Summary
declining to conclude that an employer had contractually obligated itself to use "adequate" measures to protect its employees' private information in part because "it is implausible that [a company] would ever agree to allow others to bring private actions against [it] for data breaches committed by unknown third parties"
Summary of this case from Enslin v. Coca-Cola Co.Opinion
CIVIL NO. 1:15-CV-00422
09-22-2015
MEMORANDUM
I. Introduction
In this putative class action lawsuit involving an alleged data breach by unknown third parties, the plaintiffs raise state-law claims against the defendants for negligence or, in the alternative, breach of implied contract. Currently pending is the defendants' motion to dismiss pursuant to Rules 12(b)(1) and (b)(6) of the Federal Rules of Civil Procedure. (Doc. 23). For the following reasons we will deny defendants' motion under Rule 12(b)(1) but grant the motion under Rule 12(b)(6). II. Background
Plaintiffs initiated this lawsuit by filing a class-action complaint on February 26, 2015. (Doc. 1). On June 23, 2015, in response to a motion to dismiss filed by the defendants, (see Doc. 13), plaintiffs filed an amended-class-action complaint (the "amended complaint"). (Doc. 20).
As set forth in the amended complaint, the defendants are subsidiaries of a Limited Partnership, each with registered addresses in Dauphin County, Pennsylvania. Collectively, the defendants provide an array of prescription benefit administration services. (See id. at ¶¶ 12-18). With respect to the plaintiffs, those named in the amended complaint are Pennsylvania residents who are also former employees and customer members of the defendants. (Id. at ¶¶ 7-12). The putative class is to include (1) current and former employees and (2) current and former customer members of the defendants. (Id. at ¶¶ 1, 60).
Collectively, the named plaintiffs and putative class members will be referred to as "plaintiffs."
According to the plaintiffs, before commencing employment with, and / or utilizing the services of, the defendants, they were required to provide private information such as their full names, dates of birth, addresses, and social security numbers. (Id. at ¶¶ 32-33). This private information, along with their W-2 tax forms and other personal financial information, was then to be maintained by the defendants throughout the course of the respective relationship with the plaintiffs. (See id. at ¶ 34). Plaintiffs allege that they expected the defendants to protect their private information from a data breach; otherwise they would not have provided the information to the defendants. (Id. at ¶¶ 35-36).
Within the "past several months," however, a data breach allegedly occurred at the hands of unknown third parties, because the defendants did not adequately encrypt, safely transmit, handle, store, or destroy plaintiffs' private information. (Id. at ¶¶ 37, 40(a)-(c), (e)). In a similar vein, the defendants allegedly failed to protect against a server intrusion or adequately protect private information on their internal network. (Id. at ¶¶ 40(d), (f)). All of this the defendants allegedly failed to do despite a previous data breach that had occurred in 2011, resulting in the filing of fraudulent tax returns in the names of several current employees and customer members of the defendants. (Id. at ¶¶ 19-21).
In addition to the 2011 data breach that had previously occurred, plaintiffs claim that it was common knowledge to business entities such as the defendants that they were at risk for data breaches and that the risk, and resultant financial harm to victims such as the plaintiffs, had been well documented by several sources. (See id. at ¶¶ 22- 30). Further, plaintiffs allege that the Federal Government had issued warnings to businesses advising them to carefully protect their employees' and customer members' private information. (Id. at ¶ 29). As well, the Government had issued publications and guides to assist companies in safeguarding their employees' and customers' private information. (See id. at ¶¶ 28-31).
In light of the defendants' alleged failures to adequately safeguard and protect the plaintiffs' private information, the more recent data breach purportedly resulted in unknown third parties filing fraudulent tax returns in the plaintiffs' names for the 2014 tax year. (Id. at ¶ 42). Plaintiffs, thus, aver that the IRS issued tax refunds to the unknown third parties rather than to the plaintiffs. (Id. at ¶ 43). Also, plaintiffs claim that they have incurred additional financial harm, including, but not limited to, additional filing fees, accounting costs, and identity theft protection. (Id. at ¶ 44). Further, because unknown individuals allegedly have access to their private information, plaintiffs fear that additional financial fraud will occur to them; therefore, they have spent "countless hours" attempting to perform damage control to prevent devastation to their credit and livelihood. (Id. at ¶¶ 45-46).
