Opinion
No. CA015177.
Memorandum Dated November 30, 2004.
NATURE OF PROCEEDINGS
Plaintiff, Deborah Kuhn ("plaintiff" or "Kuhn"), individually and as a representative of all persons similarly situated, brings this action alleging that her identity was stolen as a result of Capital One's ("defendant" or "defendants") failure to adequately respond to a security breach of a retail website server which compromised her VISA account. Kuhn's complaint seeks recovery under theories of Breach of Contract (Count I), Breach of the Implied Covenant of Good Faith and Fair Dealing (Count II), Negligence (Count III), Misrepresentation (Count IV), Breach of Fiduciary Duty (Count V), Invasion of Privacy (Count VI), and violation of G.L.c. 93A (Count VII). Capital One Bank now moves for summary judgment as to all counts. For the reasons set forth below, Capital One's motion for summary judgment is ALLOWED.
Hereinafter, the defendants — Capital One Financial Corporation, Inc., Capital One Services, Inc., and Capital One Bank — will be referred to collectively as Capital One.
If the named representative in a putative class cannot maintain a cause of action, then the class is not viable. Doe v. Governor, 381 Mass. 702, 704-05 (1980). Therefore, the motion for summary judgment is allowed as to plaintiff, Deborah Kuhn, individually, and all persons similarly situated.
FACTUAL BACKGROUND
The summary judgment record reveals the following relevant facts. An unidentified computer hacker broke into a merchant's website server. On June 18, 2001, Capital One was advised that plaintiff's Capital One VISA credit card was compromised as a result of this incident. On that same day, via a telephone message, Capital One informed Kuhn of the incident and shut down her account. Plaintiff spoke with a Capital One representative later that day who allegedly informed her that no further action was necessary on her part. Capital One also. sent Kuhn a letter informing her of steps she could take to prevent additional fraudulent charges on her account. Within days of the computer hacking incident, approximately eighteen (18) fraudulent accounts were opened in plaintiff's name and $25,000 was wrongfully charged.
DISCUSSION I. Rule 56(f)
The thrust of Capital One's motion is that the undisputed facts fail to establish any link between the theft of plaintiff's account information and any "action or inaction" on the part of Capital One. Initially, plaintiff argues that she needs additional discovery to adequately respond to defendant's motion. When a party, as here, "claims an inability to respond to an opponent's summary judgment motion because of incomplete discovery, [Mass.R.Civ.P. 56(f)] looms large." Resolution Trust Corp. v. North Bridge Assoc., Inc., 22 F.3d 1198, 1202 (1st Cir. 1994) (discussing federal counterpart Fed.R.Civ.P. 56(f)). Rule 56(f) is a "procedural escape hatch," Argentieri v. Fisher Landscapes, Inc., 15 F.Sup.2d 55, 60 (D.Mass. 1998), that describes "a method of buying time for a party who, when confronted by a summary judgment motion, can demonstrate an authentic need for, and an entitlement to, an additional interval in which to marshal facts essential to mount an opposition." Resolution Trust Corp., supra at 1203. The rule is "intended to safeguard against judges swinging the summary judgment axe too hastily." Id. In order to succeed on, and benefit from a Rule 56(f) motion, the movant must, as a general matter, articulate by affidavit a plausible basis for the belief that discoverable materials probably exist which would influence the outcome of the pending summary judgment motion, see First Nat'l Bank of Boston v. Slade, 379 Mass. 243, 244-45 (1979), and demonstrate that it was diligent in pursuing discovery before the summary judgment initiative surface.
Here, in support of her effort to postpone the summary judgment motion pending further discovery, plaintiff offers the affidavit of her counsel identifying anticipated discovery. The affidavit states that through additional discovery, specifically the depositions of Frankie Barksdale and the defendants, she hopes to obtain information on the nature of the breach and Capital One's response to it. The court, however, is skeptical that these depositions will yield discovery that will influence the outcome of the summary judgment motion. According to the defendant's supporting affidavit submitted by Barksdale, "Capital One does not provide our cardholder's social security numbers, dates of birth, mother's maiden name or PIN numbers to retail establishments, including websites." Additionally, the affiant stated: "I am not aware of any method or manner of fraud whereby one's identity can be stolen using only a credit card number and account expiration date." Moreover, the June 18, 2001 correspondence between Visa Fraud Control and Capital One support defendant's assertion that it was not the source of the security breach and it is not privy to the information plaintiff seeks about the breach. The court is therefore not convinced that "discoverable materials probably exist" that would answer plaintiff's questions and, if they do exist, the court is not convinced that defendant is in possession of them. Thus, plaintiff's Rule 56(f) motion is denied.
