
In re GEICO Customer Data Breach Litig.

United States District Court, E.D. New York
Jul 21, 2023
No. 21-CV-2210-KAM-SJB (E.D.N.Y. Jul. 21, 2023)

Opinion



REPORT & RECOMMENDATION

SANKET J. BULSARA, United States Magistrate Judge.

This is a consolidated putative class action filed after third parties gained access to driver's license numbers through GEICO's online insurance sales website. The putative class is composed of consumers whose personal information (including their driver's license numbers) was allegedly exposed by GEICO, and they have raised a variety of state law claims-negligence, negligence per se, intrusion upon seclusion, and a claim under New York's General Business Law § 349-and a violation of the federal Driver's Privacy Protection Act. GEICO has moved to dismiss the claims on a variety of grounds, and also asserts that the representative plaintiffs lack standing. (Mot. to Dismiss dated Nov. 4, 2022 (“Defs. Mot.”), Dkt. No. 73). For the reasons outlined below, the Court respectfully recommends the motion to dismiss be granted in part and denied in part.

FACTUAL BACKGROUND AND PROCEDURAL HISTORY

For the purposes of this motion, the Court is “required to treat” the Complaint's “factual allegations as true, drawing all reasonable inferences in favor of [Plaintiffs] to the extent that the inferences are plausibly supported by allegations of fact.” In re Hain Celestial Grp., Inc. Sec. Litig., 20 F.4th 131, 133 (2d Cir. 2021). The Court “therefore recite[s] the substance of the allegations as if they represented true facts, with the understanding that these are not findings of the court, as we have no way of knowing at this stage what are the true facts.” Id.

Defendants Government Employees Insurance Company, GEICO Casualty Company, GEICO Indemnity Company, and GEICO General Insurance Company (together, “GEICO”) sell private passenger automobile insurance policies. (Consolidated Class Action Compl. dated May 20, 2022 (“Compl.”), Dkt. No. 61 ¶ 4). GEICO collects and stores personal information (“PI”) from prospective clients and current and former customers as part of its regular business practices, including during the quoting, application, or claims handling processes. (Id. ¶ 53). Specifically, GEICO obtains an individual's name, address, phone number, social security number, and-most relevant here-driver's license number (“DLN”). (Id.).

As part of its sales efforts, GEICO provides insurance quotes to consumers through its online sales system on its publicly accessible website. (Id. ¶ 4). Plaintiffs allege that GEICO added a feature to its online sales platform whereby an individual's DLN would auto-populate when any user “enter[ed] a bare minimum of publicly available information about that individual.” (Id. ¶ 6). That is, GEICO's quoting feature asked a visitor to the site for their name, date of birth, and address; once a visitor entered that basic information-which Plaintiffs claim is easily attainable and available on public databases at no cost-the system automatically displayed DLNs which either GEICO held or were provided from third party hosts. (Id. ¶¶ 58-59). Because GEICO did not require verification that the person accessing the system was actually the individual whose information was being revealed, third parties used automated processes, or “bots,” on the instant quote feature to obtain unauthorized access to individuals' DLNs. (Compl. ¶¶ 60-61).

These DLNs are highly valuable to cybercriminals because they are long-lasting and difficult to change, and because their disclosure often goes undetected. (Id. ¶¶ 83, 89). Stolen DLNs can be used to “craft curated social engineering phishing attacks” designed to manipulate a victim. (Id. ¶¶ 85, 91). For example, a fraudster could orchestrate a scam by sending an email impersonating the DMV, requesting the person verify his/her DLN, to obtain even more private information. The additional information is then aggregated into a “fullz” profile-that is, a complete or “full” identity profile-enabling cybercriminals to commit identity theft and other types of fraud. (Id. ¶ 85 & n.16). Here, fraudsters used DLNs to make fraudulent claims for government benefits (and more specifically, unemployment benefits), open bank accounts, transfer bank funds, and make credit card charges. (Id. ¶¶ 18-24, 31, 33-34, 42-43). Plaintiffs contend that many class members “never applied for insurance with [GEICO]” or were necessarily aware of GEICO's existence, and their personal information was stored by GEICO “unbeknownst” to them. (Id. ¶¶ 60, 156).

On February 16, 2021, the New York State Department of Financial Services (“DFS”) issued an “alert regarding an ongoing systemic and aggressive campaign to engage with public-facing insurance websites-particularly those that offer instant online automobile insurance quotes-to obtain non-public information, in particular unredacted driver's license numbers.” (Compl. ¶ 71). According to the DFS, the unauthorized collection of DLNs was “part of a growing fraud campaign targeting pandemic and unemployment benefits.” (Id.). The scheme was discovered after insurers noticed an unusual number of abandoned or cancelled insurance quote applications. (Id. ¶ 72).

On April 9, 2021, GEICO notified individuals that their DLNs were compromised in a data security incident (“Data Disclosure” or “Incident”). (Id. ¶ 69). The Notice stated:

We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you - which they acquired elsewhere - to obtain unauthorized access to your driver's license number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.
(Notice of Data Breach dated Apr. 9, 2021 (“Notice”), attached as Ex. C to Defs. Mot., at 1). It further advised that “[a]s soon as GEICO became aware of the issue,” it “secured the affected website” and “implemented-and continue[s] to implement-additional security enhancements to help prevent future fraud.” (Notice at 1). Recipients of the Notice were given the opportunity to enroll in a one-year subscription to an identity theft monitoring and resolution service. (Id.).

Although the Notice of Data Breach states that third parties accessed the DLNs from January 21, 2021 through March 1, 2021, the Complaint alleges the relevant timeframe is November 24, 2020 through March 1, 2021. (E.g., Compl. ¶¶ 10, 69).

Subsequently, five overlapping proposed class action lawsuits were filed in three federal courts alleging claims arising from the Data Disclosure. Four suits-Mirvis, Brody, Viscardi, and Connelly-were consolidated in this District as “In re GEICO Customer Data Breach Litigation.” (See Order dated Oct. 26, 2021, Dkt. No. 39; Order dated Nov. 9, 2021, Dkt. 21-CV-6091).

The five cases are: Mirvis v. Berkshire Hathaway, Inc., No. 21-CV-2210 (E.D.N.Y.); Vennerholm II v. GEICO Cas. Co., No. 3:21-CV-806 (S.D. Cal.); Brody v. Berkshire Hathaway, Inc., No. 21-CV-2481 (E.D.N.Y.); Viscardi v. Gov't Emps. Ins. Co., No. 21-CV-2540 (E.D.N.Y.); and Connelly v. Gov't Emps. Ins. Co., No. 8:21-CV-1152 (D. Md.).

Plaintiffs Michael Viscardi, Kathleen Dorety, and William Morgan brought this suit against GEICO on their own behalf and as proposed class representatives for a class of all New York or U.S. residents whose DLN was subject to the Data Disclosure. (Compl.). Each Plaintiff alleges he or she received the Notice, and that his or her DLN was obtained, used, and disclosed by GEICO. (Compl. ¶¶ 15, 28, 39). They allege, in the aftermath of the Data Disclosure, cybercriminals fraudulently filed a claim for unemployment in each of their names, (id. ¶¶ 18, 31, 42), attempted to transfer Viscardi's funds into an unauthorized account, (id. ¶ 21), made fraudulent charges on Viscardi's credit cards, (id. ¶¶ 23-24), and fraudulently opened a bank account in Dorety's name. (Id. ¶ 34). As a result, Plaintiffs have spent countless hours to “monitor[] accounts” and “deal[] with the fallout of the Data Disclosure,” and suffered “actual identity theft”; incurred “time and expenses interacting with government agencies,” “scrutinizing bank statements, credit card statements, and credit reports,” and “monitoring bank accounts”; lost personal data and property, because of compromised personal information; and suffered injury to their privacy rights. (Id. ¶¶ 25-26, 36-37, 46-47).

As alleged in the Complaint, Plaintiffs purport to bring the action on behalf of the following classes: “All residents [of New York or the United States] whose driver's license information was disclosed in the GEICO Data Disclosure occurring in or around the period between November 24, 2020 and March 1, 2021, including all persons who received notice of the GEICO Data Disclosure.” (Compl. ¶ 124).

Because the Complaint does not identify Plaintiffs Mirvis, Brody, or Connelly-and thereby appears to no longer pursue claims on their behalf-GEICO seeks to dismiss them, (Mem. of Law in Supp. of Defs.' Mot. (“Defs. Mem.”), attached as Ex. 5 to Defs. Mot., at 5 n.3), and Plaintiffs have filed no objection to this dismissal.

Plaintiffs set forth six claims in the Complaint. Count I alleges a violation of the Driver's Privacy Protection Act (“DPPA”), and Count II is a negligence claim. Count III is for negligence per se, based upon alleged duties owed under Section 5 of the Federal Trade Commission Act (“FTCA”), Gramm-Leach-Bliley Act (“GLBA”), and Section 349 of New York's General Business Law (“GBL”). Count IV pleads a violation of GBL § 349, and Count V is a common law privacy claim for intrusion upon seclusion. Count VI is a claim for declaratory and injunctive relief. (Compl. ¶¶ 133-206).

GEICO moved to dismiss the Complaint for failure to allege subject matter jurisdiction and failure to state a claim, pursuant to Federal Rule of Civil Procedure 12(b)(1) and 12(b)(6).

