Opinion
23-cv-3570 (CRC)
09-19-2024
MEMORANDUM OPINION AND ORDER
CHRISTOPHER R. COOPER UNITED STATES DISTRICT JUDGE
Plaintiffs David Keown and Diana Angus are former members of the International Association of Sheet Metal Air Rail Transportation Workers (“SMART”), a national union based in Washington, D.C., with over 200,000 members. In September 2023, SMART fell victim to a cyberattack that compromised personally identifying information (“PII”) it had collected from its current and past members. After learning that their PII was implicated in the breach, Mr. Keown, a resident of Georgia, and Ms. Angus, a resident of California, each brought a putative class action against SMART in this district, seeking damages and injunctive relief on behalf of themselves and all other affected union members. At the Court's urging, Plaintiffs consolidated their claims into a single amended complaint. Together, Plaintiffs now assert four state common-law counts: negligence, negligence per se, breach of implied contract, and unjust enrichment. Angus, on behalf of herself and a putative subclass of California plaintiffs, also raises claims under the California Unfair Competition Law and California Consumer Privacy Act. SMART moves to dismiss all claims against it, contending that Plaintiffs lack standing to sue and that they fail to state a claim.
The Court determines that both Plaintiffs have standing to bring suit, Keown has presented a plausible claim of negligence, and both Plaintiffs have plausibly alleged breach of an implied contract. But the amended complaint fails to state a claim of negligence for Angus, a claim of unjust enrichment for either Plaintiff, or a cause of action for the California statutory claims. The Court will therefore grant the motion to dismiss in part and deny it in part.
I. Background
In ruling on the motion to dismiss, the Court must take as true the following factual background from the allegations in the amended complaint.
Plaintiffs David Keown and Diana Angus are both former members of SMART, a labor union with 203,000 members spread across North America. See Am. Compl. ¶¶ 25, 132, 145. Keown is a resident of Georgia, Angus of California, and SMART of the District of Columbia. Id. ¶¶ 19-21. When Plaintiffs joined SMART, they were required to provide it with their sensitive PII.
On September 9, 2023, SMART suffered a cyberattack that exposed the records of roughly 62,000 individuals. Id. ¶¶ 3, 7, 37. Two months later, the union notified Keown and Angus that their PII, potentially including their names and social security numbers, “may have been involved.” Id. ¶¶ 37, 136, 148. Though by that point Plaintiffs were no longer SMART members, the union still retained their PII unencrypted on its servers. See id. ¶ 40. Spurred by notification of the breach, both Plaintiffs say they have since spent time and energy mitigating any potential impacts, including by monitoring their bank accounts and contacting their financial institutions. Id. ¶¶ 137, 151. Keown further alleges that his PII was “disseminated on the dark web, according to Discover.” Id. ¶ 139. He purportedly experienced a corresponding increase in spam calls, texts, and emails and claims to suffer “fear, anxiety, and stress” stemming from the breach and subsequent publication of his PII. Id. ¶¶ 140-41. Though Angus does not allege that her PII made it to the dark web, she also claims to have experienced an increased risk of identity theft, along with other potential harms. Id. ¶¶ 149-54. Plaintiffs insist that SMART is responsible for these alleged harms because it “did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining” despite its representations that it would do so. Id. ¶¶ 43, 52. Plaintiffs also complain that the notice of the breach failed to inform them of the breach's “root cause” or whether SMART undertook any remedial measures to better secure Plaintiffs' PII. Id. ¶ 38.
Keown sued SMART in November 2023; Angus followed in December 2023. After an initial status conference covering both cases, Plaintiffs filed a joint amended complaint in January 2024. The amended complaint includes counts for negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of California's Unfair Competition Law and Consumer Privacy Act. Id. ¶¶ 170-276. Plaintiffs seek damages on behalf of all individuals who were sent a notice of the data breach, as well as injunctive relief requiring SMART to undertake several data security measures to prevent future harm to Plaintiffs. Id. ¶¶ 158, 202, 204. In its motion to dismiss, SMART contends first that Plaintiffs have not alleged an Article III injury traceable to its conduct and second that each cause of action is either preempted by federal labor law or fails to state a claim for relief. See Mot. Dismiss at 1-2.
Angus has since voluntarily dismissed her related case, originally docketed as Angus v. Int'l Ass'n of Sheet Metal Air Rail Transp. Workers, No. 23-cv-3692 (D.D.C. Dec. 12, 2023).
II. Legal Standards
SMART moves to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). A motion to dismiss under “Rule 12(b)(1) presents a threshold challenge to the court's jurisdiction, whereas 12(b)(6) presents a ruling on the merits with res judicata effect.” Haase v. Sessions, 835 F.2d 902, 906 (D.C. Cir. 1987). Under Rule 12(b)(1), the plaintiff “bears the burden of invoking the court's subject matter jurisdiction, including establishing the elements of standing.” Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015). And because the Court has “an affirmative obligation to ensure that it is acting within the scope of its jurisdictional authority,” “‘the [p]laintiff's factual allegations in the complaint . . . will bear closer scrutiny in resolving a 12(b)(1) motion' than in resolving a 12(b)(6) motion for failure to state a claim.” Grand Lodge of Fraternal Ord. of Police v. Ashcroft, 185 F.Supp.2d 9, 13 (D.D.C. 2001) (alterations in original) (citation omitted). By contrast, to survive a motion to dismiss under Rule 12(b)(6), a complaint need only “contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). The Court “must take all the factual allegations in the complaint as true,” though it is “not bound to accept as true a legal conclusion couched as a factual allegation.” Papasan v. Allain, 478 U.S. 265, 286 (1986). Under either the 12(b)(1) or 12(b)(6) standard, “the allegations of the complaint should be construed favorably to the pleader.” Walker v. Jones, 733 F.2d 923, 926 (D.C. Cir. 1984).
III. Analysis
The Court will take up SMART's challenge to the Court's subject matter jurisdiction over Plaintiffs' claims. Concluding that it has jurisdiction, the Court will then analyze Plaintiffs' common-law claims under the law of the District of Columbia. Finally, the Court will consider Angus's California statutory claims. While the Court determines that Plaintiffs have adequately pled two of the common-law claims (negligence and breach of implied contract), it will grant SMART's motion to dismiss the remaining claims.
A. Subject-Matter Jurisdiction
1. Diversity Jurisdiction
Though SMART does not challenge Plaintiffs' assertion that the Court has diversity jurisdiction over their state-law claims, it bears clarifying that the Court's jurisdiction stems from the Class Action Fairness Act (“CAFA”). CAFA “gives federal courts jurisdiction over certain class actions . . . if the class has more than 100 members, the parties are minimally diverse, and the amount in controversy exceeds $5 million.” Dart Cherokee Basin Operating Co., LLC v. Owens, 574 U.S. 81, 84-85 (2014) (citing 28 U.S.C. §§ 1332(d)(2), (5)(B)). Parties are considered minimally diverse if “any member of a class of plaintiffs is a citizen of a [s]tate different from any defendant.” 28 U.S.C. § 1332(d)(2)(A). Here, Plaintiffs allege that approximately 62,000 people were affected by the data breach, there is minimal diversity because they are from different states than SMART, and the amount in controversy exceeds $5 million. See Am. Compl. ¶¶ 7, 22. The Court accepts these undisputed allegations as true for the purposes of asserting jurisdiction. See, e.g., Dart Cherokee, 574 U.S. at 553 (“When a plaintiff invokes federal-court jurisdiction, the plaintiff's amount-in-controversy allegation is accepted if made in good faith.”).
2. Standing
SMART does, however, contest Plaintiffs' standing to bring suit. Mot. Dismiss at 5-8. “[S]tanding is an essential and unchanging part of the case-or-controversy requirement of Article III.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). Its “irreducible constitutional minimum” consists of “three elements: ‘(1) injury-in-fact, (2) causation, and (3) redressability.'” Am. Freedom L. Ctr. v. Obama, 821 F.3d 44, 48 (D.C. Cir. 2016) (quoting Lujan, 504 U.S. at 560). “As the party invoking the court's subject matter jurisdiction, the plaintiff bears the burden of establishing the elements of standing.” Parents v. Garland, 88 F.4th 298, 304 (D.C. Cir. 2023). And “a plaintiff must ‘demonstrate standing separately for each form of relief sought.'” TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021) (quoting Friends of the Earth, Inc. v. Laidlaw Env't Servs. (TOC), Inc., 528 U.S. 167, 185 (2000)). Plaintiffs have met their burden of proving standing here.
