- 1 WO 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE DISTRICT OF ARIZONA 8 9 John Feins, No. CV-22-00932-PHX-JJT 10 Plaintiff, ORDER 11 v. 12 Goldwater Bank NA, 13 Defendant. 14 15 At issue is Defendant Goldwater Bank, N.A.’s Motion to Dismiss Plaintiff’s 16 Amended Complaint (Doc. 16, Mot.), to which Plaintiff John Feins filed a Response 17 (Doc. 20, Resp.) and Defendant filed a Reply (Doc. 21, Reply). At the Court’s request, the 18 parties also submitted supplemental briefs (Docs. 23, 24). No party requested oral 19 argument, and the Court will resolve the Motion without oral argument. LRCiv 7.2(f). 20 I. BACKGROUND 21 In the Amended Class Action Complaint for Damages, Injunctive, and Equitable 22 Relief (Doc. 15, Am. Compl.), Plaintiff alleges the following facts. Plaintiff—a citizen and 23 resident of New Mexico—was a customer of Defendant—an Arizona bank with its 24 principal office in Arizona. (Am. Compl. ¶¶ 17, 19, 24.) In May 2021, Defendant 25 experienced “an attempted ransomware attack” by hackers (“Data Breach”), and, around 26 November 2021, Defendant notified customers, including Plaintiff, who were potentially 27 affected by the incident. (Am. Compl. ¶¶ 30, 35.) Defendant acknowledged the 28 compromise of sensitive consumer information in the Data Breach. (Am. Compl. ¶ 31.) 1 Specifically, the hackers accessed information containing customers’ Personally 2 Identifiable Information (“PII”), including names, addresses, telephone numbers, Social 3 Security numbers, account numbers, and tax identification numbers. (Am. Compl. ¶ 33.) 4 After an investigation, Defendant reported that the Data Breach compromised the PII of 5 11,376 individuals. (Am. Compl. ¶ 38.) In the November 2021 notification letter, 6 Defendant offered twelve months of identity monitoring services to its customers. (Am. 7 Compl. ¶ 67.) 8 In December 2021, Wells Fargo Bank notified Plaintiff that a fraudulent account 9 was opened in his name, which Plaintiff links to the compromise of his PII in the Data 10 Breach suffered by Defendant. (Am. Compl. ¶ 89.) Plaintiff claims he has experienced an 11 increase in phishing attempts on his email, has spent considerable time on issues related to 12 the Data Breach, and anticipates spending more time and money to mitigate and address 13 harms caused by the Data Breach. (Am. Compl. ¶¶ 92–99.) 14 On behalf of himself and a putative nationwide class, Plaintiff now raises four state 15 law claims against Defendant as a result of the Data Breach: (1) negligence; (2) invasion 16 of privacy; (3) breach of implied contract; (4) unjust enrichment. (Am. Compl. ¶¶ 16, 100.) 17 Plaintiff also raises a fifth claim on behalf of a putative subclass of New Mexico plaintiffs: 18 violations of the New Mexico Unfair Trade Practices Act. (Am. Compl. ¶¶ 16, 100.) 19 Defendant has now filed a Motion to Dismiss for failure to state a claim under Federal Rule 20 of Civil Procedure 12(b)(6). 21 II. LEGAL STANDARD 22 Rule 12(b)(6) is designed to “test[] the legal sufficiency of a claim.” Navarro v. 23 Block, 250 F.3d 729, 732 (9th Cir. 2001). A dismissal under Rule 12(b)(6) for failure to 24 state a claim can be based on either: (1) the lack of a cognizable legal theory; or (2) the 25 absence of sufficient factual allegations to support a cognizable legal theory. Balistreri v. 26 Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1990). When analyzing a complaint for 27 failure to state a claim, the well-pled factual allegations are taken as true and construed in 28 the light most favorable to the nonmoving party. Cousins v. Lockyer, 568 F.3d 1063, 1067 1 (9th Cir. 2009). A plaintiff must allege “enough facts to state a claim to relief that is 2 plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has 3 facial plausibility when the plaintiff pleads factual content that allows the court to draw the 4 reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. 