From Casetext: Smarter Legal Research

In re Unite Here Data Sec. Incident Litig.

United States District Court, S.D. New York
Jul 15, 2024
24-CV-1565(JSR) (S.D.N.Y. Jul. 15, 2024)

Opinion

24-CV-1565(JSR)

07-15-2024

In re UNITE HERE DATA SECURITY INCIDENT LITIGATION This Document Relates To ALL ACTIONS


OPINION & ORDER

JED S. RAKOFF, U.S.D.J.

This is a data breach class action brought against the labor union UNITE HERE ("UNITE") by two members of the union. The data breach involved the theft of, among other information, plaintiffs' names, Social Security numbers, dates of birth, and medical information that plaintiffs gave to the union. Plaintiffs' consolidated complaint asserts six claims on behalf of a putative class of similarly situated union members affected by the data breach for (1) negligence, (2) breach of implied contract, (3) unjust enrichment, (4) breach of confidence, (5) violation of New York's Deceptive Trade Practices Act (N.Y. General Business Law § 349), and (6) for a declaratory judgment. UNITE has moved to dismiss the complaint in its entirety, raising three categories of arguments: standing, preemption, and substantive grounds pursuant to the Federal Rule of Civil Procedure 12(b)(6). For the reasons set forth below, the Court grants in part and denies in part UNITE's motion.

I. Factual Allegations

Defendant UNITE is a New York-based labor union that represents several hundred thousand workers in the hospitality industry throughout the United States and Canada. Consolidated Complaint ("Compl.") ¶¶ 2, 25. UNITE employs "more than 379 people and generat[es] around $91.9 million in annual revenue." Id. ¶ 25. UNITE requires its members to provide personal and health information as a condition to receiving its services, including a member's name, Social Security number, date of birth, financial account information, driver's license, state identification number, and medical information. See id. ¶¶ 26, 32.

On October 20, 2023, UNITE became aware of an unauthorized access to its computer system that had occurred on that day. Id. ¶¶ 31-32. But it was not until four months later, in February 2024, that UNITE, after conducting a forensic investigation, informed its members of the data breach. Id. ¶ 33. The complaint alleges that the breach was the result of defendant's failure to implement reasonable security measures, failures to comply with FTC guidance regarding data security, and failures to comply with industry standards regarding data security. See id. ¶¶ 49-69.

Plaintiff Michelle Puller-Soto became a union member of UNITE in or around 2020 and provided UNITE with her name, Social Security number, date of birth and medical information, all of which were allegedly taken in the breach. Id. ¶¶ 91-92. She received one year of credit monitoring from UNITE after being notified of the breach, which she alleges is insufficient since the breach caused her "a lifetime of increased risk of identity theft" and "medical fraud." Id. ¶ 93. She alleges injury "in the form of (a) damage to and diminution in the value of her [personally identifiable information] and [protected health information] . . .; (b) violation of her privacy rights; and (c) present, imminent, and impending injury arising from the increased risk of identity theft, and fraud she now faces [,]" as well as feelings of anxiety. Id. ¶¶ 101-102. Further, she has allegedly "spen[t] considerable time and money on an ongoing basis to try to mitigate and address the many harms caused by the Data Breach." Id. ¶ 103.

Plaintiff Tamiko Conway is a current union member and provided UNITE with "her name, Social Security number, and other sensitive information," all of which were allegedly stolen in the data breach. Id. ¶¶ 105, 108. In addition to suffering the same harms as Puller-Soto, Conway alleges two instances of fraudulent charges on her Chime credit card caused by UNITE's data breach, one for approximately $242 in or about October 2023, and another for approximately $100 in or about February 2024. Id. ¶¶ 109-112.

The consolidated complaint asserts claims for negligence, breach of implied contract, unjust enrichment, breach of confidence, violation of New York's Deceptive Trade Practices Act (N.Y. General Business Law § 349), and for a declaratory judgment. See id. ¶¶ 150 239. Plaintiffs seek to represent a nationwide class of "[a]11 individuals in the United States who had Private Information accessed and/ or acquired as a result of the Data Breach, including all who were sent a notice of the Data Breach." Compl. ¶ 138.

The Court previously granted plaintiffs' unopposed motion to consolidate Puller-Soto's and Conway's cases in this single action. See Dkt. 14.

II. Discussion

Defendant has moved to dismiss plaintiffs' complaint in its entirety, raising three kinds of arguments. First, defendant argues plaintiffs lack standing to assert these claims because they have not suffered any cognizable injury actually traceable to defendant's conduct and redressable by injunctive relief. Second, defendant argues plaintiffs' claims are preempted by the federal duty of fair representation under the National Labor Relations Act and Section 301 of the Labor Management Relations Act. Third, defendant argues each of plaintiffs' claims fail as a substantive matter. Each argument is discussed in turn.

A. Standing

Under Article III of the Constitution, the federal judicial power is confined to resolving "Cases" and "Controversies," which in turn requires a plaintiff to have a "personal stake" in the outcome of the case (i.e. standing). See TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). To establish standing, "a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief." Id. (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)). The plaintiff "bears the burden of establishing these elements . . . and must 'clearly . . . allege facts demonstrating' each element at the pleading stage." Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (quoting Warth v. Seldin, 422 U.S. 490, 498 (1975)). In a class action, "[s]tanding is satisfied so long as at least one named plaintiff can demonstrate the requisite injury." Hyland v. Navient Corp., 48 F.4th 110, 117 (2d Cir. 2022) . Here, defendant argues that plaintiffs have failed to satisfy the first, second and, to a degree, the third element of standing.

Unless otherwise indicated, all internal citations and quotation marks are omitted.

1. Injury in fact

An injury in fact must be "'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'" Spokeo, 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560). A concrete and particularized injury "must affect the plaintiff in a personal and individual way[,]" and it must be "de facto," meaning that it has to "actually exist." Id. at 339-40. Concrete injuries can be intangible, such as "reputational harms, disclosure of private information, and intrusion upon seclusion [,]" so long as the injury has "a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts." TransUnion LLC, 594 U.S. at 425. If the alleged injury is a risk of future injury, then it must be "certainly impending" or substantially likely to occur. Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) .

