Opinion
C22-0094-KKE
09-13-2024
ORDER GRANTING DEFENDANT'S MOTION FOR SUMMARY JUDGMENT
KYMBERLY K. EVANSON, UNITED STATES DISTRICT JUDGE
This is a data breach putative class action. Defendant McMenamins Inc. (“McMenamins”) moves for summary judgment arguing Plaintiffs have failed to put forth evidence sufficient to raise an issue of material fact on the required elements of their claims. The Court agrees. Plaintiffs fail to identify evidence sufficient to raise a triable issue as to whether they have suffered any actionable harms caused by the breach. Several of Plaintiffs' claims fail for other reasons as well. Defendant's motion for summary judgment is therefore granted and Plaintiffs' motion for summary judgment is denied. The parties' motions in limine and Plaintiffs' motion for class certification are denied as moot.
I. BACKGROUND
A. Undisputed Material Facts
McMenamins “owns and operates a collection of restaurants, brew pubs, hotels, and entertainment venues throughout Oregon and Washington.” Dkt. No. 93-1 at 2. Plaintiffs are former McMenamins employees who were required to provide certain personally identifiable information (“PII”) to McMenamins in connection with their employment. Dkt. No. 87 at 32.
Around December 4, 2021, Conti, a cybercriminal hacker group, exploited a software vulnerability in a tool used by McMenamins to unlawfully gain access to McMenamins' systems. Dkt. No. 110 at 11, Dkt. No. 92 at 7. On December 12, 2021, Conti launched a ransomware attack that rendered nearly all of McMenamins' technology unusable (“Breach”). Dkt. No. 93-1 at 2, 30. A ransom note was left on most computer screens. Dkt. No. 87 at 8, Dkt. No. 93-1 at 111. In that note, Conti stated, “We've downloaded a pack of your internal data and are ready to publish it on out [sic] news website if you do not respond.” Dkt. No. 93-1 at 111. McMenamins received “a list of the files that [Conti] claimed they stole[.]” Dkt. No. 87 at 26. McMenamins confirmed that “the listing of files, the listing of directories, [] were correct files and correct directories” and that some of the listed files “contained personal information, HR files, accounting files, things like that.” Dkt. No. 87 at 17-18.
On December 30, 2021, McMenamins sent a notice to affected employees which stated, “hackers stole certain business records, including human resources/payroll data files for previous employees” and that the stolen files contained
the following categories of employee information: name, address, telephone number, email address, date of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security number, health insurance plan election, income amount, and retirement contribution amounts. It is possible that the hackers accessed or took records with direct-deposit bank account information, but we do not have any indication that they did, in fact, do so.Dkt. No. 93-1 at 5, Dkt. No. 18 ¶ 29. McMenamins never paid the ransom to Conti. Dkt. No. 87 at 25.
McMenamins now states “[t]here is no indication that the hackers accessed direct-deposit bank account information.” Dkt. No. 86 at 3. But the deposition testimony they cite for this proposition does not discuss direct-deposit information. Id. (citing Dkt. No. 87 at 28).
B. Disputed Material Facts
The parties present conflicting evidence via their experts on several aspects of the cause and impact of the Breach. The parties dispute whether the security measures McMenamins had in place to protect employees' PII were reasonable. See generally Dkt. No. 110 at 8-12, Dkt. No. 93-1 at 57-60. They also dispute whether McMenamins could or should have taken certain steps to prevent this intrusion or to identify and stop the intrusion sooner. See generally Dkt. No. 110 at 11-12, Dkt. No. 93-1 at 60.
McMenamins now also disputes whether Conti actually “exfiltrated” this information, arguing that the evidence only shows Conti could have taken this information, not that they actually did. Dkt. No. 86 at 3, Dkt. No. 105 at 2. Plaintiffs point to other testimony in the record to argue the data was in fact taken by Conti. Dkt. No. 92 at 9 (citing Dkt. No. 93-1 at 5, 108).
The parties also dispute whether the PII, assuming Conti took it, was then made available on the dark web. Dkt. No. 86 at 4, Dkt. No. 92 at 9. From December 28, 2021, to May 2024, McMenamins' data breach consultants “conducted threat intelligence monitoring and dark web scans[.]” Dkt. No. 86 at 4, Dkt. No. 110 at 12, Dkt. No. 93-1 at 113-36 (reports from February 2022 to October 2022). The weekly scan reports in the record show the consultants “monitor[ed] deep/dark web forums, marketplaces, paste sites, and threat actor chatrooms for 68 keywords enumerated for McMenamins. Keywords include 31 domains, 33 IP addresses, three free text strings, and one URL.” Dkt. No. 93-1 at 133. Plaintiffs point to two of these notices as evidence that the PII from the Breach was on the dark web. Dkt. No. 92 at 9. Specifically, Plaintiffs rely on the notices stating:
On September 25, 2022, an offer for McMenamins' server information was posted on the online market “market_jmia” for $11 USD....No sensitive information related to McMenamins was found in the post.Dkt. No. 93-1 at 116.
