in this case.
“[W]hen a plaintiff faces a sufficient risk of harm, the time, money, and effort spent mitigating that risk are also concrete injuries.” In re Equifax, 999 F.3d at 1262. Here, Plaintiffs have engaged in proactive and reactive mitigation efforts, such as purchasing credit freezes and monitoring services, and spending hours reviewing financial accounts-allegations sufficient to confer standing in claiming damages. See, e.g., Compl. ¶¶ 32, 37, 42, 47, 52, 67, 87; cf. Clapper, 568 U.S. at 417 (“Because respondents do not face a threat of certainly impending interception under § 1881a, the costs that they have incurred to avoid surveillance are simply the product of their fear of surveillance.”).
Defendants challenge Plaintiffs' numerous claims of emotional distress as too abstract to confer standing, relying largely on Kim v. McDonald's USA, LLC, No. 21-05287, 2022 WL 4482826 (N.D. Ill. Sept. 27, 2022). Mot. at 16. However, the court in the Northern District of Illinois found that potential future harms of identity theft were merely speculative because plaintiffs did not allege that they fell victim to a phishing scam or otherwise had their identity stolen-thus, the emotional distress they experienced constituted “quintessential abstract harms.” Id. at *6 (internal quotations omitted). In contrast, the risk of imminent harm here is sufficiently concrete and the Complaint provides tangible instances of emotional distress, including, for example, that Plaintiffs T.E., Fuss, and A.T. must now take or increase their dosages of anxiety medication to alleviate their distress from the theft of their PII/PHI. Compl. ¶¶ 27, 32, 37, 42, 47, 52, 57, 62, 67, 72, 77, 82, 87, 92, 97, 102, 107, 112, 117, 122, 127, 132, 137, 142, 147, 152.
2. Plaintiffs Plausibly Allege Traceability
Defendants also dispute that Plaintiffs meet the second prong of the standing requirement-traceability-and refute that the information potentially impacted by the Data Breach plausibly caused any of the alleged actual or attempted misuse. Mot. at 16-21. Specifically, Defendants argue that (1) the allegedly exfiltrated data was not the same as the data that was ultimately misused; (2) attempted misuse does not confer standing; (3) Plaintiffs do not conceivably allege that the presence of Plaintiffs' information on the dark web is the result of only this Data Breach; and (4) the Complaint does not contain sufficient time and sequence allegations.
Defendants also argue that Plaintiffs who do not allege any actual misuse of their information “should be dismissed outright.” Mot. at 17 n.9. However, as explained above, the Court has concluded that these Plaintiffs maintain standing based on their risk of imminent future harm.
Article III standing requires a “causal connection between the injury and the conduct complained of.” Lujan, 504 U.S. at 560 (cleaned up). In other words, the injury must be “fairly traceable to the challenged action of the defendant.” Id. The Supreme Court has cautioned federal courts not to “confuse weakness on the merits with absence of Article III standing.” Ariz. St. Leg. v. Ariz. Indep. Redistricting Comm 'n, 576 U.S. 787, 800 (2015) (alteration omitted). In the context of Article III standing, “fairly traceable” does not mean “certainly traceable.” Mednax, 603 F.Supp.3d at 1205. Thus, to satisfy Article III's causation requirement, a plaintiff need not show proximate causation. Wilding, 941 F.3d at 1125. “[E]ven harms that flow indirectly from the action in question can be said to be ‘fairly traceable' to that action for standing purposes.” Id. (citing Focus on the Family, 344 F.3d at 1273).
Here, Plaintiffs allege that their PII/PHI was accessed and exfiltrated by hackers due to Defendants' negligence. Compl. ¶¶ 173-88. Consequently, Plaintiffs suffered identity theft (or are otherwise at imminent risk of suffering identity theft) and other losses, including emotional distress and time and costs incurred mitigating harm. Although Defendants duly raise that the Data Breach impacted Fortra's systems-not those of NationsBenefits-Plaintiffs specify that NationsBenefits' failures to protect, maintain, and monitor its GoAnywhere MFT file transfer software-purchased from Fortra-exposed it to vulnerabilities that hackers exploited. Compl. ¶¶ 168-174 (“NationsBenefits did not change the default settings on its installation of GoAnywhere MFT, including leaving the administrative console exposed to anyone with Internet access, failing to comply with reasonable security standards and HIPAA requirements.”); Webb, 72 F.4th at 377 (finding the complaint's allegations satisfy traceability and redressability requirements where “[t]he complaint alleges that IWP's actions led to the exposure and actual or potential misuse of the plaintiffs' PII, making their injuries fairly traceable to IWP's conduct.”); Resnick v. AvMed, Inc., 693 F.3d 1317, 1327 (11th Cir. 2012) (“Plaintiffs allege that the same sensitive information that was stored on the stolen laptops was used to open the Bank of America account,” and therefore, “Plaintiffs' allegations that the data breach caused their identities to be stolen move from the realm of the possible into the plausible.”); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016) (rejecting the argument that fraudulent charges could not be attributed to data breach at P.F. Chang's, and explaining that the argument that there are potential alternative causes for plaintiffs' injuries may be pursued at merits phase); Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017) (holding that plaintiffs satisfied the traceability requirement for Article III standing by alleging that defendants failed to secure their data and thereby subjected them to a substantial risk of identity theft). Indeed, the allegations here are much like an individual purchasing a home alarm system and failing to change the default password.
Further, all Plaintiffs allege either emotional distress as a result of the Data Breach, time and costs spent mitigating harms, or both. And while Defendants maintain that these injuries are not sufficiently concrete, the Court disagrees and finds these injuries in fact are also fairly traceable to Defendants' alleged conduct. Indeed, Plaintiffs need not show that Defendants' actions are the very last step in the chain of causation. See Wilding, 941 F.3d at 1125.
Additionally, although Defendants argue there is a mismatch between the compromised data and information actually misused, it is entirely plausible that, as the Complaint alleges, “[b]y aggregating information obtained from the Data Breach with other sources, or other methods, criminals can assemble a full dossier of Private Information on an individual,” facilitating “a wide variety of frauds, thefts, and scams.” Compl. ¶ 13; see also Mednax, 603 F.Supp.3d at 1206 (“Even if the data accessed in the Data Breaches did not provide all the information necessary to inflict these harms, they very well could have been enough to aid therein.”); Resnick, 693 F.3d at 1324 (“Even a showing that a plaintiff's injury is indirectly caused by a defendant's actions satisfies the fairly traceable requirement.”). By focusing narrowly on the allegations pertinent to each named Plaintiff, Defendants “ignore the allegations in the complaint that apply to all plaintiffs,” contradicting the “relatively modest” burden applicable to a standing analysis. In re SuperValu, Inc., 870 F.3d 763, 772-73 (8th Cir. 2017) (citing Resnick, 693 F.3d at 1324).
See also Compl. ¶ 229 (“The exposure of any Private Information can cause unexpected harms one would not ordinarily associate with the type of information stolen. Cybercriminals routinely aggregate Private Information from multiple illicit sources and use stolen information to gather even more information through social engineering, credential stuffing, and other methods. The resulting complete dossiers of Private Information are particularly prized among cybercriminals because they expose the target to every manner of identity theft and fraud.”).
3. Plaintiffs Have Standing to Pursue Injunctive and Declaratory Relief
Defendants assert that Plaintiffs lack standing to pursue injunctive relief-specifically their request that NationsBenefits provide lifetime credit monitoring and identity theft insurance and implement and maintain reasonable security and monitoring measures-because Plaintiffs fail to allege a sufficiently imminent and substantial risk of harm. Mot. at 21 (citing Compl. ¶ 334). For the same reason, Defendants challenge Plaintiffs' claim under the Declaratory Judgment Act (Count VI). Mot. at 26 (“Plaintiffs' claim . . . fails because Plaintiffs have no reasonable expectation of future injury.”). But given the Court's aforementioned finding that Plaintiffs' have sufficiently stated a risk of future harm, Plaintiffs have standing to pursue a claim for declaratory and injunctive relief. See Mednax, 603 F.Supp.3d at 1205 (finding Plaintiffs' alleged injuries “constitute injuries in fact sufficient to satisfy claims for injunctive relief and damages.”); Desue, 2022 WL 796367, at *4-5 (same). And although Defendants advance an argument that the notification letter attached to the Complaint states that NationsBenefits “immediately stopped using Fortra's software,” the requested injunctive relief arises from the allegation that Defendants still possess Plaintiffs' PII/PHI and their data security measures remain inadequate-not that NationsBenefits continues using Fortra's software. Compl. ¶¶ 331-34.
Having found that Plaintiffs have standing, the Court turns to Defendants' arguments that various state statutory and tort law claims should be dismissed pursuant to Federal Rules of Civil Procedure 9(b) and 12(b)(6). The Court will begin by addressing Plaintiffs' common law claims before moving to Plaintiffs' state statutory claims.
II. Plaintiffs' Common Law Claims
At this time, the parties do not dispute that Florida law governs the various tort-based claims. See Mot. at 23 n.10; Resp. at 14-19; see also Mednax, 603 F.Supp.3d at 1198-99.
1. Negligence (Count I)
It is well-established that under federal law, “entities which collect sensitive, private data from consumers and store such data on their networks have a duty to protect the information.” Mednax, 603 F.Supp.3d at 1222. “Where a defendant's conduct creates a foreseeable zone of risk, the law generally will recognize a duty placed upon [the] defendant either to lessen the risk or [to] see that sufficient precautions are taken to protect others from the harm that the risk poses.” Id. (quoting Kaisner v. Kolb, 543 So.2d 732, 735 (Fla. 1989)) (cleaned up). “Where, as here, a business ‘collect[s] sensitive, private data from consumers,' it has ‘a duty to protect that information.'” Id. (quoting Brush v. Miami Beach Healthcare Grp. Ltd., 238 F.Supp.3d 1359, 1365 (S.D. Fla. 2017)).
