Summary
In Holmes, several former customers of the Countrywide Financial Corporation filed suit due to the illegal disclosure of their personal financial information.
Summary of this case from Ind. Ins. Co. v. DemetreOpinion
CASE NO. 5:08-CV-00205-R
07-12-2012
MATTHEW HOLMES, et al. PLAINTIFFS v. COUNTRYWIDE FINANCIAL CORP., et al. DEFENDANTS
MEMORANDUM AND ORDER
Defendants Countrywide Financial Corporation, Countrywide Bank, FSB, Countrywide Home Loans, Inc., Bank of America Corporation, and Full Spectrum Lending Division (collectively "Countrywide" or "Defendants") have moved to dismiss the present action (DN 52). Plaintiffs Matthew and Danielle Holmes and John and Terra Stiers (collectively "Plaintiffs") have responded (DN 53) and Defendants have replied (DN 54). This matter is now ripe for adjudication. For the reasons that follow, Defendants' motion is GRANTED.
BACKGROUND
The present controversy involves the theft of sensitive personal and financial information from millions of Countrywide's customers. The theft prompted a series of class-action lawsuits followed by a class-action settlement, over which this Court presided. Plaintiffs were litigants within the original framework of the class-action lawsuit but opted out of the settlement. Instead, they continued with their individual action against Countrywide. After a substantial delay in the proceedings, Plaintiffs filed an amended complaint that disposed of their class-action allegations. DN 44. Plaintiffs' Second Amended Complaint ("SAC") followed, alleging claims of unjust enrichment, fraud, breach of contract, breach of the covenants of good faith and fair dealing, breach of state security notification laws, conspiracy, violations of the New Jersey and Kentucky consumer fraud laws, and violations of the Fair Credit Reporting Act. SAC, DN 50. Countrywide now moves to dismiss the SAC.
The material facts are not in dispute. In August of 2008, an FBI investigation uncovered a scheme, two years in the making, by Countrywide employee Renee L. Rebollo Jr. ("Rebollo") to download and steal confidential information from its customers. All told, Rebollo removed personal data on 2.4 million loan customers from Countrywide's computer database. The confidential information included customers' dates of birth, social security numbers, banking information, credit history, and employment information. Rebollo passed the data on to known and unknown third parties in exchange for payments of $70,000.
After learning of the security breach, Countrywide sent notification letters to individuals whose information was compromised ("Countrywide Letter"). The Countrywide Letter contained the following language:
We are writing to inform that we recently became aware that a Countrywide employee (now former) may have sold unauthorized personal information about you to a third party. Based on a joint investigation conducted by Countrywide and law enforcement authorities, it was determined that the customer information involved in this incident included your name, address, Social Security number, mortgage loan number, and various other loan application information.Countrywide Letter, DN 50-5 p. 2. The correspondence offered each recipient two years of free credit monitoring. Countrywide Letter, DN 50-5. Despite the breadth of Rebollo's deception, scant evidence exists demonstrating that either he or his compatriots misused the customers' information or engaged in any kind of financial fraud.
Matthew and Danielle Holmes (collectively "the Holmes"), residents of New Jersey, applied for and received a home loan and mortgage in October of 2007 through Mortgage Now, Inc. Their mortgage was transferred to Countrywide in November of 2007. SAC, DN 50 ¶ 63. In September of 2008, the Holmes received a letter from Beneficial Care of HSBC Auto Finance ("Beneficial Letter") informing them that a recent credit request for an automobile loan had been denied. Beneficial Letter, DN 50-4; SAC, DN 50 ¶ 69. The Holmes had not applied for a loan with HSBC Auto Finance. The next day, the Holmes received the Countrywide Letter informing them that their personal information had been compromised. In response to these two mailings, the Holmes purchased independent credit monitoring protection at the cost of $14.95 per month. SAC, DN 50 ¶ 83. In the SAC, they represent that the Beneficial Letter proves their confidential information was misappropriated.
In December of 2006, John and Terra Stiers (collectively "the Stiers") purchased a home in Richmond, Kentucky, with a mortgage that was eventually transferred to Countrywide. SAC, DN 50 ¶ 15. Shortly after they received the Countrywide Letter, the Stiers were bombarded with calls from telemarketers and direct mailings for educational loans and home refinancing. SAC, DN 50 ¶ 16. To curb these unwanted solicitations, the Stiers canceled their telephone service at a cost of $250 to $300. SAC, DN 50 ¶ 15. They also spent substantial time researching this case and the hazards of identity theft. SAC, DN 50 ¶ 15.
In January of 2009, the Holmes filed a putative class action complaint against Countrywide on their own behalf and those similarly situated. DN 1. Prior to the Holmes' action, similar lawsuits around the country were initiated against Countrywide. On December 2, 2008, the Judicial Panel on Multidistrict Litigation ("MDL") entered an order assigning all cases to this Court for coordinated or consolidated pretrial proceedings. On January 9, 2009, the Court ordered the Holmes' case to be joined with the other MDL cases pending against Countrywide.
On January 21, 2009, a proposed settlement for the MDL plaintiffs was submitted to the Court for review. On February 13, 2009, the Holmes filed an amended complaint, adding 22 new plaintiffs including the Stiers. DN 23. This faction led by the Holmes then lodged objections to the proposed settlement. On July 19, 2010, the Court granted class certification to the proposed settlement class. Many members of the Holmes' lawsuit accepted the settlement, but on June 24, 2010, the Holmes and the Stiers provided notice that they would opt out.
On February 24, 2012, Plaintiffs filed an amended complaint, eliminating the class-action allegation. The amended complaint was subsequently withdrawn and replaced by the SAC on March 2, 2012. This motion to dismiss followed.
STANDARD
"When considering a motion to dismiss pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure, the district court must accept all of the allegations in the complaint as true, and construe the complaint liberally in favor of the plaintiff." Lawrence v. Chancery Court of Tenn., 188 F.3d 687, 691 (6th Cir. 1999) (citing Miller v. Currie, 50 F.3d 373, 377 (6th Cir. 1995)).
