Opinion
24-cv-11338-DJC
12-02-2024
MEMORANDUM AND ORDER
DENISE J. CASPER, UNITED STATES DISTRICT JUDGE.
I. Introduction
Plaintiff Derek Bonewit (“Bonewit”) has filed this putative class action lawsuit against Defendant New-Indy Containerboard LLC (“New-Indy”) alleging claims of negligence (Count I), negligence per se (Count II), breach of implied contract (Count III), breach of the implied covenant of good faith and fair dealing (Count IV), breach of fiduciary duty (Count V), and seeking declaratory judgment and injunctive relief (Count VI) arising out of a data security breach in which plaintiffs' personal identifiable information (“PII”) may have been accessed by a third-party. D. 25. New-Indy has moved to dismiss the amended complaint under Fed.R.Civ.P. 12(b)(6). D. 27. For the reasons discussed below, the Court ALLOWS New-Indy's motion to dismiss.
II. Standard of Review
On a motion to dismiss pursuant to Fed.R.Civ.P. 12(b)(6), the Court must determine if the facts alleged “plausibly narrate a claim for relief.” Germanowski v. Harris, 854 F.3d 68, 71 (1st Cir. 2017) (internal quotation marks and citation omitted). Reading the complaint “as a whole,” the Court must conduct a two-step, context-specific inquiry. García-Catalán v. United States, 734 F.3d 100, 103 (1st Cir. 2013). First, the Court must perform a close reading of the claim to distinguish the factual allegations from the conclusory legal allegations contained therein. Id. Factual allegations must be accepted as true, while conclusory legal conclusions are not entitled to credit. Id. Second, the Court must determine whether the factual allegations present a “reasonable inference that the defendant is liable for the misconduct alleged.” Haley v. City of Boston, 657 F.3d 39, 46 (1st Cir. 2011) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). In sum, the complaint must provide sufficient factual allegations for the Court to find the claim “plausible on its face.” García-Catalán, 734 F.3d at 103 (quoting Iqbal, 556 U.S. at 678).
III. Factual Background
The following facts are drawn from Bonewit's amended complaint, D. 25, and are accepted as true for the purpose of resolving the motion to dismiss.
On or around November 25, 2023, New-Indy learned of a data breach of its network and determined that an unknown actor “may have accessed” personal identifiable information (“PII”), that New-Indy had collected and stored from its employees and their beneficiaries on its unencrypted, internet-accessible network. D. 25 ¶¶ 3-6. On or around February 13, 2024, reports surfaced that New-Indy had been attacked by the ALPHV/BlackCat ransomware group, which claimed to have exfiltrated approximately 82 gigabytes of data from New-Indy, including PII. Id. ¶ 7. The ALPHV/BlackCat group posted on their website that “[b]ecause of a misunderstanding and inability to negotiate, we share information with you” and stated that about 82gb of information was stolen from New-Indy. Id. ¶ 8.
On March 7, 2024, New-Indy sent a notification to various state Attorney-Generals notifying them of the data breach. Id. ¶ 9. On that same date, New-Indy also sent a notice of the breach to Bonewit which stated in relevant part that New-Indy was aware that “a limited amount of information related to employees and beneficiaries, kept in the normal course of business, may have been accessed by an unauthorized third party” and the “potentially accessed information may have included your first and last name, in combination with your Social Security number and/or driver's license number.” Id. ¶¶ 10, 12, 31. In response to the data breach incident, New-Indy stated that it had taken steps to address the incident and offered one year of credit monitoring and identity protection through Experian. Id. ¶¶ 35, 70.
Bonewit resides in Indiana and worked at New-Indy four years prior to the data breach. Id. ¶¶ 20, 72. Bonewit alleges that he has “spent time dealing with the consequences” of the data breach including verifying the legitimacy of the data breach notice and self-monitoring his accounts, and has suffered from “anxiety and increased concerns for the loss of his privacy” and claims that he will have to worry for the rest of his life “about when and how his sensitive information may be shared or used to his detriment.” Id. ¶¶ 73-74, 77-78.
IV. Procedural History
Bonewit initiated this action on May 21, 2024. D. 1. New-Indy moved to dismiss the initial complaint. D. 15. Bonewit then filed an amended complaint. D. 25. In light of the amended pleading, the Court denied New-Indy's motion to dismiss the initial complaint as moot. D. 29. New-Indy has now moved to dismiss the amended complaint, D. 27. The Court heard the parties on the pending motion and took this matter under advisement. D. 39.
At the hearing, New-Indy requested leave to file supplemental briefing addressing caselaw that Bonewit raised at oral argument that was not included in the briefing, which the Court allowed, and the Court has considered that supplemental letter, D. 40, in deciding the pending motion.
