Opinion
Index 511490/21
01-27-2021
LISA SIMMONS and KELLY PETERSON-SMALL, individually and on behalf of all others similarly situated, Plaintiffs, v. ASSISTCARE HOME HEALTH SERVICES LLC, d/b/a Preferred Home Care of New York/Preferred Gold, Defendant.
Unpublished Opinion
PRESENT: HON. LARRY D.MARTIN, Justice.
Larry Martin, Judge
The following e-filed papers read herein: NYSCEF Nos. Notice of Motion/Order to Show Cause/ Petition/Cross Motion and Affidavits (Affirmations) Annexed _ 16, 19-23 Opposing Affidavits (Affirmations).------------- ------ Affidavits/Affirmations In Reply ------ ---------------------------- Other Papers:.---------------------------- --------------------------- Upon the foregoing papers, defendant Assistcare Home Health Services LLC, d/b/a Preferred Home Care of New York/Preferred Gold moves for an order: (1) pursuant to CPLR 7503 (a), compelling plaintiff Kelly Peterson-Small to commence an arbitration proceeding before the American Arbitration Association for the disputes raised by her in this action; (2) upon compelling arbitration, staying the instant action, including the non- 2 arbitrable claims of plaintiff Lisa Simmons;: or (3) in the alternative, dismissing the complaint pursuant to CPLR 3211 (a) (I), (a) (5) and (a) (7). Plaintiffs commenced this putative class action to recover damages and for injunctive relief based upon a eyberattack against defendant's computer network which exposed the private and sensitive personal information maintained therein of plaintiffs and other putative class members. Defendant is a provider of home health aide services. Between October 2018 and November 2019, Simmons :served as a caregiver whose payroll, personnel and other records were administered by defendant. Peterson-Small was employed by defendant as an RN Coordinator from approximately 2016 until August 2019. In conjunction with their association and/or employment with defendant, plaintiffs were required to submit certain personal information, including dates of birth, social security numbers, bank account numbers and health information, which data was maintained on defendant's computer network. On September 9, 2019, following her termination from employment with defendant, Peterson-Small entered into a Confidential Separation and General Release Agreement (Separation Agreement) whereby Peterson-Small agreed to waive and release any and all claims she may have against defendant in exchange for separation benefits. Specifically, defendant was released from all claims that arose out of or were related to Peterson-Small's employment with defendant or the termination of Peterson-Small's employment including, but not limited to, all wrongful discharge claims, tprt claims, claims for breach of contract, common law claims and all claims for attorneys' fees and costs, arising in law or equity, whether known, suspected or unknown, and however 3 originating or existing, from the beginning of time to the date of the Separation Agreement's execution (September 9, 2019). The Separation Agreement further provided that any disputes thereunder shall be submitted to final and binding arbitration before the American Arbitration Association in New York. By letter dated March 10, 2021, plaintiffs were notified that on January 9, 2021.. defendant identified a disruption Within its computer network and learned that an unauthorized third-party had hacked the network and was able to access and acquire certain files on defendant's database between January 8, 2021 and January 10, 2021. Plaintiffs were notified that the type of information accessed varied depending on the individual, but may have included names, contacts and demographic information such as addresses, emails, phone numbers, dates of birth, financial information such as bank account numbers and Social Security numbers. In their complaint, filed on May 14, 2021, plaintiffs allege that the data breach was the result of defendant's failure to protect its network in accordance with Federal Trade Commission guidelines and industry standards. According to the complaint, Simmons believes that a claim for unemployment insurance benefits was fraudulently filed using her identity, forcing her to expend approximately four hours to address this fraudulent claim, including contacting the New York Department of Labor to dispute the claim. Simmons alleges that she has experienced a substantial increase in scam phone calls and emails, receiving approximately six seam phone calls and five scam emails each day, all of which appear to be placed