Summary
In Arby's, the court compared criminal data breaches to the "peculiarly similar context of premises liability," where the Georgia Supreme Court has held that if a proprietor "has reason to anticipate a criminal act," then he or she has a duty to "exercise ordinary care to guard against injury from dangerous characters."
Summary of this case from In re Equifax, Inc.Opinion
CIVIL ACTION NO. 1:17-CV-0514-AT1:17-CV-1035-AT1:17-MI-55555-AT
2018-06-28
ORDER
Amy Totenberg, United States District Judge
This matter is before the Court on Defendant's Motion to Dismiss Counts VI, VII, VIII, IX of Consumer Plaintiffs' First Amended Consolidated Class Action Complaint [Doc. 117]. The Court addressed Consumer Plaintiffs' initial Complaint [Doc. 47] and Defendant's corresponding Motion to Dismiss [Doc. 52] in its Order dated March 5, 2018 [Doc. 102]. In its Order, the Court dismissed without prejudice Consumer Plaintiffs' claim for a violation of the Georgia Fair Business Practice Act ("GFBPA") and their alternative claims for "Violations of State Consumer Laws." (Order at 53, 55.) The Court granted Plaintiffs leave to amend their Complaint and replead the GFBPA claim and the claims pertaining to violations of similar state consumer protection laws. (Id. ) Consumer Plaintiffs filed an Amended Complaint alleging violations of the GFBPA (Count VI), the Connecticut Unfair Trade Practices Act ("CUTPA") (Count VII), the Florida Deceptive and Unfair Trade Practices Act ("FDUTPA") (Count VIII), and the Tennessee Consumer Protection Act ("TCPA") (Count IX) [Doc. 107]. Defendant has filed a Motion to Dismiss these claims [Doc. 117]. The Court's rulings are set forth below.
I. STANDARD FOR MOTION TO DISMISS
A complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a "plausible" claim for relief. Bell Atlantic v. Twombly , 550 U.S. 544, 555-556, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ; Fed. R. Civ. P. 12(b)(6). The plaintiff need only give the defendant fair notice of the plaintiff's claim and the grounds upon which it rests. SeeErickson v. Pardus , 551 U.S. 89, 93, 127 S.Ct. 2197, 167 L.Ed.2d 1081 (2007) (citing Bell Atlantic v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ); Fed. R. Civ. P. 8(a). In ruling on a motion to dismiss, the court must accept the facts alleged in the complaint as true and construe them in the light most favorable to the plaintiff. SeeHill v. White , 321 F.3d 1334, 1335 (11th Cir. 2003).
A claim is plausible where the plaintiff alleges factual content that "allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). A plaintiff is not required to provide "detailed factual allegations" to survive dismissal, but the "obligation to provide the ‘grounds’ of his ‘entitle[ment] to relief’ requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Twombly , 550 U.S. at 555, 127 S.Ct. 1955. The plausibility standard requires that a plaintiff allege sufficient facts "to raise a reasonable expectation that discovery will reveal evidence" that supports the plaintiff's claim. Id. at 556, 127 S.Ct. 1955. A complaint may survive a motion to dismiss for failure to state a claim even if it is "improbable" that a plaintiff would be able to prove those facts and even if the possibility of recovery is extremely "remote and unlikely." Id.
II. ANALYSIS
The Court previously detailed the factual background which guides this analysis in its March Order. (See Order at 2-5.)
A. Georgia Fair Business Practice Act (Count VI)
In its March Order, the Court found that Consumer Plaintiffs had demonstrated standing to assert a violation of the GFBPA and that Plaintiffs had properly pled an injury based on the actual damages alleged. (Order at 44-49.) Additionally, the Court found that the heightened particularity requirement of Rule 9(b) does not apply to Consumer Plaintiffs' GFBPA claim, but that Consumer Plaintiffs' Complaint failed to show actual reliance on Defendant's alleged representations or omissions and resulting injury, as required under the statute. O.C.G.A. § 10-1-399. Tiismann v. Linda Martin Homes Corp. , 281 Ga. 137, 637 S.E.2d 14, 17 (2006) (citing Zeeman v. Black , 156 Ga.App. 82, 273 S.E.2d 910, 910 (1980) ). As such, Plaintiffs GFBPA claim was dismissed, with the Court granting Plaintiffs leave to replead on the sole issue of reliance, which Plaintiffs have now done.
Defendant argues that Plaintiffs have still failed to plead actual reliance in their Amended Complaint because they fail to "identify any statement by Arby's 1) containing a purported misrepresentation or omission regarding Arby's data security 2) that they actually read and relied on." (Memo Supp. Mot. Dismiss at 3.)