Here, Plaintiff alleges six kinds of injury: (1) the future risk of identity theft resulting from the data breach, (2) certain fraudulent charges allegedly incurred on one plaintiff's credit card, (3) the time and effort expended in mitigating the risks from the data breach, (4) the lost benefit-of-the-bargain between plaintiffs and UNITE, (5) the diminution in the value of plaintiffs' private information as a result of the breach, and (6) the emotional distress plaintiffs suffered upon learning of the data breach. Because the Court finds the first of these injuries sufficient to confer standing, it does not consider the viability of the remaining kind of injury, though they may be subject to challenge at later stages of this litigation.

The Second Circuit has held that "plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data," even where no such misuse of the data has yet occurred. McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 300-01 (2d Cir. 2021) ("[R]equiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court's recognition that '[a]n allegation of future injury may suffice' to establish Article III standing 'if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.'") (quoting Susan B. Anthony List, 573 U.S. at 158)); see Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 289 (2d Cir. 2023)). The Second Circuit has set forth a non-exclusive set of three factors for courts to consider in determining whether "an increased risk of identity theft or fraud" qualifies as an injury in fact in a given case:

(1) whether the plaintiffs' data has been exposed as the result of a targeted attempt to obtain that data;
(2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
(3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
McMorris, 995 F.3d at 303.

The first factor supports a finding of standing in this case. Plaintiffs have alleged that the data breach was a "cyberattack" conducted by "cybercriminals." Compl. ¶¶ 10, 153. Because healthcare and personally identifiable information are especially attractive and vulnerable to cyberattacks, the data breach qualifies as "a targeted attempt to obtain that data." Compl. ¶¶ 36, 153. In such circumstances, it is reasonable to infer the purpose of the attack was to misuse the data. See McMorris, 995 F.3d at 301 ("Why else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities.").

The third factor also weighs strongly in plaintiffs' favor. Plaintiffs have alleged that "UNITE HERE union members' personally identifiable information and protected health information, including their names, Social Security numbers, dates of birth, and medical information" were stolen. Compl. ¶ 1. The complaint describes the numerous ways this information can be misused, including through "credit card fraud, phone or utilities fraud, bank fraud, to obtain a driver's license or official identification card in the victim's name but with the thief's picture, to obtain government benefits, or to file a fraudulent tax return using the victim's information." Compl. ¶ 79. The Second Circuit has acknowledged that "Social Security numbers and dates of birth" are "high-risk" and sensitive information making victims more vulnerable to "future identity theft or fraud." McMorris, 995 F.3d at 302; see Bohnak, 79 F.4th at 289 (noting that Social Security numbers are "exactly the kind of information that gives rise to a high risk of identity theft . . . [and] among the worst kind of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change") . Further, the instant case also includes allegations of theft of sensitive health information, which the complaint alleges is substantially more valuable to criminals than personally identifiable information and can be used to carry out other fraudulent schemes, including to "take advantage of the victim's medical conditions or victim settlements," "to create fake insurance claims," or to "gain access to prescriptions for illegal use or resale." Compl. ¶¶ 83-84.

Plaintiffs argue that the second factor also supports a finding of standing. The complaint alleges that plaintiff Conway experienced two instances of fraudulent charges -- one on her Chime checking account in October 2023 and another on her Chime credit card in February 2024 -- totaling around $342 that the complaint alleges "upon information and belief, w[ere] caused by the Data Breach." Compl. ¶¶ 111-112. The problem with this allegation is that, as defendant points out that, while the data breach involved "names, Social Security numbers, dates of birth, and medical information," Compl. ¶ 1, it did not include not financial or credit card information, and plaintiffs have offered no plausible explanation or allegation of how these fraudulent charges were caused by the data breach. See De Medicis v. Ally Bank, 2022 WL 3043669, at *7 (S.D.N.Y. Aug. 2, 2022) (finding allegations of unauthorized account activity did not confer standing where complaint failed to adequately allege "a nexus between the two instances beyond allegations of time and sequence").

Plaintiffs argue that "[i]n order to access Plaintiff Conway's Chime account, cybercriminals would need her name, date of birth, and Social Security number, each of which were" taken during the data breach. Pls. Opp. at 12. Plaintiffs cite to certain paragraphs of the complaint that describe how cyber criminals can use information obtained in a hack to obtain further information or combine that stolen information with information from other sources to carryout identity theft. See id. (citing Compl. ¶¶ 72-73) . The problem with this argument is that plaintiffs do not allege anyone attempted to create a Chime account in Conway's name. Accordingly, this does not cure the absence of any plausible link between the charges and the data breach.

While plaintiffs have not shown that the second factor supports standing, the Second Circuit has squarely held that doing so is not always necessary if the other factors are met. Specifically, in Bohnak v. Marsh & McLennan Cos., Lnc., the Second Circuit held that a data breach victim had standing even where "she ha[d] not alleged any known misuse of information in the dataset accessed in the hack." 79 F.4th at 289. The Bohnak court instead found that the plaintiff had plausibly alleged standing where the first and third factors were otherwise satisfied, as is the case here. Id. at 288-89. Indeed, the factual allegations here are arguably stronger than in Bohnak, because this case involved the theft of all the same information that was stolen in Bohnak plus the theft of personal health information, which was not at issue there. Accordingly, plaintiffs have alleged a sufficiently substantial risk of future identity theft and medical fraud to confer standing.

2. Traceability

Traceability requires the plaintiff to "demonstrate a causal nexus between the defendant's conduct and the injury." Chevron Corp, v. Donziger, 833 F.3d 74, 121 (2d Cir. 2016). Traceability is a lower bar than proving causation on the merits. So long as there is a "'fairly. . . trace[able]' connection between the alleged injury in fact and the alleged conduct of the defendant[,]" traceability can be satisfied. Vt. Agency of Nat. Res. v. United States ex rel. Stevens, 529 U.S. 765, 771 (2000) (quoting Simon v. Eastern Ky. Welfare Rts. Org., 426 U.S. 26, 41 (1976)) .

Defendant argues that plaintiffs have failed to satisfy the traceability element because "there is a good chance that one or both Plaintiffs has already had her personal information exposed" in any one of the many major data breaches that have occurred in the U.S. recently. UNITE MTD, at 11. This argument ignores the procedural posture of the case. The fact that there have been other large data breaches, and the speculative possibility that plaintiffs were subjected to them, are matters well beyond the allegations in the complaint and cannot be used to support defendant's motion to dismiss. See Cohen v. Northeast Radiology, P.C., 2021 WL 293123, at *6 (S.D. N.Y.Jan. 28, 2021) (holding that although "other data breaches may have exposed his personal information[,]" it "has no bearing on plaintiff's standing to sue"); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016) (stating that defendant's argument regarding potential alternative causes for plaintiffs' injuries may be "pursued at the merits phase").