with the intent to obtain personal information to commit identity theft by way of a social engineering attack. Peterson-Small alleges that she has 4 experienced multiple unauthorized and fraudulent charges to her TD Bank, debit card and, starting in February 2021, suffered fraudulent charges from Apple, PC Richard & Son, and Western Union. Peterson-Small also maintains that since January 2021, she similarly has experienced a substantial increase in scam phone calls and emails, In their complaint, plaintiffs set forth causes of action for negligence, breach of implied contract, violation of General Business Law [GBL] § 349 and breach of confidence. Defendant presently moves to compel Peterson-Small to submit her claims to arbitration in accordance with the Separation Agreement and to stay the action pending arbitration of, alternatively, for dismissal of the complaint pursuant to GPL 3211 (a) (1); (5) and (7). Arbitration is strongly favored under New York law (Matter of Nationwide Gen. Ins. Co. v Investors Ins, Co. of Am., 37 NY24 91, 95 [1975]). Any doubts as to whether an issue is arbitrable will be resolved in favor of arbitration (Matter of Smith Barney Shearson v Saeharow, 91 N.Y.2d 39, 49-50 [1997]). "It is. of course for the court in the first instance to determine whether parties have agreed to submit their disputes to arbitration and, if so, whether the disputes generally come within the scope of their arbitration agreement" (Sisters- of St. John the Baptist, Providence Rest Convent v Geraghty Constructor, 67 N.Y.2d 997, 999 [1986]). A "reasonable relationship" must exist between the subject matter of the dispute and the general subject matter of the agreement (Matter of Nationwide Gen. Iris. Co, v. Investors Ins. Co. of Am., 37N.Y.2d 91, 96 [1975]). The court's inquiry ends "where the requisite relationship is established 5 between the subject matter of the dispute and the subject matter of the underlying agreement to arbitrate" (Sisters of St. John the Baptist, Providence Rest Convent, 67 N.Y.2d at 999). Here, the Separation Agreement expressly covers only those claims arising from Peterson-Small's employment which accrued up to "the: date of the execution" of the agreement, or September 9, 2019. While Peterson-Small's provision of her personal information was made in conjunction with her employment, her claims against defendant did not arise until the security breach occurred in January 2021. Because plaintiffs' claims arose after the date of the execution of the Separation Agreement, they are outside the scope of the agreement and the mandatory arbitration provision is thus inapplicable. As a result, those parts of defendant's motion to compel arbitration and stay this action pending arbitration are denied. In considering a motion to dismiss a complaint pursuant to CPLR 3211 (a) (7), the court must accept the facts as alleged in the complaint as true, accord the plaintiff the benefit of every possible favorable inference, and determine only whether the facts as alleged fit within any cognizable legal theory (see Leon v Martinez, 84 N.Y.2d 83, 88 [1994]; Meyer v North Shore-Long Is. Jewish Health SYS., Inc., 137 A.D.3d 880, 880-881 [2d Dept 2016]; Cecal v. Leader, 74 A.D.3d 1180, 1181 [2dDept 2010]). The court "is not concerned with determinations of fact or the likelihood of success on the merits" (Deter v Acampora, 207 A.D.2d 477, 477 [2d Dept 1994]). "Whether a plaintiff can ultimately establish its allegations is not part of the calculus in determining a motion to dismiss" (EBCI, Inc. v Goldman Sachs & Co., 5 N.Y.3d 11, 19 [2005]). Although a complaint may 6 be inartfully drawn, illogical or even informal, it will be '"deemed to allege whatever cause of action can be implied from its statement by fair and reasonable intendment"' (Shields v School of Law, Hofstra Univ., 77A.D.2d 867, 868 [2d Dept 1980], quoting Lupinski v Village of llion, 59 A.D.2d 1050, 1050 [4th Dept 1977]). However, "allegations consisting of bare legal conclusions as well as factual claims flatly contradicted by documentary evidence are not entitled to arty such consideration" (Garter v Board of Trustees of State Univ. of NY, 38 A.D.3d 833, 834 [2d Dept 2007], quoting Haas v Cornell Univ., 94 N.Y.2d 87, 91 [1999]), CPLR 3013 provides that "[s]tatements in a pleading shall be sufficiently particular to give the court and parties notice of the transactions, occurrences, or series of transactions or occurrences, intended to be proved and the material elements of each cause of action or defense." Thus, conclusory