SMART first challenges Plaintiffs' standing to seek damages on the grounds of injury-in-fact and traceability. In terms of injury-in-fact, SMART contends that the amended complaint is deficient because Plaintiffs have not yet incurred “out-of-pocket expenditures” or experienced “financial fraud or identity theft or misuse of [their] information.” Mot. Dismiss at 5-6. But the D.C. Circuit has squarely ruled that such injuries are not required to support standing in data breach cases. See Attias v. Carefirst, Inc. (“Attias II”), 865 F.3d 620, 628 (D.C. Cir. 2017). Rather, a complaint may survive a Rule 12(b)(1) motion where it “plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of [the defendant's] alleged negligence in the data breach.” Id. Like the plaintiffs in Attias II, Plaintiffs here have alleged that SMART collected and stored their PII, including their social security numbers; this sensitive information was stolen in the breach; and breach of the data “place[s] plaintiffs at a high risk of financial fraud” and an “increased risk of identity theft.” Id. at 628; see also Am. Compl. ¶¶ 133, 136, 139, 143, 145, 148-50. Keown further alleges that his PII is now “being disseminated on the dark web, according to Discover.” Am. Compl. ¶ 139. Where, as here, “an unauthorized party has already accessed personally identifying data on [the defendant's] servers . . . it is plausible . . . to infer that this party has both the intent and the ability to use that data for ill.” Attias II, 865 F.3d at 628.
The Supreme Court's intervening decision in TransUnion does not defeat Plaintiffs' alleged injury. Though TransUnion requires that plaintiffs show a separate concrete harm in addition to the risk of future harm to support a claim of damages, 594 U.S. at 436-37, “the expenditure of time or money on mitigation measures in response to a data breach, such as purchasing credit monitoring services or taking other steps to prevent fraud, may create a concrete Article III injury when paired with a risk of future identity theft.” Attias v. CareFirst, Inc., 344 F.R.D. 38, 47 (D.D.C. 2023) (Cooper, J.). As Keown and Angus have both alleged that they have pursued such mitigation measures, they have met that standard here. See Am. Compl. ¶¶ 137, 151.
SMART also asserts that plaintiffs have not established that their alleged injuries are traceable to this data breach because the amended complaint does not plead that this particular data breach is the only one that implicated plaintiffs' PII. See Mot. Dismiss at 7-8. But, at the motion-to-dismiss stage, it is sufficient for the complaint to show that the injuries claimed - substantial risk of identity theft and Plaintiffs' corresponding mitigation measures - are “fairly traceable” to the data breach. Attias II, 865 F.3d at 629 (quoting Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014)); see also In re Unite Here Data Sec. Incident Litig., No. 24-cv-1565 (JSR), 2024 WL 3413942, at *4 (S.D.N.Y. July 15, 2024) (rejecting the same argument because “[t]he fact that there have been other large data breaches, and the speculative possibility that plaintiffs were subjected to them, are matters well beyond the allegations in the complaint and cannot be used to support defendant's motion to dismiss”). Assuming, as the Court must, that Plaintiffs will prevail on the merits of their claim that SMART's negligent handling of their data resulted in unauthorized access to that data, the corresponding risk of financial fraud and identity theft is fairly traceable to SMART's conduct. See Attias II, 865 F.3d at 629 (quoting Lexmark Int'l, Inc., 572 U.S. at 134 n.6).
Next, SMART contends that Plaintiffs have not alleged standing to pursue injunctive relief because, in its view, the data breach was an isolated event that is unlikely to recur. Mot. Dismiss at 8. But Plaintiffs need not allege a “credible threat” that SMART “will again be attacked by cybercriminals” to survive a 12(b)(1) motion to dismiss. Id. Plaintiffs allege that their PII “remains unencrypted” and “backed up in Defendant's possession” such that it “is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect [it].” Am. Compl. ¶ 92. “[G]iven [the] Plaintiffs' allegations regarding [Defendant's] continued failure to adequately secure its databases, it is reasonable to infer that there remains a ‘substantial risk' that their personal information will be stolen from [SMART] again in the future.” See In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 54-55 (D.C. Cir. 2019). This “substantial risk” is sufficient to support standing for injunctive relief. Id. at 59; see also TransUnion, 594 U.S. at 415 (“[M]aterial risk of future harm can satisfy the concrete-harm requirement in the context of a claim for injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.”).
Satisfied that it has jurisdiction, the Court now turns to Plaintiffs' asserted claims.
B. Common Law Claims
Plaintiffs assert four common-law counts against SMART: (1) negligence; (2) negligence per se; (3) breach of implied contract; and (4) unjust enrichment. As SMART points out, the amended complaint does not specify under which state's common law Plaintiffs seek relief. See Mot. Dismiss at 9. SMART's motion to dismiss assumes that the law of either the District of Columbia or Plaintiffs' home forums will apply. See, e.g., id. at 18-19 (discussing negligence per se under D.C., Georgia, and California common law). Keown and Angus respond that discovery is necessary to determine which state has the most significant relationship to the dispute, as well as the citizenship of all putative class members. Opp'n at 14-16. The Court first addresses the threshold choice-of-law issue before analyzing each of the claims.
1. Choice of Law
When exercising diversity jurisdiction, federal courts apply the substantive law of the forum state, including its choice-of-law rules. Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496 (1941); Shaw v. Marriott Int'l, Inc., 605 F.3d 1039, 1045 (D.C. Cir. 2010). Under the District of Columbia's choice-of-law rules, courts apply “a modified ‘governmental interests analysis[,]' which seeks to identify the jurisdiction with the ‘most significant relationship' to the dispute.” Washkoviak v. Student Loan Mktg. Ass'n, 900 A.2d 168, 180 (D.C. 2006) (quoting Moore v. Ronald Hsu Constr. Co., 576 A.2d 734, 737 (D.C. 1990)). “Under this approach, the first step is to determine whether a ‘true conflict' exists - that is, whether more than one jurisdiction has a potential interest in having its law applied and, if so, whether the law of the competing jurisdictions is different.” GEICO v. Fetisoff, 958 F.2d 1137, 1141 (D.C. Cir. 1992) (citations omitted). If there is a conflict, courts then “evaluate the governmental policies underlying the applicable laws and determine which jurisdiction's policy would be more advanced by the application of its law to the facts of the case,” considering “the four factors enumerated in the Restatement (Second) of Conflict of Laws § 145.” Washkoviak, 900 A.2d at 180 (quoting District of Columbia v. Coleman, 667 A.2d 811, 816 (D.C. 1995)). Where no conflict exists between the interested states' laws, D.C. law applies by default. See Beach TV Props., Inc. v. Solomon, 306 F.Supp.3d 70, 92 (D.D.C. 2018) (citing GEICO, 958 F.2d at 1141).
a. True Conflict
Both Plaintiffs' home states and the District of Columbia have an interest in having their laws applied. The amended complaint states that Keown is a Georgia resident, Angus is a California resident, and SMART is “governed under the laws of the District of Columbia” with a principal place of business in the District of Columbia. Am. Compl. ¶¶ 19-21. Plaintiffs' home forums have an interest in protecting their residents from injury, while the District of Columbia has an interest in preventing entities within its borders from engaging in tortious conduct. Cf. Washkoviak, 900 A.2d at 180-81 (“Wisconsin has a powerful interest in protecting its residents from fraud and misrepresentation, while the District of Columbia has an equally strong interest in ensuring that its corporate citizens refrain from fraudulent activities.”). Plaintiffs also assert that the putative class members' states of residency may have interests at stake, Opp'n at 29, but the Court need not consider putative class member residencies prior to certification. See Washkoviak, 900 A.2d at 176 n.11; Margolis v. U-Haul Int'l, Inc., 818 F.Supp.2d 91, 105 (D.D.C. 2011) (“The plaintiff has not moved for class certification and no class has been certified. Therefore, the residency of the putative class is irrelevant here.”). With the relevant jurisdictions identified, the Court will next consider whether a “true conflict” exists between the laws of the three jurisdictions.