5 Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). “The plausibility 6 standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer 7 possibility that a defendant has acted unlawfully.” Id. 8 “While a complaint attacked by a Rule 12(b)(6) motion does not need detailed 9 factual allegations, a plaintiff’s obligation to provide the grounds of his entitlement to relief 10 requires more than labels and conclusions, and a formulaic recitation of the elements of a 11 cause of action will not do.” Twombly, 550 U.S. at 555 (cleaned up and citations omitted). 12 Legal conclusions couched as factual allegations are not entitled to the assumption of truth 13 and therefore are insufficient to defeat a motion to dismiss for failure to state a claim. Iqbal, 14 556 U.S. at 679–80. However, “a well-pleaded complaint may proceed even if it strikes a 15 savvy judge that actual proof of those facts is improbable, and that ‘recovery is very remote 16 and unlikely.’” Twombly, 550 U.S. at 556 (quoting Scheuer v. Rhodes, 416 U.S. 232, 236 17 (1974)). 18 III. ANALYSIS 19 A. Choice of Law 20 To begin with, in their initial briefs, both parties cited legal authority principally 21 from outside Arizona and neither party engaged in a choice of law analysis under Arizona 22 law. See Patton v. Cox, 276 F.3d 493, 495 (9th Cir. 2002) (stating that a federal court sitting 23 in diversity must apply the forum state’s choice of law rules to determine the controlling 24 substantive law). The starting point of any examination as to whether Plaintiff has stated a 25 claim is to determine (and support by way of sufficient analysis) the applicable substantive 26 state law—whether that is Arizona law, New Mexico law, or some other law—or show 27 there is no meaningful difference. The determination must be made through analysis on a 28 claim-by-claim basis, see Keene Corp. v. Ins. Co. of N. Am., 597 F. Supp. 934, 941 (D.D.C. 1 1984), and the parties cannot simply stipulate to the applicable state law without showing 2 it is the appropriate one under the applicable choice of law rules, see, e.g., Phillips 3 Petroleum Co. v. Shutts, 472 U.S. 797, 821 (1985). The Court therefore ordered a 4 supplemental brief from each party addressing the choice of law for each of Plaintiff’s 5 claims (Doc. 22), which the parties timely filed (Docs. 23, 24).1 6 With regard to Plaintiff’s tort claims for negligence and invasion of privacy, 7 “Arizona courts apply the principles of the Restatement (Second) of Conflict of Laws 8 [(“Restatement”)] to determine the controlling law for multistate torts.” Bates v. Super. Ct. 9 of Ariz., 749 P.2d 1367, 1369 (Ariz. 1988). Section 6 of the Restatement delineates the 10 following general factors to consider when choosing the applicable rule of law: 11 (a) the needs of the interstate and international systems, (b) the relevant policies of the forum, 12 (c) the relevant policies of other interested states and the relative interests of 13 those states in the determination of the particular issue, 14 (d) the protection of justified expectations, (e) the basic policies underlying the particular field of law, 15 (f) certainty, predictability and uniformity of result, and 16 (g) ease in the determination and application of the law to be applied. 17 Restatement § 6(2). 18 Restatement § 145 gives guidance for the application of the § 6 factors to tort claims. 19 Section 145 provides that courts are to resolve tort issues under the law of 20 the state having the most significant relationship to both the occurrence and the parties with respect to any particular question. Section 145(2) lists some 21 of the contacts which are to be considered in determining the choice of law 22 applicable to a given issue. Those especially relevant contacts include: 23 1 Plaintiff brings this case as a putative class action. As the Court noted in its prior Order 24 (Doc. 22), if this case proceeds to class certification, Plaintiff will then have the burden under Federal Rule of Civil Procedure 23 to conduct a choice of law analysis for each 25 surviving claim involving the home states of Defendant and all the class action Plaintiffs; in other words, Plaintiff will be required to show that common questions of law 26 predominate and “cannot meet this burden when the various laws have not been identified and compared.” Gariety v. Grant Thornton, LLP, 368 F.3d 356, 370 (4th Cir. 2004); see 27 also Cole v. Gen. Motors Corp., 484 F.3d 717, 725 (5th Cir. 2007) (finding that plaintiffs did not sufficiently demonstrate predominance where they argued that the applicable state 28 laws are “virtually the same” but failed to undertake the required “extensive analysis” of variations in state law). 