Plaintiffs also allege that the defendants learned of the more recent data breach on or about February 14, 2015, and then, a week later, sent an email to the presently employed plaintiffs, stating that there "may have been unauthorized access to employee information," which resulted in "some employees [having] problems filing their 2014 tax returns." (Id. at ¶¶ 49-51). The defendants, though, did not send that email notification to any former employees or customer members of the defendants. (Id. at ¶ 53). Subsequently, on or about February 20, 2015, the defendants sent a second email to its presently employed employees, advising: "we have learned that fraudulent federal tax returns have been filed for some of our employees." (Id. at ¶ 54). The second email notification was similarly not sent to former employees or customer members of the defendants, and, to date, said persons have not received any notifications about the data breach. (Id. at ¶¶ 55-56). Finally, it is alleged that none of the employees or customer members of the defendants have received information regarding the scope of the data breach, such as how many fraudulent tax returns have been filed. (Id. at ¶ 57).
Based on these allegations, the plaintiffs raise claims for negligence (Count I) or, in the alternative, breach of implied contract (Count II). Plaintiffs seek damages in excess of $5,000,000, as well as attorney's fees and costs. On July 7, 2015, after the amended complaint was filed, the defendants filed a motion to dismiss that is ripe for the Court's disposition. (Docs. 23, 27, 32 & 33). III. Discussion
In their motion, the defendants first argue under Rule 12(b)(1) that the amended complaint should be dismissed because the Court lacks subject matter jurisdiction in that the plaintiffs do not have standing to sue in order to satisfy the "case-or-controversy" requirement of Article III, § 2 of the United States Constitution. (See Doc. 27). Second, the defendants argue that the allegations in the amended complaint fail to state a claim for negligence or breach of implied contract under Pennsylvania law. (Id.). These arguments will be addressed seriatim, beginning with defendants' standing arguments because "[w]e have 'an obligation to assure ourselves' of litigants' standing . . . ." DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 340 (2006)(quoting Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180 (2000)).
A. Standing
Defendants' standing arguments, challenging the Court's subject-matter jurisdiction, are raised under Rule 12(b)(1): the proper procedural mechanism through which to raise such a challenge. Ballentine v. United States, 486 F.3d 806, 810 (3d Cir. 2007). Once such a challenge is raised, the party invoking a federal court's jurisdiction bears the burden of persuading the court that it has jurisdiction. Gould Elecs., Inc. v. United States, 220 F.3d 169, 178 (3d Cir. 2000). Depending on the type of challenge to the Court's subject-matter jurisdiction, i.e., facial or factual, we "may consider and weigh evidence outside the pleadings" in order to determine whether we possess jurisdiction over the claim. Id.; see also S.R.P. v. United States, 676 F.3d 329, 332 (3d Cir. 2012). Otherwise, we are to view the allegations in a pleading in the light most favorable to the plaintiff. Gould Elecs., Inc., 220 F.3d at 176 (citing Mortensen v. First Federal Sav. And Loan Ass'n, 549 F.2d 884, 891 (3d Cir. 1977)).
Regarding a litigant's standing to sue, Article III governs the issue by limiting a federal court's jurisdiction to actual "cases or controversies." U.S. Const. art. III, § 2. To have standing, and satisfy the "case-or-controversy" requirement, a plaintiff must demonstrate for each claim "(1) an 'injury in fact,' (2) a sufficient 'causal connection between the injury and the conduct complained of,' and (3) a 'likel[ihood]' that the injury 'will be redressed by a favorable decision.'" Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014)(alterations in original)(quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)); DaimlerChrysler, 547 U.S. at 352. In the context of a putative class action, the Article III requirement is satisfied so long as one named plaintiff has standing. Neale v. Volvo Cars of North America, LLC, 794 F.3d 353, 362, 364 (3d Cir. 2015).
According to the defendants, the amended complaint should be dismissed because, on its face, the plaintiffs fail to satisfy the "redressability" prong to show standing. (Doc. 27 at 10). Specifically, the defendants argue that the plaintiffs do not allege that any tax refunds allegedly issued to unknown third parties were unreimbursed, out-of-pocket losses. (Id.). Further, the defendants contend that the allegations suggest that the plaintiffs will receive their refunds (if they have not already), without the Court's assistance, given that the plaintiffs allege the incurrence of additional filing fees. (Id. at 10-11).
The redressability prong concerns whether a favorable judicial decision would alleviate the alleged harm (or injury in fact). See Toll Bros., Inc. v. Township of Readington, 555 F.3d 131, 142 (3d Cir. 2009). It is sufficient for a plaintiff to satisfy this prong by showing a substantial likelihood that the requested relief will remedy the alleged harm. Id. at 143.