See Casey Aff. ¶ 15 (What exactly was the breach that occurred, where did it occur and whose responsibility or fault was it; If the breach occurred at some unknown third-party location, as defendant now claims, why did defendant earlier tell plaintiff's representatives a different story, why did defendant never respond to the quite different assertions in plaintiff's c. 93A letter, and why did government investigators apparently conclude different).
See Casey Aff. ¶ 15 (Did defendant make any inquiry to find out whether any information other than account numbers and expiration dates had been disclosed; Did defendant inquire as to the nature of the "fraudulent activity" that Visa had identified, in particular to find out whether new accounts were opened, rather than simply old accounts being misused by unauthorized persons; Did defendant take any other actions whatsoever to inform itself of what happened, and, in particular, what information of its customers had been disclosed; Did defendant take any other action whatsoever to protect its customers other than by shutting down their Capital One accounts, which was done mainly to protect Capital One from liability for fraudulent charges).
The June 18, 2001 letter from John Corbelletta, Regional Director, Visa U.S. — Fraud Control to the Visa Fraud Investigation Manager provided: "Visa Fraud Control has been informed of an intrusion into an undisclosed website. Several thousand Visa account numbers and expiration dates were downloaded and copied by the intruders. At this point there is no further information that can be released."
II. Summary Judgment
This court grants summary judgment where there is no genuine issue of material fact and the summary judgment record entitles the moving party to judgment as a matter of law. Cassesso v. Commissioner of Correction, 390 Mass. 419, 422 (1983); Mass.R.Civ.P. 56(c). The moving party has the burden of affirmatively demonstrating that a genuine issue of material fact does not exist. Pederson v. Time, Inc., 404 Mass. 14, 16-17 (1989). A party moving for summary judgment who does not bear the burden of proof at trial may demonstrate the absence of a triable issue either by submitting affirmative evidence negating an essential element of the nonmoving party's case or by reference to supporting materials listed in Mass.R.Civ.P. 56(c), unmet by countervailing materials, that essential element of its case at trial. Kourouvacilis v. General Motors Corp., 410 Mass. 706, 716 (1991). Although the supporting materials need not negate an essential element of the claim at issue, they must demonstrate the proof of that element at trial is unlikely to be forthcoming. Id. at 714. A conclusory assertion that the nonmoving party has no evidence is insufficient to meet the moving party's burden. Id. at 715.
Once the moving party establishes the absence of a triable issue, the party opposing the motion must respond and allege specific facts establishing the existence of a genuine issue of material fact in order to defeat the motion. Pederson, 404 Mass. at 17. The nonmoving party cannot defeat the motion for summary judgment by resting on his or her pleadings and mere assertions of disputed facts. LaLonde v. Eissner, 405 Mass. 207, 209 (1989).
Here, the defendants argue that summary judgment should enter on all counts against them as there are no genuine issues of material fact, and because the plaintiff is unable to sustain any actionable conduct as a matter of law. Based on the court's independent review of the summary judgment record and the controlling and applicable legal precedent, the defendants' motion is allowed. The court now discusses each count in turn.
1. Count I — Breach of Contract
To prevail in a breach of contract action a plaintiff must show the following: "(1) a legal obligation of a defendant to the plaintiff, (2) a violation or breach of that right or duty, and (3) consequential injury or damage to the plaintiff." Brown v. Harris, 467 S.E.2d 805, 807 (Va. 1996).
The Capital One website contains a section titled "Fraud Protection and Solutions: Information for Fraud Victims." This section recommends to customers that steps that should be taken in the event of identity theft, including: (1) contacting creditors or lending institutions, (2) contacting the credit bureaus, and (3) filing a police report.
In the present case, the relationship between the parties is governed by Capital One's Privacy Notice and Customer Agreement. The Privacy Notice, as noted by plaintiff, provides, "At Capital One, we appreciate how important privacy is to our customers . . . Also, we can protect you from identity theft, fraud, and unauthorized access to personal information about you." The plaintiff, relying on this language, alleges that Capital One's failure to take steps to prevent her identity theft constituted a breach of the Privacy Notice. Specifically, plaintiff argues that Capital One should have advised her to contact the credit reporting agencies and place a fraud alert on her account.
