Opinion
Civil Action 4:22-CV-00174
07-18-2024
JAMES LOGAN, NATHAN BAXTER, and YUSEF HARRIS, individually and on behalf of all others similarly situated “Class Members, ”[1]Plaintiffs, v. MARKER GROUP, INC., Defendant.
MEMORANDUM OPINION AND ORDER
DREW B. TIPTON, UNITED STATES DISTRICT JUDGE
Defendant Marker Group, Inc. (“Marker Group”) provides litigation support services to law firms. In December 2021, Marker Group notified its clients of a data breach in its system that allowed an unknown third-party to access its servers. Those servers contain sensitive, personal information such as Social Security numbers, identifying information, and medical records. As a result of the data breach, Plaintiffs James Logan, Nathan Baxter, and Yusef Harris allege that they were victims of identity theft and continue to face a risk of future exposure to identity theft. They assert claims for negligence, breach of implied contract, invasion of privacy, unjust enrichment, breach of confidence, and violation of the California Confidentiality of Medical Information Act (“CMIA”). They further seek a declaratory judgment that Marker Group's existing security measures do not comply with its contractual obligations and duties of care, and that it must comply with these obligations and duties by implementing and maintaining reasonable security measures.
Pending before the Court is Marker Group's Partial Motion to Dismiss Plaintiffs' Amended Class Action Complaint. (Dkt. No. 25). Marker Group seeks dismissal under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). After careful review, the Motion is GRANTED IN PART and DENIED IN PART.
Also contained in the Motion is a request to strike under Federal Rule of Civil Procedure 12(f). (Dkt. No. 25 at 1).
For purposes of addressing this Motion, the Court accepts all factual allegations in the Complaint as true and views them in the light most favorable to the nonmovants. See White v. U.S. Corrections, L.L.C., 996 F.3d 302, 306-07 (5th Cir. 2021).
Specializing in multi-district litigation (“MDL”) involving personal injury claims, Marker Group “provides record collection, medical review, data analysis, and many other litigation support services to some of the world's most prestigious defense law firms.” (Dkt. No. 23 at 2). Marker Group's services include the use of an online “[file transfer protocol] platform system that allows medical records and other personal information and documentation to be uploaded, stored, sorted, and analyzed.” (Id.). This platform “serves as a centralized location for parties in large litigation matters to manage medical records, plaintiff fact sheets, and other discovery materials.” (Id. at 7). Equipped with “administrative, physical, and technical safeguards,” Marker Group promises “to ensure the maximum level of control and security” and full compliance with information security laws. (Id. at 3).
Plaintiffs in this case were “required to upload their medical, pharmacy, and insurance records and other sensitive and confidential information onto the Marker Group portal as a condition of their participation in the MDL[.]” (Id. at 8). The information provided “included, without limitation, their names, Social Security numbers, dates of birth, and addresses” along with medical and personal health information. (Id.).
On September 3, 2021, Marker Group “noticed ‘suspicious activity' on its computer network and later determined that files were accessed by an ‘unknown, unauthorized third-party[.]'” (Id. at 3-4). That December, Marker Group issued a Notice of Data Breach Letter (the “Notice”) advising clients that breached files contained protected health information and personally identifiable information. (Id. at 4). The Notice had barely any information indicating “how long these unauthorized third-parties had access to the medical records and other sensitive information[.]” (Id.).
Plaintiffs allege that as a result of this breach, they “experienced fraudulent activity and identity theft . . . including but not limited to unauthorized loan applications, bank account activity, tax fraud, and unemployment fraud.” (Id. at 9). Before becoming aware of the breach, Logan “encountered a situation with his treating physician in which it appeared that information unrelated to him had been transmitted to his physician under his name[,]” an occurrence which he attributes to the data breach. (Id. at 22). Also as a result of the breach, Logan “received text messages from a medical facility . . . confirming medical appointments that he did not make for himself.” (Id.). For Baxter, the consequences of the breach came in the form of “a barrage of phone calls regarding Medicare insurance coverage . . . relay[ing] information and offers that contradict his current coverage” as well as “unsolicited loan offers which contain his personal information.” (Id. at 23). Lastly, following quickly on the heels of the breach, Harris learned that “an unauthorized individual opened a line of credit for $1500 in [his] name, using his Social Security number[.]” (Id.). Although Harris filed a police report and froze his credit accounts, the fraudulent activity still “negatively impacted his credit score.” (Id. at 23-24).
Plaintiffs now bring this class action lawsuit against Marker Group alleging six counts: (1) negligence, (2) breach of implied contract, (3) invasion of privacy, (4) unjust enrichment, (5) breach of confidence, (6) declaratory judgment, and (7) violation of the CMIA. (Id. at 30-48). Plaintiffs also request declaratory relief. (Id. at 45-46). Marker Group filed a Partial Motion to Dismiss, (Dkt. Nos. 25, 25-1), arguing that the Court lacks subject matter jurisdiction over Logan and Baxter's claims, and that Plaintiffs failed to adequately plead a number of his claims.
II. LEGAL STANDARD
A. Rule 12(b)(1)
Rule 12(b)(1) of the Federal Rules of Civil Procedure permits a defendant to move to dismiss for “lack of subject matter jurisdiction.” When considering a motion to dismiss under Rule 12(b)(1), a court must “accept the complaint's well-pleaded factual allegations as true.” Carver v. Atwood, 18 F.4th 494, 496 (5th Cir. 2021). Dismissal for lack of subject- matter jurisdiction is appropriate “when the plaintiff does not ‘plausibly allege all jurisdictional allegations.'” Ghedi v. Mayorkas, 16 F.4th 456, 463 (5th Cir. 2021) (quoting Brownback v. King, 592 U.S. 209, 217, 141 S.Ct. 740, 749, 209 L.Ed.2d 33 (2021)). “For a 12(b)(1) motion, the general burden is on the party asserting jurisdiction.” Dickson v. United States, 11 F.4th 308, 312 (5th Cir. 2021). “When a Rule 12(b)(1) motion is filed with other Rule 12 motions, the court should consider the Rule 12(b)(1) motion ‘before addressing any attack on the merits.'” D&G Holdings, L.L.C. v. Becerra, 22 F.4th 470, 474 (5th Cir. 2022) (quoting Ramming v. United States, 281 F.3d 158, 161 (5th Cir. 2001)).