There does not appear to be a conflict in how the relevant jurisdictions assess breach-of-contract or unjust enrichment claims in the data-breach context. In considering breach-of-contract claims arising from data breaches, all three jurisdictions have applied substantially similar tests to reach the same outcome. See Attias v. CareFirst, Inc. (“Attias VII”), No. 15-CV-882 (CRC), 2023 WL 5952052, at *6 (D.D.C. Sept. 13, 2023); Tracy v. Elekta, Inc., 667 F.Supp.3d 1276, 1287 (N.D.Ga. 2023); In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1144 (C.D. Cal. 2021). Likewise, though D.C.'s federal and state courts have yet to fully adjudicate unjust enrichment claims in the data-breach context, the elements of the claim are similar across the three jurisdictions. See Peart v. D.C. Hous. Auth., 972 A.2d 810, 813-14 (D.C. 2009); St. Paul Mercury Ins. Co. v. Meeks, 508 S.E.2d 646, 648 (Ga. 1998); Peterson v. Cellco P'ship, 80 Cal.Rptr.3d 316, 324 (Cal.Ct.App. 2008). Therefore, by default, the Court will apply D.C. law to these claims. See Beach TV Props., Inc., 306 F.Supp.3d at 92.
There may, however, be a conflict with respect to the law of negligence in these jurisdictions. Though Georgia, California, and D.C. all set forth a similar formulation of the standard elements of duty, breach, causation, and damages, see Hedgepeth v. Whitman Walker Clinic, 22 A.3d 789, 793 (D.C. 2011) (en banc); John B. v. Superior Ct., 137 P.3d 153, 159 (Cal. 2006); Weller v. Blake, 726 S.E.2d 698, 702 (Ga. 2012), they have applied those elements differently in such data-breach cases. For example, when assessing the damages element, Georgia recognizes the risk of harm presented by “data in the hands of criminals,” Tracy, 667 F.Supp.3d at 1283 (citing Collins v. Athens Orthopedic Clinic, P.A., 837 S.E.2d 310 (Ga. 2019)), California recognizes increased time spent on credit monitoring, see, e.g., In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d 1284, 1295-96 (S.D. Cal. 2020), but D.C. recognizes neither, see Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708 (D.C. 2009). As a result, the Court must proceed to determine which jurisdiction's policy would be better advanced by application of its law to the facts of the case under the Restatement factors. The Court determines that the factors moderately favor application of D.C. law, see infra Part II.B.i.b, so it will apply D.C. law to the negligence counts as well. While this analysis is close, D.C. law would have applied even if it was inconclusive. See Wu v. Stomber, 750 F.3d 944, 949 (D.C. Cir. 2014).
b. Governmental Interests Test
To determine which state has the greater interest in a dispute, D.C. courts look to four factors: “a) the place where the injury occurred; b) the place where the conduct causing the injury occurred; c) the domicile, residence, nationality, place of incorporation and place of business of the parties; and d) the place where the relationship is centered.” See Washkoviak, 900 A.2d at 180 (quoting Coleman, 667 A.2d at 816).
The first factor, the location of the injury, is indeterminate. Plaintiffs have experienced some of their alleged injuries in their home forums, including their emotional distress and time spent responding to the data breach. See Am. Compl. ¶¶ 199-200. But other alleged injuries, like Plaintiffs' loss of privacy and the devaluation of their PII, logically stem from the place where cybercriminals accessed the data. See id. ¶ 199. And still other purported injuries, like Plaintiffs' loss of the benefit of the bargain and the risk of misuse of PII, cannot be said to stem from one location. See id. Therefore, this factor does not clearly favor any one jurisdiction.
As for the second factor - the conduct causing injury - the complaint allegations favor application of D.C. law. As Plaintiffs note, “to determine the place where the conduct causing injury occurred in data breach case, courts generally focus on the location of the servers from where the data was hacked” or, in the absence of such a location, “have applied the law of the forum state” or “look[ed] to defendants' headquarters or possibly where cybersecurity decisions were made.” Opp'n at 15 (citing In re Blackbaud, Inc., Customer Data Breach Litig., 567 F.Supp.3d 667, 675 (D.S.C. 2021); In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1199 (S.D. Fla. 2022)). Each of these alternatives points to the District of Columbia. Plaintiffs allege that SMART's place of business is in the District of Columbia, that SMART “maintains Class Members' PII in this District,” and that “decisions made by Defendant's governance and management personnel or inaction by those individuals that led to the Data Breach” occurred in the District of Columbia. See Am. Compl. ¶ 24. At the motion-to-dismiss stage, the Court must take these allegations as true, even though discovery may later reveal that Plaintiffs' data was housed or SMART's decision-making actually took place elsewhere. Therefore, with no pled connections to Plaintiffs' home forums, this factor favors the District of Columbia. See In re APA Assessment Fee Litig., 766 F.3d 39, 54 (D.C. Cir. 2014).
Next, “the domicil[e], residence, nationality, place of incorporation[,] and place of business of the parties” is “split evenly” among the three states, as each party hails from a different one. Id. (quoting Washkoviak, 900 A.2d at 181). While Plaintiffs point out that this case is a “putative nationwide class” and “the state citizenship of all putative Class Members is not yet known,” Opp'n at 29, as the Court noted above, “[a] class action, when filed, includes only the claims of the named plaintiff or plaintiffs.” Molock v. Whole Foods Mkt. Grp., Inc., 952 F.3d 293, 298 (D.C. Cir. 2020) (quoting Gibson v. Chrysler Corp., 261 F.3d 927, 940 (9th Cir. 2001)).
The final factor, the place where the relationship is centered, is neutral. Where, as here, “the parties cite no case law directly addressing where the relationship between a national nonprofit organization and its members is ‘centered[,'] . . . the fourth factor does not weigh strongly in favor of either party.” In re APA Assessment Fee Litig., 766 F.3d at 54.
Taken together, the factors somewhat favor application of D.C. law. Given that D.C. courts apply D.C. law even “where the [Restatement] factors do not point to a clear answer,” the Court finds this outcome all the more appropriate here. Wu, 750 F.3d at 949 (citing Washkoviak, 900 A.2d at 176). Moreover, applying D.C. law “works no unfairness to plaintiffs, because they chose to pursue their claim in the District of Columbia.” In re APA Assessment Fee Litig., 766 F.3d at 55 (citation omitted). Though the Court will apply D.C. law to each claim in ruling on the motion to dismiss, the Court “leave[s] open the possibility that, after both parties have been afforded the opportunity to conduct discovery and present evidence, [the Court] may conclude . . . that [a foreign jurisdiction] has a greater interest than the District of Columbia in the resolution of this controversy[.]” Washkoviak, 900 A.2d at 183.
The Court now turns to each of Plaintiffs' asserted common-law claims: (1) negligence; (2) negligence per se; (3) breach of implied contract; and (4) unjust enrichment.
2. Negligence & Negligence Per Se
Plaintiffs contend that SMART's mishandling of their sensitive PII was negligent (Count 1) and negligent per se under Section 5 of the Federal Trade Commission Act (“FTC Act”) (Count 2). See Am. Compl. ¶¶ 170-224 (citing 15 U.S.C. § 45).
“[A] claim alleging the tort of negligence must show: (1) that the defendant owed a duty to the plaintiff, (2) breach of that duty, and (3) injury to the plaintiff that was proximately caused by the breach.” Hedgepeth, 22 A.3d at 793. “The same is true of negligence-per-se,” Tolson v. The Hartford Fin. Servs. Grp., Inc., 278 F.Supp.3d 27, 36 (D.D.C. 2017), because “negligence per se is not in and of itself a separate legal claim - rather, it permits a plaintiff under ‘certain circumstances and under specified conditions,' to ‘rely on a statute or regulation as proof of the applicable standard of care,'” Hunter ex rel. A.H. v. District of Columbia, 64 F.Supp.3d 158, 188-89 (D.D.C. 2014) (quoting McNeil Pharm. v. Hawkins, 686 A.2d 567, 578 (D.C. 1996)).
