
Owen-Brooks v. Dish Network Corp.

United States District Court, District of Colorado
Aug 23, 2024
1:23-cv-01315-RMR-SBP (D. Colo. Aug. 23, 2024)

Opinion

Lead 1:23-cv-01168-RMR-SBP 1:23-cv-01315-RMR-SBP 1:23-cv-01319-RMR-SBP 1:23-cv-01346-RMR-SBP 1:23-cv-01372-RMR-SBP 1:23-cv-01387-RMR-SBP 1:23-cv-01405-RMR-SBP 1:23-cv-01458-RMR 1:23-cv-01462-RMR-SBP 1:23-cv-01556-RMR

08-23-2024

SUSAN OWEN-BROOKS, et al., individually and on behalf of all others similarly situated, Plaintiffs, v. DISH NETWORK CORPORATION and DISH NETWORK LLC, Defendants.


RECOMMENDATION ON MOTION TO DISMISS

Susan Prose, United States Magistrate Judge

In this data breach case, Defendants DISH Network Corporation and DISH Network LLC (collectively, “Defendant” or “DISH”) move (ECF No. 46, the “Motion”) to dismiss Plaintiffs' consolidated, amended class action complaint. (“CAC,” ECF No. 40). Defendant argues pursuant to Federal Rule of Civil Procedure 12(b)(1) a lack of subject matter jurisdiction due to Plaintiffs' lack of standing. In the alternative, if any Plaintiffs have standing, they nonetheless fail to state claims upon which relief may be granted under Rule 12(b)(6). The Motion is referred to this court pursuant to 28 U.S.C. § 636. See ECF No. 47. Plaintiffs oppose. ECF No. 53 (“Resp.”). Defendant has replied. ECF No. 54 (“Reply”). On July 30, 2024, this court heard extensive oral argument and took the Motion under advisement. ECF No. 59 (minutes). The court now respectfully RECOMMENDS that the Motion be granted in part and denied in part, as follows.

I. Background

In their fifty-nine page pleading, eleven named Plaintiffs allege that Defendant experienced a data breach on February 23, 2023 (the “Data Breach”), in which their personally identifiable information and personal health information (“PII” and “PHI,” respectively) was stolen by a criminal group known as the “Black Basta.” CAC at 1-3.

Defendant notified Plaintiffs of the types of data that were stolen concerning each Plaintiff. For instance, Defendant notified Plaintiff Rebecca Dougherty that “the compromised files contained Plaintiff Dougherty's name, payment card information, financial account number, health insurance information, medical information, COVID-19 vaccination status and Social Security number.” CAC ¶ 51 (hereafter, the latter is referred to as “SSN”). It appears that Defendant notified each named Plaintiff that these same categories of information were stolen as to each of them. See, e.g., id. ¶¶ 46, 56, 61, 66, 72, 78, 84, 90, 96, 102.

Plaintiffs also allege “on information and belief” that a wider array of their personal data was stolen in the Data Breach, including “date of birth, physical and email addresses, . . . [and] driver's license or state identification card numbers.” CAC ¶ 8. See also id. ¶ 37 (alleging driver's license information was among the stolen PII). But Plaintiffs do not allege what information supports their belief that this additional data was also stolen in the Data Breach.

Plaintiffs propose to represent three classes: current employees, former employees, and family members whose personal information was stolen in the Data Breach. They bring six claims: (1) negligence; (2) negligence per se; (3) breach of contract (on behalf of only the current and former employees); (4) breach of implied contract (on behalf of only the current and former employees); (5) unjust enrichment; and (6) declaratory judgment.

II. Legal Standards

A. Rule 12(b)(1) Motions

Federal courts are courts of limited jurisdiction. Under Article III of the United States Constitution, federal courts only have jurisdiction to hear certain “cases” and “controversies,” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 157 (2014), rendering them “duty bound to examine facts and law in every lawsuit before them to ensure that they possess subject matter jurisdiction.” The Wilderness Soc. v. Kane Cnty., 632 F.3d 1162, 1179 n.3 (10th Cir. 2011) (Gorsuch, J., concurring). Indeed, courts have an independent obligation to determine whether subject matter jurisdiction exists, even in the absence of a challenge from any party. 1mage Software, Inc. v. Reynolds & Reynolds, Co., 459 F.3d 1044, 1048 (10th Cir. 2006) (citing Arbaugh v. Y & H Corp., 546 U.S. 500 (2006)).

Pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, a party may bring either a facial or factual attack on subject matter jurisdiction, and a court must dismiss a complaint if it lacks subject matter jurisdiction. See Pueblo of Jemez v. United States, 790 F.3d 1143, 1148 n.4 (10th Cir. 2015). For a facial attack, the court takes the allegations in the complaint as true; for a factual attack, the court may not presume the truthfulness of the complaint's factual allegations and may consider affidavits or other documents to resolve jurisdictional facts. Rural Water Dist. No. 2 v. City of Glenpool, 698 F.3d 1270, 1272 n.1 (10th Cir. 2012) (citing Holt v. United States, 46 F.3d 1000, 1002-03 (10th Cir. 1995)). In this case, Defendant makes a facial attack because although it submits certain materials outside of the pleading (see ECF No. 46-1 through 46-6), it relies on those materials only for its factual background section and Rule 12(b)(6) arguments. When the plaintiff's standing is challenged, the party invoking federal jurisdiction bears the burden of establishing it. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). See also TransUnion LLC v. Ramirez, 594 U.S. 413, 430-31 (2021) (same).

B. Rule 12(b)(6) Motions

Under Rule 12(b)(6), defendants can move to dismiss for “failure to state a claim upon which relief can be granted.” In deciding a motion under Rule 12(b)(6), the court must “accept as true all well-pleaded factual allegations . . . and view these allegations in the light most favorable to the plaintiff.” Casanova v. Ulibarri, 595 F.3d 1120, 1124-25 (10th Cir. 2010) (quoting Smith v. United States, 561 F.3d 1090, 1098 (10th Cir. 2009)). Nevertheless, a plaintiff may not rely on mere labels or conclusions, “and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). To survive a motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Id. (internal quotation marks omitted). That is, the complaint must include well-pleaded facts that, taken as true, “allow[ ] the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id.

The Twombly/Iqbal pleading standard first requires the court to identify which allegations “are not entitled to the assumption of truth” because, for example, they state legal conclusions or merely recite the elements of a claim. Id. at 679. It next requires the court to assume the truth of the well-pleaded factual allegations “and then determine whether they plausibly give rise to an entitlement to relief.” Id. In this analysis, courts “disregard conclusory statements and look only to whether the remaining, factual allegations plausibly suggest the defendant is liable.” Khalik v. United Air Lines, 671 F.3d 1188, 1191 (10th Cir. 2012). Any “factual allegations that contradict . . . a properly considered document are not well-pleaded facts that the court must accept as true.” GFF Corp. v. Associated Wholesale Grocers, 130 F.3d 1381, 1385 (10th Cir. 1997).

The ultimate duty of the court is to “determine whether the complaint sufficiently alleges facts supporting all the elements necessary to establish an entitlement to relief under the legal theory proposed.” Forest Guardians v. Forsgren, 478 F.3d 1149, 1160 (10th Cir. 2007). “Determining whether a complaint states a plausible claim for relief will . . . be a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal, 556 U.S. at 679. But “a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that a recovery is very remote and unlikely.” Clinton v. Sec. Benefit Life Ins. Co., 63 F.4th 1264, 1276 (10th Cir. 2023) (internal quotation marks omitted, quoting Twombly, 550 U.S. at 556), reh'g en banc denied, 83 F.4th 1251 (10th Cir. 2023).

III. Analysis

A. Standing

Federal Rule of Civil Procedure 12(b)(1) permits Defendant to move to dismiss for lack of subject matter jurisdiction, including a lack of standing. A lack of standing deprives a court of subject matter jurisdiction because the judicial power of the federal courts extends only to “cases” or “controversies.” U.S. Const. art. III, § 2. “The doctrine of standing, among others, implements this limit on our authority.” Dep't of Educ. v. Brown, 600 U.S. 551, 561 (2023) (cleaned up). Under that doctrine:

[T]he irreducible constitutional minimum of standing contains three elements that a plaintiff must plead and-ultimately-prove. First, the plaintiff must have suffered an ‘injury in fact' that is both concrete and particularized and actual or imminent, not conjectural or hypothetical. Second, the plaintiff's injury must be fairly traceable to the challenged action of the defendant, meaning that there must be a causal connection between the injury and the conduct complained of. Third, it must be ‘likely,' as opposed to merely ‘speculative,' that the injury will be redressed by a favorable decision.
Id. (emphasis added; cleaned up, citing Lujan, 504 U.S. at 560). The injury must be “real rather than abstract.” Id. at 1190 (citing Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016)). “[A] plaintiff must establish that its injury was ‘not the result of the independent action of some third party not before the court.'” Santa Fe Alliance for Pub. Health & Safety v. City of Santa Fe, 993 F.3d 802, 814 (10th Cir. 2021) (quoting Lujan, 504 U.S. at 560). In short, “[o]nly plaintiffs who allege a concrete injury [from the subject of their claims] have standing to sue in federal court.” Acheson Hotels, LLC v. Laufer, 601 U.S. 1, 3 (2023). “And standing is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek (for example, injunctive relief and damages).” TransUnion, 594 U.S. at 431.