To survive a Rule 12(b)(6) motion to dismiss, the complaint must include "only enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007); see also Ashcroft v. Iqbal, 129 S. Ct. 1937, 1950 (2009). The "[f]actual allegations in the complaint must be enough to raise a right to relief above the speculative level on the assumption that all the allegations in the complaint are true." Twombly, 550 U.S. at 555 (internal citation and quotation marks omitted). A plaintiff must allege sufficient factual allegations to give the defendant fair notice concerning the nature of the claim and the grounds upon which it rests. Id.
Furthermore, "a plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Id. A court is not bound to accept "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements." Iqbal, 129 S. Ct. at 1949.
DISCUSSION
Plaintiffs advance a variety of injuries resulting from Countrywide's actions. In the SAC, they assert their confidential information was sold to unknown individuals who may misuse it in the future. SAC, DN 50 ¶ 7. Plaintiffs further allege the security breach at Countrywide forced them to take measures to protect themselves from identity theft. SAC, DN 50 ¶ 14. The receipt of the Beneficial Letter prompted the Holmes to enroll in a credit monitoring service. SAC, DN 50 ¶ 14. The Stiers spent time researching identity theft and cancelled their telephone service after being inundated with calls from telemarketers. SAC, DN 50 ¶ 15. Plaintiffs propose numerous legal avenues to recover for these harms.
Countrywide moves to dismiss on two bases. First, Countrywide states that cases alleging risk of future identity theft routinely collapse under the weight of a Rule 12(b)(6) motion when the victims fail to present a loss arising from the defendants' misdeeds. The company likens this matter to unsuccessful identity theft cases, insisting Plaintiffs have not alleged a cognizable injury. Second, Countrywide attacks the individual theories of recovery contained within the SAC. Following a discussion of Article III standing, the Court divides its analysis accordingly.
I. Article III Standing
The digitization of personal information, along with increased internet usage, has dramatically increased the risks and frequency of identity theft. Prepare Statement of the Federal Trade Commission on Identity Theft Before the Subcomm. on Tech., Terrorism and Gov't Infor., 106th Cong. (2000) (statement of Jodie Bernstein, Director of Consumer Protection, Federal Trade Commission). The FTC has estimated that 5% of adults are affected by identity theft, resulting in annual losses to consumers of $53 billion. Reesa Benkoff, Developments in Banking and Financial Law: 2005, 25 Ann. Rev. Banking & Fin. L. 127, 130 (2006). With an ever increasing number of criminals engaging in identity theft, consumers have not been content to sit idly by when their personal information is mishandled. They have commenced scores of lawsuits to hold businesses and financial institutions accountable when their confidential information is jeopardized.
Risk-of-theft-of-identity cases are typically lodged against businesses maintaining customer information like credit card numbers, social security numbers, addresses, and dates of birth. The actions arise when these businesses misplace or lose large amounts of sensitive information through accident or during security breaches. See, e.g., Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) (customers brought suit against supermarket chain where hackers stole customer's financial information); Krottner v. Starbucks Corp. (Krottner II), 406 F. App'x 129 (9th Cir. 2010) (employees of coffee retailer brought suit when employer's laptop, containing employees' personal data, was stolen); Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 706-07 (S.D. Ohio 2007) (computer equipment from a mortgage loan service provider was stolen). The plaintiffs customarily seek to recover their expenditures on credit monitoring, credit and debit card cancellation fees, and repayment for unauthorized charges. E.g., Anderson, 659 F.3d at 151. The fulcrum upon which these decisions pivot is consistently whether the plaintiffs have expressed an injury sufficient to proceed past a motion to dismiss.
Many courts jettison these cases on Article III standing. Because an increased risk of identity theft involves a future injury, some jurisdictions find the plaintiffs have not suffered an "actual and imminent" injury as is constitutionally required. Instead, the courts conclude that the injury of identity theft may never come to pass and is therefore too speculative to satisfy constitutional standing. See, e.g., Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051-53 (E.D. Mo. 2009); Randolph v. ING Life Ins. and Annuity Co., 486 F. Supp. 2d 1, 7-8 (D.D.C. 2007); Bell v. Acxiom Corp., No. 4:06-CV-00485-WRW, 2006 WL 2850042, at *1-2 (E.D. Ark. Oct. 3, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684, 689-90 (S.D. Ohio 2006). Since federal courts are burdened with the "independent obligation to investigate and police the boundaries of their own jurisdiction," Douglas v. E.G. Baldwin & Assocs., Inc., 150 F.3d 604, 607 (6th Cir. 1998), abrogated on other grounds by Arbaugh v. Y & H Corp., 546 U.S. 500, 515-16 (2006), they repeatedly spurn attempts to recover for a "risk of identity theft."
The Sixth Circuit addressed Article III standing for risk of identity theft in Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008). There, a plaintiff brought suit when her personal information was posted on a municipality's website and then stolen by an identity thief. Id. at 435. She sought to recover sums for credit monitoring services to prevent further injury and future identity theft. Id. at 436. The Sixth Circuit confirmed that the increased risk of identity theft and the monitoring satisfied the requisite injury necessary for constitutional standing. Id. at 438. Other circuits have made similar decisions and permitted these cases to advance past the initial hurdle of constitutional standing. See Krottner II, 406 F. App'x 129, 130-31 (9th Cir. 2010); Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 633-34 (7th Cir. 2007).
With this precedent, the Court finds Plaintiffs' injuries satisfy Article III's requirement of an "actual and imminent injury." The Holmes maintain that following the Beneficial and Countrywide Letters they purchased credit monitoring services to ensure they would not be the targets of identity thieves. The Stiers expended sums when they had their telephone service changed as a result of increased solicitations. These damages are enough to establish the Court's jurisdiction. See Lambert, 517 F.3d at 433; Pisciotta, 499 F.3d at 634.
