Opinion
Civil No. 22-973 (JRT/ECW)
2023-01-12
Bryan L. Bleichner, Christopher P. Renz, Philip Joseph Krzeski, CHESTNUT CAMBRONNE PA, 100 Washington Avenue South, Suite 1700, Minneapolis, MN 55401, Gary M. Klinger, MILBERG COLEMAN BRYSON PHILLIPS GROSSMAN PLLC, 227 West Monroe Street, Suite 2100, Chicago, IL 60606, for Plaintiff. Jessica J. Nelson, Luke J. Wolf, Thomas W. Hayde, SPENCER FANE LLP, 100 South Fifth Street, Suite 2500, Minneapolis, MN 55402, for Defendant.
Bryan L. Bleichner, Christopher P. Renz, Philip Joseph Krzeski, CHESTNUT CAMBRONNE PA, 100 Washington Avenue South, Suite 1700, Minneapolis, MN 55401, Gary M. Klinger, MILBERG COLEMAN BRYSON PHILLIPS GROSSMAN PLLC, 227 West Monroe Street, Suite 2100, Chicago, IL 60606, for Plaintiff. Jessica J. Nelson, Luke J. Wolf, Thomas W. Hayde, SPENCER FANE LLP, 100 South Fifth Street, Suite 2500, Minneapolis, MN 55402, for Defendant.
MEMORANDUM OPINION AND ORDER DENYING DEFENDANT'S MOTION TO DISMISS
JOHN R. TUNHEIM, United States District Judge
Plaintiff Billy Perry brings this action against Defendant Bay & Bay Transportation Services, Inc., alleging negligence, negligence per se, and breach of implied contract. Perry's claims stem from a ransomware attack in November 2021 on Bay & Bay's network that resulted in unauthorized access to their computer systems and customer and employee data. Perry brings claims individually and on behalf of a putative nationwide class of all employees and consumers affected by the data breach that resulted in the theft of their personal information, seeking damages, costs and attorney fees, and injunctive relief to require Bay & Bay to implement certain data security measures. Bay & Bay now moves to dismiss the action.
The Court will deny Bay & Bay's motion to dismiss in all respects. Perry has Article III standing because his claims are plausible and establish an actual and concrete injury and threat of future harm that is fairly traceable to Bay & Bay's conduct, and the company's pre-litigation offer does not deprive him of standing. Further, Perry has alleged sufficient facts at this stage to support the negligence elements of damages or causation, and that Bay & Bay entered into an implied contract.
BACKGROUND
For the purposes of this motion to dismiss, the Court takes Perry's factual allegations as true. See Cormack v. Settle-Beshears, 474 F.3d 528, 531 (8th Cir. 2007).
Defendant Bay & Bay is a nationwide trucking and logistics company that delivers supply chain solutions to businesses. (Compl. ¶ 19, April 15, 2022, Docket No. 1.) Plaintiff Billy Perry, an individual citizen of the State of Minnesota, applied for employment with Bay & Bay and as a condition of employment, provided Bay & Bay with private information. (Id. ¶¶ 17, 28.) Perry alleges that Bay & Bay required customers and/or employees (prospective, current, and former) to provide sensitive personal and private information such as: full name, residential address, social security number, date of birth, driver's license, and direct deposit information ("Private Information" or "PI"). (Id. ¶ 21.) Through the course of its business, Bay & Bay acquired and stored Perry and Class Members' Private Information and promised to provide confidentiality and adequate security through their applicable privacy policy and through other disclosures. (Id. ¶¶ 22-25.)
Bay & Bay disputes that Perry provided his direct deposit information because he was never actually offered employment with the company.
According to Perry, Bay & Bay's privacy policy promises to, among other things, "adopt and maintain "appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our site." (Compl. ¶ 26).
On or about January 5, 2022, Bay & Bay discovered suspicious activity on its IT systems. (Id. ¶ 32.) Following this discovery, Bay & Bay launched an investigation and learned that in or around November 2021, unauthorized parties accessed files containing Private Information via a ransomware attack ("data breach") and published Private Information on the dark web. (Id. ¶¶ 1, 33.)