B. Rule 12(b)(6)
Rule 12(b)(6) of the Federal Rules of Civil Procedure permits a defendant to move to dismiss for “failure to state a claim upon which relief can be granted[.]” Rule 8(a)(2) of the Federal Rules of Civil Procedure requires a pleading to contain “a short and plain statement of the claim showing that the pleader is entitled to relief[.]” “[T]he pleading standard Rule 8 announces does not require ‘detailed factual allegations,' but it demands more than . . . ‘labels and conclusions[.]'” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 1949, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 1964-65, 167 L.Ed.2d 929 (2007)). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id. at 678, 129 S.Ct. at 1949 (citing Twombly, 550 U.S. at 555, 127 S.Ct. at 1965). “The defendant, as the moving party, bears the burden of proving that no legally cognizable claim for relief exists.” Flores v. Morehead Dotts Rybak, Inc., No. 2:21-CV-00265, 2022 WL 4740076, at *2 (S.D. Tex. Sept. 29, 2022) (citing 5B Charles Alan Wright & Arthur R. Miller, Federal Practice and Procedure § 1357 (3d ed.)).
In reviewing a Rule 12(b)(6) motion to dismiss, a court must accept the plaintiff's factual allegations as true and view those allegations in the light most favorable to the plaintiff. White v. U.S. Corr., L.L.C., 996 F.3d 302, 306-07 (5th Cir. 2021). The court must evaluate whether the complaint contains “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Iqbal, 556 U.S. at 678, 129 S.Ct. at 1949 (quoting Twombly, 550 U.S. at 570, 127 S.Ct. at 1974). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 678, 129 S.Ct. at 1949 (citing Twombly, 550 U.S. at 556, 127 S.Ct. at 1965). “The plausibility standard is not akin to a ‘probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. at 678, 129 S.Ct. at 1949 (quoting Twombly, 550 U.S. at 556, 127 S.Ct. at 1965). “Dismissal . . . is appropriate where the plaintiff fails to allege ‘enough facts to state a claim to relief that is plausible on its face' and thus does not ‘raise a right to relief above the speculative level.'” Montoya v. FedEx Ground Package Sys., Inc., 614 F.3d 145, 148 (5th Cir. 2010) (quoting Twombly, 550 U.S. at 555, 570, 127 S.Ct. at 1965, 1974).
C. Rule 12(f)
Rule 12(f) allows a court to “strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.” Fed.R.Civ.P. 12(f). Applicable only to pleadings, “motions under Ruler 12(f) are viewed with disfavor and are infrequently granted[.]” SEC v. Faulkner, No. 3:16-CV-01735, 2019 WL 2515000, at *1 (N.D. Tex. June 18, 2019) (quoting FDIC v. Niblo, 821 F.Supp. 441, 449 (N.D. Tex. 1993)). This is because it is a drastic remedy and is often sought as a dilatory tactic. Id. Rule 7(a) of the Federal Rules of Civil Procedure “limits the universe of allowed ‘pleadings,'” and Rule 12(f) motions should only be granted “when the pleading to be stricken has no possible relation to the controversy.” Id. (quotation omitted).
“[F]ederal courts sitting in diversity apply state substantive law and federal procedural law.” Nat'l Liab. & Fire Ins. Co. v. R & R Marine, Inc., 756 F.3d 825, 834 (5th Cir. 2014) (quoting Gasperini v. Ctr. for Humanities, Inc., 518 U.S. 415, 427, 116 S.Ct. 2211, 2219, 135 L.Ed.2d 659 (1996)). The Parties agree that the claims in this case, save the CMIA claim, are governed by Texas law. (See Dkt. No. 25-1 at 19-20); (Dkt. No. 28 at 21-23). Accordingly, the Court will apply Texas law to those. See Erie R.R. Co. v. Tompkins, 304 U.S. 64, 78, 68 S.Ct. 817, 822, 82 L.Ed. 1188 (1938) (“Except in matters governed by the Federal Constitution or acts of Congress, the law to be applied in any case is the law of the state.”).
In its Partial Motion to Dismiss, Marker Group argues that Plaintiffs' Amended Complaint, (Dkt. No. 23), should be dismissed “in its entirety as to Logan and Baxter pursuant to Federal Rule of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction.” (Dkt. No. 25-1 at 11). Marker Group asserts that because neither Logan nor Baxter have “suffered any actual injury, such as identity theft,” they have failed to establish Article III standing. (Id. at 13-17). Marker Group further asserts that partial dismissal is appropriate because Plaintiffs have “failed to state a claim upon which relief can be granted for most of the causes of action in the Amended Complaint.” (Id. at 8, 1828). Lastly, Marker Group asks the Court to “strike the immaterial and impertinent allegations concerning identity theft that have nothing to do with the parties or facts of this case,” such as “extraneous material concerning the actions of identity thieves and statistics about cybercrime.” (Id. at 28-29).
