Opinion
Civil Action 22-6760 (SDW) (SDA)
07-23-2024
OPINION
SUSAN D. WIGENTON, U.S.D.J.
Before this Court is Defendant Freestyle Software, Inc.'s (“Defendant” or “Freestyle”) Motion to Dismiss (D.E. 49 (“Motion”)) Plaintiff Penn, LLC, d/b/a PulseTV.com's (“Plaintiff”) Amended Complaint (D.E. 47 (“Amended Complaint”)) for failure to state a claim upon which relief can be granted pursuant to Federal Rule of Civil Procedure (“Rule”) 12(b)(6). Jurisdiction is proper pursuant to 28 U.S.C. §§ 1332 and 1367. Venue is proper pursuant to 28 U.S.C. § 1391(b). This opinion is issued without oral argument pursuant to Rule 78. For the reasons stated herein, Defendant's Motion is GRANTED IN PART AND DENIED IN PART.
I. FACTUAL BACKGROUND
This case arises from a data breach. Plaintiff, an online retailer, sells products to its customers through its website, PulseTV.com. (D.E. 47 ¶¶ 1, 11.) Defendant provides e-commerce software and hosting services for hundreds of online stores, including Plaintiff's website. (Id. ¶ 20.) Since in or around March of 2001, Defendant has provided Plaintiff with its SiteLINK system, an internet shopping cart technology that, among other things, provides its users with payment-processing services related to bank-card and credit-card transactions. (Id. ¶ 28.)
In or about 2005, Defendant notified Plaintiff that, if it wanted to keep using SiteLINK, Plaintiff would need to move PulseTV.com entirely onto Defendant's web servers. (Id. ¶ 29.) Defendant represented that that transition was necessary for its compliance with the Payment Card Industry Data Security Standard (“PCI Standards”). Plaintiff allegedly relied upon that representation when it agreed to move its website entirely onto Defendant's servers. (Id. ¶ 29.) In the years that followed, Defendant repeatedly reassured Plaintiff-via email, website posts, webinars, and a case study-that SiteLINK was compliant with the PCI Standards. (Id. ¶¶ 41-51.) Those affirmations, Plaintiff insists, convinced it to enter into several more iterations of the services agreements. (Id. ¶¶ 30-31.)
According to the Amended Complaint, “[t]he PCI [Standards] are technical and operational requirements that apply to all organizations that store, process, or transmit cardholder data-with guidance for software developers and manufacturers of applications and devices used in those transactions.” (Id. ¶ 19.) These requirements are created and imposed by “credit card industry leaders.” (Id.)
Plaintiff contends that Defendant failed to abide by those promises, however. Specifically, Plaintiff avers that, in August or September 2020, hackers installed RAM scraper malicious software (i.e., malware) on the SiteLINK system. (Id. ¶ 2.) The malware, which “target[ed] credit card information temporarily stored in computer memory before the credit card information [wa]s encrypted,” went undetected until February 2022, at which time a PCI forensic investigator hired by Plaintiff uncovered it along with the apparent flaws in Defendant's software security system. (Id. ¶¶ 4, 52-59.)
Defendant contends that the day after the breach was discovered, it identified and removed the malware. (D.E. 49-1 at 9-10.) By then, Plaintiff asserts, the damage was already done; the data breach compromised the payment card information-including cardholder name and address, primary account number, expiration date, and security code (collectively, “Payment Card Data”)-of over 236,000 of Plaintiff's customers, and after Plaintiff disclosed the data breach to its customers, it experienced losses in excess of $30 million. (Id. ¶¶ 83-84.) More specifically, the Amended Complaint alleges that the data breach caused: Payment Card Data belonging to Plaintiff's customers to be dispersed on the dark web, making it available for sale to bad actors with nefarious and illegal purposes, (id. ¶ 58); a near 50 percent decrease in Plaintiff's forecasted revenue and gross sales volumes, (id. ¶¶ 10, 61); a loss of customers from Plaintiff's email distribution lists, (id. ¶¶ 12, 62, 69-74); and losses of approximately $902 per week in advertising revenue, which equates to $117,360.88 over the next five years, (id. ¶ 74). Plaintiff maintains that these losses would have been prevented if Defendant had in place adequate measures to safeguard the Payment Card Data. (Id. ¶¶ 88-90.)
