Opinion
4:24-CV-5045-TOR
12-26-2024
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT NEWCOURSE'S MOTION TO DISMISS
THOMAS O. RICE UNITED STATES DISTRICT JUDGE
BEFORE THE COURT is Defendant Newcourse's Motion to Dismiss (ECF No. 53). This matter was submitted for consideration without oral argument. The Court has reviewed the record and files herein and is fully informed. For the reasons discussed below, Defendant Newcourse's Motion to Dismiss (ECF No. 53) is GRANTED in part and DENIED in part.
BACKGROUND
This matter arises out of alleged identity theft resulting in the loss of $432,500 from Plaintiffs' business bank account. Plaintiff Greek Islands Cuisine (“Greek Islands”) is a restaurant located in Richland, Washington and owned in part by Plaintiffs Nikos and Nicole Danakos. ECF No. 52 at 2, 5 ¶¶ 2.1, 4.1. Greek Islands maintains a business bank account at KeyBank National Association (“KeyBank”), at its branch in Kennewick, Washington. Id. at 6, ¶ 4.2. Mr. and Mrs. Danakos held a personal checking account at HomeStreet Bank, headquartered in Seattle, Washington. Id. at 21-22, ¶ 4.28. HomeStreet bank utilizes Defendant Newcourse Communications, Inc. (“Newcourse”) in its business providing mailing services to financial institutions. Id.
The Court incorporates by reference the factual summary in its Order Granting Defendant Newcourse Communication Inc.'s Motion to Dismiss, ECF No. 51. In that Order, the Court permitted Plaintiffs to amend their Complaint with respect to claims against Newcourse. The Third Amended Complaint contains much of the same factual background as the previously dismissed Complaint but includes the addition of a relevant fact for this dispute: Plaintiffs allege that in communication with KeyBank, the thieves used the last four digits of Mr. Danakos' Social Security number to answer a security question to gain access to Greek Island's checking account. ECF No. 52 at 15, ¶ 4.18. Plaintiffs assert that the only place Mr. Danakos' partial social security number could have been obtained was in Newcourse's April-May 2022 data breach, and then used in answering that security question. Id. at 22, 25 ¶¶ 4.29, 4.33. Plaintiffs renew their negligence, negligence per se, and violation of the Washington Consumer Protection Act claims against Defendant Newcourse.
Defendant Newcourse renews its Motion to Dismiss, arguing this Court should dismiss Plaintiffs' claims either for lack of standing or for failure to state a claim. ECF No. 53. Plaintiffs argue that they have successfully shown both standing and stated each of their claims. ECF No. 57.
DISCUSSION
I. Standing
As was previously discussed, Article III of the United States Constitution vests in federal courts the power to entertain disputes over “cases” or “controversies.” U.S. CONST. art. III, § 2. To satisfy the case or controversy requirement, and thereby show standing, a plaintiff must demonstrate that throughout the litigation, they suffered, or will be threatened with, an actual injury traceable to the defendant which will likely be redressed by a favorable judicial decision. Spencer v. Kemna, 523 U.S. 1, 7 (1998) (quoting Lewis v. Cont'l Bank Corp., 494 U.S. 472, 477 (1990)); see also Deakins v. Monaghan, 484 U.S. 193, 199 (1988) (“Article III of the Constitution limits federal courts to the adjudication of actual, ongoing cases or controversies between litigants.”). Three elements must be shown in order to establish Article III standing: (1) the plaintiff must have suffered an “injury in fact” which is both concrete and particularized and not “conjectural” or “hypothetical”; (2) there must be a causal connection between the injury and the conduct complained of; and (3) it must be “likely” as opposed to “speculative” that the injury will be “redressed by a favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (internal citations and quotations omitted). The party invoking federal jurisdiction bears the burden of establishing the elements. Id. at 561 (citing FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231 (1990)). However, “[a]t the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice.” Id.
Defendant Newcourse argues that the Third Amended Complaint is still deficient, as the only particularized injury was to Greek Island's bank account, and thus the Danakoses cannot assert a claim for damages sustained by their business. ECF No. 53 at 7. Plaintiffs argue that they have been injured by the conduct of Defendant Newcourse because they allege the last four digits of Mr. Danakos's social security number were taken in the data breach and then used to answer a security question with Greek Island's Keybank Account. ECF No. 52 at 23, ¶ 4.30.