On February 8, [2022,] the email generalinfo@mcmenamins[.]com was listed in a market for leaked databases via Telegram. The same email was listed in a market of leaked databases via DB Leaks, a channel that provides compromised databases, on February 28. There were no associated passwords present.Id. at 135. In contrast, McMenamins cites the same scans to argue that, despite more than three years of monitoring, none of Plaintiffs' PII was ever detected on the dark web. Dkt. No. 105 at 2.
Finally, the parties dispute whether Plaintiffs' PII was ever actually misused in a manner that resulted in cognizable harms. Plaintiffs allege that since the Breach, they each suffered the following “actual misuse of their PII”:
• Plaintiff Leonard “suffered a $400 fraudulent credit card charge”
• Plaintiff Frazier “suffered a fraudulent address change with his automobile creditor, as well as an unauthorized attempt to access his email account”
• Plaintiff Frye “suffered a drop in his credit score, as well as an increase in robocalls and spam texts”Dkt. No. 92 at 10 (internal quotations omitted). In a notice of supplemental facts filed on September 6, 2024, Plaintiff Frazier submitted two emails purporting to show that “loan applications had been submitted in his name, one of which was approved.” Dkt. No. 112 ¶ 2 (citing Dkt. No. 113). Plaintiffs also allege the value of their PII has been diminished, they have had to mitigate the risk of future harm, and that they have suffered emotional distress. Dkt. No. 92 at 1823.
C. Procedural History
On January 28, 2022, Plaintiffs sued McMenamins. Dkt. No. 1. On May 13, 2022, Plaintiffs filed the operative amended class action complaint. Dkt. No. 18. Plaintiffs' claims seek two types of relief: “(1) retrospective damages resulting from the theft of their PII, and (2) prospective injunctive relief requiring McMenamins to strengthen its data security systems and procedures.” Dkt. No. 24 at 4.
Plaintiffs seek damages as part of their claims for unjust enrichment, breach of fiduciary duty, breach of confidence, and bailment (Dkt. No. 18 ¶¶ 187, 195, 206, 214); injunctive relief as part of their claim for declaratory relief (id. ¶ 227); and both damages and injunctive relief as part of their claims for negligence, breach of contract, breach of implied contract, and violation of the Washington Consumer Protection Act (“CPA”) (id. ¶¶ 147-48, 158, 178-79, 223).
McMenamins moved to dismiss under Federal Rule of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction, arguing that Plaintiffs lacked standing to assert their damages claims because their alleged harms were too speculative. Dkt. No. 24 at 4. In response, Plaintiffs argued that they suffered three harms that constituted injuries-in-fact: (1) the “increased risk” of identity theft caused by the Breach, “requiring them to take mitigatory action they otherwise would not have to take”; (2) “the diminution in value of the Private Information belonging to Plaintiffs and the Class that remains in the possession and control of Defendant”; and (3) the “actual misuse” of former Plaintiff deGrasse's PII by cybercriminals. Id.
Before voluntarily dismissing his claims under Federal Rule of Civil Procedure 41 (Dkt. No. 56), deGrasse had alleged “unauthorized individuals charged Mr. deGrasse's Visa credit card account for more than $1000 under multiple merchant names[.]” Dkt. No. 18 ¶ 14.
United States District Judge Barbara J. Rothstein denied the motion to dismiss. Dkt. No. 24. Judge Rothstein found that Plaintiffs had standing to allege “actual harm resulting from the theft of Plaintiffs' PII itself.” Id. at 9. Judge Rothstein also concluded that Plaintiffs had standing to seek injunctive relief. Id. at 11. But, relying on TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), Judge Rothstein rejected Plaintiffs' claim for “increased risk” of identity theft and any monitoring or emotional distress arising from this risk, ruling that such a risk was insufficiently concrete to satisfy the injury-in-fact requirement for Article III standing. Id. at 7-8. The case was then transferred to this Court.
The parties conducted discovery and this Court adjudicated multiple discovery disputes. Dkt. Nos. 60, 62, 64. McMenamins now moves for summary judgment. Dkt. No. 86. Plaintiffs move for partial summary judgment on liability (Dkt. No. 84), and for class certification under Federal Rule of Civil Procedure 23(b)(2) and (3). Dkt. No. 81. On August 7, 2024, the Court heard oral argument on all three motions. Dkt. No. 111.
II. ANALYSIS
The Court has subject matter jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d), which means the Court is sitting in diversity and will apply substantive Washington state law. Eiess v. USAA Fed. Sav. Bank, 404 F.Supp.3d 1240, 1249 (N.D. Cal. 2019).
A. Legal Standard on Motions for Summary Judgment
Summary judgment is appropriate only when “the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(a). The Court does not make credibility determinations or weigh the evidence at this stage. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255 (1986). The sole inquiry is “whether the evidence presents a sufficient disagreement to require submission to a jury or whether it is so one-sided that one party must prevail as a matter of law.” Id. at 251-52.
