Opinion
MDL No. PWG-19-2879 This document relates to Case No.: PWG-18-3833
02-07-2020
BANK OF LOUISIANA, Individually and on Behalf of All Others Similarly Situated, Plaintiff, v. MARRIOTT INTERNATIONAL, INC., Defendant.
Andrew C White, Joseph Francis Murphy, Jr, Steven Donald Silverman, William Nelson Sinclair, Silverman Thompson Slutkin and White LLC, Baltimore, MD, Arthur Mahony Murray, Caroline T White, Stephen B Murray, Pro Hac Vice, Murray Law Firm, New Orleans, LA, Brian C Gudmundson, Bryce D Riddle, Pro Hac Vice, Michael J Laird, Zimmerman Reed LLP, Minneapolis, MN, Charles H Van Horn, Katherine M Silverman, Pro Hac Vice, Berman Fink Van Horn PC, Atlanta, GA, Christopher C Gold, Dorothy P Antullis, Stuart A Davidson, Pro Hac Vice, Robbins Geller Rudman and Dowd LLP, Boca Raton, FL, Stephen G. Grygiel, Grygiel Law, LLC, Baltimore, MD, for Plaintiff. Daniel R Warren, Lisa M Ghannoum, Pro Hac Vice, Gilbert S Keteltas, Baker and Hostetler LLP, Cleveland, OH, for Defendant.
Andrew C White, Joseph Francis Murphy, Jr, Steven Donald Silverman, William Nelson Sinclair, Silverman Thompson Slutkin and White LLC, Baltimore, MD, Arthur Mahony Murray, Caroline T White, Stephen B Murray, Pro Hac Vice, Murray Law Firm, New Orleans, LA, Brian C Gudmundson, Bryce D Riddle, Pro Hac Vice, Michael J Laird, Zimmerman Reed LLP, Minneapolis, MN, Charles H Van Horn, Katherine M Silverman, Pro Hac Vice, Berman Fink Van Horn PC, Atlanta, GA, Christopher C Gold, Dorothy P Antullis, Stuart A Davidson, Pro Hac Vice, Robbins Geller Rudman and Dowd LLP, Boca Raton, FL, Stephen G. Grygiel, Grygiel Law, LLC, Baltimore, MD, for Plaintiff.
Daniel R Warren, Lisa M Ghannoum, Pro Hac Vice, Gilbert S Keteltas, Baker and Hostetler LLP, Cleveland, OH, for Defendant.
Editor's Note: Redactions by court.
Paul W. Grimm, United States District Judge
Pending before me is a Multidistrict Litigation ("MDL") action against Marriott International, Inc. and related entities concerning a data breach incident. In re Marriott , No. PWG-19-2879. One of the Plaintiffs in the MDL is the Bank of Louisiana ("BOL"), which seeks relief for harm and injuries arising from a massive cyberattack against a Marriott entity, Starwood Hotels and Resorts. BOL asserts claims under the tort theories of negligence and negligence per se and seeks declaratory and injunctive relief under 28 U.S.C. § 2201. First Am. Compl. ¶¶ 95, 108, 120, 129, ECF No. 306.
Bank of Louisiana brings this action as the representative of a class and seeks certification pursuant to Fed. R. Civ. P. 23(a), (b)(2), (b)(3), and (c)(4). First Am. Compl. ¶ 98. For purposes of this opinion, I will refer to Bank of Louisiana singularly without reference to the entire class, unless otherwise indicated.
All citations are to the MDL, PWG-19-2879 unless otherwise indicated.
Before this Court is Marriott International, Inc.'s ("Marriott") motion to dismiss BOL's first amended complaint ("FAC"). Def.'s Mot. to Dismiss, ECF No. 358-1. Marriott argues that BOL does not have standing to sue, that BOL's negligence claim fails because the economic loss doctrine bars recovery, and that BOL's negligence per se claim fails because Louisiana law (which Marriott says is controlling) does not recognize negligence per se as a standalone claim. Lastly, Marriott argues that BOL's request for declaratory and injunctive relief does not state a separate claim but is merely a request for relief that only is available in connection with other prevailing causes of action. Therefore, Marriott asks that the claim requesting declaratory and injunctive relief be dismissed along with the first two counts. Def.'s Mot. to Dismiss, ii. The motion to dismiss the FAC is fully briefed, ECF Nos. 358-1, 419, 456, 463. A hearing is not necessary. See Loc. R. 105.6 (D. Md. 2018). For the reasons discussed below, BOL has alleged facts sufficient to establish injury and causation under the Article III standing requirements. Additionally, I agree with Marriott that Louisiana law controls, but I find that BOL's claim for negligence is not barred by Louisiana's version of the economic loss doctrine, and therefore, BOL's claim for declaratory and injunctive relief is not dismissed. However, BOL's claim under negligence per se is dismissed because Louisiana does not recognize it as a separate doctrine from negligence.
Factual Background
Marriott is the world's largest hotel chain, operating more than 7,000 properties across the United States and the globe, accounting for over 1.3 million hotel rooms worldwide. First Am. Compl. ¶¶ 1, 29. In 2016, Marriott acquired Starwood Hotels & Resorts Worldwide, LLC, and with that, Starwood's computer database ("database"), which is a repository of Starwood's guests' personal identifying information (including payment card numbers). Id. ¶¶ 30, 59. After acquisition, Marriott gained control over the database and began including information from guests who also stay at Marriott properties. Id. ¶¶ 31-32.