V. Discussion
A. Choice of Law
New-Indy contends that Indiana law applies to this action because Bonewit is an Indiana resident, he worked at an Indiana mill for New-Indy and was residing in Indiana at the time of the data breach. D. 28 at 13. In a diversity action, the choice-of-law rules that apply are those of the forum state, in this case Massachusetts. Klaxon v. Stenton Elec. Mfg. Co., 313 U.S. 487, 496 (1941). Under Massachusetts choice of law analysis, “tort claims are governed by the law of the state in which the injury occurred, unless another state has a more significant relationship to the underlying cause of action.” Watkins v. Omni Life Sci., Inc., 692 F.Supp.2d 170, 174 (D. Mass. 2010). “The first step in a choice of law analysis is to determine whether an actual conflict exists between the substantive laws of the interested jurisdictions.” Reicher v. Berkshire Life Ins. Co. of Am., 360 F.3d 1, 4 (1st Cir. 2004). Here, the parties agree that the substantive law of Massachusetts and Indiana differs as to analyzing state law claims of negligence, negligence per se, breach of implied contract and breach of an implied covenant of good faith and fair dealing. See D. 28 at 13 n.3; D. 30 at 18-19. Although the parties address the claims under both Indiana and Massachusetts law, the parties appear to agree (and it is alleged, D. 25 ¶¶ 20, 72-74, 77-78) that Bonewit resided and was injured in Indiana, and, therefore, the Court will apply Indiana law to the claims. See D. 28 at 13-14; D. 30 at 3-4; D. 31-1 at 3; Katz v. Pershing, LLC, 672 F.3d 64, 72 (1st Cir. 2012); Portier v. NEO Tech. Sols., No. 3:17-CV-30111-TSH, 2019 WL 7946103, at *16 n.12 (D. Mass. Dec. 31, 2019), report and recommendation adopted, No.17-cv-30111, 2020 WL 877035, at *1 (D. Mass. Jan. 30, 2020) (reasoning that plaintiffs were injured in Massachusetts because they were located and residing in Massachusetts at the time of the data breach even though the company was located in California).
B. Bonewit Has Not Plausibly Alleged a Compensable Injury
The parties primarily dispute whether Bonewit has plausibly alleged a compensable injury, as required by Indiana law “as an indispensable element of [his] common law claims.” See, e.g., McLaughlin v. Taylor Univ., 23-cv-00527-HAB-SLC, 2024 WL 4274848, at *2 & n.1 (N.D. Ind. Sept. 23, 2024) (citing cases). Bonewit has alleged injuries that include “(i) lost or diminished value of PII; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the data breach, including but not limited to lost time[;] (iv) the disclosure of their private information[;] and (v) the continued and certainly increased risk to their PII.” D. 25 ¶ 18. Specifically, Bonewit alleges that he has lost time verifying the legitimacy of the data breach notice and self-monitoring his accounts as well as “anxiety and increased concerns for the loss of his privacy” and “impending injury arising from the substantially increased risk of identity theft and misuse of his PII.” Id. ¶¶ 74, 77-78. New-Indy asserts that Bonewit fails to plead a compensable injury because: (1) he has shown no actual misuse or disclosure of his information and risk of mitigating future harm is insufficient for damages, (2) allegations of lost time are conclusory, (3) injuries based on diminished value of PII are not cognizable and (4) allegations for emotional distress and anxiety are not recognized under Indiana law absent physical harm. See D. 28 at 14-18.
Bonewit contends that a split within the federal courts in Indiana about whether an increased risk of future identity theft of PII from a data breach and lost time from monitoring that risk constitutes a compensable injury means that this Court should deny New-Indy's motion to dismiss. Compare Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 639-40 (7th Cir. 2007) (analyzing Indiana law and concluding that allegations of an increased risk of future identity theft and costs of credit monitoring based on personal information exposed in a security breach would not be recognized as a compensable injury under Indiana law absent allegations of actual harm); Aspen Am. Ins. Co. v. Blackbaud, Inc., 624 F.Supp.3d 982, 997-98 (N.D. Ind. 2022) (recognizing that the “risk of future identity theft is not a compensable harm in Indiana” based on Pisciotta and holding that plaintiffs had failed to plead a cognizable injury based on a security breach where hackers obtained PII of their donors and patients but there were no allegations of actual harm); Alonso v. Blue Sky Resorts, LLC, 179 F.Supp.3d 857, 865-66 (S.D. Ind. 2016) (relying upon Pisciotta and concluding that Indiana law does not recognize an injury based upon monitoring a risk of future harm because plaintiffs, whose credit card information was allegedly obtained by hackers, did not allege that their credit card accounts ever had any fraudulent charges); with McLaughlin, 2024 WL 4274848, at *3 (reasoning that courts have been “chipping away at Pisciotta's commands” and concluding that “the increased risk of identity theft that [p]laintiffs now face and the costs to mitigate those risks are cognizable injuries”); Johnson v. Nice Pak Prod., Inc., No. 23-cv-01734-JMS-CSW, 2024 WL 2845928, at *4 (S.D. Ind. June 5, 2024) (reasoning that Pisciotta was decided prior to other courts permitting common law data breach negligence claims and held that plaintiff had alleged compensable injuries because Indiana law specifically allows for damages to include the value of lost time mitigating a data breach).