1 1. The place where the injury occurred; 2 2. The place where the conduct causing the injury occurred; 3. The domicile, residence, nationality, place of incorporation and place of 3 business of the parties; 4 4. The place where the relationship, if any, between the parties is centered. Bates, 749 P.2d at 1370. 5 6 With regard to Plaintiff’s claims of breach of implied contract and unjust 7 enrichment, Arizona again looks to the Restatement to determine the controlling law in a 8 multi-state contract case. Swanson v. Image Bank, Inc., 77 P.3d 439, 441 (Ariz. 2003). 9 Section 188 of the Restatement provides, in relevant part: 10 (1) The rights and duties of the parties with respect to an issue in contract 11 are determined by the local law of the state which, with respect to that issue, has the most significant relationship to the transaction and the parties 12 under the principles stated in § 6. 13 (2) In the absence of an effective choice of law by the parties (see § 187), 14 the contacts to be taken into account in applying the principles of § 6 to determine the law applicable to an issue include: 15 16 (a) the place of contracting, (b) the place of negotiation of the contract, 17 (c) the place of performance, 18 (d) the location of the subject matter of the contract, and (e) the domicil, residence, nationality, place of incorporation and place 19 of business of the parties. 20 These contacts are to be evaluated according to their relative importance 21 with respect to the particular issue. 22 Restatement § 188. Comment e of § 188 notes that the place of contracting “is the place 23 where occurred the last act necessary . . . to give the contract binding effect,” and this, 24 standing alone, “is a relatively insignificant contact.” Id. cmt. e. However, the state where 25 the contract is to be performed “has an obvious interest in the nature of the performance.” 26 Id. 27 In considering the claim of a plaintiff from one state—here, New Mexico—and a 28 defendant from another—here, Arizona—the Court must first decide if there is a true 1 conflict between the law of the two states as applied to the plaintiff’s claim. See Waggoner 2 v. Snow, Becker, Kroll, Klaris & Krauss, 991 F.2d 1501, 1506 (9th Cir. 1993). If so, the 3 Court must apply the law of the state that has a significant contact or aggregation of 4 contacts to the particular claim. See Bates, 749 P.2d at 1370. 5 In his supplemental brief, Plaintiff contends that, although the parties have not 6 engaged in discovery yet and many facts remain to be uncovered, Arizona law likely 7 applies to his tort and contract-based claims, both because (1) a consideration of the factual 8 allegations in the Amended Complaint leads to the conclusion that Arizona has the most 9 significant relationship with the occurrence underlying the alleged torts and the transaction 10 underlying the alleged contract-based claims, and (2) in the absence of discovery 11 identifying the location of a data breach, courts have applied the law of the forum state in 12 data breach cases. (Doc. 23 at 1–4.) In reaching this conclusion, Plaintiff points to, among 13 others, the fact that because Defendant is located in Arizona, “the relevant data is likely 14 collected and stored in Arizona” and “decisions, policies, and promises relating to data 15 security were made there.” (Doc. 23 at 4.) 16 In its supplemental brief, Defendant takes the view that “there is no outcome 17 determinative difference and thus no conflict” between the laws of Arizona and New 18 Mexico. (Doc. 24 at 2.) The Court agrees with Defendant’s later clarification that there are 19 differences in the applicable laws of the two states—for example, with regard to the scope 20 of duty provided by the states’ law in a negligence claim.2 (Doc. 24 at 5.) But Defendant 21 contends that the differences do not matter to the Court’s resolution of Defendant’s motion 22 to dismiss. 