The court notes at the outset that the representations made in the Privacy Notice and Customer Agreement were limited to plaintiff's Capital One account. The court finds no references to accounts held outside of Capital One. Indeed, the language contained in the Opt-Out Notice to the Privacy Notice emphasizes the fact that the information is applicable only to plaintiff's Capital One account. Accordingly, the court will limit its analysis of the breach of contract claim to the activity surrounding plaintiff's Capital One account.
The Opt-Out Notice provides:
If you have other credit card accounts or other types of accounts with us, such as certificates of deposit, money markets, car loans, or home loans, you must opt out separately for each account. You will receive a separate Opt-Out Notice for each account you have with us, but you can make your selections for each account on the same phone call.
If you have a joint account, your opt-out choices will apply to each person on the account.
If you have become a Capital One customer through another company, any opt-out choices you have made with the other company will not automatically apply to your Capital One account now because we have a different privacy policy and your choices may be different now.
If your state's privacy law provides for different rights or requires a different procedure in order for you to exercise your privacy rights under those laws, we will explain your rights to you when you call the toll-free number listed below.
Next, the court disagrees with plaintiff's interpretation of the Privacy Notice. The language relied on by plaintiff was contained in the section "Why we may collect and share information." The language, read within this context, merely suggests that if a customer is willing to share certain confidential information, Capital One would be in a better position to protect the customer against fraud, identity theft, and unauthorized use. Thus, unlike plaintiff, the court finds no guarantee against illicit use contained in the Privacy Notice. Furthermore, the Privacy Notice provides the website address — www.CapitalOne.com — for those who would like to learn more about Capital One's privacy policy. The inclusion of this information should have made plaintiff aware that the Privacy Notice was not the sole source of information pertaining to Capital One's privacy principles. Moreover, if plaintiff had accessed Capital One's website, she would have discovered the information she claims Capital One failed to provide. Additionally, the Customer Agreement, in the section titled "Lost or Stolen Cards or Account Access Checks," also contains information about illicit use. The Customer Agreement, read together with the Privacy Notice, openly acknowledges the possibility of identity theft and makes no guarantees against its occurrence.
The Capital One website contains a section titled "Fraud Protection and Solutions: Information for Fraud Victims." This section recommends to customers that steps that should be taken in the event of identity theft, including: (1) contacting creditors or lending institutions, (2) contacting the credit bureaus, and (3) filing a police report.
Finally, regarding the customer's liability for wrongful charges, the Customer Agreement provides, "Your liability for unauthorized use of your cards or account access checks will not exceed $50. You will not be liable for unauthorized use that occurs after you notify us." Consistent with this statement, Capital One has not held plaintiff liable for the fraudulent charges made on her Capital One account. Therefore, Capital One's actions — shutting down her account and giving her prompt notice — satisfied its obligations set out in the Privacy Notice and Customer Agreement. Consequently, plaintiff's breach of contract claim must fail.
2. Count II — Breach of the Implied Covenant of Good Faith and Fair Dealing
Every contract under Virginia law contains an implied covenant of good faith and fair dealing. See Pennsylvania Life Ins. Co. v. Bumbrey, 665 F.Sup. 1190, 1195 (E.D.Va. 1987). However, under Virginia law an implied covenant of good faith and fair dealing "cannot be vehicle for rewriting an unambiguous contract in order to create duties that do not otherwise exist." Ward's Equipment, Inc. v. New Holland North America, Inc., 493 S.E.2d 516, 520 (1997).
The Customer Agreement provides in pertinent part: "Applicable Law. This Agreement will be governed by Virginia Law and Federal Law." Thus, Counts I and II, which sound in contract, will be governed by Virginia and Federal Law. The remaining counts, which sound in tort, will be governed by Massachusetts law.
Here, plaintiff argues that her breach of contract claim, "is further supported by the fact that Capital One breached its promise to protect the plaintiff from identity theft or further fraud and acted unreasonably — even irrationally — in its advising her." The court finds that Capital One made no such blanket promise. Rather, Capital One stated, as provided in the Privacy Notice, "We can protect you from identity theft, fraud, and unauthorized use." The use of the word can suggests an ability to do something, hardly the kind of guarantee that will or shall reasonably would have implied. Indeed, the court finds that through its efforts — giving plaintiff prompt notice of the breach and shutting down her account — Capital One fulfilled its obligations contained in the Privacy Notice. To find otherwise would result in, "rewriting an unambiguous contract in order to create duties that do not otherwise exist," an improper purpose of the implied covenant of good faith and fair dealing. Therefore, Capital One's motion for summary judgment as to Count II is allowed.
