From Casetext: Smarter Legal Research

Bowen v. Paxton Media Grp.

United States District Court, Western District of Kentucky
Sep 8, 2022
Civil Action 5:21-CV-00143-GNS (W.D. Ky. Sep. 8, 2022)

Opinion

Civil Action 5:21-CV-00143-GNS

09-08-2022

WILLIAM BOWEN, et al. PLAINTIFFS v. PAXTON MEDIA GROUP, LLC DEFENDANT


MEMORANDUM OPINION AND ORDER

Greg N. Stivers, Chief Judge, United States District Court

This matter is before the Court on Defendant's Motions to Dismiss (DN 24, 28), Plaintiffs' Motion for a Hearing (DN 33), and Defendant's Motion for Leave to File a Response (DN 38). This matter is ripe for adjudication.

I. STATEMENT OF FACTS AND CLAIMS

This is a class action arising from a third-party criminal data breach of employees' personal information at Defendant Paxton Media Group, LLC (“Paxton”). (Am. Compl. ¶ 1, DN 27). Named Plaintiffs Amy Brasher (“Brasher”), Jesse Rogers (“Rogers”), John Champion (“Champion”), Jesse Gilstrap (“Gilstrap”) and Mary Bleier-Troup (“Bleier-Troup”) (collectively “Plaintiffs”) were employees at Paxton at the time of the breach and allege to have had personal information such as their Social Security numbers, driver licenses numbers, finance accounts, health insurance information, taxpayer identification numbers, and credit card numbers stolen in the breach. (Am. Compl. ¶¶ 4, 5, 13-18). Plaintiffs bring this action on behalf of those employees who had personal information stolen as part of the breach (collectively the “Class”), asserting claims against Paxton for: (1) negligence; (2) breach of implied contract; (3) invasion of privacy; (4) breach of confidence; (5) unjust enrichment; (6) declaratory and injunctive relief; (7) violation of the Virginia Consumer Protection Act; (8) violation of the Kentucky Consumer Protection Act; and (9) violation of the California Unfair Competition Law. (Am. Compl. ¶¶ 19, 177-285). Paxton has moved to dismiss for lack of Article III Standing and failure to state a claim upon which relief can be granted. (Def.'s Mot. Dismiss 2, 9, DN 28-1). Plaintiffs filed a response and have requested a hearing on Paxton's motion. (Pls.' Resp. Def.'s Mot. Dismiss, DN 31; Pls.' Mot. Hr'g, DN 33). This matter is ripe for decision.

II. JURISDICTION

Diversity jurisdiction exists for this class action suit pursuant to 28 U.S.C. § 1332(d)(2).

III. STANDARD OF REVIEW

Under Fed.R.Civ.P. 12(b)(1), a party may move for dismissal due to a lack of subject matter jurisdiction. Fed.R.Civ.P. 12(b)(1). “Subject matter jurisdiction is always a threshold determination” and “may be raised at any stage in the proceedings ....” Am. Telecom Co., L.L.C. v. Republic of Lebanon, 501 F.3d 534, 537 (6th Cir. 2007) (citation omitted); Schultz v. Gen. R.V. Ctr., 512 F.3d 754, 756 (6th Cir. 2008) (citation omitted). “A Rule 12(b)(1) motion can either attack the claim of jurisdiction on its face, in which case all allegations of the plaintiff must be considered as true, or it can attack the factual basis for jurisdiction, in which case the trial court must weigh the evidence and the plaintiff bears the burden of proving that jurisdiction exists.” DLX, Inc. v. Kentucky, 381 F.3d 511, 516 (6th Cir. 2004) (citations omitted). “A facial attack on the subject-matter jurisdiction alleged in the complaint questions merely the sufficiency of the pleading.” Gentek Bldg. Prods., Inc. v. Sherwin-Williams Co., 491 F.3d 320, 330 (6th Cir. 2007) (citation omitted). “If the court determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the action.” Fed.R.Civ.P. 12(h)(3).

Upon a motion to dismiss for failure to state a claim pursuant to Fed.R.Civ.P. 12(b)(6), a court “must construe the complaint in the light most favorable to plaintiff, accept all well-pled factual allegations as true” and determine whether the “complaint[ ] states a plausible claim for relief ....” League of United Latin Am. Citizens v. Bredesen, 500 F.3d 523, 527 (6th Cir. 2007) (citation omitted); Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009). Under this standard, the plaintiff must provide the grounds for his or her entitlement to relief which “requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action ....” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (citation omitted). A plaintiff satisfies this standard only when he or she “pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. A complaint falls short if it pleads facts “merely consistent with a defendant's liability” or if the alleged facts do not “permit the court to infer more than the mere possibility of misconduct ....” Id. at 678, 679 (internal quotation marks omitted) (quoting Twombly, 550 U.S. at 557). Instead, the allegations must show “that the pleader is entitled to relief.” Id. at 679 (internal quotation marks omitted) (quoting Fed.R.Civ.P. 8(a)(2)).