II. Allegations of injury
Even if Plaintiffs have constitutional standing, they may still have failed to describe a basis for relief. Courts confirming their constitutional jurisdiction in risk-of-identity-theft cases have gone on to dismiss the action because the injury was not recompensable under state law. See Krottner II, 406 F. App'x at 130-31 ("As an initial matter, our holding that Plaintiffs–Appellants pled an injury-in-fact for purposes of Article III standing does not establish that they adequately pled damages for purposes of their state-law claims."); Pisciotta, 499 F.3d at 634-40 (Seventh Circuit affirmed the court's jurisdiction over credit monitoring claim but dismissed the suit because of insufficient injury). Countrywide encourages the Court to follow suit and rule that neither Kentucky nor New Jersey law would recognize the alleged injuries.
Plaintiffs declare their damages are condoned by state law. The Holmes point to the monthly payments for credit monitoring to subvert future identity theft. SAC, DN 50 ¶ 83. They assert this measure was justified considering the Beneficial Letter's implications and Rebollo's elaborate scheme to hijack their information. SAC, DN 50 ¶ 83. The Holmes contend their injuries flow not just from credit monitoring payments but also from possible identity theft at some later date. As for the Stiers, the damages they incurred include their phone cancellation fees and the time spent researching the hazards of identity theft. SAC, DN ¶ 15. The Stiers profess that these expenditures of money and time are recoverable.
The dispositive inquiry is whether courts in Kentucky and New Jersey would authorize the following injuries: the risk of future identity theft, payments for credit monitoring, telephone cancellation charges, and time spent monitoring credit and financial accounts. Each is discussed separately below.
A. Risk of Future Identity Theft
It is an understatement to say that courts are skeptical of litigants' claims for risk of future identity theft. Many jurisdictions have refused to recognize the injury as a legitimate claim for relief. See, e.g., Pinero v. Jackson Hewitt Tax Service Inc., 594 F. Supp. 2d 710, 714-16 (E.D. La. 2009) (possibility that personal information was at increased risk did not constitute an actual injury); Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 913-14 (N.D. Cal. 2009) (risk of future identity theft did not rise to the level of harm necessary for negligence claim); Kahle, 486 F. Supp. 2d at 712-13 (where no evidence of actual identity theft existed, injury was purely speculative); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1020-21 (D. Minn. 2006) (plaintiff did not articulate a proper claim for negligence when the only injury was the anticipation of future injury). The animosity toward these types of lawsuits encompasses the most common scenarios where financial information is put at risk: instances where personal information is lost or misplaced through carelessness, e.g., Giordano v. Wachovia Securities, LLC, No. 06-CV-476-JBS, 2006 WL 2177036, at *5 (D.N.J. July 31, 2006) (personal information lost when package sent through the mail could not be accounted for), and instances where criminals penetrate a company's computer system and steal information, e.g., Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1049 (E.D. Mo. 2009) (hackers gained access to database and tried to extort money from company for safe return of customers' information).
A prime example of the aversion toward recovery for risk of future identity theft is contained in Pinero v. Jackson Hewitt Tax Service Inc. There, the plaintiff sued a tax preparation company for the mishandling of tax documents with sensitive information. 594 F. Supp. 2d at 713. The company explained that its customers' tax documents were stolen and then discarded in a public dumpster, where they were then found and turned over to a local television station. Id. The plaintiff brought suit under Louisiana law but was rebuffed by the district court. Id. at 715. Citing the absence of financial damages to the plaintiff, the district court concluded her claims of injury were overly speculative. Id. The ruling in Pinero tracks those in other states where allegations of future risk of identity theft are found wanting when courts measure the injury. See Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793, 798 n. 5 (M.D. La. 2007) (for theft-of-identity cases, "the injury accrues when the compromised data are actually used by a third party to steal someone's identity"); Forbes, 420 F. Supp. 2d at 1020 ("[T]hreat of future harm, not yet realized, will not satisfy the damage requirement.") (citation and quotation marks omitted).
Kentucky and New Jersey law preclude recovery for speculative or illusory damages. See Giordano, 2006 WL 2177036, at *4-5; Prozel & Steigman v. Int'l Fruit Distrib., 171 F. Supp. 196, 200 (D.N.J. 1959); Spencer v. Woods, 282 S.W.2d 851, 852 (Ky. 1955). Thus, an increased threat of an injury that may never materialize cannot satisfy the injury requirement for either of these states. Plaintiffs have not cited to a decision in any jurisdiction where a court allowed a suit to proceed past a Rule 12 motion when the only injury alleged was the increased risk of identity theft. Indeed, Plaintiffs expend most of their response emphasizing their payments to credit monitoring services and the telephone company.
The Court more thoroughly discusses the states' law on risk of future injury in the next section.
The unfavorable legal precedent from Kentucky, New Jersey, and other states prompts the Court to reject a naked claim of increased risk of identity theft. Plaintiffs must offer additional damages for a cognizable injury under either state's law.
B. Credit Monitoring Services
Plaintiffs stake much of their response on the Holmes' payments for credit monitoring. Repeatedly, they argue the expenditures constitute an actual injury and a reasonable step to mitigate the exposure to potential identity theft. Countrywide asserts that prophylactic payments, such as those for credit monitoring, are not recoverable under Kentucky and New Jersey law.
The disfavor for injuries related to risk of identity theft bleeds over to thwart most attempts to recover payments for credit monitoring. An example of this proposition is Krottner v. Starbucks Corp. (Krottner I), No. 09-CV-0216-RAJ, 2009 WL 7382290, at *1 (W.D. Wash. Aug. 14, 2009) aff'd by 406 F. App'x 129 (9th Cir. 2010). There, a laptop containing the personal financial information for the employees of coffee retailer Starbucks was stolen. Id. Three plaintiff-employees filed a class-action complaint against Starbucks for failure to secure their private information. Id. at *1-2. Even though several employees had expended sums on credit monitoring services, the district court granted summary judgment in favor of Starbucks because Washington state law did not "recognize a cause of action or remedy in which the sole injury is an increased risk of a future harm (whether or not accompanied by monitoring costs)." Id. at *7. The Ninth Circuit affirmed the decision. See Krottner II, 406 F. App'x at 131.