A. Injury in Fact
Defendant Newcourse first argues that the Danakoses have not alleged an injury in fact that is particularized to them. ECF No. 53 at 7. Specifically, it asserts that the only cognizable injury in this lawsuit is the theft of the $432,500 from Greek Island's bank account, an entity wholly separate from them. Id. Plaintiffs argue that the compromised partial Social Security number resulting in theft from their family-owned business demonstrates a cognizable injury. ECF No. 57 at 6-7.
An injury in fact must be concrete, and absent this demonstration, a plaintiff does not have standing. TransUnion LLC v. Ramirez, 594 U.S. 413, 417 (2021). Concrete injuries can be tangible, like monetary loss or physical harms, or they may be intangible, which the Supreme Court has coined as those which have a “close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016). The Court has described these traditional bases as causes of action for things like intrusion upon seclusion, public disclosure of private fact, and reputational damage. TransUnion LLC, 594 U.S. at 425. However, future harms cannot form the basis of a concrete injury “unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 436.
In their Third Amended Complaint, Plaintiffs allege that the last four digits of Mr. Danakos's Social Security number was among the information obtained from the data breach, and that it was used in the effort to commandeer the Greek Island's Keybank account. Other Courts have held that attempts to use stolen information to establish other bank accounts are sufficient allegations to establish an injury in fact, though the injury of attempting to gain entry or establish another account may be intangible. See Krefting v. Kaye-Smith Enterprises Inc., No. 2:23-CV-220, 2023 WL 4846850, at *3 (W.D. Wash. July 28, 2023); Gaddy v. Long & Foster Companies, Inc., No. CV 21-2396 (RBK)(EAP), 2023 WL 1926654, at *8 (D.N.J. Feb. 10, 2023) (“Misuse of financial information is a cognizable, intangible injury that, even without financial loss, is sufficient to confer standing. A party's financial loss may affect the amount of its damages, but financial loss is not always required for an injury in fact.”); Leonard v. McMenamins, Inc., No. 2:22-CV-00094-BJR, 2022 WL 4017674, at *5 (W.D. Wash. Sept. 2, 2022). And so too here, Mr. Danakos currently has alleged an injury in fact, as the last four digits of his Social Security number were allegedly used to gain access to Greek Island's bank account. While true that this harm may not be pervasive, as it seems wholly unlikely that any criminals could use the information stolen to open a new bank account or credit card, the information is alleged to have accessed an existing bank account and could seemingly be used to do so again. Thus, for that injury alone, Mr. Danakos has established standing.
Defendant Newcourse also argues that the Danakoses may not state a claim for the actual monetary amount lost from the Greek Island account as their own personal injury for the purpose of standing, both because they have no right to assert it as owners and because it is not a distinct claim from that of Greek Islands. On the one hand, Greek Islands is an incorporated entity, and thus as owners, the Danakoses normally do not have an interest in the damage done by a third-party criminal to Greek Islands. United States v. Stonehill, 83 F.3d 1156, 1160 (9th Cir. 1996) (collecting cases); see also Sabey v. Howard Johnson & Co., 101 Wash.App. 575, 584 (2000) (“Even a shareholder who owns all or most of the stock, but who suffers damages only indirectly as a shareholder, cannot sue as an individual.”); Woods View II, LLC v. Kitsap Cnty., 188 Wash.App. 1, 24 (2015) (finding that the sole owner of a corporation was unable to assert “an injury distinct from that of other shareholders” to recover financial damage sustained by her construction company). Even a sole shareholder cannot establish standing by claiming diminution in value of the corporation. Sparling v. Hoffman Constr. Co., 864 F.2d 635, 640 (9th Cir.1988). Thus, the Danakoses' claim for their interest in the money stolen from their family business is not enough to confer onto them a separate injury for the purposes of standing.
However, a shareholder may assert an injury in fact for standing if they can demonstrate a direct injury that is independent of that to the corporation. Shell Petroleum, N.V. v. Graves, 709 F.2d 593, 595 (9th Cir. 1983). Further, there are two instances recognized in Washington State law in which an individual shareholder may assert an injury sustained by a corporation as their own for the purpose of establishing standing: “(1) where there is a special duty, such as a contractual duty, between the wrongdoer and the shareholder; and (2) where the shareholder suffered an injury separate and distinct from that suffered by other shareholders.” Sabey, 101 Wash.App. at 584-85. Defendant Newcourse argues that the only claims advanced by the Danakoses are those which are shared with Greek Islands, and thus they cannot establish standing. ECF No. 60 at 3.