IV. DISCUSSION

A. Motion to Dismiss

After Paxton moved to dismiss the initial Complaint, Plaintiffs filed the Amended Complaint. (Def's Mot. Dismiss, DN 24; Am. Compl., DN 27). Because the Amended Complaint subsumes the allegations in the prior complaints, the Court will deny this motion as moot. See Herran Props., LLC v. Lyon Cnty. Fiscal Ct., No. 5:17-CV-00107-GNS, 2017 WL 6377984, at *2 (W.D. Ky. Dec. 13, 2017) (citing Cedar View, Ltd. v. Colpetzer, No. 5:05-CV-00782, 2006 WL 456482, at *5 (N.D. Ohio Feb. 24, 2006)); Ky. Press Ass'n, Inc. v. Kentucky, 355 F.Supp.2d 853, 857 (E.D. Ky. 2005) (citing Parry v. Mohawk Motors of Mich., Inc., 236 F.3d 299, 306 (6th Cir. 2000)).

1. Fed. R. Civ. P. 12(b)(1)

First, Paxton contends that the Amended Complaint should be dismissed pursuant to Fed.R.Civ.P. 12(b)(1). It contends that Bowen, Rogers, and Bleier-Troup lack standing to assert their claims. (Def.'s Mem. Supp. Mot. Dismiss 2-9, DN 28-1).

“Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases' and ‘Controversies,' and [t]he doctrine of standing gives meaning to these constitutional limits by identify[ing] those disputes which are appropriately resolved through the judicial process.” Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 387 (6th Cir. 2016) (alteration in original) (internal quotation marks omitted) (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 157 (2014)). The Supreme Court has held that the “irreducible constitutional minimum” of standing requires three elements: (1) the plaintiff must have suffered an injury in fact; (2) there must be a causal connection between the injury and the conduct complained of; and (3) it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Id. (citing Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)); Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (internal quotation marks omitted) (citations omitted).

Plaintiffs, as the party invoking federal jurisdiction, bear the burden of establishing these elements. Lujan, 504 U.S. at 561. “Where, as here, a case is at the pleading stage, the plaintiff must ‘clearly . . . allege facts demonstrating' each element” of standing. Galaria, 663 Fed.Appx. at 388 (quoting Spokeo, 578 U.S. at 338). “Plaintiffs are not absolved of their individual obligation to satisfy the injury element of Article III just because they allege class claims.” Desai v. Geico Cas. Co., 574 F.Supp.3d 507, at *6 (N.D. Ohio 2021) (citing Soehnlen v. Fleet Owners Ins. Fund, 844 F.3d 576, 582 (6th Cir. 2016)). A class representative must demonstrate “individual standing vis-a-vis the defendant; he cannot acquire such standing merely by virtue of bringing a class action.” Id. (citing Fallick v. Nationwide Mut. Ins. Co., 162 F.3d 410, 423 (6th Cir. 1998)). Likewise, “[a] plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought.” Id. (quoting Kanuszewski v. Mich. Dep't of Health & Hum. Servs., 927 F.3d 396, 406 (6th Cir. 2019)). It is the first element, injury in fact, that is contested in this case. Paxton contends that Bowen, Rogers, and Bleier-Troup have failed to establish standing because they have not alleged any “already-materialized harm” to establish injury in fact. (Def.'s Mot. Dismiss 4). Plaintiffs respond that the substantial and present risk of future harm resulting from a data breach sufficiently confer standing. (Pls.' Resp. Def.'s Mot. Dismiss 15).

To establish an injury in fact, a plaintiff must show an invasion of a legally protected interest that is both “(a) concrete and particularized . . . and (b) actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560 (internal quotation marks omitted) (internal citations omitted) (citation omitted). “Article III standing requires a concrete injury even in the context of a statutory violation.” TransUnion, 141 S.Ct. at 2205 (citation omitted). The Supreme Court has rejected the contention that “a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Id. (quoting Spokeo, 578 U.S. at 341). In other words:

Congress's creation of a statutory prohibition or obligation and a cause of action does not relieve courts of their responsibility to independently decide whether a plaintiff has suffered a concrete harm under Article III any more than, for example, Congress's enactment of a law regulating speech relieves courts of their responsibility to independently decide whether the law violates the First Amendment.
Id. Thus, while Congress' views on what constitutes an injury in fact may be “instructive” the Court “cannot treat an injury as ‘concrete' for Article III purposes based only on Congress's say-so.” Id. (internal quotation marks omitted) (citations omitted). The law recognizes, however, various intangible harms are considered concrete for the purposes of establishing standing, including reputational harm, disclosure of private information, and intrusion upon seclusion. Id. at 2204.

The Sixth Circuit has held that the substantial risk of harm caused by a third-party data breach coupled with reasonably incurred mitigation costs is sufficient to establish a cognizable Article III injury at the pleading stage of litigation. Galaria, 663 Fed.Appx. at 388. Paxton contends that this decision has been superseded by the recent Supreme Court ruling regarding Article III standing in TransUnion LLC v. Ramirez, 141 S.Ct. 2190 (2021). In TransUnion, the plaintiffs sued regarding flags TransUnion generated on plaintiffs' credit reports indicating that the plaintiffs had the same names as individuals on a terrorist watchlist. Id. at 2201. The Court discussed two groups of plaintiffs: (1) plaintiffs whose flagged reports were distributed to third parties; and (2) plaintiffs whose credit reports contained misleading flags, but were never disseminated. Id. at 2208-09. The Court held that the first group demonstrated an injury in fact regardless of whether they suffered an economic injury because through the publication they suffered reputational harm from being labeled as a “potential terrorist.” Id. at 2209. The second group, who did not have their credit reports published, was found not to have suffered an injury in fact. Id. at 2212. The Court explained that without publication: (1) the plaintiffs did not suffer the reputational harm that the published plaintiffs did; and (2) that the risk of dissemination was too speculative to support Article III standing. Id. at 2212.

