Summary
determining that similar allegations of overpayment under an MMPA claim did not confer standing
Summary of this case from K.A. ex rel. B.W. v. Children's Mercy Hosp.Opinion
Case No. 2:16-cv-04127-NKL
09-06-2016
ROBERT COX, on behalf of himself and all others similarly situated, Plaintiff, v. VALLEY HOPE ASSOCIATION, Defendant.
ORDER
Before the Court is Defendant Valley Hope Association's Motion to Dismiss [Doc. 14]. For the following reasons, the motion is granted.
I. Background
Defendant Valley Hope Association is a healthcare corporation that offers drug, alcohol, and addiction treatment services. In its capacity as a healthcare provider, Valley Hope maintains patient medical information, including sensitive information regarding a patient's treatment and identification. Valley Hope posts the following "Privacy and Confidentiality" notice on its website:
As a drug and alcohol treatment provider we are covered by two distinct federal laws that protect the privacy and confidentiality of information about your health, health care, and payment for services related to your health.
1. Confidentiality of Alcohol and Drug Abuse Patient Information (42 C.F.R. Part 2):[Doc. 1-2, pp. 3-4, ¶ 10].
42 C.F.R. Part 2 protects health information that identifies you as being a patient in a drug or alcohol program, or as having a drug or alcohol problem. This includes persons who have applied for, participated in, or received an interview, counseling, or any other service from a federally assisted alcohol or drug abuse program. This means that we may not acknowledge to a person outside of the program whether you are a current or former patient, nor can we disclose any information identifying you as an alcohol or drug abuser (except under certain conditions which are outlined in this notice).
2. Health Insurance Portability and Accountability Act (HIPAA) Privacy Regulations (45 C.F.R. Parts 160 and 164): HIPAA protects all health information which identifies an individual, not just drug and alcohol information.
On December 30, 2015, a laptop computer owned by Valley Hope was stolen from an employee's vehicle. The laptop contained private treatment and identification information for about 52,076 patients. While the laptop was secured with a password, the information stored on the device was not encrypted.
Two months afterwards, in February 2016, Valley Hope sent a letter to patients—including Plaintiff Robert Cox—informing them of the theft. Cox then filed suit in Missouri state court on March 17, 2016 on behalf of a putative class of similarly-situated individuals. His complaint asserts the following counts:
I. Violation of Missouri's Merchandising Practices Act (MMPA)
II. Breach of Fiduciary Duty
III. Breach of Contract
IV. Negligent Training, Hiring, and Supervision
V. Negligence
On April 28, 2016, Valley Hope removed this case to the Western District of Missouri. Valley Hope's present motion to dismiss followed.
II. Discussion
Valley Hope argues that Cox has not pled an injury for any of his claims. Therefore, Valley Hope contends, Cox has failed to state claims upon which relief can be granted, see Fed.R.Civ.P. 12(b)(6), and his suit must be dismissed in its entirety.
Cox's complaint identifies two ways he was injured by Valley Hope's actions. First, he alleges that the putative class "are at a heightened risk for future identity theft" as a consequence of the stolen laptop. [Doc. 1-2, p. 4, ¶ 16]. Second, Cox contends the class "paid more for medical record privacy protections than they otherwise would have, and . . . paid for medical record privacy protections that they did not receive." Id.
In his allegations made under Count IV, Cox further states that he has "suffered damages, including, without limitation, loss of privacy, confidentiality, embarrassment, humiliation, loss of income, [and] loss of enjoyment of life." [Doc. 1-2, p. 12, ¶ 54]. Yet Cox does not explain these allegations or mention them in his brief. He offers no facts suggesting that his privacy was actually invaded, that he actually suffered embarrassment or humiliation, or that he spent any money as a result of the laptop theft. Therefore, the Court finds that these alleged injuries are conclusory. To the extent Cox faces a future risk of these injuries occurring, such risk falls under Cox's first alleged injury—the "heightened risk for future identity theft."
While the parties' briefing discusses these alleged injuries for purposes of both damages and Article III standing, the Court will first address the latter issue because "Article III standing is a threshold question in every federal court case." United States v. One Lincoln Navigator 1998, 328 F.3d 1011, 1013 (8th Cir. 2003). To show standing, a plaintiff must allege "(1) an injury in fact, which is an invasion of a legally protected interest that is concrete, particularized, and either actual or imminent; (2) causation; and (3) redressability." Curry v. Regents of Univ. of Minnesota, 167 F.3d 420, 422 (8th Cir. 1999).
The Court must therefore determine whether either of the injuries alleged by Cox—his heightened risk of future identity theft or his overpayment for privacy protections—constitutes an injury-in-fact that confers Article III standing in this case.