The Court will, however, enter summary judgment “against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial.” Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986). Once the moving party has carried its burden under Rule 56, “the nonmoving party must come forward with specific facts showing that there is a genuine issue for trial.” Matsushita Elec. Indus. Co., Ltd. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986) (cleaned up). “An issue is ‘genuine' only if there is sufficient evidence for a reasonable fact finder to find for the non-moving party.” Far Out Prods., Inc. v. Oskar, 247 F.3d 986, 992 (9th Cir. 2001) (citing Anderson, 477 U.S. at 248-49). Metaphysical doubt is insufficient, Matsushita, 475 U.S. at 586, as are conclusory, non-specific allegations, Lujan v. Nat'l Wildlife Fed'n, 497 U.S. 871, 888-89 (1990).
While tempting to skip the legal standard for summary judgment due to its familiarity and rote recitation in opinions and briefs, this standard is what distinguishes nearly all cases cited by Plaintiffs in opposition to McMenamins' motion and is the through-line in the Court's analysis below. Recognizing that the law concerning cybersecurity is rapidly expanding, the authority relied on by Plaintiffs to establish the sufficiency of their claims is nearly all in the context of motions to dismiss. While Plaintiffs' alleged injuries may have been (in part) sufficiently pleaded for standing purposes (see Dkt. No. 24), at this stage of the case, specific evidence is required to establish disputed issues for trial. Because Plaintiffs have failed to offer such evidence, and for the other reasons identified below, Federal Rule of Civil Procedure 56 requires dismissal of their claims.
B. The Breach of Confidence Claim Is Dismissed.
McMenamins is correct that Washington does not recognize a cause of action for “breach of confidence.” Nienaber v. Overlake Hosp. Med. Ctr., No. 2:23-CV-01159-TL, 2024 WL 2133709, at *11 (W.D. Wash. May 13, 2024). Plaintiffs do not respond to this argument raised in McMenamins' motion. See generally Dkt. No. 92 at 2. Accordingly, the breach of confidence claim is dismissed.
C. The Unjust Enrichment Claim Is Dismissed.
McMenamins argues that Plaintiffs' unjust enrichment claim is precluded by Plaintiffs' employment contracts and that Plaintiffs have failed to show a benefit conferred by Plaintiffs that McMenamins unjustly retained. The Court agrees.
An unjust enrichment claim requires three elements:
a benefit conferred upon the defendant by the plaintiff; an appreciation or knowledge by the defendant of the benefit; and the acceptance or retention by the defendant of the benefit under such circumstances as to make it inequitable for the defendant to retain the benefit without the payment of its value.Young v. Young, 191 P.3d 1258, 1262 (Wash. 2008). Plaintiffs correctly note that some courts have recognized that an unjust enrichment claim could arise out of a data breach case at the pleading stage. See, e.g., In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1145 (C.D. Cal. 2021) (unjust enrichment claim survived motion to dismiss where “Plaintiffs alleged that they paid Defendants money for Defendants' services and expected that a portion of their payments would go toward ‘data management and security'”). But Plaintiffs make no such allegations here.
Rather, Plaintiffs' complaint does not define the benefit allegedly conferred upon McMenamins via the provision of their PII, or how McMenamins has retained it unjustly. The complaint cryptically alleges, “Defendant profited from Plaintiffs' purchases and used Plaintiffs' and Class member's Private Information for business purposes.” Dkt. No. 18 ¶ 181. This boilerplate allegation has no apparent connection to the facts of this case. In their opposition to McMenamins' motion, Plaintiffs reframe the argument as: McMenamins “‘received the benefits of Plaintiffs' labor[,]' and it would be ‘inequitable' to allow the employer to ‘retain the money it saved by shirking data-security.'” Dkt. No. 92 at 15 (quoting Sackin v. Transperfect Glob., Inc., 278 F.Supp.3d 739, 751 (S.D.N.Y. 2017)).
Even accepting Plaintiffs' claim that McMenamins “shirk[ed] data-security” (Dkt. No. 931 at 57-60), Plaintiffs point to no evidence in the record establishing that McMenamins saved money from insufficient cybersecurity policies or that any such hypothetical savings relates to or was derived from Plaintiffs' labor. Pengbo Xiao v. Feast Buffet, Inc., 387 F.Supp.3d 1181, 1191 (W.D. Wash. 2019) (“[U]njust enrichment requires that a defendant received a right of benefit that belonged to the plaintiff.”). To the contrary, Plaintiffs do not cite the record in response to Defendant's motion on this claim at all. See Dkt. No. 92 at 15. As the nonmoving party, Plaintiffs bear the burden of identifying “with reasonable particularity the evidence that precludes summary judgment.” Keenan v. Allan, 91 F.3d 1275, 1279 (9th Cir. 1996) (quoting Richards v. Combined Ins. Co., 55 F.3d 247, 251 (7th Cir. 1995)). Because Plaintiffs have failed to do so, their unjust enrichment claim is dismissed.