Plaintiff's primary business is email-subscription driven and relies on its ability to maintain long-term relationships with repeat customers. (Id. ¶ 70.) According to the Amended Complaint, 95 percent of Plaintiff's e-commerce sales are generated by sending emails to people on its distribution list, and each time Plaintiff sent a notification to its customers regarding the data breach, “it experienced a near immediate loss in email subscriptions and further decreases in sales.” (Id. ¶¶ 62, 70.) Plaintiff estimates that approximately 55,439 typical buyers, each with an average lifetime value of approximately $165, have unsubscribed from the distribution list as a result of the data breach, and that approximately 11,055 VIP buyers, each with an average lifetime value of $370.19, have unsubscribed from the distribution list. (Id. ¶¶ 71-72.)
II. PROCEDURAL HISTORY
On November 23, 2022, Plaintiff filed with this Court a 12-count complaint against Defendant. (D.E. 1 (“Complaint”).) On February 21, 2023, Defendant filed a motion to dismiss the Complaint, which this Court granted in part and denied in part on September 15, 2023. (D.E. 38, 39.) Plaintiff filed the Amended Complaint on November 14, 2023, alleging against Defendant the following four claims: negligence/gross negligence (Count I); breach of contract (Count II); breach of the implied covenant of good faith and fair dealing (Count III); and negligent misrepresentation (Count IV). (See generally D.E. 47.) On December 12, 2023, Defendant moved to dismiss the Amended Complaint, and the parties completed briefing. (D.E. 49, 53, 56.)
III. LEGAL STANDARD
To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief,” Fed.R.Civ.P. 8(a)(2), in order to “give the defendant fair notice of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (internal quotation marks omitted). The factual allegations, accepted as true, must be sufficient to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Determining whether the allegations in a complaint constitute a “plausible” claim is a “context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Id. at 679.
In considering a motion to dismiss pursuant to Rule 12(b)(6), a district court must conduct a three-step analysis. First, it must “tak[e] note of the elements a plaintiff must plead to state a claim.” Oakwood Lab'ys LLC v. Thanoo, 999 F.3d 892, 904 (3d Cir. 2021) (alteration in original) (quoting Santiago v. Warminster Twp., 629 F.3d 121, 130 (3d Cir. 2010)). Second, the court “disregard[s] threadbare recitals of the elements of a cause of action, legal conclusions, and conclusory statements.” Id. (quoting James v. City of Wilkes-Barre, 700 F.3d 675, 681 (3d Cir. 2012)); see also Twombly, 550 U.S. at 555 (“[C]ourts ‘are not bound to accept as true a legal conclusion couched as a factual allegation.'”). Third, the court assumes the veracity of all well-pleaded factual allegations, “constru[es] them in the light most favorable to the plaintiff, and draw[s] all reasonable inferences in the plaintiff's favor.” Lutz v. Portfolio Recovery Assocs., LLC, 49 F.4th 323, 328 (3d Cir. 2022) (citations omitted). “If, after completing this process, the complaint alleges ‘enough fact[s] to raise a reasonable expectation that discovery will reveal evidence of' the necessary elements of a claim, then it plausibly pleads a claim.” Id. (alteration in original) (quoting Twombly, 550 U.S. at 556). If, however, the “well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct,” the complaint should be dismissed for failing to “show[] that the pleader is entitled to relief” as required by Rule 8(a)(2). Id.
IV. DISCUSSION
Although Plaintiff's contract-based claims may proceed, it has once again failed to state a claim sounding in negligence. This Court elaborates further below.