A. Heightened Risk for Future Identity Theft
Cox first asserts he has been harmed by the theft of Valley Hope's laptop because there is a real and serious threat that his personal data will be misused. Whether this threat can be considered "imminent" under Article III, however, is a matter of degree: the United States Supreme Court has found that an injury is imminent only where it "is not too speculative" and "is certainly impending." Lujan v. Defenders of Wildlife, 504 U.S. 555, 564 n. 2 (1992). "Time and again the Supreme Court has reminded lower courts that speculation and conjecture are not injuries cognizable under Article III." Wallace v. ConAgra Foods, Inc., 747 F.3d 1025, 1031 (8th Cir. 2014) (citing Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1148 (2013)).
In Clapper, the Supreme Court further clarified the point where an injury becomes too speculative. The plaintiffs in that case—a collection of legal and human rights organizations—sought to challenge Section 702 of the Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. § 1881a, which allows the federal government to conduct surveillance on certain individuals outside of the United States. The plaintiffs argued that they could establish injury-in-fact; because they regularly communicated with colleagues and clients located abroad, some of whom were likely targets of surveillance, the statute forced them to implement burdensome security measures to protect the confidentiality of these communications. Id. at 1146.
The Supreme Court disagreed and held that the plaintiffs' alleged injury was not "certainly impending." Id. at 1148. Rather, according to the decision, this injury "relie[d] on a highly attenuated chain of possibilities:" it required an assumption that the government was surveilling the plaintiffs' communications, that this action was being conducted under the challenged statute, and that sensitive communications would actually be intercepted. The Supreme Court emphasized that these assumptions were not based on "specific facts" but instead "rest[ed] on speculation about the decisions of independent actors." Id.
The principles reinforced in Clapper are applicable to Cox's case. As in Clapper, Cox has claimed an injury—the risk of future identity theft—that is based solely on a speculative string of assumptions. For Cox to be the victim of identity theft, the person who stole the employee's laptop must be able to unlock it, or alternatively must convey the laptop to someone with the capacity to do so. The laptop must then be unlocked and searched for personal information, which must include information pertaining to Cox. This information must then be used for malicious purposes. Considering that these assumptions rest not on purported facts but on speculation about independent actors, i.e. not the defendant, the Court cannot say Cox faces a serious risk of harm such that his injury is "certainly impending."
In his complaint, Cox does not allege whether the laptop actually contained any of his information.
Nevertheless, Cox argues that there is a "recent trend" among district courts to grant Article III standing in data breach cases. [Doc. 25, p. 4] (quoting McLoughlin v. People's United Bank, Inc., 2009 WL 2843269, at *4 (D. Conn. Aug. 31, 2009)). Yet the cases he cites largely contain evidence or allegations that a breach actually occurred—that personal data was actually maliciously stolen or viewed. Cox's complaint only alleges that a laptop was stolen, and that this laptop in turn contained personal patient information. Nowhere in Cox's complaint or brief does he allege that Valley Hope's laptop was stolen for the purpose of obtaining this information or that the information was ever viewed.
See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1206 (N.D. Cal. 2014) ("[H]ackers reached the databases containing customers' personal information" and "then spent up to several weeks removing customer data."); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015) ("The plaintiffs allege that the hackers deliberately targeted [the defendant] in order to obtain their credit-card information."); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 966 (7th Cir. 2016) (plaintiffs alleged that personal information was actually accessed and some plaintiffs experienced fraud); In re Anthem, Inc. Data Breach Litig., 2016 WL 3029783, at *3 (N.D. Cal. May 27, 2016) ("[C]yberattackers . . . extract[ed] massive amounts of data from [the defendant's] database."); Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (plaintiffs were victims of a "sophisticated, intentional and malicious" intrusion); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 955 (S.D. Cal. 2014) ("[H]ackers accessed [the defendant's] Network . . . thereby stealing the Personal Information of millions of [the defendant's] customers, including Plaintiffs."); Moyer v. Michaels Stores, Inc., 2014 WL 3511500, at *5 (N.D. Ill. July 14, 2014) ("The allegation that [a putative class member] incurred fraudulent credit card charges makes this case analogous to cases where the Court found a sufficiently imminent risk of injury."); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142 (9th Cir. 2010) (finding an injury-in-fact "[o]n these facts," which included allegations that one of the plaintiffs' social security numbers was used to open a new account). Cox cites only one case containing no allegations of misuse or malicious intent: McLoughlin v. People's United Bank, Inc., 2009 WL 2843269 (D. Conn. Aug. 31, 2009). Yet McLoughlin relied on the Second Circuit's "permissive" standard for standing, id. at *4, that was criticized in Clapper. See Clapper, 133 S. Ct. at 1151.