D. The Bailment Claim Is Dismissed.
The parties agree that a bailment claim in Washington requires that “personalty is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled.” Dkt. No. 86 at 22, Dkt. No. 92 at 17; Gingrich v. Unigard Sec. Ins. Co., 788 P.2d 1096, 1101 (Wash.Ct.App. 1990). Plaintiffs do not show any express or implied contract to redeliver the PII. The only support for Plaintiffs' claimed expectation of redelivery of the PII is the Employee Benefits Security Administration's cybersecurity program “best practices” document that recommends a policy for “data disposal.” Dkt. No. 92 at 17 (citing Dkt. No. 93-1 at 174). There is no evidence these best practices apply to the PII here, and even if they did, Plaintiffs fail to show how these recommended practices create an actual or implied contract between Plaintiffs and McMenamins for the return of their PII. Thus, the bailment claim is dismissed.
E. The Contract Claims Are Dismissed.
In Washington, “[a] breach of contract is actionable only if the contract imposes a duty, the duty is breached, and the breach proximately causes damage to the claimant.” Nw. Indep. Forest Mfrs. v. Dep't of Lab. & Indus., 899 P.2d 6, 9 (Wash.Ct.App. 1995). Plaintiffs argue McMenamins breached the Electronic Access & Usage Policy (“E-Policy”). Dkt. No. 92 at 12. But it is undisputed that the E-Policy includes no promises by McMenamins toward its employees. See Dkt. No. 93-1 at 167-71 (E-Policy). Instead, it is a policy on how employees should handle PII that they may encounter in the course of their employment. See id. There is no express contract regarding McMenamins' duty to secure Plaintiffs' PII, thus Plaintiffs' breach of contract claim is dismissed.
Plaintiffs also contend that McMenamins entered an implied contract to protect employees' PII when it conditioned Plaintiffs' employment upon the provision of PII for federal work authorization purposes. Dkt. No. 92 at 14. In Washington, “an implied contract exists when parties make ‘an agreement depending for its existence on some act or conduct of party sought to be charged and arising by implication from circumstances which, according to common understanding, show mutual intention on part of parties to contract with each other.'” Pengbo Xiao, 387 F.Supp.3d at 1192 (quoting Johnson v. Nasi, 309 P.2d 380, 382 (Wash. 1957)). Plaintiffs identify no evidence showing a mutual intent to enter a contract that would obligate McMenamins to prevent a data breach. See Dkt. No. 86 at 21 (compiling deposition testimony where each Plaintiff admits McMenamins never made any representations about protecting their PII); Krottner v. Starbucks Corp., 406 Fed.Appx. 129, 131 (9th Cir. 2010) (finding documents could not lead to an implied contract when plaintiffs “do not allege that they read or even saw the documents”).
In response to McMenamins' motion, Plaintiffs rely on cases in which courts have recognized an implied contract arising out of a data breach, but again, these cases were decided at the pleading stage and under different state law. See Kirsten v. Cal. Pizza Kitchen, Inc., No. 2:21-CV-09578-DOC-KES, 2022 WL 16894503, at *5 (C.D. Cal. July 29, 2022) (finding implied contract claim survived under California law on a motion to dismiss); Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (same). This authority cannot save Plaintiffs' claim at summary judgment where they have failed to identify evidence of an implied contract.
In sum, there is no evidence giving rise to an express or implied contract regarding McMenamins' treatment of Plaintiffs' PII. Further, and as explained below (infra Section II(F)), even if there were, Plaintiffs cannot show damages, another required element for any contract claim. The contract claims are therefore dismissed.
F. The Negligence, Breach of Fiduciary Duty, and CPA Claims Fail for Lack of Cognizable Injury or Causation.
Each of the remaining causes of action requires Plaintiffs to prove injury or harm proximately caused by the Breach. See, e.g., Michaels v. CH2M Hill, Inc., 257 P.3d 532, 542 (Wash. 2011) (elements of a negligence claim); Miller v. U.S. Bank of Wash., N.A., 865 P.2d 536, 543 (Wash.Ct.App. 1994), as corrected (Feb. 22, 1994) (elements of breach of fiduciary duty claim); Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 719 P.2d 531, 540 (1986) (elements of a CPA claim). “Under Washington law, ‘[a]ctual loss or damage is an essential element in the formulation of the traditional elements necessary for a cause of action in negligence.. ..The mere danger of future harm, unaccompanied by present damage, will not support a negligence action.'” Krottner, 406 Fed.Appx. at 131 (citing Gazija v. Nicholas Jerns Co., 543 P.2d 338, 341 (Wash. 1975)).
