Opinion
4:21-CV-00149-JAR
08-03-2021
MEMORANDUM AND ORDER
JOHN A. ROSS UNITED STATES DISTRICT JUDGE
This matter is before the Court on Defendant Belden, Inc.'s (“Belden”) Motion to Dismiss Plaintiff's First Amended Complaint. (Doc. 18). The motion is fully briefed and ready for disposition. For the reasons discussed below, the motion will be granted in part and denied in part.
All facts in this section are taken from the First Amended Complaint (Doc. 16) and accepted as true for purposes of Belden's motion to dismiss.
Belden is a large manufacturer in the electronics industry. Plaintiff Kia Mackey (“Mackey”) was a Belden employee from 2019 to 2020. On December 11, 2020, Mackey received a notice from Belden stating that her Personally Identifiable Information (“PII”) may have been exposed in a data breach. The letter indicated that on November 12, 2020, Belden information technology professionals detected unusual activity and determined that Belden had been the target of a sophisticated attack by an outside party (the “Data Breach”). A few days later, Belden learned that the outside party accessed servers containing certain current and former employees' PII, including but not limited to social security numbers and bank account information. Belden offered 24 months of identity theft monitoring and protection services to the effected individuals.
Weeks after the Data Breach, TurboTax notified Mackey that individuals had attempted to file a tax return on her behalf using her social security number. Mackey, individually and on behalf of similarly situated individuals, seeks damages against Belden on various grounds including negligence, breach of implied contract, and breach of fiduciary duty, among other claims. Belden has moved to dismiss each of these counts and broadly contends that Mackey lacks standing.
II. LEGAL STANDARD
When ruling on a motion to dismiss for failure to state a claim under Fed.R.Civ.P. 12(b)(6), this Court must “accept the allegations contained in the complaint as true and all reasonable inferences from the complaint must be drawn in favor of the nonmoving party.” Young v. City of St. Charles, 244 F.3d 623, 627 (8th Cir. 2001). To survive the motion to dismiss, the First Amended Complaint “must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). While detailed factual allegations are not necessary at this stage, Mackey's obligation to provide the grounds of her entitlement to relief “requires more than labels and conclusions.” Twombly, 550 U.S. at 555. Dismissal is warranted, moreover, if the First Amended Complaint is “fatally flawed in [its] legal premises and designed to fail, thereby sparing litigants the burden of unnecessary pretrial and trial activity.” Young, 244 F.3d at 627 (citing Neitzke v. Williams, 490 U.S. 319, 326-27 (1989)).
III. CHOICE OF LAW
Mackey suggests that Missouri law governs this dispute because Belden is headquartered in Missouri and the “decisions or actions that gave rise to the underlying facts at issue . . . were presumably made or taken in Missouri.” (Doc. 16 at ¶ 22). Belden responds that each claim in the class action requires an individualized choice-of-law analysis, and Mackey's claims should be governed by the law of her home state of Indiana. See In re St. Jude Med., Inc., 425 F.3d 1116, 1120 (8th Cir. 2005) (citing Phillips Petroleum Co. v. Shutts, 472 U.S. 797, 822-23 (1985)). Belden also argues that this is a false conflict because the claims fail under both Indiana and Missouri law. (Doc. 19 at 11). See Ronnoco Coffee, LLC v. Westfeldt Brothers, Inc., 939 F.3d 914, 920 (8th Cir. 2019) (citation omitted) (“[W]here the laws of the two jurisdictions would produce the same result on the particular issue presented, there is a ‘false conflict,' and the Court should avoid the choice-of-law question.”).
District courts sitting in diversity apply the choice-of-law rules of the forum state. Winter v. Novartis Pharms. Corp., 739 F.3d 405, 410 (8th Cir. 2014) (citation omitted); see also Cicle v. Chase Bank USA, 583 F.3d 549, 553 (8th Cir. 2009) (applying same rule in Class Action Fairness Act case). Missouri has adopted the Restatement (Second) of Conflict of Laws and this Court must accordingly apply the “most significant relationship” test in a tort action. See Perras v. H&R Block, Inc., No. 12-00450-CV-W-BP, 2013 WL 11541919, at *3 (W.D. Mo. Nov. 13, 2013) (“Missouri has generally adopted the Restatement (Second) of Conflict of Laws.”). The test requires consideration of four factors: the place where the injury occurred; the place where the conduct causing the injury occurred; the domicile, residence, nationality, place of incorporation and place of business of the parties; and the place where the relationship, if any, between the parties is centered. Winter, 739 F.3d at 410; see RESTATEMENT (SECOND) OF CONFLICT OF LAWS § 145 (1971). Missouri courts have adopted a presumption that “the state with the most significant relationship is the state where the injury occurred.” Dorman v. Emerson Elec. Co., 23 F.3d 1354, 1358 (8th Cir. 1994); see RESTATEMENT (SECOND) OF CONFLICT OF LAWS § 146 (1971). Mackey has also made certain claims which may sound in contract, requiring this Court to consider five factors: the place of contracting; the place of negotiating the contract; the place of performance; the location of the subject matter of the contract; and the domicile, residence, nationality, place of incorporation and place of business of the parties. Zafer Chiropractic & Sports Injs., P.A. v. Hermann, 501 S.W.3d 545, 551 (Mo.Ct.App. 2016) (citations omitted); see RESTATEMENT (SECOND) OF CONFLICT OF LAWS § 188 (1971).
First, this Court finds that a genuine conflict between Missouri and Indiana law exists. The First Amended Complaint implicates various state law issues where Missouri and Indiana have adopted materially different rules. Belden contends, for example, that Indiana does not recognize employers and employees as having a special relationship. (Doc. 19 at 12). Though Indiana law does appear to recognize a duty of disclosure as to risks of physical harm or pecuniary loss. N. Ind. Pub. Serv. Co. v. Bloom, 847 N.E.2d 175, 187 (Ind. 2006); see RESTATEMENT (SECOND) OF AGENCY § 435 (1958). Missouri courts, however, routinely consider the employer-employee relationship among those special relationships creating a duty in tort. See, e.g., Hudson v. Riverport Performance Arts Ctr., 37 S.W.2d 261, 264 (Mo.Ct.App. 2000) (citation omitted). Indiana law also does not appear to recognize an exception to the economic loss doctrine for special relationships. See U.S. Bank, N.A. v. Integrity Land Title Corp., 929 N.E.2d 742, 745-46 (Ind. 2010) (recognizing certain exceptions to economic loss doctrine). These distinctions are central to the disposition of Mackey's negligence claim.
