Opinion
Civil Action 20-3383
06-22-2023
JENNIFER CLEMENS, Plaintiff, v. EXECUPHARM, INC., et al., Defendants.
MEMORANDUM
GERALD J. PAPPERT, J.
Jennifer Clemens, individually and on behalf of a purported class, sued ExecuPharm, Inc. and parent Parexel International Corporation over a data breach at ExecuPharm. Defendants move to dismiss the Complaint pursuant to Federal Rule of Civil Procedure 12(b)(6). For the reasons that follow, the Court grants Defendants' Motion with respect to Counts Two, Five, Six and all other claims against Parexel, and denies it with respect to Counts One, Three, Four and Seven against ExecuPharm. Clemens may amend her Complaint consistent with the accompanying Order.
I
A
i
Clemens worked at ExecuPharm from February to November of 2016 and provided the company “significant amounts of her personal and financial information” as a “condition of her employment.” (Compl. ¶¶ 56-57, 59, ECF 1.) She signed an employment agreement “[a]s a further condition of her employment.” (Id. at ¶ 58.) In it, ExecuPharm agreed to “take appropriate measures to protect the confidentiality and security of all personal information.” (Id.) Although Clemens left the company years prior, ExecuPharm retained her sensitive personal information until at least March 13, 2020. (Id. at ¶ 59.) On that date, ExecuPharm's server was hacked by the CLOP ransomware group. (Id. at ¶¶ 1, 11, 14, 31.) CLOP organized a successful email phishing scheme to obtain server access and encrypt data by installing malware. (Id. at ¶ 13.) It accessed thousands of individuals' sensitive information, including full names, home addresses, social security numbers, taxpayer IDs, credit card and bank information, beneficiary information and, in some cases, passport copies. (Id. at ¶¶ 12, 4.) It then demanded a ransom from ExecuPharm in exchange for data decryption tools and threatened to release the data if the ransom was not timely paid. (Id. at ¶ 13.)
On April 26, CLOP made at least some of the information it stole available for download on the “dark web.” (Id. at ¶¶ 2, 15, 29.) “[T]he download links contained nearly 123,000 files and 162 gigabytes of data, including nearly 19,000 files of correspondence involving ExecuPharm and Parexel; more than 80,600 e-mail correspondences; financial, accounting, user documents of ExecuPharm's employees and managers; and a complete backup file of ExecuPharm's document management system.” (Id. at ¶ 29.) Clemens alleges she learned in an email from ExecuPharm on March 20 that her information was accessed during CLOP's data breach and ExecuPharm “confirm[ed]” in an April 26 email “that her family's most sensitive personal and financial [information] was ‘shared on the dark web.'” (Id. at ¶¶ 60, 64.)
According to the Complaint, ExecuPharm's March 20 email stated: “Unfortunately, we now believe sensitive information has been accessed, including social security numbers, banking information (copy of a personal check for direct deposit), driver's license, date of birth, home address, spouse's name, beneficiary information (including social security numbers) and payroll tax forms (such as W-2 and W-4). For some employees, copies of passports also were accessed.” (Compl. ¶ 18.) The email appended a pdf of a March 18 letter to former employees, which explained to recipients “[i]f you are receiving this . . . we believe you may be among the group of former employees impacted by this incident.” (Id. at ¶ 16 (emphasis added).) ExecuPharm's April 26 email stated it had “become aware that the information accessed by the cyberattackers has been shared on the dark web”-it does not appear to have said anything about Clemens's or her family's data specifically. (Id. at ¶ 30.)
ii
After the breach, ExecuPharm offered free identity monitoring services for one year to all potentially affected current and former employees. (Id. at ¶¶ 24, 65.) Clemens took advantage of these services, but also purchased additional services for herself and her family at a cost of $39.99 per month. (Id. at ¶ 71.) Since the breach, Clemens “has spent significant time and effort reviewing her financial accounts, bank records, and credit reports for unauthorized activity and will continue to do so.” (Id. at ¶¶ 61, 67-69.) She has occasionally missed work in order to pursue mitigative measures. (Id. at ¶ 70.) Once, after she changed her family's bank account numbers, she was delayed from accessing her funds due to a mistake by the bank. (Id. at ¶ 69.)