In response to Marker Group's standing arguments, Plaintiffs counter that Logan and Baxter “have sufficiently alleged a concrete harm based on a substantial risk of future identity theft and actual identity theft,” (Dkt. No. 28 at 10-12), and maintain that all Plaintiffs have standing to seek injunctive relief, (id. at 18-19). Moreover, they assert that “the risk of future identity theft constitutes a concrete harm,” and, therefore, “so do the Plaintiffs' efforts to mitigate that harm.” (Id. at 16-18). Alternatively, Plaintiffs argue that a concrete injury exists in the form of “the lost or diminished value of their [personally identifiable information and protected health information] as a result of the Data Breach.” (Id. at 18). As to Defendant's Rule 12(b)(6) arguments, Plaintiffs defend the sufficiency of the allegations pled in support of each of their claims. (Id. at 19-28). Finally, Plaintiffs urge the Court to “not strike the allegations concerning identity theft, but instead [to] leave the sufficiency of the allegations for determination on the merits.” (Id. at 28).
A. Standing
To bring a lawsuit in federal court, a plaintiff must have standing. Fed. Election Comm'n v. Cruz, 596 U.S. 289, 295-96, 142 S.Ct. 1638, 1646, 212 L.Ed.2d 654 (2022). This is a non-waivable, jurisdictional requirement. La. Landmarks Soc., Inc. v. New Orleans, 85 F.3d 1119, 1122 n.3 (5th Cir. 1996). To meet Article Ill's standing requirements, a plaintiff must demonstrate that it has “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338, 136 S.Ct. 1540, 1547, 194 L.Ed.2d 635 (2016). “A plaintiff ‘bears the burden of establishing these elements.'” Daves v. Dallas Cnty., 22 F.4th 522, 542 (5th Cir. 2022) (en banc) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 2136, 119 L.Ed.2d 351 (1992)).
To satisfy the first element, injury in fact, a plaintiff must show a harm suffered that is concrete and actual or imminent, not conjectural or hypothetical. Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 103, 118 S.Ct. 1003, 1016, 140 L.Ed.2d 210 (1998). To satisfy the second element, causation, the plaintiff must establish “a fairly traceable connection between the plaintiff's injury and the complained-of conduct of the defendant.” Id. at 103, 118 S.Ct. at 1016-17. And to satisfy the third and final element, redressability, there must be “ a likelihood that the requested relief will redress the alleged injury.” Id. at 103, 118 S.Ct. at 1017.
Marker Group disputes whether Plaintiffs Logan and Baxter have properly alleged an injury and challenge their ability to assert standing to seek monetary damages under four theories - actual and concrete injury, imminent risk of future injury, injury as a result of mitigation efforts, and injury resulting from diminution in value of their personal information. (Dkt. No. 25-1 at 13-17). Finally, Marker Group attacks the ability of all Plaintiffs to seek injunctive relief because “no Plaintiff has identified any ‘forward-looking' relief that would potentially alleviate any purported risk.” (Id. at 17-18).
1. Actual and Concrete Injury
Marker Group argues that Logan and Baxter have not alleged a concrete injury because neither were truly “victims of identity theft, financial fraud, or any other harm.” (Id. at 13). The text messages received by Logan, it argues, did not “result[] in any harm,” and the transmission of unrelated information could have been the result of a “clerical error[.]” (Id.). As to Baxter's alleged injury, Marker Group argues that “numerous spam calls and unsolicited loan offers” are simply a fact of modern life and do not “plausibly suggest” misuse of his personal information as a result of the breach. (Id.). In response, Plaintiffs maintain that their allegations sufficiently allege that Logan and Baxter “were victims of actual identity theft and fraud,” but offer no new rationale to rebut Marker Group's arguments. (Dkt. No. 28 at 11-12). In reply, Marker Group emphasizes that Plaintiffs can neither explain how “these situations constitute identity theft or fraud,” and objects to Plaintiffs' attempt to “simply state, with no factual basis whatsoever, that any minor, unrelated inconvenience that [they] experienced after the Marker Group data security incident constituted identity theft.” (Dkt. No. 29 at 3). The Court agrees with Marker Group.
Plaintiffs provide no authority supporting their claim that these occurrences constitute an Article III injury. On the contrary, courts have found that similar occurrences, such as “the receipt of phishing emails, while perhaps ‘consistent with' data misuse, does not ‘plausibly suggest' that any actual misuse of Plaintiff's personal identifying information has occurred.” Legg v. Leaders Life Ins. Co., 574 F.Supp.3d 985, 993 (W.D. Okla. 2021) (quoting Twombly, 550 U.S. at 557, 127 S.Ct. at 1966). Conclusory statements alleging actual incidents of identity theft are insufficient to establish an injury in fact because such injuries require a showing that “the information accessed was actually misused or that there has even been an attempt to use it.” Green v. eBay Inc., No. 2:14-CV-01688, 2015 WL 2066531, at *4 (E.D. La. May 4, 2015). For example, one recent court inferred identify theft when a plaintiff's information was stolen and used “to fraudulently open credit cards in their names.” McFarlane v. Altice USA, Inc., 524 F.Supp.3d 264, 270 (S.D.N.Y. 2021); see also Strautins v. Trustwave Holdings, Inc., 27 F.Supp.3d 871, 876 (N.D. Ill. 2014) (finding that whether a data breach results in identity theft “depends on a number of variables, such as whether their data was actually taken during the breach, whether it was subsequently sold or otherwise transferred, whether anyone who obtained the data attempted to use it, and whether or not they succeeded”).