Plaintiffs argue that they have adequately pled reliance in asserting that 1) Arby's had knowledge of the vulnerabilities in its data systems yet misrepresented itself as compliant with data security protection standards; and that 2) consumers "relied to their detriment" upon these representations and omissions regarding data security, when they used their credit and debit cards, expecting that Arby's data systems were secure and that the information contained on their cards would be secure. (Consumer's Resp. at 2; Consumer's Am. Compl. ¶¶ 204-215.) Had Arby's disclosed that its systems were not secure, Consumer Plaintiffs would not have used their cards and may not have made purchases at all at these Arby's locations. (Consumer's Resp. at 3; Consumer's Am. Compl. ¶ 213.) In both their Original and Amended Complaints, Consumer Plaintiffs alleged the following specific misrepresentations:
More specifically, ARG violated the following provisions of the GFBPA:
a. Engaging in unfair and deceptive acts and practices in the credit and debit card processing services furnished in connection with the sale of goods at Arby's restaurants ( O.C.G.A. § 10-1-393(a) );
b. Misrepresenting that its services and data systems abided by and had sponsorship, approval, or certification by the Payment card Industry Security Standards Council ( O.C.G.A. § 10-1-393(b)(2) );
c. Misrepresenting that its services and data systems had an affiliation, connection, or association with, or certification by, the Payment Card Industry
Security Standards Council ( O.C.G.A. § 10-1-393(b)(3) ); and
d. Misrepresenting that its services and data systems had the sponsorship, approval, characteristics, and benefits by complying with the PCI DSS standards ( O.C.G.A. 10-1-393(b)(5) ).
(Consumer's Am. Compl. ¶ 205.) In their Amended Complaint, Consumer Plaintiffs added six paragraphs involving reliance:
209. Because ARG accepted credit and debit cards as methods of payment its customers, including Plaintiffs and Class members, expected that ARG's POS and data systems were secure and that their customer data would be secure.
210. Because ARG accepted credit and debit cards as methods of payment, Consumer Plaintiffs and Class members relied upon ARG to advise customers if its POS and data systems were not secure and, thus, Customer Data could be compromised.
211. Consumer Plaintiffs and Class members were not afforded by ARG equal or ample opportunity to make any inspection to determine ARG's data security or to otherwise ascertain the truthfulness of Defendant's representations and omissions regarding data security, including ARG's failure to alert customers that its POS and data systems were not secure and, thus, were vulnerable to attack.
212. In deciding to use their payment cards for their purchases at ARG-owned and operated restaurants, Consumer Plaintiffs and Class members relied to their detriment upon ARG's representations and omissions regarding data security, including ARG's failure to alert customers that its POS and data systems were not secure and, thus, were vulnerable to attack.
213. Had ARG disclosed to Consumer Plaintiffs and Class members that its POS and data systems were not secure, and, thus, vulnerable to attack, Consumer Plaintiffs and Class members would not have used their payment cards at ARG-owned and operated restaurants, and very well may not have made purchases at all at these Arby's locations
214. As a direct result of their reliance on ARG to be truthful in its disclosures and non-disclosures regarding the vulnerability of its POS and data systems, Consumer Plaintiffs and Class members used their payment cards to make purchases at ARG-owned and operated restaurants during Data Breach period and their Customer Data was compromised causing Plaintiff and Class members to suffer damages.
(Consumer's Am. Compl. ¶¶ 209-214.)
Thus, though Plaintiffs Amended Complaint facially addresses reliance, Arby's argues that because the new reliance allegations still don't identify a specific statement made by Arby's, they are conclusory and fail to state a claim. (Memo Supp. Mot. Dismiss at 3.) In support of this contention, Arby's first cites to cases which consider the GFBPA in contexts wholly unrelated to a data breach. (Id. ) (citing Samuel v. Ocwen Loan Servicing, LLC , No. 1:14-cv-2398-ELR-LTW, 2015 WL 11256663 (N.D.Ga. 2015) ; Lynas v. Williams , 216 Ga.App. 434, 454 S.E.2d 570 (1995). ) The Court does not find these cases helpful or relevant in analyzing a situation involving a data breach. Arby's then points to Bishop v. Shorter in arguing that a "would-not-have-shopped" theory is insufficient to plead reliance. Bishop v. Shorter Univ., Inc. , No. 4:15-cv-33-HLM (N.D.Ga. June 4, 2015), ECF No. 22, at 35-36, 49. Besides that Bishop does not deal with a GFBPA claim or an online data hack , the court in Bishop found that defendants did warn plaintiffs to be on alert about their financial records, and further found that plaintiffs had failed to properly allege reliance because they had not indicated any actions they took or did not take as a result of the purported misrepresentations involved. Id. at 48-49. Here, Arby's has not argued that they gave customers any similar warnings and Consumer Plaintiffs, in their Amended Complaint, specifically allege that the use of their payment cards at Arby's restaurants was a result of their reliance on Arby's misrepresentations and omissions. (Consumer's Am. Compl. ¶¶ 212-215.)