A. Count II: Breach of Contract
To state a claim for breach of contract under New Jersey law, a plaintiff must allege that “the parties entered into a valid contract, that the defendant failed to perform his obligations under the contract[,] and that the plaintiff sustained damages as a result.” Fed Cetera, LLC v. Nat'l Credit Servs., Inc., 938 F.3d 466, 469 (3d Cir. 2019) (quoting Murphy v. Implicito, 920 A.2d 678, 689 (N.J.Super.Ct.App.Div. 2007)); Globe Mot. Co. v. Igdalev, 139 A.3d 57, 64 (N.J. 2016).
As discussed in this Court's previous Opinion, the operative agreement between the parties (D.E. 47-6 (the “Agreement”)) contains a confidentiality provision. Here, the Amended Complaint, once again, sufficiently asserts that Defendant breached it. According to the Amended Complaint, Defendant was required to safeguard “the data provided by [Plaintiff] . . . by using the same degree of protection that such party uses to protect similar proprietary confidential information, but in no event less than reasonable care,” (id.; D.E. 47 ¶ 99); the Payment Card Data of Plaintiff's customers was seemingly provided to Defendant via Plaintiff's e-commerce shopping cart, (D.E. 47 ¶¶ 1-2); and by failing to either comply with the PCI standards or employ reasonable measures to safeguard the Payment Card Data, Defendant breached the confidentiality provision and caused damages to Plaintiff, (id. ¶¶ 49-50, 60-78).
The confidentiality provision states:
You acknowledge that the Software, Service, the terms of this Agreement, and any other proprietary or confidential information provided to You by Us (“Our Confidential Information”) constitutes valuable proprietary information and trade secrets of Ours and/or Our licensors. We acknowledge that the data provided by You or Your Users (“Your Confidential Information”) constitutes valuable proprietary information and trade secrets of Yours or Your Users. Each party agrees to preserve the confidential nature of the other party's Confidential Information in confidence, solely for its use in furtherance of this Agreement, and by using the same degree of protection that such party uses to protect similar proprietary and confidential information, but in no event less than reasonable care. . . . Each receiving party agrees to promptly report any breaches of this section to the disclosing party. (Id. at 15.)
Defendant presses several arguments that, it contends, justify dismissal of Count II. They are unpersuasive.
First, Defendant spills much ink arguing that the confidentiality provision does not extend to Plaintiff's customers' Payment Card Data. “Your Users,” Defendant argues, includes only “person(s) assigned a unique user identification that can utilize [Defendant's] Software under th[e] Agreement,” and Plaintiff, Defendant continues, had only one such user identification. (D.E. 49-1 at 16.) It is premature for this Court to reach that conclusion. As an initial matter, unique user identification is not a defined term in the Agreement, and to define that term-and thereafter discern who constitutes a User-would require analysis of information beyond the scope of the Amended Complaint and the documents integral thereto. Moreover, without the benefit of discovery, it is unclear to this Court whether it need even determine the scope of “Your Users.” To the extent Plaintiff is able to show through discovery that it provided the customers' Payment Card Data-perhaps because the data passed from its customers through its website-then the discussion of “Your Users” is of little import.
Defendant claims that Exhibit D conclusively demonstrates that Plaintiff was assigned one unique user identification and password. (See D.E. 47-4 at 8.) Not so. Exhibit D indicates that Plaintiff had an “Admin User Name” and an “Admin Password” for the “SiteLINK Store Setup.” (Id.) Without more, this Court cannot infer whether “Admin User Name” is the same as “unique user identification,” let alone whether it is the only unique user identification that could utilize Defendant's software under the Agreement.
At this stage, this Court must rely on the unambiguous confidentiality provision and the well-pleaded factual allegations. By its terms, that provision covers “the data provided by [Plaintiff] or [Plaintiff's] Users,” (D.E. 47-6 at 15), and the Amended Complaint and the inferences that can be drawn therefrom indicate that the Payment Card Data was provided through the shopping cart on Plaintiff's website. As such, Plaintiff adequately alleges that the confidentiality provision applied to the Payment Card Data.
