In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND Southern Division
Oct 26, 2020
MDL No. 19-md-2879 (D. Md. Oct. 26, 2020)

IN RE: MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY BREACH LITIGATION

THIS DOCUMENT RELATES TO: ALL CONSUMER ACTIONS


MEMORANDUM OPINION

This Multidistrict Litigation ("MDL") involves five separate litigation tracks, including the consolidated complaint filed by the Consumer Plaintiffs ("Plaintiffs" or "Consumer Plaintiffs") against Marriott International, Inc. ("Marriott") and related entities following one of the largest data breaches in history. The Plaintiffs named Accenture LLP ("Accenture"), a third-party provider of information technology ("IT") services to Starwood Hotels & Resorts ("Starwood"), an entity subsequently acquired by Marriott, as a defendant in their consolidated complaint and argue that Accenture is liable for injuries sustained as a result of the data breach under various states' theories of tort law. In essence, the Consumer Plaintiffs allege that, in Accenture's contract with Starwood, Accenture intentionally undertook to protect the security of the personal and financial information of Starwood's customers who accessed and updated Starwood's database as part of their making reservations to stay at Starwood properties. Accenture moved to dismiss, arguing that Plaintiffs lack standing and fail to state a claim. Def.'s Mot., ECF No. 465. For the reasons discussed below, Accenture's motion to dismiss the Plaintiffs' claim for negligence per se under Maryland law is granted, but its motion to dismiss the remaining tort claims is denied.

Second Amended Consolidated Complaint ("Compl."), ECF Nos. 413 (sealed), 537 (redacted). The Second Amended Consolidated Complaint is a superseding complaint as to all other complaints in this MDL filed on behalf of consumers. Compl. ¶ 6.

Plaintiffs named both Accenture LLP and Accenture plc as defendants in the complaint. However, the Court ratified an agreement wherein the Plaintiffs agreed to dismiss Accenture plc without prejudice in exchange for Accenture LLP's willingness to cooperate with discovery requests and for assurance that Plaintiffs are able to amend their complaint to name Accenture plc if the Plaintiffs "discover[] information that demonstrates that Accenture plc and/or Accenture Limited International is subject to the jurisdiction of this Court." Stipulation 3, ECF No. 523.

The motion has been fully briefed. See ECF Nos. 465-1, 495, 502 (sealed, unredacted versions). The docket also reflects redacted versions of the filings, ECF Nos. 464, 481, 504. A hearing is not necessary. See Loc. R. 105.6 (D. Md. 2018).

Factual Background

For purposes of considering Accenture's motion to dismiss, this Court takes the facts alleged in the Second Amended Consolidated Complaint as true. See Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009). In 2009, Accenture contracted to provide IT support to Starwood in the form of: "development, testing, maintenance, and running of the applications, . . . server and storage management, data center management, end-user computing, network management and service desk management." Compl. ¶ 242. Starwood and Accenture renewed their contract in 2015. Compl. ¶ 244. After Marriott acquired Starwood in 2016, Accenture continued to provide IT services to Starwood and thereafter to Marriott and continued to manage the operation of Starwood's guest reservation database, which Marriott hosted on its hardware in a data center in Phoenix, Arizona. Compl. ¶¶ 247-48.

Accenture was responsible for outlining and implementing Starwood's IT policies. Specifically, Accenture set policies for corporate firewalls, monitored alarm systems and the transmission of information from extrinsic sources, and performed quarterly audits of Starwood's IT systems to ensure that its procedures were being executed properly. Compl. ¶ 249. Some of the policies that Accenture developed echo its role in "managing Starwood's networks and identifying security threats," such as the infrastructure patch management procedure and the security work instructions for generic account remediation. Compl. ¶ 250.

Starwood and Accenture both recognized Accenture's role in protecting the personal identifying information of guests whose data was stored on Starwood's guest reservation database. Starwood's "IT Security Event & Incident Response Plan" included an explanation of Accenture's duties, stating that "Accenture identifies and analyzes suspicious activity and creates security alerts directed to the Information Risk & Security's Incident Management team." Compl. ¶ 251. Accenture recently described this role in a public filing, in which it acknowledged that it often stores and manages sensitive or confidential client personal data, the unauthorized disclosure of which, whether at the hands of hackers, or caused by employee negligence or other causes, could expose the firm to legal liability. Compl. ¶ 254.

Accenture U.S. SEC 2018 Form 10-K at 11, https://www.accenture.com/_acnmedia/PDF-89/Accenture-2018-10-K.pdf (last accessed August 8, 2020).

On September 7, 2018, the IBM Guardium tool alerted Accenture and Marriott that there had been an "unusual query" on the Starwood guest reservation database. Compl. ¶¶ 177-78. On November 30, 2018, Marriott announced that it was the target of one of the largest data breaches in history. Compl. ¶ 1. An investigation revealed the troubling news that hackers had obtained unauthorized access to Starwood's database and had been extracting data from it for over four years. Compl. ¶¶ 1-2, 146. During this four-year data breach, hackers allegedly stole names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender information, arrival and departure information, reservation dates, communication preferences, payment card numbers, payment card expiration dates, and tools needed to decrypt cardholder data. Compl. ¶ 2. Further, several files that hackers "exfiltrated" (which is techno-speak for surreptitiously removed) were deleted, so Marriott does not fully know how much data was stolen. Compl. ¶ 2. In total, Marriott disclosed that the breach impacted at least 383 million guest records, including nearly 24 million passport numbers and information about more than 9 million credit and debit cards. Compl. ¶ 3.

Consumer Plaintiffs across the country began filing suits against Marriott, which were consolidated in this MDL. MDL Transfer Order, ECF No. 1. The Consumer Plaintiffs and Marriott selected ten "bellwether" claims to test the sufficiency of the pleadings. Selection of Bellwether Claims, ECF No. 368. The Consumer Plaintiffs and Marriott each identified five claims, each one consisting of a cause of action based on the law of a particular state that had been pleaded in the Second Amended Consolidated Complaint. Id. On February 21, 2020, I issued a Memorandum Opinion granting in part and denying in part Marriott's motion to dismiss the bellwether Consumer Plaintiffs' claims. ECF No. 540, published at In re Marriott International, Inc., Customer Data Security Breach Litigation, 440 F. Supp. 3d 447 (D. Md. 2020).

The proceedings against Accenture at issue here proceeded on a different track. Consumer Plaintiffs allege two counts against Accenture for negligence and negligence per se stemming from Accenture's role in the Marriott data breach. Compl. ¶¶ 1342-53. The Consumer Plaintiffs allege that Accenture: knew that the database stored confidential information, was specifically tasked with identifying security threats to prevent disclosure of this sensitive information, failed to identify those threats, and was directly and proximately responsible for causing the data breach. Compl. ¶¶ 1342-53. Consumer Plaintiffs allege that because of the breach, they have spent time, money, and effort mitigating the risks associated with identity fraud, have lost the value of their personal information, and have overpaid for Marriott's services. Compl. ¶¶ 1342-56; Pls.' Opp'n 19 n.12, ECF No. 495.

Accenture moves to dismiss the tort claims against it. To focus the issues, the parties have selected specific plaintiffs and jurisdictions to test the claims. Specifically, the parties' briefing focuses on negligence claims under the laws of Maryland, Connecticut, and Florida, and negligence per se claims under the laws of Maryland, Connecticut, and Georgia. Joint Status Report, ECF No. 438. Accenture argues that the Plaintiffs lack standing and fail to state a claim upon which relief can be granted and therefore moves to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Def.'s Br. Supp. Mot. Dismiss ("Def.'s Br.") 1-2, ECF No. 465-1.

The named plaintiffs from these states are plaintiffs Amarena (Connecticut), Lawrence (Florida), Bittner (Florida), Hevener (Florida), Long (Georgia), Viggiano (Georgia), Miller (Georgia), Maldini (Maryland), and Ryans (Maryland). Compl. ¶¶ 32, 37-39, 52-53.

Accenture also argued that their parent company, Accenture plc, should be dismissed as a defendant pursuant to Federal Rule of Procedure 12(b)(2), but Plaintiffs subsequently dismissed Accenture plc without prejudice. See supra note 2.

Standard of Review

Under Fed. R. Civ. P. 12(b)(1), the plaintiff bears the burden of proving subject matter jurisdiction by a preponderance of the evidence. U.S. ex rel. Vuyyuru v. Jadhav, 555 F.3d 337, 347-48 (4th Cir. 2009). In a facial challenge to subject matter jurisdiction, as Accenture asserts here, "the facts alleged in the complaint are taken as true, and the motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction." Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009).

Fed. R. Civ. P. 12(b)(6) provides for the dismissal of a complaint for "failure to state a claim upon which relief can be granted." This rule's purpose "'is to test the sufficiency of a complaint' and not to 'resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses.'" Presley v. City of Charlottesville, 464 F.3d 480, 483 (4th Cir. 2006) (quoting Edwards v. City of Goldsboro, 178 F.3d 231, 243 (4th Cir. 1999)). To survive a motion to dismiss, a complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief[.]" Fed. R. Civ. P. 8(a)(2). Specifically, Consumer Plaintiffs must establish "facial plausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). However, "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007)). But at this juncture, the Plaintiffs are only obligated to plead their claims, not prove them. Therefore, I must accept the well-pleaded facts as alleged in their complaint as true. See Aziz v. Alcolac, 658 F.3d 388, 390 (4th Cir. 2011). And, I must construe the factual allegations "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC, 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango, 743 F.2d 1060, 1062 (4th Cir. 1984)).

Discussion

Consumer Plaintiffs assert claims of negligence and negligence per se. Accenture moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(1), arguing that Plaintiffs lack standing because they have not sufficiently alleged that they have suffered injury that was caused by Accenture. Def.'s Mot. 1. Accenture also moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(6), arguing that all Plaintiffs' negligence claims must be dismissed because both the economic loss doctrine and the special relationship requirement absolve Accenture from owing the Plaintiffs a duty of care. Further, Accenture argues that Plaintiffs have failed to sufficiently plead breach, causation, and damages for their negligence claims. Lastly, Accenture argues that Plaintiffs' negligence per se claims must be dismissed because violation of Section 5 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 45, is not sufficient to serve as the predicate for negligence per se. Def.'s Br. 1-3.