Nonetheless, “[a]n allegation of future injury may suffice [as a concrete harm] if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Driehaus, 573 U.S. at 158 (internal quotation marks omitted, quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n.5 (2013)). “As a general principle, ‘concrete' is not necessarily synonymous with ‘tangible.' Though concreteness may be more easily satisfied for tangible injuries like physical or monetary harms, intangible injuries . . . may nevertheless be concrete for standing purposes.” Lupia v. Medicredit, Inc., 8 F.4th 1184, 1191 (10th Cir. 2021) (cleaned up, quoting Spokeo, 578 U.S. at 340); Id. at 1193 (finding that the plaintiff sufficiently alleged a concrete harm based upon “intrusion upon seclusion” to have Article III standing to bring a claim under the Fair Debt Collection Practices Act). “In determining whether an intangible harm is sufficiently concrete to constitute an injury in fact, [the court] looks to both history and to the judgment of Congress. The [Supreme] Court has explained: history and tradition offer a meaningful guide to the types of cases that Article III empowers federal courts to consider.” Id. at 1191 (cleaned up, citations omitted) (citing Spokeo and TransUnion, 594 U.S. at 424). Specifically, the court

consider[s] whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts. Stated another way, this inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.
Id. (cleaned up, citations omitted). “Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion, 594 U.S. at 425.

In this case, the named Plaintiffs allege a variety of present harms resulted from the Data Breach, and they also allege intangible (future) harms from an increased risk of identity theft due to the Data Breach. Thus, the main questions for evaluating Plaintiffs' standing are: (1) When are present harms fairly traceable to a data breach, and (2) When are future risks of fraud (using the stolen or lost data) sufficiently concrete to support standing?

1. Legal Standards for Standing in Data Breach Cases

The Tenth Circuit has not yet ruled on standing in the data breach context, but there is a plethora of such cases from other circuit courts, district courts within the Tenth Circuit, and this court. Defendant relies most heavily on recent decisions from sister courts within the Tenth Circuit. Motion at 9-19; Reply at 7-11. Plaintiffs instead rely primarily on the circuit court decisions and would distinguish many of Defendant's cases on the facts. Resp. at 9-17.

References to page numbers in the ECF filings are to the pdf, not to any native page numbering.

Defendant prefers the district court opinions within this circuit because those cases require data breach plaintiffs to allege actual misuse of their stolen information, to find the risk of future harm sufficiently concrete for purposes of standing. Several circuit court decisions that Plaintiffs cite would not necessarily require actual misuse in order to support standing, if other facts show the risk is sufficiently concrete. As will be seen below, this difference in the legal standard matters for six of the named Plaintiffs whose only traceable harms are time spent addressing the Data Breach, and the fear and anxiety they have suffered from the Data Breach. The difference in legal standard most clearly matters for two Plaintiffs (Ms. Dougherty and Mr. Abraham) who do not allege any actual misuse of their stolen information, and for standing purposes rely entirely on their time spent, fear, and anxiety.

Meanwhile, shortly after the briefing was complete in this case, this court addressed standing in another data breach case: Maser v. Commonspirit Health, No. 23-cv-01073-RM-SBP, 2024 WL 2863579 (D. Colo. Apr. 16, 2024), objection pending. In Maser, this court found several circuit decisions persuasive in outlining the legal standards. The circuit cases are the most appropriate place to start, since the Tenth Circuit-if or when it is called upon to address the issue-likely would begin there as well.

Indeed, as will be seen below, the district court cases on which Defendant relies likewise begin with the persuasive guidance from the circuit courts. See, e.g., Deevers v. Wing Fin. Servs., LLC, No. 22-cv-0550-CVE-JFJ, 2023 WL 6133181, at *4-7 (N.D. Okla. Sept. 19, 2023) (citing extensively Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022)).

The Third Circuit helpfully summarizes the data breach cases as typically-though not exclusively-focusing on three factors:

Courts rely on a number of factors in determining whether an injury is imminent-meaning it poses a substantial risk of harm-versus hypothetical in the data breach context. These non-exhaustive factors can serve as useful guideposts, with no single factor being dispositive to our inquiry. Among them is whether the data breach was intentional. * * *
Courts also consider whether the data was misused. * * * Of note, misuse is not necessarily required. The Seventh Circuit has found standing despite no allegations of misuse, holding that it was sufficient that a data breach increased the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions.
* * *
Further, courts consider whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft. For instance, disclosure of social security numbers, birth dates, and names is more likely to create a risk of identity theft or fraud. By contrast, the disclosure of financial information alone, without corresponding personal information, is insufficient. This is because financial information alone generally cannot be used to commit identity theft or fraud.
Clemens v. ExecuPharm Inc., 48 F.4th 146, 153-54 (3d Cir. 2022) (emphasis added, cleaned up, citations omitted, collecting cases). See also McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 301-03 (2d Cir. 2021) (focusing on the same three non-exclusive factors for standing in data breach cases).

In other words, for purposes of analyzing Article III standing, data breach cases largely organize along three axes:

(x) intentionality of breach (“targeted” vs. “untargeted”);
(y) fraud-sensitivity of the exposed data; and
(z) whether there is already actual misuse of the data (fairly traceable to the data breach), or instead only a risk of future misuse (i.e., only intangible harm).

A “targeted” breach is one in which an unauthorized person (or persons) intentionally hacks into a defendant's network to take the personal information in its possession, or otherwise intentionally finds a way to steal the information that is in a specific defendant's possession. See, e.g., Clemens, 48 F.4th at 153 (collecting cases). An “untargeted” breach occurs inadvertently, when, for instance, an employee loses a laptop containing customers' or employees' unencrypted data.

With respect to the last category, if the plaintiff alleges only a risk of future misuse-intangible harm-then, consistent with TransUnion, Clemens further holds that “if the theory of injury is an unauthorized exposure of personally identifying information that results in an increased risk of identity theft or fraud, that harm is closely related to that contemplated by privacy torts that are well-ensconced in the fabric of American law.” Id. at 155 (quotation marks omitted).

But “the mere existence of a common law analog for the asserted harm does not necessarily end our inquiry. In a suit premised on the mere risk of future harm-that is, where the alleged injury-in-fact is imminent rather than actual-we must also consider the type of relief sought.” Id. (quotation marks omitted). As to injunctive relief, a risk of future harm may suffice if it is “sufficiently imminent and substantial.” Clemens, 48 F.4th at 155 (quoting TransUnion, 594 U.S. at 436; Clapper, 568 U.S. at 414 n.5). But for damages based only on a risk of future harm, the plaintiff must allege some “additional, currently felt concrete harms” for standing. “For example, if the plaintiff's knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services.” Id. at 156 (citing TransUnion, 495 U.S. at 436 n.7, analogizing to the tort of intentional infliction of emotional distress). See also McMorris, 995 F.3d at 303.

Of course, merely alleging emotional distress and mitigation expenses-without alleging a substantial risk of future fraud-does not in itself satisfy the concrete injury requirement:

[W]here plaintiffs have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury. This notion stems from the Supreme Court's guidance in Clapper, where it noted that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” [Clapper,] 568 U.S. at 416.
McMorris, 995 F.3d at 303 (cleaned up, citing inter alia In re SuperValu, Inc., 870 F.3d 763, 771 (8th Cir. 2017)).

Thus, cases that involve targeted breaches, fraud-sensitive data, and actual misuse (as to at least one named plaintiff) easily meet the Article III standing requirement at the pleading phase. See, e.g., Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 370 (1st Cir. 2023) (finding standing based on targeted theft of patients' data that included SSNs, where a named plaintiff alleged she suffered actual tax return fraud as a result); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 965 (7th Cir. 2016) (finding standing where breach was targeted, credit and debit card data was stolen, and the plaintiffs alleged actual misuse of their credit or debit accounts after the breach); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (finding standing based on hackers' theft of customers' credit card numbers and actual fraudulent use of many of those accounts).