Defendant attempts to inject ambiguity by arguing that “User” cannot include an “end user” because the Agreement specifically states that “[n]o end user or other person or entity not a party to this Agreement shall be considered a third party beneficiary of this Agreement.” (D.E. 49-1 at 16-17.) This provision only evinces an intent to prevent third parties from receiving “a right to performance” under the contract. Broadway Maint. Corp. v. Rutgers, State Univ., 447 A.2d 906 (N.J. 1982) (citing Restatement (Second) of Contracts § 302 (1979)). In other words, the provision renders third parties as “incidental beneficiar[ies], [who] hav[e] no contractual standing.” Id. This inquiry is distinct from whether Plaintiff, a party to the contract, has a right to sue Defendant for failing to meet its obligations under the contract.
Second, Defendant insists that the confidentiality provision cannot cover Plaintiff's customers' data because such a reading “would arrogate [Payment Card Data] to the legal status of a trade secret.” (D.E. 49-1 at 17.) These concerns are misplaced. For one thing, the parties' agreed-upon definition of proprietary or confidential information is irrelevant for purposes of determining what constitutes a trade secret. See Thanoo, 999 F.3d at 905 (explaining what a plaintiff must allege to plausibly support a finding that information constitutes a trade secret); see also Capricorn Mgmt. Sys., Inc. v. Gov't Emps. Ins. Co., No. 15-2926, 2019 WL 5694256, at *17 (E.D.N.Y. July 22, 2019) (“[A] trade secret is defined by law . . . not by contract.” (citations omitted)). In any event, a defendant may breach a contract for disclosing confidential information even when disclosing that information does not constitute misappropriation of a trade secret. Thanoo, 999 F.3d at 904 n.10 (“Breach of contract . . . claims can survive even if a trade secret misappropriation claim does not, as long as the scope of the contractually-identified information is broader than the statutorily-defined trade secret information.” (citing Bro-Tech Corp. v. Thermax, Inc., 651 F.Supp.2d 378, 418 (E.D. Pa. 2009))).
Third, Defendant again asserts that certain provisions in the Agreement limit or completely bar the damages that Plaintiff seeks to recover. (D.E. 49-1 at 19-21.) This Court previously held that that argument was premature, however, and Defendant has presented no new arguments that persuade this Court to deviate from its prior analysis.
As this Court noted in its earlier Opinion, to determine whether terms of a contract are unconscionable and, thus, unenforceable, New Jersey courts consider several factors:
[W]e look not only to its adhesive nature, but also to the subject matter of the contract, the parties' relative bargaining positions, the degree of economic compulsion motivating the adhering party, and the public interests affected by the contract. Where the provision limits a party's liability, we pay particular attention to any inequality in the bargaining power and status of the parties, as well as the substance of the contract. The first leading principle is that contractual exemption from liability for negligence is rarely allowed to stand where the contracting parties are not on roughly equal bargaining terms. The farther apart the contracting parties are in their relative strength the greater is the probability that the exculpatory clause will be held invalid. (D.E. 38 at 10 (quoting Lucier v. Williams, 841 A.2d 907, 911 (N.J.Super.Ct.App.Div. 2004)).)
The “classic contract of adhesion” is one that “was presented to [the plaintiff] on a standardized pre-printed form, prepared by [the defendant], on a take-it-or-leave-it basis, without any opportunity for him to negotiate or modify any of its terms.” Lucier, 841 A.2d at 912.
Here, the Amended Complaint contains factual allegations sufficient to suggest that Defendant-which at the time was hosting PulseTV.com entirely on its web servers-presented to Plaintiff the revised standardized terms along with invoices. These facts suggest that there was an imbalance in bargaining power, an increased reliance on Defendant, and little opportunity to negotiate or modify the terms. Accordingly, at this nascent stage of the litigation, Plaintiff adequately alleges that the limitation on liability provision was unconscionable.