On a data breach notice letter dated February 9, 2022, Perry was notified by Bay & Bay that his Private Information was compromised in a data breach. (Id. ¶ 17.) Perry alleges that some 7,500 individuals were victims of the data breach. (Id. ¶ 34). Perry alleges he and Class Members provided their Private Information to Bay & Bay with the reasonable expectation and mutual understanding that Bay & Bay would comply with its obligations to keep such information confidential and secure from unauthorized access, and that data security obligations were particularly important given the substantial increase in cyberattacks and Bay & Bay's previous cyberattack in 2018. (Id. ¶¶ 35-41.)
Bay & Bay disputes that criminals successfully obtained Perry's information, instead asserting that after discovering the unauthorized access it notified all individuals who were potentially affected, including Perry.
As a result of the data breach, Bay & Bay directed Perry to take certain steps to protect his Private Information and otherwise mitigate his damages. (Id. ¶ 87.) Bay & Bay offered a credit monitoring and identity theft insurance program of which Perry enrolled. (Id. ¶ 88.) Perry alleges that he spends approximately 3-4 hours per week dealing with the consequences of the data breach, including self-monitoring his bank and credit accounts, communicating with his bank, and exploring credit monitoring and identity theft insurance options, and has spent time verifying the legitimacy of the notice of data breach letter, of which "time has been lost forever and cannot be recaptured." (Id.) Perry further alleges that as a result of the data breach he fell victim to a bank scam where cyberthieves used his PI to contact him and impersonate his bank and scam him out of $500. (Id. ¶ 89.)
Perry commenced the instant action on March 17, 2022. In his complaint, he seeks damages under three causes of action: (1) negligence, (2) negligence per se under the Federal Trade Commission Act, and (3) breach of implied contract. (Id. ¶¶ 124-149.) Perry also seeks injunctive and equitable relief to require Bay & Bay to implement certain data security measures. (Id. ¶ 134). Perry contends that Bay & Bay failed to comply with the Federal Trade Commission Act's established cyber-security guidelines for businesses and industry standards, and such neglect presents Perry and Class Members with a present and substantially increased risk of fraud and identity theft. (Id. ¶¶ 50-63).
Bay & Bay now moves to dismiss the action on two grounds. First, as a threshold issue, Bay & Bay argues that Perry lacks Article III standing under Federal Rule of Civil Procedure 12(b)(1) because Perry does not and cannot allege an actual injury traceable to the data breach, nor can he allege a concrete injury or impending risk of future harm that has not already been fully redressed by the benefits provided by Bay & Bay through its identity theft monitoring and insurance reimbursement coverage program ("credit monitoring services"). Second, Bay & Bay argues that Perry has failed to state a claim upon which relief can be granted pursuant to Rule 12(b)(6) because he fails to allege sufficient facts to support the negligence elements of damages or causation, or that Bay & Bay entered into an implied contract.
DISCUSSION
I. RULE 12(B)(1) SUBJECT MATTER JURISDICTION
A. Standard Of Review
A Rule 12(b)(1) motion challenges the Court's subject matter jurisdiction and requires the Court to examine whether it has authority to decide the claims. The party seeking to invoke a federal court's subject matter jurisdiction bears the burden of showing, by a preponderance of the evidence, that the court has jurisdiction. Schubert v. Auto Owners Ins. Co., 649 F.3d 817, 822 (8th Cir. 2011). A court must dismiss an action if it lacks subject matter jurisdiction. Fed. R. Civ. P. 12(h)(3). "A court deciding a motion under Rule 12(b)(1) must distinguish between a 'facial attack' and a 'factual attack.' " Osborn v. United States, 918 F.2d 724, 729 n.6 (8th Cir. 1990). In deciding a facial attack, "the court restricts itself to the face of the pleadings, and the non-moving party receives the same protections as it would defending against a motion brought under Rule 12(b)(6)." Id. (citations omitted). The Court, therefore, may also consider "materials that are necessarily embraced by the pleadings." Carlsen v. GameStop, Inc., 833 F.3d 903, 908 (8th Cir. 2016). The Court accepts as true all facts alleged in the complaint construing all reasonable inferences in the plaintiff's favor. Id. "The general rule is that a complaint should not be dismissed unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief." Osborn, 918 F.2d at 729 n.6 (citations and internal quotation marks omitted). "In a factual attack, the court considers matters outside the pleadings, and the non-moving party does not have the benefit of 12(b)(6) safeguards." Id. (citations omitted).