Following full briefing of the present motion, the parties wrote to the Court regarding “supplemental authority” bearing on the motion to dismiss. (See Pls.' Notice dated Nov. 4, 2022, Dkt. No. 77; Letter from Shari Claire Lewis dated Nov. 11, 2022, Dkt. No. 78). The parties did not seek the Court's leave to submit these additional papers which, in any event, do not alter the outcome.

DISCUSSION

“The purpose of a motion to dismiss for failure to state a claim under Rule 12(b)(6) is to test the legal sufficiency of . . . claims for relief.” Amadei v. Nielsen, 348 F.Supp.3d 145, 155 (E.D.N.Y. 2018) (citing Patane v. Clark, 508 F.3d 106, 112 (2d Cir. 2007)). In deciding such a motion, the Court must “construe the complaint liberally, accepting all factual allegations in the complaint as true, and drawing all reasonable inferences in the plaintiff's favor.” Palin v. N.Y. Times Co., 940 F.3d 804, 809 (2d Cir. 2019) (quotations and alteration omitted); Amadei, 348 F.Supp.3d at 155 (“[W]hen reviewing a complaint on a motion to dismiss for failure to state a claim, the court must accept as true all allegations of fact in the complaint and draw all reasonable inferences in favor of [the non-moving party].”).

Once the facts are construed in the light most favorable to the non-moving party-here, Plaintiffs-to avoid dismissal there must be sufficient facts that allege a plausible claim. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (“To survive a motion to dismiss [pursuant to Rule 12(b)(6)], a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” (citation and quotations omitted)). “[A] district court must limit itself to facts stated in the complaint or in documents attached to the complaint as exhibits or incorporated in the complaint by reference. Of course, it may also consider matters of which judicial notice may be taken under Fed.R.Evid. 201.” Kramer v. Time Warner Inc., 937 F.2d 767, 773 (2d Cir. 1991).

“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678. A complaint must contain more than “naked assertion[s] devoid of further factual enhancement.” Id. (citation and quotations omitted). In other words, a plausible claim contains “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id.; Fed.R.Civ.P. 8(a)(2). “Factual allegations must be enough to raise a right to relief above the speculative level . . . on the assumption that all the allegations in the complaint are true (even if doubtful in fact).” Bell Atl. Corp. v. Twombly, 550 U.S. 554, 555 (2007) (internal citations omitted). The determination of whether a party has alleged a plausible claim is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal, 556 U.S. at 679; see also Escamilla v. Young Shing Trading Co., No. 17-CV-652, 2018 WL 1521858, at *2 (E.D.N.Y. Jan. 8, 2018), report and recommendation adopted, 2018 WL 1033249, at *3 (Feb. 23, 2018).

I. Subject Matter Jurisdiction/Standing

“Article III of the Constitution limits ‘[t]he judicial power of the United States' to ‘cases' or ‘controversies,' ensuring that federal courts act only ‘as a necessity in the determination of real, earnest and vital' disputes.” Students for Fair Admissions, Inc. v. President & Fellows of Harvard Coll., 143 S.Ct. 2141, 2157 (2023) (quoting Muskrat v. United States, 219 U.S. 346, 351, 359 (1911)). “To state a case or controversy under Article III, a plaintiff must establish standing.” Id. (quoting Arizona Christian Sch. Tuition Org. v. Winn, 563 U.S. 125, 133 (2011)). “[A] district court must generally resolve material factual disputes and establish that it has federal constitutional jurisdiction, including a determination that the plaintiff has Article III standing, before deciding a case on the merits.” All. for Env't Renewal, Inc. v. Pyramid Crossgates Co., 436 F.3d 82, 85 (2d Cir. 2006) (citing Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 101 (1998)); see also Dep't of Educ. v. Brown, 143 S.Ct. 2343, 2350-51 (2023) (“We have an obligation to assure ourselves of litigants' standing under Article III before proceeding to the merits of a case.” (quotations omitted)).

“The party seeking to invoke the jurisdiction of the court bears the burden of establishing that he has met the requirements of standing.” Jaghory v. N.Y. State Dep't of Educ., 131 F.3d 326, 329 (2d Cir. 1997); see also Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). To establish standing, a plaintiff must plead and-ultimately-prove that he has “suffered an injury in fact-a concrete and imminent harm to a legally protected interest, like property or money-that is fairly traceable to the challenged conduct and likely to be redressed by the lawsuit.” Biden v. Nebraska, 143 S.Ct. 2355, 2365 (2023) (citing Lujan, 504 U.S. at 560-61). These elements are the “irreducible constitutional minimum of standing.” Lujan, 504 U.S. at 560. “[T]o survive a defendant's motion to dismiss for lack of subject matter jurisdiction [under Rule 12(b)(1)], a plaintiff must allege facts ‘that affirmatively and plausibly suggest that it has standing to sue.'” Brady v. Basic Rsch., L.L.C., 101 F.Supp.3d 217, 227 (E.D.N.Y. 2015) (quoting Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 145 (2d Cir. 2011)); see also Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56 (2d Cir. 2016). But “[w]hen the Rule 12(b)(1) motion is facial, i.e., based solely on the allegations of the complaint or the complaint and exhibits attached to it,” a plaintiff is not required to come forth with evidence supporting her assertion of standing. Carter, 822 F.3d at 56. The plaintiff has, at this stage, no evidentiary burden. Id. “[T]he court must accept as true all material factual allegations in the complaint and refrain from drawing inferences in favor of the party contesting jurisdiction.” Zirogiannis v. Seterus, Inc., 221 F.Supp.3d 292, 297 (E.D.N.Y. 2016) (quotations omitted), aff'd, 707 Fed.Appx. 724, 729 (2d Cir. 2017).
In the class action context, each proposed class representative “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 n.6 (2016) (quotations omitted).

“[A] plaintiff must ‘demonstrate standing separately for each form of relief sought.'” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2210 (2021) (quoting Friends of the Earth, Inc. v. Laidlaw Env't Servs. (TOC), Inc., 528 U.S. 167, 185 (2000)). Plaintiffs' first through fifth causes of action-for a violation of the DPPA, negligence, negligence per se, violation of GBL § 349, and intrusion upon seclusion-seek monetary damages, and their last claim seeks injunctive and declaratory relief. For logical clarity, the Court treats these in reverse order, addressing first whether Plaintiffs have standing to obtain injunctive and declaratory relief, and then whether they have standing to seek damages under the first five claims.

A. Injunctive Relief

a. Injury-in-Fact

To establish an injury in fact, a plaintiff “must show that he or she suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Spokeo, Inc., 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560); see also Jaghory, 131 F.3d at 330 (“The keystone for determining injury in fact is the requirement that it be distinct and palpable-and, conversely, that it not be abstract or conjectural or hypothetical.” (quoting Laurence H. Tribe, American Constitutional Law § 3-16, at 114 (2d ed. 1988))).

For injunctive relief, the injury-in-fact inquiry is not whether there has been a past injury, but whether there is a risk of future injury. That is because injunctive relief is a remedy “to prevent the harm from occurring.” TransUnion LLC, 141 S.Ct. at 2210. And as such, there must be an indication of “a continuing violation or the imminence of a future violation.” Steel Co., 523 U.S. at 108; see also TransUnion LLC, 141 S.Ct. at 2210 (recognizing that a plaintiff must show the “risk of harm is sufficiently imminent and substantial”); Kreisler v. Second Ave. Diner Corp., 731 F.3d 184, 187 (2d Cir. 2013) (“Plaintiffs seeking injunctive relief must also prove that the identified injury in fact presents a real and immediate threat of repeated injury.” (quotations omitted)). “The prospective-orientation of the analysis is critical: to maintain an action for injunctive relief, a plaintiff ‘cannot rely on past injury . . . but must show a likelihood that he . . . will be injured in the future.'” Berni v. Barilla S.p.A., 964 F.3d 141, 147 (2d Cir. 2020) (quoting Deshawn E. v. Safir, 156 F.3d 340, 344 (2d Cir. 1998)).

The analysis is the same for Plaintiffs' claim for declaratory relief, which along with injunctive relief, is part of Count VI. Dorce v. City of New York, 2 F.4th 82, 95 (2d Cir. 2021) (“Where, as here, plaintiffs seek injunctive or declaratory relief, they cannot rely on past injury to satisfy the injury requirement but must show a likelihood that [they] will be injured in the future. Such an allegation of future injury will be sufficient only if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” (citations and quotations omitted)). GEICO offers no argument unique to the aspect of the claim seeking declaratory relief.

In a case involving a loss of personal information (or a data breach) a court should consider three “non-exhaustive factors” to determine whether plaintiffs have established the necessary future risk of injury:

(1) whether the plaintiffs' data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (2d Cir. 2021). These McMorris factors are “instructive for determining whether the risk of injury is imminent, which remains part of the requirement for standing in suits for . . . injunctive relief.” Rand v. Travelers Indem. Co., No. 21-CV-10744, 2022 WL 15523722, at *4 n.2 (S.D.N.Y. Oct. 27, 2022).

Here, all three factors weigh in favor of finding that Plaintiffs have alleged injury-in-fact sufficient to obtain an injunction. First, Plaintiffs have alleged that their data-DLNs-was exposed as a result of a targeted attack on GEICO's platform: “an ongoing and concerted campaign by fraudsters to engage with insurers' online quoting platforms to obtain driver's license numbers.” (Compl. ¶ 71; see also id. ¶ 93). Second, the Complaint is replete with examples of actual misuse of Plaintiffs' DLNs. (E.g., id. ¶¶ 20, 31, 42 (fraudulent claim for unemployment benefits); id. ¶ 21 (attempt to transfer funds into unauthorized bank account); id. ¶ 34 (fraudulently opened bank account)). And that establishes the importance and sensitivity of the DLNs, which Plaintiffs also separately allege in describing their value to criminals. (See id. ¶¶ 82-95).