Plaintiffs Have Standing to Sue

To satisfy constitutional standing requirements, a plaintiff must have suffered an "injury in fact," that has a causal connection to the conduct complained of and which can be "redressed by a favorable decision." Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992) (quoting Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976)). Article III standing must be found to exist before a court may address the merits. Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 94 (1998). When a defendant challenges a plaintiff's standing at the motion to dismiss stage, I must "accept as true all material allegations of the complaint and construe the complaint in favor of the complaining party." S. Walk at Broadlands Homeowner's Ass'n, Inc. v. OpenBand at Broadlands, LLC, 713 F.3d 175, 181-82 (4th Cir. 2013) (quoting David v. Alphin, 704 F.3d 327, 333 (4th Cir. 2013)).

Consumer Plaintiffs have alleged: that the data breach was perpetrated by criminal hackers who gained access to the database as a result of Accenture's negligence; that each named representative's personal identifying information (including payment card information), which was stored on the Starwood guest reservation database, was compromised; that several bellwether Plaintiffs (and one class representative, Hevener), have experienced misuse of their personal information as a result of the breach; and that all Plaintiffs face imminent substantial risk of identity theft as a result of the breach. Compl. ¶¶ 1342-53.

In Marriott's motion to dismiss the bellwether claims, it argued that the Consumer Plaintiffs lacked standing. Accenture "incorporate[d] by reference all of Marriott's arguments for why plaintiffs have not alleged injury-in-fact sufficient for Article III standing." Def.'s Reply 12, ECF No. 502. Unsurprisingly, Consumer Plaintiffs "incorporate[d] by reference" their response in opposition to Marriott's motion to dismiss. Pls.' Opp'n 2.

Accenture does not dispute that the alleged injuries could be redressed by a favorable decision. Rather, the challenge is whether the Consumer Plaintiffs have adequately alleged that they suffered injury-in-fact that is traceable to Defendant's conduct.

a. Consumer Plaintiffs have sufficiently pleaded plausible injury-in-fact

The Fourth Circuit has shed light on what type of injuries that arise out of data breaches are constitutionally sufficient to confer Article III standing on plaintiffs. Specifically, it has held that an alleged injury in an identity theft case is constitutionally sufficient under two recognized circumstances: (1) through actual injury of identity theft; or (2) a threatened injury based on substantial risk of future identity theft that is sufficiently imminent. Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018). If either of these tests is met, recoverable damages include the costs incurred in protecting against identity theft. Id. Moreover, other district courts have recognized additional types of injuries that may be sufficient to establish actual or threatened harm that is sufficient to confer standing in cases involving the unauthorized dissemination of plaintiff's data. See In re Facebook, Inc., Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 786-87 (N.D. Cal. 2019) (holding that plaintiffs had standing by alleging that they suffered a privacy invasion when Facebook made private information available to third parties who then developed dossiers on the plaintiffs); see also In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014) (finding that plaintiffs were injured when they alleged they did not receive the benefit-of-the-bargain because had they known Adobe was not providing reasonable security, they would not have paid as much for Adobe products).

For the reasons stated in my Memorandum Opinion denying Marriott's motion to dismiss the Consumer Plaintiffs' complaint (which I rely on here), Plaintiffs here have sufficiently alleged injuries as a result of the data breach to establish injury-in-fact for Article III standing. In re Marriott, 440 F. Supp. 3d at 460-67 (finding that bellwether Plaintiffs had sufficiently alleged injury-in-fact based on (1) their allegations of actual and threatened harm in the form of identity theft; (2) their alleged loss in time and money spent to mitigate the harm; (3) their alleged loss in value of their personal information; and (4) their benefit-of-the-bargain and overpayment theories).

b. Consumer Plaintiffs have sufficiently alleged that their injuries-in-fact are traceable to Accenture

Similarly to Marriott's arguments in its motion to dismiss the Consumer Plaintiffs' complaint, Accenture argues that class representative Hevener, who alleged misuse of personal information in the form of fraudulent credit card accounts that were applied for in her name, lacks standing because the injuries are not fairly traceable to Accenture's conduct. Def.'s Br. 24. Accenture argues that because Hevener did not provide a social security number to Marriott, the injuries are not traceable to Accenture because a social security number is required to open a credit card account. Id.

I previously addressed and rejected these arguments in my Memorandum Opinion denying Marriott's motion to dismiss the Consumer Plaintiffs' complaint. In re Marriott, 440 F. Supp. 3d at 466-67. I explained that failure to allege stolen social security numbers is not dispositive when assessing alleged claims of credit card fraud under Fourth Circuit precedent and that cases authored by the Ninth Circuit, Seventh Circuit, and Northern District of California have found allegedly stolen credit card numbers alone sufficient to commit identity theft and fraud. Id. (citing Hutton, 892 F.3d at 623; In re Zappos.com, Inc., 888 F.3d 1020, 1027 (9th Cir. 2018); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016); Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1034 (N.D. Cal. 2019)). For the same reasons, I find that Hevener has adequately alleged that her injuries are traceable to Accenture's conduct.

Failure to State a Claim

As already noted, the Consumer Plaintiffs bring this action against Accenture under two theories of tort liability, negligence and negligence per se. Compl. ¶¶ 1342-56. Accenture argues that Plaintiffs fail to state a claim under a negligence theory because both the economic loss doctrine and the absence of a special relationship between the parties excuse Accenture from owing Plaintiffs a duty to act reasonably, and because the Plaintiffs have not pleaded facts showing that Accenture acted unreasonably in causing Plaintiffs' injuries. Def.'s Br. 1-2. Accenture additionally argues that Plaintiffs fail to state a claim under a negligence per se theory because Congress did not intend Section 5 of the FTC Act to protect customers from the negligent acts of a third-party service provider. Id. I will first address whether the Plaintiffs have sufficiently pleaded a claim of negligence under Maryland, Connecticut, and Florida law. Then I will address whether the Plaintiffs have sufficiently pleaded a claim of negligence per se under Maryland, Connecticut, and Georgia law. As required by Erie Railroad Co. v. Tompkins, 304 U.S. 64, 58 (1938), for each of the claims discussed below, I must apply the law of the relevant state's highest court or, if it has not spoken to the issue, predict how the state's highest court would rule. See Private Mortg. Inv. Servs., Inc. v. Hotel & Club Assocs., Inc., 296 F.3d 308, 312 (4th Cir. 2002).

Economic harms are injuries that are neither to the plaintiffs' persons nor their property. See Exxon Shipping Co. v. Baker, 554 U.S. 471, 509 n. 21 (2008) ("The common law traditionally did not compensate purely economic harms, unaccompanied by injury to person or property.") (citing K. Abraham, Forms and Functions of Tort Law 247-48 (3d ed. 2007)). Here, Plaintiffs allege that they have suffered injuries in the form of lost time and money, but they also have alleged that they lost value in their personal identifying information, i.e., loss in value of a property right. Pls.' Opp'n 4. Plaintiffs argue that the harms they allege are not purely economic losses, citing Hameed-Bolden v. Forever 21 Retail, Inc., No. CV1803019SJOJPRX, 2018 WL 6802818, at *5 (C.D. Cal. Oct. 1, 2018) (noting that loss of value in personal information "may represent 'property damages' as a legal matter," but ultimately finding that plaintiffs failed to establish that the theft of their personal information damaged them in a non-economic manner); and Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1039 (N.D. Cal. 2019) (holding that plaintiffs' alleged loss of time was not an economic injury, and therefore, economic loss rule did not bar negligence claim under California law). In In re Marriott, I found that plaintiff adequately alleged loss of value in personal information to establish injury-in-fact for Article III standing. 440 F. Supp. 3d at 460-62. I ultimately did not decide whether Illinois courts would recognize the loss in value of one's personal information as loss in a property right. Id. at 475-76. I again do not decide this issue under the laws of Maryland, Connecticut, and Florida because even if the harms are purely economic, Plaintiffs have stated a claim under established tort law doctrines of those jurisdictions upon which relief could be granted.

Accenture additionally argues that the Consumer Plaintiffs are requesting this Court to recognize an "unprecedented tort duty." Def.'s Br. 12-16. Accenture contends that the Plaintiffs confuse tort and contract law, inasmuch as no court ever has held that a third-party service provider (like Accenture) that entered into a service-provider contract with an entity (such as its contract with Starwood/Marriott) owes a duty to the entity's customers when those customers claimed to have been injured by the service provider's failure to perform in accordance with its contract. Id. And, for good measure, Accenture argues that if I were to do so now, I would be acting outside of my lane, as an unelected legislature of one, imposing liability under unprecedented circumstances. Id. For the reasons I will explain, I find that Accenture owes the Consumer Plaintiffs a duty of care under established negligence—not contract—law and thereby avoid trespassing into the legislative arena.

Negligence - Maryland

Maryland class representatives Maldini and Ryans allege claims of negligence under Maryland law. See Compl. ¶¶ 52-53, 1342-43. Under Maryland law, plaintiffs can recover for negligence if they can prove the following elements: "(1) that the defendant was under a duty to protect the plaintiff from injury, (2) that the defendant breached that duty, (3) that the plaintiff suffered actual injury or loss, and (4) that the loss or injury proximately resulted from the defendant's breach of the duty." Valentine v. On Target, Inc., 727 A.2d 947, 949 (Md. 1999) (internal quotation marks omitted). Maryland courts define duty as "an obligation, to which the law will give recognition and effect, to conform to a particular standard of conduct toward another." Patton v. United States of America Rugby Football, 851 A.2d 566, 571 (Md. 2004) (internal quotations omitted). Plaintiffs argue that Accenture is liable to them for negligence because it owed them a duty to perform its contract with Starwood reasonably, so as to protect Plaintiffs' personal information. And, they assert, Accenture breached that duty by failing to detect the four-year long data breach and by failing to implement reasonable data security systems. Compl. ¶¶ 1342-46.

a. Plaintiffs have sufficiently pleaded that Accenture owed them a duty of care under Maryland law despite suffering purely economic harms

Maryland courts do not allow plaintiffs to recover for economic loss under a theory of negligence if they did not suffer physical injury, and if they are not in contractual privity with the defendant, unless the plaintiff can establish the equivalent of a contractual relationship sufficient to establish an "intimate nexus" with the defendant. Chicago Title Ins. v. Allfirst Bank, 905 A.2d 366, 377-78 (Md. 2006); Balfour Beatty Infrastructure, Inc. v. Rummel Klepper & Kahl, LLP, 155 A.3d 445, 454 (Md. 2017). As the Maryland Court of Appeals observed in Chicago Title, "the reason for the privity requirement is to 'limit the defendant's risk exposure to an actually foreseeable extent,' allowing a defendant to control the risk to which he or she is exposed." 905 A.2d at 380 (internal citations omitted). An "intimate nexus between the parties" is the equivalent of privity, because it ensures that the plaintiff and defendant were sufficiently close to justify finding a tort duty running from the defendant to the plaintiff. Id. at 379 (citing Jacques v. First Nat'l Bank of Md., 515 A.2d 756, 759-60 (Md. 1986)). In other words, when the nexus between a potential plaintiff and the defendant is an "intimate one," it makes the risk of exposure to a claim by that plaintiff "foreseeable," and concomitantly allows the defendant to control the risk of its exposure to that plaintiff. The Maryland Court of Appeals further explained that the intimate relationship between a tort claimant and a defendant approaches privity when it is "such that would allow the defendant to predict its liability exposure." Walpert, Smullian & Blumenthal, P.A. v. Katz, 762 A.2d 582, 606 (Md. 2000). When deciding whether the relationship between parties is sufficient to establish an intimate nexus, "context is critical." Balfour Beatty Infrastructure v. Rummel Klepper & Kahl, 155 A.3d 445, 457 (Md. 2017). The main consideration is whether there is linking conduct—"enough to show the defendant knew or should have known of the plaintiff's reliance." Id. Accenture argues that the Consumer Plaintiffs have not sufficiently alleged an intimate nexus between the parties.