"[M]aterials embraced by the complaint include documents whose contents are alleged in a complaint and whose authenticity no party questions, but which are not physically attached to the pleadings." Zean v. Fairview Health Servs., 858 F.3d 520, 526 (8th Cir. 2017) (quotation omitted).
B. Article III Standing
Bay & Bay presents both a facial and factual attack on the Court's subject matter jurisdiction by asserting a deficiency in the pleadings and by presenting a declaration that provides evidence of Perry's employment application, its credit monitoring services, and the data breach letter sent to Perry. Since these documents are necessarily embraced, as the contents of these documents are alleged in the Complaint and are undisputed by the parties, the Court may consider them.
To bring a claim in federal court, a plaintiff must have Article III standing. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 559, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). This means that there must be an actual controversy between the parties. See Genesis Healthcare Corp. v. Symczyk, 569 U.S. 66, 71, 133 S.Ct. 1523, 185 L.Ed.2d 636 (2013). To have Article III standing, the plaintiff "must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, 578 U.S. 330, 338, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016). When a defendant makes a facial attack on the plaintiff's Article III standing under Rule 12(b)(1), the standard of review is the same as a motion to dismiss brought under Rule 12(b)(6). Stalley v. Catholic Health Initiatives, 509 F.3d 517, 521 (8th Cir. 2007). A plaintiff must "demonstrate standing separately for each form of relief sought." TransUnion LLC v. Ramirez, — U.S. —, 141 S. Ct. 2190, 2210, 210 L.Ed.2d 568 (2021) (quoting Friends of the Earth, Inc. v. Laidlaw Environmental Services, Inc., 528 U.S. 167, 185, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000)).
Bay & Bay's main arguments attacking Perry's Article III standing center on the requirements of injury in fact and traceability. To establish injury in fact, a plaintiff must show that he suffered an injury "that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.' " Spokeo, 578 U.S. at 339, 136 S.Ct. 1540 (quoting Lujan, 504 U.S. at 560, 112 S.Ct. 2130). For an injury to be "particularized," it "must affect the plaintiff in a personal and individual way." Id. A future injury may constitute an injury in fact, but only if the plaintiff demonstrates that "the threatened injury is certainly impending, or there is a substantial risk that the harm will occur." In re SuperValu, Inc., 870 F.3d 763, 769 (8th Cir. 2017) (internal quotations omitted).
1. Standing for Injunctive and Equitable Relief
Here, Perry seeks injunctive and equitable relief to require Bay & Bay to make improvements to its data security systems, to provide future annual audits, and to provide adequate credit monitoring services funded by Bay & Bay. To establish standing for this forward-looking relief, Perry must allege a "sufficiently imminent and substantial" risk of harm that would be avoided if the sought-after relief was granted. TransUnion, 141 S. Ct. at 2210. Perry has done so here.
An increased risk of identity theft is more likely to constitute an injury in fact where there is evidence that a third party has accessed PI and/or already fraudulently used the data. See Attias v. Carefirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017) ("Here . . . an unauthorized party has already accessed personally identifying data on CareFirst's servers, and it is much less speculative—at the very least, it is plausible—to infer that this party has both the intent and the ability to use that data for ill."); In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625, 639 n.19 (3d Cir. 2017) (explaining, in dicta, that in accordance with the Seventh Circuit's decision in Remijas, a material risk of harm to all plaintiffs existed because one plaintiff alleged that he had already been a victim of identity theft as a result of the breach). Perry alleges just that in this case, by alleging fraud or misuse of his PI through the publishing of such information on the dark web and through an alleged bank scam where cyberthieves used his PI disclosed in Bay & Bay's data breach to contact him and impersonate his bank and scam him out of $500. As such, Perry sufficiently alleges that his PI was misused, and such misuse strengthens the plausibility of a substantial risk of identity theft.