The Supreme Court rejected the argument that under Spokeo “the mere risk of future harm, without more, suffices to demonstrate Article III standing in a suit for damages.” Id. at 2211 (discussing Spokeo, 578 U.S. 330). Instead, the Court reiterated that in Spokeo the plaintiffs not only experienced the risk of future harm, but suffered the additional damages of slander and libel per se. Id. at 2211. Thus, in TransUnion, the Court found that the nonpublished plaintiffs lacked a concrete Article III injury where they failed to “present evidence that the class members were independently harmed by their exposure to the risk itself-that is, that they suffered some other injury (such as an emotional injury) from the mere risk that their credit reports would be provided to third-party businesses.” Id. at 2211. Additionally, the Court held that the “plaintiffs did not demonstrate a sufficient likelihood that their individual credit information would be requested by third-party businesses and provided by TransUnion during the relevant time period.” Id. at 2212. The Court explained that “[b]ecause no evidence in the record establishes a serious likelihood of disclosure, we cannot simply presume a material risk of concrete harm” where one has not been proven. Id. at 2212 (quoting Ramirez v. TransUnion LLC, 951 F.3d 1008, 1040 (9th Cir.) (McKeown, J., concurring in part and dissenting in part)).

TransUnion did not foreclose the possibility of a risk of future harm giving rise to Article III standing, instead creating a two-part test to determine when the risk of harm gives rise to Article III standing when: (1) there is material risk of concrete harm; and (2) plaintiffs can demonstrate “some other injury” they suffered stemming from this risk. Id. at 2211; see also In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., No. 21-MD-02994-RAR, 2022 WL 1468057, at *5-8 (S.D. Fla. May 10, 2022). Applying this test to the claims at issue, Bowen, Rogers, and Bleier-Troup have standing to sue for damages.

This discussion is limited to Plaintiffs' claims for money damages. Plaintiffs' claims for injunctive relief are discussed below. See Desai, 2021 WL 5762999, at *6 (“A plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought.” (quoting Kanuszewski, 927 F.3d at 406)).

First, Bowen, Rogers, and Bleier-Troup have demonstrated “a sufficient risk of future harm to support Article III standing.” TransUnion, 141 S.Ct. at 2212. Courts have looked at whether individuals' data has been misused in a data breach as an indication there is a “substantial risk” of future harm for plaintiffs who remain unaffected. In re Mednax Servs., Inc., 2022 WL 1468057, at *7. Plaintiffs allege that:

Paxton's attackers gained access to, and possession of, Plaintiffs' and Class members' [personally identify information, “PII”]. While many data breach events merely involve the attacker gaining access to the computer or network without meaningful access to the victims' information, in this particular attack on Paxton's systems, hackers gained access to and copied Plaintiffs' and Class members' highly sensitive PII, including Social Security numbers and bank account and other financial information.
(Am. Compl. ¶ 37). Along with alleging that the information of Bowen, Rogers, and Bleirer-Troup is in the hand of criminals, Plaintiffs have pointed to several instances of the stolen data leading to actual misuse and injuries to other Plaintiffs. (Am. Compl. ¶¶ 37, 57, 75, 84). For instance, Brasher had a fraudulent loan taken out and an unauthorized checking account opened in her name. (Am. Compl. ¶ 57). Champion's identity was fraudulently used to receive Pandemic Unemployment Assistance in Ohio, and Gilstrap had a fraudulent bank account opened in his name. (Am. Compl. ¶¶ 75, 84). These allegations that confidential financial information pertaining to Bowen, Rogers, and Bleirer-Troup is in the hands of criminals and that multiple individuals whose information was stolen in the data breach have had their information misused sufficiently alleges a material risk of concrete harm. TransUnion, 141 S.Ct. at 2212.

As noted above, the Sixth Circuit held in Galaria v. Nationwide Mutual Insurance Co. that a substantial risk of harm is present when an individual's confidential financial information is stolen by a third party, stating “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints.” Galaria, 663 Fed.Appx. at 388. The court explained that “there is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.” Id. Bowen, Rogers, and Bleirer-Troup have pled that hackers stole their personal information and that other Class members' information has actually been used to cause injury. (Am. Compl. ¶¶ 37, 57, 75, 84). Therefore, these three Plaintiffs have sufficiently pled a substantial risk of future harm.

Second, Bowen's, Rogers', and Bleier-Troup's alleged mitigation damages demonstrate a real injury stemming from the risk of future harm. TransUnion, 141 S.Ct. at 2212. After establishing that the risk of future harm is “substantial and imminent” the mitigation costs allegedly incurred “are sufficiently concrete to establish standing in a claim for damages.” In re Mednax Servs., Inc., 2022 WL 1468057, at *8. Similarly, in TransUnion the Court cited emotional damages as a potential injury that would confer standing when the primary threat to the plaintiffs is future injury. TransUnion, 141 S.Ct. at 2212. In In re Mednax Services, a case factually similar to the one at hand, the court found the plaintiffs' allegations of “suffering of emotional distress related to possible identity theft and the cost of the increased time Plaintiffs have spent and must continue to spend reviewing their financial information” to be a sufficient injury to confer standing in conjunction with the threat of future injury. In re Mednax Servs., Inc., 2022 WL 1468057, at *7.