Samuel involved an allegedly unlawful foreclosure or attempted foreclosure on plaintiff's rental property and related misrepresentations.
Lynas involved alleged misrepresentations regarding car restoration services.
In Bishop , plaintiffs, students at Shorter University, alleged that hard copies of their medical records were stolen when a door to the records room was left unlocked. Id. at 10-12.
Defendant next argues that "[d]ata breach cases in other jurisdictions have reached the same result under other states' consumer protection statutes." (Memo Supp. Mot. Dismiss at 3 fn. 2.) But these cases are also unpersuasive. First, In re Michaels Stores Pin Pad Litig. , 830 F.Supp.2d 518, 526 (N.D. Ill. 2011) is distinguishable. Though plaintiffs in that case failed to plead a "deceptive" practice because they could not identify a specific communication from the defendant containing a deceptive omission, plaintiffs did successfully state a claim for "unfair" practices under the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA). As under ICFA, a claim under the GFBPA may proceed under an "unfairness" theory , as Consumer Plaintiffs have alleged here. (Consumer's Am. Compl. ¶ 204.) Next, Arby's cites In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig. , 834 F.Supp.2d 566 (S.D. Tex. 2011)rev'd in part sub nom.Lone Star Nat. Bank, N.A. v. Heartland Payment Sys., Inc. , 729 F.3d 421 (5th Cir. 2013). But in that case, the bank-plaintiffs' claim of a violation of the New Jersey consumer protection statute failed because it was unclear how the banks relied on misrepresentations or what actions they took in relying. As noted above, Consumer Plaintiffs' Amended Complaint alleges that Class members "relied to their detriment upon ARG's representations and omissions regarding data security," and that "as a direct result of their reliance upon ARG to be truthful in its disclosures and non-disclosures," Consumer Plaintiffs used their payment cards at Arby's restaurants, and suffered injury as a direct and proximate result. (Consumer's Am. Compl. ¶¶ 209-215.) In contrast, the Court finds persuasive authority in the decisions of courts around the country which, when ruling on more analogous data breach situations, have found that plaintiffs successfully stated claims of "unfair or deceptive acts or practices affecting commerce" under other state consumer protection statutes. 15 U.S.C. § 45(a)(1). SeeIn re: The Home Depot, Inc., Customer Data Sec. Breach Litig. , No. 1:14-MD-2583-TWT, 2016 WL 2897520, at *5-7 (N.D. Ga. May 18, 2016) (finding that inadequate data security measures alleged by plaintiffs were sufficient to survive a motion to dismiss under state consumer protection statutes in Alaska, Connecticut, Illinois, Massachusetts, and Washington); First Choice Fed. Credit Union v. Wendy's Co. , Civil Action No. 16-506, 2017 WL 9487086, 2017 U.S. Dist. LEXIS 20754 at *15 (W.D. Pa. Feb. 13, 2017) (finding that plaintiffs' allegations that they were harmed by Wendy's misrepresenting the level of security of their payment card system advanced a plausible claim for a violation of the Ohio Deceptive Trade Practices Act ); In re TJX Companies Retail Sec. Breach Litig. , 564 F.3d 489 (1st Cir. 2009), as amended on reh'g in part (May 5, 2009) (plaintiff-banks who had credit and debit card information stolen from discount store's computers stated a claim under Massachusetts's unfair or deceptive practice law by alleging defendant's lack of security measures was "unfair" under the FTCA).
The GFBPA, like statutes in other states, must be interpreted and constructed consistently with federal case law and Section 5 of the Federal Trade Commission Act ("FTCA"), which makes "unfair or deceptive acts or practices in or affecting commerce" unlawful. 15 U.S.C. § 45(a)(1).
The additional cases Defendant relies on are also distinguishable. The portion of In re Yahoo! Inc. Customer Data Sec. Breach Litig. , 16-md-2752-LHK, 2017 WL 3727318 (N.D. Cal. Aug. 30, 2017) that Defendant cites involves a Privacy Policy issue, unlike anything here, and in Smith v. Sabre Corp. , No. 2:17-cv-5149-SVM-AFM (C.D. Cal. Oct. 23 2017), a case involving a tech company defendant, the court found that plaintiffs had suffered no injury, and that Rule 9(b) applied, unlike in the instant case.