Bay & Bay points to SuperValu I to assert that "allegations that criminals are buying and selling information, and that data breaches facilitate identity theft are not sufficient to establish that the risk of plaintiffs suffering future identify theft is substantial." (Def. Mem. Supp. Mot. Dismiss at 8, Apr. 28, 2022, Docket No. 12.) In that case, the Eighth Circuit found that plaintiffs failed to factually support their bare allegation that data breaches facilitate identity theft, having rested their claim solely on a 2007 GAO report. SuperValu I, 870 F.3d at 770. Bay & Bay likens SuperValu I to the instant case, asserting that Perry's allegation that data breaches create a substantial risk of identity theft is factually bare and only grounded in the GAO report, a general recounting of the types of fraud that could occur.
This GAO report is a report from the Government Accountability Office reviewing issues related to risks of harm from data breaches and consumer options to address such harm. SuperValu I, 870 F.3d at 770.
Supervalu I is, however, distinguishable. Importantly, the GAO report that plaintiffs relied on in SuperValu I concluded that compromised credit or debit card information, like the card information in that case, generally could not be used alone to open unauthorized new accounts. SuperValu I, 870 F.3d at 770-71. As such, pursuant to the factual evidence relied on in the complaint, there was little to no risk that anyone would use the card information stolen to open unauthorized accounts in the plaintiffs' names. Id. The court concluded that because the report found that data breaches are unlikely to result in account fraud, it does not support the allegation that defendants' data breaches created a substantial risk that plaintiffs will suffer credit or debit card fraud. Id. at 771. Contrary to Bay & Bay's contention, here the compromised PI included information such as social security numbers, which could ostensibly result in opening unauthorized accounts. Because the SuperValu Court indicated that the type of information stolen can be important in determining standing in a data breach case, see id. at 770, it is significant that the information here could be and has allegedly already been used to perpetuate fraud. In such instance, Perry has alleged that he has already experienced harm from the data breach by way of the bank scam which exposes him to a material risk of future harm that is concrete and imminent. That is enough to satisfy the standing requirement.
In sum, Perry has demonstrated standing for his injunctive and equitable relief claims, thus Bay & Bay's motion to dismiss as to these claims must be denied.
2. Standing for Monetary Relief
Perry also seeks various monetary damages flowing from Bay & Bay's conduct. As the Spokeo Court explained, certain harms readily qualify as concrete injuries under Article III. The most obvious are traditional tangible harms, such as physical harms and monetary harms. See Spokeo, 578 U. S. at 340-341, 136 S.Ct. 1540. If a defendant has caused physical or monetary injury to the plaintiff, the plaintiff has suffered a concrete injury in fact under Article III. TransUnion, 141 S. Ct. at 2204.
Bay & Bay contends that Perry's allegations of harm are conclusory and speculative and do not establish an impending threat of injury, especially considering that Bay & Bay has offered complimentary credit monitoring services for up to twelve months which fully redresses Perry's alleged injuries.
Bay & Bay cites several out of circuit cases for the proposition that when a defendant provides redress for a plaintiff's alleged injuries before he files suit, the plaintiff lacks standing for such claims on the ground that there is no concrete injury alleged that has not already been fully redressed. Bay & Bay further provides that this Court has recognized this principle in Johnson v. Bobcat, 175 F. Supp. 3d 1130, 1137 (D. Minn. 2016). In that case, however, this Court held that the refund at issue did not deprive the plaintiff of standing, because the plaintiff had clearly alleged concrete injuries beyond the amount of the refund offered (i.e., specific consequential and incidental damages). Id. at 1139.
Perry has sufficiently alleged concrete injuries stemming from the data breach which is allegedly the result of Bay & Bay's failure to protect his PI to avoid dismissal. First, Perry alleges that his PI has been disclosed to cybercriminals, such injury having a "close relationship" to a harm "traditionally recognized as providing a basis for lawsuits in American courts." TransUnion, 141 S.Ct. at 2204 (establishing that traditional harms recognized as providing a basis for Article III standing include "reputational harms, disclosure of private information, and intrusion upon seclusion."). Next, Perry has alleged and described how his PI has already been misused, having been published on the dark web and used for the bank scam. Lastly, Perry alleges that he and Class Members have spent time monitoring the effects of the data breach, which qualifies as a concrete injury because he alleges a substantial and imminent risk of identity theft based on the misuse that has already occurred.