In support of dismissing Plaintiffs' first count for negligence, Defendants offer two arguments. Mot. at 23. First, Defendants claim Plaintiffs have not plausibly alleged that “NationsBenefits breached its duty to safeguard their Private Information” because “the Incident impacted Fortra, and not NationsBenefits.” Id. Although both parties acknowledge the attack vector of the Breach was a vulnerability in Fortra's program, Plaintiffs allege the attackers gained access to Plaintiffs' sensitive information because of Defendants' failure to properly configure the Fortra program and implement policies that comply with standard information security practices. Compl. ¶¶ 173-74 (“NationsBenefits was able to control the security and configurations of the MFT servers that stored Class Members' sensitive information for transfer, and were responsible for protecting, maintaining, and monitoring those servers for threat activity . . . NationsBenefits did not change the default settings on its installation of GoAnywhere MFT, including leaving the administrative console exposed to anyone with Internet access, failing to comply with reasonable security standards and HIPAA requirements.”). By doing so, Plaintiffs have sufficiently alleged that NationsBenefits-not Fortra-breached its duty. See Farmer v. Humana, Inc., No. 21-1478, 582 F.Supp.3d 1176, 1186 (M.D. Fla. Jan. 25, 2022) (finding plaintiff's allegations that defendants “failed to implement industry protocols and exercise reasonable care in protecting and safeguarding the PII and PHI of [plaintiff]” and “failed to heed industry warnings and alerts to provide adequate safeguards to protect the PII and PHI” sufficient to plead that defendants breached their duty) (cleaned up).
Second, Defendants claim Plaintiffs have not plausibly alleged that they breached their duty to notify Plaintiffs of the Incident because Defendants' “notification was provided timely and in accordance with appliable law.” Mot. at 23. Specifically, Defendants claim that their obligations are “governed by HIPAA” and they “acted well within the timeframe proscribed by HIPAA.” Reply at 8 (citing to 45 C.F.R. § 164.410). However, 45 C.F.R. § 164.410 provides that NationsBenefits was required to provide notification “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” 45 C.F.R. § 164.410(2)(b). Given that Plaintiffs allege Defendants waited “over two months” from the discovery of the Breach before sending notification letters, Compl. ¶¶ 7, 105, 110, Plaintiffs have adequately alleged that Defendants breached their duty under HIPAA as well as other state statutes.
Accordingly, Plaintiffs have stated a claim for negligence in Count I.
2. Negligence Per Se (Count II)
“[A] negligence per se claim cannot rest on a federal statute that does not provide a private right of action.” Mednax, 603 F.Supp.3d at 1225 (citing Weinberg v. Advanced Data Processing, Inc., 147 F.Supp.3d 1359, 1365 (S.D. Fla. 2015) (compiling cases)). “When a statute is silent as to whether it allows for a private cause of action, such a claim can only survive when the statute evidences legislative intent to create a private cause of action.” In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848, at *9 (M.D. Fla. Jan. 27, 2020) (citation omitted).
Plaintiffs' cause of action for negligence per se arises out of alleged violations of HIPAA, the HIPAA Privacy Rule and Security Rule, HITECH, the FTC Act, and state statutes. Compl. ¶¶ 278-79. As an initial matter, there is no private right of action under HIPAA or HITECH. Mednax, 603 F.Supp.3d at 1216-17 (citing to Brown v. Hill, 174 F.Supp.3d 66, 71 (D.D.C. 2016)). Similarly, “[t]here is no private cause of action implied under the Federal Trade Commission Act.” Lingo v. City of Albany Dep't of Cmty. & Econ. Dev., 195 Fed.Appx. 891, 894 (11th Cir. 2006). Thus, violations of HIPAA, the HIPAA Privacy Rule and Security Rule, HITECH, and the FTC Act cannot form the basis of a negligence per se claim.
Turning to the state statutory violations, Defendants correctly point out that Count II does not specify which state statutes were allegedly violated. See Compl. ¶¶ 277-87. Defendants claim that this “fails to properly put NationsBenefits on notice of which statutes Plaintiffs are relying upon in support of this cause of action[.]”. Mot. at 24. However, Federal Rule of Civil Procedure 8 requires only “a short and plain statement of the claim showing that the pleader is entitled to relief.” Plaintiffs' allegation that Defendants violated state statutes similar to HIPAA and Section 5 of the FTC Act is sufficient to meet this standard. See, e.g., Alvarez v. Hill, 518 F.3d 1152, 1157 (9th Cir. 2008) (“A complaint need not identify the statutory or constitutional source of the claim raised in order to survive a motion to dismiss.”); Welch v. Loftus, 776 F.Supp.2d 222, 226 (S.D. Miss. 2011) (“Rule 8 does not demand that a plaintiff claiming negligence per se include within his Complaint an explicit citation to authority simply for the sake of doing so. So long as the Complaint alleges particular conduct that clearly violates a statute or regulation, it pleads negligence per se with sufficient particularity.”). Indeed, Defendants appear to be sufficiently on notice as to which statutes Plaintiffs allege they violated because they further argue that Count II should be dismissed because “Plaintiffs fail to allege violations of these [state] statutes.” Reply at 9. Accordingly, the Court finds that Plaintiffs have sufficiently stated a claim for negligence per se based on state statutory violations. See Alvarez, 518 F.3d at 1157 (“Indeed, appellees' reply to [appellant's] opposition expressly recognized the applicability of [the statute], conclusively establishing that they had fair notice ....”).
Plaintiffs have thus stated a claim for negligence per se in Count II as to the alleged violation of state statutory schemes only.
3. Breach of Third-Party Beneficiary Contract (Count III)
Under federal law, an intended third-party beneficiary may sue to enforce the terms of a contract. Interface Kanner, LLC v. JPMorgan Chase Bank, N.A., 704 F.3d 927, 932 (11th Cir. 2013). However, to state a third-party beneficiary claim, a plaintiff must allege that the contract reflects an “express or implied intention of the parties to the contract to benefit the third party.” Id. “For a contract to intend to benefit a third party, such intent must be specific and must be clearly expressed in the contract.” Steffan v. Carnival Corp., No. 16-25295, 2017 WL 7796726, at *6 (S.D. Fla. May 22, 2017) (quotations and citations omitted). An “incidental or consequential benefit” is insufficient. Id. The third parties do not need to be specifically named in the contract to qualify as intended beneficiaries, as “long as the contract refers to a well-defined class of readily identifiable persons that it intends to benefit.” Belik v. Carlson Travel Group, Inc., 864 F.Supp.2d 1302, 1312 (S.D. Fla. 2011) (citations omitted).
Defendants argue that Plaintiffs' allegations do not support an inference that Plaintiffs were the direct and primary beneficiaries of the relevant contracts. Mot. at 25. As Defendants point out, “NationsBenefits provided its clients, not the Named Plaintiffs, with administration services.” Mot. at 25 (emphasis supplied) (citing to Compl. ¶¶ 156-57). The Court agrees. Regardless of whether Plaintiffs are able to provide specific language from a contract, Plaintiffs must allege “facts showing that [the parties to the contract] clearly and specifically expressed their intent for the contract to benefit [the Plaintiffs] or any other third parties.” Fischer v. CentralSquare Techs., LLC, No. 21-CV-60856, 2021 WL 10558134, at *4 (S.D. Fla. Sept. 16, 2021). Instead of specific facts, Plaintiffs provide the Court only with circular and boilerplate allegations regarding the intended beneficiaries. See Compl. ¶ 209 (“On information and belief, these contracts are virtually identical and were made expressly for the benefit of Plaintiffs and the Class, as it was their Private Information that NationsBenefits agreed to receive and protect through its services. Thus, the benefit of collection and protection of the Private Information belonging to Plaintiffs and the Class was the direct and primary objective of the contracting parties.”). Plaintiffs have thus failed to “plead factual allegations sufficient ‘to raise a right to relief above the speculative level.'” Fischer, 2021 WL 10558134, at *4 (quoting Twombly, 550 U.S. at 545).
Consequently, Count III must be DISMISSED for failure to state a claim.
4. Breach of Implied Contract (Count IV)
“‘[I]t is a fundamental principle of contracts that in order for a contract to be binding and enforceable, there must be a meeting of the minds on all essential terms and obligations of the contract.'” Harris v. U.S. Dep't of Agric., No. 6:18-CV-882-GMB, 2020 WL 3064944, at *4 (N.D. Ala. June 9, 2020) (quoting Browning v. Peyton, 918 F.2d 1516, 1521 (11th Cir. 1990)). “This is true regardless of whether the agreement is formed under state or federal law.” Id. When considering whether there has been a meeting of the minds on an implied contract in a data breach claim, “[m]any federal courts have held that an implied contract to safeguard customers' sensitive data could reasonably be found to exist in transactions where consumers are solicited or invited to provide personal information in exchange for a good or service.” Mednax, 603 F.Supp.3d at 1221 (citing to In re Brinker, 2020 WL 691848, at *5 and Torres v. Wendy's Int'l, LLC, No. 16-210, 2017 WL 8780453, at *3 (M.D. Fla. Mar. 21, 2017)).
This Court has previously dismissed a breach of implied contract claim where plaintiffs “allege[d] no invitation or solicitation by Defendants indicating that Defendants implicitly assented to secure their PHI and PII in exchange for remuneration.” Id. And it must do the same here. Plaintiffs do not allege any sort of invitation or solicitation by Defendants concerning Plaintiffs' PHI or PII. See Compl. ¶¶ 295-312. Instead, they specifically allege that “NationsBenefits offered to provide services to its clients, which are Plaintiffs' and Class Members' health plan providers, in exchange for payment. Nations Benefits [] required Plaintiffs and Class Members to provide it with their Private Information in order to receive services.” Compl. ¶¶ 296-97. As in Mednax, “Plaintiffs' allegations reveal only that they provided their personal information as required to receive healthcare services from Defendants-not data security services beyond the privacy requirements already imposed on Defendants by federal law.” Mednax, 603 F.Supp.3d at 1221.