Mackey's claim that Belden violated the covenant of good faith and fair dealing would also fail under Indiana law because such a covenant would not necessarily be implied in a contract for the exchange of PII. Old Nat'l Bank v. Kelly, 31 N.E.3d 522, 531 (Ind.Ct.App. 2015) (citation omitted) (“Indiana law does not impose a generalized duty of good faith and fair dealing on every contract.”). Missouri law, as discussed further below, imposes such a covenant in every contract. Arbors Sugar Creek Homeowners Assoc. v. Jefferson Bank & Trust Co., Inc., 464 S.W.3d 177, 185 (Mo. banc 2015) (citation omitted) (“Under Missouri law, a duty of good faith and fair dealing is implied in every contract.”).
Second, this Court holds that Missouri law applies to Mackey's claims. This Court recognizes the presumption that the state where the injury occurred is typically the state with the most significant relationship. But this Court concurs with the various other courts who have concluded that such presumption can be overcome in the data breach context. See, e.g., Veridian Credit Union v. Eddie Bauer, LLC, 259 F.Supp.3d 1140, 1153 (W.D. Wash. 2017) (“[T]he location of the alleged harm was fortuitous, and the place of injury does not play an important role in the court's choice of law analysis here.”); Nat'l Union Fire Ins. Co. of Pittsburgh v. Tyco Integrated Sec., No. 13-CV-80371, 2015 WL 3905018, at *13 (S.D. Fla. June 25, 2015) (“Although the harm resulting from the injury manifested in Connecticut, the asserted cause of action and theory of liability did not.”).
Comments to the Restatement (Second) of Conflict of Laws specifically discuss situations in which the place of injury “will not play an important role”:
This will be so, for example, when the place of injury can be said to be fortuitous or when for other reasons it bears little relation to the occurrence and the parties with respect to the particular issue. This will also be so when . . . there may be little reason in logic or persuasiveness to say that one state rather than another is the place of injury, or when . . . injury has occurred in two or more states. RESTATEMENT (SECOND) OF CONFLICT OF LAWS § 145, cmt. e (1971).This case offers a quintessential example of when the location of the plaintiff's injury is fortuitous and the law of the place where the defendant's conduct occurred should be given more weight. Belden is headquartered in Missouri; the Data Breach occurred in Missouri; the allegedly negligent actions by Belden resulting in the Data Breach occurred in Missouri. Mackey's living in Indiana cannot overcome these clear, significant contacts to Missouri. Applying Missouri law is particularly appropriate given the Restatement (Second) of Conflict of Law's recommendation that courts broadly consider the “certainty, predictability and uniformity of result, and ease in the determination and application of the law to be applied.” RESTATEMENT (SECOND) OF CONFLICT OF LAWS § 6(f), (g) (1971). Because Missouri has the most significant contacts to the Data Breach despite Mackey residing in Indiana, this Court will apply Missouri law to Mackey's claims. Belden should not be surprised by the application of the law of the state where it is located. See In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. 482, 486 (D. Minn. 2015) (internal quotation omitted) (“Target can not claim surprise by the application of Minnesota law to conduct emanating from Minnesota.”).
This Court also finds that Missouri law applies to Mackey's claims sounding in contract for similar reasons. While the Court has very limited information regarding the circumstances surrounding the implied contract alleged by Mackey (discussed further below), Mackey's PII was in Belden's control and subject to decisions by Belden in Missouri, justifying application of Missouri law. See In re Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2019 WL 3410382, at *15 (D. Ore. July 29, 2019) (“Under the facts of this data breach, the Court finds the choice-of-law interests better served by applying Washington law, where Premera is located, the data was maintained, the data security was allegedly inferior, and the breach occurred.”); Willingham v. Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702, at *15 (N.D.Ga. Feb. 5, 2013) (“Defendant's principal place of business is in Georgia, the data breach occurred in Georgia, and to the extent, if any, Defendant breached a duty to consumers, it did so in Georgia.”).
IV. JURISDICTION
A. Class Action Fairness Act
Mackey pleads that federal jurisdiction exists pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d) (“CAFA”). (Doc. 16 at ¶ 19). Under CAFA, federal jurisdiction requires an aggregate amount in controversy over $5 million and minimal diversity (i.e., one plaintiff and one defendant are citizens of different states). CAFA also recognizes narrow exceptions to this jurisdiction, including when there are less than 100 proposed plaintiffs. See Downing v. Riceland Foods, Inc., 298 F.R.D. 587, 590 (E.D. Mo. 2014). Mackey bears the burden of establishing jurisdiction under CAFA. Westerfeld v. Indep. Processing, LLC, 621 F.3d 819, 822 (8th Cir. 2010).
Mackey has alleged that “there are more than 100 Class members, at least one Class member is a citizen of a state different from that of Defendant, and the amount in controversy exceeds $5 million, exclusive of interest and costs.” (Doc. 16 at ¶ 19). Belden has not challenged the existence of subject matter jurisdiction under CAFA. At this juncture, this Court assumes that these allegations are true and that a reasonable factfinder could conclude that damages are greater than $5 million. See Grawitch v. Charter Commc'ns, Inc., 750 F.3d 956, 960-61 (8th Cir. 2014). This Court will continue to assess the presence of jurisdiction in this case as the factual record develops.
B. Standing
Belden contends that Mackey lacks standing to pursue this action. A putative class action can proceed as long as one named plaintiff has standing. See Horne v. Flores, 557 U.S. 433, 446 (2009). A court deciding if subject matter jurisdiction exists must first distinguish between a facial and factual attack on jurisdiction. Osborn v. United States, 918 F.2d 724, 729 n.6 (8th Cir. 1990) (citation omitted). Belden argues that the allegations in Mackey's First Amended Complaint, taken as true, are insufficient to establish standing. This is a facial attack on standing, meaning the Court “restricts itself to the face of the pleadings and the non-moving party receives the same protections as it would defending against a motion brought under Rule 12(b)(6).” Branson Label, Inc. v. City of Branson, Mo., 793 F.3d 910, 914 (8th Cir. 2015) (citation omitted).
