Opinion
No. CV-20-01282-PHX-MTL
2021-09-27
David K. Lietz, Pro Hac Vice, Gary E. Mason, Pro Hac Vice, Mason Lietz & Klinger LLP, Washington, DC, Gary M. Klinger, Pro Hac Vice, Mason Lietz & Klinger LLP, Chicago, IL, Hart Lawrence Robinovitch, Zimmerman Reed PLLP, Scottsdale, AZ, Neal A. DeYoung, Pro Hac Vice, DeYoung & Associates, Southbury, CT, Carrie Ann Laliberte, Bonnett Fairbourn Friedman & Balint PC, Phoenix, AZ, for Plaintiffs Chris Griffey, Bharath Maduranthgam Rayam, Michael Domingo, Laura Leather, Clara Williams. David K. Lietz, Pro Hac Vice, Gary E. Mason, Pro Hac Vice, Mason Lietz & Klinger LLP, Washington, DC, Elaine Ann Ryan, Carrie Ann Laliberte, Bonnett Fairbourn Friedman & Balint PC, Phoenix, AZ, Gary M. Klinger, Pro Hac Vice, Mason Lietz & Klinger LLP, Chicago, IL, Neal A. DeYoung, Pro Hac Vice, DeYoung & Associates, Southbury, CT, Hart Lawrence Robinovitch, Zimmerman Reed PLLP, Scottsdale, AZ, for Plaintiff Keith Lewis. Elaine Ann Ryan, Carrie Ann Laliberte, Bonnett Fairbourn Friedman & Balint PC, Phoenix, AZ, Joel Robert Rhine, Pro Hac Vice, Martin A. Ramey, Pro Hac Vice, Rhine Law Firm PC, Wilmington, NC, John A. Yanchunis, Pro Hac Vice, Morgan & Morgan Complex Litigation Group, Tampa, FL, Michael Dell'Angelo, Pro Hac Vice, Berger & Montague PC, Michael K. Yarnoff, Pro Hac Vice, Kehoe Law Firm PC, Philadelphia, PA, Patricia Nicole Syverson, Bonnett Fairbourn Friedman & Balint PC, San Diego, CA, Hart Lawrence Robinovitch, Zimmerman Reed PLLP, Scottsdale, AZ, for Plaintiffs Daniel Ranson, Mitchell Flanders, Joseph Rivera, Teresa Culberson. Christopher A. Wiech, Pro Hac Vice, Baker & Hostetler LLP, Atlanta, GA, Paul Gregory Karlsgodt, Pro Hac Vice, Sean B. Solis, Pro Hac Vice, Baker & Hostetler LLP, Denver, CO, John Christopher Gray, Lewis Roca Rothgerber Christie LLP, Phoenix, AZ, for Defendant.
ORDER
Michael T. Liburdi, United States District Judge
Magellan Health, Inc. ("Magellan") was the subject of a ransomware cyber-attack and data breach. A hacker stole the personally identifiable information ("PII") and protected health information ("PHI") of Magellan employees, contractors, and participants in health care benefit plans that Magellan administers. Plaintiffs here represent these categories of individuals. They assert numerous claims against Magellan relating to the data breach. Magellan has moved to dismiss. (Doc. 33, the "Motion".) The Parties fully briefed the Motion and the Court held oral argument. The Court resolves the Motion as follows.
I. FACTUAL BACKGROUND
The following facts are taken from the First Amended Consolidated Class Action Complaint ("Amended Complaint"). (Doc. 30.) Magellan is a health care company headquartered in Phoenix, Arizona. It administers health and pharmaceutical benefits to plan members in exchange for fees. (Doc. 30 ¶¶ 30–31.) As part of the administration process, Magellan obtains and stores plan members’ PII and PHI on its servers. (Id. ¶¶ 31–33.) Similarly, Magellan collects PII from its employees as a condition of employment. (Id. ¶¶ 63–64.) Plaintiffs further allege that Magellan's privacy policy contains express statements whereby Magellan committed to protecting the PII and PHI it collects. (Id. ¶¶ 50–53.)
In April 2020, a hacker sent a "spear phishing" email to Magellan employees. (Id. ¶¶ 32, 38.) An employee unwittingly responded to the email, and, in doing so, provided the hacker with access to the Magellan email system. (Id.) A ransomware attack followed. (Id. ¶¶ 32, 38, 82.) The hacker accessed and extracted PII and PHI from Magellan servers. (Id. ¶ 33.) Magellan detected the attack when system files became encrypted. (Id. ¶ 38.) This is a common feature of a successful spear phishing attack. (Id. ¶ 37.) It was Magellan's second data breach that year. (Id. ¶¶ 32, 38, 82.)
Plaintiffs are residents of different states and have different relationships with Magellan, but their claims fall into three categories based on the injury they allegedly suffered. Plaintiffs Chris Griffey, Michael Domingo, Joseph Rivera, and Teresa Culberson received notice of the data breach. (Id. ¶¶ 1, 4, 12–13.) They allege potential risks of future harm, including harm to their PII or PHI. (Id.) Plaintiffs Bharath Rayam and Clara Williams allegedly experienced attempted fraud but suffered no out-of-pocket losses. (Id. ¶¶ 2–3, 6–7.) Finally, Plaintiffs Laura Leather, Daniel Ranson, Mitchell Flanders, and Keith Lewis allege they incurred out-of-pocket expenses in response to the data breach to protect or monitor their PII and PHI. (Id. ¶¶ 5, 8–11, 14–15.)
Plaintiffs lay out the nature of their alleged current and future injuries in their Amended Complaint: (1) the compromise, publication, theft, damage to, diminution in value, or unauthorized use of their PII or PHI; (2) out-of-pocket costs associated with the prevention, detection, recovery, and remediation from identity theft or fraud; (3) lost opportunity costs and lost wages associated with efforts expended and the loss of productivity from addressing and attempting to mitigate the actual and future consequences of the data breach; (4) the continued risk to their PII and PHI while in Magellan's possession if Magellan does not take appropriate measures to protect Plaintiffs’ information; (5) current and future costs in terms of time, effort, and money that will be expended to prevent, detect, contest, remediate, and repair the impact of the data breach for Plaintiffs’ lives; (6) imminent and impending injury arising from the increased risk of fraud and identity theft; (7) injury in ways yet to be discovered and proven at trial; and (8) a heightened risk for financial fraud, medical fraud, identity theft, and attendant damages for the foreseeable future. (Id. ¶¶ 85–86, 91; see id. ¶ 98.)
Plaintiffs allege Magellan's data security infrastructure was inadequate to prevent the cyber-attack. (Id. ¶¶ 85–91.) As a result, all Plaintiffs and the prospective class members allege claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of the Arizona Consumer Fraud Act ("AzCFA"). (Id. ¶ 28.) In addition, Plaintiffs domiciled outside of Arizona allege violations of their state's consumer protection laws. (Id.)
Magellan moves to dismiss the Amended Complaint asserting various arguments: (1) Plaintiffs lack Article III standing; (2) none of Plaintiffs’ claims for relief are properly pleaded; and (3) many of the claims asserted under state consumer protection statutes do not apply to Magellan.
II. STANDARD OF REVIEW
A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief" such that the defendant is given "fair notice of what the ... claim is and the grounds upon which it rests." Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) (quoting Fed. R. Civ. P. 8(a)(2) ; Conley v. Gibson , 355 U.S. 41, 47, 78 S.Ct. 99, 2 L.Ed.2d 80 (1957) ). A complaint does not suffice "if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’ " Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Twombly , 550 U.S. at 556, 127 S.Ct. 1955 ). Dismissal under Rule 12(b)(6) "can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." Balistreri v. Pacifica Police Dep't , 901 F.2d 696, 699 (9th Cir. 1988). A complaint, however, should not be dismissed "unless it appears beyond doubt that the plaintiff can prove no set of facts in support of the claim that would entitle it to relief." Williamson v. Gen. Dynamics Corp. , 208 F.3d 1144, 1149 (9th Cir. 2000).
The Court must accept material allegations in a complaint as true and construe them in the light most favorable to Plaintiffs. North Star Int'l v. Arizona Corp. Comm'n , 720 F.2d 578, 580 (9th Cir. 1983). "Indeed, factual challenges to a plaintiff's complaint have no bearing on the legal sufficiency of the allegations under Rule 12(b)(6)." See Lee v. City of Los Angeles , 250 F.3d 668, 688 (9th Cir. 2001). Review of a Rule 12(b)(6) motion is "limited to the content of the complaint." North Star Int'l , 720 F.2d at 581.
III. DISCUSSION
The Court addresses whether Plaintiffs have standing and then addresses whether Plaintiffs have stated a claim in each cause of action.