Consequently, the increased risk of identity theft alleged by Cox does not provide him Article III standing.
B. Overpayment
Under his second basis for injury-in-fact, Cox asserts that the putative class "(1) paid more for privacy and confidentiality than they otherwise would have, and (2) paid for privacy protections that they did not receive." [Doc. 1-2, p. 9, ¶ 39]. "In this respect," Cox continues, "members of the Class have not received the benefit of their bargain." Id.
For purposes of Article III, "palpable economic injuries have long been recognized as sufficient to lay the basis for standing." Sierra Club v. Morton, 405 U.S. 727, 733-34 (1972). Accordingly, where a plaintiff alleges that he actually paid more for a product or service that he otherwise should have, or would have, this allegation may properly convey federal jurisdiction. See Gen. Motors Corp. v. Tracy, 519 U.S. 278, 286 (1997) (consumers who overpaid for gas due to discriminatory tax laws have Article III standing).
Nevertheless, some courts appear to categorically reject the theory that standing can be premised on an overpayment. See Veal v. Citrus World, Inc., 2013 WL 120761, at *4 (N.D. Ala. Jan. 8, 2013) ("Many courts have held that "benefit of the bargain" theories of injury like plaintiff's, where a plaintiff claims to have paid more for a product than the plaintiff would have paid had the plaintiff been fully informed (or that the plaintiff would not have purchased the product at all), do not confer standing."). For purposes of this order, however, the Court will assume that a consumer who overpays for a product or service, at least under certain circumstances, may satisfy Article III's standing requirement.
Yet the federal courts routinely deny standing where complaints contain broad, conclusory allegations of overpayment. See, e.g., Carlsen v. GameStop, Inc., 112 F. Supp. 3d 855, 862 (D. Minn. 2015) (no injury-in-fact where the "Plaintiff only allege[d] a general theory of overpayment"). Instead, "courts have required plaintiffs to allege something more than overpaying for a defective product." In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089, 1093 (N.D. Cal. 2013). Additional facts that offer "something more" include, for example, (1) allegations that the overpayment stemmed from the defendant's discrimination, deception, or misrepresentation, In re Simply Orange Juice Mktg. & Sales Practices Litig., 2013 WL 781785, at *4 (W.D. Mo. Mar. 1, 2013); (2) allegations that the plaintiff would not have purchased the product, if he knew the true price, Fleisher v. Phoenix Life Ins. Co., 997 F. Supp. 2d 230, 237 (S.D.N.Y. 2014); (3) allegations that establish a monetary difference between the value paid and the value obtained, Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1, 11-12 (D.D.C. 2015); and (4) allegations that the plaintiff expressly contracted to pay more money for a service he did not receive, In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588, at *5 (N.D. Ill. Sept. 3, 2013). Cox has offered no such allegation. He does not allege or argue that Valley Hope expressly charged him more for its security services, offered its core addiction treatment services at a cheaper price to customers who waived security protections, or that Cox would never have purchased any services from Hope Valley if he knew the true value of its security measures.
Under his MMPA claim, however, Cox argues that Valley Hope acted deceptively by "(1) representing to its patients that [Valley Hope] will not disclose patients' sensitive personal health information to an unauthorized third party or parties; (2) failing to implement security measures such as data encryption; and (3) failing to train personnel." [Doc. 1-2, pp. 8-9, ¶ 34]. Yet these allegations bear no causal relationship to Cox's purported overpayment. Cox's complaint does not contend that Valley Hope actually disclosed any sensitive information. The complaint also offers no allegation that Valley Hope made any representations about encrypting patient data or training personnel in a particular manner. Accordingly, Cox has not alleged he overpaid for Valley Hope's services based on a deceptive misrepresentation.
These pleading deficiencies cripple Cox's case. While the Eighth Circuit has not determined where an overpayment may confer Article III standing, district courts within the Eighth Circuit have emphasized, in line with the above cases, that a bare allegation of overpayment is insufficient to maintain standing on a data breach claim. Two recent decisions are illustrative. First, in In re SuperValu, Inc., 2016 WL 81792 (D. Minn. Jan. 7, 2016), hackers allegedly breached a payment-processing network operated by the defendants, all retail grocery store operators, and in the process gained access to the plaintiffs' confidential credit information. Because the defendants' security measures had been compromised, the plaintiffs argued they overpaid for their purchases and thus had been injured. The District Court for the District of Minnesota disagreed. It observed that "[t]his theory is consistently rejected in data breach cases where plaintiffs have not alleged that the value of the goods or services they purchased was diminished as a result of the data breach." Id. (citing cases). Therefore, because the "Plaintiffs [did] not allege that the Data Breach diminished the value of the groceries or other goods they purchased," they could not establish an injury-in-fact. Id.