Defendant insists that this Court should reach a different conclusion by consulting the parties' 2012 services agreement, which is appended to the Amended Complaint as Exhibit D. (D.E. 56 at 9-10.) Defendant places far too much weight on that document. Although it apparently shows that Plaintiff's co-founder negotiated the 2012 services agreement, that agreement is inoperative-its terms indicate that it expired in January of 2015. (D.E. 47-4 at 8.) Even if this Court did consider that document, it could not draw from it the inferences and conclusions that Defendant suggests. It is axiomatic that this Court must construe the facts “in the light most favorable to the plaintiff, and draw[] all reasonable inferences in the plaintiff's favor.” Lutz, 49 F.4th at 328 (citations omitted). At a later stage when the factual record is more fully developed, this Court may be able to discern the parties' relative bargaining positions and the degree of economic compulsion motivating the adhering party. That is precisely what the court held in Mark Hones v. Sturm, Ruger & Company, Inc., No. 22-1233, 2024 WL 1307148, at *5 (D. Conn. Mar. 27, 2024), the case that Defendant specifically highlighted for this Court in its Notice of Supplemental Authority filed April 3, 2024. (D.E. 59 at 9-10.)
B. Breach of the Implied Covenant of Good Faith and Fair Dealing (Count III)
To the extent that the confidentiality provision does not apply to the Payment Card Data, Plaintiff has adequately stated, in the alternative, a claim for breach of the implied covenant of good faith and fair dealing.
“[E]very contract in New Jersey contains an implied covenant of good faith and fair dealing,” under which “neither party shall do anything [that] will have the effect of destroying or injuring the right of the party to receive the fruits of the contract[.]” Kalogeras v. 239 Broad Ave., LLC, 997 A.2d 943, 953 (N.J. 2010) (second alteration in original) (citations and quotation marks omitted). Although there are “myriad forms of conduct that may constitute a violation of the covenant of good faith and fair dealing,” Brunswick Hills Racquet Club, Inc. v. Route 18 Shopping Ctr. Assocs., 864 A.2d 387, 396 (N.J. 2005), courts in New Jersey generally recognize a breach of the implied covenant of good faith and fair dealing in three circumstances: “(1) when the contract does not provide a term necessary to fulfill the parties' expectations; (2) when bad faith served as a pretext for the exercise of a contractual right to terminate; and (3) when the contract expressly provides a party with discretion regarding its performance,” Seidenberg v. Summit Bank, 791 A.2d 1068, 1078 (N.J.Super.Ct.App.Div. 2002) (internal citations omitted). The first situation applies here, and thus, this Court must determine whether a necessary term is missing.
A “necessary term” need not be one that is essential to the formation of a contract, such as price, Baer v. Chase, 392 F.3d 609, 619 (3d Cir. 2004); rather, it is one that “‘the parties must have intended . . . because [it is] necessary to give business efficacy' to the contract,” Seidenberg v. Summit Bank, 791 A.2d 1068, 1076-77 (N.J.Super.Ct.App.Div. 2002). In other words, it “may fill in the gaps.” Fields v. Thompson Printing Co., Inc., 363 F.3d 259, 271-72 (3d Cir. 2004). “Central to th[e] inquiry of ascertaining what, if any, terms are implied is the intent of the parties. Intent may be determined by examination of the contract and in particular the setting in which it was executed.” Onderdonk v. Presbyterian Homes of N.J., 425 A.2d 1057, 1063 (N.J. 1981). Although “[e]ach case is fact-sensitive,” courts must be careful not to construe too broadly the implied covenant or “to impose a set of morals on the marketplace,” thereby “‘introduc[ing] uncertainty into a carefully structured contractual relationship' by balancing equities.” Brunswick Hills Racquet Club, 864 A.2d at 396, 399 (citations omitted).
Here, the Amended Complaint alleges that: Defendant insisted that it was necessary for PCI compliance that Plaintiff move its e-commerce store onto Defendant's web servers; Defendant represented to Plaintiff throughout their yearslong business relationship that SiteLINK was PCI compliant and would “protect [Plaintiff's] customer's data and [Plaintiff's] brand”; in a 2013 case study, Defendant touted the SiteLINK service provided to Plaintiff as PCI compliant; Defendant sent Plaintiff's owner, Anisa Ali, several emails in which it stated that its services were PCI compliant; and Plaintiff relied on these representations when it entered into several iterations of the Agreement with Defendant. Such allegations indicate that the parties' Agreement was missing a necessary term-i.e., a term imposing on Defendant an obligation to take appropriate measures to safeguard Plaintiff's consumers' Payment Card Data. Defendant's Motion will accordingly be denied as to Count III.