A. Standing
The standing doctrine is rooted in Article III of the United States Constitution. To proceed with an action in federal court, a plaintiff must show "(i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief." TransUnion LLC v. Ramirez , ––– U.S. ––––, 141 S. Ct. 2190, 2203, 210 L.Ed.2d 568 (2021) (citing Lujan v. Defenders of Wildlife , 504 U.S. 555, 560–561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ). Here, redressability and causation are not at issue. The critical inquiry is whether each Plaintiff suffered an actual, concrete injury. Magellan argues that Plaintiffs have not. The Court disagrees.
Setting aside the issue of whether Plaintiffs have stated cognizable injuries for the purposes of their substantive claims against Magellan, it is axiomatic that a plaintiff can satisfy the Article III injury-in-fact requirement but, ultimately, fall short of satisfying the cognizable injury requirement for, say, a negligence claim. See Krottner v. Starbucks Corp. , 406 F. App'x 129, 131 (9th Cir. 2010). To qualify under this standard, conduct, like Magellan's here, must create a risk of future injury that is "certainly impending." Clapper v. Amnesty Int'l USA , 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013). This Court has previously reasoned that injuries in data breach cases like the ones Plaintiffs allege here satisfy the injury-in-fact requirement. See, e.g. , In re Banner Health Data Breach Litig. , No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *2 (D. Ariz. Dec. 20, 2017) (concluding that all of the Plaintiffs in a data breach case involving the theft of individuals’ personal information stored by a health care services provider had alleged an injury-in-fact).
For example, in In re Banner Health , the court held that allegations claiming personal information was stolen and then sold for financial gain satisfied Article III standing. Id. at *2. What is more, the court in In re Banner Health also observed that even without allegations such as "who stole [Plaintiffs’] information and what their motives might have been," Article III standing would still exist in similar data breach cases. See id. (deducing this conclusion through the holding in Krottner v. Starbucks Corp. , 628 F.3d 1139, 1140 (9th Cir. 2010) ). Indeed, the United States Supreme Court has recently recognized that "disclosure of private information" is one of many "[v]arious intangible harms" that satisfy Article III standing. TransUnion LLC , 141 S. Ct. at 2204. Thus, the Court finds these allegations sufficient for the purposes of the standing inquiry.
B. Negligence
A negligence claim under Arizona law requires proof of four elements: duty, breach, causation, and damages. Quiroz v. ALCOA Inc. , 243 Ariz. 560, 563, 416 P.3d 824 (2018). Generally speaking, Plaintiffs claim that Magellan owed them a "duty of care to use reasonable means to secure and safeguard its computer property—and Class Members’ PII and PHI held within it—to prevent disclosure of the information, and to safeguard the information from theft." (Doc. 30 ¶ 119.) They further claim that Magellan breached this duty by employing vulnerable data systems. (Id. ¶ 130.) Magellan's Motion does not take issue with these allegations. Instead, it argues that Plaintiffs’ Amended Complaint fails to properly allege causation and damages. (Doc. 33 at 4–7.)
1. Causation
Causation is generally a question of fact for the jury. Cramer v. Starr , 240 Ariz. 4, 11, 375 P.3d 69 (2016). At the motion to dismiss stage, however, the Court may review the complaint to determine if causation is adequately pleaded. Lexmark Int'l, Inc. v. Static Control Components, Inc. , 572 U.S. 118, 134, 134 S.Ct. 1377, 188 L.Ed.2d 392 (2014) ("But like any other element of a cause of action, [proximate causation] must be adequately alleged at the pleading stage in order for the case to proceed."). A causal or logical relationship between events creates proximate cause; a purely temporal connection may not. Stollenwerk v. Tri-W. Health Care All., 254 F. App'x 664, 668 (9th Cir. 2007).
Plaintiffs allege that Magellan's failure to "properly monitor the computer network and systems" containing Plaintiffs’ PII and PHI caused their injuries. (Doc. 30 ¶ 23.) This failure, they claim, caused the data breach and constituted "reckless and negligent conduct." (Id. ¶ 24.) As a result of Magellan's negligent behavior, Plaintiffs allege their PII and PHI fell into "the hands of data thieves and [is] available on the dark web." (Id.) This directly and proximately caused their injuries to occur. (Id. ¶¶ 25–26.)
Magellan argues that Plaintiffs cannot draw a sufficiently strong causal link between the data breach and the alleged injuries. (Doc. 33 at 7.) Magellan believes Plaintiffs Griffey, Domingo, Rivera, and Culberson cannot show proximate cause because they only allege the potential for future injuries which cannot be causally linked to the data breach. (Doc. 33 at 7.) Plaintiffs do not contest this argument. (See Doc. 34 at 6–7.) Next, Magellan asserts that Plaintiffs Rayam, Leather, Williams, Ranson, Flanders, and Lewis have not shown a causal link between the data breach and their alleged injuries. (Id.) Instead of showing a logical connection between the data breach and the injuries, Magellan argues that Plaintiffs are relying on a purely temporal argument: the data breach occurred and then these injuries happened. Magellan maintains that this sequence of events does not indicate causality.
Focusing on the injuries suffered by the other six plaintiffs, Plaintiffs argue that the connection between the data breach and injuries is not purely temporal. (Id.) They claim the data breach and the events immediately after—increased spam calls, PII and PHI on the "dark web," fraudulent applications for unemployment benefits, fraudulent accounts being opened, and "other suspicious activities"—are logically connected and sufficient to support allegations of proximate cause.
The Court finds the analysis in Stollenwerk instructive in this case. In Stollenwerk , the Ninth Circuit held the theft of a computer hard drive proximately caused the release of personal information held on that hard drive. Stollenwerk , 254 F. App'x at 668. The court reasoned that it was plausible that the thief could have extracted information and then released it. Id. In addition, the plaintiff alleged that he normally refused to transmit his personal information over the internet, habitually shredded mail containing personal information, and had a nearly nonexistent record of personal information being stolen prior to the hard drive theft. Id. And so, the court denied the motion to dismiss for lack of proximate cause. Id.
Like in Stollenwerk, Plaintiffs plausibly allege proximate causation because this case has fewer links in the chain of causation. In Stollenwerk the computer hardware was stolen and the court had to assume that the personal information on the hardware could be and was extracted. Here, the personal information in this case was stolen directly. This means that the first link in the chain of causation the court in Stollenwerk deemed plausible is a certainty in this case. Furthermore, like the plaintiffs in Stollenwerk, Plaintiffs here allege that they took reasonable steps to maintain the confidentiality of their PII and PHI. (Doc. 30 ¶ 66.) But, unlike the complaint in Stollenwerk, the Amended Complaint here does not elaborate on the measures taken by Plaintiffs in this case. If it is true that Plaintiffs’ steps to protect their PII or PHI were reasonable, then the allegation that the data breach proximately caused the misappropriation and misuse of Plaintiffs Rayam, Williams, Lewis, Flanders, Ranson, and Leather's PII and PHI is more plausible than the causation allegations in Stollenwerk. Thus, Plaintiffs Rayam, Williams, Lewis, Flanders, Ranson, and Leather sufficiently allege causation for the purposes of Rule 12(b)(6). Plaintiffs Griffey, Domingo, Rivera, and Culberson do not because they allege only future injuries.
2. Damages
Magellan also seeks the dismissal of Plaintiffs’ negligence claim on the separate basis that the Amended Complaint does not allege cognizable injuries. Negligence "damage[s] must be actual and appreciable, non-speculative, and more than merely the threat of future harm." CDT, Inc. v. Addison, Roberts & Ludwig, C.P.A., P.C. , 198 Ariz. 173, 176–77, 7 P.3d 979 (App. 2000) (quotation omitted). The majority view is that "general allegations of lost time," "continued risk to [plaintiff's] personal data," and "the danger of future harm" are not cognizable injuries. Pruchnicki v. Envision Healthcare Corp. , 439 F. Supp. 3d 1226, 1232–33 (D. Nev. 2020), aff'd 845 F. App'x 613 (9th Cir. 2021) ; accord Krottner v. Starbucks Corp. , 406 F. App'x 129, 131 (9th Cir. 2010). Similarly, general allegations that a plaintiff's personal information has diminished in value are not enough. "In order to survive a motion to dismiss on this theory of damages, a plaintiff ‘must establish both the existence of a market for her personal information and an impairment of her ability to participate in that market.’ " Pruchnicki , 439 F. Supp. 3d at 1234 (quoting Svenson v. Google Inc. , No. 13-CV-04080-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016) ). Even with out-of-pocket expenses, paying for additional credit monitoring services requires "a plaintiff to plead that the monitoring costs were both reasonable and necessary." In re Sony Gaming Networks & Customer Data Sec. Breach Litig. , 996 F. Supp. 2d 942, 970 (S.D. Cal. 2014), order corrected , (MDD), No. 11MD2258 AJB, 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014).