In In re Pawn America, the Court similarly concluded that plaintiffs had standing to pursue monetary relief because they alleged disclosure of their PI and described how that information had been disclosed due to Pawn America's negligence, alleged emotional distress directly caused by theft of their private information, an injury where damages is readily available, at least one plaintiff alleged out-of-pocket costs and all alleged that they spent time and other resources mitigating the effects of the breach. In re Pawn America Consumer Data Breach Litig., No. 21-CV-2554, 2022 WL 3159874 at *3-4 (D. Minn. Aug. 8, 2022). The Court further concluded that since traceability is a threshold inquiry, for the purposes of establishing standing, plaintiffs adequately alleged a connection between the data breach and the alleged injuries. Id. at *5.
Further, Perry has generally established that his injuries are fairly traceable to Bay & Bay's conduct. Perry has alleged at least one monetary harm: a $500 bank scam that resulted after cyberthieves used his PI disclosed in Bay & Bay's data breach to contact him. Such harm is not accounted for in Bay & Bay's credit monitoring services and thus the monitoring service does not fully redress the alleged harm Perry has suffered.
Bay & Bay failed to secure customer and prospective employees' Private Information on their network, their network was subsequently hacked, Private Information was stolen by the hackers, and Perry became the victim of a bank scam after the data breaches. At this stage of the litigation, "we presum[e] that [these] general allegations embrace those specific facts that are necessary to support" a link between Perry's fraudulent charge and the data breaches. SuperValu, 870 F.3d at 772 (quoting Bennett v. Spear, 520 U.S. 154, 168, 117 S.Ct. 1154, 137 L.Ed.2d 281 (1997) (first alteration in the original) (quoting Lujan, 504 U.S. at 561, 112 S.Ct. 2130)). Bay & Bay's argument that Perry did not provide his bank information is of no moment for establishing standing; Perry provided certain information to Bay & Bay that was stolen and thereafter misused. Therefore, Perry pleads an injury in fact that is fairly traceable to Bay & Bay's conduct, the alleged lack of adequate safeguards to protect his PI. Thus, the Court concludes that Perry has met his burden, "which is relatively modest at this stage of the litigation," of alleging that bank scam is fairly traceable to Bay & Bay's data breach. SuperValu I, 870 F.3d at 772 (internal citation and quotation omitted). The Court will deny Bay & Bay's motion to dismiss for lack of standing.
II. RULE 12(B)(6) FAILURE TO STATE A CLAIM
A. Standard of Review
In the alternative, Bay & Bay moves to dismiss the complaint pursuant to Rule 12(b)(6) for failure to state a claim. In reviewing a motion to dismiss brought under Federal Rule of Civil Procedure 12(b)(6), the Court considers all facts alleged in the complaint as true to determine if the complaint states a " 'claim to relief that is plausible on its face.' " Braden v. Wal-Mart Stores, Inc., 588 F.3d 585, 594 (8th Cir. 2009) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009)). To survive a motion to dismiss, a complaint must provide more than " 'labels and conclusions' or 'a formulaic recitation of the elements of a cause of action.' " Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)). Although the Court accepts the complaint's factual allegations as true, it is "not bound to accept as true a legal conclusion couched as a factual allegation." Twombly, 550 U.S. at 555, 127 S.Ct. 1955 (internal quotation mark omitted).
"A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. "Where a complaint pleads facts that are merely consistent with a defendant's liability, it stops short of the line between possibility and plausibility," and therefore must be dismissed. Id. (internal quotation marks omitted). Finally, Rule 12(b)(6) "authorizes a court to dismiss a claim on the basis of a dispositive issue of law." Neitzke v. Williams, 490 U.S. 319, 326, 109 S.Ct. 1827, 104 L.Ed.2d 338 (1989).
B. FTCA Section 5
Perry's negligence per se claim is grounded in Bay & Bay's alleged violation of Section 5 of the FTCA, which prohibits engaging in "unfair methods of competition" and "unfair or deceptive acts or practices" in or affecting commerce. 15 U.S.C. § 45(a)(1). Bay & Bay first argues that Perry's negligence per se claim fails as a matter of law because the FTCA does not establish a fixed standard of care. Bay & Bay asserts that Section 5 of the FTCA falls far short of establishing a specific and ascertainable standard of conduct because the terms "unfair methods of competition" and "unfair or deceptive acts or practices" are vague and amorphous, indeed by design, and thus does not delineate the requisite fixed standard of care sufficient to support a claim for negligence per se.