However, as discussed above, Mr. Danakos alleges that his Social Security number was used to gain access to the Greek Islands account. While the corporation is a separate entity, it does not have its own Social Security number, demonstrating that Mr. Danakos has a claim separate and apart from other shareholders. See Von Brimer v. Whirlpool Corp., 536 F.2d 838, 846 (9th Cir. 1976) (holding that a shareholder must assert more than economic injury suffered by the corporation to have standing). Additionally, as is discussed more fully below, Greek Islands has no independent connection to Defendant Newcourse, and it is alleged that the corporation only came into contact with the mailing service through the misuse of Mr. Danakos' information.
Next, Defendant Newcourse argues that Plaintiffs still do not allege an injury in fact because none of the information taken was personally identifiable, and therefore not sensitive. ECF No. 53 at 10. The Washington law on security breaches defines personal information in part as:
An individual's first name or first initial and last name in combination with one or more of the following data elements: (A) Social security number; (B) Driver's license number or Washington identification card number; (C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account; (D) Full date of birth; (E) Private key that is unique to an individual and that is used to authenticate or sign an electronic record; (F) Student, military, or passport identification number; (G) Health insurance policy number or health insurance identification number; (H) Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer. RCW 19.255.005(2)(a).
The statute goes on to state that personal information “does not include publicly available information that is lawfully made available to the public from federal, state, or local government records.” RCW 19.255.005(2)(b). Here, Plaintiffs allege that their full names, HomeStreet Bank account numbers, and the last four digits of their Social Security numbers were compromised. ECF No. 52 at 22, ¶ 4.29. They maintain that they do not publicize any part of their Social Security numbers, and that they are for all intents and purposes, private data points. Defendant Newcourse insists that this information could not be used to achieve any identity theft, and as such, Plaintiffs will be unable to maintain claims for time and expense on preventive measures, diminution of value of the information, delay in receipts of tax funds, and emotional harm. ECF No. 53 at 10-11.
Given that the Court must take all Plaintiffs' allegations as true and draw all reasonable inferences in their favor, in this instance, the last four digits of a Social Security number, in conjunction with a full name, is sensitive information. See Wolfe v. Strankman, 392 F.3d 358, 362 (9th Cir. 2004). Defendant points to Federal Rule of Civil Procedure 5.2 as evidence that the last four digits of a Social Security number can be substituted for the full number set in court filings, and therefore do not function as inherently private pieces of identifiable information. However, in accepting the Third Amended Complaint as true, there is more than a remote possibility that a third-party may use the combination of Plaintiffs' name and partial social security numbers to gain access again to other financial accounts that they already hold. In re Zappos.com, Inc., 888 F.3d 1020, 1027-28 (9th Cir. 2018). Moreover, a note to Rule 5.2 advises that “[w]hile providing for the public filing of some information, such as the last four digits of an account number, the rule does not intend to establish a presumption that this information never could or should be protected.” Keeping in mind In re Zappos, the Court finds that Plaintiffs have alleged injuries in future harms such as preventative measures, diminution in value of their personal identifying information, and emotional distress, given they allege the information has already been used to assume Mr. Danakos's identity. See also Krefting, 2023 WL 4846850, at *3 (finding injury in fact for investigating and mitigating breach, as well as the related emotional stress).
However, the Court finds that the Third Amended Complaint does not adequately plead an injury in fact regarding delay in receipt of tax refunds as Plaintiffs do not explain how a breach of the last four digits of their social security numbers impacted their tax refund.
B. Causal Connection
Under factor two, causation must be fairly traceable in connection between the injury a plaintiff complains of and the conduct of the defendant. Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 103 (1998) (citing Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 41-42 (1976)). A plaintiff may not rely on “a bare legal conclusion to assert injury-in-fact,” or engage in an “ingenious academic exercise in the conceivable” to establish the cause of the injury. Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011) (internal citation and quotations omitted). “A causation chain does not fail simply because it has several ‘links,' provided those links are not hypothetical or tenuous and remain plausible.” Id. at 1070 (internal quotations and citations omitted). Given the early stage of this case, Plaintiffs' burden to establish causation is relatively modest. Bennett v. Spear, 520 U.S. 154, 171 (1997).