Magellan argues that the Plaintiffs do not allege sufficiently cognizable injuries to support a negligence claim. (Doc. 33 at 4–7.) Plaintiffs Griffey, Domingo, Rivera, and Culberson allege a threat of future injury which is not cognizable under CDT because such allegations qualify as speculative and as threats of future harm. (Id. at 4.) Magellan next observes that Plaintiffs Williams and Rayam do not allege out-of-pocket expenses. (Id. at 5.) Citing cases like Pruchnicki , Magellan concludes Williams and Rayam's claims are not cognizable. (Id. ) After that, Magellan notes that Plaintiffs’ claims that they suffered damages to and diminution in the value of their PII or PHI are not cognizable because they fail to establish a market for their personal information and an impairment on their ability to participate in that market. (Id. at 6.) Finally, while some Plaintiffs incurred out-of-pocket expenses, Magellan argues they fail to allege that their expenditures to mitigate damages were reasonable and necessary. (Id. at 6–7.)
Plaintiffs disagree. They initially argue that attempted or actual identity fraud constitutes sufficient damages to support a negligence claim. (Doc. 34 at 3–4.) Then, Plaintiffs rely on out-of-circuit caselaw to challenge Magellan's arguments about lost time allegations. (See id. at 4–5.) Finally, Plaintiffs argue that when compromised PII or PHI loses value it is a cognizable injury. (Id. at 6.)
Citing In re Facebook Litig., 572 F. App'x 494 (9th Cir. 2014), In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 461 (D. Md. 2020), In re Experian Data Breach Litig., No. SACV151592AGDFMX, 2016 WL 7973595, at *5 (C.D. Cal. Dec. 29, 2016), and In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017).
Plaintiffs’ allegations of lost time addressing the data breach, continued risk to their PII and PHI, and the danger of future harm are not cognizable injuries for negligence claims. Krottner , 406 F. App'x at 131 ; Pruchnicki , 439 F. Supp. 3d at 1232–33. The cases Plaintiffs cite are either consistent with this principle or not binding on this court. (See Doc. 34 at 4.) Plaintiffs’ claims of future injury simply are not cognizable. Thus, even if Plaintiffs Griffey, Domingo, Rivera, and Culberson sufficiently alleged causation, their claims would still be dismissed for failure to state a claim.
Although Plaintiffs Williams and Rayam experienced attempted fraud, their claims are not cognizable. Whether any fraud will actually occur in the future is speculative. As a result, Plaintiffs only suffer a threat of future injuries. But Arizona law requires negligence damages to be more than merely a threat of future harm. CDT , 198 Ariz. at 176–177, 7 P.3d 979. Threats of future harm, on their own, are not cognizable negligence injuries.
Courts also recognize that merely alleging a diminution in value to somebody's PII or PHI is insufficient; the plaintiff must demonstrate a market exists for the personal information at issue and an impairment in a plaintiff's ability to participate in that market. See Pruchnicki , 439 F. Supp. 3d at 1234 (citing the Svenson test). The Amended Complaint demonstrates neither. Plaintiffs only identify an illegal market for their personal information, the "dark web." This Court declines to recognize the "dark web" as a legitimate market by which individuals may sell their information. Furthermore, Plaintiffs fail to allege that the availability of their information on the "dark web" lowers the value of their information. What is more, in support of their negligence claims, Plaintiffs argue that compromised PII inherently loses value. (Doc. 34 at 6.) Their argument reflects a fundamental misunderstanding of the law. In re Facebook only applied to breach of contract and fraud claims, not negligence claims; In re Experian applied In re Facebook and thus cannot be used to show compromised PII inherently loses value in negligence claims; and In re Yahoo discussed standing, not cognizable injury in negligence claims. Moreover, Plaintiffs’ citation to In re Marriott that PII or PHI has value in our digital economy actually supports the test articulated in Svenson . Svenson acknowledged that PII and PHI have value in our economy and that a plaintiff must identify a market in which he would like to sell his or her data. This, unlike the observation in In re Marriott , proposes a means to measure the value of PII or PHI. Thus, without identifying a market in which they can or could and intend or intended to sell their information, Plaintiffs here fail to demonstrate a loss in value of their PII or PHI. 
Finally, Plaintiffs Lewis, Flanders, Ranson, and Leather allege damages due to out-of-pocket expenses spent on credit monitoring services in addition to the identity monitoring services provided by Magellan. (Doc. 30 ¶ 90.) Even when out-of-pocket expenses are alleged, Plaintiffs must also allege that the monitoring costs were reasonable and necessary. In re Sony, 996 F. Supp. 2d at 970. Plaintiffs fail to allege their out-of-pocket expenses were necessary in the Amended Complaint. (See generally Doc. 30.) Even if Plaintiffs had offered a conclusory allegation that their out-of-pocket expenses were reasonable and necessary, they would still need to properly allege that the identity monitoring services offered by Magellan were inadequate in some way to justify the out-of-pocket expenses. Yet Plaintiffs allege no metric or measure indicating their risk increased such that the identity monitoring services provided by Magellan were inadequate. (Doc. 30 ¶ 90; see generally Doc. 30.) Without substantiating their claims that Magellan's services were inadequate, Plaintiffs have no argument that their out-of-pocket expenses were reasonable or necessary.
Thus, Plaintiffs fail to state a claim alleging a cognizable tort injury. And so, all negligence claims will be dismissed with leave to amend.
3. Negligence Per Se
Magellan moves to dismiss Plaintiffs’ separately pleaded claim for negligence per se. "Negligence per se is not a cause of action separate from common law negligence. It is a doctrine under which a plaintiff can establish the duty and breach elements of a negligence claim based on a violation of a statute that supplies the relevant duty of care." Craten v. Foster Poultry Farms Inc., 305 F. Supp. 3d 1051, 1054 n.2 (D. Ariz. 2018). Indeed, Plaintiffs at oral argument all but conceded that negligence per se is not a separate cause of action. Plaintiffs’ negligence per se claim will be dismissed with prejudice to the extent that it is a stand-alone claim for relief. If Plaintiffs choose to file a second amended complaint, this does not preclude them from applying the theory of negligence per se to their negligence claims.
4. Economic Loss Doctrine
Magellan argues that Plaintiffs’ negligence claims should be dismissed under the economic loss doctrine. According to Magellan, Plaintiffs are limited to contract damages. Plaintiffs respond that Arizona's version of the economic loss doctrine does not extend beyond product liability and construction defect cases. They also argue that Magellan's argument is self-contradictory because it denies the existence of any contract.
"The ‘economic loss doctrine’ bars plaintiffs, in certain circumstances, from recovering economic damages in tort." Flagstaff Affordable Housing Ltd. Partnership v. Design Alliance, Inc. , 223 Ariz. 320, 321, 223 P.3d 664 (2010). The doctrine advances "[t]he contract law policy of upholding the expectations of the parties." Id. at 325, 223 P.3d 664. The Arizona Supreme Court has stated, "[o]ur adoption of the economic loss doctrine in construction defect cases reflects our assessment of the relevant policy concerns in that context; it does not suggest that the doctrine should be applied with a broad brush in other circumstances." Id. at 329, 223 P.3d 664. The parties have not cited any Arizona case where the economic loss doctrine was applied outside the context of products liability or construction defect cases. Given the Arizona Supreme Court's direction that the economic loss doctrine should be applied only in limited contexts, this Court will not expand the doctrine to apply in data breach cases without more direct guidance from the Arizona courts that such doctrine is applicable in this category of cases.
C. Unjust Enrichment
"Unjust enrichment occurs when one party has and retains money or benefits that in justice and equity belong to another." Trustmark Ins. Co. v. Bank One, Arizona, NA , 202 Ariz. 535, 541, 48 P.3d 485 (Ct. App. 2002), as corrected (June 19, 2002). Arizona courts require a plaintiff to show five elements: "(1) an enrichment; (2) an impoverishment; (3) a connection between the enrichment and the impoverishment; (4) the absence of justification for the enrichment and the impoverishment; and (5) the absence of a legal remedy." Id. Plaintiffs who have "already received the benefit of [their] contractual bargain" cannot recover under a theory of unjust enrichment. Adelman v. Christy , 90 F. Supp. 2d 1034, 1045 (D. Ariz. 2000). Thus, if Plaintiffs recover under their implied contracts theory, they cannot recover for unjust enrichment. But a plaintiff is permitted to plead alternative claims of relief in the complaint; "the mere existence of a contract governing the dispute does not automatically invalidate an unjust enrichment alternative theory of recovery." Id. And so, although recovery for breach of an implied contract would preclude recovery for unjust enrichment, Plaintiffs may plead both breach of implied contract and unjust enrichment in their Amended Complaint.