Federal jurisdiction is limited to “Cases” and “Controversies” under Article III, § 2 of the United States Constitution. The Supreme Court has interpreted this jurisdictional limit as requiring that plaintiffs establish their standing to sue. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). The “irreducible constitutional minimum” of standing has three elements: the plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision. Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (citation omitted). At the pleadings stage, plaintiff has the burden of clearly alleging facts demonstrating each element. Id. While Belden only claims Mackey fails to meet the traceability requirement, this Court has an independent obligation to ensure it has subject matter jurisdiction.
It is readily apparently that Mackey's injuries are likely to be redressed by a favorable judicial decision, and Belden does not argue otherwise. Therefore, this Court will not separately discuss redressability.
Injury in Fact
To establish injury in fact, Mackey must demonstrate that she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560. Courts have struggled to apply the injury in fact requirement of standing to data breaches. See, e.g., Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1050 (E.D. Mo. 2009) (“Whether individuals have Article III standing to bring these [data breach] lawsuits in federal court is a question that has been raised in many venues, to which divergent answers have been given.”). Mackey alleges that she suffered injuries including: (a) diminution in the value of her PII; (b) loss of her privacy; (c) time spent directly attributable to the Data Breach; and (d) imminent and impending injury arising from the increased risk of fraud and identity theft. (Doc. 16 at ¶ 18). This Court finds that Mackey has sufficiently plead that she suffered injury in fact due to the nature of the PII stolen and because individuals have already attempted to file a tax return on her behalf using the stolen data.
The Supreme Court has clearly recognized that future injury can be sufficient to establish standing if such injury is “clearly impending” or there is a “substantial risk the harm will occur.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n.5 (2013). In In re SuperValu, Inc., the Eighth Circuit determined that the presence of clearly impending injury in the data breach context “turn[s] on the substance of the allegations before each court.” 870 F.3d 763, 769 (8th Cir. 2017). The court found no imminent injury but specifically noted that the stolen data did “not include any [PII], such as social security numbers.” Id. at 770 (emphasis added). The Eighth Circuit ultimately held there was no substantial risk of identity theft because, among other reasons, “there is little to no risk that anyone will use the Card Information stolen in these data breaches to open unauthorized accounts.” Id. By comparison, Mackey had PII including her social security number stolen and individuals appear to have already used this information to attempt to file a tax return on her behalf. See Portier v. NEO Tech. Sols., No. 3:17-CV-30111-TSH, 2019 WL 7946103, at *12 (D. Mass. Dec. 31, 2019) (“Because Social Security numbers are the gold standard for identity theft, their theft is significant.”). This is not a “speculative, hypothetical harm.” Kuehl v. Sellner, 887 F.3d 845, 851 (8th Cir. 2018). The Court finds that injury is clearly imminent where PII including social security numbers has been stolen by hackers and unauthorized persons have already attempted to use such information to falsely file a tax return on a plaintiff's behalf.
This Court also finds that Mackey suffered actual injury when she spent hours speaking with TurboTax regarding the false tax return. Mackey also alleges that she “spent and continues to spend additional time reviewing her credit monitoring service results.” (Doc. 16 at ¶¶ 16-17). This Court recognizes that Mackey “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm.” Clapper, 568 U.S. at 402. But Mackey is not manufacturing anything; her data was stolen by sophisticated hackers, and she claims to have taken necessary and appropriate action to prevent further damages. See In re Supervalu, Inc., 870 F.3d at 772 (“[D]efendants do not contest that identity theft constitutes an actual, concrete, and particularized injury.”). This Court finds that Mackey suffered injury in fact by expending time and resources in responding to an actual attempted identity theft.
Traceability
Belden argues that Mackey's injuries are not fairly traceable to any conduct by Belden because the First Amended Complaint “does not identify a single alleged deficiency in Belden's data security practices, and does not allege anything about what steps Belden could have, but did not take, to prevent the [Data Breach].” (Doc. 19 at 9). At the outset, this Court disagrees with Belden's characterization of Mackey's allegations. The First Amended Complaint includes the following statements, all of which speak directly to the alleged deficiencies in Belden's security practices:
• Belden failed to employ reasonable and appropriate measures to protect against unauthorized access to confidential employee data. Belden's security policies and practices constitute unfair acts or practices prohibited by Section 5 of the [Federal Trade Commission Act], 15 U.S.C. § 45. (Doc. 16 at ¶ 51).
• The Data Breach was a direct and proximate result of Belden's failure to: (a) properly safeguard and protect Plaintiff's and Class members' PII from unauthorized access, use and disclosure, as required by various state and federal regulations, industry practices, and common law; (b) establish and implement appropriate administrative, technical,
and physical safeguards to ensure the security and confidentiality of Plaintiff's and Class members' PII; and (c) protect against reasonably foreseeable threats to the security or integrity of such information. (Id. at ¶ 54).
• Had [Belden] remedied the deficiencies in its data security systems and adopted security measures recommended by experts in the field, it would have prevented the intrusions into its systems and, ultimately, the theft of PII. (Id. at ¶ 56).
Mackey's burden to establish traceability is “relatively modest at this stage of litigation.” Bennett v. Spear, 520 U.S. 154, 171 (1997). In In re Supervalu, Inc., the Eighth Circuit explained how plaintiffs met the traceability requirement: “Defendants failed to secure customer Card Information on their network; their network was subsequently hacked; customer Card Information was stolen by the hackers; and Holmes became the victim of identity theft after the data breaches.” 870 F.3d at 772. Similarly, as alleged by Mackey, Belden failed to secure current and former employees' PII; its servers were hacked; PII was stolen by the hackers; and Mackey became the victim of attempted identity theft after the Data Breach. This is sufficient to establish traceability. The Supreme Court has made clear that “[p]roximate causation is not a requirement of Article III standing.” Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014). Belden's arguments regarding traceability are more suited towards Mackey's negligence claim than the issue of standing.