As explained above, the complaint plausibly alleges that plaintiffs were subject to an increased risk of identity theft because important and sensitive information was stolen in the breach. Further, the complaint describes in some detail how compounding data breaches can increase the risk of identity theft as stolen information is compiled from multiple sources and used by criminals. See Compl. ¶¶ 70-89; In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 31-32 (D.D.C. May 9, 2014) (giving plaintiffs "the benefit of the doubt" on traceability even if "[n]o one alleges that credit-card, debit-card, or bank-account information was" breached). Therefore, the complaint easily satisfies the traceability requirement.

3. Redressability

Defendant argues that plaintiffs lack standing to seek their requested injunctive relief. In this regard, plaintiffs seek an order requiring UNITE to "strengthen its data security systems and monitoring procedures, conduct periodic audits of those systems, and provide lifetime credit monitoring and identity theft insurance to Plaintiffs and Class Member." Compl. ¶ 172. To satisfy the redressability requirement when seeking prospective relief, a plaintiff must show that the injury is "likely to be redressed by a favorable decision" and that the plaintiff is "likely to be harmed again in the future in a similar way." Nicosia v. Amazon.com, Inc., 834 F.3d 220, 239 (2d Cir. 2016). "[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial." TransUnion, 594 U.S. at 435.

Here, plaintiffs' sensitive personal information is still in the possession of defendant. Comp. ¶ 135. Strengthening UNITE's security system and conducting periodic audits will decrease the risk of a similar data breach happening in the future. The allegations in the complaint regarding the risk of a future data breach are more than sufficient to seek injunctive relief to mitigate the risk. Further, because plaintiffs already face a risk of identity theft from the first data breach, plaintiffs may similarly seek lifetime credit monitoring and identity theft insurance to mitigate the risk.

Defendant argues that, because the plaintiff's data is "irreparably compromised," any future breach would not cause harm. UNITE MTD, at 12. This argument fails, both because more data may be provided by the class in the future and because other, different hackers may attempt to breach UNITE's systems in the future, thereby exacerbating the risk of its misuse. Therefore, redressability is satisfied.

Defendant also argues that the Court should dismiss plaintiffs' claims for injunctive relief because "Rule 23(b)(2) does not authorize class certification when-despite the suitability of generalized injunctive or declaratory relief-each class member would [also] be entitled to an individualized award of monetary damages.'" UNITE MTD, at 12 (quoting Nationwide Life Ins. Co. v. Haddock, 460 Fed.Appx. 26, 28-29 (2d Cir. 2012)). But the cited case concerned a situation where plaintiffs sought to shoehorn a damages class into Rule 23(b)(2). Here, by contrast, the plaintiffs here seek to have their class certified pursuant to Rule 23(b)(3) as a damages class, and only seek certification under Rule 23(b) (2) in the alternative, in the event their Rule 23(b)(3) argument fails. See Compl. ¶¶ 141-48.

B. Preemption

In its motion to dismiss, UNITE argues that all of plaintiffs' claims are preempted by (1) the federal duty of fair representation under the National Labor Relations Act ("NLRA") and (2) Section 301 of the Labor Management Relations Act ("LMRA").

"Under the Supremacy Clause of the Constitution, state and local laws that conflict with federal law are without effect." Figueroa v. Foster, 864 F.3d 222, 227 (2d Cir. 2017). There are generally three types of preemption:

(1) express preemption, where Congress has expressly preempted local law;(2) field preemption, where Congress has legislated so comprehensively that federal law occupies an entire field of regulation and leaves no room for state law; and (3) conflict preemption, where local law conflicts with federal law such that it is impossible for a party to comply with both or the local law is an obstacle to the achievement
of federal objectives. The latter two are forms of implied preemption.
Id. at 227-28. Although bearing different names, these doctrines "all . . . work in the same way: Congress enacts a law that imposes restrictions or confers rights on private actors; a state law confers rights or imposes restrictions that conflict with the federal law; and therefore the federal law takes precedence and the state law is preempted." N.J. Thoroughbred Horsemen's Ass'n v. Nat'l Collegiate Athletic Ass'n, 584 U.S. 453, 477 (2018). The two forms of preemption relevant in this present case are field and conflict preemption, which although they "are not rigidly distinct [,] . . . remain independent bases for preemption." Figueroa, 864 F.3d at 228.

1. The Federal Duty of Fair Representation

The duty of fair representation is a judicially created doctrine derived from Section 9(a) of the NLRA and imposes on labor unions "a statutory obligation to serve the interests of all [their] members without hostility or discrimination toward any, to exercise [their] discretion with complete good faith and honesty, and to avoid arbitrary conduct" in the context of obtaining and enforcing a collective bargaining agreement. Vaca v. Sipes, 386 U.S. 171, 177 (1967); see also Figueroa, 864 F.3d at 229. This "statutory duty of fair representation was developed [in the mid-20th century] in a series of cases involving alleged racial discrimination by unions certified as exclusive bargaining representatives under the Railway Labor Act, and was soon extended to unions certified under the N.L.R.A." Vaca, 386 U.S. at 177. "A union breaches its duty of fair representation if its actions with respect to a member are arbitrary, discriminatory, or taken in bad faith." Figueroa, 864 F.3d at 229.

Section 9(a) statute reads: "(a) Exclusive representatives; employees' adjustment of grievances directly with employer. Representatives designated or selected for the purposes of collective bargaining by the majority of the employees in a unit appropriate for such purposes shall be the exclusive representatives of all the employees in such unit for the purposes of collective bargaining..." 29 U.S.C. § 159(a).

UNITE argues that "[t]he scope of the duty of fair representation . . . [is] defined solely by federal law," and "the duty of fair representation completely preempts state law claims which would impose a different standard on the union's conduct." UNITE MTD, at 14 (emphasis added). In other words, UNITE's entire argument is premised upon the assumption that the duty of fair representation is a species of field preemption. Though cited by neither party, there is binding Second Circuit precedent that holds to the contrary.