In reaching this conclusion, this Court does not seek to rewrite the express terms of the contract nor to impose upon this contractual relationship between two commercial entities a set of morals. It does, however, hold that, in the absence of an express provision regarding the protection of Plaintiff's customers' Payment Card Data, it was reasonable for Plaintiff to assume that Defendant's conduct and representations evinced an intent to act in good faith so as to prevent any unreasonable risk of disclosing such data.
C. Negligence-Based Claims: Negligence/Gross Negligence (Count I) and Negligent Misrepresentation (Count IV)
Because Plaintiff still fails to allege that it was owed a duty independent from the Agreement, its negligence-based claims must be dismissed.
As this Court previously explained, Plaintiff's negligence-based claims all require it to allege, among other elements, that Defendant owed it a duty of reasonable care. To determine whether a defendant owes a duty of reasonable care to a plaintiff, a district court “must first consider the foreseeability of harm to a potential plaintiff and then analyze whether accepted fairness and policy considerations support the imposition of a duty.” Holm v. Purdy, 285 A.3d 857, 867 (N.J. 2022) (quoting Coleman v. Martinez, 254 A.3d 632, 642 (N.J. 2021)). Courts may weigh “the (1) relationship of the parties, (2) nature of the risk, (3) opportunity and ability to exercise care, and (4) public interest.” Id. (quoting Martinez, 254 A.3d at 645). Claims based in negligence, however, generally “do[] not arise from a contractual relationship unless the breaching party owes an independent duty imposed by law.” Saltiel v. GSI Consultants, Inc., 788 A.2d 268, 280 (N.J. 2002) (citations omitted). The independent duty must be “owed to the plaintiff.” Id.
Plaintiff has failed to establish that it was owed any such duty here. First, the PCI standards do not establish a duty independent of the contract; federal courts have routinely rejected that premise when there exists an operative written agreement. See, e.g., First Tech. Cap., Inc. v. BancTec, Inc., No. 16-138, 2017 WL 4296339, at *13 (E.D. Ky. Sept. 26, 2017); Willingham v. Glob. Payments, Inc., No. 12-1157, 2013 WL 440702, at *19 (N.D.Ga. Feb. 5, 2013). Second, although violations of a statute or regulation may constitute evidence of negligence, “statutory or regulatory violations cannot give rise to a negligence claim when there is no independent duty of care between the parties.” MacKenzie v. Flagstar Bank, 738 F.3d 486, 495-96 (1st Cir. 2013) (collecting cases); see also Talley v. Danek Med., Inc., 179 F.3d 154, 158 (4th Cir. 1999) (“[T]he negligence per se doctrine does not create new causes of action. Rather, it recognizes a legislatively created standard of care ‘to be exercised where there is an underlying common-law duty.'” (citation omitted)); Gallara v. Koskovich, 836 A.2d 840, 847 (N.J.Super.Ct.App.Div. 2003). Third, to the extent Plaintiff bases its claim on a duty to exercise reasonable care in handling personal identifying information, this Court has previously held that that duty was owed to Plaintiff's customers-not Plaintiff. In other words, Plaintiff's customers are the real parties in interest, and Plaintiff does not “have standing ‘to assert the rights of a third party.'” Zelnick v. Morristown-Beard Sch., 137 A.3d 560, 568 (N.J.Super.Ct.App.Div. 2015) (quoting Abbott v. Burke, 20 A.3d 1018, 1042 (N.J. 2011)).
In sum, Plaintiff's inability to identify any duty owed to it independent of those due under the Agreement dooms its negligence-based tort claims. Consequently, Counts I and IV are dismissed.
V. CONCLUSION
For the reasons set forth above, Defendant's Motion is GRANTED IN PART AND DENIED IN PART. If Plaintiff wishes to amend its claims to cure the defects identified herein, it shall have one final opportunity to do so. In the meantime, the parties shall proceed to discovery regarding the contract-based claims. An appropriate order follows.