23 The Court agrees with Plaintiff that, at this early stage, the allegations point to the 24 application of Arizona law to both Plaintiff’s tort and contract-based claims. The Court 25 will thus apply Arizona law to the extent possible, using out-of-state sources as persuasive 26 authority in the absence of on-point Arizona law. 27 2 The scope of duty element in a negligence claim is even more varied when taking into account the laws of all the states, as may be required in the formation of a class of 28 nationwide plaintiffs. Likewise, there are differences, from minor to significant, in the scope of damages that can be sought in a negligence claim among the different states. 1 B. Count One: Negligence 2 Aside from challenging Plaintiff’s damages allegations, which the Court will 3 address below, Defendant argues that Plaintiff fails to state a claim for negligence, focusing 4 on a contention that Plaintiff does not allege sufficient facts from which the Court can 5 plausibly infer proximate cause. (Mot. at 8.) Under Arizona law, “‘[t]o establish a claim 6 for negligence, a plaintiff must prove . . . : (1) a duty requiring the defendant to conform to 7 a certain standard of care; (2) a breach by the defendant of that standard; (3) a causal 8 connection between the defendant’s conduct and the resulting injury; and (4) actual 9 damages.’” Diaz v. Phoenix Lubrication Serv., Inc., 230 P.3d 718, 721 (Ariz. Ct. App. 10 2010) (quoting Gipson v. Kasey, 150 P.3d 228, 230 (Ariz. 2007)). “The proximate cause 11 of an injury is that which, in a natural and continuous sequence, unbroken by any efficient 12 intervening cause, produces an injury, and without which the injury would not have 13 occurred.” Robertson v. Sixpence Inns of Am., 789 P.2d 1040, 1047 (Ariz. 1990) (citations 14 omitted). Proximate cause may be found even where the defendant’s act or omission is not 15 the singular cause of injury. Wisener v. State, 598 P.2d 511, 513 (Ariz. 1979). 16 Plaintiff alleges that the Data Breach has a causal relationship with two incidents: 17 (1) a fraudulent account opened in his name at Well Fargo, and (2) an increase in phishing 18 attacks on his email account purporting to be Wells Fargo. (Reply at 6.) Plaintiff argues 19 that the fraudulent account was opened in his name seven months after the Data Breach, in 20 which his PII was taken from Defendant, so the Data Breach could have been the proximate 21 cause of the proceeding incidents. (Resp. at 10.) Defendant maintains that Plaintiff’s 22 allegations are mere speculation based on a purely temporal connection, which is 23 insufficient to show causation. (Reply at 6.) Defendant also contends that, in December 24 2021, Wells Fargo itself reported a data breach incident when Plaintiff was a customer 25 there.3 (Mot. at 9.) 26 27 3 The Court declines to take judicial notice of the California Office of the Attorney General’s database identifying Wells Fargo data breaches, as proffered by Defendant. 28 Thus, Defendant’s contention in its Motion regarding a data breach incident at Wells Fargo is a hypothetical argument at this stage. 1 Taking Plaintiff’s allegations as true for the purpose of resolving Defendant’s 2 Motion to Dismiss, the Court need only find it plausible that Plaintiff’s alleged injury was 3 proximately caused by the Data Breach. See Stollenwerk v. Tri-West Health Care Alliance, 4 254 Fed. App’x 664, 668 (9th Cir. 2007) (finding a causal relationship when hard drives 5 containing claimant’s personal information were stolen and an identity fraud incident 6 happened afterwards). Plaintiff’s factual allegations are sufficient for the Court plausibly 7 infer a connection between the Data Breach and Plaintiff’s alleged two incidents. 8 Accordingly, the Court will deny Defendant’s request to dismiss the negligence claim 9 (Count 1) based on insufficient allegations of proximate cause. 