Contrary to Bay & Bay's contentions, the term "unfair or deceptive acts or practices" is not too vague to establish a fixed standard of care—the term encompasses acts or practices that cause or are likely to cause reasonably foreseeable injury within the United States or involve material conduct. 15 U.S.C. § 45(4)(A). Perry has sufficiently alleged that Bay & Bay's failure to adequately protect his and putative Class Members' PI provided to the company caused reasonably foreseeable injury because failing to protect such information resulted in the data being compromised and misused, and one concrete harm flowing from this failure is the bank scam. It is plausibly foreseeable that failing to protect PI that a company requires as a condition of prospective employment or doing business and stores on their cyber networks can result in unauthorized access and misuse.
At this time, the Court does not make an ultimate determination as to the issue of foreseeability of the data breach. Rather, it merely concludes that the Plaintiff has plausibly plead foreseeability for the purposes of this Motion to Dismiss. Proving foreseeability of a data breach is an open and separate question for a later stage of the litigation.
In fact, the FTCA has indicated that certain cybersecurity practices are "unfair" under the statute. See Consumer Data Protection: Hearing Before the Subcomm. on Com., Mfg. & Trade of the H. Comm. on Energy & Com., 2011 WL 2358081 at *6 (June 15, 2011) (statement of Edith Ramirez, Comm'r, FTC) ("[T]he Commission enforces the FTC Act's proscription against unfair or deceptive acts or practices in cases where a business ['s] . . . failure to employ reasonable security measures causes or is likely to cause substantial consumer injury."); Data Theft Issues: Hearing Before the Subcomm. on Com., Mfg. & Trade of the H. Comm. on Energy & Com., 2011 WL 1971214 at *7 (May 4, 2011) (statement of David C. Vladeck, Director, FTC Bureau of Consumer Prot.) (same). Thus, Section 5 of the FTCA is not too amorphous and vague to establish a fixed standard of care.
Next, Bay & Bay argues that even if the FTCA did establish a fixed standard of care, Minnesota law does not recognize a negligence per se claim based on a civil statute that does not provide a private right of action. Bay & Bay's argument is unavailing.
Certainly, not all penal statutes establish a tort duty of care under all circumstances. Kronzer v. First Nat. Bank of Minneapolis, 305 Minn. 415, 235 N.W.2d 187, 193 (1975). In Minnesota, a violation of a statute or regulation gives rise to negligence per se if (1) the person harmed by that violation is among those the legislature sought to protect and (2) the harm suffered is of the type the statute or regulation was intended to prevent. Anderson v. State, Dep't of Nat. Res., 693 N.W.2d 181, 189-90 (Minn. 2005); Alderman's Inc. v. Shanks, 536 N.W.2d 4, 8 (Minn. 1995). If these standards are met, then the statute or regulation "imposes a fixed duty of care, so its breach constitutes conclusive evidence of negligence." Alderman's, 536 N.W.2d at 8 (quoting Pacific Indem. Co. v. Thompson-Yaeger, Inc., 260 N.W.2d 548, 558-59 (Minn. 1977)). As such, Minnesota law permits negligence per se claims premised on statutes like the FTCA that do not explicitly confer a private right of action if the well-established two-part test is satisfied. See Alderman's, 536 N.W.2d at 8; see also Engvall v. Soo Line Railroad Co., 632 N.W.2d 560, 568-69 (Minn. 2001) (establishing that while a federal statute may not by its own terms confer a private right of action, this "merely means that [such statutes] do not provide statutory causes of action, and that a party suing for violation of [them] must do so under a common law action").
Here, Perry's allegations that Bay & Bay was negligent in not protecting PI could reasonably fall under the harm contemplated by the statute and the class of persons the statute intended to protect. A company's failure to protect PI—which may constitute an unfair act under the FTCA—plausibly is the type of injury the FTCA was designed to prevent. In fact, the Federal Trade Commission has previously used this authority to bring a number of enforcement actions against companies that have purportedly failed to protect consumer financial data against hackers. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 240 (3d Cir. 2015). In other words, Bay & Bay's alleged failure to adequately protect PI and the resulting disclosure may very well constitute the type of harm intended to be protected by FTCA.