Although Bonewit relies upon decisions from other Circuits to argue that posting on the dark web constitutes a compensable injury, those cases were not interpreting compensable injury under Indiana law, but Article III standing, D. 30 at 6 (citing cases).
New-Indy relies upon the Seventh Circuit's decision in Pisciotta, 499 F.3d at 637; D. 28 at 15; D. 31-1 at 5-6, in which the Court affirmed the district court's holding that mere exposure of PII from a data security breach and attendant costs for monitoring the potential future risks from that breach was not a compensable injury. See Pisciotta, 499 F.3d at 637. In Pisciotta, plaintiffs had provided their information to Old National Bancorp for banking services and their personal information had been compromised in a data breach, they had paid for credit monitoring, but there were no allegations of actual misuse such as identity theft or fraudulent charges. Id. at 632. In addressing this novel issue under Indiana law, the Seventh Circuit looked to analogous case law in the context of medical monitoring damages in toxic tort liability, where the Indiana Supreme Court had previously declined to recognize a compensable injury based upon mere exposure to a harm. Id. at 638-39; see AlliedSignal, Inc. v. Ott, 785 N.E.2d 1068, 1075 (Ind. 2003) (reasoning that a cause of action does not accrue when mere exposure to asbestos occurs and “it is only when the disease has actually manifested itself (and therefore could be diagnosed by a reasonably experienced physician) that the cause of action accrues”). The Seventh Circuit, therefore, held that the Indiana Supreme Court would not allow the claim to proceed because “[w]ithout more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.” Pisciotta, 499 F.3d at 639.
Bonewit, instead, primarily relies upon Johnson, 2024 WL 2845928, at *3-4; D. 30 at 4, 9, in which a federal district court in Indiana concluded that time and effort spent protecting against and mitigating risks created by a data breach constituted cognizable injuries even when plaintiffs had not alleged any actual misuse of PII. Johnson, 2024 WL 2845928, at *3-4. In Johnson, plaintiffs had provided their PII to the defendant, their employer, and alleged that they had lost “valuable time” from remedying the data breach as well as other injuries including an increased risk of fraud and identity theft. Id. at *1-2. In holding that allegations for lost time constituted a compensable injury, the court relied upon two Seventh Circuit cases which recognized that the risk of identity theft in a data breach can provide Article III standing. Id. at *4; Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (concluding that the time and money spent resolving fraudulent charges as well as the increased risk of fraudulent charges and identity theft are cognizable injuries for Article III standing); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693-94 (7th Cir. 2015) (concluding that plaintiffs had adequately alleged Article III standing based on lost time for remedying fraudulent charges to credit cards involved in a data breach and increased risk of future fraudulent charges and susceptibility to identity theft). Although Johnson reasons that the analysis for determining Article III standing is the same as compensable damages because Indiana law recognizes that damages can include the value of lost time, Johnson, 2024 WL 2845928, at *4, Johnson does not address or distinguish that in both Remijas and Lewert the plaintiffs had alleged that they had spent time monitoring their PII because of fraudulent charges and actual misuse of their PII that had already occurred following the data breach. See id.; Lewert, 819 F.3d at 967 (reasoning that plaintiff who alleged that he has spent time and effort monitoring both his card statements and his other financial information as a guard against fraudulent charges and identity theft had standing where the other named plaintiff had alleged that his card had incurred fraudulent charges); Remijas, 794 F.3d at 691-94 (recognizing that plaintiffs had alleged that they had suffered a substantial risk of harm because 9,200 credit cards had already experienced fraudulent charges and plaintiffs themselves had experienced fraudulent charges following the data breach).
At oral argument, Bonewit also relied upon McLaughlin, 2024 WL 4274848, at *3, a recent district court opinion that follows Johnson, but that case is also distinguishable because there were allegations of actual misuse of the plaintiffs' PII that the court held was “significant” in holding that time, effort and money spent to combat identity theft and monitor the risk of harm constituted a cognizable injury.