Plaintiffs do not allege they have suffered direct financial losses because of the Breach, nor does any Plaintiff allege their identity has been stolen. As such, and consistent with Judge Rothstein's order (Dkt. No. 24), Plaintiffs rely on instances of alleged “actual misuse” of their PII as the anchor for their injury theories. Because these allegations are the lynchpin of their alleged harms, the Court will first consider whether Plaintiffs have raised a disputed fact as to whether any actual misuse of their PII was proximately caused by the Breach. The Court will then turn to Plaintiffs' four injury theories: (1) diminution in value of PII; (2) mitigating imminent and substantial risk of data misuse; (3) breach of contract; and (4) emotional distress. Dkt. No. 92 at 18.
Plaintiffs do not identify emotional distress injury as one of their enumerated injury theories (Dkt. No. 92 at 18), but include it in their opposition (id. at 23).
1. Plaintiffs do not show any “actual misuse” of their PII caused by the Breach.
“Washington recognizes two elements to proximate cause: cause in fact and legal causation.” Wuthrich v. King Cnty., 366 P.3d 926, 930 (Wash. 2016) (cleaned up). Cause in fact, the element at issue, “refers to the ‘but for' consequences of an act-the physical connection between an act and an injury.” Id. “While the question of cause in fact is generally for the jury, when the facts are undisputed and the inferences therefrom are plain and incapable of reasonable doubt or difference of opinion, factual causation may become a question of law for the court.” Baughn v. Honda Motor Co., 727 P.2d 655, 664 (Wash. 1986).
As the party with the burden of proof at trial for each element, Plaintiffs must “go beyond the pleadings and by [their] own affidavits, or by the depositions, answers to interrogatories, and admissions on file, designate specific facts showing that” a reasonable jury could find their PII was misused because of the Breach. Celotex, 477 U.S. at 324 (cleaned up). “[Plaintiffs] must produce at least some significant probative evidence tending to support the complaint.” Smolen v. Deloitte, Haskins & Sells, 921 F.2d 959, 963 (9th Cir.1990) (quotations omitted). While both parties primarily rely on cases considering injuries in data breach cases at the motion-to-dismiss stage, Plaintiffs cannot rest on the allegations in the pleadings to overcome a motion for summary judgment. See Ghebreselassie v. Coleman Sec. Serv., 829 F.2d 892, 898 (9th Cir.1987), cert. denied, 487 U.S. 1234 (1988).
Construing the facts in Plaintiffs' favor, the Court finds Plaintiffs have failed to raise a genuine issue of fact as to whether Plaintiffs' PII was misused as a result of the Breach.
The Court construes all the disputed facts in Plaintiffs' favor, including that McMenamins had inadequate security measures in place, that Plaintiffs' PII was in fact exfiltrated, and that it was posted on the dark web.
Beginning with Plaintiff Leonard, the only misuse of PII he claims is a fraudulent $400 credit card charge. Dkt. No. 92 at 19. Dispositively, the parties agree that Leonard's credit card information was not revealed in the Breach. Id. at 19 n.2. It is also undisputed that the fraudulent charge was fully refunded. Dkt. No. 93-1 at 156. Further, as Plaintiffs acknowledged at oral argument, Judge Rothstein rejected a similar claim from former Plaintiff deGrasse as “implausibly” related to the Breach. Dkt. No. 24 at 7. Plaintiffs argue that they “have since provided evidence regarding how the PII stolen in the Data Breach can be ‘merged with other data' to propagate identify theft schemes.” Dkt. No. 92 at 19 n.2 (citing Dkt. No. 93-1 at 55-56). But the cited portion of Plaintiffs' expert report merely explains that stolen data may be merged over time and resold. Dkt. No. 93-1 at 56. There is nothing in this portion of the report, or any other part of the report, that explains how a hacker could have used any of the PII here to obtain Leonard's credit card information. Moreover, McMenamins' expert showed each piece of PII from the Breach, except Leonard's social security number, is publicly available and that “he had personal data exposed in three (3) other data breaches potentially predating the [Breach].” Dkt. No. 110 at 15-20. Plaintiffs do not rebut this evidence. In sum, there is no evidence that this fraudulent credit card charge was related to the Breach at all, let alone caused by the Breach.
Plaintiffs' expert's declaration that “full name, SSN, DOB, and at least one recent address is frequently used to create and file fraudulent business entities, open bank accounts and be used for fraudulent wire transfers” does not connect the PII here with credit card fraud. Dkt. No. 93-1 at 62. Similarly, the expert's example of how a stolen identity may first appear online (id. at 63), fails to explain how a bad actor could make a fraudulent credit card charge without the credit card information.