In this instance, we read the allegations in the amended complaint as plausibly suggesting a substantial likelihood that the requested relief will remedy the alleged harm to the named plaintiffs, i.e., lost tax refunds. While it is not explicitly alleged in the amended complaint that the lost tax refunds amount to an unreimbursed, out-of-pocket loss, common sense dictates that to be the scenario complained of in this matter. In addition, although the named plaintiffs may alternatively be seeking lost tax refunds through other, non-judicial, means, (see Doc. 1 at ¶ 44), we do not read the allegations to suggest that a refund for them is imminent or guaranteed, much less that any refund has already been processed or delivered to the same group of plaintiffs. Cf. In re Horizon Healthcare Services Inc. Data Breach Litigation, No. 13-7418, 2010 WL 1472483, at *8 (D.N.J. Mar. 31, 2015).
Moreover, contrary to the defendants' apparent suggestion, (see Doc. 27 at 12), we do not read the allegations in the amended complaint as pointing to the lost tax refunds as being the sole injury, or harm, incurred by the plaintiffs. Indeed, it is alleged in the amended complaint that the plaintiffs "have also incurred additional financial harm, including . . . filing fees, accounting costs, and identity theft protection." (Doc. 1 at ¶ 44 (emphasis added); accord id. at ¶ 80). It is further claimed that the plaintiffs will likely endure future financial harm because unknown persons have access to their private information. (Id. at ¶¶ 45-46, 81). Confronted with the allegations that fraudulent tax returns have already been filed in their names, we find that the other alleged injuries, or harms, satisfy the "injury-in-fact" prong to demonstrate standing to sue in the data-breach scenario we encounter here. See Storm v. Paytime, Inc., No. 14-1138, 2015 WL 1119724, at *5 (M.D. Pa. Mar. 13, 2015)(citing Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011)). As a result, even if the named plaintiffs were to recover lost tax refunds while this litigation is ongoing, the Article III standing requirement is still likely to be satisfied.
Finally, regarding the issue of standing, the defendants also raise a factual challenge to the Court's subject-matter jurisdiction, asserting that the putative class of 35,000 customer members went uninjured, unlike the named plaintiffs who were both former employees and customer members. (See Doc. 27 at 12-14). As the Third Circuit in Neale held, however, only named plaintiffs are required to establish Article III standing; accordingly, we are not concerned with the constitutional standing of the unnamed putative class members, namely the current and former customer members of the defendants who may not have also been employees.
The defendants' argument here is more appropriately a Rule 23 challenge. See Neale, 794 F.3d at 368.
To summarize, at least one named plaintiff in the amended complaint has standing. We will therefore deny defendants' motion to dismiss under Rule 12(b)(1).
B. Plaintiffs' State-Law Claims
In the amended complaint, plaintiffs raise state-law claims for negligence or, in the alternative, breach of implied contract. The parties agree that Pennsylvania law governs these state-law claims. See also, Erie R.R. Co. v. Tompkins, 304 U.S. 64, 78 (1938); McKenna v. Pacific Rail Service, 32 F.3d 820, 825 (3d Cir. 1994); Gares v. Willingboro Twp., 90 F.3d 720, 725 (3d Cir. 1996); accord, Farina v. Nokia, Inc., 625 F.3d 97 110 (3d Cir. 2010). The defendants nonetheless argue, under Rule 12(b)(6), that both claims should be dismissed.
A motion filed under Rule 12(b)(6) contests whether a claimant has stated a cognizable claim. In ruling on such a motion, we must accept all of the claimant's factual allegations as true, construe them in the light most favorable to claimant, and determine if, "under any reasonable reading of the pleading, the [claimant] may be entitled to relief." Fowler v. UPMC Shadyside, 578 F.3d 203, 210 (3d Cir. 2009) (quoting Phillips v. County of Allegheny, 515 F.3d 224, 231 (3d Cir. 2008)). Our analysis consists of two parts: first, separating the "legal elements of a claim" from the factual allegations, and second, determining whether the factual allegations "show" a plausible entitlement to relief. Id. at 210-11.
1. Negligence
Generally, in Count I, plaintiffs complain that the alleged data breach by unknown third parties resulted from defendants' negligence in failing to protect and adequately secure the plaintiffs' private information, and the plaintiffs suffered economic damages as a result of the breach as well as the delay in being informed about the same. (See Doc. 20 at ¶¶ 72-81; Doc. 32 at 24). Among other arguments, the defendants contend that this claim, assuming it is a viable one, should be dismissed because of Pennsylvania's economic-loss doctrine. Since we agree with the defendants on that point, we dispense with a discussion of their other arguments regarding plaintiffs' claim of negligence.
In reaching this conclusion, we do not decide whether the negligence claim is a viable one; we merely assume that it is.