The Ohio Deceptive Trade Practices Act also requires a showing of reliance. Id. at *, 2017 U.S. Dist. LEXIS 20754 at *14.
In addition to these rulings, the Court is guided by the language of the statute which states that a manufacturer or supplier of merchandise, whose "act or omission" is the basis for the action, shall be liable for damages suffered by retailers. O.C.G.A. § 10-1-399(e) (emphasis added). The construction of the statute thus indicates that allegations of an omission alone, without a specific statement, can suffice to state a claim.
Further, logic dictates that plaintiffs alleging misconduct by omission or passive conduct, as Consumer Plaintiffs do here (Consumer's Am. Compl. ¶ 204), will be less able to specify the details of the wrongdoing as precisely as in a normal fraud claim. SeeIn re Anthem, Inc. Data Breach Litig. , No. 15-MD-02617-LHK, 2016 WL 3029783, at *35 (N.D. Cal. May 27, 2016) (finding that the heightened pleading standard under 9(b) is somewhat relaxed in a case based on fraudulent omission). And see Hill v. Morehouse Med. Assocs., Inc. , No. 02-14429, 2003 WL 22019936 at *3-4 (11th Cir. Aug. 15, 2003) (finding 9(b)'s pleading standard may be applied less stringently when specific factual information about the fraud is peculiarly within the defendant's knowledge or control or when the fraud allegedly occurred over a period of time) (citing United States ex rel. Clausen v. Lab. Corp. of Am. , 290 F.3d 1301, 1314 n. 25 (11th Cir. 2002) ) .
Though these analyses deals with the pleading standards under 9(b), the same logic applies in determining whether a plaintiff has sufficiently stated a claim under the less demanding requirements of Rule 8(a).
Finally, the Court looks to the purpose of and policy behind the GFBPA. The GFBPA is to be liberally construed in order to effectuate the purpose of the statute — protecting consumers. Georgia Receivables Inc. v. Welch , 242 Ga.App. 146, 529 S.E.2d 164 (2000). In order to ensure that consumers are protected, the GFBPA must be strictly enforced against a business which engages in unfair or deceptive acts or practices that the Act seeks to prohibit. Id.
In light of the above-cited rulings in similar data breach cases, the statutory language itself, pleading expectations under the specific circumstances, the purpose of the GFBPA, and the amended allegations, the Court finds that Consumer Plaintiffs have sufficiently alleged both a violation of the Act and reliance to show causation as required by O.C.G.A. § 10-1-399. Tiismann , 637 S.E.2d at 17. At this early stage of litigation, Consumer Plaintiffs have stated a plausible claim under the GFBPA . The Court DENIES Defendant's Motion to Dismiss the GFBPA (Count VI) claim.
Though Consumer Plaintiffs' GFBPA claim survives a motion to dismiss, they will be required to show sufficient evidence to establish the merits of their claim at summary judgment or at trial.
B. State Consumer Protection Laws in Connecticut, Florida, and Tennessee (Counts VII, VIII, IX)
In their Amended Complaint, Plaintiffs asserted claims under the CUTPA, FDUTPA, and TCPA, all in the alternative to their GFBPA claim. (Doc. 107 at 77, 84, 90). Because the Court finds that Consumer Plaintiffs' GFBPA claim will go forward, the Court DISMISSES Counts VII, VIII, and IX as redundant and duplicative . As noted in the previous order on this issue, there is no statutory provision in the GFBPA that restricts the private right of action to Georgia citizens. (Order at 46.) Because Consumer Plaintiffs are all represented in the GFBPA claim, the other state consumer protection statutory claims are unnecessary. Further, were the Connecticut, Florida, and Tennessee counts permitted to proceed, it is possible that class members from other states might move to add claims under the consumer protection statutes of their home states, which too would be unnecessary under the circumstances .
The Court notes that it does not dismiss these claims for the reasons Defendant argues and thus does not grant Defendant's Motion to Dismiss in any part.
Additionally, allowing a multitude of different state consumer protection claims to proceed would serve to further complicate and or delay an already complex legal case without any substantial benefit.
III. CONCLUSION
For the foregoing reasons, the Court DENIES Defendant's Motion to Dismiss Count VI but DISMISSES Counts VII, VIII, and IX as redundant.
IT IS SO ORDERED this 28th day of June, 2018.