In November 2018, Marriott announced that it was the victim of a data breach of enormous proportions. Id. ¶ 16. Marriott was first alerted to suspicious activity within the Starwood database in September 2018. Id. ¶ 14. A forensic investigation revealed that hackers had obtained access to Starwood's database for over four years before Marriott discovered the invasion. Id. ¶ 45. Intruders gained access to the database and stole personal identifying information of hundreds of millions of customers including [Redacted] unique encrypted payment card numbers and [Redacted] unencrypted payment card numbers. Id. ¶¶ 13, 19. Marriott is alleged to have eliminated the vulnerabilities from the database by [Redacted]. Id. ¶ 14.
BOL is an FDIC-insured bank, whose principal (and based on the pleadings, the only) place of business is in Louisiana (with locations in the city of New Orleans and three parishes within the state). Id. ¶ 27. In December 2018, BOL received a Compromised Account Management System ("CAMS") alert, notifying it that some of the payment cards it issued to its customers could be at risk because of the Marriott data breach. Id. ¶ 95. BOL pleads that it was under both a legal and business obligation to immediately respond, causing it to incur costs to "cancel or reissue credit and debit cards," "refund or credit any cardholder to cover the cost of any unauthorized transaction relating to the Marriott Data Breach," and "increase fraud monitoring efforts." Id. ¶ 21. BOL argues that had Marriott had a reasonable data security program, it could have prevented the breach altogether or detected the hackers' presence much earlier. Id. ¶ 48. BOL brings this action because it argues that the injuries it incurred were directly and proximately caused by Marriott's negligently vulnerable database. Id. ¶¶ 13, 22
Standard of Review
To survive a motion to dismiss, a complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Specifically, BOL must establish "facial plausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). However, "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. But at this juncture, BOL is only obligated to plead its claims, not prove them. Therefore, I must accept the well-pleaded facts as alleged in BOL's complaint as true. See Aziz v. Alcolac , 658 F.3d 388, 390 (4th Cir. 2011). And, I must construe the factual allegations "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC , 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango , 743 F.2d 1060, 1062 (4th Cir. 1984) ).
Discussion
BOL asserts claims of negligence and negligence per se, and requests, as a separate count, declaratory and injunctive relief. Marriott moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(1), arguing that BOL lacks standing because it has not sufficiently alleged that it has suffered injury that was caused by Marriott. Def.'s Mot. to Dismiss 1. Marriott also moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(6), arguing that BOL has not stated a claim upon which relief can be granted because Louisiana's version of the economic loss doctrine prevents recovery under BOL's negligence claim, because Louisiana does not recognize the cause of action of negligence per se, and because declaratory and injunctive relief is not a stand-alone claim that can survive independently from some other viable claim. Id.
Plaintiffs Have Standing to Sue
To satisfy constitutional standing requirements, a plaintiff must have suffered an "injury in fact," that has a causal connection to the conduct complained of and can be "redressed by a favorable decision." Lujan v. Defenders of Wildlife , 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). Article III standing must be found to exist before a court may address the merits. Steel Co. v. Citizens for a Better Environment , 523 U.S. 83, 94, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998).
BOL received a Compromised Account Management System ("CAMS") alert warning that payment cards it had issued may have been compromised by hackers in the Marriott data breach and were at risk of being used for fraud. First Am. Compl. ¶ 96; Pl.'s Opp. 6, ECF No. 419; Pl.'s Surreply 1, ECF No. 463. Importantly, BOL has alleged (but just barely) that some of the cards covered by the CAMS alert were, in fact, used to make fraudulent charges. First Am. Compl ¶¶ 21, 27, 95, 96.
BOL alleges that it has suffered multiple types of harm in response to the data breach: reimbursement of fraudulent charges on debit and credit cards; costs associated with cancelling and reissuing debit and credit cards; operational expenses incurred from investigating efforts in response to the CAMS alert; and costs associated with increased fraud monitoring efforts. First Am. Compl. ¶¶ 21-22, 95-97. The latter three can be associated with attempting to prevent reasonably foreseeable future fraud, while the first is in direct response to actual fraudulent charges. Pl.'s Opp. 10.
Plaintiffs Have Alleged Plausible Injury in Fact
There are two types of harm that can satisfy Article III standing requirements; actual harm and threatened harm. Friends of the Earth, Inc. v. Gaston Copper Recycling Corp. , 204 F.3d 149, 160 (4th Cir. 2000) (en banc). Marriott argues that BOL has not alleged sufficient injury in fact to support Article III standing. Def.'s Mot. to Dismiss 5. Specifically, Marriott argues that BOL's allegations that it "chose to cancel and reissue payment cards after receiving a CAMS alert" was to "mitigate a perceived risk that fraud might occur in the future," as opposed to allegations that show BOL had incurred costs as a result of "threatened harm of future identity theft [that] was ‘certainly impending’ " as required by the Fourth Circuit. Beck v. McDonald , 848 F.3d 262, 275 (4th Cir. 2017) ; Id.