Belden relies almost exclusively on Springmeyer v. Marriott Int'l, No. 20-CV-867-PWG, 2021 WL 809894 (D. Md. Mar. 3, 2021). In Springmeyer, the court found that plaintiffs in a data breach class action lacked standing because they “failed to allege any facts describing Marriott's cybersecurity or steps that it could have or should have taken to prevent this data breach.” Id. at *3. First, as described above, this Court finds that Mackey has adequately proposed actions Belden could have taken to prevent the Data Breach. Second, this Court finds the Springmeyer decision unpersuasive. At the motion to dismiss stage, Mackey cannot be expected to have access to detailed information regarding Belden's cybersecurity practices. Instead, this Court must “presum[e] that general allegations embrace those specific facts that are necessary to support the claim.” Lujan, 504 U.S. at 561 (citation omitted). If after discovery Mackey is unable to identify specific actions Belden should have taken to prevent the Data Breach, Belden may renew this argument on a motion for summary judgment. See In re Target Corp. Customer Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1159 (D. Minn. 2014) (“Should discovery fail to bear out Plaintiffs' allegations, Target may move for summary judgment on the issue.”). Because Mackey has suffered a concrete, particularized injury fairly traceable to Belden's conduct, this Court holds that standing exists.
V. ANALYSIS
Count One: Negligence
Duty
In the first count of the First Amended Complaint, Mackey alleges that Belden breached its duty to exercise reasonable care in protecting employees' PII. (Doc. 16 at ¶¶ 77-97). Belden moves to dismiss on the grounds that it did not owe Mackey any duty and the economic loss doctrine bars the claim. To prevail on a claim for negligence under Missouri law, the plaintiff must first establish that the defendant owed a duty. Peters v. Wady Indus., Inc., 489 S.W.3d 784, 793 (Mo. banc 2016). Belden accurately notes that no court applying Missouri law appears to have recognized a general, common law duty to safeguard information from a criminal cyberattack. (Doc. 19 at 11). This Court predicts, however, that the Missouri Supreme Court would recognize that Belden had a duty to protect Mackey's PII because of their special relationship as employer and employee and as a result of Belden's alleged conduct.
Under Missouri law, a duty can (1) be prescribed by the legislature; (2) arise because the common law imposes a duty based on the relationship between the parties or particular set of circumstances; or (3) exist because a party has assumed a duty by contract or conduct. Scales v. Whitaker, 615 S.W.3d 425, 431 (Mo.Ct.App. 2020) (citations omitted). Ultimately, the “touchstone for the creation of a duty is foreseeability.” Wieland v. Owner-Operator Servs., Inc., 540 S.W.3d 845, 848 (Mo. banc 2018) (citation omitted). Parties typically lack a duty to protect others from the intentional, criminal acts of third parties because such acts are rarely foreseeable. Id.
Exceptions to this rule exist, particularly when there is a special relationship between the defendant and the victim. See RESTATEMENT (SECOND) OF TORTS § 302B, cmt. e (“There are, however, situations in which the actor, as a reasonable man, is required to anticipate and guard against the intentional, or even criminal, misconduct of others.”). Missouri courts have consistently recognized that such a “special relationship” sometimes exists between employer and employee. See Faheen by and through Hebron v. City Parking Corp., 734 S.W.2d 270, 272 (Mo.Ct.App. 1987) (“Special relationships which are recognized in Missouri include innkeeper-guest, common carrier-passenger, school-student, and sometimes employer-employee.”); see also Myron Green Corp. v. Dir. of Revenue, 567 S.W.3d 161, 165 (Mo. banc 2019) (“The special relationship between the bank and its employees does not extend to Myron Green and the bank employees.”).
Admittedly, as noted by Belden, Missouri courts typically state that the employee-employee relationship is “sometimes” a special relationship. Belden argues that the scope of the special relationship is limited to circumstances involving an employee's physical safety. In this Court's view, applicable precedent does not justify such a restrictive interpretation. The “concept of a special relationship exists when one entrusts himself to the protection of another and relies upon that person to provide a place of safety.” Faheen, 734 S.W.2d at 274; see also Phelps v. Bross, 73 S.W.3d 651, 658 (Mo.Ct.App. 2002) (Special relationships “include those in which a party entrusts himself to the protection of another and relies upon that person to provide a place of safety.”).
As alleged in the First Amended Complaint, Mackey entrusted her sensitive PII to Belden as part of the employer-employee relationship. Mackey accordingly relied on Belden to protect her PII. This Court sees no principled reason to limit the scope of the employer-employee special relationship to matters of physical safety and does not believe the Missouri Supreme Court would draw such a line. Compare Claybon v. Midwest Petroleum Co., 819 S.W.2d 742, 745 (Mo.Ct.App. 1991) (finding no special relationship where plaintiff was applicant for employment and only on premises as member of general public). Some courts have recognized that duties under the employer-employee special relationship include protection of PII. See, e.g., Portier, 2019 WL 7946103, at *17 (finding special relationship existed between employer and employee under California law); Corona v. Sony Pictures Ent., Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *5 (same). This Court finds that Missouri law also embraces such a duty.
Other courts have reasonably held that employers embrace a duty to protect employees' PII by requiring employees to submit PII as a condition of employment. See Dittman v. UPMC, 196 A.3d 1036, 1048 (Pa. 2018) (holding data breach was “within the scope of the risk” created by the employer in requiring that employees provide their PII). Mackey has specifically alleged that Belden “required [Mackey] and Class members to provide their PII” and “[i]mplied in these exchanges was a promise by [Belden] to ensure that the PII of [Mackey] and the Class members in its possession was only used to provide the agreed-upon compensation and other employment benefits.” (Doc. 16 at ¶¶ 88-89). While this Court lacks meaningful information regarding Mackey's express employment agreement (if any) or the nature of Belden's PII submission requirements, the present allegations are sufficient to establish a duty at the motion to dismiss stage.
If an employee suffers physical injury from a criminal attack because an employer negligently fails to secure its premises, damages may be available under Missouri tort law because the employee entrusted his or her physical safety to the employer. Meanwhile, Belden contends that if the same employer negligently fails to implement adequate cybersecurity measures, allowing a hacker to access the employer's servers and steal employees' PII, damages are unavailable because no duty exists. Missouri tort law principles do not support the drawing of such a line between physical and digital safety. As alleged in the First Amended Complaint, Mackey and her co-workers entrusted their sensitive PII to Belden as a condition of employment. Belden accordingly assumed a duty to adequately protect the PII, much like Belden has a duty to protect its employees from physical harm at the workplace. This Court holds that the special relationship between employer and employee under Missouri law imposes a duty on the employer to protect employees' PII provided as a condition of employment.