Moreover, even if Logan and Baxter's alleged occurrences could constitute a sufficient injury-in-fact, they would still “fail to meet the causation and redressability elements of the standing test.” See Peters v. St. Joseph Servs. Corp., 74 F.Supp.3d 847, 857 (S.D. Tex. 2015). Courts in the Fifth Circuit have held that attempted credit card charges, phone solicitations, spam emails, and receipt of materials targeting one's specific medical conditions perpetrated “by unknown third parties . . . fail[] to account for the sufficient break in causation caused by opportunistic third parties.” Id. (emphasis in original); see also Almon v. Conduent Bus. Servs., LLC, No. 5:19-CV-01075, 2022 WL 902992, at *23 (W.D. Tex. Mar. 25, 2022) (“Because Plaintiffs cannot establish a causal connection between their injuries and the alleged data breach, they lack standing to assert claims arising out of the alleged data breach.”) (citing Lujan, 504 U.S. at 560, 112 S.Ct. at 2136). As Marker Group points out, the texts received by Logan could have resulted from a clerical error and the phone calls received by Baxter are not unusual in modern life. Thus, the claimed injuries are not cognizable under Article III for standing purposes. Peters, 74 F.Supp.3d at 857. Moreover, “to the extent that [such injuries] meet the first prong” of the standing test, without “any quantifiable damage or loss” alleged, a favorable decision from this Court could not redress the injuries. Id. Thus, the Court finds that Logan and Baxter lack Article III standing as victims of actual identity theft.
2. Imminent Risk of Future Injury
Marker Group additionally argues that Logan and Baxter have “failed to allege any risk of future harm that can confer standing” because they do not claim to be victims of actual identity theft, and the risk they face of future identity theft is highly speculative. (Dkt. No. 25-1 at 13-16). In response, Plaintiffs assert that they “do allege that they were victims of actual identity theft and fraud,” and, in addition to that harm, “they now face a lifetime of heightened risk of identity theft and fraud” as a result of the data breach, which is sufficient to confer standing under Article III. (Dkt. No. 28 at 11) (emphasis in original). The Court agrees with Marker Group.
Generally, in a suit for damages, “the risk of future harm on its own does not support Article III standing[.]” TransUnion LLC v. Ramirez, 594 U.S. 413, 441, 141 S.Ct. 2190, 2213, 210 L.Ed.2d 568 (2021). In fact, Plaintiffs' exact theory has been rejected by courts in the Fifth Circuit on several occasions. See, e.g., Peters, 74 F.Supp.3d at 849; Green, 2015 WL 2066531, at *4; Kostka v. Dickey's Barbeque Rests., Inc., No. 3:20-CV-03424, 2022 WL 16821685, at *4 (N.D. Tex. Oct. 14, 2022), report and recommendation adopted, No. 3:20-CV-03424, 2022 WL 16821685 (N.D. Tex. Nov. 8, 2022).
Two courts in this Circuit have directly examined “whether the heightened risk of future identity theft/fraud posed by a data security breach confers Article III standing on persons whose information may have been accessed[,]” and both found “that the answer is no.” Peters, 74 F.Supp.3d at 849; see also Green, 2015 WL 2066531, at *4 (finding that even when Social Security numbers were stolen as a result of a data breach, “courts nonetheless have found that the mere risk of identity theft is insufficient to confer standing, even in cases where there were actual attempts to use the stolen information”). While more recent cases have asked similar questions in a different context, the rule remains that “the risk of future harm on its own does not support Article III standing” because “the mere risk of future harm, standing alone, cannot qualify as a concrete harm[.]” Kostka, 2022 WL 16821685, at *4 (quoting TransUnion, 594 U.S. at 436, 141 S.Ct. 2210-11). Thus, Logan and Baxter have failed to establish standing on a speculative risk of identity theft at some unknown point in the future.
3. Mitigation Efforts
Marker Group argues that Plaintiffs cannot establish standing by claiming that “they were forced to spend time and money on mitigation efforts related to the risk of identity theft.” (Dkt. No. 25-1 at 16). Doing so, according to Marker Group, would allow Plaintiffs to “manufacture standing by incurring self-imposed costs.” (Id.). Plaintiffs' response is premised on their argument that the risk of future harm is, itself, an Article III injury. (Dkt. No. 28 at 16-18). They claim that “[b]ecause Plaintiffs have demonstrated that their risk of identity theft resulting from the data breach is a concrete harm, the time, money, and effort spent mitigating that risk are separate, concrete injuries that confer standing in this case as well as cognizable damages.” (Id. at 17). The Court agrees with Marker Group.
Under Article III, parties “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 416, 133 S.Ct. 1138, 1151, 185 L.Ed.2d 264 (2013). Since the Court has already determined that the risk of future identity theft based on the data breach is not a concrete injury sufficient to confer standing, Plaintiffs' attempt to conjure harms based on fear of that hypothetical future harm is also insufficient to establish standing. See Green, 2015 WL 2066531, at *5 n.59 (finding that “because there have been no reported incidences of actual identity theft or identity fraud as a result of the Data Breach . . . there is no reason to believe such mitigation costs are necessary”).
4. Diminution in Value
Lastly, Marker Group argues Plaintiffs have not offered any factual support for the claim that they have suffered injuries in the form of diminution of value with respect to their personally identifiable information. (Dkt. No. 25-1 at 17). Plaintiffs respond that they have sufficiently alleged losses and “are not required to allege that [someone] attempted to sell their [information.]” (Dkt. No. 28 at 18).
“[D]istrict courts have been reluctant to find standing based solely on a theory that the value of a plaintiff's [personal information] has been diminished.” In re Google Android Consumer Priv. Litig., No. 4:11-CV-02264, 2013 WL 1283236, at *4 (N.D. Cal. Mar. 26, 2013) (emphasis in original) (collecting cases). When courts have adopted a theory of injury based on diminution in value, the cases “involved circumstances where the defendants collected information that was itself monetized and used for commercial purposes.” In re Am. Med. Collection Agency, Inc. Consumer Data Sec. Breach Litig., No. 2:19-CV-02904, 2021 WL 5937742, at *10 (D.N.J. Dec. 16, 2021). Because personal information “does not have an inherent monetary value[,]” Willingham v. Glob. Payments, Inc., No. 1:12-CV-01157, 2013 WL 440702, at *7 (N.D.Ga. Feb. 5, 2013), “collection of personal information does not create an economic loss.” Low v. LinkedIn Corp., No. 5:11-CV-01468, 2011 WL 5509848, at *4 (N.D. Cal. Nov. 11, 2011).
