Opinion
CV-23-00207-PHX-JJT
01-30-2024
ORDER
HONORABLE JOHN J. TUCHI UNITED STATES DISTRICT JUDGE
At issue is Defendant FocusIT LLC's Motion to Dismiss Plaintiff's Amended Class Action Complaint and Motion to Strike Plaintiff's Class Allegation (Doc. 27, MTD), to which Plaintiffs Joshua Quinalty and Alene Motta filed a Response (Doc. 29, Resp.) and Defendant filed a Reply (Doc. 30, Reply). The Court has reviewed the parties' briefs and finds this matter appropriate for decision without oral argument. See LRCiv 7.2(f). For the reasons set forth below, the Court grants Defendant's Motion to Dismiss and grants Plaintiffs leave to file a Second Amended Complaint.
I. BACKGROUND
In the Amended Class Action Complaint for Damages, Injunctive, and Equitable Relief (Doc. 26, Am. Compl.), Plaintiffs allege the following facts. Plaintiff Quinalty and Plaintiff Motta provided Personal Identifying Information (“PII”) to banks and financial institutions. (Am. Compl. ¶¶ 2, 4.) Defendant is a third-party vendor that hosts mortgage origination and loan processing software applications for the banks and financial institutions to whom Plaintiff Quinalty and Plaintiff Motta provided their PII. (Am. Compl. ¶ 2.)
On June 1, 2022, Defendant's system was compromised resulting in PII being available to cybercriminals. (Am. Compl. ¶¶ 38-39.) The PII exposed included names, dates of birth, addresses, and social security numbers of 147,799 individuals. (Am. Compl. ¶ 38.) Defendant became aware of the data breach on August 2, 2022, and began notifying affected individuals on September 28, 2022. (Am. Compl. ¶¶ 37, 45.)
Plaintiff Quinalty alleges two phones were fraudulently purchased using his PII as a result of the data breach. (Am. Compl. ¶ 65.) Plaintiff Quinalty further alleges that he purchased additional credit monitoring services, experienced an increase in spam phone calls, messages, and targeted advertisements, and spent approximately twelve hours responding to the breach. (Am. Compl. ¶¶ 66, 69.)
Plaintiff Motta alleges her PII was also included in the data breach and that she experienced emotional distress as a result. (Am. Compl. ¶¶ 75, 82.) Plaintiff Motta additionally alleges she spent approximately three hours responding to the breach and anticipates spending considerable time and money to mitigate and address the associated harms. (Am. Compl. ¶¶ 79, 83.)
On behalf of themselves and a putative nationwide class, consisting of all individuals residing in the United States whose PII was compromised in the data breach (Am. Compl. ¶ 116), Plaintiffs raise claims of Negligence and Unjust Enrichment. Plaintiffs additionally bring a claim for a putative subclass of Arizona plaintiffs: violation of the Arizona Consumer Fraud Act. (Am. Compl. ¶¶ 165-75.) Defendant filed a Motion to Dismiss for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6).
II. LEGAL STANDARD
A. Subject Matter Jurisdiction
“A motion to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1) may attack either the allegations of the complaint as insufficient to confer upon the court subject matter jurisdiction, or the existence of subject matter jurisdiction in fact.” Renteria v. United States, 452 F.Supp.2d 910, 919 (D. Ariz. 2006) (citing Thornhill Publ'g Co. v. Gen. Tel. & Elecs. Corp., 594 F.2d 730, 733 (9th Cir. 1979)). “Where the jurisdictional issue is separable from the merits of the case, the [court] may consider the evidence presented with respect to the jurisdictional issue and rule on that issue, resolving factual disputes if necessary.” Thornhill, 594 F.2d at 733; see also Autery v. United States, 424 F.3d 944, 956 (9th Cir. 2005) (“With a 12(b)(1) motion, a court may weigh the evidence to determine whether it has jurisdiction.”). The burden of proof is on the party asserting jurisdiction to show that the court has subject matter jurisdiction. See Indus. Tectonics, Inc. v. Aero Alloy, 912 F.2d 1090, 1092 (9th Cir. 1990).