In Figueroa v. Foster, the Second Circuit held that to the extent the duty of fair representation preempts state law, it is a species of conflict preemption only, and does not preempt the field. 864 F.3d at 229-35 (holding that preemption does not apply because "the [state law] presents no potential conflict so incompatible with federal labor laws that all of its provisions must fall") . In reaching this conclusion, the Second Circuit expressly "disagree[d] with the decisions of our sister First, Fifth, and Tenth Circuits to the extent that they suggest that any question of preemption by the NLRA's duty of fair representation should be evaluated under the broader doctrine of field preemption." Id. at 232. Most of the authority cited by defendant conflicts with Figueroa and is not good law in this Circuit.

See, e.g., Walsh v. Int'l Bhd. Of Elec. Workers (I.B.E.W.) Local 503, 62 F.Supp.3d 300, 302 (S.D.N.Y. 2014) (adopting the First and Fifth Circuit's field preemption approach); Bryant v. Am. Fed'n of Musicians of the U.S. & Can. & Screen Actors Guild, 2015 WL 7301076, at *3 (S.D.N.Y. Nov. 18, 2015) (relying on Walsh); Cahoon v. Int'l Bhd. of Elec. Workers Loc. 261, 175 F.Supp.2d 220, 225 (D. Conn. 2001) (citing First and Fifth Circuit precedent to conclude field preemption applied,); BIW Deceived v. Local S6, Indus. Union of Marine & Shipbuilding Workers of Am., 132 F.3d 824, 831-33 (1st Cir. 1997); Richardson v. United Steelworkers of Am., 864 F.2d 1162, 1167-69 (5th Cir. 1989)); see also Roache v. Long Island R.R., 487 F.Supp.3d 154, 164 n.4 (E.D.N.Y. 2020) (acknowledging that Figueroa overruled the line of precedent applying field preemption test).

Under the conflict preemption framework adopted by Figueroa, a plaintiff's claim is preempted by the duty of fair representation only if "it is either impossible for a private party to comply with both the NLRA's duty of fair representation and the [state law], or [if] the [state law] stands as an obstacle to the execution of Congress's intent as expressed in the NLRA's duty of fair representation." Id. at 234 (emphasis added). So-called "impossibility" preemption "occurs when state law penalizes what federal law requires, or when state law claims directly conflict with federal law." Id. So-called "obstacle" preemption "precludes state law that poses an actual conflict with the overriding federal purpose and objective" of a statute. Id. at 23435. "The burden of establishing obstacle preemption, like that of impossibility preemption, is heavy[,]" and "the mere fact of tension between federal and state law is generally not enough." Id. at 235. "[F]ederal law does not preempt state law under the obstacle preemption analysis unless the repugnance or conflict is so direct and positive that the two acts cannot be reconciled or consistently stand together." Id.

For example, in Figueroa the Second Circuit held that the NLRA's federal duty of fair representation did not preempt the New York State Human Rights Law ("NYSHRL"), which was aimed at "prohibit[ing] the commission of specific unlawful discriminatory practices, including retaliatory conduct, by entities including labor organizations." Id. at 224-25. Specifically, the court found that there was no impossibility because the union failed "to demonstrate that it could not comply with the federal duty of fair representation if it also complied with the NYSHRL." Id. at 234. Similarly, the court found that the state law was not an obstacle to federal policy because, in fact, "the NYSHRL and the NLRA serve [d] the same purpose of prohibiting discrimination" and therefore "[t]his mutual service [was] not a conflict such that the duty of fair representation and the NYSHRL cannot be reconciled or consistently stand together." Id. at 235.

Applying these principles here, plaintiffs' claims are clearly not preempted. As noted, the duty of fair representation imposes an "obligation to serve the interests of all [union] members without hostility or discrimination toward any, to exercise its discretion with complete good faith and honesty, and to avoid arbitrary conduct." Vaca, 386 U.S. at 177. The focus of the duty is on the actions of a union in representing its members, and accordingly ev.en the precedent relied upon, erroneously, by defendant recognized that duty did not preempt claims that "arises wholly outside the ambit of those obligations circumscribed by a union's duty of fair representation under the collective bargaining agreement." Walsh, 62 F.Supp.3d at 303.

Plaintiffs challenge defendant's alleged failure to enact adequate cybersecurity measures to prevent a data breach. Plaintiffs allege that UNITE owed and violated independent duties separate from their duty of fair representation, including duties of care imposed by state tort law, the FTC Act and the New York Deceptive Trade Practices, and the labor organization industry as a whole. See Pls. Opp., at 14. These claims have little if anything to do with UNITE's representation of its members. Indeed, the only even arguable connection plaintiffs' claims have to UNITE's representation is that the data was collected to further that representation in some nebulous way. Even assuming such a tenuous connection were sufficient to satisfy the overruled field preemption test, it is certainly insufficient to show there is some actual conflict between state and federal law. Because defendant has not provided any reason why plaintiffs' claims conflict with the federal duty of fair representation, they are not preempted.

2. LMRA § 301

Section 301 of the LMRA generally preempts state law claims alleging violations of a union's collective bargaining agreement ("CBA") or similar union constitution. See Whitehurst v. 1199SEIU United Healthcare Workers E., 928 F.3d 201, 206 (2d Cir. 2019). The pertinent statute reads:

Venue, Amount, and Citizenship. Suits for violation of contracts between an employer and a labor organization representing employees in an industry affecting commerce as defined in this chapter, or between any such labor organizations, may be brought in any district court of the United States having jurisdiction of the parties, without respect to the amount in controversy or without regard to the citizenship of the parties.
29 U.S.C. Code § 185(a) (emphasis added). Unlike NLRA preemption, which is a species of conflict preemption, Section 301 of the LMRA enacts a species of field preemption. See Whitehurst, 928 F.3d at 206 (recognizing Section 301 has "the requisite preemptive force to support complete preemption"). In the words of the Second Circuit,
Section 301 preemption serves to ensure uniform interpretation of collective-bargaining agreements . . . [and] governs claims founded directly on rights created by collective-bargaining agreements, and also claims substantially dependent on analysis of a collectivebargaining agreement. Thus, when resolution of a state law claim is substantially dependent upon or inextricably intertwined with analysis of the terms of a CBA, the state law claim must either be treated as a § 301 claim, or dismissed as pre-empted by federal labor-contract law. When, on the other hand, a plaintiff covered by a CBA asserts legal rights independent of that agreement, preemption does not occur. A state-law claim is independent when resolving it does not require construing the collective-bargaining agreement. This rule ensures that § 301 is not read broadly to pre-empt nonnegotiable rights conferred on individual employees as a matter of state law.
Whitehurst, 928 F.3d at 206-207; see also Foy v. Pratt & Whitney Grp., 127 F.3d 229, 232, 235 (2d Cir. 1997) (Section 301 did not preempt state law negligent misrepresentation claims because they rested on independent state law rights that did not require interpretation of CBA and "[s]tate law-not the CBA-[was] the source of the rights asserted by the plaintiffs") . "That a court may need to consult the CBA in resolving the state law claim-to compute damages, for instancedoes not subject that claim to preemption by § 301." Whitehurst, 928 F.3d at 207. "The boundary between claims requiring interpretation of a CBA and ones that merely require such an agreement to be consulted is elusive." Id.