Here, Plaintiffs allege that their claim survives a standing challenge because they can demonstrate monetary injury, as well as the impending or substantial risk of harm associated with the stolen information from the Newcourse data breach. The last four digits of Mr. Danakos's Social Security Number, as alleged to only derive from the Newcourse data breach, was used to authenticate a security question with KeyBank. ECF No. 52 at 25, ¶ 4.33. If proven true, this claim is a contributing factor to the ultimate theft of the $432,500 from Greek Islands' bank account, serving as a causal link.
The Court also seeks to clarify its prior Order regarding which claims may be asserted by the Danakoses with respect to standing. The current thread linking Defendant Newcourse to this action is the allegation that it is the only entity from which the third-party criminals could have received Mr. Danakos's partial social security number. ECF No. 52 at 25, ¶ 4.33. Should that thread become severed, the claim will cease to arise out of the same conduct upon which this lawsuit is based, Defendant Newcourse will be completely unrelated to all other defendants, and dismissal will be proper. Fed.R.Civ.P. 20(2); see also Visendi v. Bank of Am., N.A., 733 F.3d 863, 871 (9th Cir. 2013); Coleman v. Quaker Oats Co., 232 F.3d 1271, 1296 (9th Cir. 2000) (“Under Rule 20(b), the district court may sever the trial in order to avoid prejudice.”). Because there is currently a tie between Plaintiffs and Defendant Newcourse, the Court will retain claims related to their identity theft more generally for the purposes of judicial economy. Coughlin v. Rogers, 130 F.3d 1348, 1351 (9th Cir. 1997) (“Rule 20 is designed to promote judicial economy, and reduce inconvenience, delay, and added expense.”).
C. Redressability
Finally, though not challenged by Defendant Newcourse, the Court notes that if Plaintiffs are successful on the merits, the injury inflicted by the data breach and threat of future harms is redressable by damages. See Lujan, 504 U.S. at 561.
II. Failure to State a Claim
Defendant next argues that, even if Plaintiffs have established standing, they have failed to state a claim with respect to negligence, negligence per se, and a violation of the Washington Consumer Protection Act, and are not entitled to injunctive relief. ECF No. 53.
Federal Rule of Civil Procedure 12(b)(6) provides that a defendant may move to dismiss the complaint for “failure to state a claim upon which relief can be granted.” A 12(b)(6) motion will be denied if the plaintiff alleges “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A motion to dismiss for failure to state a claim “tests the legal sufficiency” of the plaintiff's claims. Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). While the plaintiff's “allegations of material fact are taken as true and construed in the light most favorable to the plaintiff” the plaintiff cannot rely on “conclusory allegations of law and unwarranted inferences ... to defeat a motion to dismiss for failure to state a claim.” In re Stac Elecs. Sec. Litig., 89 F.3d 1399, 1403 (9th Cir. 1996) (citation and brackets omitted). That is, the plaintiff must provide “more than labels and conclusions, and a formulaic recitation of the elements.” Twombly, 550 U.S. at 555. Instead, a plaintiff must show “factual content that allows the court to draw the reasonable inference that the defendant is liable for the alleged misconduct.” Iqbal, 556 U.S. 662. A claim may be dismissed only if “it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” Navarro, 250 F.3d at 732.
This matter is before this Court on the basis of its diversity jurisdiction pursuant to 28 U.S.C. § 1332(a)(1); Plaintiffs are citizens of Washington State and Defendant Newcourse is incorporated and has a principal place of business in Tennessee. ECF No. 52 at 3, ¶¶ 2.2, 2.3, 2.6. As a federal court sitting in diversity in Washington, this Court applies Washington's choice-of-law rules. See Patton v. Cox, 276 F.3d 493, 495 (9th Cir. 2001). Washington courts will only engage in a choice-of-law analysis if there is actual conflict between Washington law and the laws or interests of another state. FutureSelect Portfolio Mgmt., Inc. v. Tremont Grp. Holdings, Inc., 180 Wash.2d 954, 967 (2014). Here, both parties are seemingly in agreement that Washington law applies.
A. Negligence
Defendant Newcourse first argues that Plaintiffs are unable to establish that the printing company owed them any sort of duty, as they had no “special relationship,” nor can they allege that Newcourse took any affirmative action which led to the data breach. ECF No. 60 at 6-7. Further, Defendant Newcourse argues that Plaintiffs will be unable to demonstrate both injury and proximate cause. ECF No. 53 at 16.