Some Plaintiffs were employees of Magellan, some were contractors, and others were beneficiaries of health care plans administered by Magellan or one of its affiliates or subsidiaries. (Doc. 30 ¶¶ 167–176.) Yet the allegations for unjust enrichment are substantially the same for all Plaintiffs. (Id.) Plaintiffs allege that they provided money or labor to Magellan affiliates and subsidiaries by which Magellan was enriched. (Id. ¶ 167.) The money provided or the benefit conferred by Plaintiffs’ labor was intended, in part, to be used by Magellan to fund "adequate security" for the PII and PHI it stored. (Id.) Magellan enriched itself by spending less than it should have on data security and did not provide a reasonable amount of security to protect Plaintiffs’ PII or PHI. (Id. ¶ 168.) Cutting corners on data security led to the data breach. (Id.) There is no justification for Magellan's decision. (Id. ¶ 169.) Plaintiffs further allege that Magellan's data security was inadequate because this was the second data breach for Magellan in a year and because Magellan should have known about and implemented industry standards for data security. (Id. ¶¶ 80–82.) Plaintiffs did not allege what actions Magellan took that were inadequate or which features of its data security system were below industry standards. (Id.) But, according to Plaintiffs, they have stated a claim for unjust enrichment. (Id.)
The Amended Complaint does not clearly explain whether Plaintiffs Williams and Lewis still receive health care services administered by Magellan or one of Magellan's affiliates or subsidiaries. (Doc. 30 ¶¶ 5, 14.)
Magellan argues that Plaintiffs’ claims fail because Plaintiffs admit that Magellan was not paid directly by Plaintiffs, indicating there was no enrichment. Also, Plaintiffs received the health care services to which they were entitled, so they were not impoverished. (Doc. 33 at 11; Doc. 35 at 7–8.) Plaintiffs counter that the enrichment does not have to come from direct payment or services to Magellan because unjust enrichment is an equitable doctrine. (Doc. 34 at 11–12.) Additionally, Plaintiffs argue their impoverishment stems from Magellan's lack of adequate data security. (Id.) Plaintiffs’ data were entitled to more security than provided. (Id.)
On this issue, the parties cited three cases with conflicting holdings. Compare In re Banner Health , 2017 WL 6763548 at *6 (holding that plaintiffs in a similar data breach adequately pleaded unjust enrichment), with Irwin v. Jimmy John's Franchise, LLC , 175 F. Supp. 3d 1064, 1071–1072 (C.D. Ill. 2016) (applying Arizona law and dismissing unjust enrichment claims even though Jimmy John's did not have data security for customer credit card information) and In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig. , 45 F. Supp. 3d 14, 30 (D.D.C. 2014) (holding a similar claim did not meet Article III standing).
Irwin concerned customers who paid for sandwiches at Jimmy John's restaurants. Customers who paid with their credit cards claimed Jimmy John's was unjustly enriched because the company did not provide reasonable data security for customer credit card information. Irwin , 175 F. Supp. 3d at 1071. In Irwin , Jimmy John's had a group of separate cash-only customers who paid the same price as those who purchased food with a credit card. Id. at 1071–1072. Thus, the entire price paid by credit card users accounted for the sandwiches they purchased. See id. This was the same amount paid by cash customers. And so, Irwin held the credit-paying plaintiffs did not experience an impoverishment because they "did not pay for a side order of data security and protection" with their sandwiches. Id. at 1072. None of the money paid could be reasonably attributed to credit card security.
Here, unlike Irwin, the Amended Complaint does not specify whether Plaintiffs all paid by the same means and at the same price for health care services. Likewise, all employees or contractors turned over the same PII as a condition of working for or with Magellan. The Amended Complaint identifies no group that paid the same price for services and required no data security. And the Amended Complaint identifies no group or groups that provided services without turning over their PII. On balance, Irwin’s logic and conclusion that Plaintiffs could not expect to receive data security does not apply in this case.
The Amended Complaint only states that Magellan received the fees that Plaintiffs paid to Magellan's affiliates and subsidiaries and the states in which they operate. (Doc. 30 ¶ 31.)
In re Banner Health and In re Science Applications came to opposite conclusions with similar facts. In re Science Applications involved a government data breach which resulted in the increased risk of identity theft for approximately 4.7 million people. 45 F. Supp. 3d at 19–22. The court required Plaintiffs to allege a market difference between the value of services received and the price paid to establish Article III standing. In re Science Applications , 45 F. Supp. 3d at 30. As explained elsewhere in this order, however, this Court concludes that the Plaintiffs have standing. In re Banner Health concerned a data breach during which hackers accessed the PII and PHI of "nearly 4 million patients, insurance plan members, plan beneficiaries, payment card users, and healthcare providers." In re Banner Health , 2017 WL 6763548 at *1. The plaintiffs alleged that Banner Health "failed to provide adequate data security." Id. at *6. Specifically, the plaintiffs in In re Banner Health pointed to the lack of a "multi-factor authentication for remote access to computer networks that contain sensitive information." Plaintiffs’ Consolidated Amended Class Action Complaint at 34, In re Banner Health Data Breach Litig. , 2017 WL 6763548 (D. Ariz. Dec. 20, 2017) (No. 16-02696). The Court concluded that the plaintiffs had adequately pleaded unjust enrichment. In re Banner Health , 2017 WL 6763548 at *6. But this Court does not follow In re Banner Health ’s conclusion because Plaintiffs here allege no specific reasons explaining why Magellan's data security was inadequate.
Plaintiffs offer two post hoc explanations when alleging that Magellan's data security services were "inadequate." First, they allege that two data breaches in a year necessarily implies that Magellan's data security was inadequate. That is not enough. As a matter of logic, however, the existence of an adequate data security infrastructure and two data breaches in a year are not mutually exclusive.
Second, they allege that Magellan should have known about industry standards and did not meet those standards. Plaintiffs allege that Magellan did not implement a series of policies, procedures, and "best practices" outlined by private cyber-security firms and the Department of Health and Human Services’ Office for Civil Rights ("HHS"). (See Id. ¶ 80–82.) But the Amended Complaint does not explain with which of the many standards listed Magellan failed to comply. (Id. ) Plaintiffs’ Amended Complaint also does not specify of which standards Magellan should have been or was aware. (Id. ) In addition, Plaintiffs’ allegations do not explain whether Magellan's data security systems were better or worse than the standards articulated in the Amended Complaint. As written, the Amended Complaint could be read to assert that Magellan's data security systems did not follow the standards outlined by private cyber-security firms or HHS because Magellan's data security systems were better. Thus, it is unclear what standard determines a security system is inadequate and which parts, if any, of Magellan's data security systems were below industry standards.
Even if everything Plaintiffs allege is true, there are plausible explanations beyond the existence of an inadequate data security system that account for Magellan's second data breach in a year. Alleging that a system was inadequate because a negative result occurred is conclusory, and Plaintiffs’ claim that Magellan's system fell below an ill-defined standard is conclusory. The Court is permitted to disregard conclusory allegations. And so, the Court finds that Plaintiffs fail to properly allege that Magellan's data security was inadequate.
Without Plaintiffs properly alleging that Magellan's systems were inadequate, there is no way to establish on the pleadings that Magellan was enriched, that Plaintiffs were impoverished, or that there was a connection between the enrichment and impoverishment. Thus, Plaintiffs fail to state a claim for unjust enrichment and will be granted leave to amend.
D. Implied Contract
Contracts consist of an offer, acceptance, consideration, and intent by the parties to be bound by the contract. Day v. LSI Corp. , 174 F. Supp. 3d 1130, 1153 (D. Ariz. 2016), aff'd , 705 F. App'x 539 (9th Cir. 2017). Contracts can be implied in law and in fact. Barmat v. John & Jane Doe Partners A-D , 155 Ariz. 519, 521–522, 747 P.2d 1218 (1987). Implied in fact contracts are enforceable contracts, but, unlike express contracts, implied in fact contracts are created by "conduct rather than words [to convey] the necessary assent and undertakings." Barmat , 155 Ariz. at 521, 747 P.2d 1218 (quoting 1 A. Corbin, Corbin on Contracts § 18, at 39 (1963)). Plaintiffs allege that Magellan has violated the terms of the parties’ implied contracts established by Magellan's privacy policy. (Doc. 30 ¶¶ 52–53.) In addition to the express statements in the privacy policy, Plaintiffs allege that the implied contracts also incorporated Magellan's HIPAA obligations. (Id. ¶¶ 51–53.) At bottom, Plaintiffs and Magellan disagree over two issues: (1) Did Plaintiffs sufficiently allege the terms of the implied in fact contracts? (2) Did Plaintiffs adequately allege consideration in the implied in fact contracts?