Bay & Bay cites SuperValu II and notes that the Eighth Circuit made clear that allowing a negligence per se claim based on Section 5 of the FTCA "would be inconsistent with Congress's anticipated enforcement scheme." In re SuperValu ("SuperValu II"), 925 F.3d 955, 964 (8th Cir. 2019). However, the SuperValu II court was applying Illinois law and explicitly noted that whether a defendant has a legal duty is "a question of state law." SuperValu II, 925 F.3d at 963-64. In this lens, the Court analyzed Illinois negligence requirements and found several of those conditions "absent" in the facts of that case, concluding that "Illinois is unlikely to recognize a legal duty enforceable through a negligence action arising from the FTCA." Id. at 964. Thus, contrary to Bay & Bay's proposition, the Eighth Circuit in SuperValu II did not have the occasion to consider whether a negligence per se claim based on Section 5 is colorable under Minnesota law.
As of now, Perry has sufficiently alleged that Bay & Bay's violation of Section 5 constitutes negligence per se under Minnesota law. Because the Court so concludes, Bay & Bay's motion to dismiss in this respect is denied.
C. Negligence & Negligence Per Se
Bay & Bay contends that as to Perry's negligence and negligence per se claims, he fails to allege sufficient facts to support the element of damages and similarly fails to plead facts to establish causation. To state a valid cause of action for negligence under Minnesota law, a plaintiff must demonstrate "(1) the existence of a duty of care, (2) a breach of that duty, (3) an injury, and (4) that the breach of the duty of care was a proximate cause of the injury." Domagala v. Rolland, 805 N.W.2d 14, 22 (Minn. 2011) (citing Funchess v. Cecil Newman Corp., 632 N.W.2d 666, 672 (Minn. 2001)); Lubbers v. Anderson, 539 N.W.2d 398, 401 (Minn. 1995).
Although negligence per se may be pleaded separately from negligence, the two causes of action are inseparably intertwined. Anderson, 693 N.W.2d at 189. While the standard for ordinary negligence is "the traditional standard of the reasonable man of ordinary prudence, negligence per se may exist when the reasonable person standard is supplanted by a standard of care established by the legislature." Seim v. Garavalia, 306 N.W.2d 806, 810 (Minn. 1981) (internal quotations omitted). Stated another way, in negligence per se cases, courts "adopt as the standard of conduct of a reasonable man the requirements of a legislative enactment or an administrative regulation." Restatement (Second) of Torts § 286. In either action, a plaintiff must still prove that he was injured, and that the defendant's conduct was a proximate cause of their injury.
Perry incorrectly asserts that the issue of damages is one for summary judgement after discovery has occurred and not appropriate for a motion to dismiss. PI. Mem. Opp. Mot. Dismiss at 29, May 19, 2022, Docket No. 19) (citing Lorix v. Crompton Corp., 736 N.W.2d 619, 635 (Minn. 2007)). While state law is applicable to the substance of the three causes of action, Bay & Bay is correct that damages are an element of Perry's causes of action that must be sufficiently plead based on the Iqbal/Twombly plausibility standard.
Here, Perry has sufficiently pleaded injury and causation. Perry alleges that he and class members suffered some loss: compromised PI published on the dark web, lost time and resources mitigating the effects of the data breach and in at least one instance, misuse of PI materialized when cyberthieves used Perry's PI to contact him and commit the bank scam. This constitutes a cognizable injury.
Further, the Court construes all inferences at this stage in favor of the plaintiff. As such, Perry has plausibly alleged that Perry's sensitive PI would not have been disclosed to cyberthieves had Bay & Bay's not failed to establish adequate data-security systems. Therefore, Perry has sufficiently alleged that Bay & Bay's alleged negligent conduct was the proximate cause of Perry's monetary loss because the cyberthieves used information from the breach to commit the bank scam.