B. Failure to State a Claim for Relief
Rule 12(b)(6) is designed to “test[] the legal sufficiency of a claim.” Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). A dismissal under Rule 12(b)(6) for failure to state a claim can be based on either: (1) the lack of a cognizable legal theory; or (2) the absence of sufficient factual allegations to support a cognizable legal theory. Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990). When analyzing a complaint for failure to state a claim, the well-pled factual allegations are taken as true and construed in the light most favorable to the nonmoving party. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). A plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). “The plausibility standard is not akin to a ‘probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id.
“While a complaint attacked by a Rule 12(b)(6) motion does not need detailed factual allegations, a plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555 (cleaned up and citations omitted). Legal conclusions couched as factual allegations are not entitled to the assumption of truth and therefore are insufficient to defeat a motion to dismiss for failure to state a claim. Iqbal, 556 U.S. at 679-80. However, “a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that ‘recovery is very remote and unlikely.'” Twombly, 550 U.S. at 556 (quoting Scheuer v. Rhodes, 416 U.S. 232, 236 (1974)).
III. ANALYSIS
A. Standing
Defendant first argues Plaintiffs' claims should be dismissed under Rule 12(b)(1) for lack of standing. Article III courts are limited to deciding “cases” and “controversies.” U.S. Const. art. III, § 2. Article III of the Constitution requires that one have “the core component of standing.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). To have standing under Article III, a plaintiff must show: (1) an injury in fact that is (a) concrete and particularized and (b) actual or imminent; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, not merely speculative, that the injury will be redressed by decision in the plaintiff's favor. Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th Cir. 2011). A complaint that fails to allege facts sufficient to establish standing requires dismissal for lack of subject matter jurisdiction under Rule 12(b)(1). See, e.g., Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1123 (9th Cir. 2010).
To establish an injury in fact, “a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339-40 (2016) (citation and quotation marks omitted). A “concrete” and “particularized” injury must be “real,” not “abstract,” id., and “must affect the plaintiff in a personal and individual way.” Lujan, 504 U.S. at 560 n.1. To be “actual or imminent,” a threatened injury must be “certainly impending”; “allegations of possible future injury are not sufficient.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (cleaned up).
Here, Defendant claims Plaintiffs have not alleged any injuries. Plaintiff Quinalty, however, alleges phones were fraudulently purchased using his PII as a result of the breach. Plaintiff Quinalty further alleges he purchased credit monitoring services as a result of the breach. This plausibly constitutes a cognizable injury by way of a reasonable expenditure for harm Plaintiff Quinalty allegedly suffered from the breach. See In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *8 (D. Ariz. Dec. 20, 2017) (“A person whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened.” (internal citation omitted)). Accordingly, Plaintiff Quinalty alleges sufficient facts to establish standing.
Although Defendant contends that one of the alleged fraudulent purchases occurred before Defendant had possession of Plaintiff Quinalty's data, Defendant does not dispute that the other alleged fraudulent purchase occurred after Defendant had possession.
Additionally, Plaintiff Motta alleges she suffered emotional distress because of the data breach. (Am. Compl. ¶ 82.) Specifically, Plaintiff Motta alleges she experienced anxiety and remains “very concerned” about identity theft and fraud. (Am. Compl. ¶ 82.) Emotional distress is a sufficiently concrete injury to establish standing. Goz v. Allied Collection Servs., Inc., 812 Fed.Appx. 544, 545 (9th Cir. 2020).
Plaintiff Motta further alleges she is exposed to the future harm that her PII will be disclosed to unauthorized parties and that she could suffer identity theft. (Am. Compl. ¶¶ 82, 89.) To establish a future harm as concrete, the exposure to the risk of future harm must cause a separate concrete harm itself. TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021); Clemens v. ExecuPharm Inc., 48 F.4th 146, 155 (3d Cir. 2022). For example, the Clemens court held that if a plaintiff's knowledge of the substantial risk of identity theft causes her to presently experience emotional distress, then the plaintiff has alleged a concrete injury. Id. at 156. Here, Plaintiff Motta alleges the data breach exposed her to the future risk of identity theft. She further alleges the exposure to the future risk of identity theft caused her emotional distress. Therefore, Plaintiff Motta's alleged exposure to the future risk of identity theft is a sufficient injury in fact to establish standing.