3. Count III — Negligence
Capital One claims that it is entitled to summary judgment because plaintiff has failed to adduce any evidence of negligence. "In any negligence cause of action, there are four elements on which plaintiffs must adduce adequate evidence to prevail. Plaintiffs must show: (1) the existence of a legal duty owed by defendant to plaintiff; (2) a breach of that duty; (3) proximate or legal cause; and (4) actual damage or injury." Nelson v. Massachusetts Port Authority, 55 Mass.App.Ct. 433, 435 (2002), citing Jorgenson v. Massachusetts Port Authority, 905 F.2d 515, 522 (1st Cir. 1990). "Although summary judgment is seldom sought or granted in negligence cases, it may be appropriate in some instances . . . For example, where the party who does not have the burden of proof at trial establishes that the other party could not prove an essential element of its claim, summary judgment may be appropriate." Nelson, 55 Mass.App.Ct. at 435.
Here, Capital One argues that plaintiff has failed to demonstrate that it caused her identity theft. In support of its argument, defendant offers the affidavit of Frankie Barksdale, the Senior Manager for Client Management at Capital One's Fraud Operations. The Barksdale affidavit stated, "Capital One does not provide our cardholders' social security numbers, dates of birth, mother's maiden name or PIN numbers to retail establishments, including websites . . . I am not aware of any method or manner of fraud whereby one's identity can be stolen using only a credit card account number and expiration date." Plaintiff, in response, argues that due to the prevalence of identity theft, plaintiff's harm was foreseeable and, consequently, Capital One had a duty to protect her from the "harm which resulted from identity theft or at least advise her how to protect herself."
The court finds that the defendant has demonstrated the absence of a triable issue and plaintiff, in response, has failed to produce countervailing evidence. Plaintiff's response amounts to nothing more than bare assertions. There is nothing in the record that even suggests that Capital One caused plaintiff's identity theft. According, defendants' motion for summary judgment as to Count III is allowed.
4. Count IV — Misrepresentation
Plaintiff's misrepresentation claim is based primarily on the assertion that due to Capital One's knowledge about the prevalence of identity theft, advising plaintiff that she need not "take any further action" amounted to misrepresentation. A defendant can only be found liable for negligent misrepresentation if "in the course of his business. . . . [he] supplies false information for the guidance of others in their business transactions, [such a person] is subject to liability for pecuniary loss caused to [the others] by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information." Restatement (Second) of Torts § 552(1) (1977). "Honesty requires only that the maker of a representation speak in good faith and without consciousness of a lack of any basis for belief in the truth or accuracy of what he says." Restatement (Second) of Torts § 552(1) comment a (1977). "[T]he defendant is subject to liability if, but only if, he has failed to exercise the care or competence of a reasonable [person] in obtaining or communicating the information." Id. at comment e.
Given the limited extent of its knowledge about the security breach — specifically, that only plaintiff's credit card account number and expiration date had been stolen — Capital One argues that plaintiff cannot show misrepresentation. The court finds that Capital One's knowledge about identify theft in general, in the absence of any other evidence, is insufficient to amount to misrepresentation in the instant case. Indeed, the record offers no evidence whatever to support plaintiff's claim of misrepresentation. To the contrary, the record indicates that Capital One's actions were reasonable under the circumstances. On June 18, 2001, a letter from John Corbelletta, Regional Director of Visa U.S. — Fraud Control, informed Capital One of the website intrusion at issue. The letter stated, "Several thousand Visa account numbers and expiration dates were downloaded and copied by the intruders. At this point, there is no further information that can be released." Based on this information, Capital One was justified in limiting its response to the protection of plaintiff's Capital One account. Accordingly, Capital One is entitled to summary judgment on Count IV with respect to the claim of misrepresentation.
Count V — Breach of Fiduciary Duty
In seeking summary judgment on Count V, Capital One argues that it owed no fiduciary duty to plaintiff. Fiduciary duties are recognized to exist in several relationships — attorney and client, trustee and beneficiary, physician and patient, business partners, promoters, or directors and a corporation, and employer and employee. Warsofsky v. Sherman, 326 Mass. 290, 292 (1950). In addition to these particular relationships, fiduciary duties may also arise "when one reposes faith, confidence, and trust in another's judgment and advice." Fassihi v. Sommers, Schwartz, Silver Tyler, P.C., 107 Mich.App. 509 (1981), cited in Schaeffer v. Cohen, Rosenthal, Price, Mirkin, Jennings Berg, P.C., 405 Mass. 506, 513 (1989). Traditionally, Massachusetts courts have viewed a bank's relationship to its customers simply as one of creditor and debtor, a relationship which imposes no duty to counsel or make disclosures to the customer. See, e.g., National Shawmut Bank v. Hallett, 322 Mass. 596 (1948). Furthermore, one party cannot unilaterally transform a business relationship into a fiduciary relationship by reposing trust and confidence in another. Broomfield v. Kosow, 349 Mass. 749 (1965).