Plaintiffs have therefore failed to state a claim for breach of implied contract and Count IV must be DISMISSED with prejudice.
5. Unjust Enrichment (Count V)
To state a claim for unjust enrichment under federal common law, Plaintiffs must show that “(1) a benefit was conferred, (2) the recipient was aware that a benefit was received and; (3) under the circumstances, it would be unjust to allow retention of the benefit without requiring the recipient to pay for it.” United States ex rel. Silva v. VICI Mktg., LLC, 361 F.Supp.3d 1245, 1257 (M.D. Fla. 2019). Defendants argue that dismissal of Count V is appropriate on the sole ground that “[t]his Court's holding in Desue mandates dismissal of the claim for unjust enrichment because Plaintiffs did not have any direct relationship with NationsBenefits.” Reply at 10 (citing to Desue, 2022 WL 796367, at *8). However, the “federal common law does not require” that Plaintiffs “allege that [Defendants] conferred a benefit directly upon [Plaintiffs] to plead a claim of unjust enrichment.” United States ex rel. Borges v. Doctor's Care Med. Ctr., Inc., No. 01-8112, 2007 WL 9702639, at *17 (S.D. Fla. Jan. 29, 2007).
Additionally, as Plaintiffs rightly note, the present case is distinguishable from Desue. As an initial matter, Desue applied Florida law-which specifically requires that a plaintiff “directly confer a benefit on to the defendant.” Desue, 2022 WL 796367, at *8. Moreover, there, the Court found that the plaintiffs failed to state a claim for unjust enrichment because “[t]hey did not affirmatively choose to use Defendants' services; they did not pay for Defendants' services nor provide their private information to Defendants.” Id. Here, Plaintiffs specifically allege that at least one class member provided their private information to Defendants directly, Compl. ¶ 37, and additional class members may be revealed through discovery. Plaintiffs also allege that “Plaintiffs and Class Members whose insurance or managed care organizations partner with NationsBenefits are often required to share their sensitive PII/PHI with NationsBenefits in order to receive the member benefits to which they are entitled.” Compl. ¶¶ 159-162. These allegations distinguish the present matter from Desue, where the Court explicitly based its holding on the fact that the plaintiffs did not “provide their private information to Defendants.” Desue, 2022 WL 796367, at *8. In sum, drawing all inferences in favor of Plaintiffs, Twombly, 550 U.S. at 570, the Court finds that Plaintiffs have sufficiently alleged a direct relationship between Plaintiffs/Class Members and Defendant.
Therefore, Plaintiffs have adequately stated a claim for Unjust Enrichment under Count V.
III. Plaintiffs' State Statutory Claims
Plaintiffs have agreed to dismiss their California Consumer Privacy Act claim (Count VIII). See Resp. at 21 n.8. Accordingly, Count VIII is DISMISSED with prejudice.
1. Rule 9(b) and Reliance
Defendants argue that Counts X, XV, XXIII, and XXVII must be dismissed for failure to meet the heightened pleading standard provided under Rule 9(b). See Mot. at 29 n.15, 31 n.16, 34 n.17, 35 n.18. Given that Defendants raise the same Rule 9(b) argument as to Counts X, XV, XXIII and XXVII-and also contest Plaintiffs' purported reliance as alleged in Counts XXV, XXVI, and XXII-the Court will provide this analysis at the outset.
To satisfy Rule 9(b)'s heightened pleading standard, “claims of fraud must be plead with particularity, which means identifying the who, what, when, where, and how of the fraud alleged.” Omnipol, A.S. v. Multinational Def. Servs., LLC, 32 F.4th 1298, 1307 (11th Cir. 2022). “Rule 9(b) serves two purposes: ‘alerting defendants to the precise misconduct with which they are charged and protecting defendants against spurious charges of immoral and fraudulent behavior.'” United States ex rel. 84Partners, LLC v. Nuflo, Inc., 79 F.4th 1353, 1360 (11th Cir. 2023) (quoting United States ex rel. Clausen v. Lab'y Corp. of Am., 290 F.3d 1301, 1310 (11th Cir. 2002)).
However, “a court considering a motion to dismiss for failure to plead fraud with particularity should always be careful to harmonize the directives of Rule 9(b) with the broader policy of notice pleading.” Gose v. Native Am. Servs. Corp., 109 F.4th 1297, 1318 (11th Cir. 2024) (quoting Friedlander v. Nims, 755 F.2d 810, 813 n.3 (11th Cir. 1985), abrogated on other grounds by Wagner v. Daewoo Heavy Indus. Am. Corp., 314 F.3d 541 (11th Cir. 2002) (en banc)). Accordingly, “a court should ‘hesitate to dismiss a complaint under Rule 9(b) if the court is satisfied (1) that the defendant has been made aware of the particular circumstances for which she will have to prepare a defense at trial, and (2) that plaintiff has substantial prediscovery evidence of those facts.” Id. (quoting from Harrison v. Westinghouse Savannah River Co., 176 F.3d 776, 784 (4th Cir. 1999)).
With this framework in mind, Plaintiffs have satisfied the standards set out under Rule 9(b). Plaintiffs have provided specific allegations in each count that Defendants engaged in deceptive or fraudulent business practices by “[m]isrepresenting that [they] would protect the privacy and confidentiality of Plaintiffs' [] Private Information” despite failing to do so. Compl. ¶ 385(d) (as to Count X); ¶ 437(d) (Count XV); ¶ 568(d) (Count XXV); ¶ 592(d) (Count XXVII). Plaintiffs also allege in each count that Defendants misrepresented they “would comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs' [] Private Information[.]” Compl. ¶ 385(e) (as to Count X); Compl. ¶ 437(e) (Count XV); ¶ 568(e) (Count XXV); ¶ 592(e) (Count XXVII). As for omissions, Plaintiffs claim that Defendants omitted “the material fact that [they] did not comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs'[] Private Information[.]” Compl. ¶ 385(g) (as to Count X); see also Compl. ¶ 437(g) (Count XV); ¶ 568(g) (Count XXV); ¶ 592(g) (Count XXVII). Finally, as to reliance, Plaintiffs aver that they “relied on NationsBenefits' promise to keep private information confidential” and to “ensure that it held vendors with whom it shared sensitive Private Information to the same high standards of data protection.” Compl. ¶¶ 166-67.
Upon review, these allegations are not conclusory in nature. Plaintiffs specifically claim that NationsBenefits knew or should have known that (1) third-party vendors like Fortra “were frequently attacked,” Compl. ¶ 196; (2) GoAnywhere MFT experienced numerous security vulnerabilities in the past, Compl. ¶ 172; (3) the Clop hackers primarily targeted the healthcare industry and file transfer services, Compl. ¶ 199; and (4) extensive harm would occur if the Class's PII/PHI was exposed in a breach, Compl. ¶ 201. Reading these allegations together with the remainder of the Complaint, the Court is satisfied that Defendants “[have] been made aware of the particular circumstances for which [they] will have to prepare a defense at trial” and Plaintiffs “ha[ve] substantial prediscovery evidence of those facts.” Gose, 109 F.4th at 1318. Accordingly, the Complaint meets the particularity requirements of Rule 9(b) and sufficiently alleges relianceon Defendants' material misrepresentations and omissions.
In its general allegations, Plaintiffs also identify the following statements in NationsBenefits' privacy policy as misrepresentations: “that it will ‘use reasonable physical, technical, and administrative safeguards' to protect customers' Private Information” and “that it will only share customer information in limited circumstances, none of which include sharing with the cyber criminals that facilitated the Breach”; Plaintiffs further allege that NationsBenefits omitted from the privacy policy that it would share Plaintiffs' PII/PHI with third parties. Compl. ¶¶ 163-65, 203-04, 437, 443, 591, 539. Plaintiffs claim they would not have shared their PII/PHI with their health insurer had they known of NationsBenefits' security failings. E.g., Compl. ¶¶ 31, 36, 106, 111, 146.
Defendants additionally argue, in a single footnote in their Reply, that Counts X, XV, XXIII, and XXVII fail to allege reliance under Rule 9(b)'s heightened pleading requirements because Plaintiffs do not allege they actually read NationsBenefits' privacy policy. See Reply at 12 n.11 (“While Plaintiffs rely on NationsBenefits' privacy policy, nowhere in the Complaint do they allege that they actually read this policy”). Defendants did not raise this argument in their Motion, and to avoid prejudice to Plaintiffs who were unable to respond to this new argument, the Court will not consider it. See Gen. Star Nat'l Ins. Co. v. MDLV, LLC, No. 21-24284, 2023 WL 2436148, at *5 (S.D. Fla. Jan. 5, 2023), report and recommendation adopted, No. 21-24284, 2023 WL 2388518 (S.D. Fla. Feb. 3, 2023), aff'd, No. 23-11064, 2024 WL 700425 (11th Cir. Feb. 21, 2024) (“In the Eleventh Circuit, courts do not consider arguments raised for the first time in a reply brief.”).
2. Arkansas Deceptive Trade Practices Act (“ADTPA”) (Count VII)
Plaintiffs Pamela and Stephen Lazaroff advance an ADTPA claim on behalf of the
Arkansas subclass. ADTPA lists specific types of behavior that constitute deceptive and unconscionable trade practices and includes a catchall provision prohibiting “[e]ngaging in any other unconscionable, false, or deceptive act or practices in business, commerce, or trade.” Ark. Code. Ann. § 4-88-107(a)(10). Courts have refused to “convert the relatively nuanced modifying phrase chosen by the state legislature for the catch-all provision-‘unconscionable, false, or deceptive'-into a general reference to any unlawful conduct.” Universal Cooperatives, Inc. v. AACFlying Serv., Inc., 710 F.3d 790, 795 (8th Cir. 2013); Dickinson v. SunTrust Mortg., Inc., No. 3:12CV00112 BSM, 2015 WL 1868827, at *2 (E.D. Ark. Apr. 23, 2015); Chruby v. Glob. Tel*link Corp., No. 5:15-CV-5136, 2017 WL 4320330, at *11 (W.D. Ark. Sept. 28, 2017).