Moreover, “Plaintiffs do not explain how they were ‘deprived' of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.” LaCourt v. Specific Media, Inc., No. 2:10-CV-01256, 2011 WL 1661532, at *5 (C.D. Cal. Apr. 28, 2011). An issue that has yet to be addressed in the Fifth Circuit, the court in Green noted that “[e]ven if the Court were to find that personal information has an inherent value and the deprivation of such value is an injury sufficient to confer standing, Plaintiff has failed to allege facts indicating how the value of his personal information has decreased as a result of the Data Breach.” Green, 2015 WL 2066531, at *5 n.59. The same is true here. Because Plaintiffs' claims are “dependent on entirely speculative, future actions of an unknown third-party[,]” they are insufficient to confer Article III standing. Browne v. U.S. Fertility, LLC, No. 2:21-CV-00367, 2021 WL 2550643, at *3 (E.D. Pa. June 22, 2021). Thus, Logan and Baxter cannot establish standing on this basis.
5. Injunctive Relief
Finding that Plaintiffs Logan and Baxter failed to establish standing to bring any monetary claims, the Court will now consider whether Harris, the sole remaining Plaintiff, has standing to maintain a claim for injunctive relief. Marker Group argues that injunctive relief is inappropriate in this case because the data breach occurred more than one year ago and “the Amended Complaint does not specifically identify any ‘forward-looking' injunctive relief that could possibly prevent any potential future harm stemming from the incident from occurring.” (Dkt. No. 25-1 at 18). In response, Plaintiffs argue that because Marker Group still possesses Plaintiffs' personal information, Plaintiffs seek injunctive relief requiring Marker Group to “implement and maintain reasonable security measures moving forward[.]” (Dkt. No. 28 at 19). In reply, Marker Group asserts that the claimed relief cannot prevent any potential future injuries resulting from this data breach, and is, therefore, inappropriate. (Dkt. No. 29 at 9). Marker Group is correct.
“[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” TransUnion, 594 U.S. at 435, 141 S.Ct. at 2210. The Court has already determined that the risk of future identity theft resulting from this data breach is insufficient to establish standing, and the Court also finds that Plaintiffs have not adequately pleaded facts to allege an imminent and substantial harm that another data breach will occur in the future. See I.C. v. Zynga, Inc., 600 F.Supp.3d 1034, 1055 (N.D. Cal. 2022) (finding that plaintiffs did not have standing to seek injunctive relief because they could not “show any imminent risk of future harm from this data breach” (emphasis in original)). Thus, no Plaintiff has standing to seek injunctive relief.
B. Failure to State a Claim
Having determined that the Court lacks subject matter jurisdiction over Logan's and Baxter's claims-only Harris's claim remain. Marker Group moves to dismiss for failure to state a claim on Counts 2 through 6 of the Amended Complaint.(Dkt. No. 251 at 24-28). Plaintiffs assert these claims are adequately pled. (Dkt. No. 28 at 19-28). The Court addresses whether Harris pled a viable cause of action claim-by-claim.
Marker Group did not move to dismiss Harris's claim for negligence in Count 1.
1. Breach of Implied Contract
Marker Group moves to dismiss Harris's breach-of-implied-contract claim because “[t]here was no meeting of the minds here[.]” (Dkt. No. 25-1 at 25). Marker Group asserts that “[Harris] never entered into an implied contract with Marker Group,” and, moreover, Marker Group never “made any particular representations about data security” or “indicated an intention to be contractually bound in any other way” to Harris. (Dkt. No. 25-1 at 25). Harris responds that “[a] meeting of the minds occurred insofar as both parties understood that Defendant would use reasonable, industry standard measures to protect their [personal information].” (Dkt. No. 28 at 23). In addition, via Marker Group's website, Harris “identified concrete promises to protect [personal information] made by Defendant,” not merely implied promises. (Id.).
Under Texas law, the elements of a breach of contract claim are “(1) the existence of a valid contract; (2) performance or tender of performance; (3) breach by the defendant; and (4) damages resulting from the breach.” Oliphant Fin., LLC v. Galaviz, 299 S.W.3d 829, 834 (Tex. App.-Dallas 2009, no pet.). A binding contract, whether express or implied in fact, requires “(1) an offer, (2) an acceptance in strict compliance with the terms of the offer, (3) a meeting of the minds, [and] (4) each party's consent to the terms[.]” Buxani v. Nussbaum, 940 S.W.2d 350, 352 (Tex. App.-San Antonio 1997, no writ). When alleging an implied contract, “the element of mutual assent can be inferred from the circumstances of the transaction.” Id. (citing Haws & Garrett Gen. Contractors, Inc. v. Gorbett Bros. Welding Co., 480 S.W.2d 607, 609 (Tex. 1972)). “Mutual assent can arise from the parties' acts and conduct from which one party can ‘reasonably draw the inference of a promise.'” Id. (quoting Haws & Garrett, 480 S.W.2d at 609-10).
“Many federal courts have held that an implied contract to safeguard customers' sensitive data could reasonably be found to exist in transactions where consumers are solicited or invited to provide personal information in exchange for a good or service.” In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1221 (S.D. Fla. 2022); see also In re Marriott Int'l, Inc., Consumer Data Sec. Breach Litig., 440 F.Supp.3d 447, 486 (D. Md. 2020) (collecting cases). Even in those circumstances, however, the plaintiffs alleging existence of an implied contract must provide some “evidence from which one could plausibly infer that defendant intended to contractually bind itself to a general standard of reasonable care or any particular cybersecurity standard or protocol by accepting” receipt of plaintiff's personal information. Lovell v. P.F. Chang's China Bistro, Inc., No. 2:14-CV-01152, 2015 WL 4940371, at *3 (W.D. Wash. Mar. 27, 2015).