SMART moves to dismiss both counts, asserting that (1) the federal-law duty of fair representation preempts any common law negligence claim against the union; (2) the FTC Act cannot serve as the statutory basis for negligence per se; and (3) Plaintiffs fail to allege any actual damages. Because negligence per se “is not in and of itself a separate legal claim,” id., the Court will consider Plaintiffs' negligence per se “claim” as one possible theory of proving SMART's duty and breach. Ultimately, the Court concludes that Plaintiffs' negligence claims are not preempted but that only Keown has plausibly alleged the elements of such a claim.
a. Preemption
The National Labor Relations Act (“the NLRA”) imposes a duty on unions “as the exclusive bargaining representative of the employees . . . fairly to represent all of those employees.” United Steelworkers of Am. v. Rawson, 495 U.S. 362, 372 (1990) (quoting Vaca v. Sipes, 386 U.S. 171, 177 (1967)). This “duty of fair representation” applies to both the union's “collective bargaining . . . and . . . its enforcement of the resulting collective bargaining agreement.” Id. (quoting Vaca, 386 U.S. at 177). Under the duty of fair representation, “the exclusive agent's statutory authority to represent all members of a designated unit includes a statutory obligation to serve the interests of all members without hostility or discrimination toward any, to exercise its discretion with complete good faith and honesty, and to avoid arbitrary conduct.” Vaca, 386 U.S. at 177. Breach of this duty occurs “only when a union's conduct toward a member of the collective bargaining unit is arbitrary, discriminatory, or in bad faith.” Id. (quoting Vaca, 386 U.S. at 190). As SMART would have it, this duty preempts any state-law negligence claim. Mot. Dismiss at 10-14. The Court disagrees.
The D.C. Circuit has held that the duty of fair representation preempts “identical” state law claims. See May v. Shuttle, Inc., 129 F.3d 165, 179 (D.C. Cir. 1997) (citing Nellis v. Air Line Pilots Ass'n, 15 F.3d 50, 51 (4th Cir. 1994)). In May, for example, the Circuit determined that the plaintiffs' state-law fraud claim was preempted because the plaintiffs' counsel effectively conceded that it arose from the “collective bargaining agreement,” under which “lying . . . [was not] condoned.” Id. In reaching this conclusion, the Circuit relied on the Fourth Circuit's decision in Nellis, which held that the duty of fair representation preempted state-law contract claims arising from duties that “were ‘mere refinements' of the federal duty of fair representation.” 15 F.3d at 51.
Here, Plaintiffs' claims challenging negligent data storage are not “identical” to a duty of fair representation claim. Rather, their negligence counts are premised on alleged duties separate from the duty of fair representation, including duties of care imposed by the FTC Act and SMART's promises to Plaintiffs regarding its data security. Opp'n at 16. Moreover, unlike in May, where the alleged duty arose from the parties' collective bargaining agreement and thereby fell within the scope of its duty of fair representation, neither party here suggests that their collective bargaining agreement imposed on SMART a duty to protect its members' PII. The union characterizes Plaintiffs' negligence claim as a challenge to its “administration of its dues collection system,” Mot. Dismiss at 14, to which the duty of fair representation applies. But SMART's use of Plaintiffs' PII for dues collection does not transform its allegedly improper storage of that information into representational activity. Plaintiffs' claims are therefore not preempted.
Because Plaintiffs' claims “involve[] union activity that [is] peripheral to the concern of the applicable federal statutes and present[s] only a tangential or remote potential conflict with the federal regulatory scheme,” Condon v. Loc. 2944, 683 F.2d 590, 595 (1st Cir. 1982), the Court need not address whether, as SMART contends, the duty of fair representation preempts the “field” of “all forms of representational conduct,” Mot. Dismiss at 13. The circuits are split on whether they consider the duty of fair representation as a species of field or conflict preemption. See Figueroa v. Foster, 864 F.3d 222, 228-32 (2d Cir. 2017) (explaining that the First, Fifth, and Tenth Circuits understand the duty to preempt all state-law causes of action in the regulated field, while the Second, Fourth, Eighth, and Ninth Circuits have adopted a narrower, conflict-preemption approach). The D.C. Circuit has not weighed in on this split but, for the reasons discussed, SMART's argument is unavailing under either theory.
b. Duty & Breach
“As a general rule, the plaintiff in a negligence action bears the burden of proving ‘the applicable standard of care[] [and] a deviation from that standard by the defendant[.]'” McNeil Pharm., 686 A.2d at 577 (quoting Toy v. District of Columbia, 549 A.2d 1, 6 (D.C. 1988)). In their opposition brief, Plaintiffs seek to locate SMART's duty of care in three sources: (1) the FTC Act (as the basis of their negligence per se theory), (2) “the standard duties of care in Defendant's industry,” and (3) “Defendant's own promises and representations that were made to Plaintiffs, regarding its data security.” Opp'n at 16. None of these sources impose a duty on SMART that plausibly gives rise to a negligence claim. However, the Court finds that Plaintiffs have adequately alleged that SMART had (and deviated from) a common-law duty of care to protect their PII from foreseeable risk of theft. See Am. Compl. ¶¶ 188-92.
The FTC Act cannot serve as the basis of Plaintiffs' negligence per se theory under D.C. law, which permits “[v]iolation of a statute or regulation [to] constitute negligence per se only ‘if the statute is meant to promote safety, if the plaintiff is a member of the class to be protected by the statute, and if the defendant is a person upon whom the statute imposes specific duties.'” Night & Day Mgmt., LLC v. Butler, 101 A.3d 1033, 1039 (D.C. 2014) (quoting Ginsberg v. Granados, 963 A.2d 1134, 1140 (D.C. 2009)). The FTC Act, which declares unlawful “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce,” 15 U.S.C. § 45, is not “meant to promote safety.” Night & Day Mgmt., LLC, 101 A.3d at 1039; cf. In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 407-08 (E.D. Va. 2020) (concluding that the FTC Act could underpin a negligence per se theory under New York but not Virginia law because, like D.C., negligence per se under Virginia law requires a public safety purpose, and “Section 5 of the FTC was intended to prevent unfair and deceptive trade practices”). Therefore, it is not a viable source of an alleged negligence claim against SMART.
Nor are “the standard duties of care in [SMART's] industry” or “[SMART's] own promises and representations that were made to Plaintiffs, regarding its data security.” Plaintiffs do not identify the source of any “standard duties of care” for the labor union industry apart from the duty of fair representation, see Am. Compl. ¶¶ 87-91 (listing several alleged “best practices” for “labor unions dealing with sensitive PII” without alleging the source of these practices or any duty to follow them), on which Plaintiffs expressly disavow reliance, Opp'n at 19 (“Here, there is no ‘fair representation' claim[.]”). As to SMART's alleged promises of data security, the amended complaint points only to the union's website privacy policy, which, by its own terms, applies just to “information collected from visitors to the web site.” Am. Compl. ¶ 30. Plaintiffs do not allege that they gave their PII to SMART as visitors to its website and do not respond to SMART's observation that the website policy does not apply to them as a result. Consequently, these sources also cannot support Plaintiffs' claimed duty of care.
But Plaintiffs adequately pled that SMART violated a common-law duty of care when it failed to protect their PII from foreseeable risks. See id. ¶¶ 188-92. As this Court has recognized in the past, “there are some circumstances under District of Columbia law where even a failure to act will give rise to a legal duty.” Attias v. CareFirst, Inc. (“Attias III”), 365 F.Supp.3d 1, 20 (D.D.C. 2019). “[C]onsideration of whether a duty exists to protect another from intervening criminal acts includes consideration of heightened foreseeability.” Bd. of Trs. of Univ. of D.C. v. DiSalvo, 974 A.2d 868, 871-72 (D.C. 2009). Where “the injury that befell the plaintiff was ‘reasonably foreseeable' to the defendant, then courts will usually conclude that the defendant owed the plaintiff a duty to avoid causing that injury[.]” Hedgepeth, 22 A.3d at 793. This duty is also informed by the relationship between the parties. Id.