Economic Loss Doctrine
Missouri courts have adopted the economic loss doctrine, which “bars recovery of purely pecuniary losses in tort where the injury results from a breach of a contractual duty.” Dubinsky v. Mermart, LLC, 595 F.3d 812, 819 (8th Cir. 2010) (internal quotations omitted); see also Trademark Med., LLC v. Birchwood Labs., Inc., 22 F.Supp.3d 998, 1002 (E.D. Mo. 2014). Courts outside this jurisdiction have reached different conclusions as to whether the economic loss doctrine bars a negligence claim in a data breach case. See generally In re Capital One Data Sec. Breach Litig., 488 F.Supp.3d 374, 393-401 (E.D. Va. 2020) (applying economic loss doctrine under various state laws in data breach MDL).
Applying Missouri law, this Court finds that the economic loss doctrine does not bar Mackey's negligence claim for two reasons. First, the economic loss doctrine primarily applies where damages are “contractual in nature.” Autry Moran Chevrolet Cadillac, Inc. v. RJF Agencies, Inc., 332 S.W.3d 184, 192 (Mo.Ct.App. 2010); see also Dannix Painting, LLC v. Sherwin-Williams Co., 732 F.3d 902, 906 (8th Cir. 2013) (internal quotation omitted) (“Expanding tort principles into the commercial arena risks drowning contract law in a sea of tort.”). While Mackey has alleged an implied contract regarding the PII, the existence of which Belden disputes, the negligence claim is not contractual in nature. As discussed above, Belden's duty arises out of the parties' special relationship, not any particular employment agreement. Barring negligence claims in data breach cases under the economic loss doctrine would leave victims with no recourse in cases where the parties lack a relevant contractual arrangement.
A reasonable argument can be made that Mackey should not be entitled to recover both in tort and for breach of the alleged implied-in-fact contract. If a factfinder ultimately concludes that Mackey should recover for breach of an implied-in-fact contract, it would be appropriate to reconsider whether the economic loss doctrine bars recovery on Mackey's negligence claim.
Second, Missouri courts recognize an exception to the economic loss doctrine where there is a special relationship between the parties. Id. at 193; see also Owen Cont'l Dev., LLC v. Village Green Mgmt. Co., No. 4:11-CV-1195-FRB, 2011 WL 5330412, at *2-3 (E.D. Mo. Nov. 4, 2011). This Court has determined that Belden had a duty to protect Mackey's PII pursuant to their special relationship as employer and employee, meaning the economic loss doctrine does not bar Mackey's negligence claim. Compare Cmty. Bank of Trenton v. Schnuck's Mkts., Inc., 887 F.3d 803, 818 (7th Cir. 2018) (finding exception for special relationships does not apply to standard business relationships). Tes Court recognizes that, in certain instances, Missouri courts have suggested this special relationship must be fiduciary in nature. See Dannix Painting, 732 F.3d at 905. But the Court believes a special relationship establishing a tort duty, as between Mackey and Belden here, is sufficient to overcome the economic loss doctrine under Missouri law in the case of a data breach. See Bus. Men's Assurance Co. of Am. v. Graham, 891 S.W.2d 438, 453 (Mo. App. 1994) (“The action may be in tort . . . if the party sues for breach of a duty recognized by the law or arising from the relationship or status the parties have created by agreement.”). Accordingly, Belden's motion to dismiss will be denied as to Count One.
Belden also contends that Mackey cannot establish negligence per se. (Doc. 19 at 13). Mackey has clarified that the First Amended Complaint does not allege negligence per se. (Doc. 20 at 5 n.9).
Count Two: Breach of Implied Contract
Mackey alleges that an implied-in-fact contract existed requiring Belden to adequately protect its employees' PII. (Doc. 16 at ¶¶ 98-111). Belden claims that Mackey “does not plead any facts that plausibly support a meeting of the minds or mutual assent with Belden regarding the security of her PII.” (Doc. 19 at 15). Mackey replies that Missouri law does not require the formalities of offer and acceptance to establish an implied-in-fact contract. (Doc. 20 at 9).
Under Missouri law, an implied-in-fact contract may arise when parties “manifest their promises by language or conduct which is not explicit.” Westerhold v. Mullenix Corp., 777 S.W.2d 257, 263 (Mo.Ct.App. 1989). An implied in fact contract clearly requires a “meeting of the minds on essential terms.” Nickel v. Stephens Coll., 480 S.W.3d 390, 397 n.6 (Mo.Ct.App. 2015). This is distinct from a quasi-contract, or contract implied in law, which does not require an intent to be bound. See Am. Eagle Waste Indus., LLC v. St. Louis Cty., 379 S.W.3d 813, 828 (Mo. banc 2012). The question before this Court is whether Mackey has plausibly alleged a meeting of the minds between her and Belden regarding the protection of her PII.
The First Amended Complaint repeatedly alleges that Belden obtained Mackey's PII as a condition of employment. The supposed breach of this implied contract occurred when Belden “fail[ed] to reasonably safeguard and protect” the PII. (Doc. 16 at ¶ 107). Mackey further claims that Belden's “failure to implement adequate measures . . . violated the purpose of the [implied] agreement between the parties.” (Id. at ¶ 108). Considering the requirements for an implied-in-fact contract under Missouri law, there must have been a meeting of the minds as to Belden's obligation to reasonably safeguard and protect the PII in order for a breach to have occurred. Mackey never specifies any language or conduct by Belden indicating that Belden had accepted this essential term of the implied contract. Instead, Mackey appears to argue that the protection of her PII was implied in the transaction, and she “would not have provided and entrusted [her] PII to [Belden] in the absence” of such implied contract.