Thus, the Eighth Circuit has interpreted the term “unconscionable” in the catch-all subsection to include instances of “false representation, fraud, or the improper use of economic leverage in a trade transaction.” Universal Cooperatives, 710 F.3d at 796. “The elements of such a cause of action are (1) a deceptive consumer-oriented act or practice which is misleading in a material respect and (2) injury resulting from such act.” Apprentice Info. Sys., Inc. v. DataScout, LLC, 544 S.W.3d 536, 539 (Ark. 2018).
Defendants predicate their challenge on Plaintiffs' “fail[ure] to allege any direct relationship with NationsBenefits.” Mot. at 27. However, the Court concludes that Plaintiffs allege facts that establish a “direct relationship” between the parties, including via Defendants' mobile app and membership platform, which are “often required for [Plaintiffs] to obtain certain benefits” from their health plans. Compl. ¶¶ 161, 162. Defendants also maintain that the allegations are merely conclusory. Mot. at 27. The Court disagrees and finds that Plaintiffs sufficiently state a claim, alleging, for example, that Defendants employed a “bait-and-switch” method when offering their good and services, “accepting] the responsibility of protecting the data” to attract Plaintiffs, only to “keep[] the inadequate state of its security controls secret from the public.” Compl. ¶ 345-49; cf. Bellwether Cmty. Credit Union v. Chipotle Mexican Grill, Inc., 353 F.Supp.3d 1070, 1091 (D. Col. 2018) (assessing the ADTPA's applicability to a data breach at a Chipotle and dismissing the claim where plaintiff had not addressed “how Chipotle's decisions improperly used economic leverage.”); see also State ex rel. Bryant v. R & A Inv. Co., Inc., 985 S.W.2d 299, at 302-03 (Ark. 1999) (noting “liberal construction of the ADTPA is appropriate”). Accordingly, Count VII will stand.
3. California Customer Records Act (“CCRA”) (Count IX)
Plaintiff Ariana Skurauskis on behalf of herself and the California subclass allege a violation of Cal. Civ. Code §§ 1798.80 et seq. Defendants challenge the claim on the grounds that (1) Skurauskis does not allege that NationsBenefits did not maintain reasonable security practices and (2) Skurauskis fails to sufficiently allege deficient notice. Mot. at 28. The CCRA “requires California businesses that own or license computerized data that includes personal information to disclose a data breach after discovering one ‘in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.'” In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1149 (C.D. Cal. 2021) (quoting Cal. Civ. Code § 1798.82). Here, as the Court explained when expounding on traceability, the Complaint details how NationsBenefits failed to protect, maintain, and monitor its software. Compl. ¶¶ 168-174.
Next, Plaintiffs' allegation that Defendants failed to disclose the Data Breach “in a timely and accurate fashion,” waiting until at least April 13, 2023, despite being notified by February 3, 2023-Compl. ¶¶ 190, 373-is similarly sufficient. In re Ambry Genetics, 567 F.Supp.3d at 1150 (“At the pleading stage the Court must accept as true Plaintiffs' allegation that Defendants' approximately 3-month delay was unreasonable.”). Count IX will therefore stand.
4. California Unfair Competition Law (“CUCL”) (Count X)
Defendants contend that Plaintiffs' CUCL claim fails because Plaintiffs do not allege they lack an adequate remedy at law and fail to allege reliance on any misrepresentations and omissions. Mot. at 28-29. As this Court explained in Mednax, the equitable claim fails because Plaintiffs do not allege that they “lack[ed] an adequate remedy at law.” Mednax, 608 F.Supp.3d at 1216 (citing Sonner v. Premier Nutrition Corp., 971 F.3d 834, 839 n.2 (9th Cir. 2020); In re Cal. Gasoline Spot Mkt. Antitrust Litig., No. 20-03131, 2021 WL 1176645, at *7-8 (N.D. Cal. Mar. 29, 2021)). And an injunction may issue only where a plaintiff lacks an adequate remedy at law. Id.; see also Huu Nguyen v. Nissan N. Am., Inc., No. 16-cv-05591-LHK, 2017 WL 1330602, at *5 (N.D. Cal. Apr. 11, 2017) (dismissing request for injunctive relief at the pleading stage due to insufficient allegations regarding the inadequacy of legal relief); Silvercrest Realty, Inc. v. Great Am. E&S Ins. Co., No. 11-cv-01197-CJC, 2012 WL 13028094, at *3 (C.D. Cal. Apr. 4, 2012) (“Plaintiff may not seek this relief because Plaintiff has an adequate remedy at law in the form of Plaintiff's claims for damages”).
In their Response, Plaintiffs assert that they “lack an adequate remedy at law for future harms” and, in essence, should be permitted to proceed with the CUCL claim in the alternative. Resp. at 22. The Complaint itself, however, does not advance this allegation-nor is this claim pleaded in the alternative. Therefore, Count X is DISMISSED with prejudice.
Plaintiffs rely on Chaplin v. Walmart, Inc., No. 3:23-CV-00878-WHO, 2023 WL 4843956, at *6 (N.D. Cal. May 25, 2023) for the proposition that a plaintiff may bring a damages claim and a CUCL claim for equitable relief “so long as she show[s] the monetary damages for past harm are an inadequate remedy for the future harm that an injunction under California consumer protection law is aimed at.” Resp. at 22. However, there is no “clear[]” showing in the Complaint “that the injunctive relief [Plaintiffs] seek[] is different from any legal remedy [they] may be entitled to.” Id.
5. Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”) (Count XI)
Plaintiffs Anthony Skuya, Renee Fideleff, and Stephen Wolsey advance a FDUTPA claim for monetary and non-monetary relief, “including actual damages under Fla. Stat. § 501.211; [and] declaratory and injunctive relief” on behalf of themselves and the Florida subclass. Compl. ¶¶ 391, 398. Defendants argue that this claim fails because Plaintiffs do not allege a diminution in value of the goods and services that they received from NationsBenefits. Mot. at 29. The issue here, then, is whether Plaintiffs' claims of “loss of value of their Private Information; overpayment for NationsBenfits' services; [and] loss of the value of access to their Private Information” are merely consequential or otherwise not cognizable under FDUTPA. Compl. ¶ 397. In accordance with this Court's prior ruling in Mednax-and given the absence of countervailing case law-the Court concludes that Plaintiffs cannot seek actual damages under FDUTPA.
FDUTPA does not apply to “a claim for damage to property other than the property that is the subject of the consumer transaction.” Fla. Stat. § 501.212(3). A consumer claim for damages under FDUTPA has three elements: (1) an objectively deceptive act or unfair practice; (2) causation; and (3) actual damages. Carriuolo v. Gen. Motors Co., 823 F.3d 977, 983 (11th Cir. 2016) (citing City First Mortg. Corp. v. Barton, 988 So.2d 82, 86 (Fla. 4th DCA 2008)). Florida courts consider actual damages, in the FDUTPA context, to be a “term of art.” Casa Dimitri Corp. v. Invicta Watch Co. of Am., 270 F.Supp.3d 1340, 1352 (S.D. Fla. 2017).
Generally, actual damages constitute “the difference in the market value of the product or service in the condition in which it was delivered and its market value in the condition in which it should have been delivered according to the contract of the parties.” Rollins, Inc. v. Butland, 951 So.2d 860, 869 (Fla. 2d DCA 2006) (quoting Rollins, Inc. v. Heller, 454 So.2d 580, 585 (Fla. 3d DCA 1984) (describing this measurement as being “well-defined in the case law”). Importantly, “[FDUTPA] entitles a consumer to recover damages attributable to the diminished value of the goods or services received, but does not authorize recovery of consequential damages to other property attributable to the consumer's use of such goods or services.” Fort Lauderdale Lincoln Mercury, Inc. v. Corgnati, 715 So.2d 311, 314 (Fla. 4th DCA 1998) (quoting Urling v. Helms Exterminators, Inc., 468 So.2d 451, 454 (Fla. 1st DCA 1985)).
Here, the losses “associated with” the Breach, see Compl. ¶ 397, amount to consequential damages insufficient to state a claim under FDUTPA. Resp. at 24; Farmer, 582 F.Supp.3d at 1191 (finding that “damages arising from identity theft and fraud” as well as the “increased risk of future identity theft and fraud, and the costs associated therewith; and time spent monitoring, addressing, and correcting the current and future consequences of the data breach” are not cognizable under FDUTPA). And, as in Mednax, Plaintiffs here ultimately fail to plausibly allege that the healthcare services they received diminished in value as a result of the Breach. Mednax, 603 F.Supp.3d at 1212. Plaintiffs attempt to reframe their allegation to maintain that “Defendants' conduct reduced the value” of healthcare services. Resp. at 23 (citing Compl. ¶ 243). But their actual claim-that they would not have paid as much for NationsBenefits' services or benefits had they “known the truth about NationsBenefits' data security practices”-still fails under FDUTPA, which exempts claims for damages to “property other than the property that is the subject of the consumer transaction.” Compl. ¶ 243; Fla. Stat. § 501.212(3).
Here, the “property that is the subject of the consumer transaction” is the “supplemental benefits administration services,” Compl. ¶ 155, that Plaintiffs access through their healthcare plans. Fla. Stat. § 501.212(3); In re Brinker, 2020 WL 691848, at *13. Plaintiffs have not alleged that Defendants expressly provide data security as part of the services that constitute the subject consumer transaction. Rather, consequential to its offering of an “array of supplemental healthcare solutions,” NationsBenefits “collects and processes an enormous volume of personal data.” Compl. ¶¶ 156, 159. Absent such allegations, Plaintiffs' impacted “personal information is merely other property that was damaged as result of” using Defendants' services. In re Brinker, 2020 WL 691848, at *13 (internal citation omitted). Accordingly, Plaintiffs' FDUTPA claim is limited to injunctive relief and any claims for actual damages are DISMISSED with prejudice.