Here, Plaintiffs allege that SMART had a duty “to protect[] Plaintiffs and the Class from the risk of foreseeable criminal conduct of third parties[.]” Am. Compl. ¶ 195. In support of this legal conclusion, Plaintiffs allege that they were required to give their highly sensitive PII to SMART as members of the organization. Id. ¶ 27. Risk of unauthorized access to this information was foreseeable, they allege, because SMART held it unencrypted on its servers, an “inadequate security practice[],” and there had been a “high known frequency of cyberattacks and data breaches in the labor union industry.” Id. ¶¶ 28, 188-89. Though they do not delve into specifics, Plaintiffs further allege that there were “repeated warnings and alerts directed to protecting and securing sensitive data,” a “substantial increase in cyber-attacks and/or data breaches targeting labor unions that collect and store PII, like Defendant, preceding the date of the breach,” and a high “prevalence of public announcements of data breach and data security compromise.” Id. ¶¶ 55, 56, 67. Plaintiffs further contend that SMART could have prevented the disclosure of their PII merely “by properly securing and encrypting the files and file servers containing the PII of Plaintiffs and Class Members.” Id. ¶ 54.
Taking these allegations as true and drawing all reasonable inferences from them, the complaint plausibly alleges that SMART failed to take reasonable steps to protect Plaintiffs' PII despite the foreseeable risk of a cyberattack. Cf. Attias III, 365 F.Supp.3d at 21 (finding no duty of care where the plaintiffs had not alleged known issues with the organization's data security system or other recent highly publicized data breaches in that industry). Moreover, to the extent SMART's alleged failure to take these measures would violate the FTC Act, such evidence also supports Plaintiffs' claim of duty and breach. See Rong Yao Zhou v. Jennifer Mall Rest., Inc., 534 A.2d 1268, 1274 (D.C. 1987) (“Where the court does not perceive a public safety purpose in the legislative enactment, the statutory violation may be admitted as evidence of negligence, although it does not constitute negligence per se.” (quoting Stevens v. Hall, 391 A.2d 792, 795-96 (D.C. 1978)); In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d at 407 (collecting cases finding that the FTC Act creates a “duty [that] is ascertainable as it relates to data breach cases” and that inadequate security measures may violate this duty).
c. Causation & Injury
Moving to causation and injury, “[t]o maintain an action for negligence, a plaintiff must allege more than speculative harm from defendant's allegedly negligent conduct.” Randolph, 973 A.2d at 708. Plaintiffs here present six forms of actual harm allegedly caused by the data breach: (1) heightened risk of misuse of personal information; (2) time, effort, and future costs to mitigate the risk of harm; (3) lost benefit of the bargain; (4) diminution in value of their private information; (5) loss of privacy; and (6) emotional distress. Opp'n at 24-28. Each of these harms, Plaintiffs argue, is sufficient to establish causation and injury. To support that argument, however, Plaintiffs cite only cases considering the injury-in-fact requirement for standing. See, e.g., Opp'n at 24-27. That won't do because “[p]laintiffs may satisfy the Article III injury-in-fact requirement and yet fail to adequately plead damages for a particular cause of action.” Attias III, 365 F.Supp.3d at 9. Moreover, D.C. law, which holds that “speculative harm, or the threat of future harm-not yet realized-does not suffice to create a cause of action for negligence,” forecloses many of Plaintiffs' alleged forms of damages. In re Estate of Curseen v. Buchanan Ingersoll, P.C., 890 A.2d 191, 193 n.3 (D.C. 2006). After considering each of Plaintiffs' theories of actual harm under D.C. law, the Court concludes that Keown's claim survives, while Angus's does not.
i) Heightened Risk of Misuse & Mitigation Efforts
The District of Columbia Court of Appeals has expressly declined to treat heightened risk of misuse of personal information and lost time spent on mitigation measures as actual damages for the purpose of a negligence claim in the data breach context. See Randolph, 973 A.2d at 708. Randolph precludes recovery on this theory for Angus, who alleges solely that she “faces a substantial risk” of “illegal schemes,” that she expended “time and effort” to mitigate any effect of the data breach, and that she “may incur out-of-pocket costs for protective measures” in the future. Am. Compl. ¶¶ 150-52; see also Randolph, 973 A.2d at 708 (“To the extent that [plaintiffs] allege actual harm from expenses they have incurred to undertake credit monitoring or other security measures to guard against possible misuse of their data, they have alleged an injury that is ‘not the result of any present injury, but rather the [result of] the anticipation of future injury that has not materialized.'” (quoting In re Estate of Curseen, 890 A.2d at 194)).
By contrast, Keown alleges that his PII was “disseminated on the dark web” because of the data breach and that he has “experienc[ed] an increase in spam calls, texts, and/or emails.” Am. Compl. ¶¶ 139-40. He further alleges that he has “spent significant time” dealing with these effects that he “otherwise would have spent on other activities, including but not limited to work and/or recreation.” Id. ¶ 137. This expenditure of time is much closer to the present injury of scammers using Keown's PII than to efforts to mitigate potential future harm. As a result, Keown “has gone well beyond pleading the anticipation of future injury and has instead alleged an actual injury resulting from [SMART's] conduct” sufficient to support a negligence claim under D.C. law. Guo Wengui v. Clark Hill, PLC, 440 F.Supp.3d 30, 37 (D.D.C. 2020) (considering a plaintiff whose PII was posted on social media).
ii) Lost Value
Plaintiffs next contend that they were harmed by “lost benefit of the bargain” and “lost or diminished value of PII.” Am. Compl. ¶¶ 131, 198; Opp'n at 25-27. This argument fails. Even under the more lenient standard for injury-in-fact, courts in this district have rejected the benefit-of-the-bargain theory, including in the commercial context where plaintiffs have allegedly “paid money that could have gone towards a better data-security policy.” In re Sci. Applications Int'l Corp. Backup Tape Data Theft Litig. (“SAIC”), 45 F.Supp.3d 14, 30 (D.D.C. 2014); see Austin-Spearman v. AARP & AARP Servs. Inc., 119 F.Supp.3d 1, 13-14 (D.D.C. 2015); Attias III, 365 F.Supp.3d at 12. Plaintiffs here would not have been able to satisfy even this rejected theory given that they have not alleged that they paid any money that could have gone to data security. Consequently, their unsupported allegations that their union memberships somehow lost value because of a data breach that occurred years after they left the union certainly fail the more stringent standard of actually pleading damages.
The Court similarly finds the alleged loss of value of Plaintiffs' PII insufficient to state a claim of actual damages. As two courts in this district have observed in rejecting this theory in the injury-in-fact context, Plaintiffs “do not allege facts to support the inference of their allegation that their personal information became less valuable as a result of the [data] breach or that they attempted to sell their information and were rebuffed because of a lower price-point attributable to the breach.” Welborn v. Internal Revenue Serv., 218 F.Supp.3d 64, 78 (D.D.C. 2016). Though Plaintiffs allege that personal information “can be sold at a price ranging from $40 to $200” and that theirs has now decreased in “rarity,” Am. Compl. ¶¶ 71, 153, the “[p]laintiffs do not contend that they intended to sell [their] information on the cyber black market in the first place, so it is uncertain how they were injured by this alleged loss,” SAIC, 45 F.Supp.3d at 30. To the contrary, Keown and Angus both allege that they are “very careful about sharing [their] Private Information.” Am. Compl. ¶¶ 135, 146. Because Plaintiffs do not show how they were injured by any alleged loss in value of their PII, this theory does not support their negligence claim.
iii) Privacy
Plaintiffs next contend that they have experienced a loss of privacy due to the data breach. Id. ¶¶ 138, 156. Injury to a legally recognized intangible interest, such as a plaintiff's privacy, may constitute “damage to the interests of the plaintiff” sufficient to support a claim of negligence if the defendant has a duty to prevent such damage. District of Columbia v. Cooper, 483 A.2d 317, 321 (D.C. 1984); see also Tyson v. District of Columbia, No. 20-CV-1450 (RC), 2021 WL 860263, at *3 (D.D.C. Mar. 8, 2021) (sustaining a negligence claim where the injury was “restriction[] on [the plaintiff's] liberty” resulting from failure to timely release him from prison); cf. SAIC, 45 F.Supp.3d at 29 (holding that plaintiffs whose stolen data was used had claimed an “injury to their privacy” sufficient for standing purposes). However, “[f]or a person's privacy to be invaded, their personal information must, at a minimum, be disclosed to a third party.” SAIC, 45 F.Supp.3d at 28.