An overview of Maryland cases analyzing the intimate nexus test is worthwhile. In Chicago Title Insurance v. Allfirst Bank, the Maryland Court of Appeals held that the plaintiff, a third-party drawer of a check, and the defendant, a depository bank, had an intimate nexus when the plaintiff sued the bank for misapplying funds to a customer's personal account, instead of applying the funds to the customer's mortgage account, causing the customer to default on his loan. 905 A.2d 366, 381-83 (Md. 2006). The Court held that there was linking conduct showing that the defendant bank knew or should have known that the plaintiff title company expected the proceeds of the check to pay off the loan because the defendant bank had once before received a check from the plaintiff and a payoff request from the new lender. Id. In essence, the prior, similar transactions between the plaintiff and the bank supplied the "critical context" to support a finding of an intimate nexus.

In Walpert, Smullian, & Blumenthal, P.A. v. Katz, the Maryland Court of Appeals affirmed the intermediate appellate court's reversal of a trial court's grant of summary judgment in favor of the accounting firm because Mr. Katz, a non-client of the firm, had demonstrated facts sufficient to allow a jury to find the parties had an intimate nexus. 762 A.2d 582, 608-09 (Md. 2000). The court held that Mr. Katz had presented evidence showing that an intimate nexus existed because the accounting firm was aware that Mr. Katz was going to use their financial report for a particular purpose. Id. Mr. Katz had told the firm that he was going to rely on the report, the firm gave a copy of the report directly to Mr. Katz, and the parties had met face to face. Id. These factual allegations were sufficient to allow a reasonable trier of fact to conclude that the accounting firm either was or should have been aware that Mr. Katz would be relying on their work product. Id. Once again, the particular facts of the case were the key to finding an intimate nexus. And, as importantly, the court held that the issue of liability based on an intimate nexus between the parties is a matter to be determined by the trier of fact. Id. at 608.

As in the above two cases, Consumer Plaintiffs have sufficiently pleaded that there is an intimate nexus between themselves and Accenture. Plaintiffs have met the most important factor for finding an intimate nexus—that the defendant knew or should have known of the specific plaintiff's reliance. Consumer Plaintiffs allege that Accenture explicitly acknowledged in its contract with Starwood that "it had a duty to protect the Personal Information of end-users, defined to include 'guests' and 'customers' of Starwood" and that to fulfill this duty it had an obligation to use nothing less than a "reasonable standard of care." Compl. ¶ 1346. Furthermore, Plaintiffs allege that Accenture publicly acknowledged Plaintiffs' reliance on its job performance when, in public filings, it recognized the potential legal liability it could incur if a hacker were to gain unauthorized access to the confidential information stored on the systems it develops for its clients. Compl. ¶ 254.

Accenture argues that Walpert is distinguishable because in holding that the parties had an intimate nexus, the court emphasized that the firm met with Mr. Katz face to face and that Mr. Katz communicated his intention to rely on their work product. Def.'s Reply 4. It is true that Plaintiffs here do not allege that they met face to face with Accenture, nor do they contend that they explicitly told Accenture of their reliance. However, what they did allege is sufficient to allow a reasonable fact-finder to conclude that Accenture knew or should have known that these Plaintiffs were foreseeable victims who relied on Accenture's contractual obligation to Starwood that it would use reasonable care. Moreover, unlike the accounting firm in Walpert, Accenture explicitly recognized its duty to use reasonable care in its contract with Starwood and named a specific class of individuals whose information it was bound to protect. Compl. ¶ 1346 (quoting Accenture's promise to Starwood that it would implement measures to prevent unauthorized disclosure of personal information of end-users, defined to include Consumer Plaintiffs, "in no event using less than a reasonable standard of care"). Additionally, as was the case with respect to the defendant bank in Chicago Title, which was on notice of plaintiff's reliance because of a previous transaction, Accenture too should have known of Consumer Plaintiffs' reliance because Starwood was the target of previous data breaches. Compl. ¶ 139 (alleging that "both Starwood and Marriott, among many other high-profile hotel chains, were targeted in other data breaches by hackers in the months and years before the Data Breach was discovered").

Lastly, Accenture argues that negligence claims are barred by the intimate nexus requirement when a plaintiff sues a third-party service provider and the plaintiff is unaware of the service provider's existence. Def.'s Reply 4. Accenture reasons that in Chicago Title and in Walpert, the court found a nexus because in both cases, the plaintiff was a specific person (as opposed to an indeterminate class of people), and the liability was based on one specific transaction. Id. But this added requirement is a product of Accenture's wishful thinking, not the law of Maryland. As noted, when determining whether an intimate nexus is an acceptable equivalent to contractual privity in order to support imposition of tort liability, the context is critical. Chicago Title and Walpert are contextually different than this case. They did not involve claims by a class of individuals whose injury—if the defendant failed to exercise reasonable care—was admittedly foreseeable to the defendant; they involved individuals. The Maryland Courts do not require that the defendant be aware of the specific person who relied on its exercise of reasonable care, so long as that person, known or unknown, is not part of an indeterminate class of persons who might (unforeseeably) file claims against it, and so long as it is able to predict its liability exposure to an individual member of the foreseeable class and govern its conduct accordingly. And, if a defendant—like Accenture—is aware of a determinate class of potential claimants, whose interests as a group it contractually undertook to protect through the exercise of reasonable care, it can hardly complain when, as a result of its alleged failure to live up to its promise, a member of that class sues them. Its liability in such circumstances is entirely foreseeable because, as alleged, Accenture specifically contracted with Starwood to protect the personal information of this class of potential claimants—Starwood customers—who entered their information on Starwood's on-line reservation system. Compl. ¶¶ 254, 1346. Plaintiffs allege that they are not simply members of the public at large, i.e., an indeterminate class of people, but rather a nationwide class of individuals whose personal information Accenture explicitly assumed the responsibility of protecting, namely Starwood's "guests" and "customers." Compl. ¶¶ 251-54, 276. In the context of this case, Plaintiffs have sufficiently alleged an intimate nexus, which is the equivalent of contractual privity, to support their Maryland tort liability claims.

b. Plaintiffs have sufficiently pleaded that Accenture owed them a duty of care under Maryland law despite the special relationship doctrine

The second obstacle that Plaintiffs must overcome to survive Accenture's motion to dismiss is Maryland's rule that, absent a special relationship, a defendant does not owe a duty to the general public to protect them from the actions of third parties. Warr v. JMGM Grp., LLC, 70 A.3d 347, 358 (Md. 2013). To recover, the plaintiff must have a special relationship with the defendant, regardless whether harm to the plaintiff was foreseeable, unless a plaintiff can establish that the defendant had control over the third party. Id. ("We have consistently recognized that, in the absence of control or a special relationship, there can be no duty to an injured person for harm caused by a third party.").

Warr thoroughly analyzes Maryland's rule requiring a special relationship to exist between a plaintiff and a defendant. In that case, the Maryland Court of Appeals rejected the Warrs' invitation to adopt dram shop liability in Maryland. 70 A.3d 347. The Warrs were car accident victims suing a tavern because one of its employees served alcohol to a visibly intoxicated patron, who later drove drunk, causing a car accident. Id. at 349-50. The Warrs argued that the tavern breached its duty to "not furnish alcohol to intoxicated persons." Id. at 349. The Court of Appeals held that the tavern did not owe a duty to the Warrs, "as members of the general public," to control the actions of a third party. Id. at 364.

There is no special relationship between Accenture and the Plaintiffs that would require Accenture to protect them from the actions of a third party. Restatement (Second) of Torts § 314 (1965) (listing the special relationships that give rise to a duty to protect to include common carriers, innkeepers, and a possessor of land who holds it open to the public). And Plaintiffs do not assert that such a special relationship exists. However, Plaintiffs argue that the special relationship rule does not apply here because: (1) they do not seek to hold Accenture liable for failing to control the actions of third parties (hackers), but rather seek to hold Accenture liable for negligently creating the risk of harm; (2) Accenture had control over Starwood's and Marriott's data security functions; and (3) Plaintiffs are not simply members of the general public. Pls.' Opp'n 12-14. I shall address each of these arguments in turn.

Plaintiffs ask that I take judicial notice of an Investigative Report, ECF No. 495-1, which they obtained after filing their complaint. Pls.' Opp'n 13 n.8. The Federal Rules of Evidence allow courts to take judicial notice of a fact that is not subject to reasonable dispute at any stage of the proceeding. Fed. R. Evid. 201(b)-(d); see Zak v. Chelsea Therapeutics Int'l, Ltd., 780 F.3d 597, 607 (4th Cir. 2015) ("[C]ourts are permitted to consider facts and documents subject to judicial notice without converting the motion to dismiss into one for summary judgment."). However, Accenture opposes the request, arguing that it is subject to "reasonable dispute" and is therefore ineligible for judicial notice. Def.'s Reply 10 n.5. Because the matter is in dispute, and because I do not rely on the document in my ruling, I decline to take judicial notice of the requested document. I note that even if I were to take notice of the existence of the document, I "may not take judicial notice of the truth of matters outside the challenged pleading." Clarke v. DynCorp Intern. LLC, 962 F. Supp. 2d 781, 787 (D. Md. 2013) (citing E.I. du Pont de Nemours & Co. v. Kolon Indus., 637 F.3d 435, 449-50 (4th Cir. 2011)).