The elements of the tort of negligence are duty, breach, causation, and damage or injury. Hartley v. State, 103 Wash.2d 768, 777 (1985). Washington law requires that the breach be the proximate cause of the injury, meaning that it is both the cause in fact and the legal cause. Id. (internal citation omitted).
i. Duty
“The existence of a duty is a question of law and depends on mixed considerations of logic, common sense, justice, policy, and precedent.” Snyder v. Med. Serv. Corp. of E. Washington, 145 Wash.2d 233, 243 (2001) (internal quotation marks omitted). Duty may be “predicated on violation of statute or common law principles of negligence.” Jackson v. City of Seattle, 158 Wash.App. 647, 651 (2010) (citation omitted).
Plaintiffs allege that Newcourse breached a duty to provide reasonable cybersecurity measures, which is an unfair act under Section 5 of the Federal Trade Commission Act. ECF No. 57 at 15. Defendant Newcourse argues that courts have rejected the premise that a statutory duty can be based on a violation of Section 5 of the Federal Trade Commission Act with respect to cybersecurity measures. ECF No. 57 at 15.
Washington courts follow Restatement (Second) of Torts § 286 (1965) to determine whether a statute imposes a legal duty. Hansen v. Friend, 118 Wn.2d 476, 480-81 (1992) (citation omitted). Under the Restatement, the statute that is asserted to convey a duty must have a purpose that, “is found to be exclusively or in part:”
(a) to protect a class of persons which includes the one whose interest is invaded, and
(b) to protect the particular interest which is invaded, and
(c) to protect that interest against the kind of harm which has resulted, and
(d) to protect that interest against the particular hazard from which the harm results.
Restatement (Second) of Torts § 286 (1965).
Section 5 of the Federal Trade Commission Act prohibits unfair and deceptive acts or practices in commerce. 15 U.S.C. § 45(a). “The paramount aim of [the FTC Act] is the protection of the public from the evils likely to result from the destruction of competition or the restriction of it in a substantial degree.” FTC v. Raladam Co., 283 U.S. 643, 647-48 (1931). Courts outside of Washington have interpreted this language to convey a duty to defend consumers from data hacking and require adequate cybersecurity. See F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 240 (3d Cir. 2015); In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 407 (E.D. Va. 2020); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 479 (D. Md. 2020). However, courts in Washington have acknowledged cases from other circuits, including Wyndham, and roundly rejected the reasoning that the requirement of cybersecurity may be read into the FTC Act to create a statutory-based duty. See Guy v. Convergent Outsourcing, Inc., No. C22-1558 MJP, 2023 WL 4637318, at *4 (W.D. Wash. July 20, 2023); Veridian Credit Union v. Eddie Bauer, LLC, 295 F.Supp.3d 1140, 1159 (W.D. Wash. 2017) (“Veridian alleges no harm from ‘the destruction of competition,' and it alleges neither that it is a customer nor a competitor of Eddie Bauer.”); In re MCG Health Data Sec. Issue Litig. No. 2:22-CV-849-RSM-DWC, 2023 WL 4131746 (W.D. Wash. June 22, 2023). The Court declines to break with the norm established by other courts in Washington, and thus does not find that the FTC Act gives rise to a duty to protect from data breaches. Plaintiffs point to no Washington case in which a court has recognized a legal duty arising out of the FTC Act involving cybersecurity or data breaches, nor do they satisfy the requirements of the Restatement.
However, Plaintiffs argue that nevertheless, they may maintain a negligence claim under a common law theory of duty. In general, common law does not impose a duty onto a private person to protect others from the criminal activity of a third party. Nivens v. 7-11 Hoagy's Corner, 133 Wash.2d 192, 199 (1997) (quoting Hutchins v. 1001 Fourth Ave. Assocs., 116 Wash.2d 217, 223 (1991)). However, Washington law has recognized the duty to protect from third party criminal activity in two situations: where there is a special relationship with the victim or where there is a special relationship with the criminal. Tae Kim v. Budget Rent A Car Sys., Inc., 143 Wash.2d 190, 195 (2001).