Here, UNITE's constitution likely constitutes a "contract" within the meaning of Section 301(a). See United Ass'n of Journeymen & Apprentices v. Loc. 334, 452 U.S. 615, 622 (1981) . However, the complaint makes no reference to UNITE's constitution. Nevertheless, defendant argues that preemption applies because plaintiffs' claims necessarily depend on an interpretation of UNITE's constitution. See UNITE MTD, at 17-18. This is so, defendant argues, because "Plaintiffs allege that '[a]s a condition of receiving union representation and other benefits, UNITE HERE requires that its union members entrust it with highly sensitive personal and health information.'" Id. at 18. And because Article 13 of the constitution discusses relations with individual members, consideration of plaintiffs' claims will, according to defendant, somehow require reference to that provision.

Defendant's argument fails for the simple reason that the constitution has absolutely nothing to say about data security or privacy. Article 13, the only section referenced by defendant in its motion to dismiss, discusses membership in the most general terms - for example, by setting forth qualifications to join and high-level requirements for ongoing membership. Id. It makes no mention of the personal information of its members and sets forth no requirement that its members provide such information as a condition of joining, let alone describe any corollary obligation of the union to protect that information. Accordingly, it does not appear that any of plaintiffs' claims implicate the UNITE constitution.

Defendant responds that the absence of any reference to privacy in the constitution "only serves to highlight that the issues of what UNITE HERE requires of its members and what it is required to provide to those members are so inexorably intertwined with the UNITE HERE Constitution." Reply at 7. In other words, defendant's argument seems to be that any claim that imposes obligations beyond those imposed by the constitution is itself preempted. But if defendant's logic were adopted, and the absence of an obligation in a constitution were itself sufficient to establish preemption, then every claim against a union would be preempted by Section 301, because either the right being enforced is in the constitution or it is not. Such a sweeping interpretation of Section 301 makes little sense and is inconsistent with Second Circuit precedent. See Whitehurst, 928 F.3d at 207 ("When ... a plaintiff covered by a CBA asserts legal rights independent of that agreement, preemption does not occur.").

Defendant elsewhere argues that plaintiffs' breach of implied contract and unjust enrichment claims somehow "require reference to" the constitution. UNITE MTD, at 18 & n.27. The fact that defendant points to nothing remotely related to data security in the constitution is sufficient grounds to reject this argument. But even were this not the case, the fact that a court has to make some reference to a union's constitution still does not mean the claim is preempted so long as doing so "does not require construing the collective-bargaining agreement." Whitehurst, 928 F.3d at 207; see Wynn v. AC Rochester, 273 F.3d 153, 158 (2d Cir. 2001) (suggesting that "simple reference to the face of the CBA," such as consulting a provision that neither party disputes the meaning of, does not require preemption). Similarly, the fact that plaintiffs' claims require interpretation of a different (implied) contract between the union and its members does not warrant preemption. See Caterpillar Inc. v. Williams, 482 U.S. 386, 396 (1987) ("[A] plaintiff covered by a collective-bargaining agreement is permitted [by Section 301(a)] to assert legal rights independent of that agreement, including state-law contract rights, so long as the contract relied upon is not a collective-bargaining agreement.").

Accordingly, because plaintiffs' claims in no way depend upon the UNITE constitution, they are not preempted by Section 301.

C. Failure to State A Claim

Defendant lastly argues that the complaint should be dismissed in its entirety for failure to state a claim. The complaint alleges claims for negligence, breach of implied contract, unjust enrichment, breach of confidence, violation of the New York Deceptive Trade Practices Act, and a declaratory judgement. See Compl. ¶¶ 150-239. Defendant argues each of these claims fails on substantive grounds. The parties apparently agree that New York law applies to plaintiffs' claims and litigate the motion accordingly. Accordingly, the Court adopts the same assumption for purposes of the instant motion.

1. Injury

Defendant begins by arguing that all of plaintiffs' claims fail because the complaint does not allege that plaintiff suffered any injury or damages, which defendant argues is a substantive element of each claim. See UNITE MTD, at 19. Defendant largely recycles its standing argument, discussed above, claiming that even if the court finds standing plaintiffs have nevertheless failed to satisfy the injury element for each of these claims. See id. Defendant's argument rests primarily on the Second Circuit's suggestion in Harry v. Total Gas & Power N. Am., Inc. that, as a matter of pleading, to satisfy the substantive injury element of a cause of action the "[i]njury must be plausible," whereas for standing the injury need only be "colorable." 889 F.3d 104, 112 (2d Cir. 2018). In other words, defendant argues that a greater degree of plausibility is required to allege the substantive element of injury.

In response, plaintiffs cite the more recent Second Circuit decision in Bohnak, where the court apparently conflated the injuryin-fact requirement and the substantive injury element of a breach of contract claim. 79 F.4th at 290 ("To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if they have suffered an injury then damages are available."). In particular, Bohnak concluded that "the increased risk of harm" and "the time and money spent trying to mitigate the consequences of the data breach" were sufficient injuries to state a claim. Id. at 289-90.

Further, whereas Bohnak directly addressed a data breach claim, Harry involved an alleged violation of the Commodities Exchange Act, and rested its ultimately holding that plaintiffs had not alleged damage based upon the explicit requirement in that act that plaintiff show "actual damages resulting" from a statutory violation. Harry, 889 F.3d at 112 (quoting 7 U.S.C. § 25(a) (1)). Accordingly, Bohnak is far more on-point than is Harry, which arguably did not even address the same legal issue.