At the opposite end, standing is easily found to be lacking in cases that involve untargeted breaches (or at least lack clarity on that issue), data that is not in itself financially-sensitive, and no actual misuse. See, e.g., Beck v. McDonald, 848 F.3d 262, 267-68 (4th Cir. 2017).

Cases that fall between those two poles-like this case does-come to varying conclusions depending on the alleged facts. For instance, where a plaintiff asserts no actual misuse of the information, several circuit courts have nonetheless found standing, but only if the breach was targeted, the stolen data was financially-sensitive, and the plaintiff alleges at least some present emotional distress or mitigation expense. See, e.g., Pruchnicki v. Envision Healthcare Corp., 845 Fed.Appx. 613, 614 (9th Cir. 2021) (reflecting that the district court found standing where the plaintiff alleged a targeted data breach, future risk of fraud, and mitigation time and expense, and affirming dismissal for failure to adequately allege damages to state a claim); In re Zappos.com, Inc., 888 F.3d 1020, 1027 (9th Cir. 2018) (finding standing in a targeted data breach case, in which the plaintiffs whose claims were at issue in the appeal alleged only a risk of future harm, but the stolen data included their credit card numbers); Krottner v. Starbucks Corp., 628 F.3d 1139, 1140-43 (9th Cir. 2010) (finding standing where a laptop was stolen from the defendant, containing unencrypted names, addresses and SSNs; allegations of an increased risk of future fraud combined with present anxiety and mitigation expenses sufficed). See also Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 285-86 (2d Cir. 2023) (finding standing based on targeted theft of plaintiff's name and SSN, and the risk of future fraud combined with presently-felt mitigation expenses).

The district court opinion in Pruchnicki makes plain that the stolen data included names, birthdates, driver's license numbers, and SSNs. Pruchnicki v. Envision Healthcare Corp., 439 F.Supp.3d 1226, 1229 (D. Nev. 2020), aff'd, 845 Fed.Appx. 613 (9th Cir. 2021).

In Maser, this court did not have to reach whether actual misuse is always required for standing. The plaintiff in that case alleged actual misuse; she just did not allege when that misuse occurred or how it related to the types of information stolen in that case, which did not include financially-sensitive data. Maser, 2024 WL 2863579, at *7. And because the stolen information was not financially-sensitive, the plaintiff in that case also could not rely on a risk of future harm or her alleged present harms. Id. at *7-8.

But in this case, the Data Breach does involve financially-sensitive information (SSNs, payment card information, and financial account numbers); several of the named Plaintiffs allege actual misuse, but as will be seen below, it is not traceable to the Data Breach; and two named Plaintiffs do not allege actual misuse. Thus, this court must decide whether actual misuse of the stolen information is required for standing.

In the hearing, Defendant argued there is a circuit split on the question of whether data breach plaintiffs must allege actual misuse of their stolen information in order to have standing. Defendant argues that the Ninth Circuit-which decided three of the cases cited above-is the only circuit that does not require actual misuse. But even after TransUnion, at least the Second and Third Circuits have likewise not required actual misuse. See Bohnak, 79 F.4th at 288 (concluding that McMorris, in which the Second Circuit so held, remains good law after TransUnion); Clemens, 48 F.4th at 154 (citing Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007)). It thus appears that at least the Second, Third, Seventh, and Ninth Circuits do not necessarily require actual misuse (unless they have changed their position after TransUnion, a question that is unnecessary to reach here).

More persuasively, however, Defendant notes that several district courts within the Tenth Circuit have required actual misuse in order to find a data breach plaintiff has standing. For instance, Defendant cites Blood v. Labette County Medical Center, No. 5:22-CV-04036-HLT-KGG, 2022 WL 11745549 (D. Kan. Oct. 20, 2022); C.C. v. Med-Data Inc., No. 21-2301-DDC-GEB, 2022 WL 970862 (D. Kan. Mar. 31, 2022); Deevers v. Wing Financial Services, LLC, No. 22-CV-0550-CVE-JFJ, 2023 WL 6133181 (N.D. Okla. Sept. 19, 2023); McCombs v. Delta Grp. Electronics, Inc., 676 F.Supp.3d 1064 (D.N.M. June 9, 2023); and Legg v. Leaders Life Ins. Co., 574 F.Supp.3d 985, 992-93 (W.D. Okla. 2021).

In Blood, the court stated that “multiple Circuits have held that without actual misuse of stolen information, plaintiffs lack standing.” Blood, 2022 WL 11745549, at *7 (emphasis original, citing inter alia Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340-44 (11th Cir. 2021); Med-Data Inc., 2022 WL 970862, at *4; Legg, 574 F.Supp.3d at 990). Blood is correct that our sister courts (or at least many of them) have so concluded, particularly after TransUnion. This court joins them in predicting that the Tenth Circuit will require data breach plaintiffs to allege actual misuse of their stolen data in order to find that they have standing to bring claims for damages.

Blood and Legg recognize, nonetheless, that the Second Circuit does not require actual misuse. Blood, 2022 WL 11745549 at *7 (citing McMorris, 995 F.3d at 300); Legg, 574 F.Supp.3d at 991 (citing McMorris, 995 F.3d at 298-99, 303-04).

Defendant also cites Masterson v. IMA Fin. Grp., Inc., No. 23-cv-02223-HLT-ADM, 2023 WL 8647157 (D. Kan. Dec. 14, 2023), but that case does not expressly analyze whether actual misuse is always required so much as it simply finds the allegations in that case were not traceable to the defendant's data breach. The same is true of the case to which Defendant points in its Notice of Supplemental Authority, ECF No. 60, Zerbe v. IMA Fin. Grp., Inc., No. 2:24-CV-02026-HLT-GEB, 2024 WL 3677395, at *6 (D. Kan. Aug. 6, 2024).

Some of the cases that Defendant cites within the Tenth Circuit do not expressly address whether actual misuse is required for standing to seek injunctive relief, apparently because the plaintiffs therein did not seek such relief. See, e.g., Blood, 2022 WL 11745549, at *2 (noting the plaintiffs claimed they had been damaged and had a risk of future damages).

This court further predicts that the Tenth Circuit will also require actual misuse in order to find standing to seek injunctive relief as well. Standing to seek injunctive relief can be premised on “a material risk of future harm.” TransUnion, 594 U.S. at 435. “[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” Id. (citing inter alia Clapper, 568 U.S. at 414 n.5). And when financially-sensitive information (SSNs, for instance) is stolen in a recent data breach (such as occurred here), the risk of future harm may be both imminent and substantial.

But even for claims seeking only injunctive relief, there must still be fair traceability between the risk of future harm and the particular data breach at issue, or the particular defendant's conduct. This court agrees with the reasoning of its sister courts in (for instance) Legg, 574 F.Supp.3d at 991, and Ruskiewicz v. Oklahoma City Univ., No. CIV-23-303-D, 2023 WL 6471716, at *2-3 (W.D. Okla. Oct. 4, 2023), that without at least some alleged misuse of the stolen information following the data breach in question, the risk of future identity theft is not fairly traceable even for claims seeking only injunctive relief. To hold otherwise would effectively allow anyone whose financially-sensitive information has been subject to a data breach to bring claims for injunctive relief against every entity who had their information stolen from its possession-and at this point, such a broad conception could encompass nearly every individual in the United States. Accordingly, this court concludes that Plaintiffs must allege actual misuse to have standing to seek either damages or injunctive relief.

But “actual misuse” is a much broader category than Defendant argues here. Defendant would limit “actual misuse” to actual unauthorized charges, accounts, or other actual theft, i.e., to actual harm. Reply at 12-13. But even unauthorized attempts to open accounts or to make unauthorized charges constitute “actual misuse” for purposes of standing. See, e.g., Tsao, 986 F.3d at 1340 (discussing Krottner, 628 F.3d at 1142, in which the attempt to open a bank account sufficed as misuse); McCombs, 676 F.Supp.3d at 1070 (same); Masterson, 2023 WL 8647157, at *4 n.4 (rejecting argument that plaintiff must allege they “actually paid the unauthorized charges” because “injury for the purpose of Article III standing is not limited to financial harm,” citing TransUnion, 594 U.S. at 434-35); Deevers, 2023 WL 6133181, at *5-6 (with respect to plaintiffs whose “data may have been subject to a data breach, but have not faced actual harm,” “the majority of courts, including district courts in this circuit, have concluded that plaintiffs must allege actual misuse . . . to demonstrate they face an imminent risk of fraud,” emphasis added). See also Blood, 2022 WL 11745549, at *7 (citing Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 387-91 (6th Cir. 2016), in which “three unauthorized attempts to open credit cards in [plaintiff's] name” constituted misuse). Med-Data would appear to require even less to find actual misuse, in recognizing that pleading one's stolen data “was being advertised and sold online” would “adequately plead[] that their information has been accessed and/or misused.” 2022 WL 970862, at *7 (discussing In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F.Supp.2d 1243, 1255 (M.D. Fla. 2019)).