Belden relies on the Third Circuit Court of Appeals' logic in Longenecker-Wells v. Benecard Servs., Inc., which this Court finds somewhat persuasive. 658 Fed.Appx. 659 (3d Cir. 2016). The court explained:
Plaintiffs have failed to plead any facts supporting their contention that an implied contract arose between the parties other than that Benecard required Plaintiffs' personal information as a prerequisite to employment. This requirement alone did not create a contractual promise to safeguard that information, especially from third party hackers. Id. at 662 (emphasis added).The Third Circuit contrasted these facts with Enslin v. The Coca-Cola Co., where plaintiffs argued that the employer through “privacy policies, codes of conduct, company security practices, and other conduct” had “implicitly promised to safeguard” the employees' PII. 136 F.Supp.3d 654, 675 (E.D. Pa. 2015).
Numerous courts in similar circumstances, however, have declined to dismiss an implied breach of contract claim. In In re Target Data Security Breach Litigation, the court determined that “the terms of the alleged implied contract is a factual question that a jury must determine.” 66 F.Supp.3d 1154, 1176-77 (D. Minn. 2014); see also Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011) (“A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract.”); Sackin v. TransPerfect Global, Inc., 278 F.Supp.3d 739, 750 (S.D.N.Y. 2017) (“Transperfect required and obtained the PII as part of the employment relationship, evincing an implicit promise by TransPerfect to act reasonably to keep its employees' PII safe.”).
This Court broadly agrees with the sentiment expressed by the court in Castillo v. Seagate Tech., LLC: “[I]t is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient's assent to the protect the information sufficiently.” No. 16-CV-01958-RS, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016). This Court finds that Mackey has plausibly alleged the existence and breach of an implied-in-fact contract requiring Belden to adequately secure its employees' PII. Whether such a contract actually existed is a question of fact inappropriate for resolution at the motion to dismiss stage. See Estate of Briggs, 449 S.W.3d 421, 425 (Mo.Ct.App. 2014) (citation omitted).
Count Three: Breach of Confidence
Mackey argues that she suffered a breach of confidence due to Belden's failure to adequately protect her PII. (Doc. 16 at ¶¶ 112-125). Belden seeks dismissal on the grounds that Missouri law only recognizes such claims in connection with disclosure of trade secrets or related information. This Court agrees that dismissal is appropriate because under Missouri law breach of confidence claims are clearly limited to disclosure or communication of trade secrets or other confidential business information. On the Court's review, Missouri courts have only recognized the validity of this claim in the trade secret context. See, e.g., Nat'l Rejectors, Inc. v. Trieman, 409 S.W.2d 1, 35 (Mo. banc 1966). Mackey correctly notes that, in at least one instance, a court has found that “an action for breach of a confidential relationship need not rise to the level of a trade secret.” Neil and Spencer Holdings, Ltd. v. Kleen-Rite, Inc., 479 F.Supp. 164, 171 (E.D. Mo. 1979); see also RESTATEMENT (FIRST) OF TORTS § 757, cmt b (1939). But Kleen-Rite still involved the alleged theft of confidential business information. There is no indication that a cause of action for breach of confidence extends to the theft of employees' PII by third-party hackers. See Ashley Cty. v. Pfizer, Inc., 552 F.3d 659, 673 (8th Cir. 2009) (citation omitted) (“It is not the role of a federal court to expand state law in ways not foreshadowed by state precedent.”).
Count Four: Invasion of Privacy
Mackey contends that Belden invaded her privacy by committing a tortious intrusion on seclusion. (Doc. 16 at ¶¶ 126-141). Belden argues that the claim fails under Missouri law because Belden did not obtain Mackey's PII by unreasonable means. (Doc. 19 at 16-17). Mackey responds that Belden in fact employed unreasonable means by misrepresenting that the PII would be adequately protected. (Doc. 20 at 16).
A tortious intrusion on seclusion claim requires the following elements: (1) the existence of a secret and private subject matter; (2) a right in the plaintiff to keep that subject matter private; and (3) the obtaining by the defendant of such information by unreasonable means. Crow v. Crawford & Co., 259 S.W.3d 104, 120 (Mo.Ct.App.2008). It is clear that Mackey's PII is a private subject matter which she has a right to keep private; the more difficult question is whether she has plausibly alleged that Belden obtained her PII by unreasonable means. To clarify, the requirement for intrusion on seclusion is not that Belden was unreasonable in handling the PII, but that Belden unreasonably obtained the PII.
The tort for invasion of privacy actually encompasses four separate causes of action: (1) intrusion on seclusion; (2) public disclosure of private embarrassing facts; (3) publicly placing plaintiff in a false light; and (4) appropriation of plaintiff's name or likeness. St. Anthony's Med. Ctr. v. H.S.H., 974 S.W.2d 606, 609 (Mo.Ct.App. 1998). It is apparent, and Mackey has clarified, that her claim is one of intrusion on seclusion.
It is necessary and reasonable for an employer to obtain an employee's PII in order to provide compensation and benefits. See Howard v. Frost Nat'l Bank, 458 S.W.3d 849, 854-55 (Mo.Ct.App. 2015) (No intrusion on seclusion occurred where “Appellants themselves disclosed [their financial information] to Respondent in the context of their financial relationship.”). Subsequent negligence in handling the PII does not render the initial acquisition unreasonable. Mackey's bare allegation that Belden “acted with a knowing state of mind when it permitted the Data Breach because it knew its information security practices were inadequate” does not render the initial obtaining of Mackey's PII unreasonable. (Doc. 16 at ¶ 134). See St. Anthony's Med. Ctr. v. H.S.H., 974 S.W.2d 606, 609 (Mo.Ct.App. 1998) (“St. Anthony's did not unreasonably obtain defendant's medical records through . . . unreasonable means. In the ordinary course of business, St. Anthony's obtained defendant's medical records as documentation of medical services.”). Because Mackey has not plausibly alleged that Belden obtained her PII through a method “objectionable to the reasonable [person], ” her invasion of privacy claim fails as a matter of law. Corcoran v. Sw. Bell Tel. Co., 572 S.W.2d 212, 215 (Mo.Ct.App. 1978).
Count Five: Breach of Fiduciary Duty
Mackey alleges that Belden breached its fiduciary duty to its employees by failing to adequately secure their PII. (Doc. 16 at ¶¶ 142-49). Belden seeks dismissal on the grounds that no fiduciary duty existed between the parties. (Doc. 19 at 17). Mackey responds that whether a fiduciary relationship existed is a question of fact which this Court should not consider at this stage of litigation. (Doc. 20 at 17).