Despite Harris's assertion that it has identified evidence establishing that Marker Group promised to protect their personal information, (Dkt. No. 28 at 23), Marker Group did not solicit or invite Harris to provide such information in exchange for their services. This case resembles In re Mednax where the plaintiffs only “provided their personal information as required to receive healthcare services from Defendants-not data security services beyond the privacy requirements already imposed on Defendants by federal law.” 603 F.Supp.3d at 1221. Just like the plaintiffs in In Re Mednax, Harris “allege[s] no invitation or solicitation by Defendants indicating that Defendants implicitly assented to secure [his personal information] in exchange for remuneration.” Id.
Moreover, the court in In Re Mednax emphasized that a “privacy notice is of no consequence because such notices are not contractual in nature.” Id. Documents that inform patients, or in this case MDL participants, of their rights under federal law “cannot create contractual obligations” when defendants “are required by law to adhere to [federal law] without receiving any consideration from Plaintiffs or any other patient[.]” Id. at 1222. Thus, not only did Harris fail to allege that Marker Group solicited receipt of their personal information in exchange for data security services, he also failed to explain why Marker Group's representation that “it is fully compliant with the HIPAA Standards for Privacy, Electronic Transactions and Security . . . to ensure compliance with federal and state information security laws” is contractual in nature. (Dkt. No. 28 at 23). Accordingly, Harris has not pled a viable breach-of-implied contract claim in Count 2 of the Amended Complaint, and it is therefore dismissed.
2. Invasion of Privacy
Marker Group next moves the Court to dismiss Harris's invasion of privacy claim, arguing that Harris failed to plead “any facts showing that Marker Group intentionally allowed an unauthorized third party to access [his] information.” (Dkt. No. 25-1 at 2526). The Court agrees with Marker Group.
To survive dismissal, Harris must plead facts alleging that “(1) the defendant intentionally intruded on the plaintiff's solitude, seclusion, or private affairs; and (2) the intrusion would be highly offensive to a reasonable person.” Beaumont v. Basham, 205 S.W.3d 608, 614 (Tex. App.-Waco 2006, pet. denied) (citing Valenzuela v. Aquino, 853 S.W.2d 512, 513 (Tex. 1993)). He fails on the first element.
Harris pleads, in a conclusory manner, that Marker Group “acted with an intentional state of mind when it permitted the Data Breach to occur because it acted with actual knowledge that its information security practices were inadequate and insufficient.” (Dkt. No. 23 at 40). He claims that it can be “inferred” from the data breach that Marker Group's security practices were inadequate and insufficient. (Id. at 17). However, Harris provides no facts explaining how Marker Group supposedly knew of the alleged inadequacies and insufficiencies of its security practices. Because invasion of privacy is an intentional tort, a theory based on “negligent failure to safeguard and protect” personal information is “insufficient to state a claim” for invasion of privacy. In re Mednax, 603 F.Supp.3d at 1226 (cleaned up).
Additionally, because Harris voluntarily gave his information to Marker Group, he cannot now allege that Marker Group intruded on his solitude. When confronted with invasion-of-privacy claims in the data breach context, courts have similarly noted that a plaintiff's voluntary disclosure of their personal information “dooms their claim.” In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 598 (N.D. Ill. 2022) (cleaned up). In that case, the plaintiffs “disclosed their [personal information] to Defendants as part of their relationships with Defendants.” Id. (quotation omitted). The same is true here. Harris, in order to participate in the MDL, freely disclosed his personal information to Marker Group whose role was “to manage medical records, plaintiff fact sheets, and other discovery materials” in a central location where it can be “housed for continued access by the parties.” (Dkt. No. 23 at 7). Accordingly, Harris has not pled a viable invasion-of-privacy claim in Count 3 of the Amended Complaint, and it is therefore dismissed.
3. Unjust Enrichment
Marker Group argues that Harris failed to adequately plead an unjust enrichment claim because he “did not confer any benefit on Marker Group.” (Dkt. No. 25-1 at 26). Harris responds that he conferred a benefit to Marker Group because they profited from receiving his personal information “through its contracts with its customers[.]” (Dkt. No. 28 at 27).
In Texas, “[a] party may recover under the unjust enrichment theory when one person has obtained a benefit from another by fraud, duress, or the taking of an undue advantage.” Heldenfels Bros., Inc. v. Corpus Christi, 832 S.W.2d 39, 41 (Tex. 1992). “Unjust enrichment is an equitable theory of recovery that is based on an implied agreement to pay for benefits received.” Jupiter Enters., Inc. v. Harrison, No. 05-00-01914-CV, 2002 WL 318305, at *3 (Tex. App.-Dallas Mar. 1, 2002, no pet.) (citing Vortt Exploration Co., Inc. v. Chevron U.S.A., Inc., 787 S.W.2d 942, 944 (Tex. 1990)). In the absence of an express contract, a party can bring a claim for unjust enrichment by alleging that “(1) that valuable services were rendered or materials furnished; (2) for the person sought to be charged; (3) which services and materials were accepted by the person sought to be charged, used, and enjoyed by that person; and (4) under such circumstances as reasonably notified the person sought to be charged that the plaintiff in performing such services was expecting to be paid by the person sought to be charged.” Id. (citing Vortt, 787 S.W.2d at 944). Here, Harris cannot prove the first element of unjust enrichment- that he conferred any benefit or valuable services or materials to Marker Group.