Bowen, Rogers, and Bleier-Troup each allege sufficient real injuries related to the risk of future harm caused by the data breach to confer standing. Bowen alleges that he spent more than thirty hours dealing with the consequences of the data breach and that he purchased identity protection for $330 per year. (Am. Compl. ¶ 47). Rogers alleges he spent more than twenty-five hours dealing the consequences of the data breach and purchased identity theft protection for $9.99 a month. (Am. Compl. ¶¶ 65-66). Bleier-Troup claims to have spent more than five hours dealing with the consequences of the data breach and incurred monthly expenses for credit monitoring services. (Am. Compl. ¶ 92). Likewise, all three Plaintiffs allege that they suffered emotional distress related to their fear of identity theft. (Am. Compl. ¶¶ 50, 68, 94). Through these allegations, Plaintiffs have adequately pled that they suffered real injuries stemming from the future risk of harm. TransUnion, 141 S.Ct. at 2212.

Paxton posits that Plaintiffs' allegations of emotional distress are deficient absent an allegation its conduct was “intentional or reckless” and “outrageous and intolerable.” (Def.'s Resp. Pls.' Notice Suppl. Authority 4, DN 38-1). However, In re Mednax Services makes no reference to those elements in its discussion of emotional distress sufficient to confer stranding. In re Mednax Servs., Inc., 2022 WL 1468057, at *7.

Paxton maintains that Plaintiffs only allege mitigation damages which cannot be used to confer standing. (Def.'s Mot. Dismiss 7). Paxton contends that even though the Sixth Circuit explicitly held in Galaria that mitigation efforts to prevent identity theft are sufficient to establish standing, this holding is superseded by the Supreme Court's decision in TransUnion. (Def.'s Mot. Dismiss 7). This argument fails for two reasons. First, Galaria is consistent with TransUnion, which held there was no standing where the plaintiffs failed to allege a material risk of concrete harm and a concrete injury related to that risk. TransUnion, 141 S.Ct. at 2211-12. In Galaria, the court found that standing was present because the plaintiffs had adequately alleged a material risk of concrete harm and “reasonably incurred mitigation costs.” Galaria, 663 Fed.Appx. at 388. The “reasonably incurred” requirement prevents a plaintiff from manufacturing standing by incurring damages solely for that purpose. Id. Second, even if Plaintiffs' time and mitigation costs were not enough to confer standing under TransUnion, Plaintiffs still allege that they suffered emotional damages related to the breach, which TransUnion specifically recognized as a potential concrete injury conferring Article III standing. TransUnion, 141 S.Ct. at 2212.

Plaintiffs have pled both that the data breach caused a material risk of concrete harm and that this risk of future harm has materialized in the form of “some other injury.” TransUnion, 141 S.Ct. at 2211. In this case, that injury allegedly took the form of lost time, mitigation damages, and emotional damages. (Am. Compl. ¶¶ 47, 50, 65-66, 68, 92, 94). As a result, Bowen, Rogers, and Bleier-Troup have sufficiently pled Article III standing to sue Paxton for money damages related to the data breach. Paxton's motion will be denied on this basis.

2. Fed. R. Civ. P. 12(b)(6)

Paxton also moved to dismiss the claims asserted by Bowen, Rogers, and Bleier-Troup pursuant to Fed.R.Civ.P. 12(b)(6). (Def.'s Mem. Supp. Mot. Dismiss 9-22). It challenges the state law claims for negligence, breach of implied contract, invasion of privacy, breach of confidence, unjust enrichment, declaratory and injunctive relief, the Virginia Consumer Protection Act, the Kentucky Consumer Protection Act, and the California Unfair Competition Law.

Paxton contends that Kentucky law applies to this dispute while Plaintiffs argue that the record is not developed enough to make the fact-intensive determination of whether Kentucky, Virginia, Arkansas, or California law applies to this case, which are the states where Plaintiffs reside. (Def.'s Mot. Dismiss 10; Pls.' Resp. Def.'s Mot. Dismiss 14; Am. Compl. ¶¶ 13-18). Federal courts sitting in diversity apply the choice of law statutes of the state in which they sit. McKenzie v. Allconnect, Inc., 369 F.Supp.3d 810, 817 (E.D. Ky. 2019) (citation omitted). Thus, Kentucky's choice of law statute will apply. At this time, no discovery has been conducted and the parties have not sufficiently briefed the issues applying Kentucky choice of law principles. Therefore, this inquiry is not appropriate for determination at this stage in the litigation. See id. (“While the parties mention choice of law in a conclusory manner, the Court does not have sufficient information at this juncture to engage in a comprehensive choice of law analysis. As a result, for the purposes of this 12(b)(6) motion to dismiss, the Court will consider the pleaded claims under the substantive law of both Kentucky and Utah.”).

a. Negligence

Paxton asserts that Plaintiffs failed to state a claim for negligence because their allegations do not meet the injury requirement. (Def.'s Mot. Dismiss 10). To begin, the elements of negligence are similar under the laws of Kentucky, Virginia, California, and Arkansas, each of which have some injury or damages requirement. In their Amended Complaint, Plaintiffs allege a multitude of damages arising from Paxton's negligence including: (1) “monetary costs associated with the detection and prevention of identity theft and unauthorized use of their PII”; (2) “mental distress related to their fear of identity theft”; and (3) “time spent and monetary and other costs associated with the loss of productivity or the enjoyment of one's life from taking time to address and attempt to ameliorate, mitigate and deal with the actual and future consequences of the Data Breach, and the stress, nuisance and annoyance of dealing with all issues resulting from the Data Breach ....” (Am. Compl. ¶ 175). These allegations constitute a concrete injury for which relief can be granted.