Plaintiffs rely on Tymar Distrib. LLC v. Mitchell Grp. USA, LLC, 558 F.Supp.3d 1275, 1286 (S.D. Fla. Sept. 8, 2021) to suggest that FDUTPA articulates a larger universe of damages available, including claims that arise from “actual and indirect pecuniary loss, mental suffering, value of time, actual expenses, and bodily pain and suffering.” Resp. at 23-24. But as this Court explained in Desue, Plaintiffs' reliance on Tymar is misplaced. The court in Tymar limited its liberal construction of FDUTPA to cases that do not contemplate an expectancy measure of damages-specifically, the corporate-competitor plaintiff seeking lost profits. Desue, 2022 WL 796367, at *10 (citing Tymar, 558 F.Supp.3d at 1286).
6. Illinois Personal Information Protection Act (“IPIPA”) (Count XII) and Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”) (Count XIII)
Although styled as a standalone claim, Plaintiffs seek relief for willful violations of 815 Ill. Comp. Stat. § 530/10(a), the ICFA statute. The “[I]PIPA itself does not provide for a private cause of action to seek damages for violations.” See Best v. Malec, No. 09 C 7749, 2010 WL 2364412, at *7 (N.D. Ill. June 11, 2010). However, a violation of the IPIPA constitutes a violation of the ICFA, which expressly permits damages suits. Therefore, if Plaintiffs can bring an ICFA claim, they can seek recovery for an IPIPA violation. In re SuperValu, Inc., 925 F.3d 955, 964 (8th Cir. 2019) (“The only way to pursue a claim under [I]PIPA is by satisfying ICFA's requirements because [I]PIPA does not create a separate cause of action”); see also Miller v. Nextgen Healthcare, Inc., No. 1:23-CV-2043-TWT, 2024 WL 3543433, at *13 (N.D.Ga. July 25, 2024) (noting that “whether [plaintiff] may assert this claim depends on whether she has plausibly alleged a violation of [I]PIPA and otherwise meets the requirements of the ICFA”). Here, Plaintiffs appear to also allege an ICFA violation, based in part on Defendants' alleged violation of the IPIPA. Compl. ¶ 416. Accordingly, the Court will first examine whether Plaintiffs adequately state a claim under the ICFA.
Although Count XIII is currently styled as another “Illinois Personal Information Protection Act” claim, the count cites the ICFA statute, 815 Ill. Comp. Stat. §§ 505 et seq., and the briefing raises arguments regarding an ICFA claim.
Defendants argue that the ICFA does not apply if the transaction occurs primarily out of state. See Mot. at 30. Interpreting the ICFA, the Illinois Supreme Court reasoned, “we conclude that the General Assembly did not intend the Consumer Fraud Act to apply to fraudulent transactions which take place outside Illinois.” Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 853 (Ill. 2005). While Avery involved nonresident plaintiffs pursuing an action under the ICFA, the decision did not exclude Illinois residents from its interpretation. Id.
Further, the Illinois Supreme Court “recognize[d] that there is no single formula or bright-line test for determining whether a transaction occurs within this state. Rather, each case must be decided on its own facts.” Avery, 835 N.E.2d at 854. As Plaintiffs have not alleged that events underlying their claims occurred primarily and substantially in Illinois-and the only alleged connection between the IPIPA claim and the state of Illinois is Plaintiffs' Illinois citizenship-the ICFA claim (Count XIII) is DISMISSED. See Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 77374 (C.D. Ill. 2020) (dismissing ICFA claim despite plaintiff being an Illinois resident because the “disputed transaction occurred in Kansas, not Illinois.”). And given that Plaintiffs fail to state an ICFA claim, their IPIPA claim (Count XII) is also DISMISSED. See Miller, 2024 WL 3543433, at *14 (dismissing IPIPA claim for failure to allege events underlying the claim occurred primarily and substantially in Illinois under the ICFA).
Had Plaintiffs successfully alleged an ICFA claim, their IPIPA claim would survive. The IPIPA requires data collectors owning personal information of an Illinois resident to notify the resident of a data breach “in the most expedient time possible and without unreasonable delay.” In re Michaels Stores Pin Pad Litig., 830 F.Supp.2d 518, 527-28 (N.D. Ill. 2011) (quoting 815 Ill. Comp. Stat. 530/10). The Complaint alleges that Defendants “fail[ed] to disclose the Data Breach . . . in the most expedient time possible and without reasonable delay.” Compl. ¶ 407. Indeed, Plaintiffs allege that NationsBenefits did not inform affected customers for over two months after they learned of the Breach. Compl. ¶ 7.
7. Illinois Uniform Deceptive Trade Practices Act (“IUDTPA”) (Count XIV)
In opposition to Plaintiffs' IUDTPA claim, Defendants maintain that Plaintiffs have failed to sufficiently allege that NationsBenefits' misrepresentations are likely to cause future injury sufficient to pursue injunctive relief. Mot. at 30. Notwithstanding the IUDTPA's “primary focus on acts between competitors, a consumer action is possible.” Popp v. Cash Station, Inc., 613 N.E.2d 1150, 1157 (Ill.App.Ct. 2d Dist. 1992) (citing Greenberg v. United Airlines, 563 N.E.2d 1031, 1037 (Ill.App.Ct. 1st Dist. 1990)). In most consumer actions, the plaintiff is unable to allege facts showing a likelihood of future harm because the harm has already occurred, and because the plaintiff is unlikely to be deceived by a defendant's misstatements again in the future. Reid v. Unilever U.S., Inc., 964 F.Supp.2d 893, 918 (N.D. Ill. 2013). Nonetheless, a consumer may seek injunctive relief under the IUDTPA if she can show that she is likely to be damaged in the future by the defendant's misleading trade practices. See Fox v. Iowa Health Sys., 399 F.Supp.3d 780, 799 (W.D. Wis. July 25, 2019).
Defendants reference Perdue-a class action against a supermarket chain attacked by hackers-which found that defendant's misrepresentations regarding their data security measures could not be redressed by injunctive relief because allegations of future misuse of data already stolen were insufficient to state a claim under the IUDTPA. 455 F.Supp.3d at 773. The Complaint here, however, identifies the potential imminent future harm and addresses how injunctive measures could still abate it. Specifically, Plaintiffs allege the risk of another data breach occurring, as NationsBenefits still possesses their data while maintaining inadequate security. Cf. Fox, 399 F.Supp.3d at 799-800 (noting plaintiff's failure to establish how defendant's continued misrepresentations concerning securing patient health information caused future damage). Accordingly, Plaintiffs can maintain their IUDTPA claim for injunctive relief.
8. Indiana Deceptive Consumer Sales Act (“IDSCA”) (Count XV)
The IDCSA prohibits “unfair, abusive, or deceptive act[s], omission[s], or practice[s] in connection with a consumer transaction.” Ind. Code § 24-5-0.5-3(a). Importantly, the statute requires that it be “liberally construed and applied to promote its purposes and policies.” Ind. Code § 24-5-0.5-1. A plaintiff may bring a case pursuant to the IDCSA if they relied upon “an uncured or incurable deceptive act.” Id. at § 24-5-0.5-4(a). Unless the deceptive act is incurable, however, a plaintiff cannot bring an action without first giving notice to the supplier. Id. at § 24-n 5-0.5-5(a). Defendants argue that the IDSCA claim here is deficient because (1) there was no “consumer transaction” between the parties and (2) there was no notice of uncured or incurable deceptive acts. Mot. at 31.
With regards to Defendants' second point, Plaintiff Shepherd alleges that “NationsBenefits' conduct includes incurable deceptive acts.” Compl. ¶ 449. And notice is not required for intentional incurable deceptive acts. Perry v. Gulf Stream Coach, Inc., 814 N.E.2d 634, 647 (Ind.Ct.App. 2004) (holding that an act is “incurable” and immediately actionable without notice to the seller if the seller committed the act with intent to defraud or mislead). Accordingly, this argument fails.
As for Defendants' argument regarding the lack of a “consumer transaction,” the IDCSA defines “consumer transaction” as “a sale, lease, assignment, award by chance, or other disposition of an item of personal property, real property, a service, or an intangible . . . to a person for purposes that are primarily personal, familial, charitable, agricultural, or household[.]” Ind. Code § 24-5-0.5-2(a)(1). Courts have interpreted this definition broadly, noting, for example, that “the IDCSA does not require a direct transaction between the plaintiff and the defendant involving the sale of goods.” In re Actiq Sales & Mktg. Pracs. Litig., 790 F.Supp.2d 313, 326 (E.D. Pa. Mar. 23, 2011) (finding transaction between third-party payors and drug manufacturer constituted “consumer transaction”).
Defendants' sole authority to challenge the matter as a consumer transaction is Mackey v. Belden, Inc., No. 21-CV-00149-JAR, 2021 WL 3363174, at *12-14 (E.D. Mo. Aug. 3, 2021), which did not identify plaintiff's employee relationship as a “consumer transaction”-even under the statute's prescription for liberal construction. Id. (citing Ind. Code § 24-5-0.501). But unlike here, the plaintiff in Mackey “did not purchase any product from [defendant] for personal use.” Id. at 13. Thus, Mackey is distinguishable from the instant case. And pursuant to the statutory charge that the IDSCA be “liberally construed,” the Court finds that Plaintiffs' use of NationsBenefits' services to access their health plan's benefits constitutes a consumer transaction under the statute. Accordingly, Plaintiffs' IDCSA claim stands.