During discovery, BOL produced the CAMS alert to Marriott. Marriott now has new arguments concerning the factual propriety of BOL's allegations that it incurred injury due to fraudulent activity on its cards. Marriott also recognizes that a motion to dismiss is an inappropriate time to consider facts extrinsic to the complaint and asks the Court to "reserve resolution of the standing issue until focused fact discovery on standing is completed." Def.'s Reply 3, ECF No. 456. Given the factual parsimoniousness of BOL's allegations about the harm it has incurred (which it was in a position of being able to plead with far greater specificity, especially with respect to the cards it had issued that had incurred unauthorized or fraudulent activity and the reimbursements paid by BOL as a result), I share Marriott's concerns about whether BOL will be able to support its frugal allegations with concrete facts. But because I find that BOL's allegations are just sufficient enough to survive a motion to dismiss, I will not reserve my findings on standing, but instead will reconsider them when, inevitably, they are raised again by Marriott during summary judgment practice.
The Fourth Circuit has shed light on what type of injuries that arise out of data breaches are constitutionally sufficient to confer Article III standing on plaintiffs. Specifically, it has held that an alleged injury in an identity theft case is constitutionally sufficient under two recognized circumstances: through actual injury of identity theft or a threatened injury based on substantial risk of future identity theft that is sufficiently imminent (including the costs of protecting against the same). Beck , 848 F.3d at 275 ; Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc. , 892 F.3d 613, 622 (4th Cir. 2018).
The Fourth Circuit has addressed certain types of data breach injuries raised by the plaintiffs in the cases before them. But those cases do not constitute the universe of justiciable injuries that may occur in data breach cases. Other courts have recognized additional types of injuries that may be sufficient to establish actual or threatened harm in cases involving the unauthorized dissemination of plaintiff's data. See In re Facebook, Inc., Consumer Privacy User Profile Litig. , 402 F. Supp. 3d 767, 786-87 (N.D. Cal. 2019) (holding that plaintiffs had standing by alleging that they suffered a privacy invasion when Facebook made private information available to third parties who then developed dossiers on the plaintiffs); see also In re Adobe Sys., Inc. Privacy Litig. , 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014) (finding that plaintiffs were injured when they alleged they did not receive the benefit-of-the-bargain because had they known Adobe was not providing reasonable security, they would not have paid as much for Adobe products). But, for purposes of this opinion, analogizing the holdings of Hutton and Beck to alleged injuries other than those previously considered by the Fourth Circuit is unnecessary because BOL alleges very similar injuries to the plaintiffs in those cases.
BOL has alleged the first type of injury sufficiently because it asserts that it has suffered injury stemming from actual identity theft in the form of unauthorized credit card charges. Hutton , 892 F.3d at 622 (holding that plaintiffs had alleged sufficient injury because they "allege that they have already suffered actual harm in the form of identity theft and credit card fraud"); First Am. Compl. ¶¶ 21-22, 95-97.
BOL's allegations also sufficiently set forth an imminent future threat of fraudulent activity that put it far outside the insufficient standing allegations in Beck , (a stolen laptop containing patient medical records, but no allegations of actual or imminent identity theft) and more closely mirror the facts in Hutton . In Beck , an unknown actor stole a laptop containing pathology reports from a Veterans Administration Medical Center and the plaintiffs argued that their injury was the "increased risk of future identity theft." Beck , 848 F.3d at 274. The Fourth Circuit held that the plaintiff's theory of injury was too speculative because they had alleged neither "that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, ..., that the thief stole the laptop with the intent to steal their private information." Id. In Hutton , the Fourth Circuit held that the plaintiffs had sufficiently alleged imminent threat of injury because the plaintiffs alleged that "their data has been stolen, accessed, and used in a fraudulent manner." 892 F.3d at 622.
Here, BOL has alleged that the Starwood database was compromised with the specific intent to steal the payment card information because, unlike in Beck ,"[a]s a result of the Marriott Data Breach, payment card data was exposed to nefarious parties who were capable of and in some instances actually committed fraud," and that "[t]he hackers copied and stole [Redacted] unique encrypted payment card numbers." First Am. Compl. ¶ 19 (emphasis in original). See Beck , 848 F.3d at 274 (referencing a Sixth Circuit holding that where plaintiffs alleged "hackers broke into Nationwide's computer network and stole the personal information of Plaintiffs and 1.1 million others," the plaintiffs had established the data thief intentionally stole the personal information) (quoting Galaria v. Nationwide Mut. Ins. Co. , 663 Fed.Appx. 384, 386 (6th Cir. 2016) ).