Thus, “Plaintiffs face a real risk of misuse of their information following a data breach when their information is deliberately taken by thieves intending to use the information to their financial advantage-i.e., exposed in a targeted attack rather than inadvertently. And the actual misuse of a portion of the stolen information increases the risk that other information will be misused in the future.” Webb v. Injured Workers Pharmacy, LLC, No. 22-1896, 2023 WL 4285814, at *6 (1st Cir. June 30, 2023); see also Rand, 2022 WL 15523722, at *5 (finding that plaintiff alleged an “objectively reasonable likelihood that an injury will result” from automatic disclosure of driver's license numbers in online quotes). None of GEICO's arguments, (Defs. Mem. at 10-11), are to the contrary. Though they contend that the DLNs and GEICO cannot be connected to the injury-a point which is more about traceability than injury-in-fact-that is precisely what the Complaint alleges. The representative Plaintiffs have repeatedly alleged that this breach caused the specific harms like false applications for benefits in their name. (E.g., Compl. ¶ 20 (“Viscardi is self-employed and did not apply for unemployment benefits. Plaintiff Viscardi's PI, i.e., his driver's license number, was disclosed in GEICO's Data Disclosure and was used to make fraudulent claims for unemployment benefits in his name[.]”)). This also demonstrates that GEICO's argument that there was no actual misuse of the DLNs-an assertion that it repeats throughout its briefing-is simply baseless.

Nor is the failure to eliminate other causes, (Defs. Mem. at 10-11), or other actors-again a traceability argument-pertinent to this inquiry.

GEICO uses selective quotation and out-of-context excerpts to concoct the argument that DLNs are not sensitive and courts have so held. For example, GEICO cites Antman v. Uber Technologies, Inc., for the proposition that “[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.” No. 3:15-CV-01175, 2015 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015). In Antman, the court declined to accept plaintiff's argument that “harm can come from the misappropriation of a name and a driver's license,” because the complaint failed to include allegations in that regard, and the court-quite reasonably-could not merely rely on counsel's assertions of harm. Id. In other words, the court did not hold categorically that DLNs could never be sensitive or highly valuable, but rather that plaintiffs failed to make that showing. Similarly, in In re Uber Technologies, Inc., Data Security Breach Litigation, the court held plaintiffs failed to establish a credible risk of immediate harm because they did not explain how gaining access to one's basic contact information and DLN creates such a risk-for example, they did not describe “the way in which hackers could commandeer their accounts and identities using the information taken.” No. 18-ML-2826, 2019 WL 6522843, at *4 (C.D. Cal. Aug. 19, 2019). But here, there are allegations aplenty, explaining how DLNs can and were used to acquire additional sensitive information.

Cases cited by GEICO involving credit card numbers-e.g., Whalen v. Michael Stores Inc., 153 F.Supp.3d 577 (E.D.N.Y. 2015), aff'd, 689 Fed.Appx. 89, 91 (2d Cir. 2017)-are likewise inapposite because credit card numbers, once stolen, can be deactivated, and new numbers obtained. The same cannot be said for DLNs.

b. Traceability

“The ‘causal connection' element of Article III standing, i.e., the requirement that the plaintiff's injury be ‘fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court,' does not create an onerous standard.” Carter, 822 F.3d at 55-56 (cleaned up) (quoting Lujan, 504 U.S. at 560). “[I]t is a standard lower than that of proximate causation.” Id. “The traceability requirement focuses on whether the asserted injury could have been a consequence of the actions of the defendant[.]” Chevron Corp. v. Donziger, 833 F.3d 74, 121 (2d Cir. 2016).

Here, the Complaint alleges-for each Plaintiff-that their injuries are “temporally and logically connected” to the data derived from GEICO's disclosure; that is, GEICO disclosed their DLNs “shortly before” they experienced the fraud “specifically linked to driver's license numbers.” (Compl. ¶¶ 22, 35, 45). These allegations are sufficient to establish the minimal causal connection. E.g., In re USAA Data Sec. Litig., 621 F.Supp.3d 454, 465 n.3 (S.D.N.Y. 2022) (finding plaintiffs satisfied traceability by alleging “that ‘immediately' after the data breach, they suffered the very types of fraudulent activities that are allegedly typically associated with the theft of driver's license numbers: fraudulent insurance and unemployment claims”).

GEICO argues the “alleged unsuccessful employment claims cannot plausibly be traced back to the Incident,” and may have been caused by an unrelated breach. (Defs. Mem. at 16). Counsel's argument is flatly inconsistent with the Notice GEICO issued following the Incident, which concedes GEICO had “reason to believe” the exposed DLNs “could be used to fraudulently apply for unemployment benefits.” (Notice at 1; Compl. ¶¶ 29-30); see Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015) (“It is enough at this stage of the litigation [to establish causation] that Neiman Marcus admitted that 350,000 cards might have been exposed and that it contacted members of the class to tell them they were at risk.”). And as noted, the Complaint alleges causation that can be traced to GEICO-shortly after GEICO's disclosure of the DLNs Plaintiffs suffered the injuries they allege, and they were of a type-namely fraudulent applications for unemployment benefits in their name-specifically linked to unauthorized use of DLNs. (Compl. ¶¶ 22, 35, 45).

In any event, a defendant's speculation about potential other data breaches as causing the plaintiffs' harm does not defeat standing. See In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018) (“That hackers might have stolen Plaintiffs' PII in unrelated breaches, and that Plaintiffs might suffer identity theft or fraud caused by the data stolen in those other breaches (rather than the data stolen from Zappos), is less about standing and more about the merits of causation and damages.”); Remijas, 794 F.3d at 696 (“The fact that Target or some other store might have caused the plaintiffs' private information to be exposed does nothing to negate the plaintiffs' standing to sue.”).

In that vein, GEICO also argues that if the Plaintiffs were indeed victims of banking, credit card, or other fraud, that could not be accomplished without additional data breaches-because such fraud requires social security numbers, for example. And as such, GEICO argues Plaintiffs cannot trace their injury to GEICO's disclosure of DLNs. (Defs. Mem. at 16-17). In other words, one cannot fraudulently apply for a credit card or open a bank account in another person's name using a DLN alone. GEICO misapprehends the traceability standard. “[T]he plaintiff need not prove that the defendant was the sole cause of his injury as long as harm is a ‘predictable effect' of the defendant's actions on the decisions of third parties.” Rieves v. Town of Smyrna, 67 F.4th 856, 862 (6th Cir. 2023) (quoting Dep't of Com. v. New York, 139 S.Ct. 2551, 2566 (2019)); see also Carter, 822 F.3d at 55-56 (“A defendant's conduct that injures a plaintiff but does so only indirectly, after intervening conduct by another person, may suffice for Article III standing.”). And thus, it is sufficient for Plaintiffs to allege that DLNs are a mere gateway to other kinds of personal information and a step to effectuating the ultimate injury (i.e., that DLNs that can then be used “to craft curated social engineering phishing attacks” or “to open fraudulent bank accounts and credit and debit cards”). (Compl. ¶ 83 (emphasis omitted); id. ¶ 91); e.g., Park v. Am. Fam. Life Ins. Co., 608 F.Supp.3d 755, 757 (W.D. Wis. 2022) (finding plaintiff established “traceability” under Article III where plaintiff “recognize[d] that the drivers' license numbers alone would not be sufficient to forge an identity, but allege[d] that drivers' license numbers, in addition to other personal information already gathered from other sources, can provide an opening for fraud, including applying for credit cards or loans or opening bank accounts”); In re GE/CBPS Data Breach Litig., No. 20-CV-2903, 2021 WL 3406374, at *7 (S.D.N.Y. Aug. 4, 2021) (finding standing where plaintiff alleged that exposure of his email address, phone number, employee identification number, and home address “provide[d] hackers the means to commit fraud or identity theft by way of a social engineering attack”); In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 60 (D.C. Cir. 2019) (“[E]ven if the breaches in question did not expose all information necessary to make fraudulent charges on victims' existing financial accounts, the personal data the hackers did manage to obtain is enough, by itself, to enable several forms of identity theft. That fact, combined with the allegations that at least some of the stolen information was actually misused after the breaches, suffices to support a reasonable inference that . . . Plaintiffs' risk of future identity theft is traceable to the . . . cyberattacks.”).

c. Redressability

Where “[t]he requested injunction, by its terms, seeks to prevent future data breaches” as opposed to preventing “future harm stemming from the Data Breach that already occurred,” Miller v. Syracuse Univ., No. 5:21-CV-1073, 2023 WL 2572937, at *11 (N.D.N.Y. Mar. 20, 2023), redressability turns on whether Plaintiffs have alleged that it is “likely,” as opposed to merely “speculative,” that injuries will be remedied by the relief sought. Lujan, 504 U.S. at 561.

Plaintiffs seek an injunction directing GEICO to correct its data security practices, refrain from storing or making accessible personal information, and to “comply with [its] duties of care [by] implement[ing] and maintain[ing] reasonable security measures.” (Compl. ¶ 206). Such measures include, for example, ordering GEICO “not to make PI available on their instant quote webpage,” or to “purge, delete, and destroy” any data not necessary for the provision of services. (Id.). They also seek a declaration that GEICO's “existing security measures do not comply with [its] duties of care to provide adequate security.” (Id.).