First, Plaintiffs argue that because Accenture actively created a risk by voluntarily assuming the duty of protecting them from the very thing that caused them harm—hacking—and then negligently failed to protect their data, the special relationship rule is inapposite. The Warrs similarly argued that they did not seek to hold the defendant (tavern) liable for actions of the third party (driver) who caused the injury, but instead sought to hold the tavern liable for its own conduct, which created or increased a risk of injury. Warr, 70 A.3d at 355-56. The Warr court was unpersuaded and emphasized "the general rule that there is no duty to control a third person's conduct so as to prevent personal harm to another, unless a 'special relationship' exists either between the actor and the third person or between the actor and the person injured . . . ." 70 A.3d at 356-57 (quoting Ashburn v. Anne Arundel Cty., 510 A.2d 1078, 1083 (1986)). The Warr court noted that whether a defendant actively creates a risk, or merely passively creates it, is a distinction without a difference where there is no affirmative act of control. 70 A.3d at 356 n.11. Plaintiffs' assertion that Accenture "voluntarily assumed [an] obligation to provide reasonable data security that was in fact intended to prevent criminal hackers from stealing Plaintiffs' Personal Information," Pls.' Opp'n 12, is not sufficient in Maryland to sidestep the special relationship requirement.

Second, Plaintiffs argue that because Accenture had control over Starwood's and Marriott's data functions, they do not need to be in a special relationship for Accenture to owe them a duty of reasonable care. Pls.' Opp'n 12. Maryland courts have held that an actor does not have an obligation to exercise his ability to control the actions of a third party, even if the actor "has the ability to control the conduct of a third person, and could do so with only the most trivial of efforts." Lamb v. Hopkins, 492 A.2d 1297, 1300 n.4 (Md. 1985) (citing Restatement (Second) of Torts § 315 cmt. b (1965)). In Warr, the Court of Appeals stated that "[a] tavern owner who provides alcohol to an intoxicated patron does not exercise control over the conduct of the patron, in driving or walking." 70 A.3d at 355.

Therefore, Maryland courts do not impose a duty to control the actions of others, even if the defendant could exercise control over the third party. Here, Consumer Plaintiffs have not pleaded that Accenture had the ability to control the hacker. Not only does Accenture not have the duty to control an unidentified third-party hacker, even if it could, Maryland law also would not require it to exercise that control to avoid liability for the harm a hacker may cause.

Finally, and more persuasively, the Consumer Plaintiffs argue that they are not merely members of the general public, and therefore they do not need to establish that they had a special relationship with Accenture. Pls.' Opp'n 12. The Court of Appeals in Warr emphasized that the tavern "did not owe a duty to the Warrs, as members of the general public." 70 A.3d at 364 (emphasis added). When analyzing other contexts in which the court declined to impose a duty to control the actions of third parties, the court explained the importance of not imposing a duty to protect the general public because "such a concept would encompass an indeterminate number of individuals." Id. at 358; see also id. at 361 (rejecting extending the duty because "[o]ne cannot be expected to owe a duty to the world at large to protect it against the actions of third parties . . . .").

However, I need not predict what the Maryland Court of Appeals would hold in this case with respect to the Consumer Plaintiffs' arguments regarding the applicability of the special relationship doctrine, because they have sufficiently argued that Accenture owed them a duty by virtue of Section 5 of the FTC Act, 15 U.S.C. § 45. Pls.' Opp'n 21 n.13.

Under Maryland law, "[a] 'special duty' to protect another from the acts of a third party can be created '(1) by statute or rule; (2) by contractual or other private relationship; or (3) indirectly or impliedly by virtue of the relationship between the tortfeasor and a third party.'" Johnson v. PNC Bank, N.A., No. CV ELH-19-3136, 2020 WL 1491355, at *5 (D. Md. Mar. 27, 2020) (quoting Remsburg v. Montgomery, 831 A.2d 18, 27 (2003)) (internal quotation marks and citations omitted). Therefore, because the Consumer Plaintiffs have sufficiently pleaded that Section 5 of the FTC Act serves as the predicate to Maryland's version of negligence per se, they have pleaded that Accenture owed them a statutory duty to protect them from the actions of third-party hackers.

Maryland abides by the "Statute or Ordinance Rule"; instead of recognizing a separate cause of action of negligence per se, a statute or an ordinance can permit a plaintiff to prove that a defendant owed the plaintiff a duty, and that a defendant breached that duty. See Kiriakos v. Phillips, 139 A.3d 1006, 1016 (2016) ("The Statute or Ordinance Rule is not a means to establishing negligence per se but only prima facie evidence of negligence."). Under Maryland law, to successfully plead that defendant's violation of a law or ordinance is evidence of negligence, a plaintiff must establish that: (1) they are members of a specific class of people that the statute or ordinance is designed to protect; and (2) that violation of the statute or ordinance proximately caused their injury. Id. Here, Consumer Plaintiffs allege that Accenture owed them a duty by virtue of Section 5 of the FTC Act, 15 U.S.C. § 45.

Accenture first makes general arguments as to why Section 5 cannot serve as the predicate for negligence per se, and second, makes Maryland-specific arguments. First, Accenture argues that "section 5 is designed to protect 'consumer[s]' and 'competitor[s]' from 'unfair trade practice[s],'" and because Consumer Plaintiffs are neither consumers nor competitors of Accenture, they are not within the class of persons Section 5 was designed to protect. Def.'s Br. 20 (citing FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 244 (1972)). Consumer Plaintiffs argue that they "are consumers, and courts routinely recognize the failure to adequately secure consumers' Personal Information is a violation of the FTC Act." Pls.' Opp'n 20 (emphasis in original).

Plaintiffs are members of the class that Section 5 of the FTC Act was designed to protect. Section 5 makes unlawful any "[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a)(1). Numerous courts have held that Section 5 of the FTC Act was designed to protect the consumer whose data was compromised by the negligent actions of a defendant. See In re Equifax, Inc., Customer Data Security Breach Litig., 362 F. Supp. 3d 1295, 1327 (N.D. Ga. 2019); In re Arby's Rest. Grp. Inc. Litig., No. 1:17-CV-0514-AT, 2018 WL 2128441, at *8 (N.D. Ga. Mar. 5, 2018); In re The Home Depot, Inc., Customer Data Sec. Breach Litig., 2016 WL 2897520, at *4 (N.D. Ga. May 17, 2016); see also First Choice Fed. Credit Union v. Wendy's Co., No. 16-506, 2017 WL 9487086, at *4 (W.D. Pa. Feb. 13, 2017), report and recommendation adopted, 2017 WL 1190500 (W.D. Pa. Mar. 31, 2017) (following Home Depot and declining to dismiss negligence per se claim based on Section 5 of the FTC Act). Plaintiffs allege that Accenture, like the defendants in these cases, was specifically tasked with protecting their data and breached that duty by violating the FTC Act's requirement of implementing adequate security standards to safeguard consumers' personal information. Compl. ¶¶ 1344, 1354.

To support its argument, Accenture cites to a Seventh Circuit Court of Appeals data breach case, which held that the card-issuing banks could not hold the retail merchant liable for alleged violations of the FTC Act. Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 819 n.7 (7th Cir. 2018). Community Bank of Trenton is distinguishable from the present case. There, the plaintiff banks that had issued credit cards to consumers, sought to hold a retail merchant that had been subject to a data breach liable for the costs associated with protecting their card-holding customers from identity theft. The court noted that the plaintiff banks did not adequately allege a negligence per se claim based on the FTC Act because the class of plaintiffs were not customers of the merchant and because the "FTCA arguments are too underdeveloped to consider." 887 F.3d at 819 n.7. But here, the Consumer Plaintiffs were customers of Starwood/Marriott, which, in turn, was a customer of Accenture; Starwood/Marriott simply outsourced the protection of their customers' data to Accenture, which contractually agreed to accept this responsibility. The Consumer Plaintiffs adequately have alleged that they are members of the class that Section 5 of the FTC Act was designed to protect.

Next, Accenture argues that the FTC Act cannot serve as the predicate for a negligence claim based on the violation of a statute because it does not "proscribe a particular standard of care." Def.'s Br. 22. However, several courts have rejected this argument, finding that data breach plaintiffs adequately had pleaded claims of negligence per se based on alleged violations of Section 5 of the FTC Act.

For example, in FTC v. Wyndham Worldwide Corp., a case with more than a passing similarity to this case, the Third Circuit affirmed the FTC's enforcement of Section 5 of the FTC Act in data breach cases, which that agency had been doing since 2005. 799 F.3d 236, 240 (3d Cir. 2015) ("The Federal Trade Commission Act prohibits 'unfair or deceptive acts or practices in or affecting commerce.' 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity practices that failed to protect consumer data against hackers."). In that case, Wyndham Worldwide, a hotel and hospitality company, was the subject of multiple cyberattacks that compromised the personal information of hundreds of thousands of its customers. Id. The FTC brought suit against Wyndham for inadequate cybersecurity practices. Id. at 242. Wyndham challenged the authority for the FTC to do so, but the FTC's action was affirmed by both a New Jersey District Court and the Third Circuit. Id. at 259.

The Third Circuit first found that the allegations regarding Wyndham's cybersecurity practices, including that it had an allegedly misleading privacy policy that overstated its cybersecurity protections, fell within the plain meaning of "unfair" practices in the text of Section 5 of the FTC Act. Id. at 246-47. Further, the court held that Wyndham had fair notice that its conduct could fall within the meaning of the statute based on a "cost-benefit analysis that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity." Id. at 255 (internal citations omitted). Considering the alleged deficiency of Wyndham's cybersecurity practices, the court found that they had fair notice that their conduct could violate the FTC Act. This conclusion was reinforced by an FTC guidebook published in 2007, Protecting Personal Information: A Guide for Business, which provides recommendations on cybersecurity best practices, and by FTC complaints and consent decrees in administrative cases raising unfairness claims based on inadequate cybersecurity practices. Id. at 255-57. See also In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489, 498-99 (1st Cir. 2009), as amended on reh'g in part (May 5, 2009) (applying FTC precedent for scope of duty under Massachusetts law based on Section 5 of the FTC Act in data breach case).

Accenture's posture in this case is no different than Wyndham's was in FTC v. Wyndham Worldwide Corp. Plaintiffs allege that Accenture's contractual promise to Starwood/Marriott to use reasonable security practices overstated its actual cybersecurity protections and falls within the meaning of "unfair" practices of Section 5 of the FTC Act. Compl. ¶¶ 1351-52. Further, Plaintiffs allege that because the FTC has initiated 12 actions against companies for deficient security practices, the FTC Act was intended to provide a standard of conduct that companies should follow. Compl. ¶ 259 n.126 (citing https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-security-enforcement). Additionally, Plaintiffs allege that Accenture had sufficient notice that its conduct could fall within the meaning of the statute, because, like Wyndham, Accenture explicitly acknowledged the risks associated with protecting the personal information of its clients' guests. Compl. ¶ 254.