Beck is further distinguished by the fact that "even after extensive discovery," there was no evidence that the stolen information had "been accessed or misused or that [the plaintiffs had] suffered identity theft." 848 F.3d at 274. This litigation is in its early stages, and I am bound by the facts as alleged as well as the reasonable inferences that may be drawn from them, both of which favor BOL. As alleged, the cyber thieves targeted payment card information and, even though some it may have been encrypted, some of it was not. The only reasonable inference to draw from this is that they did not do so out of idle curiosity, but rather to access the payment card information and commit fraud. This is confirmed by the alleged fact that payment card information actually has been accessed, and used in a fraudulent manner, and BOL has had to reimburse some of its customers for these unauthorized charges. First Am. Compl. ¶ 96. And, given the length of time that the hackers were free to roam the electronic corridors of Marriott's all too accommodating database, it is not at all speculative or hypothetical to infer that now that all that payment card information is out in cyberspace, there will be future efforts to commit additional fraud. It does not seem either farfetched or gratuitous for BOL to take proactive steps to stop this by cancelling and reissuing the cards identified in the CAMS report, as BOL alleged that it had. Therefore, BOL has alleged sufficient injury stemming from both actual identity fraud and costs associated with an imminent threat of future identity fraud.
Beck involved two groups of plaintiffs, the Beck plaintiffs who were at the Fourth Circuit on appeal from a motion for summary judgement, and the Watson plaintiffs who were at the Fourth Circuit on appeal from a motion to dismiss. 848 F.3d at 268. Although the court discussed the standing arguments of both groups, it's discussion of the Beck plaintiffs' standing arguments is more detailed. In the interest of brevity, I will limit my discussion to the facts relating to the Beck plaintiffs.
Plaintiff has Plausibly Linked its Injuries to Marriott
Marriott also argues that BOL has failed to allege that its injuries are fairly traceable to Marriott because "BOL does not allege any facts linking the fraudulent charges it allegedly reimbursed to the Marriott cyberattack." Def.'s Mot. to Dismiss 10.
Hutton is again instructive. 892 F.3d 613. In that case, optometrists brought suit against the National Board of Examiners in Optometry and alleged that unauthorized applications for fraudulent card accounts had been opened in their names using information they gave the Board years earlier. Id. at 623. Marriott is correct that Hutton is distinguishable because there, "the Plaintiffs allege that amongst the group of optometrists, the NBEO is the only common source that collected and continued to store social security numbers that were required to open a credit card account, and also stored outdated personal information ... during the relevant time periods." 892 F.3d at 623. Marriott argues that because BOL is also a plaintiff in the Equifax data breach litigation, and has alleged that its payment cards were implicated in that cyberattack as well, BOL must distinguish between the two attacks and eliminate the possibility that Equifax, not Marriott, was the cause of BOL's injury. Def.'s Mot. to Dismiss 10.
Bank of La., et al. v. Equifax, Inc. , No. ECF 1, ¶ 2 (N.D. Ga. Sept. 22, 2017).
However, as I have already said, BOL is not, at this stage in the proceedings, required to prove its damages, but merely to plead facts from which they seem plausible. Moreover, the "fairly traceable standard is not equivalent to a requirement of tort causation." Friends of the Earth, Inc. v. Gaston Copper Recycling Corp. , 204 F.3d 149, 161 (4th Cir. 2000) (internal quotation marks omitted). It must simply be plausible that the Marriott data breach was the cause of BOL's injury. Here, BOL has alleged as much. First Am. Compl. ¶ 96 (alleging that "Plaintiff received a CAMS alert from Visa informing it that cards it issued may have been compromised in the Marriott Data Breach").
Failure to State a Claim
As already noted, BOL brings this action against Marriott pursuant to two theories of liability, negligence and negligence per se, and asks, as a third count, for declaratory and injunctive relief. First Am. Compl. ¶¶ 108, 120. Defendants argue that Plaintiffs fail to state a claim under all three causes of action.
Choice of Law
Both parties agree that Maryland's choice of law rules apply to determine which state's substantive law governs BOL's claims. However, the parties disagree on which states' substantive law Maryland's choice of law rules require this Court to apply. BOL argues that Maryland law may apply because Marriott's negligent acts were committed in Maryland or, alternatively, Connecticut law may apply because Starwood's negligent acts were committed in Connecticut. Pl.'s Opp. 12. Marriott argues that Louisiana law applies because that is the state where the alleged injury to the plaintiff occurred. Def.'s Mot. to Dismiss 11. As a threshold matter, I must decide whether Maryland, Louisiana, or Connecticut law governs BOL's claims.
"In an action based upon diversity of citizenship, the relevant state law controls. The district court must apply the law of the forum state, including its choice of law rules." Limbach Co., LLC v. Zurich Am. Ins. Co. , 396 F.3d 358, 361 (4th Cir. 2005) (citing Erie R.R. Co. v. Tompkins , 304 U.S. 64, 78, 58 S.Ct. 817, 82 L.Ed. 1188 (1938) ). Because Maryland is the state where BOL initiated this action, Maryland is the forum state. In re Air Crash Disaster Near Chicago, Ill , 644 F.2d 594, 610 (7th Cir. 1981) ("[T]he choice-of-law rules to be used are those choice-of-law rules of the states where the actions were originally filed.); Compl. 1, ECF No. 1, in PWG-18-3833. Therefore, I look to Maryland law to determine what state law applies to the causes of actions asserted by BOL. Cremi v. Brown , 955 F. Supp. 499, 522 (D. Md. 1997) ("This Court is obligated to follow Maryland's choice of law rules in determining which jurisdiction's substantive law applies to the Bank's state law claims in this case for ... negligence.").