Taking a similar approach, the District Court for the Eastern District of Missouri rejected an argument that customers had overpaid for the defendant's brokerage services due to a subsequent data breach. Duqum, 2016 WL 3683001, at *6. The Duqum court reached this conclusion after noting that:
Plaintiffs do not allege facts from which a plausible inference could be drawn that Plaintiffs received services from Defendant that were less valuable than those Plaintiffs bargained for. Although they allege in a conclusory fashion that a portion of the brokerage fees they paid to Defendant were for "data management and security," they do not allege any facts showing how any fee they paid was understood by both parties to be allocated toward the protection of customer data. Nor do Plaintiffs allege that the money they paid could have or would have bought a better policy with a more bullet-proof data-security regime.Id. at *7.
Viewed together, In re SuperValu and Duqum stand for the proposition that a party must allege they overpaid for something—either the core product or an ancillary security service—for which they had expressly bargained. In the present case, Cox offers no allegation that the core addiction treatment services he received from Valley Hope have been diminished as a result of the laptop theft. He also does not claim that he specifically paid for security protection. While Cox alleges that Valley Hope posted a notice on its website concerning its statutory privacy obligations, this notice, standing alone, does not form the basis of an Article III injury, in the absence of some showing that Cox overpaid for something he expressly bargained for.
As such, Cox has not established an injury-in-fact based on his overpayment theory.
Arguing otherwise, Cox cites a string of decisions from district courts in the Ninth Circuit, all of which found that allegations of overpayment may constitute an injury-in- fact. Yet the standard established by the Ninth Circuit does not support Article III standing in Cox's case. See Birdsong v. Apple, Inc., 590 F.3d 955 (9th Cir. 2009). In Birdsong, customers who had purchased electronic music devices—iPods—argued that they had overpaid for these devices because their audio features caused hearing loss, thus diminishing their true retail value. The Ninth Circuit determined that the customers lacked standing because they did not allege "that they were deprived of an agreed-upon benefit" or "that [the defendant] made any representations that iPod users could safely listen to music at high volumes for extended periods of time." Id. at 961. Later Ninth Circuit decisions have likewise required that the defendant deceived, misrepresented, or failed to provide an expressly-promised feature of its product. See, e.g., Maya v. Centex Corp., 658 F.3d 1060, 1069 (9th Cir. 2011) (finding an injury-in-fact where the defendants concealed and misrepresented information, causing plaintiffs to overpay for their homes).
Relying on these holdings, the district cases cited by Cox require an allegation of misrepresentation for an overpayment theory to suffice. See In re Google, Inc. Privacy Policy Litig., 2013 WL 6248499, at *8 (N.D. Cal. Dec. 3, 2013) (plaintiffs' claims of overpayment gave them Article III standing because they allegedly relied on the defendant's misrepresentations when purchasing the product); Goodman v. HTC Am., Inc., 2012 WL 2412070, at *5 (W.D. Wash. June 26, 2012) ("Plaintiffs' assertion that they overpaid for their smartphones meets the threshold for injury in fact because [Plaintiffs] allege they would have paid less for the phones had Defendants not misrepresented the relevant features of the phones."); In re Toyota Motor Corp. Unintended Acceleration Mktg., Sales Practices, & Products Liab. Litig., 754 F. Supp. 2d 1145, 1165 (C.D. Cal. 2010) (plaintiffs had standing because their vehicles did not operate as defendant had promised). The Court finds these decisions persuasive. As discussed above, Cox has not alleged that he overpaid for Valley Hope's services due to a purported misrepresentation.
Cox also cites In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) and Doe 1 v. AOL LLC, 719 F. Supp. 2d 1102 (N.D. Cal. 2010), but these cases did not address overpayment in their discussions of Article III standing. --------
Cox therefore lacks Article III standing to maintain his suit in federal court. This case must be remanded to Missouri state court, where Cox originally filed it. See Wallace v. ConAgra Foods, Inc., 747 F.3d 1025, 1033 (8th Cir. 2014) ("If . . . the case did not originate in federal court but was removed there by the defendants, the federal court must remand the case to the state court from whence it came [i]f at any time before final judgment it appears that the district court lacks subject matter jurisdiction.") (quoting 28 U.S.C. § 1447(c)) (internal quotation marks omitted).
III. Conclusion
For the foregoing reasons, Defendant Valley Hope's Motion to Dismiss [Doc. 14] for lack of subject matter jurisdiction is granted. This case is remanded to state court for all further proceedings.
s/ Nanette K. Laughrey
NANETTE K. LAUGHREY
United States District Judge Dated: September 6, 2016
Jefferson City, Missouri