1. Terms of the Implied Contracts
In a breach of contract claim, the plaintiff must demonstrate that the breach caused an injury. Thomas v. Montelucia Villas, LLC , 232 Ariz. 92, 96, 302 P.3d 617 (2013). A calculation of damages cannot be speculative. See Cole v. Atkins , 69 Ariz. 81, 86, 209 P.2d 859 (1949) (holding a party cannot recover "for speculative or remote damages"); e.g. Lindsey v. Univ. of Arizona , 157 Ariz. 48, 54, 754 P.2d 1152 (App. 1987) (holding employee social reputation damages are too speculative). Contract terms cannot be vaguely pleaded. Even at the motion to dismiss stage, courts cannot be left to "guess" how a party failed to perform their contractual obligations. Kuhns v. Scottrade, Inc. , 868 F.3d 711, 718 (8th Cir. 2017).
Plaintiffs allege that Magellan failed to uphold its bargain when it did not "properly monitor the computer network and systems" containing Plaintiffs’ PII or PHI. (Id. ¶ 23.) This failure to provide adequate data security violated the implied contracts and caused the data breach. (Id. ¶¶ 24, 156–162.) Because Magellan violated the implied contracts, Plaintiffs allege their PII and PHI fell into "the hands of data thieves and [is] available on the dark web." (Id. ) And this caused their injuries and damages to occur. (Id. ¶ 25–26; see Id. ¶ 163.)
Magellan argues Plaintiffs do not sufficiently allege the terms of the implied contracts. (Doc. 33 at 9; Doc. 35 at 6–7.) Magellan believes the privacy policy does not establish any implied contracts and only applies to the use of its website. (Doc. 35 at 7.) Furthermore, even if implied contracts were formed, Magellan asserts Plaintiffs do not sufficiently allege what Magellan specifically promised to do to protect against cyber-attacks. (Doc. 33 at 9.)
Plaintiffs counter that they do allege implied contracts with specific terms. (See generally , Doc. 34 at 9–11.) Plaintiffs believe that their health care services fees or labor "were inextricably linked" with the surrender of PII or PHI. (Id. at 9.) Thus, "the parties manifested a joint understanding that Plaintiffs’ PII and PHI would be reasonably safeguarded by Defendant and only disclosed to authorized parties." (Id. )
Plaintiffs allege that Magellan's privacy policy posted on its website established terms for a promise to protect their PII and PHI beyond the requirements of HIPAA. (See Doc. 30 ¶¶ 52–53, 154–155.) But Plaintiffs allege no facts concerning the applicability or scope of Magellan's privacy policy beyond the allegations that it applies and that Magellan implemented data security below industry standards in violation of it. On a motion to dismiss, the Court must assume Plaintiffs’ factual allegations are true, but the Court has no obligation to consider conclusory or nonexistent allegations. Plaintiffs fail to allege specific terms of the implied contracts: when and to what extent did the contract apply? Without more, Plaintiffs’ argument boils down to the same argument in their unjust enrichment claims. Because there was a data breach, Magellan's data security must have been inadequate, which is a breach of the implied contracts. And, because Magellan did not conform to an unclear standard of data security, Magellan must have breached the implied contracts. As with their unjust enrichment claims, Plaintiffs’ allegations are conclusory. Thus, Plaintiffs fail to state a claim.
2. Consideration
Normally, courts do not examine the adequacy of the parties’ consideration. Carroll v. Lee , 148 Ariz. 10, 13–14, 712 P.2d 923 (1986). It is, however, well established that "a promise to perform a pre-existing duty is insufficient consideration." Hisel v. Upchurch , 797 F. Supp. 1509, 1521 (D. Ariz. 1992) (citing Restatement (Second) of Contracts § 73 (1981) ). See, e.g. , In re Banner Health , 2017 WL 6763548, at *3. Thus, courts will examine the existence, rather than the adequacy, of consideration. See, e.g. , id.
Some courts maintain that the receipt of PII or PHI implies assent to protect that information. E.g. Castillo v. Seagate Technology, LLC , No. 16-CV-01958-RS, 2016 WL 9280242 at *9 (N.D. Cal. Sept. 14, 2016). Other courts hold that privacy policies must promise to do more than that which is legally mandated to establish consideration. For example, In re Banner Health considered language in a privacy policy similar to the language in Magellan's privacy policy. See In re Banner Health , 2017 WL 6763548, at *4 ("Banner is committed to protecting the confidentiality of information about you, and is required by law to do so ...."). The court held, "this language could arguably be read as a promise to keep patient information confidential," but "it cannot be read as a promise to do anything above and beyond what is already required by law." Id. The court ruled that the defendant "was already under a preexisting legal duty to protect [p]laintiff's information." Id. Thus, without a promise beyond that legal duty, the court found that no implied contract was formed because there was no consideration. See id. (citing Hisel , 797 F. Supp. at 1521 ).
Plaintiffs allege Magellan's privacy policy promised data security beyond the level Magellan was legally required to supply as consideration for implied contracts with Plaintiffs. (Doc. 30 ¶¶ 52–53, 157.) Specifically, they allege that Magellan "expressly promised Plaintiffs ... that it would only disclose PII or PHI under certain circumstances, none of which," applied to the data breach. (Id. ¶ 154.) They also allege Magellan "promised to comply with industry standards and to make sure Plaintiffs’ ... PII and PHI would remain protected." (Id. ¶ 155.) Finally, Plaintiffs allege that they had a reasonable belief that Magellan's "data security practices complied with relevant laws and regulations and were consistent with industry standards." (Id. ¶ 159.)
Magellan argues there was no consideration because Magellan's only promise was to do something which it was already legally obligated to do, and such promises do not constitute consideration. (Doc. 33 at 10; Doc. 35 at 6–7.) Plaintiffs disagree. They believe Magellan's request for privacy information was an exchange of promises. (Doc. 34 at 10.) They assert Plaintiffs who were members and paid for health care services exchanged fees and data for health care services and data security. (Id. ) Plaintiffs who were employed by or contracted with Magellan exchanged labor and data for financial compensation and data security. (Id. ) Finally, they believe Magellan's privacy policy established implied in fact contracts that promised a level of data security beyond Magellan's legal requirements. (Id. at 10–11.)
Plaintiffs here fail to allege consideration because they did not allege that Magellan promised to act beyond the existing HIPAA mandates. Magellan's privacy policy statements—"your personal privacy is important to us" and "Magellan uses physical, technical, and administrative safeguards to protect any personally identifiable data stored on its computers. Only authorized employees and third parties have access to the information you provide to Magellan for providing service to you"—are like the statements in In re Banner Health. They do not suggest any promise beyond Magellan's legal obligations. Thus, without more, there is no consideration between Plaintiffs and Magellan. Plaintiffs therefore fail to state a claim for breach of implied contract.
E. Rule 9(b)
Plaintiffs allege that Magellan's actions violated its privacy policy because Magellan knew or should have known its data security was inadequate. (Doc. 30 ¶¶ 52–53, 183.) Plaintiffs also allege that Magellan committed active fraud, fraud-by-omission, or both by concealing material facts about its data security. (Id. ¶¶ 52–53, 181, 183.) Additionally, Plaintiffs allege the privacy policy applies to their PII or PHI because they were required to surrender their information to either receive health care services or to work for Magellan. (Id. ¶ 53.) Because Magellan violated its privacy policy, according to Plaintiffs, they assert claims under the AzCFA and the consumer protection laws of the states in which they live. (Id. ¶ 28.)
"It is established law, in this circuit and elsewhere, that Rule 9(b)’s particularity requirement applies to state-law causes of action." Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1103 (9th Cir. 2003); e.g. Lorona v. Arizona Summit L. Sch., LLC, 188 F. Supp. 3d 927, 935 (D. Ariz. 2016) (applying Rule 9(b) to the AzCFA). When "alleging fraud or mistake, Federal Rule of Civil Procedure 9(b) requires a party to state with particularity the circumstances constituting fraud including the who, what, when, where and how of the misconduct charged." Loomis v. U.S. Bank Home Mortg., 912 F. Supp. 2d 848, 856 (D. Ariz. 2012) (internal quotation marks omitted). "In addition, the plaintiff must set forth what is false or misleading about a statement." Id.
Magellan argues that Rule 9(b) applies to these claims and that these allegations lack the required specificity because Plaintiffs fail to articulate the "who, what, when, where, and how" of the data breach. (Doc. 33 at 12–14; Doc. 35 at 8–9.) Magellan asserts that Plaintiffs do not articulate where the misrepresentations took place, when these actions happened, what statements were misrepresentations, and how the statements were a misrepresentation. (Id. ) Plaintiffs maintain Rule 9(b) does not apply to their consumer protection claims, and, even if it did, they adequately articulated the who, Magellan; what, misrepresentations about their data security system; where, in Magellan's privacy policy; when, during the class period; and how, failing to protect Plaintiffs’ sensitive information as promised in the privacy policy. (Doc. 34 at 14.)