Krottner I is not an outlier. Construing the reach of state law and the requirement to show a compensable injury, case after case has discarded claims by litigants to collect damages for the electronic monitoring of their financial accounts and credit history. See, e.g., Hammond v. The Bank of New York Mellon Corp., No. 08-CV-6060-RMB, 2010 WL 2643307, at *13 (S.D.N.Y. June 25, 2010) (plaintiff did not allege sufficient injury under New York law for standing even where he had paid for credit monitoring); Shafran v. Harley-Davidson, Inc., No. 07-CV-01365-GBD, 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) ("Courts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy."); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273, 277 (S.D.N.Y. 2008) (attempt to create fund for credit monitoring for potential identity theft victims after the one-year monitoring services lapsed not recognized an injury); Ponder, 522 F. Supp. 2d at 795 (dismissing claims for the cost of past credit monitoring because such damages were speculative); Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006) ("There is no existing Michigan statutory or case law authority to support plaintiff's position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss."); Paul v. Providence Health System-Oregon, 273 P.3d 106, 110-11 (Or. 2012) (injury of credit monitoring costs were not covered by Oregon law); Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708 (D.C. 2009) (credit monitoring and other security measures were inadequate injury for constitutional standing). For courts trying to construe if a particular jurisdiction would condone recovery for credit monitoring, the legal landscape tilts in favor of dismissing lawsuits that request such relief.
Through the lens of this precedent, the Court reviews if Kentucky or New Jersey law would recognize payments for credit monitoring as a legal injury. Federal courts sitting in diversity have used a variety of techniques to discern whether state law would authorize such a claim. E.g., Pisciotta, 499 F.3d at 634-39 (reviewing state statutes, precedent from state courts, and decisions from other jurisdictions). Principally however, they have examined analogous areas of state law such as claims for medical monitoring. See id. at 239; Stollenwerk v. Tri-West Health Care Alliance, 254 F. App'x 664, 665-66 (9th Cir. 2007); Krottner I, 2009 WL 7382290, at *8. Medical monitoring "aids presently healthy plaintiffs who have been exposed to an increased risk of future harm to detect and treat any resultant harm at an early stage." Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568, 571 (6th Cir. 2005). Many plaintiffs argue that much like medical monitoring, credit monitoring is a way to protect oneself from the future risk of identity theft. Courts located in states with a tradition of medical monitoring have applied the analogy, albeit with differing results. Compare Stollenwerk, 254 F. App'x at 665-66 (remanding decision to district court to apply medical monitoring for Arizona law), with Ruiz, 622 F. Supp. 2d at 914 (rejecting plaintiff's analogy to California's medical monitoring law), and Caudle, 580 F. Supp. 2d at 281 (rejecting comparison to medical monitoring law from New York because the state's "interest in protecting the health of its citizens is stronger than in the protection of property"). Where states do not permit medical monitoring, or require the risk of future harm to be accompanied by present harm, the comparisons to medical monitoring are unsuccessful. See Pisciotta, 499 F.3d at 638-39 (no credit monitoring claim under Indiana law because "no cause of action accrues . . ., until a plaintiff reasonably could have been diagnosed with an actual exposure-related illness or disease"); Krottner I, 2009 WL 7382290, at *8 (rejecting medical monitoring analogy when Washington does not have standalone medical monitoring claims).
With regards to Kentucky law, Plaintiffs cite no legal decisions within the state that have addressed credit monitoring. The decisions the Court has reviewed cause it to doubt the Kentucky Supreme Court would endorse recovery for such payments. Of particular note, plaintiffs attempting to collect for an increased risk of future injury under Kentucky law may only do so if they have also suffered a present injury. See Wood v. Wyeth-Ayerst Laboratories, Div. of American Home Products, 82 S.W.3d 849, 852 (Ky. 2002); Capital Holding Corp. v. Bailey, 873 S.W.2d 187 (Ky. 1994). This precedent controls the current controversy because credit monitoring, by its very nature, is a prophylactic measure to forestall or prevent the occurrence of a future injury. See Krottner II, 406 F. App'x at 131 (where Washington law did not sanction damages for the mere danger of future harm, litigants could not recover for future injury); Pisciotta, 499 F.3d at 638 (where Indiana law did not permit recovery for future, anticipated harm, credit monitoring services suit was dismissed). The legal tenor of future injuries means Kentucky courts would not condone payments for credit monitoring unless Plaintiffs' identities were actually stolen and then used to their financial detriment. As no such representation exists in the SAC, Kentucky law precludes recovery.
Courts applying New Jersey law have twice addressed whether the state would authorize a claim to collect credit monitoring payments; both answered in the negative. In Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011), the Third Circuit dismissed a lawsuit alleging threat of future identity theft where the plaintiffs had expended resources on credit monitoring programs. Id. at 43-44. A federal district court in New Jersey reacted similarly when it rejected a lawsuit trying to create a fund for credit monitoring after sensitive information was put at risk. Giordano, 2006 WL 2177036, at *5. While Reilly and Giordano are factually distinguishable, they represent the best prediction of how New Jersey courts would decide the issue.
New Jersey's treatment of the risk of future injury counsels against Plaintiffs' claim for credit monitoring as well. Litigants under the state's laws may not recover for future harm where an injury has not materialized, unless they are able to "quantify or otherwise show the likelihood of future harm as a matter of probability." Karol v. Berkow, 603 A.2d 547, 551 (N.J. Super. App. 1992) (addressing future risk of harm in the medical context). The Beneficial Letter is the only evidence that might show a threat of identity theft. Still, Plaintiffs concede this attempt to secure an automobile loan was unsuccessful and did not result in any actual injury. The only costs Plaintiffs incurred were their own expenditures to diminish the possibility of future harm. They make no claim that their identities were stolen or that they can quantify the likelihood that their identities will be stolen in the future. In fact, the period of time between the Beneficial Letter and the SAC accentuates the implausibility of Plaintiffs' position that they are still at risk for identity theft. Under these circumstances, New Jersey law would not permit a claim for credit monitoring. See Giordano, 2006 WL 2177036, at *3 n. 4 (rejecting the analogy of medical monitoring under New Jersey).