As explained above, plaintiffs have adequately alleged at least the increased risk of identity theft. In light of Bohnak, those allegations, when coupled with time and money spent on mitigation, are sufficient to satisfy the substantive injury element as well. And while Bohnak dealt exclusively with a breach of contract claim, the defendant does not argue that the substantive injury element differs as between plaintiffs' claims. Accordingly, the Court finds plaintiffs have adequately alleged that they have suffered an injury.

2. Negligence

To bring a negligence claim, the plaintiffs must plead "(1) that the defendant owed him or her a cognizable duty of care; (2) that the defendant breached that duty; and (3) that the plaintiff suffered damage as a proximate result of that breach." Anwar v. Fairfield Greenwich, Ltd., 728 F.Supp.2d 372, 432 (S.D.N.Y. 2010). Defendant offers two arguments as to why plaintiffs negligence claim fails.

First, defendant argues that plaintiffs have failed to allege a cognizable duty of care. UNITE MTD, at 20-21. In response, plaintiffs cite numerous cases that have found a duty of care exists "where the recipient of Private Information is in the best or exclusive position to protect the Private Information from unauthorized access." Pls. Opp at 20. While none of these cases involved the relationship between a union and its members, they are nonetheless sufficiently analogous to apply with full force here. See, e.g., In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *8 (S.D.N.Y. Aug. 4, 2021) (concluding employer owed employees "a duty to exercise reasonable care in safeguarding their PII"); Toretto v. Donnelley Fin. Sols., Inc., 583 F.Supp.3d 570, 593 (S.D.N.Y. 2022) (concluding company owed customers "a duty to exercise reasonable care safeguarding their personal information"); Sackin v. TransPerfect Glob., Inc., 278 F.Supp.3d 739, 748 (S.D.N.Y. 2017) ("[E]mployers have a duty to take reasonable precautions to protect the PII that they require from employees.").

In response, defendant's only argument is that "Plaintiffs make only general allegations of a duty of care, which are too conclusory to meet even the basic standard under Rule 8 of a short and plain statement of the claim." UNITE Reply, at 8. As explained below, this is a mischaracterization of the complaint's factual allegations. And in any case, there is no requirement to allege the specific duty that is being breached, because "[t]he definition and scope of an alleged tortfeasor's duty owed to a plaintiff is a question of law." Pasternack v. Lab. Corp, of Am. Holdings, 27 N.Y.3d 817, 825 (2016). Accordingly, "duty" is not a factual matter that must be alleged in the complaint.

Second, defendant argues that plaintiffs have failed to allege how defendant breached its duty of care. UNITE MTD, at 21. Contrary to defendant's contention, however, the complaint contains a variety of allegations about how defendant's conduct fell below the standard of care, including as follows:

a. Failing to maintain an adequate data security system that would reduce the risk of data breaches and cyberattacks;
b. Failing to adequately protect union members' Private Information;
c. Failing to properly monitor its own data security systems for existing intrusions;
d. Failing to sufficiently train its employees regarding the proper handling of its union members Private Information;
e. Failing to fully comply with FTC guidelines for cybersecurity in violation of the FTCA; and f. Otherwise breaching its duties and obligations to protect Plaintiffs' and Class Members' Private Information.
Compl. ¶ 66.

These allegations are more than sufficient to state a claim under Rule 8(a)'s minimal pleading standard. The single case cited by defendant to the contrary is plainly distinguishable, because in that case the complaint "plead[] no facts regarding any specific measures that [defendant] did or didn't take, nor does it contain any allegations regarding the manner in which their systems were breached." In re Waste Mgmt. Data Breach Litig., 2022 WL 561734, *4 (S.D.N.Y. Feb. 24, 2022). Therefore, plaintiffs have sufficiently pleaded a claim for negligence.

3. Breach of Implied Contract

The elements of a breach of implied contract claim are the same as for a traditional breach of contract claim: "(1) the existence of a contract, (2) performance by the party seeking recovery, (3) breach by the other party, and (4) damages suffered as a result of the breach." Zam & Zam Super Mkt., LLC v. Ignite Payments, LLC, 736 Fed.Appx. 274, 276 (2d Cir. 2018); see Wallace v. Health Quest Sys., 2021 WL 1109727, at *10 (S.D.N.Y. Mar. 23, 2021). An implied contract "may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the presumed intention of the parties as indicated by their conduct." Beth Isr. Med. Ctr. v. Horizon Blue Cross & Blue Shield of N.J., Inc., 448 F.3d 573, 582 (2d Cir. 2006).

Here, the complaint alleges that when plaintiffs entrusted defendant with their private information, "Plaintiffs and the Class entered into implied contracts with Defendant by which Defendant agreed to safeguard and protect such information, to keep such information secure and confidential, and to timely and accurately notify Plaintiffs and the Class if their data had been breached and compromised or stolen." Compl. ¶ 175. Plaintiffs' claim that defendant "solicited, offered, and invited" class members to "provide their Private Information," an offer to which plaintiffs agreed, and that as part of this transaction "it was understood and agreed that [defendant] was required to reasonably safeguard the Private Information from unauthorized access or disclosure." Id. ¶¶ 179-180. Beyond this, the complaint alleges "[o]n information and belief," that defendant "promised to comply with industry standards" to protect plaintiffs' data and "at all relevant times Defendant promulgated, adopted, and implemented written privacy policies whereby it expressly promised Plaintiffs and Class Members that it would only disclose Private Information under certain circumstances, none of which relate to the Data Breach." Id. ¶¶ 181-182.

Defendant argues that these allegations are insufficient because they do not "explain what those contracts might be, when or how they were formed, or what consideration was involved." UNITE MTD, at 2122. In response, plaintiffs cite several cases from this district that have allowed a breach of implied contract claim by employees against employers who were subject to a data breach. See Sackin, 278 F.Supp.3d at 750 ("TransPerfect required and obtained the PII as part of the employment relationship, evincing an implicit promise by TransPerfect to act reasonably to keep its employees' PII safe."); In re Waste Mgmt. Data Breach Litig., 2022 WL 561734, at *5; In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *12. Plaintiffs also correctly observe that "[t]he existence of an implied contract will ordinarily be a question of fact, as it involves an assessment of the parties conduct and the extent to which such conduct demonstrates a meeting of the minds.'" Wallace, No. 2021 WL 1109727, at *10.

