Opinion
Civil Action 23-10817-NMG
03-15-2024
MEMORANDUM & ORDER
NATHANIEL M. GORTON UNITED STATES DISTRICT JUDGE
This putative class action arises from a data breach that purportedly exposed the personal identifiable information ("PII") and protected health information ("PHI") of representative plaintiff Jewell Weekes ("Weekes" or "plaintiff") to criminal cyberhackers. The complaint alleges that defendant law firm Cohen Cleary P.C. ("Cohen Cleary" or "defendant") failed to safeguard plaintiff's data properly.
Pending before the Court is defendant's motion to dismiss (Docket No. 6). For the reasons that follow, the motion will be allowed, in part, and denied, in part.
I. Background
Plaintiff alleges that she and the other putative class members provided their PHI and PII to defendant law firm in order to establish attorney-client relationships. On an unspecified date, a cyberattack targeting defendant's network servers was purportedly launched by hackers. The attack enabled hackers to gain access to the PII and PHI of plaintiff and approximately 12,000 other individuals.
Defendant allegedly discovered the breach as early as September, 2022 but did not inform plaintiff and other similarly situated individuals until November, 2022. The complaint asserts that defendant's data security practices were inadequate and enabled the breach to succeed. The plaintiff is not yet aware of the motivation for the attack, the particular data stolen, the malware used or the current impact on the security of the subject PII and PHI. As a result, plaintiff claims that she and others have had to take preventative measures to protect their PII and PHI and to prevent future harms.
II. Motion to Dismiss
A. Legal Standard
To survive a motion to dismiss under Fed.R.Civ.P. 12(b)(6), the subject pleading must contain sufficient factual matter to state a claim for relief that is actionable as a matter of law and "plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible if, after accepting as true all non-conclusory factual allegations, the court can draw the reasonable inference that the defendant is liable for the misconduct alleged. Ocasio-Hernandez v. Fortuno-Burset, 640 F.3d 1, 12 (1st Cir. 2011).
When rendering that determination, a court may consider certain categories of documents extrinsic to the complaint "without converting a motion to dismiss into a motion for summary judgment." Freeman v. Town of Hudson, 714 F.3d 29, 36 (1st Cir. 2013) (citing Watterson v. Page, 987 F.2d 1, 3 (1st Cir. 1993)). For instance, a court may consider documents of undisputed authenticity, official public records, documents central to a plaintiff's claim and documents that were sufficiently referred to in the complaint. Watterson, 987 F.2d at 3.
A court may not disregard properly pled factual allegations in the complaint even if actual proof of those facts is improbable. Ocasio-Hernandez, 640 F.3d at 12. Rather, the court's inquiry must focus on the reasonableness of the inference of liability that the plaintiff is asking the court to draw. Id. at 13.
B. Analysis
1. Standing
The judicial power of Article III extends only to actual cases and controversies. U.S. Const. art. III, § 2, cl. 1. The existence of standing goes to this Court's subject matter jurisdiction. See United Seniors Ass'n, Inc. v. Philip Morris USA, 500 F.3d 19, 23 (1st Cir. 2007).
Defendant filed its motion to dismiss based only on Rule 12(b)(6) and insists it has not asserted any jurisdictional defenses. In any event, this Court is obliged to assess its own subject matter jurisdiction, including the existence of Article III standing. United Seniors Ass'n, 500 F.3d at 23; see also Doyle v. Huntress, Inc., 419 F.3d 3, 6 (1st Cir. 2005) ("we have an obligation to inquire sua sponte into our jurisdiction over the matter").
Plaintiff contends that case law on standing in the data breach context is in flux and that the standards for establishing actual injury are intertwined with the merits. She contends that the Court should wait until the summary judgment stage to assess standing but the Court disagrees.
Standing may be intertwined with a consideration of the merits and therefore warrant a delay in resolution, see Torres-Negron v. J&N Records, LLC, 504 F.3d 151, 162 (1st Cir. 2007), but defendant has not expressly challenged plaintiff's standing. This Court will, however, presume plaintiff's factual allegations are true and determine whether they are sufficient to establish a cognizable injury in fact. See Toddle Inn Franchising, LLC v. KPJ Associates, LLC, 8 F.4th 56, 61 n.5 (1st Cir. 2021).
A cognizable injury in fact involves the invasion of a legally protected interest. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). Such an injury must be "concrete and particularized," that is, plaintiff must allege some harm that she personally suffered. Id. In addition, an alleged injury must be "actual or imminent, not conjectural or hypothetical." Id. Alleged future harm must be certainly impending or substantially likely to occur; "it is not enough that the harm might occur at some future time." Katz v. Pershing, LLC, 672 F.3d 64, 71 (1st Cir. 2012).