The Court addresses whether Plaintiffs’ AzCFA, California Unfair Competition Law ("UCL"), Florida Unfair and Deceptive Trade Practices Act ("DUTPA"), Missouri Merchandising Practices Act ("MoMPA"), Pennsylvania Unfair Trade Practices and Consumer Protection Law ("CPL"), and Wisconsin Deceptive Trade Practices Act ("DTPA") claims satisfy Rule 9(b) in turn.
1. AzCFA
All Plaintiffs assert an AzCFA claim. When filing an AzCFA claim, "a plaintiff in a fraud-by-omission suit faces a slightly more relaxed burden, due to the fraud-by-omission plaintiff's inherent inability to specify the time, place, and specific content of an omission in quite as precise a manner." In re Arizona Theranos, Inc., Litig. , 256 F. Supp. 3d 1009, 1023 (D. Ariz. 2017), on reconsideration in part , No. 2:16-CV-2138-HRH, 2017 WL 4337340 (D. Ariz. Sept. 29, 2017). Thus, courts still apply Rule 9(b) to AzCFA claims, but relax the burden by not requiring Plaintiffs to articulate the time, place, and specific content of an omission precisely. E.g. Lorona , 188 F. Supp. 3d at 935.
Regardless of the type of fraud alleged, Plaintiffs’ AzCFA claims fail because even when applying the lower standard articulated in Theranos , they fail to adequately articulate the "how" of the data breach. Plaintiffs’ argument that Magellan's data security was inadequate simply because there was a data breach is the same argument they made for unjust enrichment. And, as with Plaintiffs’ unjust enrichment claims, this Court holds the argument that a system was inadequate because a negative result occurred is conclusory. Plaintiffs fail to specify how Magellan's security was inadequate. Thus, Plaintiffs fail to state an AzCFA claim and shall be given leave to amend.
2. California UCL
Rule 9(b) applies to claims asserted under the California UCL. See, e.g., In re Google Android Consumer Priv. Litig., No. 11-MD-02264 JSW, 2013 WL 1283236 at *9 (N.D. Cal. Mar. 26, 2013). As with his AzCFA claim, Ranson's UCL claim fails because he has not explained with any specificity how Magellan's data security was inadequate beyond pointing to the fact that a security breach happened. That is a conclusory allegation. And so, Ranson fails to state a California UCL claim and shall be given leave to amend.
3. Florida DUTPA
There is a district split about whether Rule 9(b) applies to the Florida DUTPA. But, generally, "where the gravamen of the claim sounds in fraud ... Rule 9(b) applies." See State Farm Mut. Auto. Ins. Co. v. Performance Orthopaedics & Neurosurgery, LLC , 278 F. Supp. 3d 1307, 1328 (S.D. Fla. 2017) ; see, e.g. , In re Monat Hair Care Prod. Mktg., Sales Pracs., & Prod. Liab. Litig. , No. 18-MD-02841, 2019 WL 5423457, at *7 n.11 (S.D. Fla. Oct. 23, 2019) (applying Rule 9(b) "where such claims sound in fraud"). Here, the Court finds this case "sounds in fraud" because Plaintiffs’ argument is that Magellan portended it would furnish a level of data security far greater than it actually did. Thus, the Court applies Rule 9(b). As with his AzCFA claim, Lewis’ Florida claim fails because he has not explained with any specificity how Magellan's data security was inadequate beyond pointing to the fact that a security breach happened. That is a conclusory allegation. Thus, Lewis fails to state a Florida DUTPA claim and shall be given leave to amend.
4. MoMPA
Griffey's MoMPA claims are subject to Rule 9(b) because this case sounds in fraud. See Kuhns v. Scottrade, Inc. , 868 F.3d 711, 719 (8th Cir. 2017) (applying Rule 9(b) to MoMPA claims that sound in fraud). Griffey's MoMPA claim fails because he has not explained with any specificity how Magellan's data security was inadequate beyond pointing to the fact that a security breach happened. That is a conclusory allegation. And so, Griffey fails to state an MoMPA claim and shall be given leave to amend.
5. Pennsylvania CPL
Plaintiff Domingo's Pennsylvania CPL claim is subject to Rule 9(b). See Schmidt v. Ford Motor Co. , 972 F. Supp. 2d 712, 720 (E.D. Pa. 2013). As with his AzCFA claim, Domingo's Pennsylvania claim fails because he has not explained with any specificity how Magellan's data security was inadequate beyond pointing to the fact that a security breach happened. That is a conclusory allegation. Thus, Domingo fails to state a Pennsylvania CPL claim and shall be given leave to amend.
6. Wisconsin DTPA
Rule 9(b) applies to the Wisconsin DTPA. See Murillo v. Kohl's Corp. , 197 F. Supp. 3d 1119, 1129–1130 (E.D. Wis. 2016). As with his AzCFA claim, Rivera's Wisconsin claim fails because he has not explained with any specificity how Magellan's data security was inadequate beyond pointing to the fact that a security breach happened. That is a conclusory allegation. Rivera fails to state a Wisconsin DTPA claim and shall be given leave to amend.
F. NYGBL § 349 Material Misrepresentation or Omission
Under New York law, "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service" are unlawful. N.Y. Gen. Bus. Law § 349. A cause of action under § 349 has three elements: "(1) defendant's deceptive acts were directed at consumers, (2) the acts are misleading in a material way, and (3) the plaintiff has been injured as a result." Dixon v. Ford Motor Co. , No. 14-CV-6135 JMA ARL, 2015 WL 6437612, at *7 (E.D.N.Y. Sept. 30, 2015) (citing Maurizio v. Goldsmith , 230 F.3d 518, 521 (2d Cir. 2000) (per curiam)). "Whether a representation or an omission, the deceptive practice must be ‘likely to mislead a reasonable consumer acting reasonably under the circumstances.’ " Id. (citing Stutman v. Chem. Bank , 95 N.Y.2d 24, 29, 709 N.Y.S.2d 892, 731 N.E.2d 608 (2000) ).
Plaintiff Leather alleges that Magellan misrepresented material facts about its data security practices in its privacy policy, leading to the disclosure of her personal information. (Doc. 30 ¶¶ 221–229.) Specifically, Leather alleges the privacy policy listed several promises that Magellan did not keep when protecting her personal information. (Id. ¶¶ 221–225.) She also alleges this conduct was unconscionable, unfair, and was the direct and proximate cause of her data being stolen. (Id. ¶¶ 226–227.) Thus, she seeks relief under NYGBL § 349. (Id. ¶¶ 228–229.)
New York courts apply different standards based on the language in a privacy policy. One court granted a motion to dismiss based on whether a claim was adequately alleged under § 349. Abdale v. N. Shore Long Island Jewish Health Sys., Inc. , 49 Misc.3d 1027, 19 N.Y.S.3d 850, 859 (N.Y. Sup. Ct. 2015). In Abdale , the privacy policy "guarantee[d]" that unauthorized third parties would not have access to the plaintiffs’ personal information. Id. By contrast, Magellan's privacy policy does not explicitly "guarantee" protection from third parties. (Doc. 30 ¶ 52.) Despite "guaranteeing" protection, the Abdale court held that the privacy policy statements "[did] not constitute an unlimited guaranty that patient information could not be stolen or ... hacked." Abdale , 19 N.Y.S.3d at 859. Thus, the "[d]efendants’ alleged failure to safeguard [the] plaintiffs’ [PHI] and [PII] from theft did not [mislead] the plaintiffs in any material way and [did] not constitute a deceptive practice within the meaning of the statute." Id. at 859–860.
The court in Fero did not apply the same standard as Abdale on a similar motion to dismiss. Fero v. Excellus Health Plan, Inc. , 236 F. Supp. 3d 735, 776 (W.D.N.Y. 2017), on reconsideration , 304 F. Supp. 3d 333 (W.D.N.Y. 2018), order clarified , 502 F. Supp. 3d 724 (W.D.N.Y. 2020), and order clarified , 502 F. Supp. 3d 724 (W.D.N.Y. 2020). The privacy policy in Fero stated that defendants would comply with the requirements of relevant federal and state laws pertaining to the privacy and security of New York class members’ personal information. Id. at 776–777. Because at least one other district court had previously stated nearly identical language was sufficient to support an NYGBL § 349 allegation, Fero declined to dismiss the claims. Id. at 777. The court did so because it believed applying Abdale when a company's privacy policy had stronger language resulted in "thinly-reasoned" and unpersuasive judicial opinions. Id. The court reached this conclusion, in part, because "whether a particular act or practice is deceptive is usually a question of fact" as the privacy policy becomes stronger. Id. at 777 (citing Quinn v. Walgreen Co. , 958 F. Supp. 2d 533, 543 (S.D.N.Y. 2013) ).