Further, whereas Bohnak directly addressed a data breach claim, Harry involved an alleged violation of the Commodities Exchange Act, and rested its ultimately holding that plaintiffs had not alleged damage based upon the explicit requirement in that act that plaintiff show "actual damages resulting" from a statutory violation. Harry, 889 F.3d at 112 (quoting 7 U.S.C. § 25(a) (1)). Accordingly, Bohnak is far more on-point than is Harry, which arguably did not even address the same legal issue.

The Court finds plaintiffs' allegations sufficient to survive a motion to dismiss. The fact plaintiffs turned over their data, entrusting it to defendants, combined with the complaint's other allegations gives rise to a plausible inference that the parties mutually agreed defendant would safeguard that data. Accordingly, the Court denies defendant's motion to dismiss plaintiffs' breach of implied contract claim.

4. Unjust Enrichment

To state a claim for unjust enrichment, "a plaintiff must allege that (1) defendant was enriched; (2) the enrichment was at plaintiff's expense; and (3) the circumstances were such that equity and good conscience require defendants to make restitution." Labajo v. Best Buy Stores, L.P., 478 F.Supp.2d 523, 530-31 (S.D.N.Y. 2007). Defendant argues that plaintiffs have not stated a claim for unjust enrichment because they have not identified a monetary benefit conferred on defendant through its supposedly inequitable conduct. See UNITE MTD, at 22-23. Defendant attempts to characterize the relief sought through this claim as the "refund of their union dues." Id. at 23.

Plaintiffs' theory is, in essence, that defendant "accepted the benefits accompanying plaintiff's data, but [did] so at the plaintiff's expense by not implementing adequate safeguards, thus making it inequitable and unconscionable to permit defendant to retain funds that it saved by shirking data-security and leaving the plaintiff to suffer the consequences." Pls. Opp. at 22 (quoting Rudolph v. Hudson's Bay Co., 2019 WL 2023713, at *12 (S.D. N.Y.May 7, 2019)). Plaintiffs cite several cases from somewhat analogous contexts, including consumer purchases and employer-employee relations, that have found this theory to be viable. See Rudolph, 2019 WL 2023713, at *12 ("[Plaintiff] has plausibly alleged: (a) that she purchased merchandise from Saks [Fifth Ave] using her Bank of America debit card, (b) that she would not have purchased the merchandise if Saks had not accepted the debit card, and (c) that the purchase of merchandise conferred a benefit on Saks and Hudson."); Sackin, 278 F.Supp.3d at 751 (claim by employee against employer); Wallace, 2021 WL 1109727, at *11 ("[Plaintiffs] claim they were patients of defendant's healthcare provider network, paid defendant for its services, and were denied those benefits when defendant failed to abide by its obligations to safeguard plaintiffs' Private Information. These allegations plead the 'essence' of a claim for unjust enrichment.").

Admittedly, this theory does not fit quite as comfortably when applied to a non-profit labor union such as defendant. While plaintiffs conferred a benefit on defendant by paying union dues, it is not clear how the union itself benefited from collecting this information. The complaint suggests vaguely that the union "derived a substantial economic benefit" from the data and the information was necessary to "perform the services it provides," but it is not clear what the purpose of collecting this data was or exactly how the union benefited. Compl. ¶ 38.

Nonetheless, the Court finds that plaintiffs have adequately (if barely) alleged an unjust enrichment claim. If plaintiffs' payment of this union dues included a requirement that a portion of the dues would go to data security (a legitimate inference from the complaint's allegations), and defendant instead shirked that duty (resulting in the data's theft), defendant would have arguably been unjustly enriched to the extent of those improper savings. While the Court is somewhat skeptical that this claim will survive summary judgment, the complaint's allegations are sufficient to survive a motion to dismiss.

5. Breach of Confidence

To plead a breach of confidence claim, a plaintiff must allege" (i) the defendant assumed a duty of confidentiality, (ii) the defendant intentionally, knowingly, or negligently breached that duty, and (iii) the plaintiff was damaged as a result of that breach." In re Canon U.S.A. Data Breach Litig., 2022 WL 22248656, *11 (E.D.N.Y. Mar. 15, 2022) .

UNITE contends that the tort- of breach of confidence is inapplicable because "New York has only applied the tort to physicianpatient relationships." UNITE MTD, at 23. However, the single case defendant cites for this proposition, while acknowledging that "[a]t this point, New York courts have recognized it only in the context of physician-patient relationships," also suggests that "[t]he breach-of-confidence theory may be applicable to a wide spectrum of associations," referencing the "bank-customer relationship[]" as another example. Young v. U.S. Dep' t of Justice, 882 F.2d 633, 640-41 (2d Cir. 1989) .

By contrast, there is some precedent that suggests the tort should be extended to encompass the relationship between a union and its members. Since Young was decided in 1989, at least one lower New York court has extended the tort to encompass the relationship between a life insurer and its customer. See Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 892 (Sup. Ct. 2004). Daly analogized the breach of confidence tort to the more general heightened obligation of a fiduciary that arise "where one party reposed trust and confidence in another," and reasoned that policy considerations counseled for extending the tort to circumstances where sensitive information is wholly entrusted to the discretion of a third-party. Id. A few federal district courts applying New York law have also extended the duty to encompass the relationship between a medical corporation and its patients, Wallace, 2021 WL 1109727, at *12-13, and the relationship between a bank and its customers, Jones v. Commerce Bancorp, 2006 WL 1409492, at *3 (S.D.N.Y. May 23, 2006). Another federal case, while not specifically addressing the tort of breach of confidence, has suggested that a union official breached his fiduciary duty by improperly disclosing confidential information, citing to the aforementioned cases as support. See United States v. Dist. Council of N.Y.C., 2013 WL 2451737, at *6 (S.D.N.Y. June 5, 2013).

On the other hand, there are two cases in this district that suggest the tort does not extend to the relationship between an employee and an employer. See In re Canon U.S.A. Data Breach Litig., 2022 WL 22248656 at *28 ("New York courts do not recognize [a breach of confidence] claim brought by employees for a third party's theft of their PIT."); In re Waste Mgmt. Data Breach Litig., 2022 WL 561734, at *6.