Concerns over federalism and comity further impede the Court from recognizing a claim for credit monitoring. "Federal courts are loathe to fiddle around with state law. Though district courts may try to determine how the state courts would rule on an unclear area of state law, district courts are encouraged to dismiss actions based on novel state law claims." Insolia v. Philip Morris Inc., 216 F.3d 596, 607 (7th Cir. 2000). "'[W]hen given a choice between an interpretation of state law which reasonably restricts liability, and one which greatly expands liability, [the district court] should choose the narrower and more reasonable path.'" Aarti Hospitality, LLC v. City of Grove City, Ohio, 350 F. App'x 1, 6 (6th Cir. 2009) (quoting Combs v. Int'l Ins. Co., 354 F.3d 568, 577 (6th Cir. 2004)). Plaintiffs offer no precedent from either state to show they would legitimize a cause of action for credit monitoring. In the name of judicial restraint, the Court will not expand the reach of either state's law to include an action for credit monitoring. Cf. Pisciotta, 499 F.3d at 639-40 (refusing to recognize a cause of action for credit monitoring services under Indiana law where there was no precedent on point and court did not desire to "invent what would be a truly novel tort claim").
Rather than cite to legal precedent from the relevant jurisdictions in support of their claim, Plaintiffs make repeated references to the First Circuit opinion of Anderson v. Hannaford Bros. Co. They contend the similarities between Anderson and the instant suit warrant the repudiation of this motion. The Court is unconvinced.
In Anderson, a grocery store chain's electronic payment processing system was breached by hackers and millions of customers' credit and debit card numbers were taken. 659 F.3d at 154. A group of customers brought a class action lawsuit against the grocer pursuant to Maine law. The customer-plaintiffs cited numerous injuries to the class, including more than 1,800 unauthorized charges to their accounts, payments to replace their canceled cards, overdraft charges, lost reward points, fees for credit monitoring, and time spent protecting themselves from fraud. Id. at 155. The court of appeals reversed the district court's grant of summary judgment because the customer-plaintiffs could recover for the mitigation expenses of card replacement and credit monitoring services. Id. at 162. It decided that the security breach and the fraudulent charges justified the expenses since the customers' personal information had been exposed not just to a hypothetical risk but real misuse. Id. at 164. The mitigation measures they undertook were reasonable and recoverable under Maine law since the grocer's customers suffered numerous fraudulent charges. Id. at 166-67.
Plaintiffs belabor the sophisticated criminal conduct of Rebollo. SAC, DN ¶ 92. They also claim their personal information was actually accessed and sold by Rebollo to third parties, justifying their cautionary payments. Plaintiffs declare that the current matter tracks the concerns highlighted in Anderson, which compels the Court to find the threat of injury sufficient to justify the Holmes' credit monitoring payments.
The similarities between Anderson and the present matter have less to do with the harm suffered by the individuals whose personal information was accessed and more to do with the sophistication of the theft. Plaintiffs are correct to characterize both thefts as intricate robberies perpetrated by seasoned criminals; but, the comparison evaporates there. In Anderson, the plaintiffs who brought suit endured measurable financial injuries from the miscreants that absconded with their personal information. Fraudulent charges were made in the plaintiffs' financial accounts originating from locations across the globe. The plaintiffs were required to pay replacement fees to their financial institutions for new debit and credit cards. They were charged overdraft fees when the criminals withdrew amounts in excess of the sums in their accounts. The extent and numerosity of these financial injuries exhibited actual misuse and identity theft.
The only information misuse experienced by the Plaintiffs was the rejected loan application the Holmes received. Unlike Anderson, no unauthorized charges were made to Plaintiffs' financial accounts and there were no attempts to take funds already in their possession. Plaintiffs suffered no direct financial burden as a result of Rebollo's criminal acts. Though the Holmes try to make hay out of the failed attempt to set up an automobile loan, they do not assert the act caused them any direct losses or affected their credit in any way. Simply put, the victims in Anderson were faced with a much graver threat to their personal information and resources. Plaintiffs' experience, as explained in the SAC, was not analogous.
Nor does the proof of misuse offered by Plaintiffs demonstrate their expenditures were injurious. Unsuccessful attempts by unknown parties to open financial accounts are not enough to support a claim for credit monitoring damages without a direct financial detriment to the victim. See, e.g., Krottner II, 406 F. App'x at 131 (grant of dismissal proper even though perpetrator tried to open a bank account in plaintiff's name); Slaughter v. AON Consulting, Inc., No. 10C-09-001 FSS, 2012 WL 1415772, at *2 (Del. Super. Ct. Jan. 31, 2012) (no actual, demonstrable injury shown by plaintiff where unknown parties attempted to opened a cell phone and credit cards in plaintiff's name). Accordingly, the Beneficial Letter and the alleged misappropriation of the Holmes' personal information do not bolster the proposed injury of credit monitoring.
Plaintiffs petition the Court to recognize a novel injury under the laws of Kentucky and New Jersey. They provide no legal decision, controlling or persuasive, that prompts the Court to heed their advice. The states' laws on future injuries, the past decisions on risk of identity theft, and the principles of federalism induce the Court to discard Plaintiffs' arguments. Since credit monitoring expenses are not compensable injuries under these circumstances, Plaintiffs have failed to state a claim in this regard.
C. Telephone Cancellation Fees
As for the Stiers' attempt to recoup phone cancellation fees, Plaintiffs offer no precedent from any jurisdiction that the termination of telephone service due to an increase in telemarketing calls is compensable in a suit for identity theft. Despite an extensive search, the Court has failed to encounter any relevant case law that would justify the reimbursement of such an expense under any legal theory.