Plaintiff Frazier's claims of actual misuse fare no better. First, he alleges his address was improperly changed with his auto lender (Dkt. No. 92 at 19), but there is no dispute that Frazier's auto loan information was not compromised in the Breach. Second, Frazier claims he received a notification to his Gmail account that “one of [his] tablets was trying to be accessed by an unknown location.” Dkt. No. 93-1 at 163. But again, Plaintiffs make no effort to explain how attempted access to Frazier's tablet (which he immediately denied (Dkt. No. 87 at 81)) is at all related to any PII potentially taken in the Breach. Finally, Frazier has belatedly proffered two emails claiming that loan applications were submitted in his name. Dkt. No. 112 ¶ 2. But Frazier does not claim that any loan application was in fact submitted, that any loan was approved, or that he suffered any adverse impact because of the two emails. Dkt. No. 113 at 1. Rather, the emails appear to be spam messages trying to entice Frazier to click a link without any apparent connection to the Breach. Dkt. No. 113 at 5-8. Such messages standing alone are not actionable. See e.g., I.C. v. Zynga, Inc., 600 F.Supp.3d 1034, 1052 (N.D. Cal. 2022) (“phishing attacks” and “various forms of spam” merely present “attempts” of identity theft and “cannot plausibly be considered independent injuries” under TransUnion, 594 U.S. at 436). This is especially true where, as here, there is no evidence that such attempts were successful. Id. (“Even assuming that these acts are fairly traceable to the Zynga data breach, plaintiffs do not allege that any of these attempts succeeded, again something they would presumably know.”); see also Krottner, 406 Fed.Appx. at 131 (finding no cognizable harm from a data breach when plaintiff “alleges no loss related to the attempt to open a bank account in his name”).
Nor do Plaintiffs rebut McMenamins' evidence that Frazier's address was publicly available or that “he received notice that his personal data had been compromised at least four different times before the [Breach].” Dkt. No. 110 at 15, 16, 28. Frazier has thus failed to raise a triable issue as to whether his PII has been misused because of the Breach. See Triton Energy Corp. v. Square D Co., 68 F.3d 1216, 1221 (9th Cir. 1995) (evidence to establish a genuine issue of material fact must be “of sufficient ‘quantum and quality'” to survive summary judgment).
Finally, there is no evidence connecting the Breach with Plaintiff Frye's alleged drop in credit score or increase in spam calls. In his deposition, Frye admitted the drop in his credit score was likely from his student loans coming due. Dkt. No. 93-1 at 140. And Plaintiffs' expert offers no testimony about how access to Frye's PII alone could have impacted his credit score. As to the spam calls, Plaintiffs do not provide any evidence, or even explanation, for how the Breach could have led to increased spam calls. McMenamins' expert identified many locations where Frye's phone number was publicly available before the Breach (Dkt. No. 110 at 22-23), which Plaintiffs do not address. Moreover, many courts in this circuit have ruled that “receipt of spam texts, calls, and emails and [a plaintiff's] time spent ‘sifting through' this unwanted information does not constitute injury-in-fact for standing.” Black v. IEC Grp., Inc., No. 1:23-CV-00384-AKB, 2024 WL 3623361, at *6 (D. Idaho July 30, 2024); Zynga, 600 F.Supp.3d at 1051 (collecting cases); Jackson v. Loews Hotels, Inc., No. ED CV 18-827-DMG, 2019 WL 6721637, at *4 (C.D. Cal. July 24, 2019) (collecting cases). Plaintiffs do not address this authority or provide any reason to depart from it here.
Along with the flaws outlined above, the record lacks specifics about when or how each claimed misuse occurred. Plaintiffs' expert opines on many topics related to cybersecurity generally, but she does not opine specifically about any Plaintiff's alleged injury or explain how the allegedly stolen PII could be used to carry out any of the claimed misuse. See Dkt. No. 92 at 24-25. To survive summary judgment, Plaintiffs need only provide enough evidence “for a reasonable fact finder to find for the non-moving party.” Far Out Prods., 247 F.3d at 992. Yet Plaintiffs have failed to do so. See, e.g., Brit. Airways Bd. v. Boeing Co., 585 F.2d 946, 951-53 (9th Cir. 1978) (affirming the trial court's grant of defendant's motion for summary judgment when plaintiff's evidence could not show a product defect could have caused a plane crash); Triton Energy Corp, 68 F.3d at 1221 (affirming summary judgment for defendant when “[a]t best [plaintiff's] evidence merely suggests [] a weak possibility”).
2. Without evidence of actual misuse caused by the Breach, Plaintiffs cannot show their PII has diminished in value.
The parties dispute whether the diminution in value of PII is a cognizable injury and, if it is, whether Plaintiffs have provided sufficient evidence to support this injury at summary judgment.
Multiple courts have recognized this theory of injury for standing purposes at the motion-to-dismiss stage. See Doe v. Microsoft Corp., No. C23-0718-JCC, 2023 WL 8780879, at *4 (W.D. Wash. Dec. 19, 2023) (applying California law and collecting cases). That said, neither party cites any authority substantiating or undermining such a claim on the merits. Assuming, without deciding, that this theory is cognizable under Washington law, the parties agree there are two elements necessary to show PII has diminished in value: (1) the existence of a market for the PII, and (2) an impairment of Plaintiffs' ability to participate in that market. Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 46 (D. Ariz. 2021).