As Harris points out, several courts across the country have allowed unjust enrichment claims to survive at the Rule 12 stage in the data-breach context. (Dkt. No. 28 at 26) (collecting cases). However, in each of Harris's cited cases, the plaintiffs allege that their data was given to the defendant along with something else of value-usually money. For example, in In re Target Corp. Customer Data Security Breach Litig., the plaintiffs' theorized that they would not have given money to Target if they had been warned of Target's allegedly faulty data security. 66 F.Supp.3d. 1154, 1177-78 (D. Minn. 2014). And in Baldwin v. National Western Life Insurance Company, the plaintiff's theory was also premised on an actual benefit to the defendant other than solely personal information. No. 2:21-CV-04066, 2021 WL 4206736, at *8 (W.D. Mo. Sept. 15, 2021). Namely, the Baldwin plaintiff argued that she benefitted the defendant by “pa[ying] for life insurance and that part of those payments were for data security.” Id. Thus, in both cases, the defendant was unjustly enriched by taking the plaintiff's data and their money, and then failing to protect the data. Id.; In Re Target Corp., 66 F.Supp.3d. at 1177-78.
This case more closely resembles a 2021 case out of South Carolina, In re Blackbaud, Inc., Customer Data Breach Litigation, 567 F.Supp.3d 667 (D.S.C. 2021). In Blackbaud, a group of plaintiffs sued Blackbaud, a data storage company, after its servers were breached and the plaintiffs' data was accessed. Id. at 672. The plaintiffs alleged, among other things, that Blackbaud was unjustly enriched by receiving payment to store the plaintiffs' data, and then failing to protect it. Id. at 687. The court dismissed the claim at the Rule 12 stage, reasoning that unlike the other data breach cases with successful unjust enrichment claims, the plaintiffs did not actually pay Blackbaud to store their data and therefore conferred no benefit. Id. at 687-88. Instead, the Blackbaud plaintiffs had given their information to various companies “who in turn sought out, paid for, and utilized Blackbaud's services.” Id. at 688.
This case presents the same issue discussed in Blackbaud. Here, the only thing Harris gave to Marker Group was his personal information. With nothing else to serve as consideration for the safe keeping of such information, Harris conferred no benefit on Marker Group. Again, personal information “does not have an inherent monetary value,” Willingham, 2013 WL 440702, at *7, and “collection of personal information does not create an economic loss.” Low, 2011 WL 5509848, at *4. The only benefit conferred to Marker Group was the money paid by a third-party, not Harris, who contracted and paid for Marker Group's services. (Dkt. No. 23 at 41). Thus, Harris cannot plead the first element of an unjust enrichment claim in Count 4 of the Amended Complaint, i.e., that he conferred a benefit. It is therefore dismissed.
4. Breach of Confidence
Marker Group asserts that Harris's breach of confidence claim also warrants dismissal because it is not a cause of action recognized by Texas law. (Dkt. No. 25-1 at 27). The Court agrees.
A court in the Eastern District of Virginia recently noted that it was “not aware of any decision under [Texas] law that has recognized a tort for the breach of confidence[.]” In re Capital One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 409 n.21 (E.D. Va. 2020). Harris did not provide this Court with any case law establishing the existence of a breach of confidence claim in Texas, and the Court is unaware of any such authority. Accordingly, Harris has not pled a viable breach of confidence claim in Count 5 of the Amended Complaint, and it is therefore dismissed.
5. Declaratory Relief
Lastly, Marker Group contends Harris is not entitled to declaratory relief. (Dkt. No. 25-1 at 27-28). Harris requests “a declaration that (1) each of Defendant's existing security measures do not comply with their explicit or implicit contractual obligations and duties of care,” and (2) a declaration requiring Marker Group “to comply with their explicit or implicit contractual obligations and duties of care,” including the implementation and maintenance of reasonable security measures, of which Plaintiff list eight examples. (Dkt. No. 23 at 45-46). Harris asserts that a declaratory judgment is proper because Marker Group “has not provided any reassurance to [him] that it has taken steps to prevent another Data Breach from occurring in the future.” (Dkt. No. 28 at 27). Emphasizing that Harris lacks standing for this relief, Marker Group argues that Harris's request is injunctive in nature and should be dismissed. (Dkt. No. 25-1 at 27-28). Finding that only the first of Harris's two requests for declaratory judgment is proper, the Court agrees in part with Harris and in part with Marker Group.
To state a claim under the Declaratory Judgment Act, 28 U.S.C. § 28 U.S.C. §§ 220102, a plaintiff must allege the existence of a dispute that is “definite and concrete, touching the legal relations of parties having adverse legal interests,” and that the dispute be “real and substantial and admit of specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts.” MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 127, 127 S.Ct. 764, 771, 166 L.Ed.2d 604 (2007) (cleaned up). “Further necessary or proper relief based on a declaratory judgment or decree may be granted, after reasonable notice and hearing, against any adverse party whose rights have been determined by such judgment.” 28 U.S.C. § 2202 (emphasis added).
“Basically, the question in each case is whether the facts alleged, under all the circumstances, show that there is a substantial controversy, between parties having adverse legal interests, of sufficient immediacy and reality to warrant the issuance of a declaratory judgment.” MedImmune, Inc., 549 U.S. at 127, 127 S.Ct. at 771. Because the “Declaratory Judgment Act is ‘an authorization, not a command' . . . federal courts have wide discretion to grant or deny declaratory judgment.” Aguiluz v. Citibank, N.A., No. 2:18-CV-05126, 2018 WL 5773302, at *5 (E.D. La. Nov. 2, 2018) (quoting Pub. Affs. Assocs., Inc. v. Rickover, 369 U.S. 111, 112, 82 S.Ct. 580, 582, 7 L.Ed.2d 604 (1962)).