allegations will not suffice (see DiMauro v Metropolitan Suburban Bus Authority, 105 A.D.2d 236, 239 [2d Deptl984]; Fowler v American Lawyer Media, Inc., 306 A.D.2d 113, 113 [1st Dept 2003]; Sharijf v. Murray, 33 A.D.3d 688 [2nd Dept 2006]). Dismissal under CPLR 3211 (a) (7) "is warranted if the plaintiff fails to assert facts in support of an element of the claim, or if the factual allegations and inferences to be drawn from them do not allow for an enforceable right of recovery" (Connaughton v Chipotle Mexican Grill, Inc., 29 N.Y.3d 137, 142 [2017]). A motion to dismiss a complaint pursuant to CPLR 3211 (a) (1) may be granted where the documentary evidence submitted by the moving party utterly refutes the factual allegations of the complaint and conclusively establishes a defense to the claims as a matter of law (see Goshen v Mutual Life Ins. Co. of N.Y., 98N.Y.2d 314, 326 [2002]). 7 Negligence The elements of negligence are "(1) a duty owed by the defendant to the plaintiff, (2) a breach thereof, and (3) injury proximately resulting therefrom" (Solomon v City of New York, 66 N.Y.2d 1026, 1027 [1985]). "The existence and scope of a duty of care is a question of law for the courts entailing the consideration of relevant policy factors" (Church v Callanan Indus., 99 N.Y.2d 104, 110-111 [2002]). Plaintiffs allege defendant had a duty of care to use reasonable means to secure: and safeguard its computer network, including a duty to implement processes by which it could detect a breach of its security systems in a reasonably expeditious period of time and to give prompt notice to those affected in the case of such breach. Plaintiffs also allege that defendant had a duty independent of any contractual relationship with plaintiffs to comply with statutory requirements and industry standards to safeguard the information. Plaintiffs further allege that defendant breached its duties by failing to employ reasonable measures to protect the information from disclosure, by failing to adopt, implement, arid maintain adequate security measures; failing to adequately monitor the security of their computer networks and systems; failing to periodically ensure that their network system had plans in place to maintain reasonable data security safeguards; failing to adequately train its employees to recognize and contain cyberattacks; allowing unauthorized access to the private information; failing to detect in a timely manner that the information had been compromised; failing to timely notify plaintiffs about the cyberattack regarding what type of private information had been compromised so that 8 they could take appropriate steps to mitigate the potential for identity theft and other damages; and failing to have mitigation and back-up plans in place in the event of a cyberattack and data breach, Plaintiffs also allege that they and other putative class members have suffered cognizable damages. In addition to loss of time and expenses associated with credit monitoring, plaintiffs allege that their personal information has a monetary value on the '"black market," and the exposure of their information on the black market was diminished as a result of the data breach. Based on the foregoing allegations, the court finds plaintiffs have stated a cause of action for negligence. Plaintiffs' negligence claim is not barred by the "economic loss rule” as they have alleged a special relationship with defendant, who was in the best: position to minimize the risk of exposure Of plaintiffs' personal information (cf 532 Madison Ave. Gourmet Foods v Finlandia Ctr., 96 N.Y.2d 280, 289 [2001]), and that defendant had a duty (based in statute and industry standards) independent of any separate contractual duty to employ the proper safeguards against exposure of plaintiffs' personal information (see Sackin v TransPerfect Global Inc., 278 F.Supp.3d 739, 750- 751 [SD NY 2017]). Breach of Implied Contract "An implied-in-fact contract requires the same elements as an express contract including, consideration, mutual assent, legal capacity, and legal subject matter. Like an express contract, an implied-in-fact contract requires a showing that there was a meeting, of the minds" (Smahaj v Retrieval-Masters Creditors Bur., Inc., 69 Misc.3d 597, 607 9 [Sup Ct, Westchester County 2020] [citations and internal quotation marks omitted). "A contract implied in fact may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the presumed intention of the parties as indicated by their conduct" (Jenizura v Jemzurd, 36 N.Y.2d 496, 