For tort claims, Maryland applies the lex loci delicti rule. Philip Morris, Inc. v. Angeletti , 358 Md. 689, 752 A.2d 200, 230 (2000). This rule dictates "that in a conflict of law situation ... ‘where the events giving rise to a tort action occur in more than one State, we apply the law of the State where the injury[,] the last event required to constitute the tort[,] occurred.’ " Erie Ins. Exch. v. Heffernan , 399 Md. 598, 925 A.2d 636, 648–49 (2007) (quoting Laboratory Corp. of America v. Hood , 395 Md. 608, 911 A.2d 841, 845 (2006) ). BOL has pleaded that its principal place of business is in the city of New Orleans, and that it has only five branches, located in Orleans, Jefferson, and St. Tammany Parishes. First Am. Compl. ¶ 27. Far from being a national or even regional banking presence, BOL's business is local, and entirely within Louisiana. Therefore, any loss it felt was in Louisiana. Id. Nevertheless, BOL argues that the place of the wrong, as opposed to the place where the loss was felt, is the place of injury and therefore, either Maryland or Connecticut substantive law should govern. I disagree.
As Fed. R. Evid. 201 allows, I take judicial notice of the fact that the State of Louisiana has 64 parishes, its equivalent of a county. 28 U.S.C. § 98 (1984) (dividing 64 parishes into three judicial districts). BOL has pleaded that it has branches in but three of them.
First, BOL argues that under Cremi , the law of the state where the wrong originated is the law that should apply here. 955 F. Supp. 499 ; Pl.'s Opp. 12. However, Cremi is distinguishable. In that case, Judge Kaufman of this Court acknowledged that "[i]t appears that Maryland courts have not yet specifically spoken as to the issue of where the ‘wrong’ occurs in cases of pecuniary injury resulting from fraud, negligent misrepresentation or commercial negligence, when the alleged wrongful act or omission occurred in one jurisdiction and the ‘loss’ by plaintiff in another jurisdiction." Id. at 522. This Court held that Maryland courts likely would decide that under lex loci delicti the injury was where the wrongful acts took place, as opposed to where injury was felt. Id. at 522–24. However, Judge Kaufman focused the analysis of the choice of law question in the context of the plaintiff's multi-state misrepresentation claims. Id. ; Hardwire LLC v. Goodyear Tire & Rubber Co , 360 F. Supp. 2d 728, 735 (D. Md. 2005) (summarizing the holding of Cremi as "in multi-state misrepresentation cases... the place of the wrong is the place where the alleged misrepresentations or other wrongful acts took place"). The justifications used by the court in Cremi do not apply here because BOL did not bring a multi-state misrepresentation claim.
Maryland's choice of law rules for negligence claims are settled. Maryland's choice of law rules dictate that for negligence claims, "[w]here the events giving rise to a tort action occur in more than one state, the court must apply ‘the law of the State where the injury—the last event required to constitute the tort—occurred.’ " Ben-Joseph v. Mt. Airy Auto Transporters, LLC , 529 F. Supp. 2d 604, 606 (D. Md. 2008) (quoting Laboratory Corp. of America v. Hood , 395 Md. 608, 911 A.2d 841, 845 (2006) ). Accord , Restatement (First) of Conflict of Laws § 377 (1934) ("The place of the wrong is in the state where the last event necessary to make an actor liable for an alleged tort takes place."). The defendant in Ben-Joseph made a similar argument to BOL's. There, the defendant argued that because the negligent car repair, which allegedly caused brake failure, took place in Maryland, that Maryland law should apply even though injury was felt in New Jersey during a car accident caused by the brake failure. Id. at 606. The court disagreed because "plaintiff's cause of action ... would not exist but for Mt. Airy's truck colliding with the Lincoln Town Car in which plaintiff was a passenger." Id. at 607. The same is true here. Marriott's negligence may have occurred in a state other than Louisiana, but BOL's claim would not exist without injury. Because its injury was felt in Louisiana, Louisiana law governs BOL's substantive claims for negligence and negligence per se.
As Judge Motz of this Court noted, "[T]he First Restatement of Conflict of laws, while of merely historical interest elsewhere, continues to provide guidance for the determination of lexi [sic] loci delicti questions in Maryland." Ben-Joseph , 529 F. Supp. 2d at 606 n.3 (citing Hood , 911 A.2d at 845 ).