Standing must also be established for each form of relief sought. See Davis v. Fed. Election Comm'n, 554 U.S. 724, 734 (2008). Here, plaintiff seeks both injunctive and monetary relief.
a. Injunctive Relief
Plaintiff seeks several forms of injunctive relief concerning defendant's alleged breach of privacy and disclosure practices. She asserts that injunctive relief is necessary to prevent defendant from "continu[ing] in its failure to properly secure the PHI/PII of Class Members." Thus, plaintiff demands injunctive relief to stave off bad actors from accessing and detrimentally using her PHI and PII as a result of defendant's allegedly substandard security practices.
Plaintiff also asks this Court to order defendant to "cease and desist from unlawful activities" which the Court takes to mean any data privacy and/or breach disclosure practices that may fall afoul of the law.
Understood as an injunction to prevent future harm, plaintiff fails to allege an imminent injury sufficient to confer standing for the injunctive remedies sought. In Webb, the First Circuit Court of Appeals ("First Circuit") considered a similar request for injunctive relief following a data breach that exposed plaintiff's PII to hackers. Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023). The Court found that because bad actors had already accessed plaintiff's PII, an injunction would not safeguard plaintiff's PII from future misuse. Id. at 378.
Turning to the risk of future breaches, the Webb Court held that it would be speculative to infer that a new hacker would once again gain access to plaintiff's data. Id. While the Webb Court noted changes made by defendant in its cybersecurity practices, the Court did not conduct a substantive assessment of those changes. Id. Rather, it concluded that defendant "faces much the same risk of future cyberhacking as virtually every holder of private data." Id.
Here too, there are no pleadings from which this Court can infer that the law firm will be successfully targeted by cyberhackers. Thus, the pleadings are insufficient to establish that plaintiff faces a certainly impending or substantial risk that her PII will once again be exposed to hackers. See City of Los Angeles v. Lyons, 461 U.S. 95, 109 (1983) (explaining that plaintiff's lack of standing rests on the "speculative nature of his claim that he will again experience injury as the result of [defendant's] practice even if [it] continued."). An injunction here would not redress the harm caused by the current or a future breach. See Webb, 72 F.4th at 378.
b. Monetary Relief
Whether plaintiff has established standing to be eligible to recover monetary relief is a closer call.
In Katz, the First Circuit found that plaintiff, an individual whose PII was subject to a data breach, lacked standing to sue for damages where plaintiff did not allege that her PII had yet been accessed by any unauthorized individual. Katz v. Pershing, LLC, 672 F.3d 64, 79 (1st Cir. 2012).
Conversely, in Webb, the First Circuit held that a plaintiff had standing to sue for damages where her PII had not yet been misused. Webb, 72 F.4th at 374-75. The critical distinction was that in Webb a co-plaintiff's PII, which was stolen in the same breach, had been used to file a fraudulent tax return. Id. at 375-76. The misuse of the co-plaintiff's data "makes it likely that other portions of the stolen data will be similarly misused." Id. at 376. In addition, the Court gave weight to the "high-risk" nature of the PII stolen, which included Social Security numbers. Id.
Here, the allegations concerning the existence of actual misuse of plaintiff's PII or that of other victims of the data breach are tenuous. The complaint alleges that the breach has caused, inter alia,
(i) actual identity theft; (ii) the loss of the opportunity of how their PHI/PII is used; (iii) the compromise, publication, and/or theft of their PHI/PII; (iv) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PHI/PII; (v) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to mitigate the actual and future consequences of the Data Breach...
While plaintiff provides little detail as to the nature of the "actual identity theft" alleged, at the motion to dismiss stage the Court will accept the facts as pled. Webb makes pellucid that both 1) actual identity theft of plaintiff's PII and 2) risk of future identity theft, after actual identity theft of another individual affected by the same breach has occurred, combined with other indicia of risk, are independent bases to establish an Article III injury. Drawing inferences in favor of plaintiff, both eventualities remain plausible.
Accordingly, the Court concludes that the complaint sets forth a sufficient basis for standing with respect to plaintiff's claims for monetary relief.
2. Negligence
To state a claim for negligence in Massachusetts, plaintiff must demonstrate that
defendant owed the plaintiff a duty of reasonable care, that the defendant breached this duty, that damage resulted, and that there was a causal relation between the breach of the duty and the damage. Correa v. Schoeck, 98 N.E.3d 191, 198 (Mass. 2018).
Defendant asserts that the negligence claim should be dismissed for failure to allege breach and damages plausibly.
As discussed supra, at the motion to dismiss stage, the Court finds that plaintiff has pled a plausible injury sufficient to satisfy Article III. The same logic supports plaintiff's claim for damages. The complaint alleges either actual misuse of plaintiff's PII or that another victim of the breach has had his or her PII misused, along with other indicia of imminent harm. If proven true, damages caused by the actual misuse or efforts expended to prevent imminent misuse of plaintiff's PII satisfy the damages requirement for negligence. See Portier v. NEO Technology Solutions, 2019 WL 7946103, at *16 (D. Mass. Dec. 31, 2019) (citations omitted).