9. Kansas Protection of Consumer Information Act (“KPCIA”) (Count XVI)
Defendants maintain that NationsBenefits is exempt from an action under the KPCIA as an entity regulated by HIPAA, relying exclusively on In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. 19-md-2904, 2023 WL 8540911 (D.N.J. May 5, 2023). Mot. at 31. Plaintiff (A.T., brought on behalf of himself and the Kansas Subclass) retorts that this argument is a defense that should not be decided at this stage in the proceedings, where the Complaint alleges that Defendants “violated HIPPA by using a non-compliant third-party file application and failing to configure it for HIPAA compliance.” Resp. at 27.
The Court disagrees with the interpretation of the KPCIA's plain language in In re American Medical Collection Agency, which found that entities regulated by federal law (such as HIPAA) are exempt from the KPCIA-regardless of compliance. 2023 WL 8540911, at *11 (citing Kan. Stat. Ann. § 50-7a02(e)). The KPCIA makes clear that an entity is deemed compliant with the statute (and is thereby exempt from it) if the procedures it maintains for a security breach are “pursuant to the laws, rules, regulations, guidances or guidelines established by its primary or functional state or federal regulator.” Kan. Stat. Ann. § 50-7a02(e) (emphasis added); see also Pursuant To, Black's Law Dictionary (12th ed. 2024) (“In compliance with; in accordance with; under”; “As authorized by”). In other words, a violation of the statute could occur if an entity, including those regulated by HIPAA, departed from the appropriate security protocols. Here, Plaintiffs acknowledge that Defendants are regulated by state or federal law (HIPAA) but posit that their security procedures are not in compliance with-or “pursuant to”-HIPAA. Compl. ¶ 221 (alleging that Defendants “failed to comply with HIPAA” and “failed to maintain adequate security practices”). Plaintiffs may therefore maintain their KPCIA count.
10. Kansas Consumer Protection Act (“KCPA”) (Count XVII)
Defendants argue that there is no consumer transaction sufficient to state a claim under the KCPA. Mot. at 32. The KCPA “generally prohibits both deceptive acts or practices and unconscionable acts or practices ‘in connection with a consumer transaction,'” Martinez v. Hobbs Mech., No. 123,027, 2021 WL 3439219, at *6 (Kan. App. 2021) (quoting K.S.A. 2020 Supp. 50-626(a); K.S.A. 50-627(a)). Among other things, deceptive acts or practices include a wide variety of knowing misrepresentations, id. § 50-626(a)(1), and willful failure to state a material fact, id. § 50-626(a)(3). The statute also prohibits suppliers from engaging in any unconscionable act or practice in connection with a consumer transaction. K.S.A. § 50-627(a).Courts considering the KCPA often address “three inquiries in determining consumer status under the Act: ‘(1) to whom were the representations made; (2) who suffered damages; and (3) who was affected by the defendant's alleged misconduct.'” Kape Roofing & Gutters, Inc. v. Chebultz, No. 113,025, 2016 WL 3655893, at *10 (Kan. App. 2016) (quoting Ellibee v. Aramark Correctional Services, Inc., 37 Kan.App.2d 430, 433 (2007)).
The KCPA defines “consumer” to include someone who “seeks or acquires property or services[,]” K.S.A. 2020 Supp. 50-624(b); defines “supplier” as one that “solicits, engages in or enforces consumer transactions[,]” K.S.A. 2020 Supp. 50-624(1); and defines “consumer transaction” to include “a solicitation by a supplier with respect to any” “disposition for value of property or services within this state.” K.S.A. 2020 Supp. 50-624(c).
In Ellibee, which Defendants rely on in their Reply, an inmate plaintiff brought KCPA claims against a contractual meal provider for the Kansas Department of Corrections. 37 Kan.App.2d at 433; Reply at 11. In affirming the trial court's dismissal of the KCPA claims, the Court of Appeals of Kansas reasoned that there was “no evidence in the record on appeal that [the contractual meal provider] ever made any representation directly to [the inmate plaintiff]” regarding the meal service. Id. Given the absence of any representations made by the contractual meal provider to the inmate plaintiff-and the lack of evidence of any sale or trade-there was no basis for a KCPA claim. Id. (citing K.S.A. 50-624(c)).
Here, although Plaintiffs similarly did not contract directly with Defendants to obtain their services, the Complaint includes allegations that NationsBenefits engaged with and made representations to Plaintiffs-and avers an exchange of paid-for services or benefits. Compl. ¶¶ 243, 469; see also Moral v. PHH Mortg. Corp., No. 6:21-CV-01070-HLT-TJJ, 2022 WL 4016583, at *9 (D. Kan. Sept. 2, 2022) (holding that the KCPA may apply to companies that enforce consumer transactions “whether or not dealing directly with the consumer”) (quoting Kan. Stat. Ann. § 50-264)). Plaintiffs have thus set forth sufficient allegations to maintain their KCPA action.
11. Michigan Consumer Protection Act (“MCPA”) (Count XVIII)
Michigan residents Teresa Hassan, Catherine Radtke, and Martin Radtke advance an MCPA claim on behalf of themselves and the putative Michigan subclass, which Defendants challenge for their failure to allege actual reliance on wrongful conduct. Mot. at 32. While the Court has already concluded that Plaintiffs sufficiently allege reliance, it will consider the arguments specifically raised in opposition to the MCPA claim. Under the MCPA, “[u]nfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce are unlawful[.]” Mich. Comp. Laws § 445.903(1). A plaintiff alleging a violation of the MCPA based on material misrepresentations must show reliance on such statements to their detriment. In re OnStar Contract Litig., 278 F.R.D. 352, 378 (E.D. Mich. 2011) (stating that there is “no dispute” that individuals asserting MCPA misrepresentation claims “must establish reliance”); Flynn v. FCA U.S. LLC, 327 F.R.D. 206, 219 (S.D. Ill. 2018) (holding that MCPA misrepresentation claim requires reliance and identification of specific statements upon which the plaintiff allegedly relied) (citations omitted). On the other hand, a claim premised on a failure to disclose material facts does not require a consumer to prove reliance or a duty to disclose. Flynn, 327 F.R.D. at 219 (citing Mich. Comp. Laws § 445.903(1)(s)). Here, Plaintiffs allege both misrepresentations and omissions.
Defendants rely on In re American Medical Collection Agency, Inc., which held that plaintiffs' failure to allege that they “viewed any data privacy policies before obtaining services,” prevented them from establishing actual reliance, thereby warranting dismissal of the MCPA claims. No. CV 19-MD-2904, 2021 WL 5937742, at *32 (D.N.J. Dec. 16, 2021). Here, however, Plaintiffs identify Defendants' privacy policy and allege that they relied on “NationsBenefits' promise to keep their [PII/PHI] confidential and securely maintained, and to only make authorized disclosures of this information.” Compl. ¶¶ 163, 166. Plaintiffs also allege reliance “on NationsBenefits to ensure that it held vendors with whom it shared sensitive Private Information to the same high standards of data protection.” Compl. ¶ 167. Further, as explained above, the Complaint highlights the harm Plaintiffs experienced as a result of such reliance. See supra at 1315; 23-25. Accordingly, Plaintiffs have sufficiently alleged a claim under the MCPA.
12. Missouri Merchandise Practices Act (“MMPA”) (Count XIX)
Defendants argue that Plaintiffs' MMPA claim fails because Plaintiffs do not allege any unlawful act in relation to any purchase of merchandise by Plaintiffs from NationsBenefits, relying on this Court's analysis in Mednax. Mot. at 32 (citing Mednax, 603 F.Supp.3d at 1215). To state a claim under the Missouri law, “the alleged unlawful act must occur in relation to a sale of merchandise, and an ascertainable pecuniary loss must occur in relation to the plaintiff's purchase or lease of that merchandise.” Kuhns v. Scottrade, Inc., 868 F.3d 711, 719 (8th Cir. 2017) (holding that although “intangible services may qualify as merchandise” for purposes of the MMPA, defendant sold brokerage services and not data security services and thus was not liable under the statute for the harm arising out of a data breach).
Plaintiffs maintain, “[u]nlike Mednax, data security is fundamental, not incidental to Defendants' business.” Resp. at 28. Yet, the Complaint advances no such allegations and instead alludes broadly to any business's duty to maintain adequate security practices in the modern age. Compl. ¶ 9. Moreover, the Complaint acknowledges Defendants' business as a “health benefits administration company that partners with managed care organizations to provide supplemental benefits, flex cards, and member engagement solutions,” which “directly and indirectly collected [PII and PHI].” Compl. ¶ 2. In other words, “Defendants sold healthcare services and not data security services.” Mednax, 603 F.Supp.3d at 1215. Accordingly, the MMPA claim (Count XIX) is DISMISSED with prejudice.
13. New Jersey Consumer Fraud Act (“NJCFA”) (Count XX)
Plaintiff Edward Wilczynski brings the NJCFA action on behalf of himself and the putative New Jersey subclass, which Defendants seek to dismiss for failure to allege a consumer transaction between Plaintiffs and NationsBenefits. Mot. at 33. To state a NJCFA claim, a “consumer” must allege sufficient facts to demonstrate (1) unlawful conduct by the defendant that violates the NJCFA; (2) an ascertainable loss by the plaintiff; and (3) a causal relationship between the unlawful conduct and the ascertainable loss. Gonzalez v. Wilshire Credit Corp., 207 N.J. 557, 576 (2011) (citing Lee v. Carter-Reed Co., L.L.C., 203 N.J. 496, 521 (2010)). “It is well-established that NJCFA claims must meet the heightened pleading requirements of Fed.R.Civ.P. 9(b).” Lieberson v. Johnson & Johnson Consumer Cos., Inc., 865 F.Supp.2d 529, 538 (D.N.J. 2011) (citing Frederico v. Home Depot, 507 F.3d 188, 200 (3d Cir. 2007)).