Plaintiffs allege the Class, however, has a common injury because their data was included in the breach. (Am. Compl. ¶ 123) (“Plaintiffs' claims are typical of the claims of other members of the Class in that Plaintiffs like every member of the class had their PII compromised in the Defendant's Data Breach.”). Exposure to the breach alone is not a sufficiently concrete injury to establish standing. Namely, unlike the unique injuries pled by Plaintiff Quinalty and Plaintiff Motta, Plaintiffs allege the Class only suffered harm because their data was subject to the breach. Plaintiffs do not allege the Class suffered actual identity theft, suffered emotional distress because of the risk of identity theft, or incurred out-of-pocket expenses because of the breach. Therefore, Plaintiffs have not alleged sufficient facts to establish standing for the Class.
Accordingly, under Rule 12(b)(1), the Court grants Defendant's Motion to Dismiss only as to the Class.
B. Negligence
1. Duty and Breach
Defendant first argues Plaintiffs fail to adequately plead duty and breach. Defendant specifically argues Plaintiffs fail to allege a relationship that creates a duty because Plaintiffs were not Defendant's direct customers. (MTD at 9-10.) Plaintiffs, however, argue Defendant had a duty to use reasonable means to secure its systems and networks because Defendant undertook the responsibility to maintain and secure their PII. (Resp. at 10-11.) Plaintiffs further argue that public policy, through 15 U.S.C. § 45, establishes a duty of care. (Resp. at 10-11.)
In Arizona, several special relationships can give rise to a duty, including relationships based on contract, familial relations, or conduct undertaken by the defendant. Stanley v. McCarver, 92 P.3d 849, 853 (Ariz. 2004). However, liability based on such an undertaking requires that the defendant undertook conduct directly with or for the plaintiff. Cal-Am Props. v. Edais Eng'g Inc., 509 P.3d 386, 390 (Ariz. 2022) (citing McCarver, 92 P.3d at 853).
Here, Plaintiffs allege Defendant obtained Plaintiffs' PII from the banks and financial institutions that Defendant services. (Am. Compl. ¶ 2.) Plaintiffs do not allege, however, that Defendant obtained PII directly from Plaintiffs, or for Plaintiffs' benefit. Therefore, a duty does not arise based solely on Defendant obtaining Plaintiffs' PII from financial institutions.
Additionally, Arizona generally follows the Restatement (Second) of Torts §§ 323 and 324A, which provide in part that one who undertakes gratuitously or for consideration, to render services to another which he should recognize as necessary for the protection of the other's person or things, or a third person or his things, can be subject to liability for physical harm resulting from his failure to exercise reasonable care to perform his undertaking. Guerra v. State, 348 P.3d 423, 425 (Ariz. 2015). The requirement of physical harm for liability based on negligent undertaking was affirmed by the Arizona Supreme Court in Cal-Am Props., 509 P.3d at 391 (“We decline to extend § 324A's reach beyond what it expressly contemplates: liability for physical harm to the people or property that the services sought to protect.”). Here, Plaintiffs do not allege any physical harm. A duty to Plaintiffs thus does not arise based on a negligent performance of an undertaking as defined in the Restatement.
Further, public policy, through state and federal statutes, can be a source of duty. Cal-Am Props., 509 P.3d at 390. Plaintiffs rely on 15 U.S.C. § 45, which recites that “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45(a)(1). Plaintiffs then argue Defendant breached its duty by failing to provide fair computer systems and data security practices to safeguard Plaintiffs' PII. (Resp. at 11.) Yet, assuming 15 U.S.C. § 45 creates a duty, Plaintiffs do not allege any facts explaining how or why Defendant's data security practices were unfair or deceptive. Although Plaintiffs allege Defendant failed to comply with industry standards, Plaintiffs do not plead any industry standards.
Ultimately, Plaintiffs' broad characterization of Defendant's conduct as unfair or deceptive is conclusory. Therefore, even if 15 U.S.C. § 45 creates a duty, Plaintiffs fail to allege sufficient facts from which the Court could infer Defendant breached a duty.
Accordingly, Plaintiffs fail to plead facts sufficient to establish duty and breach in their negligence claim.