Here, neither party has pointed this Court to any decision by the Indiana Supreme or appellate court to adopt or reject the Pisciotta conclusion that Indiana law would not consider the harm caused by mere identity information exposure, coupled with attendant costs to guard against identity theft, to be an existing compensable injury and damages absent allegations of actual misuse of the PII from the data breach. See Pisciotta, 499 F.3d at 635-37. At least three Indiana Superior Court cases have declined to dismiss for lack of injury or damages where plaintiff alleged that their PII was involved in a data breach, at least some of the information had been published on the dark web, and they had spent time remedying and monitoring the harm, but in each of those cases there were also allegations of actual misuse of the PII. See Kralovansky v. Bone, No. 64D01-1912-CT-011594, 2023 WL 8719870, at *4 (Ind. Super. Apr. 24, 2023) (concluding that plaintiff had adequately alleged damages where plaintiff's PII was exposed in a data breach and she alleged actual misuse of her PII including a fraudulent application to open a store credit, inquiries into her credit and worsened credit scores); Paul v. Ardagh Glass, Inc., No. 49D07-2209-CT-031302, 2023 WL 5153147, at *1, 6 (Ind. Super. Jan. 23, 2023) (reasoning that “the ongoing exposure of [plaintiff's] PII on the dark web. . . presents a possibility that [plaintiff] suffered injuries as a result of [defendant's] alleged negligence” and held that the issue of whether plaintiff would be able to recover damages for lost time and credit monitoring in relation to the data breach where plaintiff had experienced fraudulent charges on his credit card “requires a more thorough examination of evidence to determine the extent to which those damages can be compensated”); In re Eskenazi Health Data Incident Litigation, No. 49D01-2111-PL-038870, 2022 WL 20505180, at *13 (Ind. Super. Sep. 02, 2022) (reasoning that dismissal based upon inability to prove damages was premature because plaintiff had plausibly alleged that there were risks of harms that remain where plaintiffs had alleged that their PII was released on the dark web and actual misuse of the PII such as fraudulent charges and issues with identity theft).
At oral argument, Bonewit also relied upon Z.D. v. Cmty. Health Network, Inc., 217 N.E.3d 527, 539 (Ind. 2023), in which the Indiana Supreme Court considered a disclosure of private medical information that was sent to the wrong party and then posted on Facebook and concluded that plaintiff “may assert negligence-based claims when their private information is mishandled.” Id. at 539. Although the court held that the emotional distress damages were not cognizable, the court remanded for consideration of plaintiff's pecuniary damages for loss of income and rent because plaintiff had to move out of her home based on the disclosure of the diagnosis and strain it put on her relationship. Id. at 530, 539. Z.D. did not address the types of damages at issue here predicated upon risk of future identity theft and monitoring damages, but even so, unlike in Z.D., Bonewit has not alleged any such concrete harms and damages from the exposure of his information. See D. 40 at 1.
Here, taking all inferences in Bonewit's favor as the Court must at this stage, Bonewit has plausibly alleged that his information was published on the dark web based upon ALPHV's ransomware posting stating that “we share information with you” and what appears to be an upload date of February 13, 2024 of 81.8 GB of data. D. 25 ¶ 8. Although Bonewit has alleged that he has lost time from self-monitoring his data, Bonewit has not alleged any actual misuse of his PII or other concrete harm. See D. 25 ¶¶ 74, 77, 78. As discussed above, aside from Johnson, in the cases that held allegations of increased risk of future identity theft and lost time from monitoring that risk were sufficient to comprise a compensable injury, there was at least an allegation of actual misuse to substantiate the time involved in monitoring the threats to the PII and remedying the damages, which is unlike the allegations here. See McLaughlin, 2024 WL 4274848, at *3 (declining to dismiss claims based upon lack of compensable damages because “time and effort that data breach victims must expend is a real injury” where there were allegations of actual misuse of the PII); Paul, 2023 WL 5153147, at *6 (declining to dismiss claims based upon lack of compensable damages where plaintiff has plausibly alleged actual misuse of his PII). As currently pled, the Court concludes that Bonewit has not plausibly alleged a compensable injury at the motion to dismiss stage based upon the risk of potential future harm and lost time from self-monitoring his PII in the absence of any allegations of actual misuse or other concrete harm. See, e.g., Pisciotta, 499 F.3d at 640.