These cases reiterate the need for careful analysis of whether Plaintiffs allege facts that show the alleged misuse of their information is fairly traceable to the defendant's data breach. For instance, in Blood the plaintiffs alleged a concrete injury in actual, unauthorized charges to their bank account, but they did not allege how the stolen types of information (including SSNs) could be used to access their bank account. The court would not infer a connection between the two, and the claims therefore failed for lack of traceability. Blood, 2022 WL 11745549 at *3.

2. Do the Named Plaintiffs Have Standing to Seek Damages?

Applying these legal standards to the allegations here, as for the first factor under Clemens, the Data Breach was targeted, i.e., intentional. A band of Russian cybercriminals allegedly targeted Defendant because of the size of personal information it would have on its network. As for the second factor: the stolen information included financially-sensitive data of Plaintiffs in the form of their SSNs, payment card information, and financial account numbers.

The fight in this case is only as to the third factor-the alleged harm(s). Of the eleven named Plaintiffs, two assert time spent, fear, and anxiety, but they do not assert actual misuse of their personal information: Ms. Dougherty and Mr. Abraham. Because this court joins with its many sister courts who conclude that the Tenth Circuit will require actual misuse to find standing in data breach cases, Ms. Dougherty and Mr. Abraham's claims should be dismissed for lack of standing.

Next we have two Plaintiffs who assert not only time spent, fear, and anxiety, but also actual misuse in the form of increased spam communications: Ms. Cook and Ms. Bane. But in this case, an increase in spam communications does not plausibly allege misuse of their stolen information. Plaintiffs do not allege that their phone numbers were stolen in the Data Breach. And while they allege on information and belief that their email addresses were stolen in the Data Breach, their other allegations make that implausible. Each named Plaintiff alleges the specific types of information that Defendant identified as stolen in its notices of the Data Breach. CAC ¶¶ 46, 56, 61, 66, 72, 78, 84, 90, 96, 102. Plaintiffs' allegations of the notices do not identify email addresses as among the stolen data. Id. Plaintiffs also recognize that Defendant obtained a forensic investigation into the impact of the Data Breach before sending the notices. Id. ¶¶ 4-6, 40, 41. While Plaintiffs assert that Defendant failed to promptly notify them of the Data Breach, they do not appear to allege that Defendant failed to properly investigate the impact of the Data Breach, or that the forensic investigation it obtained was faulty.

Defendant compiled a table of each named Plaintiff's alleged harms, cross-referencing the paragraphs of the Consolidated Amended Complaint. Motion at 29 (Appendix 1 to the Motion). This court nevertheless reviewed each Plaintiff's fact allegations in the CAC. The allegations of harm that are not specific to the named Plaintiffs (CAC at 30-59) also provide background information on how thieves can use the Internet to obtain additional information necessary to steal their victims' identities for fraud, but that background does not address the problems with standing identified in this Recommendation.

Defendant attaches the template it used for notifying each affected individual, including Plaintiffs. ECF No. 46-2. Defendant also attaches a website of the Office of the Maine Attorney General where that template is publicly available to support their contention that this court can consider the template notice without converting the Motion to a motion for summary judgment. ECF No. 46-3, 46-1 (request for judicial notice). Plaintiffs do not appear to dispute that, but this court does not see any reason to consider the template notice for purposes of resolving the Motion. Defendant cites it only as background. Motion at 7. It does not cite the Maine Attorney General webpage in the Motion, nor does either side request judicial notice thereof.

Nor will this court infer that the “spammers” misused Plaintiffs' information stolen in the Data Breach to obtain their phone numbers and email addresses. While that is conceivable, it is equally conceivable that the spammers obtained Plaintiffs' phone numbers and email addresses independently from other sources. These Plaintiffs' claims accordingly fail for lack of traceability.

Next in severity of alleged harm is Ms. Turley. In addition to time spent, fear and anxiety, and spam, Ms. Turley also alleges that she “has received notifications from two credit monitoring sites stating that her personal information is present for sale on the dark web.” CAC ¶ 91. This may or may not plausibly allege a present or risk of future injury (see Med-Data, 2022 WL 970862, at *7), but without any allegation as to when she received the notifications and what types of her personal information are for sale, her claims fail for lack of traceability to the Data Breach.

At the hearing, Plaintiffs' counsel argued that standing does not require specific allegations of the dates when the harms occurred because the CAC alleges those harms occurred “as a result of” the Data Breach. But in the data breach context-in which Plaintiffs do not allege Defendant was unique in possessing Plaintiffs' personal information, or that this was the first time their information was stolen in a data breach-alleging misuse was “a result of” the Defendant's Data Breach is too conclusory and is not a well-pleaded fact that the court must accept as true. See Iqbal, 556 U.S. at 679 (determining plausibility “will . . . be a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.”).

Next, Mr. Cruse alleges that he was “denied a new job during a security clearance check because his information was found on the dark web.” CAC ¶ 79. This is a concrete harm, but Mr. Cruse does not allege when it occurred. He also does not allege what type(s) of his personal information that were found on the dark web caused him to be denied the job. Without such allegations, his claims fail for lack of traceability.

This leaves Plaintiffs Mr. Clark, Ms. Jenkins, Ms. Vest, Mr. Cardenas, and Ms. Looney. These Plaintiffs allege at least one form of misuse that courts generally consider to be “actual misuse”: attempted identity theft or charges, actual unauthorized charges, and unauthorized loan applications or so-called “hard” inquiries on their credit reports for loan applications that the Plaintiffs did not initiate.

Ms. Jenkins alleges an unauthorized attempt to open accounts in her name and nine “credit inquiries on her credit report for lines of credit that she never opened”-and this court reasonably infers that those were nine lines of credit for which she also did not apply. But she does not allege when those harms occurred. Her claims fail for lack of traceability.

Plaintiffs' counsel informed the court that during the hearing, his staff contacted the client and obtained the dates that these events occurred. But even if Plaintiffs had attempted to collect and state these facts in their written response brief, this would not suffice to amend the complaint. See, e.g., Abdulina v. Eberl's Temp. Servs., Inc., 79 F.Supp.3d 1201, 1206 (D. Colo. 2015) (“Plaintiff, however, cannot amend her complaint by adding factual allegations in response to Defendant's motion to dismiss.”).

Ms. Looney “recently noticed hard inquiries on her and her husband's credit report, which they did not authorize.” CAC ¶ 103. The complaint does not spell out what a “hard inquiry” is, but Plaintiffs' Response states that SSNs (and financial card or account numbers) are used to make credit inquiries. Resp. at 17. The court takes judicial notice that a “hard inquiry” for a credit report occurs when the consumer applies for credit and gives their consent for the inquiry. See, e.g., Hard Inquiry: Definition, How It Works, Impact on Credit Score (investopedia.com); Understanding Hard Inquiries on Your Credit Report | Equifax. The court infers that an SSN is required for loan applications. Ms. Looney's SSN (and those of her children) is among the types of financially-sensitive information stolen in the Data Breach. But even assuming in Ms. Looney's favor that “recently” necessarily means after the Data Breach, she only alleges that is when she noticed the hard inquiries. She does not allege when the hard inquiries actually occurred. Her claims accordingly fail for lack of traceability.

Mr. Clark (a former employee) alleges that he “was the victim of fraud when an unknown individual tried to obtain unemployment benefits using his name in or around June 2023, and when an unknown individual tried to purchase items using his credit card. Furthermore, Plaintiff Clark was notified by his password manager that his personal information was found on the dark web.” CAC ¶ 73. Although the latter harms are not traceable here without alleging the dates they occurred, and it would be better for Mr. Clark to also allege the specific types of personal information that were used in the fraudulent unemployment application, this court takes judicial notice of the fact that an unemployment application would require a Social Security Number. Mr. Clark therefore plausibly alleges a traceable harm in someone trying to obtain unemployment benefits in his name a few months after the Data Breach. Mr. Clark has standing.