Pennsylvania's economic-loss doctrine "provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage." Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 175 (3d Cir. 2008)(quoting Adams v. Copper Beach Townhome Cmtys., L.P., 816 A.2d 301, 305 (Pa. Super. Ct. 2003)); Excavation Techs., Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841-43 (Pa. 2009). The doctrine is concerned primarily with two main factors: foreseeability and limitation of liability. Azur v. Chase Bank, USA, Nat. Ass'n, 601 F.3d 212, 222 (3d Cir. 2010).
Here, plaintiffs do not complain about suffering physical or property damage; instead, they complain about economic damages. As such, the economic-loss doctrine should act as a bar to plaintiffs' negligence claim.
The plaintiffs, however, argue that the doctrine's application to the facts alleged would be "nonsensical" because they (the plaintiffs) make up a well-defined class particularly known to the defendants, the economic damages were foreseeable, and the responsibility for a data breach of the kind alleged was not allocated between them and the defendants. (See Doc. 32 at 25-27). To support their argument against the application of the economic-loss doctrine, plaintiffs reference Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 280 (Pa. 2005).
In Bilt-Rite, a lawsuit involving a claim of negligent-misrepresentation:
[A] general contractor, entered into a construction contract to build a new school for a school district. In formulating its winning bid for the contract, plaintiff claimed that it had relied on the drawings and specifications prepared by an architect who had been hired by the school district for the very purpose of preparing drawings and specifications that were to be used to prepare bids. However, during the subsequent construction, Bilt-Rite discovered that some of the representations in the specifications were inaccurate. Bilt-Rite incurred significant cost overruns in attempting to build the building, and it sued the architect for negligent misrepresentation to recover its losses.Sovereign Bank, 533 F.3d at 177. At the trial level, the court sustained the architect's preliminary objections based on the operation of the economic-loss doctrine, and, on appeal, the Pennsylvania Superior Court affirmed. On further appeal to the Supreme Court of Pennsylvania, though, the appellate court held that the economic-loss doctrine did not bar the contractor's negligent misrepresentation claim.
In reaching its holding, the Supreme Court of Pennsylvania adopted Restatement (Second) of Torts § 552 and crafted an "exception [to the economic-loss doctrine] to allow a commercial plaintiff recourse from an 'expert supplier of information' with whom the plaintiff has no contractual relationship, when the plaintiff has relied on that person's 'special expertise' and 'the supplier negligently misrepresents the information to another in privity." Sovereign Bank, 533 F.3d at 177 (citing Bilt-Rite, 866 A.2d at 286); accord id. at 178. Since Bilt-Rite was decided by the Commonwealth's highest court, the exception carved out has been described as a "narrow" one that did not weaken the economic-loss doctrine. Sovereign Bank, 533 F.3d at 177; see Gongloff Contracting, L.L.C. v. L. Robert Kimball & Associates, Architects and Engineers, Inc., 2015 WL 4112446, at *5 (Pa. July 8, 2015)(describing the exception as "narrow"); Azur, 601 F.3d at 223, 224 (describing the exception as "narrow" and not applying to all cases in which a plaintiff has no contractual remedy); see also, Excavation Techs., 985 A.2d at 841, 843-44.
Restatement (Second) of Torts § 552 provides:
(1) One who, in the course of his business . . . [negligently] supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information . . . .
(2) [This liability] is limited to loss suffered
(a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and
(b) through reliance upon it in a transaction that he intends the information to influence or knows that the recipient so intends or in a substantially similar transaction.
Based on the allegations in the amended complaint, it is readily apparent that the narrow exception carved out by the Bilt-Rite Court does not have specific applicability to this case. As well, in the data-breach context, we are only aware of cases where the Bilt-Rite exception has not been extended to save a plaintiff's negligence claim(s) from the clutches of the economic-loss doctrine. See Sovereign Bank, 533 F.3d at 175-78; Dittman v. UPMC, No. GD-14-003285, 2015 WL 4945713, at *2-*3 (Pa. Com. Pl. May 28, 2015); see also, Grimm v. Discover Financial Services, Nos. 08-747, 08-832, 2008 WL 4821695, at *12-*13 (W.D. Pa. Nov. 4, 2008). Moreover, regardless of whether the class of plaintiffs and the alleged damages in this case were foreseeable, it is important to recall one of the "sound" policy reasons for conditioning tort recovery on injury to person or property: "[A]llowance of a cause of action for negligent interference with economic advantage would create an undue burden upon industrial freedom of action, and would create a disproportion between the large amount of damages that might be recovered and the extent of the defendant's fault. See Restatement (Second) of Torts § 766c, comment a (1979)." Sovereign Bank, 533 F.3d at 176 (quoting Aikens v. Baltimore & Ohio R.R. Co., 501 A.2d 277 (Pa. Super. Ct. 1985)). Indeed, in this era, where the threat of data breaches by unknown third parties is omnipresent, regardless of what preventative measures are taken, the potential disparity between the degree of a defendant's fault and the damages to be recovered could be immensely disproportionate, resulting in drastic implications for defendants named in lawsuits as well as our economic system at large. Comparatively, in a case such as Bilt-Rite, that disparity is unquestionably lessened, making it "nonsensical" to apply the economic-loss doctrine to that line of cases.