Clemens also says she sought and paid for counseling to cope with stress and anxiety caused by the breach. (Id. at ¶ 72.) She believes that “[g]iven the highly-sensitive nature of the information stolen, the value of [her] [p]ersonal [i]nformation has been diminished and she remains at substantial and imminent risk of future harm.” (Id. at ¶¶ 73, 97.) But she does not allege she has experienced any identity theft or fraud. See generally (id.). According to Clemens, many breach victims “have already experienced significant harms . . . including, but not limited to, identity theft, financial fraud, tax fraud, medical and healthcare fraud, unauthorized financial accounts or lines of credit opened in their names, and fraudulent payment card purchases.” (Id. at ¶ 81.) Victims other than herself have also spent time, money and effort monitoring their accounts and protecting their information. (Id.)
B
Clemens sued ExecuPharm and Parexel on July 10, 2020 seeking relief individually and on behalf of a class of individuals whose personal information was compromised by the breach. (Id. at ¶ 100.) Her Complaint asserts claims of negligence (Count I), negligence per se (Count II), breach of implied contract (Count III) and breach of contract (Count IV) against both Defendants and breach of fiduciary duty (Count V) and breach of confidence (Count VI) against ExecuPharm. See generally (id. at ¶¶ 11656). It also seeks declaratory judgment that Defendants' existing data security measures fail to comply with their duties of care and an instruction that Defendants implement and maintain industry-standard data security measures moving forward. (Id. at ¶¶ 157-61.)
II
A
To avoid dismissal for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6), a complaint must contain facts sufficient to state a claim that is facially “plausible.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim has facial plausibility when the facts pleaded permit a court to make the reasonable inference that a defendant is liable for the alleged misconduct. Id. If the court can infer only the possibility of misconduct from the “well-pleaded” facts-those supported by sufficient factual content to make them facially plausible-the complaint has not shown the pleader is entitled to relief. Id. at 679 (quoting Fed.R.Civ.P. 8(a)(2)); Schuchardt v. President of the United States, 839 F.3d 336, 347 (3d Cir. 2016).
Determining plausibility is a “context-specific task” requiring a court to use its judicial “experience and common sense.” Schuchardt, 839 F.3d at 347 (quoting Iqbal, 556 U.S. at 675). The court disregards a complaint's legal conclusions, assumes well-pleaded facts are true and then determines whether those facts plausibly entitle the pleader to relief. Connelly v. Lane Constr. Corp., 809 F.3d 780, 787 (3d Cir. 2016); Schuchardt, 839 F.3d at 347. In doing so, the court construes well-pleaded facts in the light most favorable to the plaintiff and draws reasonable inferences from them. Connelly, 809 F.3d at 790.
B
Clemens alleges that her Employment Agreement with ExecuPharm controls the choice of law in this case. (Compl. ¶ 111-112.) Defendants argue that the provision cannot be binding on tort claims because (1) the Agreement expired when Clemens's employment ended and (2) the choice of law provision was narrow, precluding its application to tort claims. (Mot. 5.)
A federal court exercising diversity jurisdiction must apply the choice of law rules of the forum state. Kruzits v. Okuma Mach. Tool, Inc., 40 F.3d 52, 55 (3d Cir. 1994). In Pennsylvania, courts will “generally honor the intent of the contacting parties and enforce choice of law provisions in contracts executed by them.” Id. The parties agreed that the Employment Agreement “shall be governed by the laws of the Commonwealth of Pennsylvania” and that any action “pertaining to . . . Employee's employment” shall be brought exclusively in Pennsylvania state courts or this District. (Empl. Agreement 7, ECF 33-1.)
Clemens's claims clearly “pertain to” her employment, as ExecuPharm possessed her confidential information because she was an employee. The agreement that “any action brought under or pertaining to this Agreement . . . shall be brought exclusively in . . .” courts sitting in Pennsylvania is sufficiently broad as it embraces all aspects of the legal relationship. See, e.g., SKF USA Inc. v. Okkerse, 992 F.Supp.2d 432, 448 n.8 (E.D. Pa. 2014) (citing cases and finding a nearly identical provision sufficiently encompassed tort claims). Defendants argue that, once Clemens' employment ended, so too did their obligation to resolve disputes under Pennsylvania law. (Mot. 5.)