Mr. Keown has plausibly alleged that public disclosure on the dark web of his social security number and name, as well as possibly other information, constitutes an actual harm to his interest in privacy that is both judicially cognizable and recognized at common law. See Randolph, 973 A.2d at 710 (“In this age of identity theft and other wrongful conduct through the unauthorized use of electronically-stored data, . . . conduct giving rise to unauthorized viewing of personal information such as a plaintiff's Social Security number and other identifying information can constitute an intrusion that is highly offensive to any reasonable person, and may support an action for invasion of privacy[.]”); Magruder v. Cap. One, Nat'l Ass'n, 540 F.Supp.3d 1, 11 (D.D.C. 2021) (“[T]here is ‘a significant history, including at common law, of lawsuits based on [] the unauthorized disclosure of a person's private information[.]'” (quoting Gambles v. Sterling Infosystems, Inc., 234 F.Supp.3d 510, 522 (S.D.N.Y. 2017)). Though “invasion of privacy” is an intentional tort, Randolph, 973 A.2d at 711, “one incident may give rise to claims of intentional tort or negligence,” if “presented individually and founded on appropriate evidence.” Sabir v. District of Columbia, 755 A.2d 449, 452 (D.C. 2000). In this case, Keown has plausibly alleged “that the defendant, in the process of engaging in the conduct that included the intentional tort, was also breaching another recognized duty owed the plaintiff.” McCracken v. David Walls-Kaufman, 717 A.2d 346, 351 (D.C. 1998). He has therefore plausibly alleged a negligence claim separate from the elements of an intentional tort.
Ms. Angus, on the other hand, does not allege that her PII “has been viewed nor that [her] information has been exposed in a way that would facilitate easy, imminent access.” SAIC, 45 F.Supp.3d at 29. The hackers may have accessed the records of 62,000 individuals, but they did not necessarily “read, cop[y], or underst[an]d [every individual's] data.” Id. (citing Reilly v. Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011)). Unlike Keown, Angus does not allege any present effects of the data breach demonstrating that her PII was publicly disclosed or even actually compromised. See Am. Compl. ¶ 37 (noting that recipients of the notice of breach only “may have [had data] involved”). Accordingly, Keown has stated a claim under this theory, but Angus has not.
iv) Emotional Distress
Finally, both Keown and Angus allege they have suffered emotional distress in connection with the data breach. Keown claims he experiences “fear, anxiety, and stress” as a result of the publication of his PII on the dark web following the breach. Id. ¶ 141. Because this emotional distress stems from the invasion of another legally protected interest-one in privacy-Keown may seek so-called “parasitic” damages. Hedgepeth, 22 A.3d at 809 (“Damages for emotional distress also are awarded as part of compensation for violation of statutory and common law rights that result in foreseeable emotional distress.”). Angus, however, does not tie her claimed emotional distress to any other theory of injury. And in the District of Columbia, “[t]o state a claim where emotional distress is the only injury suffered, the plaintiff must satisfy either the ‘zone of physical danger' rule . . . or the special relationship and undertaking rule[.]” Attias III, 365 F.Supp.3d at 16 (first quoting Williams v. Baker, 572 A.2d 1062 (D.C. 1990) (en banc); then citing Hedgepeth, 22 A.3d at 810). Angus does not allege that the data breach placed her in physical danger, and Plaintiffs have disclaimed reliance on a special relationship theory. See Opp'n at 18 (“It is not the ‘special relationship' between the Parties here that forms the duty.”). Therefore, Angus cannot rest her negligence action on emotional-distress damages alone.
While the amended complaint does not directly state that Angus has experienced emotional distress, it generally alleges that the “Plaintiffs and the Class have suffered . . . emotional distress.” Am. Compl. ¶ 200. The Court will evaluate this claim as if directly alleged by Angus.
In sum, Keown has plausibly alleged that the data breach resulted in time spent responding to scammers, an invasion of his privacy, and emotional distress. Because his injuries are neither purely economic nor purely emotional, Keown need not allege a special relationship to recover. See Gutrejman v. United States, 527 F.Supp.3d 1, 8 (D.D.C. 2021) (noting that the “economic loss doctrine” “bars recovery ‘of purely economic losses in negligence, subject to only one limited exception where a special relationship exists'” (quoting Aguilar v. RP MRP Wash. Harbour LLC, 98 A.3d 979, 985-86 (D.C. 2014)). On the other hand, Angus fails to plausibly allege any present injury sufficient to support a claim of negligence because she has not alleged that her PII was viewed, published, or used in any way. The Court will therefore deny SMART's motion to dismiss Count 1 as to Keown but grant the motion as to Angus.
3. Breach of Implied Contract
Count 3 of the amended complaint alleges that when Plaintiffs entrusted SMART with their PII, the parties entered into an implied contract for SMART to
(a) use such PII for business purposes only, (b) take reasonable steps to safeguard that PII, (c) prevent unauthorized disclosures of the PII, (d) provide Plaintiffs and Class Members with prompt and sufficient notice of any and all unauthorized access and/or theft of their PII, (e) reasonably safeguard and protect the PII of Plaintiffs and Class Members from unauthorized disclosure or uses, [and] (f) retain the PII only under conditions that kept such information secure and confidential.
Am. Compl. ¶¶ 223-29. They further allege that SMART “promulgated, adopted, and implemented written privacy policies whereby it expressly promised Plaintiffs and Class Members that it would only disclose PII under certain circumstances, none of which relate to the Data Breach” and “promised to comply with industry standards and to make sure that Plaintiffs' and Class Members' PII would remain protected.” Id. ¶¶ 233-34. Plaintiffs also claim to have had the “reasonable belief and expectation that Defendant would use part of its earnings to obtain adequate data security.” Id. ¶ 235. Yet SMART purportedly “breached the implied contracts it made with Plaintiffs and the Class by failing to safeguard and protect their personal information, by failing to delete the information of Plaintiffs and the Class once the relationship ended, and by failing to provide accurate notice to them that personal information was compromised as a result of the Data Breach,” causing damages to Plaintiffs. Id. ¶¶ 239-40.
The Court understands Plaintiffs' reference to “written privacy policies” that include “express[] promise[s]” solely as evidence supporting the existence of an implied contract, rather than as the basis for an express contract. See Am. Compl. ¶ 233.
As with Plaintiffs' negligence claims, SMART first contends that this claim is preempted by federal law and then asserts that Plaintiffs fail to state a claim.
a. Preemption
SMART posits that Plaintiffs' breach-of-implied-contract claim is preempted by section 301(a) of the Labor Management Relations Act (“LMRA”). Mot. Dismiss at 23-25. Section 301 preempts application of state law “only if such application requires the interpretation of a collective-bargaining agreement.” Lingle v. Norge Div. of Magic Chef, Inc., 486 U.S. 399, 413 (1988). “[Section] 301 pre-emption merely ensures that federal law will be the basis for interpreting collective-bargaining agreements, and says nothing about the substantive rights a [s]tate may provide to workers when adjudication of those rights does not depend upon the interpretation of such agreements.” Id. at 409.