When a plaintiff asserts breach of fiduciary duty as a tort claim, they must establish that such a duty existed and the defending party breached the duty, resulting in harm. Zakibe v. Ahrens & McCarron, Inc., 28 S.W.3d 373, 381 (Mo.Ct.App. 2000) (citation omitted). The existence of a fiduciary duty is a question of law, while the breach of that duty is a question of fact. Western Blue Print Co., LLC v. Roberts, 367 S.W.3d 7, 15 (Mo. banc 2012). Under Missouri law, certain relationships automatically establish a fiduciary relationship. Alternatively, a fiduciary relationship exists if the following five elements are met:
(1) [O]ne party must be subservient to the dominant mind and will of the other party as a result of age, state of health, illiteracy, mental disability, or ignorance; (2) things of value such as land, monies, a business, or other things of value, which are the prop\erty of the subservient party, must be possessed or managed by the dominant party; (3) there must be a surrender of independence by the subservient party to the dominant party; (4) there must be an automatic and habitual manipulation of the actions of the subservient party by the dominant party; and (5) there must be a showing that the subservient party places a trust and confidence in the dominant party. A.G. Edwards & Sons, Inc. v. Drew, 978 S.W.2d 386, 394 (Mo.Ct.App. 1998) (citation omitted).
There appear to be no Missouri cases holding that an employer inherently owes fiduciary duties to its employees. See Elkhart Metal, Fabricating, Inc. v. Martin, No. 14-CV-00705, 2015 WL 1604852, at *4 (E.D. Mo. Apr. 9, 2015) (“There are no Missouri cases, however, that stand for the proposition that an employer corporation necessarily owes fiduciary duties to its employees as a matter of law.”). Mackey has not plausibly alleged, moreover, that a fiduciary duty existed based on the five elements outlined by the court in Drew. Mackey has not alleged, for example, that she was “subservient to the dominant mind and will of the other party as a result of age, state of health, illiteracy, mental disability, or ignorance.” Drew, 978 S.W.2d at 394; see also Dibrill v. Normandy Assocs., Inc., 383 S.W.3d 77, 86-87 (Mo.Ct.App. 2012) (finding nursing home owed no fiduciary duty to elderly resident). This Court finds that Mackey has not plausibly alleged that Belden owed her a fiduciary duty.
Count Six: Breach of Covenant of Good Faith and Fair Dealing
Mackey alleges that Belden breached its covenant of good faith and fair dealing by failing to adequately protect its employees' PII. (Doc. 16 at ¶¶ 150-165). Belden seeks dismissal on the grounds that Mackey has failed to allege bad faith or arbitrary and capricious action. (Doc. 19 at 18). Mackey responds that a lack of diligence can constitute bad faith. (Doc. 20 at 18).
Missouri law implies a duty of good faith and fair dealing in every contract. Arbors Sugar Creek Homeowners Assoc. v. Jefferson Bank & Trust Co., Inc., 464 S.W.3d 177, 185 (Mo. banc 2015) (citation omitted). The duty establishes that discretion in a contract “must not be exercised to deprive the other party of the benefit of the contractual relationship or evade the spirit of the bargain.” City of St. Joseph v. Lake Contrary Sewer Dist., 251 S.W.3d 362, 370 (Mo.Ct.App. 2008). The covenant, however, is not an “overflowing cornucopia of wished-for legal duties; indeed, the covenant cannot give rise to obligations not otherwise contained in a contract's express terms.” Comprehensive Care Corp. v. RehabCare Corp., 98 F.3d 1063, 1066 (8th Cir. 1996).
This Court determined that Mackey has plausibly alleged the existence of an implied-in-fact contract requiring Belden to safeguard her PII. Mackey further alleges that Belden “had discretion in the specifics of how it met the applicable laws and industry standards” and committed acts or omissions which “unfairly interfered with [Mackey's] and Class members' right to receive the full benefit of their contracts.” (Doc. 16 at ¶¶ 158, 162). Mackey also alleges that Belden “acted with a knowing state of mind when it permitted the Data Breach because it knew its information security practices were inadequate.” (Id. at ¶ 134). At this early stage of litigation, this Court finds that Mackey has sufficiently alleged that Belden abused its discretion under the supposed implied contract by failing to adequately secure PII. See RESTATEMENT (SECOND) OF CONTRACTS § 205, cmt. d (1981) (recognizing “lack of diligence” and “willful rendering of imperfect performance” as types of bad faith).
Count Seven: Declaratory and Injunctive Relief
Mackey seeks declaratory relief under the Declaratory Judgment Act, 28 U.S.C. § 2201, and injunctive relief requiring Belden to take various actions to secure employees' PII. (Doc. 16 at ¶¶ 166-175). Belden claims that (1) declaratory and injunctive relief are remedies, not independent grounds for relief; (2) such relief is only appropriate where the plaintiff lacks an adequate remedy at law; and (3) the request is duplicative of the breach of implied contract claim. (Doc. 19 at 19).
Mackey essentially seeks a declaration that Belden has breached its duties and implied contractual obligations. This Court has denied Belden's motion to dismiss as to these claims. Accordingly, any potential declaratory relief would merely duplicate relief available under Counts One and Two of the First Amended Complaint. See Amerisure Mut. Ins. Co. v. Maschmeyer Landscapers, Inc., No. 4:06-CV-1308 (CEJ), 2007 WL 2811089, at * (E.D. Mo. Sept. 24, 2007) (citation omitted) (“A petition seeking declaratory judgment that alleges breach of duties and obligations under the terms of a contract and asks the court to declare those terms breached is nothing more than a petition claiming breach of contract.”). Therefore, this Court will dismiss Mackey's request for declaratory relief as duplicative.
As to the requested injunctive relief, however, Mackey alleges employees' PII remains in Belden's possession and vulnerable to further data breaches. (Doc. 16 at ¶¶ 59, 171-74). The purpose of injunctive relief is to “prevent actual or threatened acts that constitute real injury.” State ex rel. Gardner v. Stelzer, 568 S.W.3d 48, 51 (Mo.Ct.App. 2019) (internal quotations omitted). A party seeking injunctive relief must demonstrate that there is no adequate remedy at law and irreparable harm will result if the injunction is not awarded. Suppes v. Curators of Univ. of Missouri, 613 S.W.3d 836, 847 (Mo.Ct.App. 2020) (citation omitted). While Mackey has not utilized these specific words, she has clearly alleged that her PII remains in Belden's possession and at risk of further disclosure if this Court does not provide injunctive relief. This Court is permitting Mackey to proceed on claims of negligence and breach of implied contract, among others, potentially establishing an underlying cause of action warranting the remedy of injunctive relief. See id. (citation omitted) (“An injunction is a remedy, not a cause of action; thus, an injunction must be based on a recognized and pleaded legal theory.”). Accordingly, at this early stage of litigation, this Court declines to dismiss the request for injunctive relief.