Here, plaintiff asserts that her relationship with Capital One created a fiduciary relationship. Plaintiff maintains that that she relied on the alleged guarantees contained in Capital One's Privacy Notice and, consequently, Capital One abused the trust she placed in it by informing her that she need not take further measures to protect herself. The court does not agree that the generic information contained in Capital One's Privacy Principles was sufficient to create a fiduciary relationship. On the contrary, there are no transactions between plaintiff and Capital One that would take this situation outside of the ordinary debtor-creditor relationship. While plaintiff may have placed trust in Capital One, this unilateral action alone is not capable of transforming this relationship into a fiduciary one. Therefore, Capital One's motion for summary judgment as to Count V is granted.
Count VI — Invasion of Privacy
Capital One asserts that it is entitled to summary judgment on Count VI because it did not invade plaintiffs' privacy. G.L.c. 214, § 1B provides in pertinent part: A person shall have a right against unreasonable, substantial, or serious interference with his privacy. The superior court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages. "The notion of right of privacy is founded on the idea that an individual may hold close certain manuscripts, private letters, family photographs, or private conduct which is no business to the public and the publicizing of which is, therefore, offensive." Cefalu v. Globe Newspaper Co., 8 Mass.App.Ct. 71, 77 (1979). "To prevail on a claim of invasion of privacy, plaintiff must prove that defendants' actions were unreasonable and that their conduct amounted to a substantial or serious interference with her privacy." Zortman v. Bildman, 10 Mass. L. Rptr. 76, 1999 WL 1318959 (Mass.Super.).
Here, plaintiff admits that if "the breach did in fact occur at the vendor level and not at Capital One, and that Capital One had no responsibility for the breach . . . the defendant is probably entitled to summary judgment on the invasion of privacy claim." Plaintiff asserts that the defendant must establish that it did not disclose personal information about the plaintiff. The court is satisfied that Capital One has, through its supporting affidavit, met its burden of showing the absence of a factual question as to whether it played a causal role in plaintiff's identity theft. The plaintiff, in response, has failed to "allege specific facts establishing the existence of a genuine issue of material fact in order to defeat the motion." Accordingly, defendant is entitled to summary judgment as to Count VI.
Count VII — Violations of G.L.c. 93A
Capital One, in seeking summary judgment on Count VII, contends that summary judgment should be granted in its favor because it did not act unfairly or deceptively toward plaintiff as a matter of law. G.L.c. 93A makes unlawful "[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce . . ." In determining whether a practice is unfair within the meaning of Chapter 93A, Section 2, the court must consider whether the practice: (1) falls within the penumbra of some common-law, statutory or other established concept of unfairness; (2) is immoral, unethical, oppressive, or unscrupulous; and (3) causes substantial injury to the consumer. Datacomm Interface, Inc. v. Computerworld, Inc., 396 Mass. 760, 778 (1986). "An unfair or deceptive act or practice goes far beyond the scope of the common law action for fraud and deceit." Dalis v. Buyer Advertising, Inc., 418 Mass. 220, 225 (1994). "An act or practice is deceptive if it possesses a tendency to deceive." Leardi v. Brown, 394 Mass. 151, 156 (1985).
Here, plaintiff maintains that the failure to take steps to protect her from identity theft or to inform her of how to protect herself was unfair and deceptive under G.L.c. 93A. The court does not agree. The plaintiff has failed to show that the defendant's acts were in violation of any statutory or common-law duty, or "within at least the penumbra of some common-law, statutory, or other established concept of unfairness . . . [or] . . . is immoral, unethical, oppressive, or unscrupulous." Datacomm Interface, Inc. 396 Mass. at 778. On the contrary, as noted previously, the court finds that Capital One acted reasonably in response to the theft of plaintiff's account information. Thus, the conduct of Capital One upon which plaintiff relies is insufficient to support a G.L. 93A claim. Therefore, Capital One's motion for summary judgment as to Count VII is allowed.
ORDER
For the foregoing reasons, it is hereby ORDERED that the defendant's motion for summary judgment is ALLOWED as to Counts I — VII.