Courts “presume as a matter of contract interpretation that the parties did not intend a pivotal dispute resolution provision to terminate for all purposes upon the expiration of the agreement,” Littleton Fin. Printing Div., a Div. of Litton Bus. Sys., Inc. v. N.L.R.B., 501 U.S. 190, 208 (1991), and “neither termination nor cancellation affect [contractual] terms that relate to the settlement of disputes or choice of law of forum selection clauses.” Cottman Ave. PRP Grp. v. AMEC Foster Wheeler Envtl. Infrastructure Inc., 439 F.Supp.3d 407, 435 (E.D. Pa. 2020) (quoting 13 Corbin on Contracts § 67.2, at 12 (rev. ed. 2003)). This remains true “despite the absence of language expressly providing for the survival of these provisions.” Id. (quoting TriState HVAC Equip., LLC v. Big Belly Solar, Inc., 752 F.Supp.2d 517, 535 (E.D. Pa. 2010)). For these reasons, the Agreement's choice of law provision governs, and Clemens's claims will be analyzed under Pennsylvania law.
III
Clemens alleges four claims against Parexel: Negligence, Negligence per se, Breach of Implied Contract, and the request for declaratory judgment. Defendants argue that the corporate veil shields Parexel from any liability for ExecuPharm's actions. (Mot. 6-7). Clemens counters that the claims against Parexel are brought on behalf of the putative class of Plaintiffs who worked for Parexel when it negligently turned over their confidential information to ExecuPharm for storage. (Resp. 23-25, ECF 34.)
In her Response, Clemens concedes that she does not personally have a claim against Parexel. (Id. at 24.) Clemens is the only nominal plaintiff in this action. When “no nominal plaintiff has standing on any issue against one of multiple defendants, a suit for damages may not be maintained as a class action against that defendant.” Haas v. Pittsburgh Nat. Bank, 526 F.2d 1083, 1095 (3d Cir. 1975). Because Clemens herself has not stated a claim against Parexel and her alleged injuries are not “fairly traceable” to its conduct, she does not have standing to bring claims against it on behalf of a putative class to which she does not belong. See Rabin v. NASDAQ OMX PHLX, LLC, 182 F.Supp.3d 220, 229-230 (E.D. Pa. 2016). All claims alleged against Parexel are dismissed without prejudice.
IV
A
Defendants move to dismiss Clemens's negligence claim against ExecuPharm under Florida law. (Mot. 8). For the reasons discussed supra, Florida law does not apply. Defendants concede that Pennsylvania law recognizes a duty to “exercise reasonable care in collecting and storing [] personal and financial information on its computer systems.” Dittman v. UPMC, 196 A.3d 1036, 1056 (Pa. 2018); see (Mot. 8). In Dittman, defendants “undertook the collection and storage of [their employees'] requested sensitive personal data without implementing adequate security measures to protect against data breaches, including encrypting data properly, establishing adequate firewalls, and implementing adequate authentication protocol.” Dittman, 196 A.3d at 1048. Because the Pennsylvania Supreme Court found “criminal acts of third parties in executing the data breach” did not preclude the employer's liability, Clemens has adequately alleged a negligence claim against ExecuPharm. Id.
B
Clemens brings against ExecuPharm a separate count of negligence per se. (Compl. ¶¶ 129-135.) Negligence per se is the law's acknowledgement that “through an individual's violation of a statute or ordinance, it is possible to show that the individual breached his duty to behave as a reasonable person,” or negligent. McCloud v. McLaughlin, 837 A.2d 541, 545 (Pa. Super. Ct. 2002). As ExeuPharm correctly points out, under Pennsylvania law, negligence per se is a theory of negligence, not a standalone claim. See, e.g., Simmons v. Simpson House, Inc., 224 F.Supp.3d. 406, 1 (E.D. Pa. 2016); In Re Rutter's Inc. Data Security Breach Litigation, 511 F.Supp.3d 514, 531 (M.D. Pa. 2021) (collecting cases).