First, Plaintiffs must show “a market for their personal information exists[.]” Dkt. No. 105 at 5, Dkt. No. 92 at 18. Their expert declaration creates an issue of material fact on whether there is a market for Plaintiffs' PII. Dkt. No. 93-1 at 26 (“The breached employee data is in consistent high demand and therefore carries a high value in the criminal underworlds.”).
Second, Plaintiffs must show their “ability to participate in the economic marketplace is impaired[.]” Dkt. No. 92 at 19, Dkt. No. 86 at 14. Plaintiffs argue impairment can be shown through “actual and potential future misuse of their PII.” Dkt. No. 92 at 19. In contrast, McMenamins asserts that impairment requires proof that Plaintiffs either sold or intended to sell their PII. Dkt. No. 86 at 15, Dkt. No. 105 at 5-7. Courts have evaluated the impairment prong at the pleading stage using various tests. Compare Quinalty v. FocusIT LLC, No. CV-23-00207-PHX-JJT, 2024 WL 342454, at *5 (D. Ariz. Jan. 30, 2024) (“allegation of diminished PII value is insufficient to establish damages” when plaintiff “does not allege she can no longer sell her personal data on the market, nor does she allege she ever has, intends to, or intended to sell her personal data”), with Smallman v. MGM Resorts Int'l, 638 F.Supp.3d 1175, 1191 (D. Nev. 2022) (finding PII is not valued solely by its sale to “the highest bidder, but rather in the economic benefit the consumer derives from being able to purchase goods and services remotely and without the need to pay in cash or a check” (quoting In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 462 (D. Md. 2020))). Neither party provides authority applying a test for impairment at summary judgment.
At this stage, no matter how impairment is measured, Plaintiffs need to provide more than mere allegations. Lewis, 518 U.S. at 358 (“In response to a summary judgment motion.. .plaintiff can no longer rest on such mere allegations, but must set forth by affidavit or other evidence specific facts, which for purposes of the summary judgment motion will be taken to be true.”). They fail to do so. Even if Plaintiffs are correct that misuse of PII could establish impairment of Plaintiffs' ability to participate in the marketplace, as detailed above, Plaintiffs fail to provide evidence of actual misuse caused by the Breach. See Section II(E)(1).
In sum, Plaintiffs fail to show their ability to participate in any market for PII, whether it be the black market or the daily use of their PII, has been impaired by the Breach. The diminution of value theory fails.
3. Without evidence of actual misuse caused by the Breach, Plaintiffs' mitigation injury theory fails.
Plaintiffs claim they have been harmed by “a material risk of future harm that is imminent and substantial” and “the separate harm of losing time and money mitigating against these actualized risks.” Dkt. No. 92 at 22. The Court previously found these harms were inadequately alleged and that Plaintiffs did not have standing to seek recovery for these injuries. Dkt. No. 24 at 7-8. Specifically, the Court held “in the absence of any indication that hackers have attempted to misuse Plaintiffs' PII... Plaintiffs have not adequately alleged that identity theft is ‘certainly impending'” and “the increased risk of identity theft allegedly faced by Plaintiffs cannot constitute concrete harm sufficient for standing.” Id. at 8. Plaintiffs argue that because they now have evidence to show their “PII was actually misused, this creates a disputed fact as to whether the risk of future harm rose to the level of ‘certainly impending' and whether Plaintiffs' mitigation efforts were warranted.” Dkt. No. 92 at 21. As explained above, Plaintiffs do not provide any evidence that the Breach caused any actual misuse nor provide evidence that identify theft is certainly impending. See supra Section II(F)(1). Accordingly, their mitigation injury fails. See TransUnion, 594 U.S. at 438 (finding injury too speculative for standing when plaintiffs failed to evidence facts that would make a future injury likely to occur).
4. Plaintiffs' “breach of contract” injury theory fails.
Plaintiffs urge the Court to find that the alleged breach of contract by itself satisfies the injury element for each of these causes of action. Dkt. No. 92 at 22-23. The Court already determined there was no express or implied contract between the parties regarding Plaintiffs' PII. See supra Section II(E). Thus, there is no contract that was breached by McMenamins, and this injury theory fails.
Moreover, a breach of contract alone is not enough to establish contract damages, contrary to Plaintiffs' claims. Promedev, LLC v. Wilson, No. C22-1063JLR, 2024 WL 1606667, at *2 (W.D. Wash. Apr. 12, 2024) (“Mere proof that there was a breach of contract without more will not support a verdict in favor of a [claimant], even for nominal damages.”) (quoting DC Farms, LLC v. Conagra Foods Lamb Weston, Inc., 317 P.3d 543, 553 (Wash.Ct.App. 2014)). This is not a viable injury theory.
5. Plaintiffs' emotional distress injury theory fails.
Plaintiffs argue the injury prong of the negligence, breach of fiduciary duty, and CPA claims is met by the deposition testimony that each Plaintiff has experienced increased anxiety or worry since the Breach. Dkt. No. 92 at 23. There are at least three reasons this theory fails. First, emotional distress damages are not recoverable under the CPA. Wash. St. Physicians Ins. Exch. & Ass'n. v. Fisons Corp., 858 P.2d 1054, 1064-66 (Wash. 1993) (en banc). Second, Plaintiffs' allegation of emotional harm is one sentence in their complaint (Dkt. No. 18 ¶ 116) and Judge Rothstein already found this allegation insufficient for standing purposes. Dkt. No. 24 at 8.