Accenture also makes Maryland-specific arguments as to why the Consumer Plaintiffs cannot use Section 5 as the predicate for their negligence claim based on the alleged violation of a statute. Accenture argues that "courts in this District have nonetheless recognized that the absence of a private right of action in the FTC Act means it should not support a tort duty." Def.'s Reply 11 (citing Flynn v. Everything Yogurt, 1993 WL 454355, at *5 (D. Md. Sept. 14, 1993); Day v. United Bank, 2018 WL 3707833, at *7 (D. Md. Aug. 3, 2016)); Def.'s Br. 19 (citing Betskoff v. Enterprise Rent A Car Co. of Baltimore, LLC, 2012 WL 32575, at *7 (D. Md. Jan 4, 2012)).

In Betskoff, Judge Hollander of this Court held that the plaintiff could not maintain an action based on defendant's violation of the FTC Act because "the FTC Act contains no provision that authorizes aggrieved individuals to file suit on their own behalf." 2012 WL 32575, at *7. However, the plaintiff in that case did not sue under a state law theory of negligence, but instead used the FTC Act directly as the sole medium through which to hold the defendant liable. Therefore, this case is not on point because Plaintiffs here assert a common law theory of negligence that is well established under Maryland state law.

In Flynn, the plaintiffs alleged that the FTC Act and its accompanying franchise regulations established that the defendant owed them a duty and that the defendant breached that duty. 1993 WL 454355 at *5. This Court dismissed plaintiff's cause of action after employing the test for deciding whether violation of a statute or ordinance provides evidence of negligence (whether plaintiff is a member of the class for whose protection the statute was enacted and whether the harm suffered was of the kind the statute was designed to prevent), because it held that the plaintiff was not a member of the class for whose protection the statute was enacted. Id. at 4-5. Accenture mistakenly relies on this case as if it categorically held that a violation of the FTC Act cannot be a basis for a Maryland negligence claim where liability is predicated on the violation of an ordinance, or a general negligence claim where the defendant's breach of duty flowed exclusively from the violation of a statute or ordinance. It did neither. Rather, an accurate reading of the decision clearly shows that Judge Hargrove's ruling was narrow—that the plaintiff was not a member of the class of individuals intended to be protected by the FTC Act. Id. at *5. As explained above, Consumer Plaintiffs are members of the class for whose protection the FTC Act was enacted.

Lastly, in Day, Judge Xinis of this Court held that the plaintiff could not sustain an action in negligence based on an alleged violation of the Anti-Assignment Act, 41 U.S.C. § 6305. 2018 WL 3707833 at *7. She quite correctly reasoned that the plaintiff's allegations that a bank owed him a "general duty" based on the statute to exercise reasonable care was insufficient to fulfill the requirement that when a plaintiff alleges purely economic loss, he must have an intimate nexus with the defendant. Id. However, as explained above, Consumer Plaintiffs have sufficiently pleaded that they had an intimate nexus with Accenture. As for whether the plaintiff, a surety, suffered an injury that placed it within the class of individuals intended to be protected by the Anti-Assignment Act, Judge Xinis held that the surety was not, as that Act's protection was limited to the United States Government, not private sureties. Id. at *6-7. Her opinion had nothing to do with the FTC Act. Accordingly, Day provides no succor to Accenture in its effort to undermine the Consumer Plaintiffs' argument that they may rely on the FTC Act to support their Maryland negligence claim.

In sum, the Consumer Plaintiffs have sufficiently pleaded the element of duty to support a negligence claim under Maryland law.

Negligence - Connecticut

Connecticut class representative Amarena alleges a claim of negligence under Connecticut law. See Compl. ¶¶ 32, 1342-43. Unsurprisingly, under Connecticut law, a cause of action in negligence is comprised of four elements: duty; breach of duty; causation; and actual injury. Mirjavadi v. Vakilzadeh, 74 A.3d 1278, 1287 (Conn. 2013). The existence of a duty is a legal conclusion that begins with a threshold inquiry: "whether the specific harm alleged by the plaintiff was foreseeable to the defendant." Id. at 1288 (quoting Sic v. Nunan, 54 A.3d 553, 558 (Conn. 2012)). A finding of foreseeability does not end the inquiry, however. "[T]he test for the existence of a legal duty entails (1) a determination of whether an ordinary person in the defendant's position, knowing what the defendant knew or should have known, would anticipate that harm of the general nature of that suffered was likely to result, and (2) a determination, on the basis of a public policy analysis, of whether the defendant's responsibility for its negligent conduct should extend to the particular consequences or particular plaintiff in the case." Id.

Connecticut courts engage in a four-factor test to determine whether public policy supports the imposition of a tort duty: "(1) the normal expectations of the participants in the activity under review; (2) the public policy of encouraging participation in the activity, while weighing the safety of the participants; (3) the avoidance of increased litigation; and (4) the decisions of other jurisdictions." Ruiz v. Victory Properties, LLC, 107 A.3d 381, 392-93 (Conn. 2015) (quoting Monk v. Temple George Assocs., LLC, 869 A.2d 187, 187 (Conn. 2005)).

Plaintiff argues that Accenture is liable to her for negligence because Accenture owed her a duty to reasonably protect her personal information and breached that duty by failing to detect the four-year-long data breach and by failing to implement reasonable data security systems. Compl. ¶¶ 1342-46.

a. Plaintiff has sufficiently pleaded that Accenture owed Amarena a duty of care under Connecticut law despite suffering purely economic losses

Amarena has met her initial burden, having sufficiently pleaded that Accenture's negligence caused foreseeable harm and that Plaintiff was a foreseeable victim. Compl. ¶¶ 252, 1346 (alleging that Accenture was specifically tasked with identifying security threats to Starwood's systems and alleging that Accenture recognized Marriott guests as foreseeable victims of a data breach). Therefore, I shall continue to the public policy analysis, which includes the consideration of purely economic losses.

Under Connecticut law, "the economic loss doctrine bars negligence claims that arise out of and are dependent on breach of contract claims that result only in economic loss." Ulbrich v. Groth, 78 A.3d 76, 100 (Conn. 2013). The doctrine bars tort claims if the defendant's duty to the plaintiff arises exclusively out of the contractual relationship, but it does not bar tort claims that arise from conduct independent of the contract. Id. at 97. And other limitations or exceptions may apply. Aliki Foods, LLC v. Otter Valley Foods, Inc., 726 F. Supp. 2d 159, 165-67 (D. Conn. 2010). Underlying the doctrine is the premise that it "holds the aggrieved party to the bargain it struck in its contract by preventing it from bringing a tort action for what is really the breach of a contractual duty." Id. at 165. It therefore aims to "protect[ ] the parties' expectancy interests and encourages them to build cost considerations into their contracts in the first place." Id.

Connecticut courts hold that the first policy factor, the expectations of the parties, weighs in favor of the plaintiff when the harm is not ancillary to the defendant's actions and when the plaintiff does not already have a statutory remedy. In RK Constructors, Inc. v. Fusco Corp., the court rejected a corporate plaintiff's negligence claim that asserted economic loss when the defendant general contractor's negligence caused the plaintiff's workers' compensation premiums to increase. 650 A.2d 153 (Conn. 1994). The court held that when analyzing the expectations of the parties, "what is relevant . . . is the measure of attenuation between [the defendant's] conduct, on the one hand, and the consequences to and the identity of the plaintiff, on the other hand." Id. at 156-57. The court reasoned that the connection between the corporate plaintiff and the defendant contractor was too tenuous because it was plaintiff's employee who was injured by the defendant's conduct, and the increased workers' compensation premiums and lost dividends were attenuated collateral consequences with respect to the corporate plaintiff that employed the injured worker. Id. at 157.

In Lawrence v. O and G Industries, Inc., the court concluded that public policy barred the imposition of a duty of care on defendants when their negligence caused an explosion at a power plant where the plaintiffs were employed, resulting in the plaintiffs incurring economic losses of lost wages. 126 A.3d 569 (Conn. 2015). The court reasoned that the expectations of the parties favored the defendants because a statutory remedy exists under Connecticut law for persons who become unemployed through no fault of their own. Id. at 579-80. Usually in that circumstance, plaintiffs would be able to recover unemployment insurance benefits pursuant to Conn. Gen. Stat. § 31-222 (2017). The court distinguished a Connecticut Superior Court case and a District of Connecticut case that permitted the plaintiff to recover economic losses in the absence of contractual privity, personal injury, or property damage. The court explained that in those cases, the expectations-of-the-parties factor weighed in favor of the plaintiff when the defendant's negligence directly caused the plaintiff to suffer economic losses in connection with the performance of their own contracts with a third party. Id. at 578 n.13 (citing Insurance Co. of North America v. Town of Manchester, 17 F. Supp. 2d 81 (D. Conn. 1998); A.M. Rizzo Contractors, Inc. v. William Foley, Inc., Superior Court, judicial district of Stamford-Norwalk, Complex Litigation Docket, Docket No. X05-CV-106004577-S, 2011 WL 1105799 (January 13, 2011)). The Lawrence court found that the Insurance Co. of North America and A.M. Rizzo Contractors cases were distinguishable because the plaintiffs in those cases suffered economic injuries directly caused by the defendants' negligence, while in the case before it, the plaintiff's economic injuries were "at least one step further removed from the negligence of the defendants and, therefore, in a more attenuated and remote position." Id.

Amarena has sufficiently pleaded that the expectations-of-the-parties factor weighs in favor of finding that Accenture owed a duty of care. Amarena argues that the harm caused by Accenture's negligence is not remote, attenuated, or indirect, because Accenture promised to adhere to a reasonable standard of care when protecting the personal identifying information that Marriott's guests disclosed during their on-line contact with Marriott. When, as alleged, Accenture failed to do so, she suffered injuries directly connected with that alleged breach. Pls.' Opp'n 8. Further, Amarena alleges that when she accessed Marriott's website, she expected that her personal data would be adequately protected and stored. Compl. ¶¶ 273-75. Additionally, there is no Connecticut statutory remedy that the Consumer Plaintiff could assert to recover for Accenture's negligence. Lastly, Amarena has pleaded that Accenture should have expected to owe her a duty of reasonable care because its negligence caused direct economic loss with respect to her contractual relationship with Marriott, which is the very type of injury that Accenture acknowledged was foreseeable in a recent public filing. Compl. ¶ 254 (alleging that Accenture acknowledged that its actions could affect the safety of its clients' customers' personal information). Based on these allegations, I find that the relationship between Accenture and Amarena is less attenuated than the relationship between the parties in RK Constructors, Inc. and Lawrence, respectively. Therefore, although those cases found no duty existed for economic losses based on the dissimilar facts that were presented, the Connecticut court articulated a legal framework for when a plaintiff, such as Amarena, could establish a direct nexus that would support a finding of a tort duty. Under this legal framework, I find that the Connecticut Consumer Plaintiff Amarena has sufficiently alleged facts to establish that the expectations-of-the-parties factor weighs in favor of finding that Accenture owed her a duty of care.