Because it is subsumed by Clemens's general negligence claim in Count I, Count II is dismissed without prejudice to Clemens's ability to employ a negligence per se theory to satisfy the duty and breach elements of general negligence. See In Re Rutters, 511 F.Supp.3d. at 532. The Court need not address the merits of that theory at this time.
C
Clemens alleges breach of implied and express contract in Counts III and IV against ExecuPharm, respectively.
1
Defendants argue that Count IV, breach of express contract, must be dismissed because the Employment Agreement terminated before the data breach occurred, relieving ExecuPharm of its obligation to “take appropriate measures to protect the confidentiality and security of all personal data.” (Mot. 18; Empl. Agreement.)
To support their argument, Defendants cite the “traditional principles” of contract law that “contractual obligations will cease, in the ordinary course, upon termination of [the] agreement” and that “courts should not construe ambiguous writings to create lifetime promises” reiterated in M&G Polymers USA, LLC v. Tackett. 574 U.S. 427, 441-42 (2015). Clemens argues that, because employees were bound to keep ExecuPharm's sensitive information secret after the life of the contract under the non-compete clause, “the only reasonable interpretation” of the data protection provision is that it too must extend beyond the life of the contract. (Resp. 17.) She argues that “because ExecuPharm elected to retain Plaintiff's personal information even after she left the company, it was obligated to keep her data confidential in accord with its contractual promise.” (Id.)
“The paramount goal of contract interpretation is to determine the intent of the parties.” Baldwin v. UPMC, 636 F.3d 69, 75 (3d Cir. 2011). At the motion to dismiss stage, the Court's interpretation of a contract as a matter of law is appropriate only when “the claims under which the plaintiff seeks relief are barred by the unambiguous terms of a contract attached to the pleading....” Jaskey Fin. & Leasing v. Display Data Corp., 564 F.Supp. 160, 163 (E.D. Pa. 1983). Unambiguous contracts are “capable of only one objectively reasonable interpretation,” Baldwin, 636 F.3d at 76.
The data protection provision of the Agreement does not have a defined duration, unlike the other provisions concerning confidentiality. In M&G Polymers, cited by ExecuPharm, the Supreme Court noted that “contracts that are silent as to their duration will ordinarily be treated . . . as operative for a reasonable time.” M&G Polymers, 574 U.S. at 441. District courts are “not permitted to go beyond the facts alleged in the Complaint and the documents on which the claims made therein were based” when ruling on a motion to dismiss. In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1424-25 (3d Cir. 1997). In light of the parties' argued interpretations and given that data protection provisions like this have “assumed a new prominence,” the Court cannot at this stage determine the parties' reasonable intent as a matter of law and denies the motion with respect to Count IV. Clemens v. ExecuPharm, Inc., 48 F.4th 146, 156 (3d Cir. 2022). 2
In Pennsylvania, a plaintiff may not maintain a claim for breach of implied contract where they also allege a written contract “governing the same subject matter.” Baer v. Chase, 392 F.3d 609, 616-17 (3d Cir. 2004). Clemens concedes this point and argues that Counts III and IV are alleged in the alternative, pursuant to Fed.R.Civ.P. 8(d). (Resp. 18.)
Under Pennsylvania law, “an implied contract arises when parties agree on the obligation to be incurred, but their intention, instead of being expressed in words, is inferred from the relationship between the parties and their conduct in light of the surrounding circumstances.” Giuliani v. Polysciences, Inc., 275 F.Supp.3d 564, 578 (E.D. Pa. 2017). Even if the data protection provision of the Agreement does not apply to these facts, ExecuPharm could have impliedly agreed that any use of data outside the employment period was to be similarly protected, in light of the relationship between the parties and their conduct. For now, Clemens has adequately stated a claim for breach of implied contract.
D
To state a claim for breach of fiduciary duty, a plaintiff must establish that the parties were in a fiduciary relationship. eToll, Inc. v. Elias/Savion Advertising, Inc., 811 A.2d 10, 22 (Pa. Super. Ct. 2002). An employer-employee relationship, without more, does not give rise to a fiduciary duty. See Wasseff v. NIH, No. 16-703, 2017 WL 495795, at *12 (E.D. Pa. Feb. 6, 2017) (quoting United States v. Kensington Hosp., 760 F.Supp. 1120, 1133 (E.D. Pa. 1991)).