2. Damages
Defendant further argues Plaintiffs fail to allege sufficient damages. The Court disagrees as to Plaintiff Quinalty but agrees that Plaintiff Motta does not sufficiently plead damages.
Negligence damages must be actual and appreciable, non-speculative, and more than merely the threat of future harm. CDT, Inc. v. Addison, Roberts & Ludwig, 7 P.3d 979, 982-83 (Ariz.Ct.App. 2000). Plaintiff Motta alleges damages of time spent responding to the data breach, a diminution in the value of her PII, the likely theft of her PII, imminent and impending injury arising from the increased risk of identity theft and fraud, and emotional distress as a result of the breach. (Am. Compl. ¶ 81.)
Generally, lost time alone will not be cognizable as damages. Pruchnicki v. Envision Healthcare Corp., 439 F.Supp.3d 1226, 1233 (D. Nev. 2020) (“[T]he court finds that tangible, out-of-pocket expenses are required in order for lost time spent monitoring credit to be cognizable as damages.”); Plaintiffs v. MGM Resorts Int'l, 638 F.Supp.3d 1175, 1192 (D. Nev. 2022) (“Lost time alone does not establish compensable damages.”); Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 45 (D. Ariz. 2021). Here, Plaintiff Motta does not allege out-of-pocket expenses, or any other tangible harm that supplements her allegation of lost time. Therefore, Plaintiff Motta's allegation of lost time is insufficient to establish damages.
A plaintiff can establish the diminished value of PII as a cognizable injury if the plaintiff shows a “robust market” for the PII and that the plaintiff has been deprived of the ability to sell personal data on the market. Svenson v. Google Inc., No. 13-cv-04080-BLF, 2015 WL 1503429, at *5 (N.D. Cal. Apr. 1, 2015) (citing In re Facebook Privacy Litig., 572 Fed. App'x 494 (9th Cir. 2014)). Here, Plaintiffs allege stolen PII is one of the most valuable commodities on the “criminal information black market.” (Am. Compl. ¶ 90.) Plaintiff Motta, however, does not allege she can no longer sell her personal data on the market, nor does she allege she ever has, intends to, or intended to, sell her personal data. Further, Plaintiffs do not allege any market for their PII other than the “black market.” See Griffey, 562 F.Supp.3d at 46 (“This Court declines to recognize the ‘dark web' as a legitimate market by which individuals may sell their information.”). Therefore, Plaintiff Motta's allegation of diminished PII value is insufficient to establish damages.
Also, threats of future harm, such as the likely theft of PII, and imminent and impending injury arising from the increased risk of identity theft and fraud, are not cognizable harms on their own. Griffey, 562 F.Supp.3d at 46. Plaintiff Motta does not allege that her PII has been stolen, that her identity has been stolen, or that she has experienced identity fraud. Therefore, Plaintiff Motta's allegations that theft of her PII is likely, and that she is at an increased risk of identity theft and fraud, are insufficient to establish damages.
Concerning Plaintiff Motta's alleged emotional distress, Arizona applies the “zone of danger” test to determine whether damages for negligent infliction of emotional distress are proper. Rodriguez v. Fox News Network, L.L.C., 356 P.3d 322, 325 (Ariz.Ct.App. 2015). Such a claim requires the plaintiff to prove that he or she “witnessed an injury to a closely related person, suffered mental anguish manifested as physical injury, and was within the zone of danger so as to be subjected to an unreasonable risk of bodily harm created by the defendant.” Id. Plaintiff Motta does not allege any exposure to physical injury, or any risk of bodily harm created by Defendant. Therefore, Plaintiff Motta's allegation of emotional distress resulting from the data breach fails to establish damages.
Accordingly, the Court grants Defendant's Motion to Dismiss as to Plaintiff Quinalty's negligence claim because he fails to adequately allege duty and breach. The Court also grants Defendant's motion as to Plaintiff Motta's negligence claim because she fails to adequately allege duty and breach and further fails to adequately allege damages.