See Hayes v. D.C.I. Props.-D KY, LLC, 563 S.W.3d 619, 622 (Ky. 2018) (“In any negligence case, a plaintiff must prove the existence of a duty, breach of that duty, causation between the breach of duty and the plaintiffs injury and damages.”); McKim v. Sullivan, 548 S.W.3d 835, 837-38 (Ark. 2018) (“[T]he Plaintiff must prove the following elements to establish a prima facie negligence cause against Sullivan: 1) the Plaintiff sustained damages, 2) Sullivan was negligent, and 3) that negligence was the proximate cause of Plaintiff's damages.” (citation omitted)); Talley v. Danke Med., Inc., 179 F.3d 154, 157 (4th Cir. 1999) (“The essential elements of a negligence claim in Virginia, as elsewhere, are (1) the identification of a legal duty of the defendant to the plaintiff; (2) a breach of that duty; and (3) injury to the plaintiff proximately caused by the breach.” (citation omitted)); Peredia v. HR Mobile Servs., Inc., 25 Cal.App. 5th 680, 687 (Ct. App. 2018) (“The elements of any negligence cause of action are duty, breach of duty, proximate cause, and damages.” (citation omitted)).

b. Breach of Implied Contract

Paxton argues that there was no implicit provision in the employment contracts between Plaintiffs and Paxton requiring Paxton to protect Plaintiffs' PII. (Def.'s Mot. Dismiss 12). The elements of breach of implied contract are substantially similar in each of the four relevant jurisdictions. Plaintiffs allege that by asking them for their personal information as a condition of employment, Paxton impliedly agreed “to safeguard and protect such information, to keep such information secure and confidential, and to timely and accurately notify Plaintiffs and the Employee Subclass if their data had been breached and compromised or stolen.” (Am. Compl. ¶ 179). In McKenzie v. Allstate, the court found that the plaintiffs sufficiently pled a breach of implied contract claim in the data breach context. McKenzie, 369 F.Supp.3d at 820-22. Therefore, Plaintiffs have successfully pled a claim for which relief can be granted.

See McKenzie, 369 F.Supp.3d at 820 (“To establish breach of an implied contract, the Plaintiff must prove the existence of an implied contract, created by mutual assent, and the failure of a party to comply with the contract's terms.” (citations omitted)); Farmers Edge Inc. v. Farmobile, LLC, 970 F.3d 1027, 1031 (8th Cir. 2020) (“An implied contract is an agreement implied in fact, founded upon a meeting of minds, which, although not embodied in an express contract, is inferred, as a fact, from conduct of the parties showing, in light of the surrounding circumstances, their tacit understanding.” (internal quotation marks omitted) (citation omitted)); Bd. of Supervisors of Fairfax Cnty. v. United States, 408 F.Supp. 556, 567 (E.D. Va. 1976) (“The Supreme Court has defined an implied in fact contract as one ‘founded upon a meeting of the minds, which, although not embodied in an express contract, is inferred, as a fact, from conduct of the parties showing, in the light of the surrounding circumstances, their tacit understanding.'” (citation omitted)); Yari v. Producers Guild of Am., Inc., 161 Cal.App.4th 172 (Ct. App. 2008) (“A cause of action for breach of implied contract has the same elements as does a cause of action for breach of contract, except that the promise is not expressed in words but is implied from the promisor's conduct.” (citation omitted)).

Paxton argues that McKenzie is distinguishable from this case because in McKenzie an employee inadvertently played a role in the data breach by falling prey to a phishing email. McKenzie, 369 F.Supp.3d at 821-22. However, at this point in the litigation, when no discovery has been conducted, Plaintiffs have sufficiently stated a claim for breach of implied contract.

c. Breach of Confidence

Paxton argues that Plaintiffs' breach of confidence claim should be dismissed because it is not a tort recognized in Kentucky. (Def.'s Mot. Dismiss 14). However, because it is uncertain which states' laws would apply, the Court declines to dismiss this claim as a matter of law at this juncture.

d. Invasion of Privacy

Paxton contends that Plaintiffs' invasion of privacy claims should be dismissed because Plaintiffs failed to “plead any facts that [Paxton] knowingly allowed third parties to access Plaintiffs' PII.” (Def.'s Mot. Dismiss 13). Under Kentucky law, to state a claim for intrusion upon seclusion, a plaintiff must allege “(1) an intentional intrusion by the defendant, (2) into a matter that the plaintiff has a right to keep private, and (3) which is highly offensive to a reasonable person.” McKenzie, 369 F.Supp.3d at 819 (citations omitted). However, “[a] defendant's actions may be intentional when the Defendant acts with such reckless disregard for the privacy of the plaintiff that the actions rise to the level of being an intentional tort.” Id. (citing Smith v. Bob Smith Chevrolet, Inc., 275 F.Supp.2d 808, 822 (W.D. Ky. 2003)).

Both Plaintiffs and Paxton discuss Plaintiffs' invasion of privacy claim solely under Kentucky law. (Def.'s Mot. Dismiss 13; Pls.' Resp. Def.'s Mot. Dismiss 18-19).