Clemens notes that the sine qua non of a fiduciary relationship “is the relinquishment of property or valuable information to a party in a superior position or a position of trust.” (Resp. 19) (citing Yenchi v. Ameriprise Fin., Inc., 161 A.3d 811, 820 (Pa. 2017)). While true, the Pennsylvania Supreme Court has emphasized that such an agreement “cannot be reduced to a particular set of facts or circumstances.” Yenchi, 161 A.3d at 820. Because Clemens has failed to allege any circumstances that distinguish this relationship from any other employer-employee relationship and specifically refers to it as one of “employment,” her claims cannot survive the motion to dismiss. See (Compl. ¶¶ 147-151). Clemens can amend Count V to the extent she can allege facts to establish the necessary heightened relationship.
E
A breach of confidence is the “unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship.” Kamal v. J. Crew Grp., Inc., 918 F.3d 102, 114 (3d Cir. 2019). As with her breach of fiduciary duty claim, Clemens's allegations in Count VI focus solely on her relationship to ExecuPharm as its employee and do not separately allege a “confidential relationship.” See Kamal, 918 F.3d at 114; (Compl. ¶¶ 152-56).
The Pennsylvania Supreme Court has held that a “confidential relationship” exists when one party has “‘reposed a special confidence in . . . another to the extent that the parties do not deal with each other on equal terms.'” Harold ex rel. Harold v. McGann, 406 F.Supp.2d 562, 571 (E.D. Pa. 2005) (quoting In re Clark's Estate, 359 A.2d 777, 781 (Pa. 1976)). This occurs when there is an “overmastering dominance on one side, or weakness, dependence or justifiable trust, on the other.” Id. A business association may be the basis of a confidential relationship “only if one party surrenders substantial control over some portion of his affairs to the other.” Id. (quoting In re Scott's Estate, 316 A.3d 883, 886 (Pa. 1974)). Clemens has not stated a claim for breach of confidence because she does not allege a confidential relationship. She may amend Count VI to properly allege such a relationship, if possible.
F
Lastly, Clemens asserts a claim for relief under 28 U.S.C. § 2201 et. seq., the Declaratory Judgment Act. (Compl. ¶¶ 157-161). In a case of actual controversy within its jurisdiction, “any court of the United States . . . may declare the rights and other legal relations of any interested party seeking such declaration, whether further relief is or could be sought.” 28 U.S.C. § 2201(a). When entertaining a claim under the Declaratory Judgment Act, courts must consider: “(1) the likelihood that the declaration will resolve the uncertainty of obligation which gave rise to the controversy; (2) the convenience of the parties; (3) the public interest in a settlement of the uncertainty of obligation; and (4) the availability and relative convenience of other remedies.” Terra Nova Ins. Co. Ltd. v. 900 Bar. Inc., 887 F.2d 1213, 1224 (3d Cir. 1989).
Where there is “some overlap” between plaintiffs' declaratory judgment claim and other substantive claims, courts may refuse to dismiss the declaratory judgment claim if the plaintiffs' “remaining claims have not been fully developed . . . [and] the Court cannot fully evaluate the extent of the overlap to determine whether declaratory judgment would serve [any] useful purpose in clarifying the legal rights and relationships at issue.” Baker v. Deutschland GmbH, 240 F.Supp.3d 341, 350 (M.D.Pa. 2016) (citing Fleisher v. Fiber Composites, LLC, No. 12-1326, 2012 WL 5381381, at *12-13 (E.D. Pa. Nov. 2, 2012)).
Clemens seeks a declaration that the Defendants' existing security measures “do not comply with their obligations and duties of care” and an instruction that Defendants should implement and maintain industry-standard measures. See (Compl. ¶ 161). The requested declaration overlaps with the rest of Clemens's Complaint, and the viability of declaratory relief will depend on the outcome of Plaintiff's surviving substantive claims. See Orpis v. Sincera Reproductive Medicine, No. 21-3072, 2022 WL 1639417, at * 14 (E.D. Pa. May 24, 2022). Because those claims have not been fully developed, dismissal of Clemens's claims under the Declaratory Judgment Act at this stage would be premature.
An appropriate Order follows.