GEICO argues the proposed injunction will not redress any threat of future harm because it could not “motivate GEICO to change its practices, as [it] already took immediate action to remedy the unintentional disclosure by disabling the autopopulation.” (Defs. Mem. at 18). As a result, it claims there is no “ongoing misconduct.” (Id.). But aside from the assertion made by counsel in GEICO's brief, this alleged remediation is not mentioned anywhere in the Complaint, the Notice of Data Breach, or in any declaration or affidavit appended to the motion, and so is not in any way supported by evidence in the present record. See Hall v. Bd. of Sch. Comm'rs of Conecuh Cnty., 656 F.2d 999, 1001 (5th Cir. 1981) (“To defeat jurisdiction on [the] basis [of voluntary cessation], however, defendants must offer more than their mere profession that the conduct has ceased and will not be revived.”); Sheely v. MRI Radiology Network, P.A., 505 F.3d 1173, 1184 (11th Cir. 2007) (“The formidable, heavy burden of persuading the court that the challenged conduct cannot reasonably be expected to start up again lies with the party asserting mootness. A defendant's assertion that it has no intention of reinstating the challenged practice does not suffice to make a case moot[.]” (quotations and citations omitted)). In contrast, the Complaint alleges that there is a “continued risk to [Plaintiffs'] PI, which remains in the possession of [GEICO] and is subject to further compromise so long as Defendants fail to undertake appropriate measures to protect the PI in their possession.” (Compl. ¶ 115). Plaintiffs allege-and GEICO has provided nothing to the contrary-that GEICO has “announced few, if any changes” to its data infrastructure or its decision to disclose their information. (Id. ¶ 203). Those allegations suggest that an injunction along the lines proposed by Plaintiffs would have ameliorative effects. See, e.g., In re USAA Data Sec. Litig., 621 F.Supp.3d at 473 (“Because plaintiffs plausibly allege the continued inadequacy of USAA's security measures, they plausibly allege that they face a substantial risk of future harm if USAA's security shortcomings are not redressed, making this dispute sufficiently real and immediate with respect to the parties' legal relations, which are adverse.” (cleaned up) (quotations omitted)); cf. In re Zappos.com, Inc., 888 F.3d at 1030 (“And at least some of their requested injunctive relief would limit the extent of the threatened injury by helping Plaintiffs to monitor their credit and the like.”).

The Notice of Data Breach merely states, in vague and conclusory fashion, that GEICO has “secured the affected website” and “implemented-and continue[s] to implement-additional security enhancements to help prevent future fraud and illegal activities” on its website. (Notice at 1). Nor is it clear from the Notice what is meant by the assurance that GEICO “secured the website.” (See id.).

B. Damages

a. Injury-in-Fact

“[I]n a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 141 S.Ct. at 2210-11; see also Maddox v. Bank of N.Y. Mellon Tr. Co., N.A., 19 F.4th 58, 64 (2d Cir. 2021) (“TransUnion established that in suits for damages plaintiffs cannot establish Article III standing by relying entirely on a statutory violation or risk of future harm[.]”).

Plaintiffs also allege some additional harms, but the Court concludes that the allegations about these injuries are insufficient, standing alone, to establish injury. For example, Plaintiffs allege they suffered “anxiety” and “emotional distress” as a result of GEICO's misconduct. (Compl. ¶ 167). But they offer no reason why (or how) the disclosure of their data has caused them such distress, and as such, they have failed to establish a “concrete and particularized” harm. Maddox, 19 F.4th at 66 (“A perfunctory allegation of emotional distress . . . is insufficient to plausibly allege constitutional standing.”); Gross v. TransUnion, LLC, 607 F.Supp.3d 269, 273 (E.D.N.Y. 2022) (“[P]laintiff's injuries cannot create standing ‘because bare allegations of confusion and anxiety do not qualify as injuries in fact'” (citing Garland v. Orlans, PC, 999 F.3d 432, 440 (6th Cir. 2021))). Plaintiffs also allege as an injury the “loss in value of [their] personal data.” (E.g., Compl. ¶¶ 46-47). However, they “do not allege that they attempted to sell their personal information and were forced to accept a decreased price, nor do they allege any details as to how their specific, personal information has been devalued because of the breach.” In re Practicefirst Data Breach Litig., No. 21-CV-790, 2022 WL 354544, at *7 (W.D.N.Y. Feb. 2, 2022), report and recommendation adopted, 2022 WL 3045319, at *1 (Aug. 1, 2022). And, in the absence of such factual allegations, diminution in value of personal data cannot constitute injury. Cooper v. Bonobos, Inc., No. 21-CV-854, 2022 WL 170622, at *5 (S.D.N.Y. Jan. 19, 2022).

For any one cause of action for damages, a plaintiff need only establish one injury. See In re Zappos.com, Inc., 888 F.3d at 1030 n.15. Plaintiffs allege a number of past injuries that entitle them to damages, without tying them to a particular claim. This is ordinarily insufficient-Mahon v. Ticor Title Ins. Co., 683 F.3d 59, 64 (2d Cir. 2012) (“[A] plaintiff must demonstrate standing for each claim she seeks to press. Thus, with respect to each asserted claim, a plaintiff must always have suffered a distinct and palpable injury to herself.” (quotations and citations omitted))-because a cause of action may provide only entitlement to a certain kind of damages. However, here Defendants, except for the DPPA claim, also do not identify a particular kind of injury necessary for standing (for example, by arguing that emotional harm is insufficient injury for a GBL claim). As such, with the exception of the DPPA claim, the Court assumes-and has no basis to conclude otherwise-that should Plaintiffs establish any one of their putative injuries that would be a sufficient injury for all of their damages claims. And they have established such an injury.

Because “[a]ny monetary loss suffered by the plaintiff,” Carter, 822 F.3d at 55, is a concrete harm, “the time and money spent to respond to a data breach may satisfy the injury-in-fact requirement.” Rand, 2022 WL 15523722, at *3 (citing Rudolph v. Hudson's Bay Co., No. 18-CV-8472, 2019 WL 2023713, at *6-*7 (S.D.N.Y. May 7, 2019)). Here, each of the Plaintiffs spent significant time, effort, and resources addressing the allegedly fraudulent bank accounts, credit card charges, and unemployment claims taken out in their names. (E.g., Compl. ¶¶ 18-21, 25-26 (alleging Viscardi spent time and money to resolve two fraudulent applications for unemployment benefits and an unauthorized attempt to transfer funds from his bank account); id. ¶¶ 32-34 (alleging Dorety filed two police reports and “spent substantial time interacting with TD Bank” to address fraudulent bank account and claim for unemployment benefits); id. ¶¶ 43, 46-47 (alleging Morgan lost time and money to address a fraudulent claim for unemployment benefits)).

GEICO contends that Viscardi's allegations regarding harms occurring after May 6, 2021-the date he entered this action-cannot be considered in determining standing. (Defs. Mem. at 8 n.7). But the Court need not, and does not, rely on post-May 6, 2021 events to conclude he has standing.

The Second Circuit did hold that “where plaintiffs have shown a substantial risk of future identity theft or fraud, any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact.” McMorris, 995 F.3d at 303 (quotations omitted). On the other hand, where plaintiffs “have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.” Id. McMorris was decided before TransUnion, where the Supreme Court held that for damages standing, the “mere risk of future harm standing alone cannot qualify as a concrete harm-at least until the exposure to the risk of future harm itself causes a separate concrete harm.” 141 S.Ct. at 2211. As a result, some courts have called into question whether a party only alleging future risk of injury under McMorris has standing to obtain damages. E.g., Bohnak v. Marsh & McLennan Cos., Inc., 580 F.Supp.3d 21, 29 (S.D.N.Y. 2022); In re Practicefirst Data Breach Litig., 2022 WL 354544, at *4. But that is not this case. Plaintiffs here have suffered the concrete injury required by TransUnion, because they incurred actual mitigation costs-for example, time and efforts spent freezing credit, scrutinizing bank statements and credit card statements, and monitoring accounts for fraudulent activity, (Compl. ¶¶ 26, 37, 44, 47)-based on the heightened substantial risk of additional harm. And they have not simply incurred expenses in the absence of such risk. E.g., Cooper, 2022 WL 170622, at *5 (“As Cooper does not show a substantial risk of future identity theft or fraud, it follows a fortiori that he cannot rely on his own expenses to secure standing.”). But the Court need not resolve that in light of the other injury identified-“the injury-in-fact necessary for standing need not be large; an identifiable trifle will suffice.” In re Methyl Tertiary Butyl Ether (MTBE) Prods. Liab. Litig., 725 F.3d 65, 105 (2d Cir. 2013) (quotations omitted). As such, their injury is not solely predicated on a future risk of harm.