Connecticut courts evaluate the second and third factors, "the public policy of encouraging participation in the activity, while weighing the safety of the participants" and "the avoidance of increased litigation," together because they are "analytically related." Lawrence, 126 A.3d at 580. Connecticut courts analyze these factors by deciding whether the inevitable increase in litigation (by increasing the pool of plaintiffs whenever a court recognizes a new tort duty) would be offset by a corresponding increase in safety. Id. The Lawrence court reasoned that expanding the liability of construction company defendants to include a duty to plaintiffs that work in the building where an accident occurs, and who lose wages as a result of the accident, will not provide an increase in safety. In so holding, the court reasoned that because companies like the defendants are already extensively regulated, and parties who suffer physical injury or property damage can already hold defendants liable through negligence claims based on an existing tort duty, there is no safety concern that would be alleviated by imposing a duty. Id.

In contrast, if finding a new tort duty would incentivize defendants to change their future actions in a manner that enhances public safety, then finding a new tort duty would be justified, because it would lead to an increase in safety. For example, in Ruiz v. Victory Properties, LLC, a case where a child injured another child with a piece of cement found in the common areas of the defendant's property, the Connecticut Supreme Court held that landlords have a duty to keep common areas in an apartment building in a reasonably safe condition. 107 A.3d at 394. The Ruiz court held that "rather than unnecessarily and unwisely increasing litigation, imposing a duty in this case will likely prompt landlords to act more responsibly toward their tenants in the interest of preventing foreseeable harm caused by unsafe conditions in areas where tenants are known to recreate or otherwise congregate." Id. Similarly, in Monk v. Temple George Associates, LLC, the Connecticut Supreme Court imposed a duty of care on the owner of a parking lot for an attack on the plaintiff by a third party. 869 A.2d at 188-89. The Monk court reasoned that litigation costs could increase "anytime a court establishes a potential ground for recovery" but that imposing a duty in that case would "protect customers by encouraging businesses to take reasonable care to decrease the likelihood of crime occurring on their premises" and that "[i]f, in fact, imposing a duty of care has that result," litigation was "unlikely to increase" and "may even decrease." Id. at 187-88 (emphasis in original).

A finding that, under Connecticut law, Accenture owes a tort duty to the class of consumer plaintiffs that Amarena seeks to represent would produce a corresponding increase in consumer safety. Absent such a finding, Connecticut consumers would have no recourse against a company that, like Accenture, contractually agreed to take reasonable measures to protect their personal financial information. This is in stark contrast to the situation faced by the workers injured by the negligence of a construction company, who have alternative avenues of recovery. Additionally, Accenture argues that its contractual obligations with Marriott already "set forth Accenture's data security obligations and remedies for breaching their obligations," which it apparently views as sufficient to protect consumers without the need to actually extend its tort duty of care to the consumers themselves. Def.'s Reply 6-7. In the abstract, perhaps, but since Marriott has not (yet) filed a cross-claim against Accenture, its failure to enforce Accenture's contractual obligation of due care does nothing at all to protect consumer plaintiffs against Accenture's alleged failures. For that reason, recognizing a tort duty of care owed to the consumer plaintiffs would incentivize Accenture to up its game when fulfilling its obligations to protect the personal financial data of its contractual clients' customers. This would result in fewer data breaches, and fewer data breach lawsuits.

The concerns that the Lawrence court had about flooding the courts with lawsuits are not justified here. In Lawrence, the court reasoned that "the nature of the damages at issue presents difficulties in proof that would vary by individual employees' employment circumstances." 126 A.3d at 581. Here, however, the relationship between the Consumer Plaintiffs' injuries and Accenture's negligence is not attenuated, and Accenture's liability does not depend on variations in each individual's relationship with Marriott. Each Consumer Plaintiff shares a common relationship with Marriott, as a guest who provided their personal financial information to the Starwood/Marriott guest databases when they registered or made a reservation.

Amarena argues that the last factor, decisions from other jurisdictions, "is not directly applicable given the dearth of case law addressing the issue presented here." Pls.' Opp'n 9 n.5. Accenture cites two data breach cases in which courts dismissed the claims of plaintiffs because they had tenuous relationships with the defendant, but neither case is directly on point. First, in Hammond v. The Bank of New York Mellon Corp., the court concluded that the defendant did not owe the plaintiffs a duty of care since "[n]one of the named Plaintiffs had any direct dealings with Defendant," "banks owe no duty of care to their non-customers," and because "Plaintiffs gave their personal data over to [institutional clients of Defendant], which, in turn, forwarded the data to Defendant (which stored the data on the tapes that ultimately were lost or stolen)." 2010 WL 2643307, at *9 (S.D.N.Y. June 25, 2010). First, Hammond is distinguishable because the principal reason why the case was dismissed was the court's holding that the plaintiffs did not have Article III standing, and only noting in passing that "[s]ummary judgment for Defendant would be granted because, among other reasons, Plaintiffs cannot establish that Defendant owed them any duty." Id. The case is also distinguishable because the third parties (who the plaintiffs had entrusted with their personal information) did not employ the defendant as a data security contractor for the purposes of protecting the plaintiffs' data, but merely employed the defendant to process its payments. See generally Second Am. Class Action Compl., Hammond v. The Bank of New York Mellon Corp., 2009 WL 1618381 (S.D.N.Y.). Similarly, the other case that Accenture cites suffers from a similar distinguishable characteristic. Willingham v. Global Payments, Inc., 2013 WL 440702, at *1-2 (N.D. Ga. Feb. 5, 2013) (explaining that the defendant is a credit-card processor, whose connection with the plaintiffs is that the plaintiffs "entered into a retail transaction with a merchant who contracts with [Defendant] for credit card processing").

Neither Accenture nor the Consumer Plaintiff has pointed to a case in which the defendant was a data security contractor, specifically tasked with protecting the plaintiffs' data, who failed to perform its contractual obligations, resulting in a data breach. Therefore, this factor weighs in favor of neither party.

For the foregoing reasons, the Connecticut Consumer Plaintiff Amarena has sufficiently pleaded that public policy considerations weigh in favor of finding that Accenture owed them a duty of reasonable care under Connecticut law.

b. Plaintiff has sufficiently pleaded that Accenture owed a duty of care under Connecticut law despite not having a special relationship with Accenture

Under Connecticut law, "absent a special relationship of custody or control, there is no duty to protect a third person from the conduct of another." Kaminski v. Fairfield, 578 A.2d 1048, 1051 (Conn. 1990).

Accenture cites Jarmie v. Troncale, 50 A.3d 802 (Conn. 2012) to support its argument that, because Accenture and Consumer Plaintiffs do not have a special relationship, Accenture cannot be held liable for failing to control the actions of unidentified hackers. Def.'s Br. 11. However, Jarmie is not helpful to this analysis because the special relationship rule is discussed in a context that is substantially different from the facts of this case. In Jarmie, a motorist that had been injured in an auto accident with a person that was a patient of the defendant doctor sued the doctor and the doctor's employer for failing to warn the patient that her medical condition made it unsafe for her to operate a motor vehicle. 50 A.3d at 804-05. The Connecticut court stressed that the foreseeability of injury to a particular plaintiff is an important (albeit not sufficient) component in determining whether a defendant owed that plaintiff a duty of care. Id. at 809 ("[O]ur threshold inquiry has always been whether the specific harm alleged by the plaintiff was foreseeable to the defendant. The ultimate test of the existence of the duty to use care is found in the foreseeability that harm may result if it is not exercised."). It then held that the identity of a person injured by the negligence of a driver who was a patient of a doctor was "unidentifiable," and therefore not a foreseeable victim. Id. at 810. But part of the rationale for its duty of care ruling was the court's recognition that Connecticut has enacted legislation restricting negligence suits against doctors to narrow the grounds on which doctors may be sued, in light of a "crisis in medical malpractice insurance rates." Id. at 810. Because the rationale for the Jarmie case was inextricably intertwined with the special status of health care professionals and the unique protections given them under Connecticut statutory and tort law, this case is of little value as a precedent in this case. 
And, importantly, as I repeatedly have noted, plaintiffs have pleaded that the consumer plaintiffs were neither unknown nor unknowable victims, as Accenture specifically undertook to exercise due care to protect their personal information, and acknowledged the foreseeability of their injuries should it fail to live up to its contractual obligations of due care. Pls.' Opp'n 12. Therefore, Jarmie does not require the dismissal of the Connecticut consumer claims.

Neither are the plaintiffs asserting that they are trying to hold Accenture liable for failing to control the actions of third parties (the hackers), so the Connecticut Supreme Court's decision in Kaminski v. Town of Fairfield is no bar to the Connecticut consumers' negligence claims. See 578 A.2d 1049 (Conn. 1990) (holding that parents of mentally ill adult son had no duty to control the violent conduct of their son to protect a police officer injured when called to take the son to the hospital for a medical evaluation); Pls.' Opp'n 12.

Accenture also cites Waters v. Autuori for the proposition that it cannot be held liable to third parties for the negligent performance of contractual duties unless the plaintiff incurs physical harm. Waters v. Autuori, 676 A.2d 357 (Conn. 1996). In that case, the plaintiff argued that § 324A of the Restatement (Second) of Torts provided a basis for finding that the American Institute of Certified Public Accountants ("AICPA") owed an unknown third party who relied on the opinion of a CPA a duty of care, because the AICPA promulgated professional accounting standards. Id. at 363. However, the court disagreed and held that § 324A could not be the basis for finding that the plaintiff was owed a duty of care. Id. at 364.

This section states in relevant part: "[o]ne who undertakes, gratuitously or for consideration, to render services to another which he should recognize as necessary for the protection of a third person or his things, is subject to liability to the third person for physical harm resulting from his failure to exercise reasonable care to protect his undertaking." Restatement (Second) of Torts § 324A (1965).