The parties here are governed by a union constitution, which “is a ‘contract' within the plain meaning of § 301(a).” United Ass'n of Journeymen & Apprentices v. Loc. 334, 452 U.S. 615, 622 (1981). So, if the breach-of-implied-contract claim relied on the SMART Constitution, the claim would be preempted. See Mot. Dismiss at 24 (citing Saunders v. Hankerson, 312 F.Supp.2d 46, 72 (D.D.C. 2004)). But Plaintiffs' claim is neither predicated on nor requires interpretation of the SMART Constitution. Indeed, the Constitution, which is attached as an exhibit to the union's motion to dismiss, nowhere references SMART's data security obligations. Accordingly, the Court need not look to or interpret the Constitution in evaluating Plaintiffs' claims, and Plaintiffs' breach-of-implied-contract claims are not preempted by LMRA § 301.
b. Validity of the Claim
Plaintiffs rest their breach-of-implied-contract claim largely on SMART's receipt of highly sensitive PII and alleged representations concerning data security. Opp'n at 33-34. “Under D.C. law, an implied-in-fact contract contains ‘all necessary elements of a binding agreement,' differing from other contracts ‘only in that it has not been committed to writing' and is instead ‘inferred from the conduct of the parties.'” Camara v. Mastro's Rests. LLC, 952 F.3d 372, 375 (D.C. Cir. 2020). To prevail on a breach-of-implied-contract claim, then, a party must establish “(1) a valid contract between the parties; (2) an obligation or duty arising out of the contract; (3) a breach of that duty; and (4) damages caused by breach.” Shaffer v. Geo. Wash. Univ., 27 F.4th 754, 762 (D.C. Cir. 2022). “[A]ll the necessary elements of an express contract-including offer, acceptance, and consideration-must be shown in order to establish the existence of an implied-in-fact contract.” Paul v. Howard Univ., 754 A.2d 297, 311 (D.C. 2000). SMART contends that the amended complaint flunks these requirements because it fails to show (1) consideration, (2) agreement as to material terms, and (3) intent to be bound. Mot. Dismiss at 25-27. Plaintiffs respond that providing their PII so that SMART could fulfill its union duties was consideration, and that SMART's acceptance of the information manifested assent and an intent to reasonably protect it from unlawful access. Opp'n at 33-36. The Court agrees with Plaintiffs.
“[I]t is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient's assent to protect the information sufficiently.” Attias VII, 2023 WL 5952052, at *6 (quoting Castillo v. Seagate Tech., LLC, No. 16-CV-01958 (RS), 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016)). The Court then joins numerous other courts in concluding that an obligation to “reasonably safeguard the [plaintiffs'] PII from unauthorized access or disclosure” is sufficiently definite to support an implied contract. Am. Compl. ¶ 232; see also, e.g., Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011). Moreover, SMART's affirmative representation on its website that it “has security measures in place to protect against the loss, misuse[,] or alteration of information collected from visitors to the web site” supports an inference that the organization implicitly promised “its union members, including Plaintiffs and Class Members, that the PII collected from them as a condition of being a union member at SMART would be kept safe, confidential, [and] that the privacy of that information would be maintained,” even if Plaintiffs did not submit their PII through SMART's website. Am. Compl. ¶¶ 29-30. While discovery may show that SMART did provide reasonable safeguards for the data, this potential evidence goes to the question of breach, not whether an implied contract was formed.
SMART does not dispute that, to the extent Plaintiffs have plausibly pled an implied contract, they have also plausibly pled its breach. See id. ¶ 239 (alleging SMART's breach). And because “it is enough for the plaintiff to describe the terms of the alleged contract and the nature of the defendant's breach” to “state a claim for breach of contract [sufficient] to survive a Rule 12(b)(6) motion to dismiss,” the Court denies SMART's motion to dismiss Count 3. Francis v. Rehman, 110 A.3d 615, 620 (D.C. 2015) (quoting Nattah v. Bush, 605 F.3d 1052, 1058 (D.C. Cir. 2010)); see also Wright v. Allen, 60 A.3d 749, 753 & n.3 (D.C. 2013).
As the Court has observed in the past, Wright and Francis are in some tension with the D.C. Court of Appeals' earlier decisions in Cahn v. Antioch University, 482 A.2d 120 (D.C. 1984), and Osbourne v. Capital City Mortgage Corp., 727 A.2d 322 (D.C. 1999), which appeared to require proof of actual damages to state a claim for breach of contract. See Attias v. CareFirst, Inc. (“Attias V”), 518 F.Supp.3d 43, 52 (D.D.C. 2021). However, as in Attias V, the Court will “defer to the most recent decisions of the state's highest court” and allow Plaintiffs' breach-of-contract claims to proceed. Id. (quoting Easaw v. Newport, 253 F.Supp.3d 22, 34 (D.D.C. 2017)).
4. Unjust Enrichment
Count 4 of the amended complaint alleges that SMART was unjustly enriched by Plaintiffs' submission of their PII. Am. Compl. ¶¶ 243-54. To state a claim for unjust enrichment, Plaintiffs must show “(1) [they] conferred a benefit on the defendant; (2) the defendant retains the benefit; and (3) under the circumstances, the defendant's retention of the benefit is unjust.” Peart, 972 A.2d at 813-14. This “quasi-contract” is “not really a contract, but a legal obligation closely akin to a duty to make restitution.” Bloomgarden v. Coyer, 479 F.2d 201, 210 (D.C. Cir. 1973). “In general, a plaintiff cannot maintain an unjust enrichment claim concerning an aspect of the parties' relationship that was governed by a contract.” Smith v. Rubicon Advisors, LLC, 254 F.Supp.3d 245, 249-50 (D.D.C. 2017) (citing In re APA Assessment Fee Litig., 766 F.3d at 46); see also Bloomgarden, 479 F.2d at 210 (noting that this principle extends to implied contracts). Here, the Court need not consider whether Plaintiffs may plead unjust enrichment in the alternative to their breach-of-implied-contract claim because they have failed to plead unjust enrichment as a matter of law.
Plaintiffs assert that they conferred a benefit on SMART in the form of valuable PII and that the union's retention of benefits derived from the information is unjust given its failure to secure that information against breach. Opp'n at 37-38. This argument suffers from three defects.
First, even assuming Plaintiffs' data has some intrinsic value, the amended complaint does not explain how SMART “derived a substantial economic benefit” from receiving or retaining it beyond “perform[ing] the services it provides.” Am. Compl. ¶ 35. Nor does it say how performing those services benefitted SMART rather than Plaintiffs as its members. Second, though Plaintiffs allege that the data breach somehow shows they were “not fully compensate[d]” for their PII, id. ¶ 247, they do not allege that they provided the union their PII with an understanding that they would be paid for it. Where, as here, a “plaintiff did not contemplate a personal fee, or the defendant could not have reasonably supposed that he did,” restitution is an inappropriate remedy. See Bloomgarden, 479 F.2d at 211-12. And third, under D.C. law, “unjust enrichment should be limited or denied if ‘the proper measure of recovery poses insurmountable difficulties of calculation.'” Salem Media Grp., Inc. v. Awan, 301 A.3d 633, 660 (D.C. 2023) (deciding that a defamation plaintiff could not seek disgorgement of profits from a defamatory book because it would be impossible to determine how much profit came from the defamatory statements alone). It is unclear from the amended complaint what funds Plaintiffs request when they ask for “refunds, restitution, and/or damages . . . and/or an order proportionally disgorging all profits, benefits, and other compensation obtained by Defendant from its wrongful conduct.” Am. Compl. ¶ 253. Though Plaintiffs restate several harms they allegedly experienced as a result of the breach, id. ¶ 252, “[w]here there has been an unjust enrichment, the plaintiff's remedy is restitution, which is typically measured by reference to the defendant's gain rather than the plaintiff's loss.” Peart, 972 A.2d at 820. Plaintiffs' failure to state what exactly SMART gained is therefore fatal to their unjust enrichment claim.