The Court finds the policy rationale expressed in Daly to be persuasive and accordingly concludes the tort of breach of confidence should extend to encompass the relationship between a union and its members. The asymmetry in the ability to take precautions found in the insurance and banking context applies with equal force here. Further, there is a history of unions owing their members a heightened duty of care, and so this is not a typical commercial relationship that might result in an unlimited proliferation of the scope of the duty. See Dist. Council of N.Y.C., 2013 WL 2451737 at *6 (S.D.N.Y Jun. 5, 2013). Though there are cases that found no duty between an employer and employee, the only authority they cite for this position is the Second Circuit's decision in Young which, as explained above, was equivocal on this point and did not in fact purport to limit the scope of the doctrine. See In re Waste Mgmt. Data Breach Litig., WL 561734 at *6. Accordingly, defendant's motion to dismiss plaintiff's breach of confidence claim is denied.

6. N.Y. Deceptive Trade Practices Act

The New York Deceptive Trade Practices Act ("DTPA") proscribes "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in th[e] state." See NYGBL § 349(a). "To state a claim, a plaintiff must allege (1) that the defendant's acts were consumer oriented, (2) that the acts or practices are deceptive or misleading in a material way, and (3) that the plaintiff has been injured as a result." Goldemberg v. Johnson & Johnson Consumer Companies, Inc., 8 F.Supp.3d 467, 478 (S.D.N.Y. 2014) .

Defendant argues that "Plaintiffs have failed to properly plead how the acts of UNITE HERE were deceptive or misleading or that Plaintiffs were actually aware of those acts." UNITE MTD, at 24-25. The only alleged misrepresentations the complaint identifies are (a) the notice letter to union members (b) the privacy policy associated with UNITE HERE'S website and (c) the allegation, "[o]n information and belief," that "at all relevant times Defendant promulgated, adopted, and implemented written privacy policies whereby it expressly promised Plaintiffs and Class Members that it would only disclose Private Information under certain circumstances, none of which relate to the Data Breach." Compl. ¶¶ 27, 181. The notice letter clearly cannot support plaintiffs' claim, because it was sent to members after the data breach occurred. The allegations regarding the more general "privacy policy" are similarly deficient, because nowhere does plaintiff actually describe the terms of this policy or explain how its contents were, in fact, deceptive.

While plaintiffs vaguely suggest defendant can be held liable based purely on an omission theory - that they were required to disclose the vulnerabilities but did not - plaintiffs cite no case to suggest such a theory is viable in the absence of some affirmative misrepresentation, and the Court is aware of none.

This leaves the privacy policy associated with UNITE's website. Unlike the other two purported misstatements, the complaint does identify portions of the privacy policy that were allegedly misleading, for exampling alleging that "UNITE HERE [falsely] informs its union members that it makes every effort to ensure the secure collection and transmission of your sensitive information using industry accepted data collection and encryption methodologies, such as SSL (Secure Sockets Layer)." Compl. ¶ 27.

However, this last allegation suffers from a different defect. To allege a misrepresentation claim pursuant to the DTPA, a "[p]laintiff also must properly allege actual injury caused by Defendant's statements." Goldenberg, 8 F.Supp.3d at 480. "To properly allege causation, a plaintiff must state in his complaint that he has seen the misleading statements of which he complains." Id. In other words, "a plaintiff must plausibly allege that [he] actually viewed the misleading statement . . . and must set forth where, when and how [he] came to view it." Troy v. Am. Bar Ass'n, 2024 WL 1886753, *6 (E.D.N.Y. Apr. 30, 2024). Here, plaintiffs do not allege that either of them ever saw or relied upon the website's privacy policy, and plaintiffs' counsel conceded during oral argument that plaintiffs had not viewed it. See June 21, 2024 Oral Arg. Tr. Even setting this defect aside, the complaint does not allege that the privacy policy for the website applied to the data plaintiffs provided that was stolen. Accordingly, this allegation is similarly deficient.

Plaintiffs lastly argue the DTPA has been construed "'by looking to the definition of deceptive acts and practices under [S]ection 5 of the Federal Trade Commission Act,'" and "unfair and deceptive practices related to safeguarding consumer Private Information is well within the ambit of the FTC Act." Pls. Opp. at 24. Plaintiffs presumably advance this argument to circumvent the absence of any misrepresentation in the complaint. The problem with this argument, however, is that the DTPA applies only to" [d] eceptive acts or practices, NYGBL § 349(a), whereas the FTC Act applies to "unfair or deceptive acts or practices." 15 U.S.C. § 45(a) (1) (emphasis added). The cases plaintiffs cite that found an FTC claim actionable without regard to deception relied on the distinct unfairness prong of the FTC Act. Because the DTPA does not have a similar unfairness prong, those cases are inapposite. Thus, the plaintiff has failed to allege a DTPA violation.

Because the Court finds plaintiffs fail to allege any misrepresentation, it does not reach defendant's further argument that the union did not engage in any consumer-oriented behavior. See UNITE MTD, at 24.

7. Declaratory Judgement

Finally, defendant makes the perfunctory argument that plaintiffs claim for a declaratory judgment "should be dismissed as duplicative." UNITE MTD, at 25. In response, plaintiff argues that the declaration such a claim would provide is forward looking, and would preserve plaintiffs' rights in the future, and so is not duplicative. Pls. Opp. at 25. See In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 414-15 (E.D. Va. 2020) (finding allegation of "continued inadequacy of Defendants' security measures" was sufficient to support declaratory judgment claim in data breach case). Tellingly, defendant does not even discuss this argument its reply. The Court agrees that dismissal of plaintiff's declaratory judgment claim is unwarranted.

III. Conclusion

For the reasons set forth above, the Court hereby grants UNITE's motion to dismiss plaintiffs' DPTA claim but denies defendant's motion in all other respects. The case will therefore go forward with respect to plaintiffs' remaining claims.

SO ORDERED.


Summaries of

In re Unite Here Data Sec. Incident Litig.

United States District Court, S.D. New York
Jul 15, 2024
24-CV-1565(JSR) (S.D.N.Y. Jul. 15, 2024)
Case details for

In re Unite Here Data Sec. Incident Litig.

Case Details

Full title:In re UNITE HERE DATA SECURITY INCIDENT LITIGATION This Document Relates…

Court:United States District Court, S.D. New York

Date published: Jul 15, 2024

Citations

24-CV-1565(JSR) (S.D.N.Y. Jul. 15, 2024)

Citing Cases

Keown v. Int'l Ass'n of Sheet Metal Air Rail Transp. Workers

But, at the motion-to-dismiss stage, it is sufficient for the complaint to show that the injuries claimed-…

Gaboriault v. Primmer Piper Eggleston & Cramer, P.C.

The Court therefore finds that the allegations of a targeted attack by an unauthorized party are “sufficient…