GEICO argues Plaintiffs cannot recover mitigation costs and lost time because they are too speculative. (Defs. Mem. at 12-13). But, in so doing, GEICO misapprehends the Complaint. Here, Plaintiffs are seeking relief for the costs incurred and associated with remedying actual fraud that has already materialized-for example, the time and money to communicate with banks to deal with a fraudulent account-not the costs expended to mitigate a future threat of identity theft. (See Compl. ¶¶ 15, 25-26, 36-37, 46-47). And so, “[e]ven absent a risk of future identity theft, such ‘concrete and particularized losses based on actual time spent responding to' the already-occurred identity thefts are sufficient to demonstrate a concrete injury for the purpose of Article III standing.” In re USAA Data Sec. Litig., 621 F.Supp.3d at 466 (emphasis added); see also Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (“The plaintiffs have standing because the data theft may have led them to pay money for credit-monitoring services, because unauthorized withdrawals from their accounts cause a loss (the time value of money) even when banks later restore the principal, and because the value of one's own time needed to set things straight is a loss from an opportunity-cost perspective. These injuries can justify money damages, just as they support standing.”).

Moreover, GEICO's characterization of Plaintiffs' harms as “unsuccessful attempts at identity theft” not resulting in any concrete injury, (Defs. Mem. at 8-9), is simply inaccurate. The Complaint plainly alleges that each Plaintiff was “notif[ied] . . . of a fraudulent claim for unemployment benefits made in [his/her] name.” (Compl. ¶¶ 18, 31, 42).

With respect to the DPPA claim, the analysis is somewhat distinct.

“The DPPA generally restricts state departments of motor vehicles (‘DMVs') from disclosing personal information drawn from motor vehicle records . . . to prevent its misuse.” Gordon v. Softech Int'l, Inc., 726 F.3d 42, 45 (2d Cir. 2013). The DPPA also regulates “the resale and redisclosure of drivers' personal information by private persons who have obtained that information from a state DMV.” Reno v. Condon, 528 U.S. 141, 146 (2000) (citing 18 U.S.C. § 2721(c)). Such individuals or entities are “subject to a duty of reasonable care before disclosing DPPA-protected personal information.” Gordon, 726 F.3d at 56-57. A re-discloser or re-seller (i.e., one who discloses information to subsequent downstream users) is liable under the DPPA for a third-party recipient's impermissible use of the information. See id. The statute contains a private right of action for individuals whose information is disclosed in violation of the statute. 18 U.S.C. § 2724.

Plaintiffs cannot establish a cognizable injury for their DPPA claim simply by pleading a statutory violation; irrespective of the violation, a concrete injury is still required to meet the Article III requirement. TransUnion, 141 S.Ct. at 2205. A DPPA violation may result in a loss of privacy-that is at least how Plaintiffs have framed their injury. (Compl. ¶¶ 62-68, 123). Indeed, Congress enacted the DPPA because it was “[c]oncerned that personal information collected by States in the licensing of motor vehicle drivers was being released-even sold-with resulting loss of privacy for many persons.” Maracich v. Spears, 570 U.S. 48, 51-52 (2013).

Such intangible injuries may be sufficiently “concrete” to establish an injury-in-fact. Spokeo, Inc., 578 U.S. at 340. “Central to assessing concreteness is whether the asserted harm has a ‘close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts,”-“includ[ing], for example, . . . disclosure of private information[] and intrusion upon seclusion.” TransUnion, 141 S.Ct. at 2200, 2204. And “[t]hat inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.” Id.

And relevant here, the tort of public disclosure of private information (“PDPI”) applies where the defendant “gives publicity to a matter concerning the private life of another” where the matter publicized involves facts that “(a) would be highly offensive to a reasonable person, and (b) [are] not of legitimate concern to the public.” Restatement (Second) of Torts § 652D; TransUnion, 141 S.Ct. at 2204 (recognizing common law privacy tort of “disclosure of private information”); Cox Broad. Corp. v. Cohn, 420 U.S. 469, 489, 493 n.22 (1975) (identifying four branches of common law privacy torts, including “the tort of public disclosure”).

GEICO highlights differences between PDPI and the alleged injury here-namely, that Plaintiffs' data has not been “publicized” to the public at large. (Defs. Mem. at 12; Reply Mem. of Law in Further Supp. of Defs.' Mot. (“Defs. Reply”), Dkt. No. 75 at 2). As a threshold matter, GEICO's authorities on this point are inapposite or unpersuasive or both. But in any event, an “exact duplicate” between the DPPA and the common law tort is not required. TransUnion, 141 S.Ct. at 2204; see also Garey v. James S. Farrin, P.C., 35 F.4th 917, 922 (4th Cir. 2022) (“The Defendants point out some differences between the common law privacy torts and the DPPA, but our inquiry does not require an exact duplicate in American history and tradition. At bottom, the DPPA is aimed squarely at the right of the plaintiff, in the phrase coined by Judge Cooley, ‘to be let alone.'” (quotations and citations omitted)).

In In Re Practicefirst Data Breach Litigation, (Defs. Mem. at 12; Defs. Reply at 2), the court found plaintiffs failed to demonstrate injury where a “complaint allege[d] that a massive amount of data was copied by a hacker and held hostage for payment of a fee.” 2022 WL 354544, at *7. But the basis for so doing was the absence of allegations that the data was “specifically viewed by any one person, let alone that it was disclosed ‘publicly.'” Id. Similarly, the court in Williams v. Portfolio Recovery Associates, LLC found no sufficient common law analogue because the data in that case was, like in TransUnion, never published. No. 21-CV-5656, 2022 WL 256510, at *3 (E.D.N.Y. Jan. 27, 2022). In contrast, here, the data was published, stolen, and allegedly used. And in neither of these cases, or the others cited by GEICO, was the common-law analogue rejected in the context of a DPPA claim.

Moreover, numerous federal courts-including several courts of appeals-have held that an alleged violation of the DPPA can constitute an injury-in-fact because of the intrusion on personal privacy. See, e.g., Garey, 35 F.4th at 922; Heglund v. Aitkin Cnty., 871 F.3d 572, 578 (8th Cir. 2017) (“An individual's control of information concerning her person-the privacy interest the [Plaintiffs] claim here-was a cognizable interest at common law.”); accord Taylor v. Acxiom Corp., 612 F.3d 325, 340 n.15 (5th Cir. 2010). As such, the Court concludes Plaintiffs have established that a DPPA violation has a sufficiently “close relationship” to a common law tort such that the statutory violation does constitute an Article III injury.

b. Traceability and Redressability

GEICO makes no independent traceability or redressability arguments with respect to any of the claims seeking damages.

It is clear that an award of statutory or nominal damages will sufficiently redress Plaintiffs' past injuries. Uzuegbunam v. Preczewski, 141 S.Ct. 792, 802 (2021); Jaffe v. Bank of Am., N.A., 197 F.Supp.3d 523, 529 (S.D.N.Y. 2016) (“[T]he award of statutory damages to compensate plaintiffs for their injuries would redress these injuries.”). And there is no fair argument that Plaintiffs' injury would not be traceable to the data breach, as explained above. Supra at 13-16.

GEICO heavily relies upon two out-of-circuit cases to advance its standing arguments-Baysal v. Midvale Indem. Co., No. 21-CV-394, 2022 WL 1155295 (W.D. Wis. Apr. 19, 2022) and Greenstein v. Noblr Reciprocal Exch., 585 F.Supp.3d 1220, 1228 (N.D. Cal. 2022). (See, e.g., Defs. Mem. at 9, 11, 16-18; Defs. Reply at 4). The Court has addressed the substance of these courts' conclusions in the preceding discussion, but notes that the cases are also factually inapposite. The courts in Baysal and Greenstein found that the harm caused by disclosure of plaintiffs' DLNs was too speculative, and therefore did not satisfy the injury-in-fact or traceability requirements of standing. 2022 WL 1155295, at *2-*3; 585 F.Supp.3d at 1227-32. But in neither case had plaintiffs alleged an actual past injury (e.g., actual misuse of the DLNs resulting in plaintiffs incurring discernable costs). Indeed, the Baysal court noted: “[T]he court does not mean to suggest that access to confidential driver's license numbers could not cause sufficient injury to satisfy Article III standing, but only that without allegations of specific, concrete examples of causal injury or of rampant fraud more generally using this data, as in the case of stolen credit card information, plaintiffs have failed to make that showing.” 2022 WL 1155295, at *3 n.2. And in Greenstein the actual harm allegedly suffered was limited-to a diminution in the value of personal information, privacy loss, and a risk of future harm from information misuse-so any credit monitoring was precautionary, not required, and no actual misuse of information had been alleged. Greenstein, 585 F.Supp.3d at 1228 (“In addition, neither the professional credit monitoring system, nor the rest of the named Plaintiffs and Class Members have detected any form of actual fraud or identity theft that was successfully executed.”). But again, here Plaintiffs have alleged they incurred costs associated with actual identity theft-for example, the fraudulent claims for government benefits and the opening of fake accounts and the costs of the associated remediation-and they have detailed the ways in which DLNs, in conjunction with other personal information, were actually used to commit fraud.

GEICO separately attempts to dismiss each of the claims asserted by Plaintiffs. Each claim is discussed herein.

II. DPPA

The DPPA provides for a civil cause of action against any person who (1) knowingly obtains, discloses, or uses personal information; (2) from a motor vehicle record; (3) for a purpose not permitted under the DPPA. 18 U.S.C. § 2724. Notably, “personal information” is defined to include “driver identification number[s],” 18 U.S.C. § 2725(3), and as such, disclosure of DLNs falls within the statute's purview.

Plaintiffs have sufficiently pled each of these elements, and GEICO has not established that any exception permitting disclosure applies to its conduct.