Magellan argues Leather's allegations are conclusory because she fails to identify the specific misrepresentations Magellan made and the additional disclosures Magellan should have made. (Doc. 33 at 14; Doc. 35 at 9.) Magellan also argues that, even if Leather properly alleged her claim, it still fails under the standard articulated in Abdale . (Doc. 33 at 14; Doc. 35 at 9.) Although Leather believes the Court should apply Fero , Magellan maintains that this Court should apply the standard in Abdale because the facts in this case more closely align with the facts in Abdale . (Doc. 35 at 9.) Leather disagrees and insists that the Court should follow Fero because it is plausible that the representations made on Magellan's website could be interpreted as more akin to the statements in Fero . Thus, Magellan's privacy policy could have led her to believe that Magellan provided more data security than it did.
Even if the privacy policy applies to Magellan's data security measures for its health care plans, Abdale is more closely aligned with the facts in this case. Here, Leather did not allege that Magellan's privacy policy made statements as strong as the statements in Fero . (See Doc. 30 ¶ 52.) Indeed, Leather never alleges that Magellan "guaranteed" anything. Id. Like in Abdale , Magellan's privacy policy does not amount to an unlimited guaranty protecting PII and PHI from data breaches. Leather alleges that the policy was inadequate and did not comply with New York state law. (Doc. 30 ¶ 221.) But Leather fails to offer an explanation as to how or why Magellan's policy was misleading, noncompliant, or inadequate; such accusations are conclusory. Thus, Leather fails to state an NYGBL § 349 claim and shall be given leave to amend.
G. Virginia Code § 18.2-186.6 Unreasonable Delay
Data breaches involving personal information must be disclosed to the Virginia Attorney General and any affected Virginia Resident without unreasonable delay. Va. Code Ann. § 18.2-186.6. Whether a delay was reasonable requires courts to look beyond the length of the delay and consider the facts alleged. See Razuki v. Caliber Home Loans, Inc. , No. 17CV1718-LAB (WVG), 2018 WL 6018361, at *2 (S.D. Cal. Nov. 15, 2018) (applying a California law with similar language and holding notice delayed by five months was reasonable).
Plaintiff Flanders alleges Magellan's disclosure of the data breach was untimely, thus establishing a claim under Va. Code § 18.2-186.6. (Doc. 30 ¶¶ 245–253.) Flanders seeks actual damages, injunctive relief, and attorneys’ fees. (Doc. 30 ¶ 253.) Magellan argues the delay between the breach and notice was less than a month, which is not an unreasonable delay. (Doc. 33 at 16; Doc. 34 at 11.) There is no case law directly on point, but Magellan points to Razuki, where the court examined a similar statute and held that a five-month delay was reasonable. (Doc. 33 at 16; Doc. 34 at 11.) It stands to reason that a one-month delay would be reasonable under Razuki. Plaintiff counters that whether the delay was reasonable is a question of fact not suited for a motion to dismiss and that anything beyond immediate notice may be unreasonable. (Doc. 34 at 16.)
Flanders presents no facts to indicate there was an unreasonable delay. Flanders was given notice within a month of the data breach. After a similar data breach and interpreting a similar California law, the court in Razuki firmly held that a five-month delay was reasonable. The Court does not adopt Razuki’s five-month rule. But the Court does conclude that written notice delayed less than a month in data breach cases the size and scope of Magellan's data breach here is reasonable. Because Magellan's notice was reasonable, Plaintiff Flanders fails to state a claim, and it is unlikely that this claim can be cured by amendment. Nonetheless, because the Court is giving Plaintiff leave to amend other counts, and because of this Circuit's liberal amendment policy, the Court will permit Plaintiff Flanders leave to amend this claim.
H. California Consumer Protection Act
California law establishes a cause of action for consumers whose personal information is stolen in a data breach "as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Cal. Civ. Code § 1798.150(a)(1). Consumers can recover "actual pecuniary damages" or statutory damages. Cal. Civ. Code § 1798.150(a) – (b).
Plaintiff Ranson alleges that Magellan violated its duty under California law to protect his information and that Magellan's violation caused his personal information to be stolen. (Doc. 30 ¶¶ 198–208.) Specifically, he alleges that Magellan failed to prevent the data breach and should have known their data security system was inadequate. (Id. ¶ 203.) As a result, he alleges lost money or property and seeks actual pecuniary and statutory damages. (Id. ¶ 205–208.)
Magellan argues Ranson's allegations fail to establish damages. (Doc. 33 at 17; Doc. 35 at 11.) Ranson's allegations are not "actual pecuniary damages" because Ranson never alleges that he ever paid any out-of-pocket expenses. (Doc. 35 at 11.) Ranson counters that, even if Magellan is right, he need not show he suffered actual loss because statutory damages are available. (Doc. 34 at 17.) Magellan responds that Ranson has not complied with the California Consumer Protection Act notice requirement and thus is not entitled to statutory damages. (Doc. 35 at 11.)
Ranson did not allege sufficient facts to establish how or why Magellan's systems were inadequate or unreasonable or how or why Magellan knew or should have known its systems were inadequate or unreasonable. Instead, Ranson relies on the same conclusory allegations found elsewhere in the Amended Complaint. That is, because there was a breach, Magellan's data security was inadequate. This argument is insufficient to survive Magellan's motion to dismiss. Thus, Ranson fails to state a claim and shall be given leave to amend.
Even if Ranson adequately alleged Magellan had a deficient data security system, he insufficiently alleges damages. First, Ranson alleges no out-of-pocket expenses. Thus, his case does not present any "actual pecuniary damages." Indeed, by his own admission, Ranson's claims only qualify for statutory damages. (See Doc. 34 at 17.) Second, although Ranson argues his claim can survive Magellan's motion to dismiss because he is eligible for statutory damages, the Amended Complaint clearly states Ranson has not sought statutory damages at this time. (Doc. 30 ¶ 207.) And so, Ranson fails to state a claim and shall be given leave to amend.
I. Alternative Reasons to Dismiss
In the alternative to these arguments, the Court finds a number of claims should be dismissed for failure to state a claim with leave to amend for the following reasons:
1. "Sale" of "Merchandise" under the AzCFA or the MoMPA
Arizona and Missouri law create a private right of action when there is a fraudulent sale of merchandise or services. See Davis v. Bank of Am. Corp., No. CV 12-01059-PHX-NVW, 2012 WL 3637903, at *4–5 (D. Ariz. Aug. 23, 2012) (citing the AzCFA); Kuhns, 868 F.3d at 718–719 (citing the MoMPA). Both states’ statutory schemes define a "sale" as a sale for consideration. A.R.S. § 44-1521(7); Mo. Ann. Stat. § 407.010(6). Both state codes maintain "objects, wares, goods, commodities, intangibles, real estate or services" are "merchandise." A.R.S. § 44-1521(5); Mo. Ann. Stat. § 407.010(4).
Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders worked for, but did not receive health care services from, Magellan or one of Magellan's affiliates or subsidiaries as employees or contractors. (Doc. 30 ¶¶ 1–4, 8–11.) These Plaintiffs were required to disclose personal information when working for Magellan or one of Magellan's affiliates or subsidiaries. (Doc. 30 ¶¶ 63–64.) Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders allege the exchange of information and labor for financial compensation and data security constituted a "sale" of "merchandise" under the AzCFA and MoMPA. (Doc. 30 ¶¶ 177–186, 209–219.) Plaintiff Williams also asserts an AzCFA claim as a former employee or contractor, but unlike Griffey, Rayam, Domingo, Ranson, and Flanders, she received health care services from Magellan or one of Magellan's affiliates or subsidiaries. (Doc. 30 ¶¶ 6–7; Doc. 34 at 16.)
Magellan argues that employees and contractors do not qualify under either the AzCFA or MoMPA because neither relationship constitutes "merchandise." (Doc. 33 at 16; Doc. 35 at 10.) Additionally, Magellan argues that the AzCFA and MoMPA are intended to be applied in merchant-consumer transactions and that Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders transactions with Magellan were not merchant-consumer transactions. (Doc. 33 at 16; Doc. 35 at 10.) Plaintiffs do not contest these assertions in their response. (Doc. 34 at 16.)
Magellan also argues that Williams’ health care services were merely incidental to the work she did for Magellan. (Doc. 35 at 10.) Magellan claims that Williams’ services were not provided "in the connection with the sale ... of any merchandise." (Id.) As a result, it believes the AzCFA does not apply to her claims. (Id.) Williams argues this distinction is immaterial; she was "a member of a health care plan serviced by Magellan" and the AzCFA applies.