BOL's second argument that law other than Louisiana's should apply to its substantive claims is that under Malinowski v. Lichter Group, LLC , 2015 WL 1129522 (D. Md. March 11, 2015), when "choice-of-law questions are complex and fact specific, courts typically apply Maryland law at the motion to dismiss stage." Pl.'s Opp. 12. This argument fails as well. First, the choice of law questions presented here are not as complex as those in Malinowski . There, the named plaintiffs were citizens of New York and Pennsylvania, so this Court reasoned that "the law of either of those states, or the law of any state in which a Plan participant is a citizen, may apply." 2015 WL 1129522, at *4. Further factual development was necessary to determine what state law should apply, so Judge Quarles held that the choice of law question "may be properly deferred until after the parties have engaged in discovery," and Maryland law was applied to resolve the pending motion to dismiss. Id. Here, however, there is no factual dispute as to where BOL incurred injury—Louisiana. Malinowski is further distinguished by the fact that both parties analyzed their claims under Maryland law in their briefing. Id. at *3. Courts applying Maryland's choice of law rules only use Maryland law to evaluate substantive law claims as a default when both parties only cite Maryland law in their briefing. See Fidelity & Guar. Life Ins. Co. v. United Advisory Grp., Inc. , 2014 WL 346630, at *4 (D. Md. Jan. 29, 2014) (applying Maryland law to the motion before the court and deferring the decision about what law governs substantive claims because the state of injury was not alleged and because both parties cite Maryland law in their briefs); see also Cremi , 955 F. Supp. at 521–22 (declining to apply the law of Mexico and Cayman Islands when it was not briefed). Here, Marriott has briefed Louisiana law as well as Maryland's. Therefore, Louisiana law applies to BOL's substantive claims.
BOL suggests that Connecticut law may apply to its claims, but it is not briefed. For this reason, and the reasons stated above, I also decline to apply Connecticut law. Fidelity & Guar. Life Ins. Co. v. United Advisory Grp., Inc. , 2014 WL 346630, at *4 n.19 (D. Md. Jan. 29, 2014) (declining to apply Illinois law even though one of the parties cited the elements of a breach of contract claim under Illinois law, because it was "without analysis").
Negligence; Economic Loss Rule
The economic loss rule is a doctrine in tort law that operates to preclude a plaintiff from recovering when the only damages alleged are economic, meaning that there was no injury to person or property. 8 Bus. & Com. Litig. Fed. Cts. § 89:7 (4th ed.). Marriott argues that because of this doctrine, BOL should be precluded from recovery. Def.'s Mot. to Dismiss 12. Neither party disputes that the injuries BOL seeks to recover are economic.
Louisiana does not employ the economic loss doctrine in the strict sense that it is applied in other states. Instead, Louisiana courts employ a "duty-risk" analysis. Plaintiffs that sue defendants for only economic damages must prove that there is an "ease of association between the rule of conduct, the risk of injury, and the loss sought to be recovered." PPG Industries, Inc. v. Bean Dredging , 447 So.2d 1058, 1061 (La. 1984). Louisiana judges must additionally "consider the particular case in the terms of the moral, social and economic values involved." Id. The aim of this approach is to prevent the "imposition of responsibility on the tortfeasor for such damages [that] could create liability ‘in an indeterminate amount for an indeterminate time to an indeterminate class,’ " by determining whether a defendant is liable to a plaintiff on a strictly case-by-case basis. Id. (quoting Ultramares Corp. v. Touche , 255 N.Y. 170, 174 N.E. 441, 444 (1931) ).
Several cases are instructive. In PPG Industries , a customer of a pipeline owner sued a dredging contractor to recover economic damages allegedly resulting from the contractor's negligent damage to the pipeline. Id. PPG sued because the pipeline owner could not deliver on their contract and therefore PPG had to obtain fuel from another supplier at an escalated price. On appeal from defendant Bean's successful no cause of action exception (a term of Louisiana civil procedure equivalent to a motion to dismiss for failure to state a claim upon which relief can be granted), the Supreme Court of Louisiana affirmed by establishing a duty-risk analysis and holding that "[i]t is highly unlikely that the moral, social and economic considerations underlying the imposition of a duty not to negligently injure property encompass the risk that a third party who has contracted with the owner of the injured property will thereby suffer an economic loss." Id. The court found it persuasive that PPG's "only interest in the pipeline damaged by the tortfeasor's negligence arose from a contract to purchase gas from the pipeline owner." Id. Lastly, the court reasoned that allowing PPG to recover would expose the negligent dredging contractor to indeterminate liability such as, for example, PPG employees who could recover for damages if they were laid off while PPG sought another source of fuel that it could not afford without layoffs. Id.
The Supreme Court of Louisiana more recently conducted the duty-risk analysis when an electric utility company brought a subrogation action to recover money it paid to reimburse its customers, who sustained physical damage to their electrical equipment, against a truck operator that negligently damaged a utility pole, resulting in a power surge that damaged the customer's electrical equipment. Cleco Corp. v. Johnson , 795 So.2d 302 (La. 2001). The court reversed a grant of no cause of action in favor of the truck driver, and remanded for further proceedings because "[a] trier of fact may find that there is an ease of association between a person who damages an electrical pole, causing a power surge and the damage to electrical equipment in the homes and businesses supplied with power by the damaged electrical pole." Id. at 306. The court reversed for two reasons. First, the court distinguished PPG Industries because "[t]here [was] ... no ‘indeterminate class’ " since Cleco specifically alleged "that it compensated one hundred eighty-seven customers." Id. at 306. Second, the court reversed because as alleged, "a trier of fact may conclude that it is foreseeable that [damage to electrical lines] could cause a power surge which would harm electrical customers' equipment." Id. at 307.