In this instance, Plaintiffs allege that “Defendant acted with a knowing state of mind when it permitted the Data Breach to occur because it had actual knowledge that its information security practices were inadequate and insufficient.” (Am. Compl. ¶ 201). Likewise, Plaintiffs allege “Defendant was aware of the potential of a data breach and failed to adequately safeguard its systems and implement appropriate policies to prevent the unauthorized release of Plaintiffs' and Class members' data.” (Am. Compl. ¶ 203). Taken as true, these allegations could lead a jury to infer that Paxton acted with such reckless disregard as to the safety of Plaintiffs' confidential financial information to rise to the level of intentionally allowing the intrusion upon Plaintiffs' seclusion. Thus, Plaintiffs have properly stated a claim for invasion of privacy.

e. Unjust Enrichment

Paxton next contends that Plaintiffs have failed to state a claim for unjust enrichment. Under Kentucky law, unjust enrichment is “1) a benefit conferred upon [the defendant] at [the plaintiff's] expense; 2) a resulting appreciation of the benefit by [the defendant]; and 3) an inequitable retention of the benefit without payment for its value.” Marcus & Millichap Real Est. Inv. Brokerage Co. v. Skeeters, 395 F.Supp.2d 541, 557 (W.D. Ky. 2005) (citation omitted). “Kentucky courts have consistently found that the first element not only requires a benefit be conferred upon the defendant, but also that the plaintiff be the party conferring that benefit.” Simpson v. Champion Petfoods USA, Inc., 397 F.Supp.3d 952, 973 (E.D. Ky. 2019) (citation omitted). Plaintiffs allege that “[b]y engaging in the acts and failures to act described in this Complaint, Defendant has been knowingly enriched by the savings in costs that should have been reasonably expended to protect the PII of Plaintiffs and the Class.” (Am. Compl. ¶ 221). At this stage in the litigation, Plaintiffs have sufficiently pled facts from which a reasonable jury could infer that Defendant received a benefit at the expense of the Plaintiffs “without payment for its value.” Skeeters, 395 F.Supp.2d at 557 (citation omitted). Therefore, Plaintiffs have stated a claim for unjust enrichment and dismissal is inappropriate.

Again, Plaintiffs and Paxton address the unjust enrichment claim under Kentucky law. (Def.'s Mot. Dismiss 14-15; Pls.' Resp. Def.'s Mot. Dismiss 20). For the purposes of this motion, the Court will discuss this claim under Kentucky law as well.

f. Declaratory and Injunctive Relief

Paxton also seeks dismissal of Plaintiffs' claims for declaratory and injunctive relief. (Def.'s Mot. Dismiss 16-17). Plaintiffs seek a declaration that “Defendant's existing security measures do not comply with its contractual obligations and duties of care to provide adequate security ....” (Am. Compl. ¶ 236). Under the Declaratory Judgment Act, “[i]n a case of actual controversy within its jurisdiction . . . any court of the United States . . . may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). The factors courts should consider when considering declaratory relief, the court should consider: (1) whether the declaratory action would settle the controversy; (2) whether the declaratory action would serve a useful purpose in clarifying the legal relations in issue; (3) whether the declaratory remedy is being used merely for the purpose of procedural fencing or to provide an arena for a race for res judicata; (4) whether the use of a declaratory action would increase friction between our federal and state courts and improperly encroach upon state jurisdiction; and (5) whether there is an alternative remedy which is better or more effective. England v. Perkins, No. 1:21-CV-00048-GNS, 2022 WL 2195207, at *7-8 (W.D. Ky. June 17, 2022) (citing Grand Trunk W. R. Co. v. Consol. Rail Corp., 746 F.2d 323, 326 (6th Cir. 1984)).

Before considering the factors, however, jurisdictional requirements must be met. Larry E. Parrish, P.C. v. Bennett, 989 F.3d 452, 457 (6th Cir. 2021). “A plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought.” Desai, 2021 WL 5762999, at *6 (quoting Kanuszewski, 927 F.3d at 406). For declaratory relief, the plaintiff “must present a justiciable case or controversy under Article III.” Hemlock Semiconductor Corp. v. Kyocera Corp., 747 Fed.Appx. 285, 292 (6th Cir. 2018) (citation omitted). The plaintiff “must demonstrate that the facts alleged, under all the circumstances, show that there is a substantial controversy, between parties having adverse legal interests, of sufficient immediacy and reality to warrant the issuance of a declaratory judgment.” Id. (internal quotation marks omitted) (citation omitted). Plaintiffs have alleged here only a past injury, their data being stolen, but fail to claim an ongoing risk of harm warranting the declaratory judgment they seek. Plaintiffs further request declaratory judgment that Paxton's security measures are inadequate and that Paxton must increase its security measures accordingly. (Am. Compl. ¶ 236). These measures, however, would not affect the risk that Plaintiffs' stolen information will be misused. Thus, Plaintiffs have failed to allege a live controversy warranting declaratory relief and this claim will be dismissed.

Similarly, Plaintiffs have failed to state a claim for injunctive relief. Plaintiffs seek an injunction for Paxton to “comply with its contractual obligations and duties of care, [and] . . . implement and maintain reasonable security measures ....” (Am. Compl. ¶ 236). Plaintiffs have again only alleged a past injury, the theft of their data, but fail to allege an ongoing risk of harm sufficient to justify injunctive relief they seek. Forcing Paxton to improve its security now would not decrease the risk of the stolen data being mis-used and thus, Plaintiffs have failed to state a claim for injunctive relief. For this reason, Plaintiffs' claims for injunctive relief and declaratory judgment will be dismissed.