10 C. Count Two: Invasion of Privacy 11 Defendant next argues that Plaintiff cannot establish an invasion of privacy claim 12 because (1) Defendant did not disclose Plaintiff’s PII, but rather hackers stole it; and 13 (2) even if the Data Breach amounts to disclosure, such disclosure was not made public. 14 (Mot. at 9–10.) 15 To begin with, of the four classifications of the tort of invasion of privacy laid out 16 in the Restatement (Second) of Torts § 652, Plaintiff appears to allege the tort of intrusion 17 upon seclusion. Arizona recognizes such a cause of action against a party who 18 “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another 19 or his private affairs” and that intrusion “would be highly offensive to a reasonable person.” 20 Hart v. Seven Resorts Inc., 947 P.2d 846, 854 (Ariz. Ct. App. 1997) (citing Restatement 21 (2d) of Torts § 652B). Invasion of privacy contemplates a true invasion, such as “opening 22 [] private or personal mail, searching [a] safe or [] wallet, examining [a] private bank 23 account, or compelling [] by forged court order to permit an inspection of [] personal 24 documents.” Restatement (Second) of Torts § 652B cmt. b. 25 Plaintiff argues that, although Defendant has not shared details about the Data 26 Breach, it is plausible that Defendant disclosed Plaintiff’s PII by responding to a phishing 27 email. (Resp. at 12.) Plaintiff posits that responding to a phishing email amounts to an 28 intentional act of disclosure, which is sufficient for Plaintiff to seek damages for an 1 intrusion upon seclusion. (Resp. at 12.) Defendant counters that Plaintiff alleges a 2 ransomware attack caused the Data Breach, which does not amount to an active disclosure 3 by Defendant. (Reply at 7–8.) Defendant also contends that Plaintiff fails to allege any 4 facts to support the otherwise conclusory allegation that Plaintiff’s PII was intentionally 5 disclosed to the public.4 (Reply at 8.) 6 As Plaintiff argues, how a data breach occurs may be material in determining 7 whether a defendant intentionally disclosed private information. If a third-party hacked 8 into Defendant’s network to obtain Plaintiff’s PII, the hacker plausibly engaged in an 9 intrusion upon seclusion. But in that instance, Defendant did not intrude upon Plaintiff’s 10 private affairs by intentionally disclosing Plaintiff’s PII, and an invasion of privacy claim 11 fails. See, e.g., Purvis v. Aveanna Healthcare LLC, 563 F. Supp. 3d 1360, 1377 (N.D. Ga. 12 2021) (holding that a plaintiff failed to state an invasion of privacy claim by alleging a third 13 party carried out a data breach and the defendant “failed to take sufficient precautions to 14 prevent this intrusion”). By contrast, if a defendant took an action to intentionally leak a 15 plaintiff’s PII—an allegation not contained in the Amended Complaint—it is plausible 16 such action could amount to an intrusion upon the plaintiff’s seclusion by the defendant. 17 See, e.g., Curry v. Schletter Inc., 2018 WL 1472485, at *5 (W.D.N.C. Mar. 26, 2018). 18 The Court finds this case akin to Purvis, 563 F. Supp. 3d at 1377. Plaintiff in this 19 case, as in Purvis, does not allege non-conclusory facts showing Defendant intended any 20 PII disclosure; indeed, Plaintiff alleges that his PII “was contained, stored, and managed 21 electronically by [Defendant’s] records, computers, and databases that was intended to be 22 secured from unauthorized access to third-parties.” (Am. Compl. ¶ 131.) The “central 23 narrative” of Plaintiff’s allegations is that Defendant failed “to adequately secure and 24 safeguard” Plaintiff’s PII from hackers (Am. Compl. ¶ 133). Purvis, 563 F. Supp. 3d at 25 1377. This is not sufficient to show Defendant intentionally intruded upon Plaintiff’s 26 27 4 The intrusion upon seclusion classification of the tort of invasion of privacy does not 28 require that the personal information be widely published, as Defendant seems to argue, but rather that the information simply be disclosed to the public. 1 private affairs when, as Plaintiff alleges, Plaintiff’s PII was stolen. (E.g. Am. Compl. ¶ 36.) 