C. Unjust Enrichment
Next, Defendant argues Plaintiffs have not stated an unjust enrichment claim because the facts pled do not plausibly imply an unjust enrichment on Defendant's part or an impoverishment on their part. (MTD at 13.) Under Arizona law, “[u]njust enrichment occurs when one party has and retains money or benefits that in justice and equity belong to another.” Loiselle v. Cosas Mgmt. Group, LLC, 228 P.3d 943, 946 (Ariz.Ct.App. 2010). To plead an unjust enrichment claim, a party must allege: “(1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and the impoverishment, (4) the absence of justification for the enrichment and the impoverishment, and (5) the absence of a remedy provided at law.” Span v. Maricopa Cnty. Treasurer, 437 P.3d 881, 886 (Ariz.Ct.App. 2019).
Here, Plaintiffs allege they were impoverished because they received unreasonable data security from Defendant. (Am. Compl. ¶¶ 160-62.) Plaintiffs specifically argue the data security received was unreasonable because Defendant's security system was defeated by a phishing scam, credentials of one of Defendant's employees were available on the dark web, and Defendant had to rely on a third party to identify the breach. (Resp. at 14.) This is conclusory, however. Namely, allegations that Defendant's system was defeated by a phishing scam and that an employee's data was on the dark web only indicate that the data breach happened, not that the data security Plaintiffs received was unreasonable. Additionally, Plaintiffs' allegation that a third party notified Defendant of the breach establishes that a third party identified the breach before Defendant, but not that Defendant's security was unreasonable. Plaintiffs also allege Defendant failed to comply with industry standards, but do not indicate which industry standards were allegedly violated, or how Defendant failed to comply. See Feins v. Goldwater Bank NA, No. CV-22-00932-PHX-JJT, 2022 WL 17552440, at *7 (D. Ariz. Dec. 9, 2022).
Accordingly, Plaintiffs fail to adequately plead unjust enrichment because Plaintiffs' conclusory statements that they received unreasonable data security are insufficient to establish impoverishment. Therefore, Defendant's motion to dismiss is granted as to Plaintiffs' claim for unjust enrichment.
D. Arizona Consumer Fraud Act
Defendant further alleges Plaintiffs fail to establish a claim for violation of the Arizona Consumer Fraud Act, A.R.S. § 44-1521 et seq. (MTD 14-16.) To succeed on a claim of consumer fraud, a plaintiff must show “1) a false promise or misrepresentation made in connection with the sale or advertisement of ‘merchandise,' and 2) consequent and proximate injury resulting from the misrepresentation.” Watts v. Medicis Pharm. Corp., 365 P.3d 944, 953 (Ariz. 2016). “[T]he overwhelming authority in Arizona specifically requires proof of actual reliance.” Stratton v. Am. Med. Sec., Inc., 266 F.R.D. 340, 349 (D. Ariz. 2009).
Here, Plaintiffs allege they “relied on the affirmatively misrepresented and concealed facts and incurred damages as a consequent and proximate result.” (Am. Compl. ¶ 174.) Plaintiffs, however, fail to allege any facts indicating they were aware of Defendant's contracts, website, privacy policy, or advertising at the time they provided their PII to Defendant's clients. Therefore, the claim under the Arizona Consumer Fraud Act must fail.
IV. CONCLUSION
Plaintiff Quinalty and Plaintiff Motta have alleged sufficient injuries to establish standing on behalf of themselves but have failed to allege sufficient injuries to establish standing on behalf of the Class. Also, Plaintiffs fail to state facts that plausibly show independent claims for negligence, unjust enrichment, or violation of the Arizona Consumer Fraud Act. But if a defective complaint can be cured, a plaintiff is entitled to amend the complaint before it is dismissed. See Lopez v. Smith, 203 F.3d 1122, 1127-30 (9th Cir. 2000). Because it is possible that Plaintiffs could allege facts to adequately plead their claims or establish standing for the Class, the Court grants leave to file a Second Amended Complaint. See id. If any such amendment fails to cure the defects in Plaintiffs' claims, the Court will dismiss that portion of the Second Amended Complaint with prejudice.
IT IS THEREFORE ORDERED granting Defendant's Motion to Dismiss Plaintiffs' Amended Complaint (Doc. 27).
IT IS FURTHER ORDERED granting Plaintiffs leave to amend their complaint, should they wish to do so. Plaintiffs shall file any Second Amended Complaint no later than 21 days from the date of this Order.