Count Eight: Violation of the Indiana Deceptive Consumer Sales Act
Mackey argues that Belden violated the Indiana Deceptive Consumer Sales Act, IND. CODE §§ 24-5-0.5-1 et seq. (“IDCSA”). (Doc. 16 at ¶¶ 176-192). Belden seeks dismissal on the grounds that (1) the IDCSA only applies to qualifying consumer transactions; (2) Mackey has failed to plead an incurable deceptive act; and (3) Mackey fails to allege a specific statement upon which she detrimentally relied. (Doc. 19 at 20-21). Mackey essentially responds that discovery is necessary and dismissal at this stage of litigation would be inappropriate. (Doc. 20 at 20).
The IDCSA “provides recourse to consumers for practices deemed deceptive consumer transactions.” Pickens v. New York Life Ins. Co., No. 2:17-CV-190-TLS, 2019 WL 4740829, at *4 (N.D. Ind. Sept. 27, 2019). A “consumer transaction” is defined as a “sale, lease, assignment, award by chance, or other disposition of an item of personal property, real property, a service, or an intangible . . . to a person for purposes that are primarily familial, charitable, agricultural, or household.” IND. CODE § 24-5-0.5-2(a)(1). The First Amended Complaint appears to assert that Belden's offer of employment constituted a “service” under this definition. (Doc. 16 at ¶ 179). This Court recognizes that the IDCSA should be “liberally construed and applied to promote its purposes and policies.” IND. CODE § 24-5-0.5-1.
Even under such a liberal construction, it is readily apparent that Belden's employment of Mackey does not constitute a “consumer transaction” under the plain meaning of the IDCSA. Mackey identifies no precedent suggesting otherwise. The First Amended Complaint alleges that Mackey was a Belden employee, not consumer. Mackey did not purchase any product from Belden for personal use. See McLeskey v. Morris Invest., No. 1:18-CV-02797-JPH-TAB, 2020 WL 3315996, at *6 (S.D. Ind. June 18, 2020) (holding purchase of investment properties was not consumer transaction); In re Syngenta AG MIR 162 Corn Litig., MDL No, 2591, 2017 WL 2080601, at *11 (D. Kan. May 15, 2017) (holding commercial resellers are not consumers under IDCSA). Simply put, the IDCSA's purpose is to protect consumers from suppliers who commit deceptive sales acts, not protect employees from employers who fail to adequately secure PII. See Kesling v. Huber Nissan, Inc., 997 N.E.2d 327, 334 (Ind. 2013). Mackey's IDCSA claim can be dismissed on these grounds.
The Court also finds that Mackey has failed to make the necessary allegations to support her claim of an “incurable deceptive act.” (Doc. 16 at ¶ 181). The IDCSA recognizes claims for both “uncured and incurable deceptive acts.” IND. CODE § 24-5-0.5-5(a). A claim for an uncured act requires notice to the supplier, and there is no allegation that Mackey provided such notice. See Bray v. Gamestop Corp., No. 1:17-CV-1365, 2018 WL 11226516, at *6 (D. Del. Mar. 16, 2018). An incurable deceptive act, meanwhile, requires a “scheme, artifice, or device with intent to defraud or mislead” and is accordingly subject to the heightened pleading standards for fraud under Fed.R.Civ.P. 9(b). See McKinney v. State, 693 N.E.2d 65, 68 (Ind. 1998) (“Intent to defraud or mislead is thus clearly an element of an incurable deceptive act.”). Mackey has partially recited the essential elements of fraud in the First Amended Complaint but has not specified the “time, place, and content of the defendant's false representations, as well as the details of the defendant's fraudulent acts, including when the acts occurred, who engaged in them, and what was obtained as a result.” Streambend Props. II, LLC v. Ivy Tower Minneapolis, LLC, 781 F.3d 1003, 1013 (8th Cir. 2015) (citation omitted). Mackey has not identified, for example, specific statements by Belden indicating that her PII would be secured. Accordingly, Mackey's IDCSA claim can also be dismissed for failing to meet the pleading requirements for an alleged incurable deceptive act.
VI. CONCLUSION
As alleged in the First Amended Complaint, Mackey and the potential Class members were employees of Belden whose PII was stolen from Belden's servers by sophisticated criminals. Unauthorized individuals have already used Mackey's hacked social security number to attempt to file a tax return on her behalf. This Court finds that Mackey has standing to proceed because she has already suffered actual injury in fact, is at imminent risk of further injury, and such injuries are fairly traceable to Belden's conduct.
The First Amended Complaint seeks to hold Belden responsible for these injuries under various legal theories. Certain of these claims, such as breach of fiduciary duty, breach of confidence, and intrusion on seclusion, simply do not apply to the circumstances at hand under Missouri law. Mackey is also not entitled to protection under the IDCSA because she did not participate in a qualifying consumer transaction and failed to meet the statute's pleading requirements for an incurable deceptive act. This Court finds, however, that Mackey may potentially recover for Belden's alleged negligence in failing to protect its systems and for breaching an implied-in-fact agreement to adequately secure employees' PII. Injunctive relief may also be appropriate if Mackey can demonstrate that she remains at risk of further injury. Therefore, Mackey will be permitted to proceed on her claims of negligence and breach of implied contract (Counts One and Two) while seeking the remedy of injunctive relief (Count Seven), among others.
Accordingly, IT IS HEREBY ORDERED that Defendant Belden, Inc.'s Motion to Dismiss Plaintiff's First Amended Complaint (Doc. 18) is GRANTED in part and DENIED in part. The motion is granted as to Counts Three, Four, Five, Seven (as to the request for declaratory relief only), and Eight. The motion is denied in all other respects.