Plaintiffs allege that Defendant Newcourse created a high risk of harm through its failure to safely retain Plaintiffs' stored information. ECF No. 57 at 16. This failure was an affirmative act, Plaintiffs argue, through their maintenance of insufficient and inadequate security systems. Id. However, the Court finds that Defendant Newcourse did not commit misfeasance, and instead is guilty of nonfeasance. See Veridian Credit Union, 295 F.Supp.3d at 1158 (determining that a plaintiff's allegation that the defendant failed to employ adequate data security measures are omissions, and therefore nonfeasance rather than misfeasance). Plaintiffs insist that the factual background of their case is analogous to the findings of Krefting v. Kaye-Smith Enterprises Inc., No. 2:23-CV-220, 2023 WL 4846850, at *4-5 (W.D. Wash. July 28, 2023), in which the Western District of Washington found that a credit union had a duty to safeguard the personal information of customers when it transferred such information to a mailing service. Plaintiffs conclude, incorrectly, that baked into the decision was a finding of an affirmative action by the mailing service. ECF No. 57 at 17. However, the court in Krefting explicitly said that of the allegations that were made in that case, the only affirmative act of the credit union was providing the mailing service with its customers' personal information. Krefting, 2023 WL 4846850, at *4-5. The court was silent as to the duty of the mailing service to maintain the safety of the data transferred to it, and here the Court does not find that Defendant Newcourse took any affirmative step giving rise to misfeasance.
“Plaintiff alleges BECU knew that ‘cybercriminals routinely target corporations ... in an attempt to steal the[ir] collected Private Information,' that Kaye-Smith ‘failed to maintain many reasonable and necessary industry standards necessary to prevent data breaches,' that BECU failed to ensure that Kaye-Smith had proper safeguards in place, and that BECU provided its customers' PII to Kaye-Smith nevertheless. Dkt. No. 1 at 6, 15, 17, 26. This last step, as alleged, is the affirmative act by BECU that subjected Plaintiff to harm.”
In the matter at hand, the Court finds Plaintiffs' arguments regarding a duty arising through a third-party contract unavailing. First, the Third Amended Complaint is silent as to a claim centering from a third-party beneficiary contract. However, the Court is doubtful that Plaintiffs would be able to successfully carry a claim of a duty arising out of a third-party contract, even if amendment was granted.
Under Washington law, a third-party contract exists if performance under a contract necessarily and directly benefits a third party. Warner v. Design & Build Homes, Inc., 128 Wash.App. 34, 43 (2005). A benefit to a third party that is incidental, indirect, or inconsequential is insufficient to demonstrate an intent to create a contract directly obligating the promisor to perform a duty to a third party. Del Guzzi Constr. Co. v. Global Northwest Ltd., 105 Wash.2d 878, 886 (1986). Whatever contract Newcourse and HomeStreet Bank entered into was for the benefit of Newcourse to provide mailing services for HomeStreet Bank. ECF No. 52 at 22, ¶ 4.28. And Plaintiffs' Response does not assert anything except a conclusory allegation, as they baldly claim that they were the beneficiary of the contract between HomeStreet Bank and Newcourse. ECF No. 57 at 17. Any benefit they may have been intended to receive from this contract was, at best, indirect.
As Plaintiffs have failed to develop a theory of duty, the Court declines to consider their arguments under injury and proximate cause, and dismisses their negligence claim against Defendant Newcourse.
B. Negligence Per Se
Washington courts do not recognize a separate cause of action under negligence per se. Veridian Credit Union, 295 F.Supp.3d at 1155 (“[I]n Washington, the violation of a statute or the breach of a statutory duty is not considered negligence per se, but may be considered by the trier of fact as evidence of negligence.”) As such, the Court dismissed Plaintiffs' negligence per se claim against Newcourse.
C. Washington Consumer Protection Act
Washington's Consumer Protection Act (“CPA”) prohibits “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.” RCW 19.86.020. “To prevail in a private CPA claim, the plaintiff must prove (1) an unfair or deceptive act or practice, (2) occurring in trade or commerce, (3) affecting the public interest, (4) injury to a person's business or property, and (5) causation.” Panag v. Farmers Ins. Co. of Washington, 166 Wash.2d 27, 37 (2009). All elements of the CPA must be satisfied in order to bring a claim. Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash.2d 778, 784 (1986). The CPA “shall be liberally construed [so] that its beneficial purposes may be served.” RCW 19.86.920.
Defendant Newcourse argues that Plaintiffs are unable to satisfy the first three elements of the CPA. ECF No. 53 at 21. The CPA does not define unfair or deceptive, and Washington courts have “allowed the definitions to evolve through a gradual process of judicial inclusion and exclusion.” Veridian Credit Union, 295 F.Supp.3d at 1161. “An unfair act is established by evidence that it (1) causes or is likely to cause substantial injury, which (2) consumers cannot avoid, and (3) is not ‘outweighed by countervailing benefits.'” Merriman v. Am. Guarantee & Liab. Ins. Co., 198 Wash.App. 594, 368 (2017).