This conclusion does not conflict with Plaintiffs' cited authorities. In every cited case upholding a claim of unjust enrichment in the data breach context, the defendant clearly “profited from [the plaintiff's] purchase” of goods or services. Rudolph v. Hudson's Bay Co., No. 18-CV-8472 (PKC), 2019 WL 2023713, at *12 (S.D.N.Y. May 7, 2019); see also In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d at 1145 (“Plaintiffs allege that they paid Defendants money for Defendants' services, and expected that a portion of their payments would go toward ‘data management and security.'”); In re Unite Here, 2024 WL 3413941, at *13 (“If plaintiffs' payment of this union dues included a requirement that a portion of the dues would go to data security . . . and defendant instead shirked that duty (resulting in the data's theft), defendant would have arguably been unjustly enriched to the extent of those improper savings.”). It is unclear whether the D.C. Court of Appeals would allow unjust enrichment claims to proceed on such a theory. But even if it did, the amended complaint does not identify any profit reaped by SMART that is attributable to use of Plaintiffs' data, nor does it allege that Plaintiffs gave SMART any money that should have been used for data security. The Court will therefore grant SMART's motion to dismiss Count 4.
C. Statutory Claims
Finally, Angus brings claims under the California Unfair Competition Law (“UCL”) and California Consumer Privacy Act (“CCPA”) on behalf of a putative California subclass. The UCL prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising[.]” Cal. Bus. & Prof. Code § 17200. The CCPA requires “business[es] that collect[] a consumer's personal information [to] implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure[.]” Cal. Civ. Code § 1798.100. SMART moves to dismiss both claims on the ground that these statutes, largely created for consumer protection, do not apply to it as a labor union. Mot. Dismiss at 31-32, 35-36. Angus responds that discovery is needed to determine whether SMART is engaged in commercial business practices as alleged in the amended complaint. Opp'n at 38-39, 41-42. Again, the Court must begin with a choice-of-law analysis. See In re APA Assessment Fee Litig., 766 F.3d at 51 (applying choice-of-law analysis to statutory consumer protection claim); Pietrangelo v. Wilmer Cutler Pickering Hale & Dorr, LLP, 68 A.3d 697, 713-14 (D.C. 2013) (same). It concludes that there is no true conflict, so D.C. law applies, under which Angus does not have a cause of action.
The Court first finds that both California and the District of Columbia have an interest in having their laws applied. California has an interest in applying the UCL, which “manifest[s] California's obvious interest in protecting its residents from fraud.” In re APA Assessment Fee Litigation, 766 F.3d at 52 (internal quotation marks omitted). The District of Columbia has a similar interest manifested in its Consumer Protection Procedures Act (“DCPPA”), D.C. Code §§ 28-3901 et seq., which “prohibits a wide variety of deceptive trade practices perpetrated against consumers,” In re APA Assessment Fee Litigation, 766 F.3d at 52 (quoting Busby v. Capital One, N.A., 772 F.Supp.2d 268, 279 (D.D.C. 2011)).
Both jurisdictions also have an interest in applying their data security laws: for California, the CCPA, and for the District of Columbia, the Consumer Security Breach Notification Act (“CSBA”), codified as amended at D.C. Code § 28-3851, et seq. As relevant here, the CSBA requires entities that “possess personal information of an individual residing in the District” to implement “reasonable security safeguards.” D.C. Code §§ 28-3852.01. These jurisdictions maintain these interests regardless of whether their substantive laws provide or withhold liability in this particular situation. See In re APA Assessment Fee Litig., 766 F.3d at 52 (“A ‘rule which exempts the actor from liability for harmful conduct' may embody an interest in protecting ‘defendants against being harassed by such actions.'” (quoting Restatement (Second) of Conflict of Laws § 145 cmt. c (1971))). As a result, because more than one jurisdiction has an interest in the dispute, the next issue is whether their laws are in true conflict.
All the relevant statutes appear to foreclose Angus's suit because SMART is a labor union, not a commercial business. The DCPPA reads:
An action brought by a person under this subsection against a nonprofit organization shall not be based on membership in such organization, membership services, training or credentialing activities, sale of publications of the nonprofit organization, medical or legal malpractice, or any other transaction, interaction, or dispute not arising from the purchase or sale of consumer goods or services in the ordinary course of business.
D.C. Code § 28-3905(k)(5). This provision also applies to enforcement of the CSBA. See D.C. Code § 28-3853 (providing that a violation of the CSBA is enforceable as an “unfair or deceptive trade practice” pursuant to the DCPPA). The DCPPA defines a “nonprofit organization” as an entity that “[i]s neither organized nor operating, in whole or in significant part, for profit.” Id. § 28-3901(a)(14). Similarly, the CCPA applies only to “business[es],” Cal. Civ. Code § 1798.150, and defines a business as “[a] sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Cal. Civ. Code § 1798.140(d)(1). As for the UCL, both state and federal courts in California have found it inapplicable to voluntary member associations unless the dispute arises from the sale of goods. See That v. Alders Maint. Ass'n, 142 Cal.Rptr.3d 458, 464 (Cal.Ct.App. 2012) (finding that a homeowners' association was not subject to the UCL because the association “d[id] not participate as a business in the commercial market, much less compete in it”); Babb v. California Tchrs. Ass'n, 378 F.Supp.3d 857, 882 n.13 (C.D. Cal. 2019), aff'd sub nom. Martin v. California Tchrs. Ass'n, No. 19-55761, 2022 WL 256360 (9th Cir. Jan. 26, 2022) (“[T]he UCL claim fails because the Union Defendants are not a ‘business' and collecting agency fees in compliance with state law is not a ‘business act or practice.'”); Bermudez v. Serv. Emps. Int'l Union, Loc. 521, No. 18-CV-04312 (VC), 2019 WL 1615414, at *1, n.1 (N.D. Cal. Apr. 16, 2019). Because SMART's purported failures to “implement and maintain reasonable security and privacy measures” are not alleged to have arisen from the sale of goods, Angus's UCL claim would similarly fail. See Am. Compl. ¶¶ 258, 261. Therefore, application of any of these laws would “produce the identical result as D.C. law,” so there is no true conflict and D.C. law applies by default. Pietrangelo, 68 A.3d at 714.
Angus's primary response is that discovery is necessary to determine whether SMART is “organized or operated for the profit or financial benefit of its owners,” Am. Compl. ¶ 269, as she alleges in the complaint. See Opp'n at 38-39, 41-42. But the Court need not “accept as true the complaint's factual allegations insofar as they contradict exhibits to the complaint or matters subject to judicial notice.” Kaempe v. Myers, 367 F.3d 958, 963 (D.C. Cir. 2004). SMART's public filings with the Internal Revenue Service, of which the Court may take judicial notice, confirm that it is a tax-exempt organization pursuant to 26 U.S.C. § 501(c)(5). See International Association of Sheet Metal Air Rail and Transportation Workers, Internal Revenue Serv., https://perma.cc/79L6-8AHB (EIN: 46-4039786); Arab v. Blinken, 600 F.Supp.3d 59, 63 n.1 (D.D.C. 2022) (“The Court may take judicial notice of information posted on official public websites of government agencies.” (citing Cannon v. District of Columbia, 717 F.3d 200, 205 n.2 (D.C. Cir. 2013))). And a 501(c)(5) organization must, by law, “[h]ave no net earnings inuring to the benefit of any member.” 26 C.F.R. § 1.501(c)(5)-1(a). Because SMART is a nonprofit and Angus's claim does not “aris[e] from the purchase or sale of consumer goods or services,” the DCPPA, like the CCPA and UCL, does not provide a cause of action. D.C. Code § 28-3905(k)(5). Accordingly, the Court will dismiss Counts 5 and 6 of the amended complaint.
* * *
In conclusion, Keown has plausibly alleged a common-law negligence claim (Count 1), and both Plaintiffs have alleged a breach-of-implied-contract claim (Count 3) against SMART. The Court will dismiss all other counts for failure to state a claim.
IV. Conclusion
For these reasons, it is hereby
ORDERED that [ECF No. 13] Defendant's Motion to Dismiss is GRANTED in part and DENIED in part. The Court hereby dismisses Counts 2, 4, 5, and 6 as they apply to both plaintiffs and dismisses Count 1 as it applies to Plaintiff Angus. It is further
ORDERED that SMART shall file an Answer to the remaining claims by October 3, 2024.
SO ORDERED.