Defendant contends, however, that plaintiff's negligence claim should be dismissed because plaintiff fails to identify specifically how defendant's protocol and practice were insufficient to fend off the cyberattack and notify plaintiff of the breach. The Court disagrees. While plaintiff's theory of breach is quite vague, allegations that defendant failed to encrypt plaintiff's data effectively, store plaintiff's data, or learn of the breach and waited for more than one month to notify plaintiff of the data breach, are sufficient to satisfy the plausibility standard.
Finally, the Court notes that defendant did not substantially address the existence of a duty in its memorandum in support of its motion to dismiss. See Docket No. 7, at 4 ("[t]o state a negligence claim, a plaintiff must plead duty, breach, causation, and damages. In this case, Plaintiff fails to allege: (1) a breach by Cohen Cleary; and (2) cognizable damages.") (internal citation omitted). Accordingly, the Court will not elaborate on the question of duty but will note that other sessions of this Court have found a duty to protect PII from foreseeable cyberattacks in the data breach context. See Portier v. NEO Tech. Solutions, 2019 WL 7946103, at *12-13 (D. Mass. Dec. 31, 2019); Webb v. Injured Workers Pharmacy, LLC, 2023 WL 5938606, at *2 (D. Mass. Sep. 12, 2023) ("Webb II").
3. Breach of Confidence
Defendant asserts that plaintiff cannot plausibly set forth a claim for breach of confidence. That is because she does not allege that defendant intentionally disclosed confidential information to third parties but rather, bad actors breached defendant's data security systems leading to the exposure of her PII. The Court agrees. Where defendant did not "improperly disclose[] information that it knew was confidential," a breach of confidence claim is not viable. See Shaoguang Li v. Off. of Transcription Servs., 2016 WL 6609796, at *1 (Mass. App. Ct. Nov. 8, 2016). Count II will be dismissed.
4. Implied Contract
In Massachusetts, a valid contract requires offer, acceptance and consideration. See Josef Gartner USA LP v. Consigli Const. Co., Inc., 2011 WL 2417137, at *4 (D. Mass. Jun. 10, 2011).
An implied contract requires the same elements as a contract except that the manifestation of mutual assent may be found to exist from the conduct and relationship of the parties. Durbeck v. Suffolk Univ., 547 F.Supp.3d 133, 145 (D. Mass. 2021) (citing Squeri v. Mount Ida Coll., 954 F.3d 56, 71 (1st Cir. 2020)). Plaintiff must state with "substantial certainty" the facts that demonstrate the existence of a contract and its legal effect. Id. (quoting Squeri, 954 F.3d at 71).
Defendant contends that the Complaint does not sufficiently allege either mutual assent or the existence of consideration to state a plausible claim for breach of implied contract. The Court agrees that mutual assent cannot be sufficiently inferred from the parties' conduct and relationship.
Plaintiff alleges that defendant law firm required her to disclose PII and PHI as a condition of its representation. She makes no allegation, however, that either party ever discussed the manner of safeguarding the PII and PHI or that plaintiff had a particular concern about disclosing that information. The Complaint does not explain how an implied contractual relationship formed from the particular conduct of the parties. Indeed, the vast majority of commercial transactions today require the disclosure of PII. Plaintiff's allegations supporting an implied contract claim are conclusory as to the necessary element of mutual assent and thus, are insufficient to support an implied contract claim. See Webb II, 2023 WL 5938606, at *3 (D. Mass. Sep. 12, 2023) (rejecting a breach of implied contract claim in data breach context).
5. Implied Covenant of Good Faith and Fair Dealing
In Massachusetts, a covenant of good faith and fair dealing is implicit in every contract. See Hopkinton Friendly Serv., Inc. v. Global Cos. LLC, 490 F.Supp.3d 421, 427 (D. Mass. 2020). As defendant asserts, however, the covenant does not give rise to an independent cause of action. See Mill-Bern Assocs., Inc. v. Dallas Semiconductor Corp., 2002 WL 1340853, at *9 (Mass. Super. Ct. June 13, 2002), aff'd, 799 N.E.2d 606 (Mass. App. Ct. 2003). Because the Court finds that there is no implied contract between the parties concerning the protection of plaintiff's PII and PHI, the claim for breach of the implied covenant of good faith and fair dealing will be dismissed.
ORDER
For the reasons set forth above, defendant's motion to dismiss (Docket No. 6) is, with respect to injunctive remedies, and Counts II, III and IV, ALLOWED, but is otherwise DENIED.
So ordered.