The Court did locate decisions that stand for the opposite proposition. Several courts have held that parties at risk for identity theft do not state a legitimate injury where the only harm cited is an increase in junk mail and unwanted telephonic/electronic correspondences. See, e.g., Allison v. Aetna, Inc., 09-CV-2560, 2010 WL 3719243, at *6 (E.D. Pa. Mar. 9, 2010) (receipt of spam emails was not enough for Article III standing); Cherny v. Emigrant Bank, 604 F. Supp. 2d 605, 607 (S.D.N.Y. 2009) (customer's receipt of spam mail and e-mail was insufficient injury to state a claim); Bell v. Acxiom Corp., No. 4:06-CV-00485-WRW, 2006 WL 2850042, at *1-2 (E.D. Ark. Oct. 3, 2006) (increase risk of junk mail was not actionable); Smith v. Chase, 293 A.D. 2d 598, 600-01 (N.Y. App. Div. 2002) (receipt of unwanted telephone solicitations and junk mail was not injurious).
In light of this precedent, the annoyance of unwanted telephone calls cannot form the basis of an injury. Even if Countrywide's actions caused the Stiers' personal information to be stolen, they were not harmed by the repeated telephone calls. The Court struggles to grasp how the cancellation of the Stiers' telephone services to avoid the calls would be recompensable if they were not protecting themselves from suffering further legal injury. Moreover, the Stiers do not claim the telephone solicitations resulted in any financial harm other than their own decision to change telephone carriers. Kentucky law would not permit the Stiers to mitigate the annoyance of telemarketing phone calls by expending resources and then collect those costs from Countrywide. See Wood, 82 S.W.3d at 852; Capital Holding, 873 S.W.2d at 187.
D. Time Spent Monitoring Credit
Plaintiffs argue that the Stiers spent time monitoring their credit, researching identity theft, and learning about this case. SAC, DN 50 ¶ 15. Plaintiffs seemingly contend that the hours expended engaging in these activities may form the foundation for a compensable injury. See Plaintiffs Response, DN 53-1 p. 11, 19. No precedent from any jurisdiction is offered to fortify this proposition.
Courts considering risk-of-identity-theft cases uniformly reject attempts to recover for the time the plaintiffs spent self-monitoring financial accounts and credit history. See, e.g., Amburgy, 671 F. Supp. 2d at 1054-56; Pinero, 594 F. Supp. 2d at 718-19; Ruiz, 622 F. Supp. 2d at 917-18; Shafran, 2008 WL 763177, at *2-3; Forbes, 420 F. Supp. 2d at 1021. Even Anderson, the decision to which Plaintiffs repeatedly cite, acknowledges that litigants in theft-of-identity cases must show they spent more than just their own "time or effort" to articulate a compensable legal injury. 659 F.3d at 162. This precedent leads the Court to dismiss this claim to the extent it appears in the SAC.
III. Causes of Action
The SAC contains the state-law claims of unjust enrichment, fraud, breach of contract, breach of the covenants of good faith and fair dealing, breach of state security notification laws, violations of the New Jersey and Kentucky consumer fraud laws, and conspiracy. SAC, DN 50. It also contains allegations of intentional and negligent violation of the Fair Credit Reporting Act. SAC, DN 50. Countrywide unearths flaws in each theory of recovery and asks the Court to dismiss them. Notwithstanding its conclusions above, the Court discusses each separately.
A. Unjust Enrichment
Plaintiffs allege Countrywide was unjustly enriched by its actions. They claim Countrywide collected application and processing fees relating to applications for mortgages, as well as fees for credit monitoring services being offered by Countrywide and its subsidiary. SAC, DN 50 ¶ 125. Countrywide moves to dismiss because the SAC's allegations do not support this claim.
For unjust enrichment, a party must show that (1) a benefit has been conferred upon a defendant at a plaintiff's expense, (2) the resulting appreciation of the benefit by the defendant, and (3) the inequitable retention of the benefit without compensation to the plaintiff. VRG Corp. v. GKN Realty Corp., 641 A.2d 519, 526 (N.J. 1994); Jones v. Sparks, No.2008-CA-002006, 2009 WL 3321370, at *3 (Ky. Ct. App. Oct.16, 2009). Both states preclude the doctrine of unjust enrichment where there is an explicit contract that is the subject of the dispute. E.g., DBA Distribution Servs., Inc. v. All Source Freight Solutions, Inc., No. 11-CV-3901-JAP, 2012 WL 845929, at *5 (D.N.J. Mar. 13, 2012); Codell Constr. Co. v. Kentucky, 566 S.W.2d 161, 165 (Ky. Ct. App. 1977).
With this claim, Plaintiffs are attempting to recover the "fees and payments that Plaintiffs made to Countrywide throughout the term of their relationship because such payments were made with both the implicit and explicit assurances that Countrywide would safeguard their personal information." Plaintiffs Response, DN 53-1 p. 19; see SAC, DN 50 ¶ 126. Put another way, Plaintiffs seek to set aside their contractual agreements with Countrywide and recover the mortgage payments because implicit within those sums was remuneration for safeguarding their confidential data. Underlying this unjust enrichment claim are express provisions of the mortgage agreement, specifically those that require Plaintiffs to make monthly mortgage payments and those that oblige Countrywide to protect Plaintiffs' personal information. See SAC, DN 50 ¶¶ 64-66. "[W]hen a valid, express contract covers the subject matter of the parties' dispute, a plaintiff cannot recover under a quasi-contract theory such as unjust enrichment." DBA Distribution, 2012 WL 845929, at *5 (citations and quotation marks omitted). The claim for unjust enrichment can proceed no further because certain segments of the mortgage agreement comprise its foundation. See Fruit Growers Express Co. v. Citizens Ice & Fuel Co., 112 S.W.2d 54, 56 (Ky. 1937) (claim for unjust enrichment cannot lie where a written contract references the same subject matter).
This ruling vitiates the unjust enrichment claim. Plaintiffs have shown no benefit conferred on Countrywide that was not already part of the express contractual agreement or non-recoverable under state law.
B. Common Law Fraud
Plaintiffs assert a claim of common law fraud under Kentucky and New Jersey law. They allege Countrywide made material misrepresentations about the storage of their personal information and the severity of Rebollo's breach. SAC, DN 50 ¶¶ 130-32. Plaintiffs say these fraudulent statements entitle them to recover the amounts they paid for credit monitoring services and telephone cancellation fees.