Mr. Clark alleges that he is a citizen of Colorado. He does not allege in which state the unauthorized application was filed. But as an example, the Colorado Department of Labor and Employment requires an SSN in order to apply for unemployment benefits. Claimant Login | CDLE (state.co.us). See, e.g., Winzler v. Toyota Motor Sales U.S.A., Inc., 681 F.3d 1208, 1212-13 (10th Cir. 2012) (taking judicial notice of the existence of “documents filed with [an agency] and now available on the agency's public website”); Buhendwa v. Regional Transp. Dist., 82 F.Supp.3d 1259, 1266 n.2 (D. Colo. 2015) (“The court may take judicial notice of the contents of an agency's website”).

Ms. Vest (a former employee) alleges she “noticed three hard inquiries on her credit report that she did not authorize, each having taken place soon after the Data Breach. Specifically, the inquiries occurred in April, June, and July 2023. CAC ¶ 97. This plausibly alleges actual misuse that is fairly traceable to Defendant's Data Breach. Ms. Vest has standing.

Ms. Vest also alleges that she “witnessed $50 transferred from her PayPal account without her authorization and was recently notified through her credit monitoring account that her personal information is now for sale on the dark web.” CAC ¶ 97. But Ms. Vest was employed by Defendant twenty years ago. Id. ¶ 95. She has not plausibly alleged how her twenty-year-old stolen information would lead to theft from her PayPal account. And she also does not allege what type(s) of personal information are on the dark web.

Mr. Cardenas (a current employee) alleges he “was the victim of fraud when he began receiving letters from various lending institutions claiming that unknown individuals had been applying for car loans using his name and information. Plaintiff Cardenas also suffered fraud when his bank notified him that an unknown individual charged $125.00 to his debit card in another state in or around August 2023.” CAC ¶ 67. His information stolen in the Data Breach includes his “payment card information, financial account number . . . and Social Security Number.” Id. ¶ 66. The attempts to obtain car loans are not traceable here because Mr. Cardenas does not allege when they occurred. But the unauthorized charge to his debit card is fairly traceable, and therefore Mr. Cardenas has standing.

Accordingly, this court respectfully RECOMMENDS that the Motion to dismiss be granted as to all named Plaintiffs' claims for damages and injunctive relief for lack of standing, except as to Mr. Clark, Ms. Vest, and Mr. Cardenas.

B. Defendant's Rule 12(b)(6) Arguments

The court first notes that this section of analysis refers only to the three Plaintiffs with standing: Mr. Clark, Ms. Vest, and Mr. Cardenas. They are current and former employees; none of the family-member Plaintiffs have standing. There is accordingly no reason to discuss whether any of the claims are plausible as to family members. Nor does this discussion address the claims of any of the other named Plaintiffs who lack standing.

Defendant argues that Plaintiffs fail to state plausible claims for relief as to all six of their counts: negligence, negligence per se, breach of contract (employees only), breach of implied contract (employees only), unjust enrichment, and declaratory judgment. Motion at 15-20. This aspect of Defendant's Motion is a tall order, considering the amount of time and ink spent on Defendant's challenge to Plaintiffs' standing.

The Motion itself reflects that the scope of its Rule 12(b)(6) argument is a bit ambitious. For instance, Defendant devotes only a paragraph to the complex question of choice of law for a putative class action involving Plaintiffs of different states. Motion at 20. Defendant also attempts to treat Plaintiffs' express and implied contract claims together, but these are plainly different legal theories, the factual bases for which are not identical. The express contract claim, for instance, relies on Defendant's Privacy Policy as forming a part of its express contracts with Plaintiffs. CAC ¶¶ 220-222. While the implied contract claim incorporates those allegations by reference (Id. ¶ 229), this claim does not expressly rely on the Privacy Policy. Instead, Plaintiffs allege that an implied contract was created when they “entrust[ed] DISH with their highly sensitive Private Information” with the understanding “that DISH would adequately safeguard” that information, including by several implied promises. Id. ¶¶ 230-35. Other than noting that the elements of express and implied contract claims differ only in whether the contract is based on conduct or on a written contract (Motion at 23), Defendant devotes only one paragraph of argument-citing only a single case from the Central District of Illinois-to the implied contract claim. Motion at 24. The Reply similarly allocates only a single paragraph to the implied contract claim, addressing only one factual basis (Defendant's notice of privacy policies for only California employees) and not the rest of the claim. Reply at 19.

Defendant cites inter alia Gordon v. Chipotle Mex. Grill, Inc., 344 F.Supp.3d 1231, 1244-45 (D. Colo. 2018), on choice of law, but the recommendation that the order adopted (in relevant part) on that issue analyzed the question in detail with respect to the several states of the plaintiffs in that action. Gordon v. Chipotle Mex. Grill, Inc., No. 17-cv-1415-CMA-MLC, 2018 WL 3653173, at *10-18 (D. Colo. Aug. 1, 2018). Here, Plaintiffs do not directly address choice of law. They cite Colorado law for some issues, but not for others. Resp. at 11-20. It does not appear that Plaintiffs concede Colorado law necessarily governs as to all Plaintiffs.

Defendant likewise devotes just one paragraph each to the unjust enrichment and declaratory judgment claims. Id. at 24-25. Finally, the Motion purports to address the complex relationship between negligence and contract-the economic loss doctrine-in only a footnote. Id. at 22 n.6. In its Reply, Defendant points out that Plaintiffs do not address the economic loss doctrine, but generally speaking, arguments raised only in footnotes are not sufficiently developed to warrant consideration by the court. Estate of Jensen by Jensen v. Clyde, 989 F.3d 848, 852 n.1 (10th Cir. 2021) (“Arguments raised in a perfunctory manner, such as in a footnote, are waived.”); Gutierrez v. Cobos, 841 F.3d 895, 902 (10th Cir. 2016) (arguments not raised until reply brief are waived). And of course, while the oral argument in this case was lengthy, it was not an opportunity for either side to add substantive arguments.

Courts “routinely have declined to consider arguments that are not raised, or are inadequately presented, in an appellant's opening brief.” Bronson v. Swensen, 500 F.3d 1099, 1104 (10th Cir. 2007). The Tenth Circuit has found that devoting a single paragraph to an issue and citing only an out-of-circuit case without explanation is inadequate. See Am. Petroleum Inst. v. United States Dep't of Interior, 81 F.4th 1048, 1064 n.11 (10th Cir. 2023). On this basis alone, this court could recommend denying the Motion as to at least the implied contract and declaratory judgment claims, if not also the unjust enrichment claim. However, in the interest of completeness for this Recommendation, this court proceeds to consider the claims as follows.

1. Implied Contract

Plaintiffs adequately plead facts to support a plausible implied contract claim. “To prevail on a claim for breach of implied contract, a plaintiff must demonstrate (1) the existence of a contract; (2) the plaintiff's performance, or justification for the plaintiff's non-performance; (3) the defendant's failure to perform the contract; and (4) damages.” Kluth v. Spurlock, 693 F.Supp.3d 1133, 1173 (D. Colo. 2023), opinion withdrawn in part on recon., No. 21-cv-03417-NYW-SBP, 2024 WL 1858502 (D. Colo. Apr. 29, 2024).

For simplicity's sake and only for the purposes of this Recommendation, because Colorado arguably has the strongest connection and interest in the case because Defendant is headquartered here, and one of the Plaintiffs whose claims are addressed in this section (Mr. Clark) lives in the state, this court applies Colorado law. See, e.g., Gordon, 2018 WL 3653173, at *10-18.

Although Defendant argues that no implied contract exists, the allegations adequately allege that, in their employment relationship with DISH, the parties' conduct evinces an implied agreement for Plaintiffs to “entrust DISH with their highly sensitive Private Information,” in which they “understood that DISH would adequately safeguard” that information, including by several implied promises. Id. ¶¶ 230-35. As Plaintiffs note, the existence of an implied contract is generally a question of fact for a jury to decide. See, e.g., Tuttle v. ANR Freight Sys., Inc., 797 P.2d 825, 827 (Colo.App. 1990).

Defendant also takes issue with the allegations of breach, but its argument ignores that Plaintiffs allege they agreed to entrust their personal information to Defendant, and their intent and understanding that Defendant would adequately protect that information on its network. Plaintiffs allege Defendant did not do so, i.e., that it breached the implied agreement to protect Plaintiffs' information. And as to damages, the three Plaintiffs who have standing plausibly allege damages in time spent addressing the Data Breach and the misuse of their information that they allege occurred after and because of the Data Breach. Accordingly, this court RECOMMENDS that the Motion be denied as to the implied contract claim of the three Plaintiffs who have standing.