The court in In re Capital One reviewed a similar claim at the motion to dismiss stage and ruled against dismissal. 488 F.Supp.3d at 414-15. In that case, the court explained that “Plaintiffs have adequately alleged the existence of an actionable dispute for purposes of the Declaratory Judgment Act” because “there remains a dispute over the security of Plaintiff's [personal information], which continues to be stored on [defendant's] servers and remain subjected to a heightened risk of access and misuse by hackers.” Id. at 414. While the defendants in that case argued that they “had corrected the very vulnerability in [the] system,” the plaintiffs had “plausibly alleged the continued inadequacy of Defendant's security measures.” Id. at 414-15. Finding that the dispute concerned the defendant's “current security practices and their continued storage of Plaintiffs' [personal information], not a hypothetical set of acts or omissions regarding a speculatively likely data breach scenario,” the court in In re Capital One allowed the claim to proceed. Id. at 415.
Similarly, in this case, Harris has alleged that Marker Group “does not specify in its Notice of Data Breach letter what steps they have taken to prevent this from occurring again,” and that, as a result, he is “at risk of harm due to the exposure of [his personal information] and Defendant's failure to address the security failings that lead to such exposure.” (Dkt. No. 23 at 45). As was the case in In re Capital One, this case involves an ongoing dispute as to “the adequacy of any remedial measures undertaken to ensure a breach does not occur again,” which, according to Harris, has “not been transparently shared with regulators or Plaintiffs[,] who retain a vested interest in ensuring that their information remains protected.” (Id. at 9).
Marker Group points to Khuns v. Scottrade, Inc., another data breach case in which the Eighth Circuit affirmed the dismissal of a “bare bones claim for declaratory relief” as “virtually unintelligible.” 868 F.3d 711, 718 (8th Cir. 2017). In that case, the plaintiff focused on past conduct, not the defendant's “current practices,” in requesting that the court order the defendant to obey the contract at issue. Id. The court concluded that it did not have this authority in the context of a contractual dispute. Id.
Here, Harris properly requests declaratory judgment as to whether Marker Group's security measures are in compliance with its obligations, but improperly requests that the Court effectively issue an injunction by ordering Marker Group to revise its policies. Not only does Harris lack the requisite standing, but such relief would be premature at this stage. See 28 U.S.C. § 2202. Accordingly, Harris's first request as to the propriety of Marker Group's current security measures remains, while his second request for the Court to order Marker Group to change its security measures is dismissed for failing to state a claim upon which relief can be granted.
C. Request to Strike Allegations
Marker Group requests that the Court “limit the Amended Complaint to the Marker Group data security incident and their individual experiences” by striking paragraphs 46-50 and 59-66 of the Amended Complaint, which contain “extraneous material concerning the actions of identity thieves and statistics about cybercrime.” (Dkt. No 25-1 at 29). Harris responds that because “the risk of future identity theft is at the heart of the controversy in this case,” striking under Rule 12(f) is inappropriate and the Court “should leave the sufficiency of the allegations for determination on the merits.” (Dkt. No. 28 at 28). The Court agrees with Harris.
Under Rule 12(f) of the Federal Rules of Civil Procedure, a district court has discretion to “strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.” Fed.R.Civ.P. 12(f). However, a court should only strike material from a pleading that bears “no possible relation to the controversy.” United States v. Coney, 689 F.3d 365, 379 (5th Cir. 2012) (quoting Augustus v. Bd. of Pub. Instruction of Escambia Cty., Fla., 306 F.2d 862, 868 (5th Cir. 1962) (quoting Brown & Williamson Tobacco Corp. v. United States, 201 F.2d 819, 822 (6th Cir. 1953))). “Both because striking a portion of a pleading is a drastic remedy, and because it often is sought by the movant simply as a dilatory tactic, motions under Rule 12(f) are viewed with disfavor and are infrequently granted.” FDIC, 821 F.Supp. at 449 (citing Augustus, 306 F.2d at 868).
For example, in Fortman v. Nissan Motor Co., Ltd., the court denied a motion to strike because “[t]he challenged allegations regarding crashworthiness and industry safety and manufacturing standards cannot be said to have ‘no possible relation' to these claims.” No. 1:21-CV-00660, 2022 WL 2761372, at *3 (W.D. Tex. Mar. 31, 2022) (quoting Coney, 689 F.3d at 379). In the same way, the material included in the Amended Complaint, though extraneous, cannot be said to have no possible relation to the claims at issue. In addition, as in Fortman, Marker Group has failed to show that “the presence of the challenged allegations in the pleading throughout the proceeding will be prejudicial.” Id. (cleaned up). Although Marker Group claims that the material is “designed to improperly inflame the issues and lend weight to the alleged risk of future identity theft,” (Dkt. No. 25-1 at 29), Marker Group “offer[s] nothing but vague and conclusory statements with no showing of how and to what degree [it] will be prejudiced by the inclusion of these allegations.” Fortman, 2022 WL 2761372, at *3. Thus, the Court denies Marker Group's 12(f) request.
IV. CONCLUSION
For the foregoing reasons, the Court GRANTS IN PART and DENIES IN PART Defendant Marker Group's Partial Motion to Dismiss Plaintiffs' Amended Class Action Complaint. (Dkt. No. 25).
All claims brought on behalf of Plaintiffs Logan and Baxter, including Baxter's CMIA claim, are DISMISSED WITHOUT PREJUDICE for lack of subject matter jurisdiction. Harris is the sole remaining Plaintiff.
As to Harris, his negligence claim remains. However, Harris's breach of implied contract, invasion of privacy, unjust enrichment, and breach of confidence claims are DISMISSED WITHOUT PREJUDICE in their entirety for failure to state a claim. Harris's first request for declaratory judgment remains, but the second request is DISMISSED WITHOUT PREJUDICE.
Harris is ORDERED to file a Second Amended Complaint in conformity with this Memorandum Opinion and Order within 14 calendar days of the date of this Order.
It is SO ORDERED.