Plaintiffs allege GEICO knowingly disclosed their DLNs by “choosing” to add the auto-populate feature to its already-existing online quote application, thereby intending to make the DLNs easily obtainable to anyone capable of accessing the internet who entered basic information. (Compl. ¶¶ 6, 8, 59, 78). As for the second element, Plaintiffs allege GEICO obtained their DLNs “from motor vehicle records directly from state agencies or through resellers or third party prefill services who sell such records.” (Id. ¶ 156). And third, the Complaint supports the inference that the disclosure was for an improper commercial purpose, namely to reduce the time necessary to complete the quotation process and increase GEICO's sales volume and revenue. (Id. ¶¶ 5-8, 13). Plaintiffs contend GEICO is subject to the DPPA as a “re-discloser” of personal information, and it breached its duty of care because it should have known of the inherent risks in the auto-populate feature, especially in light of the prevalence of such breaches in the insurance industry at the height of the pandemic. (Id. ¶¶ 157, 160). Plaintiffs have, therefore, stated each of the elements needed for a claim under the DPPA.

None of GEICO's arguments to the contrary have merit.

First, GEICO argues the Complaint fails to allege it knowingly disclosed Plaintiffs' DLNs. (Defs. Mem. at 20). GEICO attempts to craft a specific intent requirement onto the statute. None exists. No portion of the statute imposes that requirement. “Voluntary action, not knowledge of illegality or potential consequences, is sufficient to satisfy the mens rea element of the DPPA.” Senne v. Vill. of Palatine, 695 F.3d 597, 603 (7th Cir. 2012); see also Pichler v. UNITE, 542 F.3d 380, 396 (3d Cir. 2008) (affirming district court's finding that DPPA violation “does not require proof that a defendant had any appreciation that its conduct was impermissible,” noting that contrary view “simply does not fit into the DPPA's statutory scheme”); Enslin v. Coca-Cola Co., 136 F.Supp.3d 654, 670 (E.D. Pa. 2015) (“A ‘knowing disclosure' of [a person's driving information] requires the defendant to take some ‘voluntary action' to disclose the information. This requirement does not mean, however, that the disclosing party knows that the disclosure is potentially illegal, nor must third parties actually see the disclosed information for the disclosure to constitute a violation.” (citation omitted)), aff'd, 739 Fed.Appx. 91, 93 (3d Cir. 2018).

In this vein, GEICO attempts to equate its disclosure of Plaintiffs' DLNs to unauthorized “theft” or hacking by third parties. For example, it relies upon Enslin which involved the theft of 55 laptops containing employees' personal information, and where the court held that “privately holding [PI], even in an unsecured manner, does not constitute a ‘voluntary disclosure' under the DPPA.” 136 F.Supp.3d at 671; (Defs. Mem. at 20). But Enslin rejected the statutory interpretation being advanced by GEICO. The reason that there was no “voluntary disclosure,” and no DPPA violation, was because there was no transmission of information at all-not because defendants failed to possess a heightened mens rea. GEICO similarly cites Allen v. Vertafore, Inc., (Defs. Mem. at 20-21), but the situation was the same there. No. 4:20-CV-4139, 2021 WL 3148870, at *4 (S.D. Tex. June 14, 2021) (“[T]he facts alleged in the Complaint describe Vertafore as having stored the data on servers under Vertafore's control, meaning the data was never actually knowingly disclosed to anyone outside of Vertafore.”), report and recommendation adopted, 2021 WL 3144469, at *1 (July 23, 2021), aff'd, 28 F.4th 613, 615 (5th Cir. 2022), cert. denied, 143 S.Ct. 109 (2022).

GEICO does not fit within these precedents for more material reasons; it mischaracterizes the allegations in the Complaint to downplay its role in the Data Disclosure. Plaintiffs' allegations are not that GEICO was a passive bystander attacked by a third party-which is akin to theft, since the information is secured but nonetheless taken-but instead that GEICO affirmatively displayed DLNs and Plaintiffs' information, and did so without any safeguards. (Compl. ¶¶ 77-78). GEICO published Plaintiffs' DLNs on a public website, virtually placing the information in plain view of any digital “passer-by.” By auto-populating DLNs in its quoting application, it voluntarily made such information visible to the general public-even if it did not know of the resulting harm. This is not a case where unauthorized third-party users merely managed to access an unsecured system; instead, GEICO committed an affirmative act that “granted or facilitated” that access. Allen, 28 F.4th at 617.

Plaintiffs have adequately alleged GEICO knowingly disclosed their DLNs. E.g., Rand, 2022 WL 15523722, at *6 (“Travelers's voluntary decision to auto-populate its quote responses with driver's license numbers constitutes a ‘knowing disclosure' of personal information [under the DPPA].”); In re USAA Data Sec. Litig., 621 F.Supp.3d at 468 (“USAA's voluntary decision to automatically pre-fill its quote forms with driver's license numbers constitutes a ‘knowing disclosure' of personal information.”).

Second, GEICO incorrectly asserts any disclosure was exempt from liability. “Notwithstanding these default rules of non-disclosure, the DPPA [enumerates] fourteen ‘permissible uses'-exceptions from the default rule-for which personal information may be obtained, disclosed, used, or resold.” Gordon, 726 F.3d at 45.

These exceptions are to be read narrowly “to preserve the primary operation” of the DPPA's provisions. Maracich, 570 U.S. at 60-61 (“Unless commanded by the text, [the DPPA's 14 exceptions] ought not operate to the farthest reach of their linguistic possibilities if that result would contravene the statutory design . . . of protecting an individual's right to privacy in his or her motor vehicle records.”). Relevant here is the “insurance exception,” which permits disclosure of personal information “[f]or use by any insurer . . . in connection with claims investigation activities, antifraud activities, rating or underwriting.” 18 U.S.C. § 2721(b)(6).

GEICO says that the Complaint acknowledges that its disclosure was for a permissible purpose (insurance underwriting), and therefore there is no DPPA violation. (Defs. Mem. at 22 (citing Compl. ¶ 68)). But the portion of the pleading it relies on makes no such admission, and in fact, says quite the opposite: “By knowingly using the PI of Plaintiffs and the Class for sales and marketing purposes, and by knowingly disclosing that PI to the public, Defendants ran afoul the purpose of DPPA, and threatened the privacy and safety of licensed drivers, for whose protection the statute was enacted.” (Compl. ¶ 68). So the Complaint says GEICO's purpose was improper and says it was disclosed for sales and marketing, and says nothing about underwriting activities (which is what the exception requires for it to apply). GEICO's purpose argument appears to rely on facts outside the Complaint, in other words. And as such, its entitlement to this exception cannot be resolved on a motion to dismiss. That is, Plaintiffs' assertion in the Complaint that no exception applies, (id. ¶ 144), is sufficient to survive the motion to dismiss.

Moreover, Plaintiffs' factual allegations-when taken together as true and drawing all reasonable inferences in their favor-support the plausible inference that GEICO disclosed their DLNs for an improper profit-seeking purpose, irrespective of whether GEICO also had a permissible purpose. (E.g., id. ¶ 5 (alleging GEICO puts its “own economic interests ahead of consumers' privacy interests”); id. ¶ 6 (describing GEICO's motive as “greas[ing] the wheels of its online insurance sales”); id. ¶ 7 (“GEICO had offered online insurance quotes to applicants long before it incorporated this autopopulation feature, but added the auto-population feature to its online sales system in order to gain competitive advantage in its sales process.”); id. ¶ 13 (referencing “illegal profit-seeking conduct”)). And the DPPA “contains no language that would excuse an impermissible use merely because it was executed in conjunction with a permissible purpose.” Pichler, 542 F.3d at 395 (quotations omitted). In other words, if GEICO used or disclosed a person's information for several purposes-both permissible ones (for example, to conduct underwriting) and impermissible ones-it would still be liable for that impermissible purpose. Id.

GEICO's overreliance on Allen, (Defs. Mem. at 23), pervades this argument as well. Although the court did dismiss the DPPA claim because it found the disclosure came within the “insurance exception,” plaintiffs there failed to allege any facts explaining the improper purpose. 2021 WL 3148870, at *4. Plaintiffs have alleged such facts here. And in Armstrong v. Allied Insurance Co., the plaintiff failed to state a DPPA claim because his complaint alleged an improper rating of his insurance policy, not a misuse of personal information, which is what the statute protects. No. 5:14-CV-424, 2014 WL 12591844, at *4 (C.D. Cal. Aug. 19, 2014). But, again, here there is an alleged misuse.

The Court therefore recommends that the motion to dismiss the DPPA claim be denied.

III. Negligence

“To show negligence under New York state law, a plaintiff must demonstrate ‘(1) the defendant owed the plaintiff a cognizable duty of care; (2) the defendant breached that duty; and (3) the plaintiff suffered damage as a proximate result.'” Ferreira v. City of Binghamton, 975 F.3d 255, 266 (2d Cir. 2020) (quoting Williams v. Utica Coll. of Syracuse Univ., 453 F.3d 112, 116 (2d Cir. 2006)). The Court evaluates each of these elements in turn.