It is worth noting that the Supreme Court of Connecticut began its discussion of whether the AICPA owed the plaintiffs a tort duty of care with these comments: "There can be no actionable negligence, however, unless there exists a cognizable duty of care. Whether a duty of care exists is a question of law to be decided by the court. The starting point of our analysis, therefore, is an examination of the allegations in the plaintiff's complaint to determine, whether, if proven, they establish a cognizable duty of care." Id. at 360 (internal citations omitted). The allegations made by the Plaintiffs in this case make it clear that the Connecticut consumers do not contend that § 324A is the basis for finding that Accenture owed them a duty of care. Instead, they pleaded and here argue that one of the reasons Accenture should have foreseen Plaintiffs as victims is because of Accenture's recognition of Consumer Plaintiffs' existence in its contract with Marriott and awareness of the injuries the Consumer Plaintiffs would suffer if Accenture failed to fulfill its contractual obligations to Marriott, which it acknowledged in its public filings. Furthermore, the Waters court reasoned that finding a duty of care based solely on the promulgation of the professional accounting standards was unwise as a matter of public policy because the plaintiff was a third party, who was neither "specifically identifiable nor has any relationship with the AICPA aside from reliance on the professional opinion of a certified public accountant who allegedly relied on published AICPA standards." Id. at 364. However, as I explained in the section analyzing the economic loss doctrine, the public policy factors that the Connecticut courts consider weigh in favor of finding that Accenture owed the Consumer Plaintiff a duty, and designated class representative Amarena alleges that she is not a mere member of the general public. Compl. ¶ 276 (defining plaintiffs as persons "whose Personal Information was compromised in the Data Breach").

In sum, the Consumer Plaintiffs have sufficiently pleaded the element of duty to support a negligence claim under Connecticut law.

Negligence - Florida

Florida class representatives Lawrence, Bittner, and Hevener ("Florida Consumer Plaintiffs") allege claims of negligence under Florida law. See Compl. ¶¶ 34-36, 1342-43. Florida law recognizes the same familiar elements of a negligence claim: duty, breach of that duty, proximate cause, and actual loss or damage. Jackson Hewitt, Inc. v. Kaman, 100 So. 3d 19, 27-28 (Fla. Dist. Ct. App. 2011). Whether a duty exists is a question of law, while the other three elements are questions for the trier of fact. Id. at 28. Plaintiffs argue that Accenture is liable to them for negligence because Accenture owed them a duty to reasonably protect their personal information and breached that duty by failing to detect the four-year-long data breach and failing to implement reasonable data security systems. Compl. ¶¶ 1342-46.

a. Plaintiffs have sufficiently pleaded that Accenture owed them a duty of care under Florida law despite alleging that they suffered only economic losses

In Tiara Condominium Ass'n, Inc. v. Marsh & McLennan Companies, 110 So. 3d 399 (Fla. 2013), the Florida Supreme Court extensively discussed the economic loss rule as it applies to tort actions. The court noted that the rule originated in products liability law, but had, over time, been extended more broadly to negligence claims in general. Id. at 401-07. So much so, it concluded, that the rule had been applied to cases far afield from the circumstances that justified the rule in the first place. Id. at 406-07. Because of this concern, the court held: "Having reviewed the origin and original purpose of the economic loss rule, and what has been described as the unprincipled extension of the rule, we now take this final step and hold that the economic loss rule applies only in the products liability context. We thus recede from our prior rulings to the extent that they have applied the economic loss rule to cases other than products liability." Id. at 407.

In Tank Tech, Inc. v. Valley Tank Testing, L.L.C., 244 So. 3d 383 (Fla. Dist. Ct. App. 2018) (decided after Tiara), the Florida Court of Appeals summarized the law regarding the creation of a tort duty of care as follows:

"Florida . . . recognizes that a legal duty will arise whenever a human endeavor creates a generalized and foreseeable risk of harming others." Thus "[w]here a defendant's conduct creates a foreseeable zone of risk, the law generally will recognize a duty placed upon [the] defendant either to lessen the risk or see that sufficient precautions are taken to protect others from the harm that the risk poses." Indeed, "each defendant who creates a risk is required to exercise prudent foresight whenever others may be injured as a result. This requirement of reasonable, general foresight is the core of the duty element."
Id. at 393 (quoting McCain v. Fla. Power Corp., 593 So. 2d 500, 503 (Fla. 1992)) (internal citations omitted, emphasis in original). However, Florida law further requires that if the plaintiff brings a negligence claim that seeks to recover only for economic loss, "there must be some sort of link between the parties or some other extraordinary circumstance that justifies the recognition of such a claim." Id.

In Tank Tech, the plaintiff, Tank Tech, and the defendant, Valley Tank, were not in contractual privity with one another, but both had contracts with Circle K to provide services related to underground petroleum storage tanks ("USTs"). 244 So.3d at 386-87. Tank Tech's contract with Circle K required them to repair any damage to the USTs, regardless of who caused the damage. Id. at 388. When Tank Tech had to repair cracks in USTs allegedly caused by Valley Tank's negligence, they sought to recover money spent to repair the tanks. Id. at 394. The court held that there was not a sufficient link between Tank Tech and Valley Tank because "Tank Tech's injury did not flow from Valley Tank's testing of the USTs. Instead, Tank Tech seeks to recover the money it spent in repairing the USTs, an expense that was the result of a negotiated contract between Tank Tech and Circle K." Id.

The court in Tank Tech also reasoned that no extraordinary circumstance was present, requiring Valley Tank to owe a duty to Tank Tech, because "no property right was involved . . . Tank Tech has no special and unique interest that would constitute an extraordinary circumstance warranting the imposition of a duty on Valley Tank." 244 So. 3d at 394. As previously mentioned, the Florida Consumer Plaintiffs allege a loss in value of their personal identifying information, a right that I would consider an intangible property right. See In re Marriott, 440 F. Supp. 3d at 475 n.11. Because I find that Accenture owed the Florida Consumer Plaintiffs a duty by way of a link between the parties, a finding on whether there existed extraordinary circumstances is not necessary, so I need not decide this issue under Florida law. However, I find the circumstances here analogous to those in Curd v. Mosaic Fertilizer, LLC, where the Florida Supreme Court held that extraordinary circumstances existed, warranting the finding that the defendant owed the plaintiffs a duty to protect them from economic loss. 39 So.3d 1216, 1228 (Fla. 2010) (holding that a fertilizer company owed commercial fishermen a duty to protect the fishermen's economic expectation in the marine life (a property right not shared by the public as a whole) which was damaged by the defendant's negligent release of pollutants).

The Florida Consumer Plaintiffs have adequately pleaded that there was a sufficient link between themselves and Accenture to establish that Accenture owed them a duty of care. Unlike in Tank Tech, the Florida Consumer Plaintiffs have alleged that their injuries directly flowed from Accenture's negligence. Compl. ¶ 1349. Additionally, their injuries were not caused by the Florida Consumer Plaintiffs' contractual obligation to a third party, like in Tank Tech, but were directly incurred in the form of losing the value of their personal financial information, spending time and money preventing identity theft, and, for Florida Class representative Hevener, suffering identity theft in the form of unauthorized credit card applications in her name. Compl. ¶¶ 36, 1349. Therefore, the Florida Consumer Plaintiffs have established the requisite "link" between themselves and Accenture to meet the requirements of Tank Tech for bringing a negligence claim against Accenture.

b. Plaintiffs have sufficiently pleaded that Accenture owed them a duty of care under Florida law despite not having a special relationship with Accenture

To recover in negligence for the criminal acts of a third party, Florida law requires that the defendant have a special relationship to the injured plaintiff or that the defendant have control over "some aspect of the criminal act." Knight v. Merhige, 133 So. 3d 1140, 1144 (Fla. Dist. Ct. App. 2014). "Generally, there is no duty to control the conduct of a third person to prevent [that person] from causing physical harm to another." Carney v. Gambel, 751 So. 2d 653, 654 (Fla. Dist. Ct. App. 1999). "Absent a special relationship between a defendant and a plaintiff, a duty to protect a plaintiff from 'the conduct of a third party may [also] arise if the defendant is in actual or constructive control of: (1) the instrumentality of the harm; (2) the premises upon which the tort is committed; or (3) the person who committed the tort.'" Knight, 133 So. 3d at 1146 (quoting Aguila v. Hilton, Inc., 878 So. 2d 392, 398 (Fla. Dist. Ct. App. 2004)).

Again, the Florida Consumer Plaintiffs do not contend that they have a special relationship with Accenture as that requirement is found in the Restatement (Second) of Torts § 314 (1965). However, they argue that: (1) they are not members of the general public; (2) they are not seeking to hold Accenture liable for failing to control a third person's conduct but instead for its own negligence in providing data security services to Marriott/Starwood that allowed their personal financial information to be compromised; and (3) an exception to the special relationship rule applies because Accenture did have control over the data that was stolen. Pls.' Opp'n 12.

In Knight v. Merhige, the defendant parents invited their adult son, who had a long history of mental illness and violence directed towards his family and others, to a Thanksgiving dinner where the son shot and killed several family members. 133 So. 3d at 1142-43. The court held that adult parents did not owe a duty to the plaintiffs. First, the court held that parents are not required to control the actions of their adult children simply by having parental status. Id. at 1146-47. Next, the court addressed the plaintiffs' argument that because the defendants created a foreseeable zone of risk with an affirmative act, this was "sufficient to sustain liability for the criminal acts of another." Id. at 1148. The court acknowledged the possibility of finding a tort duty through this theory, but ultimately held that public policy advised against finding that the defendants owed the plaintiffs a duty. Id. at 1149.

Accenture does not dispute that Knight acknowledges the possibility of finding a duty based on an affirmative act that creates a foreseeable zone of risk. However, Accenture cites Demelus v. King Motor Co. of Fort Lauderdale, 24 So. 3d 759 (Fla. Dist. Ct. App. 2009), for the proposition that Accenture's implementation of inadequate security practices is not what Knight would consider "an affirmative act sufficient to remove plaintiffs from the realm of the special relationship rule." Def.'s Reply 9. However, Demelus is distinguishable for at least two reasons. First, it was decided on a motion for summary judgment after a robust factual record had been developed that allowed the court to carefully consider the particular facts of the case, and assess whether they created a tort duty of care; it was not decided on a motion to dismiss where the pleadings alone provide the context, and where the court does not evaluate competing evidence, but must instead draw all reasonable inferences in favor of the plaintiffs. Second, the court held that negligent security practices at an auto dealership were not affirmative acts because King Motors kept the vehicles behind a locked, gated lot and kept the car keys in a locked building. Demelus, 24 So. 3d at 764-65. The court distinguished this from a case involving the affirmative act of performing negligent security practices by someone responsible for protecting ultra-hazardous materials, such as anthrax which, (when inhaled) is deadly and "therefore, it was foreseeable that harm would result from negligent security." Id. at 756. The court contrasted that with negligent security at an auto dealership because "automobiles are ubiquitous in our society" and because a risk of harm created by an automobile only exists when the car is turned on and driven. Id. 
Lastly, the court reasoned that insufficient security practices at an auto dealership did not amount to an affirmative act because the defendant's actions did not create the risk to which the plaintiff was exposed, i.e., the risk of getting in a car accident already existed. Id. ("Because the risk of being injured in an automobile accident already existed when Demelus chose to travel on the public roads, the fact that King Motor kept its cars secured on its premises makes Demelus's risk of injury no worse. Because King Motor kept its vehicles secured, it did not create a risk of third-party criminal conduct.").