Given the liberal construction of the CPA, the Court finds that Newcourse's failure, as alleged by Plaintiffs, to take appropriate cybersecurity measures and secure their personal data constitutes an unfair practice. See Veridian Credit Union, 295 F.Supp.3d at 1162; Convergent Outsourcing, Inc., 2023 WL 4637318, at *8 (“Plaintiffs' allegations of Convergent's failure to secure their PII sufficiently identifies an unfair act that satisfies this element of the CPA.”). Moreover, the CPA does not require a direct or implied business or consumer relationship between a plaintiff and a defendant. Panag v. Farmers Ins. Co. of Washington, 166 Wn.2d 27, 40 (2009). Plaintiffs argue they are two of 13,214 residents in Washington affected by the data breach, which they allege ultimately contributed to a $432,500 loss from their business. ECF No. 52 at 22-23, ¶ 4.30.
Defendant Newcourse finally argues that Plaintiffs are unable to demonstrate causation, as no action taken or not taken by the mailing service impacted the Plaintiffs' behavior with respect to the damage to the KeyBank account. ECF No. 60 at 10. Washington courts recognize a rebuttable presumption of reliance when the unfair or deceptive act is premised on an omission, such as a failure to disclose cybersecurity safety practices. Eng. v. Specialized Loan Servicing, 500 P.3d 171, 181 (Wash.Ct.App. 2021) (Remanding in part because the trial court erroneously dismissed a CPA claim where borrower was entitled to rebuttable presumption of reliance). Even in a situation where the parties are not in privity with one another, there is still a requirement that the defendant's violation caused the injury to plaintiff, creating the necessary “link” of causation. Panag, 166 Wn.2d 27, 39-40 (2009) (“[W]hile RCW 19.86.090 requires such injury, and thus a connection between the wrongdoing (the wrongdoer) and the plaintiff, it does not require that the plaintiff be in a consumer or other business relationship with the actor.”).
In essence, Plaintiffs' claim is that Defendant Newcourse does not disclose, either directly or indirectly, its substandard security measure, and such failure to safeguard their information damaged their business by assisting hackers in accessing the KeyBank account. ECF No. 52 at 22-25. The Court finds the link to be flimsy, but for consideration under the standard required for a Rule 12(b)(6) motion, the Court denies dismissal at this stage. See Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). Though admittedly with little discussion of the issue of causation, the court in Guy v. Convergent Outsourcing, Inc., denied dismissal of a CPA claim with a similar factual background. There, the court maintained a CPA claim against a third-party consumer debt collector that experienced a data breach impacting the personally identifiable information for 640,906 individuals who were not customers of the collection service. Convergent Outsourcing, Inc., 2023 WL 4637318, at *1. In its reasoning for denying dismissal of the claim, the court stated, “[p]laintiffs have alleged an injury from the lost value of the PII and this satisfies both the CPA element and Article III standing, given that it is a concrete injury fairly traceable to Convergent's alleged misconduct.” Id. at *8. Here, the allegations are similar in that the Court has found that Plaintiffs have alleged a concrete harm resulting from the data breach. Given the relatively minimal showing required to overcome a Motion to Dismiss, and the rebuttable nature of the presumption, the Court finds that Plaintiffs have made an adequate showing to maintain their CPA claim.
Given this finding, the Court determines that it is premature to dismiss Plaintiffs' claim for injunctive relief as permitted by the CPA. See RCW 19.86.090; In re Zappos.com, Inc., 888 F.3d at 1030 (“And at least some of their requested injunctive relief would limit the extent of the threatened injury by helping Plaintiffs to monitor their credit and the like.”); Hockley v. Hargitt, 82 Wn.2d 337, 351 (1973) (“We hold that under RCW 19.86.090 an individual may seek and obtain an injunction that would, besides protecting his own interests, protect the public interest.”).
ACCORDINGLY, IT IS HEREBY ORDERED:
1. Defendant's Motion to Dismiss (ECF No. 53) is GRANTED in part and DENIED in part.
2. Plaintiffs' claims for negligence, negligence per se, and for damage arising out of delayed tax returns against Defendant Newcourse are DISMISSED with prejudice.
The District Court Executive is directed to enter this Order and furnish copies to counsel