2 As a result, the Court will dismiss Plaintiff’s invasion of privacy claim (Count 2). 3 D. Count Three: Breach of Implied Contract 4 Defendant next challenges Plaintiff’s breach of implied contract claim, arguing both 5 that the Amended Complaint contains no nonconclusory allegations regarding what the 6 supposed implied contract terms were and that, to the extent Plaintiff claims Defendant did 7 not comply with its own privacy policy, that policy is simply a promise to do what the law 8 requires and could not have created a separate implied agreement between Defendant and 9 Plaintiff. (Mot. at 12–14.) The Court agrees with both arguments. 10 Under Arizona law, “[t]he distinction between an express contract and one implied 11 in fact is that in the former the undertaking is made by words written or spoken, while in 12 the latter conduct rather than words conveys the necessary assent and undertakings.” 13 Barmat v. John & Jane Doe Partners A-D, 747 P.2d 1218, 1220 (Ariz. 1987) (quoting 1 14 A. Corbin, Corbin on Contracts § 18, at 43 (1963)). Aside from an agreement establishing 15 the relationship between the parties, one party may have a duty to the other under the 16 applicable law. For example, in relationships between professionals and their clients, “the 17 law imposes special duties to all within the foreseeable range of harm as a matter of public 18 policy, regardless of whether there is a contract, express or implied, and generally 19 regardless of what its covenants may be,” and “breaches of such duties are generally 20 recognized as torts.” Id. at 1221–22. That is, “the essential nature of actions to recover for 21 the breach of such duties is not one ‘arising out of contract.’” Id. at 1222. 22 Although no account application, express contract, or other document is identified 23 in the Amended Complaint, the Court can infer from the Amended Complaint that Plaintiff 24 signed a document establishing some business relationship with Defendant (and disclosed 25 his PII in the process). The document was the “mere inducement creating the state of things 26 [the relationship] that furnishes the occasion for the [alleged] tort,” id., that is, the alleged 27 breach of the duty to keep Plaintiff’s PII secure. Indeed, in his negligence claim, Plaintiff 28 alleges in multiple ways in the Amended Complaint that Defendant “had a duty under 1 common law to have procedures in place to detect and prevent the loss or unauthorized 2 dissemination of Plaintiffs’ and Class Members’ PII.” (Am. Compl. ¶ 114.) Beyond 3 implying the establishment of an account with Defendant and identifying Defendant’s 4 common law duties arising from the relationship, Plaintiff does not make any non- 5 conclusory factual allegations in the Amended Complaint as to conduct on the part of 6 Defendant that somehow established an implied in fact contract with Plaintiff, let alone 7 what the terms of that supposed additional contract were. Cf. Ariz. Bd. of Regents v. Ariz. 8 York Refrigeration Co. 565 P.2d 518, 521 (Ariz. 1977) (finding an implied in fact contract 9 was formed where, beyond an initial contract for repair of a steam boiler, an insurer 10 engaged in conduct authorizing and directing additional repairs to be made by the 11 contractor). 12 Relatedly, to the extent Plaintiff contends that Defendant breached some implied 13 contract by not complying with its own written policies, the allegations do not suffice to 14 show that any such non-compliance was beyond what was legally mandated. See In re 15 Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at 16 *3 (D. Ariz. Dec. 20, 2017) (concluding that because the privacy policy “could not be read 17 as a promise to do anything above and beyond what is required by law” and the defendant 18 “was already under a preexisting duty to protect [the plaintiff’s] information,” no implied 19 contract was formed). For these reasons, Plaintiff’s breach of implied contract claim (Count 20 3) fails, and the Court will dismiss it. 21 E. Count Four: Unjust Enrichment 22 Next, Defendant argues that Plaintiff has not stated an unjust enrichment claim 23 because the facts pled do not plausibly imply an unjust enrichment on Defendant’s part or 24 an impoverishment on his part. (Mot. at 14–15.) Under Arizona law, “[u]njust enrichment 25 occurs when one party has and retains money or benefits that in justice and equity belong 26 to another.” Loiselle v. Cosas Mgmt. Group, LLC, 228 P.3d 943, 946 (Ariz. Ct. App. 2010). 