Plaintiffs define reasonable measures as including, but not limited to:

A. Ordering that Defendant engage third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Defendant's systems on a periodic basis, and ordering Defendant to promptly correct any problems or issues detected by such third-party security auditors;
B. Ordering that Defendant engage third-party security auditors and internal personnel to run automated security monitoring;
C. Ordering that Defendant audit, test, and train its security personnel regarding any new or modified procedures;
D. Ordering that Defendant segment employee data by, among other things, creating firewalls and access controls so that if one area of Defendant's systems is compromised, hackers cannot gain access to other portions of Defendant's systems;
E. Ordering that Defendant purge, delete, and destroy, in a reasonably secure manner, customer data not necessary for their provisions of services;
F. Ordering that Defendant conduct regular database scanning and security checks; and
G. Ordering that Defendant routinely and continually conduct internal training and education to inform internal security personnel how to identify and contain a breach when it occurs and what to do in response to a breach.
(Am. Compl. ¶ 236).

g. Virginia Consumer Protection Act (“VCPA”)

Bowen also brings a claim against Paxton for violation of the Virginia Consumer Protection Act (“VCPA”). (Am. Compl. ¶¶ 237-50). To state a claim under the VCPA, a plaintiff must allege “(1) fraud, (2) by a supplier, (3) in a consumer transaction.” Nahigian v. Juno Loudoun, LLC, 684 F.Supp.2d 731, 741 (E.D. Va. 2010) (citations omitted). Employees are not protected by the VCPA because they are not consumers. Lucker v. Cole Vision Corp., No. 7:05CV00126, 2005 U.S. Dist. LEXIS 25118, at *19-20 (W.D. Va. 2005) (citation omitted) (“Lucker is not within the protective reach of the statute because he was an employee and not a consumer.”).

Bowen is a citizen of Virginia. (Am. Compl. ¶ 13).

Plaintiffs rely on Smith v. Interactive Financial Marketing Group, L.L.C., No. CL08-5950, 2009 WL 7388863 (City of Richmond Cir. Ct. 2009), in which the court held that the VCPA is “applicable to consumers and not employees, such as the Plaintiff.” Id. at *6. Bowen argues that Smith is distinguishable because there the plaintiff asserted a claim related to his at-will employment while Bowen's claim relates to offering Bowen employment and safeguarding his PII. (Pls.' Resp. Def.'s Mot. Dismiss 22). This supposed distinction, however, does not change the nature of the relationship between Bowen and Paxton. Bowen has failed to plead that he was a consumer or that his claim involved a consumer transaction and cites no case law indicating that a VCPA claim should be allowed in the employer-employee context. Therefore, Bowen's claim fails under the VCPA.

h. Kentucky Consumer Protection Act (“KCPA”)

Champion, Gilstrap, and Rogers have similarly failed to state a claim under the KCPA because they have not established that they were consumers or purchasers, or that Paxton was engaging in trade or commerce. Under the KCPA:

Champion, Gilstrap, and Rogers are citizens of Kentucky. (Am. Compl. ¶¶ 15-17).

Any person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by [Ky. Rev. Stat. §] 367.170, may bring an action under the Rules of Civil Procedure in the Circuit Court in which the seller or lessor resides or has his principal place of business or is doing business, or in the Circuit Court in which the purchaser or lessee of goods or services resides, or where the transaction in question occurred, to recover actual damages.
Kempf v. Lumber Liquidators, Inc., No. 3:16-CV-492-DJH, 2017 WL 4288903, at *3 (W.D. Ky. Sept. 27, 2017) (alteration in original) (citing KRS 367.220(1)). “[T]he KCPA provides a private remedy to ‘[a]ny person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal,' as a result of a violation of KRS § 367.170.” Helton v. Am. Gen. Life Ins. Co., 946 F.Supp.2d 695, 701 (W.D. Ky. 2013) (quoting KRS 367.220(1)). Plaintiffs cite no Kentucky law allowing a claim for under KCPA by an employee against an employer. This claim will be dismissed for failure to state a claim under the KCPA. Plaintiffs' allegations that “Defendant advertised, offered, or sold services relating to the employment of Plaintiffs and Kentucky Subclass members” is not sufficient to state a claim under KCPA. (Am. Compl. ¶ 254).

i. California Unfair Competition Law (“UCL”)

Bleier-Troup asserts a claim for violation of the UCL. (Am. Compl. ¶¶ 264-85). The UCL prohibits an entity from engaging in any “unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising ....” Cal. Bus. & Prof. Code § 17200. Bleier-Troup alleges claims under both unlawful business practices and unfair business practices. (Am. Compl. ¶¶ 272-85). Even if a plaintiff only asserts claims under the “unlawful” and “unfair” prongs of the UCL-and not the “fraudulent” prong-the plaintiff must meet the heightened pleading requirement of Rule 9(b) when alleging activity that consists of “a unified course of fraudulent conduct ....” Hadley v. Kellogg Sales Co., 243 F.Supp.3d 1074, 1094 (N.D. Cal. 2017). Paxton first contends that Bleier-Troup failed to allege that Paxton's conduct violated another law which is a requirement when bringing a claim for unlawful business practices. (Def.'s Mot. Dismiss 10). However, Bleier-Troup alleges that “Defendant violated Section 5(a) of the FTC Act (which is a predicate legal violation for this UCL claim) by misrepresenting the safety of its computer systems, specifically the security thereof and whether the systems were properly up-to-date or encrypted, and its ability to safely store ....” (Am. Compl. ¶ 272). Even under the heightened pleading standard, Bleier-Troup has adequately stated a claim under the UCL.