Based on the foregoing, we predict that the Supreme Court of Pennsylvania would not carve out a new exception to the economic-loss doctrine, or extend the one carved out in Bilt-Rite, to this case and others like it. Thus, the plaintiffs' negligence claim will be dismissed with prejudice.
2. Breach of Implied Contract
According to the plaintiffs, their claim for breach of implied contract is raised in the alternative to their negligence claim, assuming that we were to dismiss the latter, (Doc. 32 at 27, n. 6), which we have already decided to do. In moving for dismissal of this claim, the defendants claim that the plaintiffs fail to plausibly allege the existence of a contract implied in fact. (Doc. 27 at 22).
Plaintiffs do not appear to dispute that the theory of their breach-of-contract claim is premised upon a contract implied in fact. (See Doc. 32 at 28). --------
"Pennsylvania law provides that '[a] contract, implied in fact, is an actual contract which arises where the parties agree upon the obligations to be incurred, but their intention, instead of being expressed in words, is inferred from their acts in light of the surrounding circumstances.'" Kane v. Cook Bros. Companies, Inc., No. 08-481, 2009 WL 179728, at * (M.D. Pa. Jan. 23, 2009)(quoting In re Home Protection Bldg. & Loan Ass'n, 17 A.2d 755, 756 (Pa. Super. Ct. 1941)). Accordingly, the existence and nature of any implied-in-fact contract must be ascertained from all the facts and circumstances. See Liss & Marion, P.C. v. Recordex Acquisition Corp., 983 A.2d 652, 659 (Pa. 2009) (citing Ingrassia Construction Company v. Walsh, 486 A.2d 478, 483 (Pa. Super. Ct. 1984), for the proposition that an implied-in-fact contract may arise where "the ordinary course of dealing and the common understanding of men, show a mutual intention to contract" (citation omitted)); Ingrassia, 486 A.2d at 483 (stating that the existence and nature of an implied-in-fact contract is determined by the parties' "outward and objective manifestations of assent, as opposed to their undisclosed and subjective intentions").
In the amended complaint, it is alleged that the plaintiffs were required to provide private information to the defendants in order to commence employment with them and / or utilize their (the defendants') services. (Doc. 1 at ¶¶ 32-33). Further, plaintiffs claim that they reasonably expected the defendants to protect their private information from being compromised and / or misappropriated; otherwise they would not have provided said information to the defendants. (Id. at ¶¶ 35-36). On these factual allegations, plaintiffs contend that an implied-in-fact contract plausibly existed, requiring defendants to protect private information turned over by its employees and / or customer members from being compromised and / or misappropriated. (See id. at ¶¶ 83-86; Doc. 32 at 29).
While the defendants might have had an implied contractual duty not to directly, or affirmatively, turn over the plaintiffs' confidential information to third parties, see generally, McGuire v. Shubert, 722 A.2d 1087, 1091 (Pa. Super. Ct. 1998), that is not this case. Moreover, this is not a case where plaintiffs allege that the defendants took no measures to protect their private information; instead, the plaintiffs primarily complain that the defendants did not take "adequate" measures. Further, it is undeniable that entities such as the defendants might anticipate that they are likely to experience data breaches, regardless of what preventative measures have been taken; therefore, it is implausible that they would ever agree to allow others to bring private actions against them for data breaches committed by unknown third parties. See also, Dittman, 2015 WL 4945713, at *6. Plaintiffs' claim for breach of implied contract will consequently be dismissed with prejudice. IV. Conclusion
Since we find that at least one named plaintiff has Article III standing, we will deny defendants' motion to dismiss under Rule 12(b)(1). We will nevertheless dismiss plaintiffs' state-law claims with prejudice for failing to state a claim and grant the defendants' motion to dismiss under Rule 12(b)(6). An appropriate Order will follow.
/s/ William W. Caldwell
William W. Caldwell
United States District Judge