27 To plead an unjust enrichment claim, a party must allege: “(1) an enrichment, (2) an 28 impoverishment, (3) a connection between the enrichment and the impoverishment, (4) the 1 absence of justification for the enrichment and the impoverishment, and (5) the absence of 2 a remedy provided at law.” Span v. Maricopa Cnty. Treasurer, 437 P.3d 881, 886 (Ariz. 3 Ct. App. 2019). 4 Plaintiff alleges that the Data Breach shows Defendant employed inadequate 5 security and safeguards to protect Plaintiff’s PII. (Resp. at 16.) Because Plaintiff paid 6 Defendant money for its services and expected part of his payment to be for data protection, 7 Plaintiff asserts Defendant was unjustly enriched by failing to protect his data. (Resp. 8 at 16.) In its Motion, Defendant argues that Plaintiff’s claim errantly relies on the premise 9 that because the Data Breach occurred, Defendant’s data security services were inadequate. 10 (Mot. at 15.) In other words, aside from the fact that a Data Breach occurred, Defendant 11 contends the Complaint does not contain non-conclusory factual allegations to support the 12 conclusion that Defendant did not provide what it allegedly promised—measures to protect 13 customer data in accordance with industry standards—and without such allegations, 14 Plaintiff was not impoverished and Defendant was not unjustly enriched. (Mot. at 15.) 15 As alleged by Plaintiff, Defendant’s privacy policy provides that Defendant will 16 take “reasonable steps” to retain, safeguard and protect clients’ PII. (Am. Compl. ¶ 139.) 17 Other than the fact that the Data Breach occurred, Plaintiff does not allege any facts to 18 show that Defendant failed to take reasonable steps to protect PII, for example by alleging 19 Defendant either failed to have or follow a privacy policy. The Court agrees with Defendant 20 that a data security infrastructure in accordance with industry standards does not 21 completely preclude the possibility of a data breach, and conversely a data breach does not 22 by itself demonstrate an inadequate data security infrastructure. See Griffey v. Magellan 23 Health Inc., 562 F. Supp. 3d 34, 50 (D. Ariz. 2021) (“[T]he existence of an adequate data 24 security infrastructure and two data breaches in the same year are not mutually exclusive.”) 25 To the extent Defendant derived an enrichment for its privacy policy, it was not unjust 26 because it was subject to terms and conditions set forth in the service agreement. Plaintiff 27 thus fails to state a claim for unjust enrichment (Count 4) and the Court will dismiss it. 28 1 F. Count Five: New Mexico Unfair Trade Practices Act 2 Defendant also challenges Plaintiff’s claim under the New Mexico Unfair Trade 3 Practices Act (NMUPA) because, among other things, Plaintiff fails to allege 4 nonconclusory facts showing that Defendant’s representations in its privacy policy were 5 false. (Mot. at 16.) The relevant section of NMUPA prohibits unfair or deceptive trade 6 practices, including “any false or misleading oral or written statement, visual description 7 or other representation of any kind knowingly made in connection with the sale . . . of 8 goods or services or in the extension of credit . . . by any person in the regular course of 9 his trade or commerce, which may, tends to or does deceive or mislead any person.” 10 NMUPA § 57-12-2(D). 