Bleier-Troup is a citizen of California. (Am. Compl. ¶ 18).

Bleier-Troup further alleges that “Defendant also violated Section 5(a) of the FTC Act by failing to implement reasonable and appropriate security measures or follow industry standards for data security, including with regard to encryption, and by failing to timely notify Plaintiff and all California Subclass members of the Data Breach”; and “Defendant also violated California Civil Code § 1798.81.5(b) in that it failed to maintain reasonable security procedures and practices, including with regard to encryption.” (Am. Compl. ¶¶ 273-74).

Paxton additionally contends that Bleier-Troup failed to allege that Paxton's actions “either offends an established public policy or is immoral, unethical, oppressive, or unscrupulous” as required to bring a claim for unfair business practices. McDonald v. Coldwell Banker, 543 F.3d 498, 506 (9th Cir. 2008) (internal quotation marks omitted) (citation omitted); (Def.'s Mot. Dismiss 21). Bleier-Troup, however, specifically points to California public policy that Paxton allegedly violated and claims that the members of the Class in California were harmed by Paxton's alleged actions. (Am. Compl. ¶ 280). Finally, Paxton argues that Bleier-Troup has failed to state a claim under UCL because she did not plead facts showing she is entitled to restitution or injunctive relief. (Def.'s Mot. Dismiss 20). However, this is not required at the pleading stage. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F.Supp.2d 942, 970 (S.D. Cal. 2012); McDonald, 543 F.3d at 506.

j. Alternatively, Immaterial and Impertinent Allegations Should Be Stricken

Paxton argues alternatively that Plaintiffs' allegations regarding the motivations of the cybercriminals who executed the attack on Paxton should be stricken. (Def.'s Mot. Dismiss 22). “Rule 12(f) allows a court to ‘strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.'” Operating Eng'rs Loc. 324 Health Care Plan v. G & W Constr. Co., 783 F.3d 1045, 1050 (6th Cir. 2015) (citations omitted). Motions to strike are viewed with disfavor and are not frequently granted. Brown & Williamson Tobacco Corp. v. United States, 201 F.2d 819, 822 (6th Cir. 1953). The function of the motion is to “avoid the expenditure of time and money that must arise from litigating spurious issues by dispensing with those issues prior to trial ....” Kennedy v. City of Cleveland, 797 F.2d 297, 305 (6th Cir. 1986) (quoting Sidney-Vinstein v. A.H. Robins Co., 697 F.2d 880, 885 (9th Cir. 1983)). Since these motions are disfavored and the Court does not believe that the allegations are so immaterial and impertinent that including them will cause increased expenditure of time and money by the parties, the Court declines to grant Paxton's motion. Id.

B. Motion for a Hearing

Plaintiffs have requested a hearing on Paxton's motion seeking dismissal of the Amended Complaint. (Pls.' Mot. Hr'g, DN 33). Based on the Court's review of the record, a hearing is unnecessary to address Paxton's dispositive motion, and Plaintiffs' motion will be denied.

C. Motion for Leave to File a Response

While the dispositive motions were pending, Plaintiffs filed supplemental authority with the Court, and Paxton moved for leave to file a response. (Pls.' Notice Suppl. Authority, DN 37; Def.'s Mot. Leave File Resp., DN 38). Because Plaintiffs have not opposed the motion, the Court will grant the motion.

V. CONCLUSION

For the foregoing reasons, IT IS HEREBY ORDERED as follows:

1. Defendant's Motion to Dismiss (DN 24) is DENIED AS MOOT. 2. Defendant's Motion to Dismiss (DN 28) is GRANTED IN PART and DENIED IN PART. Counts 6, 7, and 8 of the Amended Complaint are DISMISSED. 3. Plaintiffs' Motion for a Hearing (DN 33) is DENIED. 4. Defendant's Motion for Leave to File a Response (DN 38) is GRANTED.


Summaries of

Bowen v. Paxton Media Grp.

United States District Court, Western District of Kentucky
Sep 8, 2022
Civil Action 5:21-CV-00143-GNS (W.D. Ky. Sep. 8, 2022)
Case details for

Bowen v. Paxton Media Grp.

Case Details

Full title:WILLIAM BOWEN, et al. PLAINTIFFS v. PAXTON MEDIA GROUP, LLC DEFENDANT

Court:United States District Court, Western District of Kentucky

Date published: Sep 8, 2022

Citations

Civil Action 5:21-CV-00143-GNS (W.D. Ky. Sep. 8, 2022)

Citing Cases

Savidge v. Pharm-Save, Inc.

[a] defendant's actions may be intentional when the Defendant acts with such reckless disregard for the…

Savidge v. Pharm-Save, Inc.

Id. (citing TransUnion, 594 U.S. at 437; Bowen v. Paxton Media Grp., LLC, No. 5:21-CV-00143-GNS, 2022…