A. Duty

“The definition and scope of an alleged tortfeasor's duty owed to a plaintiff is a question of law.” Pasternack v. Lab. Corp. of Am. Holdings, 27 N.Y.3d 817, 825 (2016); Aegis Ins. Servs., Inc. v. 7 World Trade Co., L.P., 737 F.3d 166, 177 (2d Cir. 2013). “At common law, New York courts evaluate the duty of care by balancing several factors, including ‘the reasonable expectations of parties and society generally, the proliferation of claims, the likelihood of unlimited or insurer-like liability, disproportionate risk and reparation allocation, and public policies affecting the expansion or limitation of new channels of liability.'” In re USAA Data Sec. Litig., 621 F.Supp.3d at 469 (quoting Hamilton v. Beretta U.S.A. Corp., 96 N.Y.2d 222, 232 (2001)). “A critical consideration in determining whether a duty exists is whether ‘the defendant's relationship with either the tortfeasor or the plaintiff places the defendant in the best position to protect against the risk of harm.'” Davis v. S. Nassau Cmtys. Hosp., 26 N.Y.3d 563, 572 (2015) (quoting Hamilton, 96 N.Y.2d at 233).

GEICO argues Plaintiffs were mere “strangers” and lacked a “direct relationship” with GEICO and, as such, a duty of reasonable care does not arise. (Defs. Mem. at 25-26 (noting the Complaint does not allege that any Plaintiff is a GEICO policyholder, visited its website, or accessed its instant quote platform)). That argument is unpersuasive because it ignores GEICO's interactions with Plaintiffs' information, even if it did not interact with Plaintiffs themselves. Plaintiffs were not strangers to GEICO.

Plaintiffs' DLNs were collected and stored by GEICO “unbeknownst” to them. (Compl. ¶¶ 109, 156-57). GEICO, “aware of the importance of safeguarding” Plaintiffs' information-as reflected by the Notice and in its assurances that its “physical safeguards, procedural controls and data access controls protect [consumers'] data from unauthorized access,” (id. ¶¶ 109, 155)-had knowledge that due care was owed in protecting the information in its possession. By collecting and storing Plaintiffs' data- without their knowledge of such collection or their control over the security measures protecting that data-GEICO had a duty to Plaintiffs. Toretto v. Donnelley Fin. Sols., Inc., 583 F.Supp.3d 570, 594 (S.D.N.Y. 2022) (“Mediant received Plaintiffs' personal information while providing its services and stored that information on its servers. Mediant is in the best position to protect information on its own servers from data breach. Further, the SAC alleges that Mediant understood the importance of data security to its business, knew it was the target of cyber-attacks, and touted its data security to current and potential customers.”).

GEICO relies on Hammond v. The Bank of New York Mellon Corp., No. 08-CV-6060, 2010 WL 2643307 (S.D.N.Y. June 25, 2010), in support of its claim that a duty does not exist because Plaintiffs lack direct dealings with GEICO. But as the court in Toretto pointed out, Hammond is unpersuasive. It was decided in 2010, when many courts had yet to conclude loss of identity information was a cognizable injury. 583 F.Supp.3d at 594-95 (“Data breach jurisprudence has developed significantly in the last twelve years. Numerous courts applying New York law have denied motions to dismiss negligence claims in data breach cases.”) (collecting cases). And Hammond also did not consider the factors New York courts balance in evaluating whether a duty exists. Id.

B. Breach, Proximate Causation, and Damages

Plaintiffs sufficiently allege GEICO breached this duty by “failing to adopt, implement, and maintain fair, reasonable, or adequate security measures” despite “reasonably foreseeable internal and external risks.” (Compl. ¶¶ 78, 162); e.g., In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *8 (finding similar allegations “sufficient to sustain a negligence claim”) (collecting cases).

As for proximate causation, a plaintiff “must generally show that the defendant's negligence was a substantial cause of the events which produced the injury.” Derdiarian v. Felix Contracting Corp., 51 N.Y.2d 308, 315 (1980). Proximate causation is a highly fact-specific determination that is often not amenable to resolution on a motion to dismiss. Id.; Sawyer v. Wight, 196 F.Supp.2d 220, 227 (E.D.N.Y. 2002) (“Proximate causation is a factual question left to the fact finder.”).

Here, Plaintiffs allege GEICO disclosed their DLNs “shortly before” experiencing attempts at identity theft and fraud. (E.g., Compl. ¶ 35). GEICO's Notice acknowledged that the disclosure “could be used” to commit fraud. (Id. ¶ 10; Notice at 1). And there are other allegations-including the 2021 DFS alert-suggesting DLNs obtained via online insurance quote websites were widely used by fraudsters to commit fraud, especially in the context of government benefits. (Compl. ¶¶ 71-78). This fraud, in turn, caused Plaintiffs to incur time and expense in remediation. (Id. ¶¶ 26, 34, 37, 44, 47, 102). These allegations, in total, permit the plausible inference that GEICO's disclosure of DLNs was a substantial cause of Plaintiffs' damages.

As for damages, GEICO repeats its traceability argument-that Plaintiffs' alleged damages are too speculative. (Defs. Mem. at 29). The Court has already rejected that argument. See supra at 13-16. And while it is true that damages must be “reasonably certain,” Plaintiffs allegedly incurred costs relating to the mitigation of the actual already-occurred fraud. Supra at 19-22. At this stage, that is sufficient to permit the claim to move forward. In re USAA Data Sec. Litig., 621 F.Supp.3d at 470-71; In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *9 (finding that plaintiffs' allegations of injury-including “expenses and/or time spent on credit monitoring and identity theft insurance; time spent scrutinizing bank statements, credit card statements, and credit reports”-were sufficient to show they incurred concrete damages as a proximate result of a data breach on a motion to dismiss); (see also Compl. ¶ 167).

IV. Negligence Per Se

“In New York, the ‘unexcused omission' or violation of a duty imposed by statute for the benefit of a particular class ‘is negligence itself.'” Chen v. United States, 854 F.2d 622, 627 (2d Cir. 1988) (quoting Martin v. Herzog, 228 N.Y. 164, 168 (1920)). But not every statutory violation constitutes negligence per se; “the statute must evidence an intention, express or implied, that from disregard of its command a liability for resultant damages shall arise which would not exist but for the statute.” Timperio v. Bronx-Lebanon Hosp. Ctr., 384 F.Supp.3d 425, 434 (S.D.N.Y. 2019) (quoting German by German v. Fed. Home Loan Mortg. Corp., 896 F.Supp. 1385, 1397 (S.D.N.Y. 1995)). In other words, there must be some implied or express private right of action in the underlying statute itself.

Plaintiffs' negligence per se claim is based on alleged violations of the FTCA, GLBA, and GBL § 349. (Compl. ¶¶ 172-73). GEICO argues Plaintiffs' negligence per se claim must fail because neither the FTCA nor GLBA contain private rights of action. The Court agrees. “Section 5 [of the FTCA] does not provide a private right of action; instead, the FTCA confers exclusive enforcement authority on the Federal Trade Commission.” In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *10 (citing Alfred Dunhill Ltd. v. Interstate Cigar Co., 499 F.2d 232, 237 (2d Cir. 1974) (“[T]he provisions of the Federal Trade Commission Act may be enforced only by the Federal Trade Commission. Nowhere does the Act bestow upon either competitors or consumers standing to enforce its provisions.”)). The GLBA likewise does not afford an express private right of action. Barroga-Hayes v. Susan D. Settenbrino, P.C., No. 10-CV-5298, 2012 WL 1118194, at *5 (E.D.N.Y. Mar. 30, 2012) (“Congress made clear that no private individual may seek to enforce the GLBA's provisions.”) (collecting cases).

And courts in New York and this Circuit have declined to imply a private cause of action. See, e.g., Rider v. Uphold HQ Inc., No. 22-CV-1602, 2023 WL 2163208, at *7 (S.D.N.Y. Feb. 22, 2023) (dismissing negligence per se claim for violations of the FTCA and GLBA because “a decision to allow such a claim would effectively afford a private right of action that the statute does not recognize-contravening the legislative scheme”); Cohen v. Ne. Radiology, P.C., No. 20-CV-1202, 2021 WL 293123, at *7 (S.D.N.Y. Jan. 28, 2021) (“That [the] statutory scheme [does not] create[] a private right of action weighs heavily against implying a private right of action necessary to sustain a negligence per se claim based upon . . . the FTC Act.”). Nor is the Court aware of any other court, despite many an opportunity to do so, finding that a negligence per se claim can be based on an underlying FTCA or GLBA violation.

As for using GBL § 349 as a predicate, the Court is recommending dismissal of that claim, as discussed below. And as such, any claim for negligence per se based upon GBL § 349 must also necessarily fail. Cf. Johnson v. Hunter Warfield, Inc., No. 22-CV-122, 2022 WL 1421815, at *4 n.4 (N.D.N.Y. May 5, 2022) (“[P]laintiff's . . . negligence per se claim fails because it is based on an alleged violation of the FDCPA, which the Court has already determined is meritless.”).

V. General Business Law § 349

“New York's General Business Law prohibits the use of deceptive acts or practices and false advertising in the conduct of any business, trade or commerce.” Axon v. Florida's Nat. Growers, Inc., 813 Fed.Appx. 701, 704 (2d Cir. 2020) (quotations and brackets omitted) (citing N.Y. Gen. Bus. Law §§ 349 & 350). “To make out a prima facie case under Section 349, a plaintiff must demonstrate that (1) the defendant's deceptive acts were directed at consumers, (2) the acts are misleading in a material way, and (3) the plaintiff has been injured as a result.” Chufen Chen v. Dunkin' Brands, Inc., 954 F.3d 492, 500 (2d Cir. 2020) (quoting Maurizio v. Goldsmith, 230 F.3d 518, 521 (2d Cir. 2000)). Plaintiffs argue GEICO failed to develop “reasonable safeguards to protect this information [i.e., the DLNs] despite its express representations to the contrary.” (Pls.' Opp'n to Defs.' Mot., Dkt. No. 74 at 34). But the only “express representation” in the Complaint is one purportedly made in GEICO's “internal policies and procedures,” which state: “GEICO.com's physical safeguards, procedural controls and data access controls protect your data from unauthorized access.” (Compl. ¶ 155). The Complaint also alleges in conclusory fashion that GEICO engaged in deceptive acts by “omitting, suppressing, and concealing the inadequacy of [its] security protections.” (Id. ¶ 181).