Third, even if the emotional distress damages survived the motion to dismiss, Plaintiffs fail to provide sufficient evidence to support their claimed damages. In Washington, to recover for emotional distress damages when no physical injury occurred, a plaintiff must show the emotional distress was: “(1) within the scope of foreseeable harm of the negligent conduct, (2) a reasonable reaction given the circumstances, and (3) manifested by objective physical symptomology.” Bylsma v. Burger King Corp., 293 P.3d 1168, 1170 (Wash. 2013); Nord v. Shoreline Sav. Ass'n, 805 P.2d 800, 805 (Wash. 1991) (acknowledging objective symptoms are required for non-intentional torts). Plaintiffs' anemic deposition testimony that they experience “worry” or “anxiety” from certain actions (Dkt. No. 92 at 23), is insufficient to survive summary judgment and any claim for damages from emotional distress are dismissed. See, e.g., Nagarajan v. Lian, No. 82644-1-I, 2023 WL 1777237, at *3 (Wash.Ct.App. Feb. 6, 2023) (affirming summary judgment dismissal of negligent infliction of emotional distress claim when the only evidence was plaintiff's deposition testimony “where he testified that he suffered nightmares, difficult sleeping, and financial pressure”) (unpublished).
Plaintiffs rely on Zhang v. American Gem Seafoods, Inc., 339 F.3d 1020 (9th Cir. 2003) to argue testimony alone on emotional distress damages can create a genuine dispute of material fact. Dkt. No. 92 at 23. But Zhang was decided under federal employment law, not Washington common law. 339 F.3d at 1023. Regardless, Plaintiffs' testimony is insufficient to raise a triable issue for the reasons stated above.
In sum, Plaintiffs do not show any evidence that a cognizable injury could have resulted from the Breach. Accordingly, the negligence, breach of fiduciary duty, and CPA claims are dismissed.
G. The Declaratory Judgment Claim Is Dismissed.
Because the Court dismisses each cause of action, Plaintiffs' request for declaratory judgment also fails. See Jones v. Ford Motor Co., No. 3:21-CV-05666-DGE, 2022 WL 1423646, at *5 (W.D. Wash. May 5, 2022) (“Without an underlying cause of action, there is no claim for declaratory relief.” (cleaned up)), aff'd, 85 F.4th 570 (9th Cir. 2023).
H. The Motion for Class Certification Is Denied as Moot.
When dispositive motions and motions for class certification are filed concurrently, “[u]nder the proper circumstances-where it is more practicable to do so and where the parties will not suffer significant prejudice-the district court has discretion to rule on a motion for summary judgment before it decides the certification issue.” Saeger v. Pac. Life Ins. Co., 305 Fed.Appx. 492, 493 (9th Cir. 2008) (quoting Wright v. Schock, 742 F.2d 541, 543-44 (9th Cir. 1984)). During oral argument, the Court asked each party which pending motion, of the three, it should decide first. Unsurprisingly, both parties expressed a preference for any dispositive order in their favor to bind any future class, but neither party identified any prejudice that would be suffered if the Court ruled on a dispositive motion before addressing class certification.
By moving for summary judgment while simultaneously opposing class certification, McMenamins risked that a ruling in its favor would only bind the named plaintiffs. Wright, 742 F.2d at 544 (“Where the defendant assumes the risk that summary judgment in his favor will have only stare decisis effect on the members of the putative class, it is within the discretion of the district court to rule on the summary judgment motion first.”). McMenamins declined to waive its objection to class certification, which could have allowed a ruling in its favor to bind the class.
Because neither party identified any prejudice, the Court found it most efficient to rule on McMenamins' motion for summary judgment first. See, e.g., Schwarzschild v. Tse, 69 F.3d 293, 297 (9th Cir. 1995) (“[W]hen defendants obtain summary judgment before the class has been properly certified or before notice has been sent.. .the district court's decision binds only the named plaintiffs.”); Estakhrian v. Obenstine, 859 Fed.Appx. 121, 122 (9th Cir. 2021) (affirming ruling on summary judgment before class certification). Since the motion for summary judgment is granted and this case is dismissed, the pending motion for class certification is denied as moot.
III. CONCLUSION
For these reasons, the Court GRANTS Defendant's motion for summary judgment. Dkt. No. 86. The Court will enter judgment in Defendant's favor.
Because this order resolves the case in full, Plaintiffs' motion for partial summary judgment is denied. Dkt. No. 84. Plaintiffs' motion for class certification (Dkt. No. 81) and the parties' pending motions in limine (Dkt. Nos. 114, 115) are DENIED as MOOT.