Broadly speaking, fraud requires reliance on a false material representation resulting in harm to a plaintiff. See Ross v. Powell, 206 S.W.3d 327, 330 (Ky. 2006); accord Carroll v. Cellco Partnership, 713 A.2d 509, 516 (N.J. Super. Ct. App. Div. 1998). Plaintiffs' claim for fraud is not actionable because the only financial damages they suffered were self inflicted.
C. Contract, Covenant of Good Faith, Covenant of Fair Dealing
Plaintiffs allege breach of contract and the breach of the covenants of good faith and fair dealing. SAC, DN 50 ¶¶ 135-49. They advance the breach of contract theory under the premise that Countrywide agreed to safeguard their personal information - a term of the contract by which it failed to abide. Plaintiffs state this breach permitted reasonable mitigation efforts on their part under Kentucky and New Jersey law. See Fifth Third Bank v. Waxman, 726 F. Supp. 2d 742, 750 (E.D. Ky. 2010); State v. Ernst & Young, L.L.P., 902 A.2d 338, 348 (N.J. Super. Ct. App. Div. 2006). They also aver Countrywide's failure to secure their personal information constitutes a breach of the covenants of good faith and fair dealing.
Again, Plaintiffs have not alleged a compensable injury under the laws of Kentucky and New Jersey. Rebollo's actions did not cause any direct financial harm to either the Holmes or the Stiers. The financial impact to Plaintiffs is relegated to voluntary expenditures to reduce a future risk. Neither Kentucky nor New Jersey law would recognize these costs to Plaintiffs as recoverable injuries.
Plaintiffs expend most of their efforts on the Holmes' decision to purchase credit monitoring services. They never attempt to link their arguments about the mitigation of damages to the Stiers' cancellation of their telephone service. The Court remains confused how the termination of their telephone service could be characterized as the mitigation of damages since the receipt of unwanted calls is not injurious on its own. See Cherny, 604 F. Supp. 2d at 607.
D. State Security Notification
Plaintiffs propose that Countrywide violated the state security notification laws of New Jersey. SAC, DN 50 ¶¶ 150-62. Citing N.J.S.A. § 56:8-163, Plaintiffs describe how Countrywide failed to abide by the requirement that businesses in the state disclose the breach of computerized records, report the breach to the state police, and provide notice to the affected parties. Id. §. 56:8-163(a). Plaintiffs say the statute allows litigants to hold companies like Countrywide accountable for conduct that fails to secure sensitive information.
The breach notification statutes are regulations promulgated by New Jersey's Director of the Division of Consumer Affairs and are only violated when a company "willfully, knowingly, or recklessly violates" the relevant provisions. Id. §§ 65:8-165, 65:8-166. Insofar as the Court can tell, § 56:8-163 does not provide a private right of action for citizens to enforce its provisions. Plaintiffs offer no precedent to rebut these concerns. The Court will dismiss the claim considering Plaintiffs' silence on the matter.
E. Kentucky's and New Jersey's Consumer Fraud Laws
Kentucky and New Jersey have enacted consumer fraud laws to protect their citizens from deceptive business practices. See KRS § 367, et seq.; N.J.S.A. §. 56:8-1, et seq. Plaintiffs claim that Countrywide's actions contravene these statutory regimes. SAC, DN 50 ¶¶ 168-71. To recover under these statutes, a litigant must suffer an "ascertainable loss of money or property." KRS § 367.220(1); accord N.J.S.A. § 56:8-19 ("Any person who suffers any ascertainable loss of moneys or property . . . ."). This requires litigants to produce "evidence from which a factfinder could find or infer that the plaintiff suffered an actual loss." Thiedemann v. Mercedes-Benz USA, LLC, 872 A.2d 783, 792 (N.J. 2005). Countrywide argues for the dismissal because Plaintiffs have not shown they suffered an ascertainable loss.
Although neither state has examined the term "ascertainable loss" in the context of credit monitoring services, the state of Oregon has had the opportunity to do so. In Paul v. Providence Health System-Oregon, the Supreme Court of Oregon reviewed whether credit monitoring costs incurred by hospital patients were recoverable when the hospital employees negligently jeopardized their personal information. 273 P.3d at 589-90. The group of patients brought suit under Oregon's Unlawful Trade Practices Act ("OTPA") to recover their credit monitoring payments. Id. The OTPA, like Kentucky's and New Jersey's analogues, demands those invoking its provisions suffer an "'ascertainable loss of money or property.'" Id. at 115 (quoting ORS § 646.638(1)). Oregon's highest court held that credit monitoring expenses did not fall within the meaning of "ascertainable loss" since "the expenditure [was] not based on any present harm to plaintiffs' economic interests." Id.
The Court's previous conclusion controls as to whether the Plaintiffs' prophylactic payments may form the basis of an action under Kentucky's and New Jersey's consumer fraud laws. Plaintiffs cannot point to a single case in federal or state court where fees for credit monitoring and telephone cancellation qualify as "ascertainable losses." Providence Health System, the only case to address the subject, validates the earlier ruling that the meager damages Plaintiffs cite are not enough to permit this suit to continue.
Plaintiffs make a last ditch effort to spin an "ascertainable loss" out of the attorneys fees they amassed during this litigation. They claim New Jersey's Consumer Fraud Act permits attorneys fees and costs incurred during the prosecution of a claim to form the basis of an ascertainable loss. Plaintiffs Response, DN 53-1 p. 26-27. Accepting such a theory would allow consumers in New Jersey to bring lawsuits under the state's Consumer Fraud Act without having ever been harmed, financially or otherwise.
Besides being a nonsensical interpretation of the law, Plaintiffs have overlooked the express repudiation of their theory by the New Jersey Supreme Court in Weinberg v. Sprint Corp., 801 A.2d 281 (N.J. 2002). There, the court concluded that attorneys fees under the New Jersey's Consumer Fraud Act are available only where a plaintiff advances beyond a motion for summary judgment and presents an ascertainable-loss argument to a finder of fact. Id. at 292-93. As Plaintiffs cannot muster an ascertainable loss at the motion-to-dismiss stage, attorneys fees may not form the cornerstone of this claim.