While Cleco Corp. is distinguishable from the case at bar because it involved recovery for physical damages rather than purely economic damages, it is helpful nonetheless because the court engaged in the same duty-risk analysis that it employs when a plaintiff seeks purely economic damages. 795 So.2d 302. Cleco Corp . suggests that the Louisiana Supreme Court likely would find that Marriott's alleged negligence in connection with the security features of its database was the direct cause of the fraudulent charges to the payment cards of BOL's customers, and that BOL's allegation that it reimbursed those customers for their losses established its right to recover in subrogation (at least for those reimbursements) for purposes of applying its duty-risk analysis. But the Louisiana Supreme Court's discussion in Cleco Corp . is not as clear a predictor of whether it would find, as it did in Cleco Corp ., that BOL's customers had a cause of action against Marriott in negligence to recover for the damages that BOL was subrogated to, since they did not involve physical damage to property, as was the case in Cleco Corp . and PPG Industries. As next will be seen, however, subsequent Louisiana Appellate Court decisions provide clearer guidance on that issue.
The third Louisiana case that is helpful here is one brought by crawfish processors and buyers against a pesticide marketer and sellers of rice seed, to recover economic damages incurred when they were unable to purchase crawfish from Louisiana crawfish farmers due to the pesticide nearly devastating the entire 1999 crawfish crop. Phillips v. G & H Seed Co. , 66 So.3d 507 (La. Ct. App. 2011). The Court of Appeal of Louisiana reversed and remanded a grant of summary judgment because the trial court had felt obligated by precedent to apply a per se proprietary interest rule instead of the duty-risk analysis. In doing so, the Court of Appeal announced a full-throated endorsement of the duty-risk analysis to determine whether a plaintiff can recover economic damages in a tort action. Phillips , 66 So.3d at 516. The court reasoned that under the duty-risk approach, the most important issue is "whether the defendant stands in any real relationship to the plaintiff as to create any legally recognized obligation of conduct for the plaintiff's benefit." Id. at 515 (citing W. Keeton, D. Dobbs, R. Keeton, and D. Owen, Prosser and Keeton on the Law of Torts 42 (5th ed. 1984)). The court also reasoned that recovery should be permitted when, among other factors, there is no risk of double compensation to the plaintiff because the plaintiff is unable to protect him or herself from the risk of economic harm through contract (such as insurance), indemnity, or by increasing the price of their goods. Id. (citing Frank L. Maraist & Thomas C. Galligan, Louisiana Tort Law , § 5.09 (1996)). The court concluded that under the duty-risk analysis, "recovery [is] available in certain circumstances for limited groups of people with a special interest in or relationship with the damaged property, whose damages were a particularly foreseeable result of the tortious conduct of the defendant." Id. at 516. It is this analysis that provides the greatest support for the viability of BOL's tort claims against Marriott for its allegedly negligent failure to protect the sensitive payment card information of BOL customers who sustained unauthorized charges to their BOL-issued payment cards, and for which BOL reimbursed them.
Here, BOL is attempting to recover economic damages stemming from the Marriott data breach. These damages were incurred because BOL issued some of the many credit and debit cards that were compromised due to Marriott's alleged negligent storage of the data containing those numbers. First Am. Compl. ¶¶ 21–22. As a result, BOL alleges, it was forced to reimburse cardholders for fraudulent activity, and incur costs to prevent cardholders from falling victim to such activity. First Am. Compl. ¶¶ 95-97.
BOL plausibly has alleged facts from which a reasonable trier of fact may find that there is an ease of association between a data collector, who, as Marriott did here, collects for its own economic advantage (on an explicit promise to securely maintain the data collected) payment card information, and negligently fails to protect the security of the data collected, resulting in economic loss to the payment card holder—and the issuer of the payment cards, who incurs damage when reimbursing its customers for unauthorized charges and takes further steps to mitigate the risk of foreseeable future payment card fraud. As alleged, the facts of this case most closely resemble those of Cleco Corp. and Phillips . Here, BOL had no ability to avoid a relationship with Marriott. It could not dictate to its customers where they could and could not use their payment cards. Moreover, given Marriott's collection of payment card information from its customers on its promise to maintain it securely, the economic damages incurred by those customers and BOL (contractually obligated to reimburse them for unauthorized charges on those payment cards) from its alleged negligence in failing to do so is a "particularly foreseeable result of the tortious conduct" of Marriott. Phillips , 66 So.3d at 516. First Am. Compl. ¶¶ 20-21, 52. The ease of association between the exposure of credit card information to cyber thieves and BOL's costs expended to mitigate credit card fraud is even less attenuated than the association in Phillips between the damaged crawfish and the crawfish buyers' economic loss because there, the crawfish buyers had no contract with the crawfish farmers. Here, BOL alleges it has a legal obligation to reimburse its customers for fraudulent charges and has a duty to its customers to expend reasonable efforts to protect them. First Am. Compl. ¶ 88.