2. Express Contract

Plaintiffs have not plausibly alleged a claim for breach of express contract. As briefly noted above, Plaintiffs rely on Defendant's Privacy Policy as the express contract. But Defendant attaches a copy thereof to the Motion, the authenticity of which Plaintiffs do not deny. The court considers that document, as a document referenced in and central to the CAC, without converting the Motion to a motion for summary judgment. Gee v. Pacheco, 627 F.3d 1178, 1186 (10th Cir. 2010). And as also noted above, when such a document contradicts the allegations in the complaint, the document's terms control. GFF Corp., 130 F.3d at 1384-86 (finding that a document referenced in, but not attached to, complaint controlled over the plaintiff's allegations, without converting the motion to one for summary judgment); cf. Brokers' Choice of Am., Inc. v. NBC Universal, Inc., 861 F.3d 1081, 1105 (10th Cir. 2017) (“although we accept all well-pleaded allegations as true and draw all reasonable inferences in favor of the plaintiff, if there is a conflict between the allegations in the complaint and the content of the attached exhibit, the exhibit controls”). For the reasons Defendant notes in its Motion, the Privacy Policy does not apply to employees. See ECF No. 46-4 at 2 (the Privacy Policy applies to “you as a subscriber to or user of our Services”). This court respectfully RECOMMENDS granting the Motion to dismiss the breach of express contract claim.

3. Negligence

The elements of a negligence claim are “a legal duty of care on the defendant's part, breach of that duty, injury to the plaintiff, and causation, i.e., that the defendant's breach caused the plaintiff's injury.” Univ. of Denver v. Doe, 547 P.3d 1129, 1145 (Colo. 2024) (quoting HealthONE v. Rodriguez ex rel. Rodriguez, 50 P.3d 879, 888 (Colo. 2002)). “A negligence claim will fail if it is rooted in circumstances for which the law imposes no duty of care upon the defendant.” Id. (internal quotation mark omitted). Here, Defendant argues that Plaintiffs do not allege a duty, cognizable (i.e., “physical”) injury, or causation.

As to duty, Plaintiffs allege “DISH knowingly collected, came into possession of, and maintained Plaintiffs' and Class Members' Private Information, and had a duty to exercise reasonable care in safeguarding, securing, and protecting such information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.” CAC ¶ 184. Defendant argues there is no such duty under Colorado common law. Motion at 20-21. It cites Gordon v. Chipotle Mex. Grill, Inc., 2018 WL 3653173, at *16 (D. Colo. Aug. 1, 2018), report and recommendation adopted in part, 344 F.Supp.3d at 1244-45; and Bellwether Community Credit Union v. Chipotle Mex. Grill, Inc., 353 F.Supp.3d 1070, 1084 (D. Colo. 2018) (“there is no basis in Colorado statutory or common law for imposing a duty of care related to data security”).

But in the Chipotle cases, employees were not involved. Plaintiffs allege (CAC ¶ 194) and argue that as their current or former employer, Defendant is in a “special relationship” with them. Resp. at 18 (citing N.M. ex rel Lopez v. Trujillo, 397 P.3d 370, 374 (Colo. 2017)). As the Colorado Supreme Court held:

In nonfeasance [(passive inaction or failure to protect)] cases the existence of a duty has been recognized only during the last century in situations involving a limited group of special relationships between parties. Such relationships are predicated on a “definite relation” between the parties that is of such a character that social policy justifies the imposition of a duty to act. A duty to act might arise, for example, in a situation in which two parties are in a relationship of dependence or mutual dependence.
To date, we have recognized only the following types of special relationships: . . . employer/employee. * * * Applying the foregoing principles, we have generally declined to impose a duty of care in cases involving a defendant's nonfeasance, absent a special relationship between the parties.
Trujillo, 397 P.3d at 374 (internal quotation marks and citations omitted, citing inter alia Univ. of Denver v. Whitlock, 744 P.2d 54, 58 (Colo. 1987)).

Plaintiffs do not cite any Colorado cases that actually apply the special relationship doctrine in a matter involving an employer and employee. In this court's research, it has found only DerKevorkian v. Lionbridge Techs., Inc., 316 Fed.Appx. 727 (10th Cir. 2008), in which the Tenth Circuit noted that “[t]he parties do not cite to us, nor are we aware of, any Colorado case stating that an at-will employer-employee relationship should give rise to a confidential relationship indicative of a fiduciary duty [otherwise referred to as a special relationship] in anything close to the circumstances of this case.” Id. at 738. The court in that case therefore had to “consider whether Lionbridge's acceptance of DerKevorkian in the PRP [a Permanent Resident Program maintained by the defendant] created such a duty,” and only found a special relationship because the defendant undertook an additional duty in that program. Id. at 738-39. This leaves the state of the “special relationship” between employer and employee somewhat unclear on the current briefing.

This court does not fault Plaintiffs for not delving into more detail on this issue, given the large number of issues that Defendant attempts to cover in the Motion.

Plaintiffs further argue that this court should develop the law and find a duty to safeguard personal information, independent of the special relationship. Id. at 18-19 (citing HealthOne, 50 P.3d at 888). “A court's determination that the defendant did or did not owe a legal duty to the plaintiff is ‘an expression of the sum total of those considerations of policy which lead the law to say that the plaintiff is [or is not] entitled to protection.’” Univ. of Denver, 547 P.3d at 1146 (quoting Whitlock, 744 P.2d at 57). “This requires the exercise of a ‘prudential judgment’ based on the particular circumstances of the case.” Id. Plaintiffs cite several out-of-circuit cases as recognizing an employer's duty to protect its employees' PHI/PII and a common law duty to safeguard confidential personal information that is in a company's possession. Resp. at 19.

Thus, the question is if the “special relationship” of employer and employee does not impose a duty in tort for Defendant to safeguard employees' PHI and PII in its possession, would Colorado otherwise recognize such a tort duty? This court finds this question not ripe for resolution for two reasons.

First, Plaintiffs are also pursuing an implied contract claim, which this court recommends allowing to go forward. Despite Defendant having initially raised the economic loss doctrine in only a footnote, that doctrine is an important demarcation between contract and tort claims in Colorado law. See, e.g., BRW, Inc. v. Dufficy & Sons, Inc., 99 P.3d 66, 74 (Colo. 2004). And so, while Plaintiffs are pursuing both negligence and implied contract claims concerning the same subject, and no discovery has yet been done to provide a fuller factual context, this court finds it premature to decide whether Colorado's law of special relationship applies and imposes the duty that Plaintiffs assert it does, or whether Colorado otherwise recognizes such a tort duty. Second, this court respectfully finds this question is a matter of potentially wide application and importance to the state, and the present briefing is inadequate for this court even to determine that it can predict how the state's highest court would rule on the matter-known as an “Erie-guess.” Pehle v. Farm Bureau Life Ins. Co., 397 F.3d 897, 901-02 (10th Cir. 2005) (referring to Erie RR Co. v. Tompkins, 304 U.S. 64 (1938)).

Defendant also argues that Plaintiffs do not allege a cognizable injury required for a negligence claim because they do not allege physical injury to themselves or their property. But Plaintiffs point out that at least some of them (including Mr. Clark, who has standing) allege physical conditions from the fear and anxiety that they have experienced due to the Data Breach, CAC ¶ 75, and in their Response, they point to Colwell v. Mentzer Invs., Inc., 973 P.2d 631, 638 (Colo.App. 1998). In the Motion, Defendant cites a case from this court that post-dates Colwell and finds that “generalized symptoms such as headaches [and] insomnia . . . are insufficient.” Atesepoyi v. Tandy Corp., 51 F.Supp.2d 1120, 1127 (D. Colo. 1999) (emphasis added). But Atesepoyi recognizes that “a serious physical manifestation” would be a cognizable injury to support a negligence claim. Id. (emphasis added). Here, Mr. Clark alleges that he has had “chronic migraines and lack of sleep” due to anxiety from the Data Breach. CAC ¶ 75. Defendant does not point to any authorities finding chronic migraines are not a serious physical manifestation for purposes of the injury element of a negligence claim.

However, to the extent Plaintiffs argue that they meet the injury standards for a negligence claim because they have alleged Defendant acted willfully or wantonly (Resp. at 20 citing CAC ¶ 186), this court disagrees. The well-pleaded facts do not plausibly allege that level of intent.