Arizona and Missouri require a consumer-merchant relationship to apply the AzCFA or the MoMPA. See A.R.S. § 44-1522 (AzCFA applies when acts are taken "in connection with the sale or advertisement of any merchandise."); Mo. Ann. Stat. § 407.020 (MoMPA applies when acts are taken "in connection with the sale or advertisement of any merchandise in trade or commerce."); Powers v. Guar. RV, Inc., 229 Ariz. 555, 561, 278 P.3d 333 (Ct. App. 2012) ("The [A]CFA is designed to root out and eliminate unlawful practices in merchant-consumer transactions." (alterations omitted)); Berry v. Volkswagen Grp. of Am., Inc., 397 S.W.3d 425, 439 (Mo. 2013) ("[T]he fundamental purpose of the [MoMPA] ... is the protection of consumers from false, fraudulent and deceptive merchandising practices." (quotations omitted)).
Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders did not have a consumer-merchant relationship with Magellan or Magellan's affiliates or subsidiaries because they were not the target of a sale or advertisement of health care services or data security. Any data security Magellan provided was incidental to their employment. Similarly, Williams’ health care services were incidental to her employment and do not implicate the merchant-consumer relationship contemplated by the AzCFA. And so, the AzCFA and MoMPA do not apply to Plaintiffs Griffey, Rayam, Domingo, Ranson, Flanders, and Williams. Thus, they fail to state a claim, however, because the Court is giving Plaintiffs leave to amend other counts, and because of this Circuit's liberal amendment policy, the Court will permit Plaintiffs Griffey, Rayam, Domingo, Ranson, Flanders, and Williams leave to amend this claim.
2. Extraterritoriality
Many of the non-Arizona consumer protection causes of action Plaintiffs allege rely on laws that do not apply extraterritorially. That is, these laws require that liability-creating conduct occurs within the state. See, e.g., Terpin v. AT&T Mobility, LLC, 399 F. Supp. 3d 1035, 1047 (C.D. Cal. 2019) (maintaining the UCL only applies when liability-creating conduct occurs in California); Eli Lilly & Co. v. Tyco Integrated Sec., LLC., No. 13-80371-CIV, 2015 WL 11251732, at *4 (S.D. Fla. Feb. 10, 2015) (holding the Florida DUTPA only applies to actions that occur within Florida, but the actions need not occur exclusively in Florida); State ex rel. Nixon v. Estes, 108 S.W.3d 795, 800–01 (Mo. Ct. App. 2003) ("[T]he trade or commerce [must] originate or occur in or from the state of Missouri." (citations omitted)); Goshen v. Mut. Life Ins. Co. of New York, 98 N.Y.2d 314, 325, 746 N.Y.S.2d 858, 774 N.E.2d 1190 (2002) ("[T]o qualify as a prohibited act under the statute, the deception of a consumer must occur in New York."); T&M Farms v. CNH Indus. Am., LLC, 488 F. Supp. 3d 756, 763 (E.D. Wis. 2020) ("[T]he Wisconsin DTPA does not apply unless a person makes a deceptive representation that is likely to reach and induce action by a purchaser in Wisconsin.").
Plaintiffs Ranson, Lewis, Griffey, Leather, and Rivera live in California, Florida, Missouri, New York, and Wisconsin respectively. (Doc. 30 ¶¶ 1, 5, 8–10, 12, 14.) Each brings a consumer protection claim based on the law of their state. (See Id. ¶¶ 187, 209, 220, 254, 275.) They allege Magellan's computer systems are likely based in Arizona. (Doc. 30 ¶ 18.) Aside from suffering their alleged injuries in their domicile state, they do not allege that any other conduct occurred outside of Arizona. (See generally id.)
Magellan contends that the determinative issue is where the liability-creating conduct occurs. (Doc. 35 at 9.) Magellan then highlights that Plaintiffs allege all relevant conduct likely occurred in Arizona. (Doc. 33 at 15.) Thus, Magellan reasons, because each of these statutes only apply when liability-creating conduct occurs inside the respective state, all five claims should be dismissed. (Id.) Magellan also asserts that discovery is not necessary because Plaintiffs fail to allege that any liability-creating conduct occurred outside of Arizona. (Doc. 35 at 10.)
Plaintiffs argue that the determinative issue is whether a plaintiff suffers in-state harm. (Doc. 34 at 15.) Because Plaintiffs allege they live in California, Florida, Missouri, New York, and Wisconsin and suffered injuries while living in those states, they believe they have stated a claim. (Id.) In the alternative, Plaintiffs argue that no discovery has taken place to determine where the wrongful conduct occurred.
The Court must assume that all nonconclusory allegations made by the Plaintiffs are true at the motion to dismiss stage, but the Court cannot assume facts that are not alleged. Alleging that some liability-creating conduct likely occurred in Arizona is not the same as alleging that conduct occurred or likely occurred in California, Florida, Missouri, New York, or Wisconsin. Aside from the fact that they are residents of these five states, Plaintiffs allege no facts in the Amended Complaint as to whether any liability-creating conduct occurred outside of Arizona. For example, Plaintiff Ranson may have a California claim that applies extraterritorially. But Plaintiffs did not plead any facts describing liability creating conduct that occurred in California. For California UCL, Florida DUTPA, Missouri MPA, NYGBL § 349, and Wisconsin DTPA claims, alleging that any injury occurred in a state is not sufficient to state a claim. Thus, Plaintiffs Ranson, Lewis, Griffey, Leather, and Rivera fail to state a claim under their respective state's consumer protection laws and shall be given leave to amend.
J. Leave to Amend
Federal Rule of Civil Procedure 15(a) provides that leave to amend should be freely granted "when justice so requires." Fed. R. Civ. P. 15(a)(2). "The power to grant leave to amend ... is entrusted to the discretion of the district court, which ‘determines the propriety of a motion to amend by ascertaining the presence of any of four factors: bad faith, undue delay, prejudice to the opposing party, and/or futility.’ " Serra v. Lappin, 600 F.3d 1191, 1200 (9th Cir. 2010) (quotation omitted). District courts properly deny leave to amend if the proposed amendment would be futile or the amended complaint would be subject to dismissal. Saul v. United States, 928 F.2d 829, 843 (9th Cir. 1991). "[A] proposed amendment is futile only if no set of facts can be proved under the amendment to the pleadings that would constitute a valid and sufficient claim." Miller v. Rykoff-Sexton, Inc., 845 F.2d 209, 214 (9th Cir. 1988).
Plaintiffs’ negligence per se claim is dismissed with prejudice because negligence per se is not an individual claim which Plaintiffs may assert. The negligence per se arguments should be subsumed in Plaintiffs’ generalized negligence claims. Thus, Plaintiffs are still permitted to argue negligence per se as a legal theory should they choose to refile a negligence claim.
Plaintiffs’ negligence, unjust enrichment, implied contract, and consumer protection causes of action suffer from a similar, non-futile flaw: they have not pleaded necessary facts to establish a cause of action. The negligence claim sufficiently alleges causation but fails to articulate a cognizable injury upon which relief can be granted. The unjust enrichment, implied contract, and consumer protection claims do not articulate enough facts to establish how Magellan's data security measures were inadequate or below industry standards. Simply arguing that because there were two data breaches in a year, the system must have been inadequate is not enough. Admittedly, how a second amended complaint could remedy Plaintiff Flanders’ Va. Code Ann. § 18.2-186.6 claim and Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders’ AzCFA and MoMPA claims is unclear. But, the Court grants leave to amend those claims. And so, because each of these claims could, presumably, be remedied in an amended complaint, it would be inappropriate to simply dismiss with prejudice at this time. Thus, leave to amend shall be granted on the negligence, unjust enrichment, implied contract, and consumer protection claims. That being said, Plaintiffs and their attorneys are reminded of their obligations under Rule 11, Fed. R. Civ. P., and elsewhere that claims asserted in a second amended complaint must be "warranted by existing law or by a nonfrivolous argument for extending, modifying, or reversing existing law or for establishing new law." Rule 11(b)(2).
IV. CONCLUSION
Accordingly,
IT IS ORDERED granting Magellan's Motion to Dismiss (Doc. 33). Magellan's Motion as to all claims is granted for failure to state a claim, with leave to amend, with the exception of Plaintiffs’ negligence per se claims which are dismissed with prejudice.
IT IS FURTHER ORDERED that Plaintiffs shall file a Second Amended Complaint, if they so choose, no later than 14 days after this Order is filed.
IT IS FURTHER ORDERED that, if Plaintiffs fail to file an amended complaint within 14 days of the date of this Order, the Clerk of the Court shall enter judgment dismissing this entire case with prejudice.