Plaintiffs do not argue attorneys fees can bridge the gap of ascertainable losses under Kentucky's consumer fraud laws. They are correct to do so; this Court has previously rejected such a claim. Yates v. Bankers Life & Cas. Ins. Co., 720 F. Supp. 2d 809, 816 (W.D. Ky. 2010).
--------
F. Fair Credit Reporting Act
Plaintiffs invoke the provisions of the Fair Credit Reporting Act ("FCRA") and assert Countrywide has violated its provisions. SAC, DN 50 ¶¶ 172-183. They maintain Countrywide is a consumer credit reporting agency under the FCRA, it failed to maintain reasonable procedures to "furnish" consumer reports, and consumer reports were released in violation of the statute's provisions. Countrywide encourages the Court to dismiss this claim because the prerequisites for the FCRA have not been met.
Congress enacted the FCRA to preside over "consumer reporting agencies" that accumulated credit information on individuals and then make that information available to third parties in "consumer reports." 15 U.S.C. § 1681. Under its provisions, a consumer reporting agency is defined as follows:
The term "consumer reporting agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.15 U.S.C. § 1681a(f). Courts construing who or what qualifies as consumer reporting agencies have restricted the label to the credit reporting bureaus. E.g., Washington v. CSC Credit Services Inc., 199 F.3d 263, 265 (5th Cir. 2000) ("The FCRA governs 'consumer reporting agencies' like Equifax and CSC."). "Consumer reports" are also defined by the statute:
The term "consumer report" means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for--(A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.15 U.S.C. § 1681a(d)(1)(A)-(C). "A consumer report, therefore, is virtually any information communicated by a 'consumer reporting agency for any one of the purposes enumerated in 1681a and 1681b . . . .'" Hoke v. Retail Credit Corp., 521 F.2d 1079, 1081 (4th Cir. 1975).
Plaintiffs charge that the language in the SAC is adequate to state a claim under the FCRA since Countrywide is a consumer reporting agency and the information disseminated by Rebollo qualifies as a consumer report. Closer scrutiny bears out their mistake. The applicable provisions of the FCRA extend liability only where consumer reports are "furnished" or disseminated in a manner that violates the FCRA. See 15 U.S.C. § 1681b. The Fifth Circuit has elaborated on the harm the FCRA protects against:
[W]e find that the actionable harm the FCRA envisions is improper disclosure, not the mere risk of improper disclosure that arises when "reasonable procedures" areWashington, 199 F.3d at 267. The language of § 1681b indicates that when Congress created the protections of the FCRA, it envisioned "consumer reports" that were "furnished" to third parties in violation of the statute. See 15 U.S.C. § 1681b(a) ("[A]ny consumer reporting agency may furnish a consumer report . . . .") (emphasis added); id. § 1681b(b) ("[C]onditions for furnishing and using consumer reports for employment purposes . . . .") (emphasis added); id. § 1681b(c) ("Furnishing reports in connection with credit or insurance transactions that are not initiated by a consumer . . . .") (emphasis added).
not followed and disclosures are made. Accordingly, a plaintiff bringing a claim that a reporting agency violated the "reasonable procedures" requirement of § 1681e must first show that the reporting agency released the report in violation of § 1681b.
Though "furnish" is not defined in the relevant statutory provisions, a common sense understanding of the word underscores why Countrywide cannot be held to account under the FCRA. The SAC's allegations do not describe a scenario where Countrywide "furnished" anyone with Plaintiffs' financial information. On the contrary, Plaintiffs repeatedly characterize the pertinent events as an elaborate and sophisticated theft by Rebollo. SAC, DN 50 ¶¶ 85-105. The story Plaintiffs tell is not one where Countrywide "transmitted" their private information to unseen parties. See Dightman v. Texas Dept. of Public Safety, No. A-10-CA-776-SS, 2010 WL 4922646, at *4 (W.D. Tex. Nov. 29, 2010) ("While the FCRA does not explicitly define 'furnisher of information,' courts have defined the term broadly to mean 'an entity which transmits information concerning a particular debt owed by a consumer to a consumer reporting agency.'" (quoting Alam v. Sky Recovery Servs., Ltd., No. H-08-2377, 2009 WL 693170 at *4 (S.D. Tex. Mar. 13, 2009))). Rather, the SAC is clear that Rebollo was a ne'er-do-well who independently stole Countrywide's customer information and engaged in a scheme to sell it to his criminal associates. No coherent understanding of the words "furnished" or "transmitted" would implicate Countrywide's action under the FCRA. This allegation is improper.
G. Conspiracy
Plaintiffs pursue an action for civil conspiracy. SAC, DN 50 ¶¶ 163-67. Kentucky and New Jersey recognize claims of civil conspiracy but only where the plaintiffs have alleged an actionable underlying tort. See Hogan v. Goodrich Corp., No. 05-CV-159-C, 2006 WL 149011, at *5 (W.D. Ky. Jan. 17, 2006); Morgan v. Union County Bd. of Chosen Freeholders, 633 A.2d 985, 998 (N.J. Super. Ct. App. Div. 1993). Plaintiffs' failure to set forth an injury pursuant to the law of either state renders this conspiracy claim impotent.
CONCLUSION
The precedent of Kentucky and New Jersey provides no respite for Plaintiffs' allegations. The arguments fall short of convincing the Court that the law of either state would accommodate their illusory injuries. That Plaintiffs cannot provide controlling or persuasive precedent from either jurisdiction on the relevant issues compels the Court to dismiss the novel theories of recovery.
For the foregoing reasons, IT IS HEREBY ORDERED that Defendants' motion to dismiss is GRANTED. The claims against Defendants Countrywide Financial Corporation, Countrywide Bank, FSB, Countrywide Home Loans, Inc., Bank of America Corporation, and Full Spectrum Lending Division are hereby DISMISSED. The Clerk of Court shall strike these parties from the current lawsuit.
________________________
Thomas B. Russell , Senior Judge
United States District Court