In short, Defendant has not persuaded this court that the Plaintiffs who have standing have failed to plausibly plead a negligence claim, and this court accordingly RECOMMENDS that the Motion be denied as to that claim.

4. Negligence Per Se

Plaintiffs' negligence per se claim differs from the negligence claim only in asserting that statutes and regulations establish the standard of care, or at least provide evidence thereof:

Negligence per se occurs when a defendant violates a statute adopted for the public's safety and the violation proximately causes a plaintiff's injury. To prevail on a negligence per se claim, a plaintiff must also demonstrate that the statute was intended to protect against the type of injury she suffered and that she is a member of the group of persons the statute was intended to protect. If the statute applies to the defendant's actions, then the statute conclusively establishes the defendant's standard of care and violation of the statute is a breach of [its] duty.
Miller v. Crested Butte, LLC, 549 P.3d 228, 234 (Colo. 2024) (cleaned up, citing Scott v. Matlack, Inc., 39 P.3d 1160, 1166 (Colo. 2002)).

Here, Plaintiffs allege that Title II of the Health Insurance Portability and Accountability Act (“HIPAA”), 42 U.S.C. §§ 1301, et seq., and regulations promulgated thereunder in 45 C.F.R. § 164.402, as well as Section 5 of the Federal Trade Commission Act (the “FTC” Act) and the FTC's publications providing cyber-security guidelines to businesses, set the standard of care for Defendant's possession and protection of Plaintiffs' personal information. CAC ¶¶ 106-129. Defendant argues that none of those laws can establish a duty here because they do not create private rights of action.

Plaintiffs counter that Colorado recognizes a statute can “predicate a duty for purposes of negligence” despite not creating a private right of action. Resp. at 20-22 (citing inter alia Dolin v. Contemp. Fin. Sols., Inc., 622 F.Supp.2d 1077, 1085 (D. Colo. 2009); Prymak v. Contemp. Fin. Sols., Inc., No. 07-cv-00103-EWN-KLM, 2007 U.S. Dist. LEXIS 87734, *28 (D. Colo. Nov. 29, 2007)). They also cite cases from outside the Tenth Circuit finding that HIPAA can provide evidence of a standard of care-albeit the defendants in those cases appear to be healthcare providers-and another case finding the FTC Act could establish a duty. Resp. at 20-21 (citing Charlie v. Rehoboth McKinley Christian Health Care Servs., 598 F.Supp.3d 1145, 1159 (D.N.M. 2022)). Defendant replies that Plaintiffs “fail to cite a single case under Colorado law allowing negligence per se claims to be asserted based on a violation of either law.” Reply at 17-18. Defendant cites out-of-circuit cases finding either that HIPAA does not create a private right of action, or that the FTC Act and HIPAA cannot support a negligence per se claim. It also argues that Plaintiffs have not demonstrated that they are members of the group that the FTC Act was intended to protect, or that HIPAA is intended to protect their health information from being stolen.

Under Colorado law, a statute can provide evidence of a standard of care for a negligence per se claim, even if the plaintiff does not have a right of action thereunder. See, e.g., Dolin, 622 F.Supp.2d at 1085. In Dolin, the court noted “[t]here is a split in authority as to whether negligence per se claims survive where the relied-upon statutes bar private rights of action, but I ultimately find that Plaintiffs' negligence per se claims do survive dismissal even if they do not have private rights of action under the statutes.” Id. Dolin found persuasive that “[t]he Colorado Supreme Court has provided, ‘[a] statutory cause of action is independent of common-law principles and may, in fact, be inconsistent with those principles....In contrast to a statutory cause of action, the doctrine of negligence per se is part of the common law, created by the courts.’” Id. (quoting Largo Corp. v. Crespin, 727 P.2d 1098, 1107-08 (Colo. 1987), superseded by statute on other grounds as noted in Build It and They Will Drink, Inc. v. Strauch, 253 P.3d 302, 306 (Colo. 2011)). See also Largo, 727 P.2d at 1108 (noting inter alia that “[a] criminal statute may be relied upon to establish negligence per se even though the statute is silent on the issue of civil liability”); Prymak, 2007 U.S. Dist. LEXIS 87734, at *27-28 (“although a[n] individual has no private right of action under most criminal statutes, he may rely upon violation of such statutes to support a negligence per se action,” citing Largo and Bittle v. Brunetti, 750 P.2d 49, 55 (Colo. 1988)). “Similarly, violation of regulatory or safety statutes, such as licensing schemes and highway safety laws, although generally enforceable only by the government, may constitute negligence per se.” Id. at *28 (citing Schneider v. Midtown Motor Co., 854 P.2d 1322, 1326 (Colo.App. 1989); Hageman v. TSI, Inc., 786 P.2d 452, 454 (Colo.App. 1989)).
Accordingly, Plaintiffs can premise a negligence per se claim on a violation of statute or regulation, irrespective of whether it provides a private right of action.

Defendant also argues that the negligence per se claim must fail in any event because Plaintiffs are not among the groups that these statutes and regulations are intended to protect. But as to Section 5 of the FTC Act, this court agrees with Charlie, that at least at this phase of the case this statute can provide a standard of care or at least evidence thereof. 598 F.Supp.3d at 1159. Although Defendant argues that Plaintiffs have not shown they are among the groups that the FTC Act is intended to protect, as Charlie points out, the FTC Act prohibits in relevant part “unfair . . . acts or practices affecting commerce.” 15 U.S.C. § 45(a)(1). This statute is quite broad. It is much broader than the statutory purposes that SELCO Community Credit Union v. Noodles & Co., 267 F.Supp.3d 1288 (D. Colo. 2017), draws from cases in the enforcement context. Id. at 1297 n.4 (citing FTC v. Raladam Co., 283 U.S. 643, 647-48 (1931); FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 244 (1972)); Motion at 22 (citing SELCO for the proposition that “Colorado law does not permit plaintiffs who are neither competitors nor consumers to recover under a theory of negligence per se based on alleged violation of the FTCA”). To date, it appears that no other decision from this District follows SELCO on this issue. In short, the cases Defendant cites do not persuade this court that it would be appropriate to exclude Plaintiffs from the intended protections of Section 5 of the FTC Act (or regulations promulgated thereunder) on a Rule 12(b)(6) motion.

Defendant's argument as to HIPAA is likewise not persuasive. Plaintiffs point to regulations promulgated under HIPAA that specifically impose “HIPAA security standard rules.” CAC ¶ 120(c) (citing 45 C.F.R. § 164.306(a)(1)); Id. ¶ 120(j) (citing 45 C.F.R. § 164.306(a)(94)). Plaintiffs allege their PHI was stolen in the Data Breach, and that Defendant did not comply with HIPAA security standards. Because Defendant did not brief any other argument concerning HIPAA as not establishing or providing evidence of a standard of care for this claim, the court RECOMMENDS that the Motion be denied as to the negligence per se claim.

The court notes that what Defendant seems to be vaguely circling around, without having landed upon in its briefing or oral argument, is that Plaintiffs only assume Defendant is subject to HIPAA. CAC ¶¶ 106-120. HIPAA regulations, however, apply only to entities that are a “health plan,” “health care clearinghouse,” or a “health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter,” and “[w]here provided,” their “business associate[s].” 45 C.F.R. §§ 164.104(a), (b). See also 45 C.F.R. § 164.306(a) (“Covered entities and business associates must do the following,” identifying several data security responsibilities); Charlie, 598 F.Supp.3d at 1160 (noting that “[t]he complaint alleges that Defendant is subject to HIPAA”); Est. of Lillis v. Bd. of Cnty. Comm'rs of Arapahoe Cnty., No. 16-cv-03038-KLM, 2019 WL 3386471, at *3 (D. Colo. July 26, 2019) (concluding that a jail which provided healthcare to prisoners was a covered entity).

It is not plain to this court that, based on the CAC's allegations, Defendant actually is subject to the HIPAA regulations on which Plaintiffs rely to establish the standard of care for their negligence per se claim. As noted above, this is a necessary element of negligence per se. Miller, 549 P.3d at 234 (“If the statute applies to the defendant's actions” then it can be a basis for the standard of care). See also Lombard v. Colo. Outdoor Educ. Ctr., Inc., 187 P.3d 565, 573 (Colo. 2008) (holding that “[n]egligence rests upon the premise that a tortfeasor has a legally imposed duty or a standard of conduct to which he must adhere,” and the underlying principle of negligence per se is that the duty or standard is defined by a statute or ordinance).