Furthermore, the policy considerations for finding that Marriott could be held liable in tort to BOL are stronger than those in PPG Industries . As in Cleco Corp. , BOL is not requesting damages relating to an indeterminate number of payment cards. It seeks to recover for damages related to a specific number of bank cards that were identified in the CAMS report that allegedly were compromised by Marriott's negligence. Additionally, as alleged, BOL clearly is a foreseeable claimant with foreseeable injuries. Id. ¶¶ 84–86. Marriott was aware that its negligence in protecting consumers' payment card data would have direct consequences on banks such as BOL because consumers necessarily contract with banks in order to have credit and debit cards, the identifying particulars of which Marriott stored in its database. BOL also alleged its injury was foreseeable because the litigation over the serial data breaches that have occurred since 2013 widely exposed the consequences that financial institutions incur when consumers' financial data is exposed. Id. ¶ 66. Marriott even cites one such case in its briefing. Def.'s Mot. to Dismiss 10 (arguing that because BOL is a plaintiff in the Equifax litigation, Marriott cannot be alleged to be the cause of BOL's damages for purposes of standing).
There also are strong policy reasons why BOL should be able to sue Marriott in tort for its economic losses that directly and foreseeably resulted from its alleged negligence. Unlike in PPG Industries , where the plaintiff company could have contracted with the pipeline company for indemnification in the event that damage to the pipeline resulted in economic damages from the interruption of availability of natural gas, BOL could not forecast in advance all of the businesses where their customers might use their bank cards and enter into a contract of indemnification with them. With no ability to recover its unreimbursed losses in contract, and considering the "moral, social, and economic values involved, as well as ... the ideal of justice," there are legitimate policy reasons to hold Marriott accountable in tort. PPG Industries , 447 So.2d at 1061. As BOL points out, there are significant policy reasons to hold data collectors accountable for negligently managing consumers' financial data because as data breaches become more frequent and consumer dependence on online commercial transactions becomes increasingly ubiquitous, there must be incentives for data collectors to take appropriate measures to protect consumers' financial information. Pl.'s Opp. 13 n.3.
Therefore, as pleaded, it is plausible that a reasonable fact finder may find that under Louisiana's duty-risk analysis, BOL can recover in a negligence action against Marriott for its economic damages.
Negligence Per Se
BOL also asserted a cause of action against Marriott under the doctrine of negligence per se, which is common law doctrine that permits the plaintiff to prove negligence by showing that a defendant violated a statute that was designed to protect a class of persons, to which the plaintiff belongs, and that the plaintiff suffered the type of harm that the statute was designed to prevent. 14 Bus. & Com. Litig. Fed. Cts. § 151:51 (4th ed.). Here, BOL alleged that Marriott violated Section 5(s) of the FTC Act, 15 U.S.C. § 45, that BOL is a member of a class of plaintiffs that the statute was designed to protect, and that BOL suffered the type of harm that the statute was designed to prevent. First Am. Compl. ¶¶ 120–27.
Marriott argues that Louisiana does not recognize negligence per se as an independent cause of action. Def.'s Mot. to Dismiss 17. BOL agrees that if Louisiana law applies to its claims, a statutory violation may only act as prima facia evidence of negligence. Because, as discussed above, Louisiana law applies to BOL's substantive claims, and because Louisiana does not recognize negligence per se as a separate cause of action, this count is dismissed. Smolinski v. Taulli , 276 So.2d 286, 289 (La. 1973) ("While statutory violations are not in and of themselves definitive of civil liability, they may be guidelines for the court in determining standards of negligence by which civil liability is determined."); Ducote v. Boleware , 216 So.3d 934, 944 (La. App. 2016) ("Louisiana does not recognize the negligence per se doctrine.").
Both BOL and Marriott brief the issue of whether the FCT Act is appropriate to establish a duty upon Marriott to act reasonably, whether BOL is the type of plaintiff the law is intended to protect, and whether BOL has sustained injuries the law was intended to prevent. Since I am permitting the negligence claim to proceed, and since negligence per se is but one method of proving negligence, resolution of its appropriateness in this case is best deferred until after discovery has focused on the facts necessary to make finely tuned determinations of how negligence best may be proved.
Injunctive and Declaratory Relief
Marriott argues that count three, which seeks both declaratory and injunctive relief, should be dismissed because the availability of this relief flows from successfully establishing BOL's negligence and negligence per se claims, both of which Marriott sought to dismiss. Def.'s Mot. to Dismiss 18. Because as discussed above, BOL's negligence claim is not dismissed, Marriott's motion to dismiss this count is denied. Adle-Watts v. Roundpoint Mortg. Serv. Corp. , 2016 WL 3743054, at *7 (D. Md. July 13, 2016) (dismissing Adle-Watt's counts for declaratory and injunctive relief because she had "demonstrated no actionable claims for the wrongs she has alleged").
Conclusion
In sum, Marriott's motion to dismiss is denied, except as to the negligence per se claim. BOL has alleged enough facts to demonstrate that its injuries are sufficient for Article III standing, and those injuries are fairly traceable to Marriott. Additionally, BOL's claim for negligence is not barred by Louisiana's duty-risk analysis and therefore BOL's count requesting declaratory and injunctive relief is not dismissed. However, BOL's negligence per se count is dismissed because Louisiana does not recognize it as an independent cause of action.
ORDER
Accordingly, on this seventh of February, by the United States District Court for the District of Maryland, hereby ORDERED that the Defendant's motion to dismiss, ECF No. 358, is GRANTED in part and DENIED in part. Plaintiff's second count, negligence per se, is dismissed. I will issue a scheduling order and set in a telephone conference to discuss further pretrial proceedings.