503-504 [1975] [citations and internal quotation marks omitted]). In their complaint, plaintiffs allege that as a condition of plaintiffs:' employment with defendant and in consideration of plaintiffs' provision of home health services to defendant's clients, plaintiffs agreed to submit their personal, financial, and medical information which defendant implicitly promised to safeguard and protect, keep secure and confidential, and to timely and accurately notify plaintiffs if their data had been breached and compromised. Plaintiffs allege that defendant breached the implied contracts by failing to safeguard and protect private information and by failing to provide timely and accurate notice to them that the information was compromised as a result of the data breach. Affording these allegations a liberal construction, the court finds plaintiffs have sufficiently stated a cause of action for breach of implied contract (see Sackin, 278 F.Supp.3d at 750-751), GBL349 To state a cause of action to recover damages for a violation of GBL 349, the complaint must allege that '"a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice'" (Koch v Acker, Merrall & Condit Co., 18 N.Y.3d 940, 941 [2012], quoting City of New York v Smokes-Spirits.Com, Inc., 12 N.Y.3d 616, 621 [2009]; see Stutman v Chemical Bank, 95 N.Y.2d 24, 29 [2000]; Oswego Laborers' Local 10 214 Pension Fund v. Marine Midland Bank, 85 N.Y.2d 20, 25 [1995]. An act or practice is consumer-oriented when it has "a broader impact on consumers at large" (Oswego Laborers 'Local 214 Pension Fund, 85 N.Y.2d at 25-27; see New York Univ. v Continental Ins, Co., 87 N.Y.2d 308, 320 [1995]). Private contract disputes, unique to the parties, do not fall within the ambit of GBL 349 (see Oswego Laborers 'Local 214 Pension Fund, 85 N.Y.2d at 25; De Guaman v American Hope Group, 163 A.D.3d 915, 917 [2d Dept 2018]). "Nor does the consumer-oriented element depend on the use to be made of the product, as what matters: is whether the defendant's allegedly deceptive act or practice is directed to the: consuming public and the marketplace" (Himmelstein, McConnell, Gribben, Donoghne & Joseph, LLP v Matthew Bender & Co., Inc., 37 N.Y.3d 169, 177 [2021]). "In other words. General Business Law § 349 is focused on the seller's deception and its subsequent impact on consumer decision-making, not on the consumer's ultimate use of a product" (id.). There is no allegation that defendant's representations regarding the security of its database was directed at the consuming public, that the representations were made for the purpose Of inducing the public at large into consuming a product or service or that the representations affected consumer decision-making. The case cited by plaintiffs, Wallace v Health Quest Sys., Inc. (2021 WL 1109727 [SDNY, Mar. 23, 2021, No. 20-CV-545]), is distinguishable in that the plaintiffs therein were customers and patients of the defendant healthcare service and the statements regarding that defendant's privacy practices and data protection were contained in a notice of privacy practices posted on the defendant's website. Here, there is no allegation that statements regarding the security of 11 defendant's network were posted on its website or otherwise advertised or broadcast to the consuming public at large. Breach of Confidence Assuming New York recognizes a claim for breach of confidence against an employer which stores the sensitive personal information of its employees, the court finds plaintiffs have not alleged facts sufficient to state a cause of action since neither defendant: nor one acting in the scope of employment of defendant is alleged to have exposed plaintiffs' information. Rather, the exposure was the result of the criminal actions of a third party (see Doe v Guthrie Clinic, Ltd., 22 N.Y.3d 480, 484-485 [2014]). Accordingly, the court finds plaintiffs- have not sufficiently stated causes of action for violation of GBL 349 or for breach of confidence. Defendant has not otherwise demonstrated that documentary evidence conclusively establishes a complete defense to this action warranting dismissal under CPLR3211 (a) (1) or that grounds for dismissal under CPLR 3211 (a) (5) are applicable here. As a result, that part of defendant's motion to dismiss the complaint is granted only as to plaintiffs' causes of action under GBL 349 and breach of confidence and those causes of action are hereby dismissed. Defendant's motion is otherwise denied in all respects. The foregoing constitutes the decision and order of the court. 12