Whether the HIPAA security standards apply to Defendant (such that those standards establish the standard of care for negligence per se) is an important question that has significant bearing on the scope of this case. Under these narrow circumstances, this court respectfully recommends that, despite not having raised the argument in its present Motion, Defendant should be permitted to raise this issue in a second motion (whether to dismiss any later-filed amended complaint, or a Rule 12(c) motion), if it believes the argument is warranted under the law and the applicable standard of review.

5. Unjust Enrichment

Defendant argues that Plaintiffs do not plausibly plead an unjust enrichment claim, which

[u]nder Colorado law, . . . require[s]: (1) The defendant received a benefit (2) at the plaintiffs['] expense (3) under circumstances that would make it unjust for the defendant to retain the benefit without commensurate compensation. Injustice in this context requires some type of improper, deceitful, or misleading conduct by the defendant.
Gordon, 2018 WL 3653173, at *23, report and recommendation adopted in relevant part, 344 F.Supp.3d at 1249 (cleaned up, citing City of Arvada ex rel. Arvada Police Dep't v. Denver Health & Hosp. Auth., 403 P.3d 609, 616 (Colo. 2017); DCB Constr. Co., Inc. v. Central City Dev. Co., 965 P.2d 115, 119 (Colo. 1998)).

Defendant argues that Plaintiffs have not plausibly alleged that their actions benefitted Defendant in any way relevant to the Data Breach. Plaintiffs respond to the contrary: Defendant needed their personal information to employ them, as a regulation under the FLSA (Fair Labor Standards Act), 29 C.F.R. Part 516, required it to obtain this information, and Defendant needs employees to conduct its business operations. Resp. at 25-26. Plaintiffs further respond that several out-of-state cases have found allegations that an employer's cost-cutting on network security was a benefit conferred by the employees' employment and were therefore sufficient to plead an unjust enrichment claim. Id. And Plaintiffs point to cases from other jurisdictions holding that personal information has monetary or material value in itself. Defendant disputes these arguments, noting that other courts have “routinely rejected the proposition that an individual's personal identifying information has an independent monetary value.” Reply at 20 (quoting In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 592 (N.D. Ill. 2022)).

This court is persuaded that, much as Gordon found with respect to customers whose payment information was stolen (Gordon, 344 F.Supp.3d at 1249), Plaintiffs do not plausibly allege that providing their personal information to Defendant conferred a benefit on Defendant that would be unjust to retain. Certainly, the work that Plaintiffs have done for Defendant is a benefit and has value, but that is not what is at issue here. They do not allege that Defendant failed to pay them their salaries or wages. Nor do they allege that Defendant gained a benefit by, for instance, selling their PII and PHI to third persons without Plaintiffs' authorization. To the contrary, Plaintiffs acknowledge throughout the CAC that the Data Breach was a ransomware attack.

Plaintiffs allege that ransom demands are the purpose of such attacks. See, e.g., CAC ¶ 132.

At bottom, the basis for Plaintiffs' unjust enrichment claim is that Defendant reaped the full value of their work and cut costs in network security. But Plaintiffs did not confer the cost savings as a benefit; rather, Defendant conferred that benefit upon itself. Although Plaintiffs contend that they would not have worked for Defendant had they known it would use lax network security, Gordon found that a similar allegation (with respect to customers' purchases) was insufficient to plausibly allege unjust enrichment. 344 F.Supp.3d at 1249. This court finds the analysis in Gordon persuasive here as well, particularly as to the current employee Plaintiffs, who apparently continue to work for Defendant despite knowing that it allegedly employs inadequate network security. Accordingly, this court respectfully RECOMMENDS granting the Motion to dismiss the unjust enrichment claim.

6. Declaratory Relief

As noted above, Defendant's argument concerning Plaintiffs' claim for declaratory relief (and prospective injunctive relief) is largely perfunctory. Defendant argues that the claim is duplicative of the negligence and contract claims, will not settle the controversy between the parties, will not clarify the legal relations at issue, and to the extent the claim focuses on injunctive relief, it is not a separate cause of action. Motion at 25 (citing State Farm Fire & Cas. Co. v. Mhoon, 31 F.3d 979, 983 (10th Cir. 1994), and Bellwether, 353 F.Supp.3d at 1088). Defendant also repeats its argument that Plaintiffs do not allege sufficiently concrete risks of future harm to support this claim.

Plaintiffs respond that several courts have found that claims for declaratory and injunctive relief are plausible when there is a threat of further injury and harm. Resp. at 26 (citing cases from other federal district courts). Plaintiffs also note that, in Bellwether, United States District Judge William J. Martinez of this court declined to dismiss a declaratory judgment claim and found that it was sufficiently pled pursuant to the Declaratory Relief Act, 28 U.S.C. § 2201. See 353 F.Supp.3d at 1088.

Here, as to Plaintiffs' claims seeking injunctive relief, the court has identified above which substantive claims should survive, for which Plaintiffs can seek both damages and injunctive relief. Plaintiffs' allegations plausibly establish both that they are subject to a future risk of identity theft, and that Defendant has not yet implemented adequate security to protect Plaintiffs' information which remains on Defendants' network. There is no reason to dismiss the injunctive relief portion of Count Six.

And as for the claim for declaratory relief, this court similarly finds that Plaintiffs have stated a plausible claim for relief:

The Declaratory Judgment Act . . . allows a party in an actual case or controversy to ask the court to declare the rights or other legal relations of any interested party seeking such a declaration. The purpose of the Declaratory Judgment Act is to settle actual controversies before they ripen into violations of law or a breach of duty. The Declaratory Judgment Act allows parties who are uncertain of their legal rights to seek a declaration of rights from a federal court prior to injury.
Bellwether, 353 F.Supp.3d at 1088 (cleaned up, citing United States v. Fisher-Otis Co., 496 F.2d 1146, 1151 (10th Cir. 1974); Kunkel v. Cont'l Cas. Co., 866 F.2d 1269, 1274 (10th Cir. 1989); MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 138 (2007)).

Here, Plaintiffs' claim for declaratory relief is plausibly supported by the well-pleaded facts demonstrating that Defendant still has their personal information in its possession and has not upgraded its network security practices to adequately protect that information. This court has concluded that three of the named Plaintiffs have alleged sufficient present and future harms to have standing. The declaratory relief claim may turn out to be duplicative of Plaintiffs' other claims, but at this point, the court sees no reason to dismiss it. Because the claim for declaratory relief is adequately pleaded, this court respectfully RECOMMENDS that the Motion be denied with respect to that claim.

IV. Conclusion

For each of the reasons stated above, this court respectfully RECOMMENDS that the Motion (ECF No. 46) to dismiss should be granted in part and denied in part consistent with the foregoing. Specifically:

The Motion should be granted as to the claims of Plaintiffs Dougherty, Abraham, Cruse, Jenkins, Turley, Cook, Bane, and Looney, which should be dismissed without prejudice for lack of standing. This court further RECOMMENDS that these Plaintiffs be given leave to promptly amend their complaint if they can allege facts to address their lack of standing;

The Motion to dismiss for lack of standing should be denied as to Plaintiffs Mr. Clark, Ms. Vest, and Mr. Cardenas. As to these Plaintiffs, the Motion to dismiss for failure to state a claim should be denied as to the claims for negligence, negligence per se, implied contract, and declaratory relief, and granted as to the express contract and unjust enrichment claims. This court further RECOMMENDS that Plaintiffs should be given leave to promptly amend the dismissed claims if they can remedy the flaws noted above.

Finally, this court further RECOMMENDS that with respect to Plaintiffs' negligence per se claim, Defendant should be permitted to raise in a further Rule 12(b)(6) or Rule 12(c) motion the issue of whether HIPAA applies to Defendant.

Rule 72 of the Federal Rules of Civil Procedure provides that within fourteen (14) days after service of a Magistrate Judge's order or recommendation, any party may serve and file written objections with the Clerk of the United States District Court for the District of Colorado. 28 U.S.C. §§ 636(b)(1)(A), (B); Fed.R.Civ.P. 72(a), (b). Failure to make any such objection will result in a waiver of the right to appeal the Magistrate Judge's order or recommendation. See Sinclair Wyo. Ref. Co. v. A & B Builders, Ltd., 989 F.3d 747, 782 (10th Cir. 2021) (firm waiver rule applies to non-dispositive orders); but see Morales-Fernandez v. INS, 418 F.3d 1116, 1119, 1122 (10th Cir. 2005) (firm waiver rule does not apply when the interests of justice require review, including when a “pro se litigant has not been informed of the time period for objecting and the consequences of failing to object”).