11 Plaintiff alleges that Defendant’s privacy policy was false and misleading because 12 the policy represented Defendant “would protect personal information from unauthorized 13 access, it used security measures that comply with federal law, it has implemented 14 safeguards and used secured files, and that it restricts access to PII to only those employees 15 who need to know such information.” (Resp. at 17 (citing Am. Compl. ¶ 161).) As the 16 Court discussed above, the Amended Complaint contains no non-conclusory allegations 17 regarding how any of those terms are false or misleading other than the fact that the Data 18 Breach occurred. As Defendant argues, the fact of a data breach is not sufficient by itself 19 to show that Defendant made false or misleading statements in its privacy policy. 20 See Griffey, 562 F. Supp. 3d at 50. Without more, the claim fails, and the Court will dismiss 21 Count 5. 22 G. Damages 23 The remaining question is whether Plaintiff has adequately alleged damages for its 24 sole remaining claim of negligence. Plaintiff raises at least two species of damages that 25 may apply to his negligence claim: out-of-pocket expenses associated with the prevention, 26 detection, and recovery from identity theft or other unauthorized use of PII (including 27 monitoring services); and diminished value of his PII. (Resp. at 4–8.) 28 1 As a basis for his negligence claim, Plaintiff alleges that as a result of the Data 2 Breach, he is experiencing an increased number of phishing emails and other fraudulent 3 activity on his personal accounts, requiring him to pay for credit monitoring services 4 beyond the one-year of service offered by Defendant. (E.g., Am. Compl. ¶ 67.) This 5 plausibly constitutes a cognizable injury by way of a reasonable expenditure for harm 6 Plaintiff allegedly suffered from the Data Breach and is thus an appropriate prayer for 7 damages arising from his negligence claim. See In re Banner Health Data Breach Litig., 8 2017 WL 673548, at *8 (“A person whose legally protected interests have been endangered 9 by the tortious conduct of another is entitled to recover for expenditures reasonably made 10 or harm suffered in a reasonable effort to avert the harm threatened.” (internal citation 11 omitted)). While uncertain future harm would be insufficient, see, e.g. Krottner v. 12 Starbucks Corp., 406 Fed. App’x 129, 131 (9th Cir. 2010) (applying analogous Washington 13 state law), Plaintiff pleads present damage with sufficient certainty. 14 Courts have also recognized the diminished value of PII as a cognizable injury 15 resulting from a data breach, as small as that value may be. In Svenson v. Google Inc., the 16 district court concluded the diminution of value in PII is a cognizable injury arising from a 17 data breach so long as the plaintiff shows there is a “robust market” for the PII and the 18 plaintiff has been deprived of the ability to sell personal data on the market. 2015 WL 19 1503429 (N.D. Cal. 2015) (citing In re Facebook Privacy Litig., 572 Fed. App’x 494 (9th 20 Cir. 2014)). Here, Plaintiff alleges there is a high demand on the market for PII that includes 21 Social Security numbers (Am. Compl. ¶ 61) and he has plausibly been deprived of the 22 ability to sell his personal data by the Data Breach. As a result, Plaintiff’s prayer for the 23 diminished value of his PII also survives Defendant’s Rule 12(b)(6) challenge. 24 H. No Leave to Amend 25 Because the Court finds the defects in Plaintiffs’ dismissed claims cannot be cured 26 by amendment when considering the context and thoroughness of Plaintiffs’ allegations in 27 the Amended Complaint, the Court will dismiss Counts 2 through 5 without leave to 28 amend. See Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000). 1 IT IS THEREFORE ORDERED granting in part and denying in part Defendant Goldwater Bank, N.A.’s Motion to Dismiss Plaintiff's Amended Complaint (Doc. 16). 3 || Counts 2 through 5 of Plaintiff's Amended Complaint (Doc. 15) are dismissed. 4 IT IS FURTHER ORDERED that Defendant shall file an Answer to Count | of 5 || the Amended Complaint (Doc. 15) within the time specified in the Federal Rules of Civil 6 || Procedure. The Court will set a case management conference by separate Order. 7 Dated this 9th day of December, 20272. CN 9 United State@District Judge 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 -15-
Document Info
Docket Number: 2:22-cv-00932
Filed Date: 12/9/2022
Precedential Status: Precedential
Modified Date: 6/19/2024