The NJCFA “is not intended to cover every transaction that occurs in the marketplace, instead its applicability is limited to consumer transactions which are defined both by the status of the parties and the nature of the transaction itself.” In re Blackbaud, Inc., Cust. Data Breach Litig., No. 3:20-MN-02972-JMC, 2021 WL 3568394, at *11 (D.S.C. Aug. 12, 2021) (internal quotations omitted) (dismissing NJCFA claim, finding plaintiffs were not “consumers” entitled to protection of the statute because they did not assert that they purchased or used defendant's services or even perceived defendant's existence). The NJCFA is intended to protect “consumers who purchase ‘goods or services generally sold to the public at large.'” Arc Networks, Inc. v. Gold Phone Card Co., Inc., 333 N.J.Super. 587, 589 (Law Div. 2000) (quoting Marascio v. Campanella, 298 N.J.Super. 491, 499 (App. Div. 1997)). “A plaintiff does not qualify as a consumer if they do not purchase a product for consumption.” In re Blackbaud, 2021 WL 3568394, at * 11 (citing Arc Networks, 333 N.J.Super. at 589-90); see also Windsor Card Shops, Inc. v. Hallmark Cards, Inc., 957 F.Supp. 562, 567 n.6 (D.N.J. 1997) (holding that a corporation “cannot sue as a consumer of goods under [the] NJCFA” when it “purchased the goods at wholesale to sell to its store customers”).
Here, Plaintiff does not allege a consumer transaction with the specificity contemplated by the NJCFA-or that Plaintiff is a consumer vis-a-vis Defendants. Rather, Plaintiff Wilczynski alleges that he “receives benefits from NationsBenefits by virtue of his health plan membership with Aetna.” Compl. ¶ 134 (emphasis added); see also Specialty Ins. Agency v. Walter Kaye Assocs., Inc., No. CIV. 89-1708 (CSF), 1989 WL 120752, at *5 (D.N.J. Oct. 2, 1989) (“[I]n order for an entity such as SIA to recover under the Consumer Fraud Act it must be a consumer vis-avis the defendants.”). Indeed, Plaintiffs describe the relationship as one that exists through another entity, explaining that “Plaintiffs and Class Members provided their Private Information to their respective health plans or other entities who in turn provided that information to NationsBenefits.” Compl. ¶ 202; In re Schering-Plough Corp. Intron/Temodar Consumer Class Action, No. 2:06-CV-5774(SRC), 2009 WL 2043604, at *31 (D.N.J. July 10, 2009) (“Products and services that are purchased for consumption or use in the operation of a business are covered by the NJCFA.”); see also In re Blackbaud, 2021 WL 3568394, at *12 (finding that plaintiff did not plausibly contend she was a consumer of Blackbaud's services where she merely represented that Blackbaud “stored her data as a result of” her relationship to another entity); Robinson v. Maintech Inc., No. CV 2304458, 2024 WL 1598416, at *5 (D.N.J. Apr. 12, 2024) (dismissing NJCFA claim and noting that “Plaintiff did not directly purchase services from Defendants”). Thus, given the absence of a consumer transaction as contemplated by the statute, Plaintiffs' NJCFA claim (Count XX) must be DISMISSED with prejudice.
While the Court has found consumer transactions exist under various other state statutes, the NJCFA appears particularly strict in its consideration of what constitutes a “consumer transaction.”
14. New York General Business Law § 349 (“NYGBL”) (Count XXI)
Plaintiffs Michael Wanser and Mary Ann Landries are New York residents advancing the NYGBL claim on behalf of themselves and the New York subclass. Compl. ¶¶ 68, 128. Defendants challenge the purportedly extraterritorial application of Plaintiffs' NYGBL claim, considering NationsBenefits is headquartered in Florida. Mot. at 33. Section 349 prohibits “[d]eceptive acts or practices in the conduct of any business, trade[,] or commerce or in the furnishing of any service in this state.” N.Y. Gen. Bus. Law § 349(a). A narrow reading of § 349's territorial requirement mandating that an act occur “in this state” contemplates where a plaintiff was deceived. See Cruz v. FXDirectDealer, LLC, 720 F.3d 115, 122-23 (2d Cir. 2013) (citing cases focusing on where the deception occurred); Ovitz v. Bloomberg L.P., 77 A.D.3d 515, 516 (1st Dept. 2010) (“The complaint also fails to state a cause of action under General Business Law § 349. Plaintiff, a resident of Illinois, was not deceived in New York State.”), aff'd, 18 N.Y.3d 753 (2012).
Despite Defendants' assertion that NationsBenefits is headquartered in Florida and not New York, this Court has previously clarified that “[w]here a defendant keeps its headquarters and conducts its business is ‘irrelevant.'” In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., No. 21-MD-02994-RAR, 2022 WL 3550045, at *5 (S.D. Fla. Aug. 18, 2022) (dismissing nonresident NYGBL claim where the complaint “fails to aver whether part of any relevant transaction occurred in New York”) (citing In re GE/CBPS Data Breach Litig., No. 20-2903, 2021 WL 3406374, at *13 (S.D.N.Y. Aug. 4, 2021))). And construing all reasonable inferences in favor of Plaintiffs at this stage, the Court finds it plausible that the harm befell the named New York Plaintiffs in New York. Ashcroft, 556 U.S. at 678 (“To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” (quoting Bell Atl. Corp., 550 U.S. at 570)).
The NYGBL, unlike the ICFA, see supra 31-32, focuses on where a plaintiff was deceived, not where the underlying claim primarily occurred. In other words, the ICFA requires allegations connecting the relevant transaction to the state of Illinois, whereas the NYGBL focuses on whether plaintiff was located in New York when deceived. Consequently, Plaintiffs' NYGBL claim survives dismissal, as opposed to Plaintiffs' ICFA claim.
Defendants also assert that Plaintiffs do not identify any deceptive statements, thereby failing to provide notice of their claims. Mot. at 33. Plaintiffs respond that they allege (1) Defendants promised Plaintiffs they would “use reasonable physical, technical, and administrative safeguards” to protect customers' PII/PHI, Compl. ¶ 163; (2) they would “only share customer information in limited circumstances, none of which include sharing with the cyber criminals”, Compl. ¶ 164; and (3) Defendants failed to disclose that third parties would “collect, process, and store PHI protected under HIPAA”, Compl. ¶ 165. Resp. at 30. The Court finds these allegations sufficient to state a claim under the NYGBL. See Wallace v. Health Quest Sys., No. 20 CV 545 (VB), 2021 WL 1109727, at *15 (S.D.N.Y. Mar. 23, 2021) (finding defendants' statements that it was “committed to protecting medical information” and would notify customers of any data breach without unreasonable delay stated an NYGBL claim); Fero v. Excellus Health Plan, Inc., 236 F.Supp.3d 735, 774-75 (W.D.N.Y. 2017) (finding allegations that defendants would “maintain adequate data privacy and security practices” and “comply with the requirements of relevant federal and state laws” plausibly alleged violation of the NYGBL). Accordingly, Plaintiffs' NYGBL claim shall stand.
15. North Carolina Identity Theft Protection Act (“NCITPA”) (Count XXII) and North Carolina Unfair Trade Practices ACT (“NCUDTPA”) (Count XXIII)
Defendants argue that Plaintiffs' NCITPA claim must be dismissed because there is no private right of action under the statute-and any claim for a violation of the NCITPA must be brought under the NCUDTPA. Mot. at 33-34. However, as Plaintiffs correctly point out, North Carolina federal and state courts allow private plaintiffs alleging injuries to bring NCITPA claims. See, e.g., Curry v. Schletter Inc., No. 1:17-CV-0001-MR-DLH, 2018 WL 1472485, at *5-7 (W.D. N.C. Mar. 26, 2018); Fisher v. Comm. Workers of Am., No. 08 CVS 3154, 2008 WL 4754850, at *6 (N.C. Super. Oct. 30, 2008). Additionally, the plain language of the NCITPA provides that there is no private right of action “unless such individual is injured as a result of the violation.” N.C. Gen. Stat. § 75-65(i). Accordingly, Plaintiffs have standing to maintain their claims under North Carolina state law.
Next, Defendants argue that Plaintiffs' NCUDTPA claims fail because “Plaintiffs cannot allege that NationsBenefits owed a duty to disclose any deficiencies with respect to Fortra's data security practices, particularly where the Incident was the result of a zero-day vulnerability.” Mot. at 34. But Plaintiffs allege that NationsBenefits made affirmative misrepresentations in addition to omissions by “[m]isrepresenting that it would protect the privacy and confidentiality of Plaintiff's and North Carolina Subclass Members' Private Information, including by implementing and maintaining reasonable security measures” and “[m]isrepresenting that it would comply with common law and statutory duties pertaining to the security and privacy of Plaintiff's and North Carolina Subclass Members' Private Information, including duties imposed by the FTC Act, 15 U.S.C. § 45.” Compl. ¶¶ 539(d)-(e). And Defendants do not maintain that Plaintiffs' affirmative misrepresentation claims are insufficiently pleaded. Thus, the Court will allow the affirmative misrepresentation portion of Plaintiffs' NCUDTPA claim to stand.
As for Plaintiffs' omission claim under NCUDTPA, a duty to disclose arises where “a party has taken affirmative steps to conceal material facts from the other; or . . . one party has knowledge of a latent defect in the subject matter of the negotiations about which the other party is both ignorant and unable to discover through reasonable diligence.” City of High Point v. Suez Treatment Sols. Inc., 485 F.Supp.3d 608, 636 (M.D. N.C. 2020). As this Court has previously held, allegations that defendants' duty to disclose arose from their “possession of exclusive knowledge regarding their data security, active concealment of the state of their security, and incomplete representations about the security and integrity of their computer and data systems” are sufficient to state a claim under the NCUDTPA. Mednax, 603 F.Supp.3d at 1216.
Here, Plaintiffs allege that NationsBenefits knew its GoAnywhere MFT had several security vulnerabilities; that its configuration of the software was insecure and unencrypted (and that it failed to change these insecure default settings); and that its industry was being targeted by the Clop hackers. Compl. ¶¶ 170-74, 196-98. Accordingly, Plaintiff has stated a viable claim under the NCUDTPA.