The Court also agrees that Bonewit's alleged damages based upon diminished value of PII is not a compensable harm. See D. 25 ¶ 18; see, e.g., Silha v. ACT, Inc., 807 F.3d 169, 175 (7th Cir. 2015) (affirming dismissal of allegations based on diminished value of PII because plaintiffs did not allege that they had lost anything of value and plaintiffs must allege more than just what defendant stands to gain). Here, Bonewit relies upon general allegations of PII's value on the black market, but has not alleged that Bonewit's PII has lost value in legitimate markets or explained how the hacker's possession of PII diminishes its value. See McLaughlin, 2024 WL 4274848, at *4 (concluding that plaintiffs had not alleged a cognizable injury based upon diminished value of PII because plaintiffs had only alleged general allegations of the value of PII on the black market but had not alleged that the PII had lost value and, therefore, the basis for their claim was too speculative). Accordingly, for all the reasons stated above, the Court dismisses Bonewit's claims for lack of compensable injury.
At oral argument, Bonewit conceded that his negligence-based claims predicated upon emotional distress damages were not recoverable under Indiana law. See, e.g., Z.D., 217 N.E.3d at 538-39 (reasoning that, under the modified impact rule, the plaintiff is “preclude[d] recovery for emotional distress unless the plaintiff sustained a direct physical impact from the negligence” which plaintiff had not alleged); Rubendall v. Cmty. Hosp. of Anderson & Madison Cnty., 202 N.E.3d 1151, 1156 (Ind.Ct.App. Feb. 1, 2023) (concluding that the modified impact rule operates to bar a claim for emotional distress damages in a negligence action based on a breach of medical privacy where the plaintiff cannot show that they personally sustained a physical impact). The Court agrees that Bonewit cannot sustain his claim based upon emotional distress damages as he has not alleged any physical harm from the data breach as required under Indiana law. See generally D. 25.
In the absence of a compensable injury pled, to the extent New-Indy raised other grounds for dismissal of the common law claims, see D. 28 at 18-24, the Court does not address those additional grounds.
C. Declaratory Judgment and Injunctive Relief
New-Indy also seeks to dismiss Bonewit's claim for declaratory and injunctive relief, claiming the declaratory relief that Bonewit seeks would serve no useful purpose as Bonewit is asking this Court for a declaration that New-Indy was liable for negligence. D. 28 at 24-25. Bonewit seeks a declaration that (1) New-Indy owes a legal duty to secure the PII of Bonewit, (2) New-Indy continues to breach this legal duty by failing to employ reasonable measures to secure employees' and beneficiaries' PII, and (3) these ongoing breaches continue to cause Bonewit harm. See D. 25 ¶ 162. Specifically, Bonewit alleges that New-Indy's data security measures are inadequate because New-Indy has failed to encrypt the PII stored on an internet-accessible network and New-Indy has failed to delete PII it has no reasonable need to maintain. Id. ¶ 161. Bonewit has further sought injunctive relief requiring New-Indy to implement adequate security protocols because Bonewit will otherwise lack an adequate remedy if there is another data breach. Id. ¶¶ 163-64.
The Declaratory Judgment Act gives federal courts the discretion to declare the parties' rights. See 28 U.S.C. § 2201 et seq. A request for declaratory relief is moot if no substantial controversy of sufficient immediacy and reality exists to warrant the issuance of a declaratory judgment. See, e.g., Warsaw Orthopedic, Inc. v. Sasso, No. 18-cv-437 JD, 2019 WL 428574, at *3 (N.D. Ind. Jan. 31, 2019), aff'd, 977 F.3d 1224 (Fed. Cir. 2020) (reasoning that the declaratory judgment was inappropriate because the state court had already entered judgment and there would be no benefit served).
Here, Bonewit's request for declaratory judgment does not appear to be asking for relief for New-Indy's past acts and seems to seek to redress allegedly ongoing breaches concerning New-Indy's security measures that affect PII. Given its conclusion that Bonewit has failed to allege compensable injury based upon the current data breach at issue, the Court declines to exercise its discretion here as to declaratory judgment, see Hummel v. St. Joseph Cnty. Bd. of Comm'rs, 57 F.Supp.3d 902, 918 (N.D. Ind. 2014), aff'd sub nom. Hummel v. St. Joseph Cnty. Bd. of Comm'rs, 817 F.3d 1010, 1023 (7th Cir. 2016) (denying requests for declaratory judgment and injunctive relief because the plaintiffs have no remaining underlying claims) and declines the request for injunctive relief given that there is no reasonable likelihood of success on the merits in light of the dismissal of the claims. Accordingly, Bonewit's claim for declaratory judgment and request for injunctive relief is also dismissed.
VI. Conclusion
For the foregoing reasons, the Court ALLOWS New-Indy's motion to dismiss, D. 27, without prejudice.
So Ordered.