Such conclusory pleading and argument-without explanation about how such a vanilla statement constitutes a deceptive act-is insufficient to state a § 349 claim. Snyder v. Allen, No. 18-CV-8238, 2020 WL 1233815, at *4 (S.D.N.Y. Mar. 13, 2020).

Significantly, it is not alleged that the one statement made by GEICO, recited in Paragraph 155 of the Complaint, was public and directed at consumers. In Cohen, the court found the defendant's failure to disclose purportedly inadequate data security measures-an omission-constituted a “deceptive act or practice” within the meaning of § 349. 2021 WL 293123, at *9. There, the court found that, by touting the adequacy of its security measures, the defendant misled a reasonable consumer into thinking it was providing more adequate data security than it purportedly was. Id. Those security measures were publicly available on the defendant's website. Id. at *8.

In contrast, Plaintiffs have not alleged that the statement about GEICO's security measures was made available to consumers in any form; nor have Plaintiffs alleged that they actually saw any such statement (and it is axiomatic that they could not have because the statement was never public nor distributed). These deficiencies are fatal to the claim: “To establish the requisite causal connection between an alleged written misrepresentation and the resulting injury, [a] plaintiff must plausibly allege that she actually viewed the misleading statement prior to making her decision to purchase, and must set forth where, when and how she came to view it.” Devey v. Big Lots, Inc., No. 21-CV-6688, 2022 WL 6827447, at *4 (W.D.N.Y. Oct. 12, 2022) (quotations omitted) (collecting cases); Himmelstein, McConnell, Gribben, Donoghue & Joseph, LLP v. Matthew Bender & Co., 172 A.D.3d 405, 406 (1st Dep't 2019) (affirming dismissal of GBL § 349 claim where “the complaint fail[ed] to allege that the [plaintiffs] ever saw the allegedly deceptive representations that purportedly harmed them”), aff'd, 37 N.Y.3d 169, 182 (2021).

VI. Intrusion Upon Seclusion

“New York has consistently refused to recognize a common law right of privacy, and hence there is no cause of action of intrusion upon seclusion under New York law.” Hamlett v. Santander Consumer USA Inc., 931 F.Supp.2d 451, 458 (E.D.N.Y. 2013); accord Howell v. N.Y. Post Co., 81 N.Y.2d 115, 123 (1993) (“[I]n this State the right to privacy is governed exclusively by sections 50 and 51 of the Civil Rights Law; we have no common law of privacy.”); see also Hoo-Chong v. Citimortgage, Inc., No. 15-CV-4051, 2016 WL 868814, at *4 (E.D.N.Y. Mar. 7, 2016) (dismissing intrusion claim). Because Plaintiffs' intrusion upon seclusion claim is not recognized, the Court's recommendation is that the dismissal of this claim be with prejudice.

Plaintiffs do not address GEICO's arguments in support of dismissing the intrusion claim in their opposition. “A district court ‘may, and generally will, deem a claim abandoned when a plaintiff fails to respond to a defendant's arguments that the claim should be dismissed.'” Jennings v. Hunt Cos., Inc., 367 F.Supp.3d 66, 69 (S.D.N.Y. 2019) (quoting Felix v. City of New York, 344 F.Supp.3d 644, 654-55 (S.D.N.Y. 2018)) (collecting cases). Accordingly, here, Plaintiffs' abandonment is an independent basis for dismissal. E.g., Randall v. Dish Network, LLC, No. 2:17-CV-5428, 2018 WL 3235543, at *5 (E.D.N.Y. July 2, 2018) (dismissing claims “in light of the Plaintiff's failure to address [them] in his opposition papers”) (collecting cases).

VII. Declaratory & Injunctive Relief

Though Plaintiffs plead declaratory and injunctive relief as a separate count, they are not an independent cause of action. Rather, declaratory judgments and injunctions are specific types of remedies a plaintiff may be awarded when an underlying substantive right has been violated. Chevron Corp. v. Naranjo, 667 F.3d 232, 244 (2d Cir. 2012) (“The [Declaratory Judgment Act] is procedural only, and does not create an independent cause of action.” (quotations and citations omitted)); Budhani v. Monster Energy Co., 527 F.Supp.3d 667, 688 (S.D.N.Y. 2021) (“[A] request for injunctive relief is not an independent cause of action [but] is merely the remedy sought for the legal wrongs alleged in the substantive counts.” (quotations and citations omitted)). Because the Court has concluded Plaintiffs have standing to seek prospective relief, see supra, GEICO's request to dismiss this count-which the Court interprets as a prayer for relief rather than an independent free-standing claim-is denied.

* * * *

Thus, an injunction could not be obtained if all the claims were dismissed. But the negligence and DPPA claims survive, for which an injunction and/or declaratory judgment could plausibly be the appropriate remedy.

In a flurry of briefing often lost is the persuasive power of cases with similar facts.

GEICO's briefs cite a bevy of authorities, but many, if not most, are from other Circuits or, while generally involving data privacy, hacking or internet security, are not on all fours with the present set of allegations made by these Plaintiffs. Two recent cases decided by the Court's sister-district, the Southern District of New York, are, however, enlightening: In re USAA Data Security Litigation, 621 F.Supp.3d 454, and Rand v. Travelers Indemnity Co., 2022 WL 15523722. Both cases were putative class actions arising out of the disclosure of driver's license numbers by insurance companies United Services Automobile Association and Travelers Indemnity Co. respectively to non-party cybercriminals. Each company designed an online quote platform that auto-populated an individual's driver's license number when “minimal information”-such as a name, address, and date of birth-was entered. 621 F.Supp.3d at 462; 2022 WL 15523722, at *1. The named plaintiffs in both alleged they did not have any relationship of any kind with the insurance companies-they were not members or customers, nor did they ever apply for insurance with either company before. 621 F.Supp.3d at 462; 2022 WL 15523722, at *1. After being notified their DLNs were compromised, the plaintiffs sued, alleging a “loss of privacy” and seeking damages for the “valuable time and resources” expended to guard against “the heightened risk” of fraud. 621 F.Supp.3d at 462-63; 2022 WL 15523722, at *1-*2.

The claims brought in both cases mirrored those here-including claims for negligence and negligence per se, and violations of the DPPA and GBL § 349. In resolving motions to dismiss, Judge Briccetti held-in both cases-that plaintiffs had established Article III standing-including by demonstrating a substantial risk of future identity theft-and also that they stated plausible claims under the DPPA and for negligence and negligence per se. However, he dismissed the GBL claims.

The Court finds the reasoning and result in these factually similar cases instructive. All GEICO can muster in response is that it disagrees with the results in these cases, (Defs. Mem. at 7 n.4; Defs. Reply at 2 n.3; id. at 6-7), but it provides no principled basis to distinguish them. And as such, the Court finds it appropriate to follow them largely, if not entirely, in result.

Unlike In re USAA and Rand, the Court here is recommending that Plaintiffs' negligence per se claim be dismissed. That is because the plaintiffs in those cases based their negligence per se claim in part upon a violation of the DPPA; here, Plaintiffs rely solely on duties imposed by the FTCA and GLBA.

CONCLUSION

For the reasons described above, the Court respectfully recommends GEICO's motion to dismiss be granted in part and denied in part as follows:

1. GEICO's motion to dismiss Counts III (negligence per se), IV (GBL § 349), and V (intrusion upon seclusion) is granted. The dismissal of the intrusion upon seclusion claim should be with prejudice.

2. The motion to dismiss Counts I (DPPA), II (negligence), and VI (declaratory and injunctive relief) is denied.

3. The request to dismiss Plaintiffs Mirvis, Brody, and Connelly is granted.

GEICO contends that the Complaint's various references to attorney's fees should be stricken because certain claims do not provide for such recovery. (Defs. Mem. at 39 n.54). But Plaintiffs' fee request is in the general prayer for relief, (see Compl. at 53), and they do not use the term “attorney's fees” in connection with specific claims, except where the statute actually provides for them. (E.g., id. ¶¶ 149, 185).

Any objections to the Report and Recommendation above must be filed with the Clerk of the Court within 14 days of service of this report. Failure to file objections within the specified time may waive the right to appeal any judgment or order entered by the District Court in reliance on this Report and Recommendation. See 28 U.S.C. § 636(b)(1); Fed.R.Civ.P. 72(b)(2); see also Caidor v. Onondaga County, 517 F.3d 601, 604 (2d Cir. 2008) (“[F]ailure to object timely to a magistrate[ ] [judge's] report operates as a waiver of any further judicial review of the magistrate[ ] [judge's] decision.” (quotations omitted)).

SO ORDERED.



Citing Cases

Troy v. Am. Bar Ass'n

” In re GEICO Customer Data Breach Litig., No. 21-CV-2210 (KAM) (SJB), 2023 WL 4778646, at *17…