16. Ohio Consumer Sales Practices Act (“OCSPA”) (Count XXIV)
The OCSPA prohibits an “unfair or deceptive act or practice in connection with a consumer transaction and permits consumers to bring an individual cause of action to ‘rescind the transaction or recover the consumer's actual economic damages plus an amount not exceeding five thousand dollars in noneconomic damages.'” Foster v. Health Recovery Servs., Inc., 493 F.Supp.3d 622, 636 (S.D. Ohio 2020) (quoting Oh. Rev. C. §§ 1345.02, 1345.09). A plaintiff must allege that the defendant's conduct was substantially similar to conduct that was either: (1) established as deceptive by an Ohio administrative rule; or (2) found to be deceptive by an Ohio state court decision. See Phillips v. Philip Morris Companies Inc., 290 F.R.D. 476, 478 (N.D. Ohio 2013).
Here, Defendants correctly note that Plaintiffs do not allege their conduct was “substantially similar” to conduct that an Ohio administrative rule or state court decision has established as deceptive. Mot. at 34; see also Phillips, 290 F.R.D. at 478 (“The complaint contains no allegation that defendants engaged in conduct that was ‘substantially similar' to conduct that was found deceptive by an Ohio administrative rule or an Ohio state court decision, as required by Section 1345.09(B)”); Foster, 493 F.Supp.3d at 637 (dismissing OCSPA claim and finding a consent judgment order insufficient to establish notice of substantially similar conduct). Accordingly, Count XXIV is DISMISSED.
17. Ohio Deceptive Trade Practices Act (“ODTPA”) (Count XXV)
Defendants argue that Plaintiffs' ODTPA claim warrants dismissal because Plaintiffs lack standing to pursue such a claim. Mot. at 34-35. In response, Plaintiffs acknowledge that there is a split of authority as to whether individual consumers can bring claims under the ODTPA-but argue that the plain language of the statute allows consumers to do so. Resp. at 32-33.
The ODTPA provides standing for any “person who is likely to be damaged by a person who commits a deceptive trade practice” or any “person who is injured by a person who commits a deceptive trade practice.” Ohio Rev. Code § 4165.03(A)(1)-(2). The ODTPA defines a “person” as “an individual, corporation, government, governmental subdivision or agency, business trust, estate, trust, partnership, unincorporated association, limited liability company, two or more of any of the foregoing having a joint or common interest, or any other legal or commercial entity.” Ohio Rev. Code § 4165.01(D). While courts are split as to whether individual consumers have standing, “[a] broad majority of the courts to directly address this issue have held that the ODTPA does not give consumers standing.” Hamilton v. Ulta Beauty, No. 5:18-cv-754, 2018 WL 3093527, at *3 (N.D. Ohio June 21, 2018).
Here, the Court joins the broad majority of courts in holding that individual consumers do not have standing under the ODTPA. See, e.g., Holbrook v. Louisiana-Pac. Corp., 533 Fed.Appx. 493, 497-98 (6th Cir. 2013); Michelson v. Volkswagen Aktiengesellschaft, No. 105960, 2018 WL 1640053, at *3 & n.2 (Ohio Ct. App. Apr. 5, 2018). As laid out by the Hamilton court in its well-reasoned opinion, there are three reasons consumers lack standing. First, “Ohio courts look to the federal Lanham Act when interpreting the ODTPA, and the Lanham Act does not give a consumer [a] right of action.” 2018 WL 3093527, at *3. Second, the definition of “person” in the ODTPA qualifies its enumerated list of those possessing standing with “or any other legal or commercial entity,” thereby implying that an individual “may not bring suit as a non-commercial consumer.” Id. Third, the Hamilton court recognized that the OCSPA already “provides for consumer standing and prohibits virtually the same practices as the ODTPA” and therefore would be rendered superfluous if consumers could also sue under the ODTPA. Id.
Accordingly, the Court finds that Plaintiffs lack standing under the ODTPA and Count XXV must be DISMISSED with prejudice.
18. Pennsylvania Unfair Trade Practices and Consumer Protection Law (“PUTPCPL”) (Count XXVI)
Plaintiff Leroy Fuss brings the PUTPCPL claim on behalf of himself and the Pennsylvania subclass. Compl. ¶ 575. The PUTPCPL provides that “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce as defined by . . . this act . . . are hereby declared unlawful.” 73 P.S. § 201-3. The statute “is designed to protect the public from fraud and deceptive business practices.” Pirozzi v. Penske Olds-Cadillac-GMC, Inc., 605 A.2d 373, 375 (Pa. Super. Ct. Mar. 19, 1992). It provides a private right of action for “[a]ny person who purchases . . . goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property” because of the seller's unfair or deceptive practices. 73 P.S. § 201-9.2(a). To maintain a private right of action under the PUTPCPL, “a plaintiff must show that he justifiably relied on the defendant's wrongful conduct or representation and that he suffered harm as a result of that reliance.” Yocca v. Pittsburgh Steelers Sports, Inc., 578 Pa. 479, 501 (Pa. July 20, 2004); see also Hunt v. U.S. Tobacco Co., 538 F.3d 217, 221 (3d Cir. 2008). The harm that resulted must be “an ascertainable loss.” Weinberg v. Sun Co., Inc., 565 Pa. 612, 618 (Pa. July 26, 2001).
Defendants maintain that Plaintiffs' PUTPCPL claim fails because they have insufficiently alleged (1) ascertainable losses which are fairly traceable to the data breach and (2) justifiable reliance. Mot. at 35. As to the first prong, however, Defendants concede that Fuss “allege[s] that he lost money as a result of the Incident.” Mot. at 35. Specifically, Fuss claims that the fraudulent charges that appeared on his credit card “cost [him] approximately $4,800”-or a “tangible loss of money.” In re Rutter's Inc. Data Sec. Breach Litig., 511 F.Supp.3d 514, 541 (M.D. Pa. Jan. 5, 2021) (finding that plaintiff satisfied the ascertainable loss element for a PUTPCPL claim, alleging he lost a full day of wages-at around $15 per hour-due to various remedial actions). And, as discussed above, Plaintiffs have set forth sufficient allegations to support traceability. Accordingly, Plaintiffs have satisfied the first prong.
Defendants also challenge Plaintiffs' reliance under the second prong. However, as the Court has already found, supra at 23-25, Plaintiffs have sufficiently alleged reliance on Defendants' misrepresentations. See Compl. ¶¶ 166-67 (alleging that Plaintiffs “relied on NationsBenefits' promise to keep private information confidential” and to “ensure that it held vendors with whom it shared sensitive Private Information to the same high standards of data protection”). Accordingly, Plaintiffs' PUTPCPL claim must stand.
19. Texas Deceptive Trade Practices-Consumer Protection Act (“TDTPA”) (Count XXVII)
Plaintiffs Kimberly Dekenipp, Wanda Wilson, and Dezarae Sanders, individually and on behalf of the Texas subclass, allege a TDTPA claim, Texas Bus. & Com. Code §§ 17.41, et seq. Defendants argue that because Plaintiffs do not allege a consumer transaction, the TDTPA does not apply. Mot. at 35. The TDTPA grants “consumers” a cause of action for false, misleading, or deceptive acts or practices. Tex. Bus. & Com. Code § 17.50(a)(1); Mendoza v. American Nat'l Ins. Co., 932 S.W.2d 605, 608 (Tex. App.-San Antonio [4th Dist.] 1996) (holding a plaintiff must qualify as a “consumer” to have standing under the TDTPA). In relevant part, the TDTPA defines a “consumer” as “an individual . . . who seeks or acquires by purchase or lease, any goods or services.” Tex. Bus. & Com. Code § 17.45(4).
In In re Capital One Consumer Data Security Breach Litigation, the court-also addressing an argument that victims of a data breach were not “consumers” under the TDTPA- considered the Texas Supreme Court's interpretation of the TDTPA to conclude that plaintiff raised a plausible inference that, in receiving a credit line from Capital One, she sought to acquire goods and services-thereby sufficiently alleging she was a “consumer” under the statute. 488 F.Supp.3d 374, 426-27 (E.D. Va. 2020); see also Knight v. Int'lHarvester Credit Corp., 627 S.W.2d 382 (Tex. 1982) (qualifying bank customers as consumers under the TDTPA where plaintiff sought financing to purchase a consumer good); Flenniken v. Longview Bank & Trust Co., 661 S.W.2d 705 (Tex. 1983) (same).
Here, like the plaintiffs applying for credit cards to acquire goods and services, Plaintiffs allege that they used NationsBenefits' services “in order to receive the member benefits to which they are entitled.” Compl. ¶ 159. And the Court finds that these benefits qualify as goods and services, as contemplated by the Texas statute. Compl. ¶ 156 (detailing the supplemental healthcare solutions and products Defendants provide). Therefore, Defendants' TDTPA claim must stand.
CONCLUSION
For the foregoing reasons Defendants' Motion to Dismiss Consolidated Class Action Complaint, [ECF No. 138], is GRANTED IN PART and DENIED IN PART as follows:
1. The following counts are DISMISSED with prejudice'.
a. Breach of Implied Contract (Count IV);
b. California Consumer Privacy Act (Count VIII) (pmsuant to the parties' agreement);
c. California Unfair Competition Act (Count X);
d. Florida Deceptive and Unfair Trade Practices Act (Count XI) (as to damages);
e. Missouri Merchandise Practices Act (Count XIX);
f. New Jersey Consumer Fraud Act (Count XX); and g. Ohio Deceptive Trade Practices Act (Count XXV)
2. The following counts are DISMISSED with leave to amend.
a. Breach of Third-Party Beneficiary Contract (Count IE);
b. Illinois Personal Information Protection Act (Counts XII and XIII); and c. Ohio Consumer Sales Practices Act (Count XXIV).
3. The Motion is otheiwise DENIED as to the remaining counts.
DONE AND ORDERED.