It is true that Perry will need to later prove that Bay & Bay's alleged negligence is the proximate cause of his injury. In Minnesota, "a party's negligence is the proximate cause of an injury, if the act is one which the party ought, in the exercise of ordinary care, to have anticipated was likely to result in injury to others and the defendant's conduct was a substantial factor in bringing about the injury." McDougall v. CRC Indus., Inc., 523 F. Supp. 3d 1061, 1072 (D. Minn. 2021) (quoting Lubbers v. Anderson, 539 N.W.2d at 401) (internal quotations omitted). Here, reasonable minds can arrive at multiple conclusions. First, there are arguably many alternative causes of the injury. For example, bank scams such as the one Perry fell victim to may happen in the ordinary course of life, even without data breaches. Information such as one's name, phone number, or even birthdate is readily accessible without an individual's information having been compromised by an entity that possesses it. Second, Perry does not state when the bank scam occurred. If the bank scam happened prior to the data breach, there is no causation. See In re SuperValu, Inc., Customer Data Sec. Breach Litig., No. 14-MD-2586, 2018 WL 1189327, at *13 (D. Minn. Mar. 7, 2018), aff'd sub nom. In re SuperValu, Inc., 925 F.3d 955 (8th Cir. 2019).
However, Perry has nevertheless sufficiently pleaded his claim to survive this Motion to Dismiss. Whether he can, in fact, prove that the Bay & Bay's conduct was the proximate cause is an issue to be resolved at a later stage, in which discovery will play a key role in developing this issue.
Ultimately, the Court concludes that Perry's negligence and negligence per se claims establish causation and damages. Bay & Bay's motion to dismiss for failure to state a claim upon which relief can be granted as to these claims is thus denied.
D. Implied Contract
Finally, Bay & Bay asserts that Perry does not allege any facts to establish that Bay & Bay intended to or entered into an implied contract with Perry, who was merely a job applicant, much less that he provided the requisite consideration. Bay & Bay disputes that the plain language of their privacy policy creates an implied contract because it only applies to their website and all products and services offered by Bay & Bay. Since Perry does not allege that he accessed the website or provided information through the site or purchased products or services, the policy does not apply to him. Additionally, even if the policy did apply to Perry, Bay & Bay argues that the policy's language is too vague to constitute a contractual offer.
Under Minnesota law, a breach of contract claim has four elements: "(1) formation of a contract; (2) performance by plaintiff of any conditions precedent; (3) a material breach of the contract by defendant; and (4) damages." Gen. Mills Operations, LLC v. Five Star Custom Foods, Ltd., 703 F.3d 1104, 1107 (8th Cir. 2013). Under the common law of Minnesota, contracts of any sort can be implied in fact and can be oral or written. See McArdle v. Williams, 193 Minn. 433, 258 N.W. 818, 820-21 (1935) (noting that contracts may be written, oral, implied from the actions of the parties, or some combination thereof). Equally uncontroversial in the law of contracts is that the formation of an implied contract is evaluated objectively. Holman Erection Co. v. Orville E. Madsen & Sons, 330 N.W.2d 693, 695 (Minn. 1983). In other words, an intent to be contractually bound is determined by the objective manifestations of the parties' words, conduct, and documents, and not by their subjective intent. See id.
While it is a close call, Perry sufficiently alleges factual circumstances to meet contractual elements of formation, performance of conditions precedent, breach, and damages, however slight. Perry was a prospective employee who was required to provide certain Private Information to Bay & Bay to be considered for employment. The contractual offer is the exchange of PI (Perry) for employment consideration (Bay & Bay). Upon Perry applying and providing this information, and Bay & Bay accepting and considering him for employment, the parties mutually assented to an implied contract.
Bay & Bay provided consideration by promising to consider Perry for employment, while Perry provided consideration by providing valuable property, his PI. By mandating this exchange of information, it is plausible that Bay & Bay made an implied promise to keep the PI secure. Bay & Bay breached this implied contract when it failed to keep this promise and a data breach occurred. Lastly, Perry can arguably establish damages because he allegedly suffered injuries that included loss of the benefit of the bargain, monetary loss, and diminution of value of the PI.
At this stage, Perry has alleged enough to move forward with his breach of implied contract claim and thus the Court will deny Bay & Bay's motion in this respect.
CONCLUSION
Because Perry has Article III standing and has alleged sufficient facts at this stage to support the negligence elements of damages and causation and that Bay & Bay entered into an implied contract, Bay & Bay's motion to dismiss is denied.
ORDER
Based on the foregoing, and all the files, records, and proceedings herein, IT IS HEREBY ORDERED that Defendant Bay & Bay's Motion to Dismiss [Docket No. 10] is DENIED.