Here, Plaintiffs pleaded that Accenture created a foreseeable risk of harm with the affirmative act of maintaining negligent security practices, sufficient to give rise to a duty to protect the Consumer Plaintiffs' data from hackers. First, failing to fulfill its contractual obligation to prevent the very risk that it was hired to protect against and with the prior knowledge of the harm that it could cause to the customers of its clients that would flow from its failure, created a risk of harm that would not have existed but for Accenture's own negligent security practices. Compl. ¶ 1343 ("Accenture knew that its failure to secure its clients' networks or detect and identify IT security threats could result in the exposure of Plaintiffs' and class members' Personal Information and cause significant harm, which Accenture acknowledged in its own public filings."). Second, unlike an automobile, which presents a risk only during the time that its engine is running and it is being driven, the Consumer Plaintiffs allege that the risk to them flowing from the disclosure of personal identifying information extends for an indeterminate amount of time. See Compl. ¶ 1349 (alleging that Consumer Plaintiffs will suffer "impending injury flowing from potential fraud and identity theft posed by their Personal Information being in the possession of one or many unauthorized third parties.").

In sum, the Consumer Plaintiffs have sufficiently pleaded the element of duty to support a negligence claim under Florida law.

Negligence Per Se - Maryland

Maryland class representatives Maldini and Ryans allege claims of negligence per se under Maryland law. See Compl. ¶¶ 52-53, 1353. Accenture argues, and the Consumer Plaintiffs do not dispute, that Maryland does not recognize negligence per se as an independent cause of action, and a violation of a statute or ordinance can only be indicative of evidence of negligence. Def.'s Br. 19 n.7; Pls.' Opp'n 21 n.13. Therefore, Accenture's motion to dismiss the Consumer Plaintiffs' negligence per se claim under Maryland law is granted, and this count is dismissed.

Negligence Per Se - Connecticut

Connecticut class representative Amarena alleges a claim of negligence per se under Connecticut law. See Compl. ¶¶ 32, 1351-53. Under Connecticut law, to state a claim for negligence per se, plaintiffs must allege that the plaintiff was within the class of persons whom the statute was designed to protect, and the harm was of the type the statute was designed to prevent. Coastline Terminals of Connecticut, Inc. v. USX Corp., 156 F. Supp. 2d 203, 210 (D. Conn. 2001). The statutory basis for a negligence per se claim need not provide for a private right of action. Id. (citing Walker v. Barrett, No. CV990169673, 1999 WL 1063189 (Conn. Super. Ct. Nov. 8, 1999)). Plaintiffs argue that unfair practices, as interpreted and enforced by the FTC, include failure to use reasonable measures to protect personal information. Compl. ¶ 1352. Plaintiffs allege that Accenture's failure to do so constitutes negligence per se. Id. at 1353.

Accenture asserts the same arguments that I rejected in the Negligence - Maryland section, supra, and argues that because the FTC Act does not proscribe a particular standard of care, Plaintiffs' negligence per se claim under Connecticut law must be dismissed. Def.'s Br. 22. For the reasons discussed above, I find that the FTC Act can provide a predicate for a negligence per se claim under Connecticut law as well. Therefore, Accenture's motion to dismiss the Consumer Plaintiffs' negligence per se claim based on Connecticut law is denied.

I note that under Connecticut law, "[a]n injured party must prove duty, breach, proximate cause and damages in order to establish a negligence per se action." Coastline Terminals, 156 F. Supp. 2d at 211. As discussed in the final section of this opinion, Plaintiffs have adequately pleaded breach, causation, and damages to survive a dismissal motion.

Negligence Per Se - Georgia

Georgia class representatives Long, Viggiano, and Miller allege claims of negligence per se under Georgia law. See Compl. ¶¶ 37-39, 1351-52. "It is well-settled that Georgia law allows the adoption of a statute or regulation as a standard of conduct so that its violation becomes negligence per se." Pulte Home v. Simerly, 746 S.E.2d 173, 179 (Ga. Ct. App. 2013) (citing Rockefeller v. Kaiser Found. Health Plan of Ga., 554 S.E.2d 623, 626 (Ga. Ct. App. 2001)). Plaintiffs argue that unfair practices, as interpreted and enforced by the FTC, include failure to use reasonable measures to protect personal information. Compl. ¶¶ 1352-55. Plaintiffs allege that Accenture's failure to do so constitutes negligence per se. Id. at 1353.

Under Georgia law, a negligence per se claim must contain an alleged "breach of a legal duty with some ascertainable standard of conduct." Wells Fargo Bank, N.A. v. Jenkins, 744 S.E.2d 686, 688 (Ga. 2013). To evaluate a negligence per se claim, courts must "examine the purposes of the legislation and decide (1) whether the injured person falls within the class of persons it was intended to protect and (2) whether the harm complained of was the harm it was intended to guard against." Potts v. Fid. Fruit & Produce Co., 301 S.E.2d 903, 904 (Ga. Ct. App. 1983).

As mentioned above, federal district courts in Georgia repeatedly have found that plaintiffs have adequately pleaded claims of Georgia negligence per se based on alleged violations of Section 5 of the FTC act in data breach cases. See In re Equifax, Inc., Customer Data Security Breach Litig., 362 F. Supp. 3d 1295, 1327 (N.D. Ga. 2019); In re Arby's Rest. Grp. Inc. Litig., No. 1:17-CV-0514-AT, 2018 WL 2128441, at *5 (N.D. Ga. Mar. 5, 2018); In re The Home Depot, Inc., Customer Data Sec. Breach Litig., 2016 WL 2897520, at *4 (N.D. Ga. May 17, 2016).

For example, in Home Depot, which involved the theft of personal and financial information of 56 million Home Depot customers, the court found that "the Consolidated Class Action Complaint here adequately pleads a violation of Section 5 of the FTC Act, that the Plaintiffs are within the class of persons intended to be protected by the statute, and that the harm suffered is the kind the statute meant to protect." In re: The Home Depot, Inc., Customer Data Sec. Breach Litig., 2016 WL 2897520 at *4. The court also explained that one Georgia case and another that applied Georgia law also suggest that the FTC Act could be the basis of a negligence per se claim. Id. (citing Legacy Acad., Inc. v. Mamilove, LLC, 328 Ga. App. 775, 790 (2014) (holding Georgia negligence per se claim can be based on FTC's franchise rules interpreting Section 5 of the FTC Act), aff'd in part and rev'd in part on other grounds, 771 S.E.2d 868 (2015); Bans Pasta, LLC v. Mirko Franchising, LLC, No. 7:13-cv-00360-JCT, 2014 WL 637762, at *13-14 (W.D. Va. Feb. 12, 2014) (same)).

Accenture makes the same argument as Marriott did in its motion to dismiss the Consumer Plaintiffs' complaint. Accenture acknowledges these cases but argues that two recent Georgia Supreme Court cases (that did not involve the FTC Act) suggest that the Georgia Supreme Court would find that Section 5 of the FTC Act does not create an ascertainable standard of conduct. Def. Mot. 20-22.

First, in Wells Fargo Bank, N.A. v. Jenkins, the plaintiff brought a negligence claim against Wachovia and related banks for allegedly giving her personal information to her husband and allowing her husband to steal her identity. 744 S.E.2d 686, 687 (Ga. 2013). Plaintiff based her negligence claim on a portion of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801(a) and the court dismissed her claim because the statute was a Congressional policy statement as opposed to a statute that required any particular duties. Id. at 688. Second, in Georgia Department of Labor v. McConnell, the Georgia Supreme Court affirmed the dismissal of negligence per se claims brought under two Georgia statutes. 828 S.E.2d 352, 356 (2019). In that case, the court dismissed the plaintiff's claim because the first Georgia statute merely cited legislative findings as opposed to explicitly requiring any conduct, and the second did not apply to the plaintiff's allegations of negligent disclosure. Id. at 358.

Accenture argues that the reasoning of these cases indicates that the Georgia Supreme Court also would decline to find that Section 5 of the FTC Act creates an enforceable duty. However, for the reasons stated in my Memorandum Opinion denying Marriott's motion to dismiss the Consumer Plaintiffs' complaint, I am persuaded that Georgia would recognize that Section 5 of the FTC Act does create a standard of care. In re Marriott, 440 F. Supp. 3d at 481 ("But unlike the statement of policy in Wells Fargo Bank and the legislative findings in McConnell, Section 5 of the FTC Act is a statute that creates enforceable duties. Moreover, this duty is ascertainable as it relates to data breach cases based on the text of the statute and a body of precedent interpreting the statute and applying it to the data [breach] context.").

Therefore, Accenture's motion to dismiss the Consumer Plaintiffs' negligence per se claim based on Georgia law is denied.

I note that under Georgia law, a defendant is not necessarily liable even where a plaintiff establishes negligence per se. See, e.g., Goldstein, Garber & Salama, LLC v. J.B., 797 S.E.2d 87, 91 (Ga. 2017) (recognizing that proximate cause is an element that must be proved in cases involving negligence per se); In re Equifax, 362 F. Supp. 3d at 1328 ("Even if negligence per se is shown, a plaintiff must still prove proximate causation and actual damage to recover."); Central Anesthesia Assocs., P.C. v. Worthy, 333 S.E.2d 829, 831 (Ga. 1985) ("[N]egligence per se supplies only the duty and breach of duty elements of a tort, and the plaintiffs must still prove a causal connection (proximate cause) between the breach of this statutory duty and the injuries sustained . . . as well as their damages."). As discussed in the next section, Plaintiffs have adequately pleaded causation and damages to survive a dismissal motion.

Breach, Causation, and Damages - Maryland, Connecticut, Florida, and Georgia

Maryland, Connecticut, Florida, and Georgia all require that a plaintiff establish four elements to recover in negligence: (1) duty; (2) breach of that duty; (3) causation; and (4) damages. See Valentine, 727 A.2d at 949 (Md. 1999); Mirjavadi, 74 A.3d at 1287 (Conn. 2013); Jackson Hewitt, 100 So.3d at 27-28 (Fla. 2011); Central Anesthesia, 333 S.E.2d at 831 (Ga. 1985). Accenture argues that the Consumer Plaintiffs have not sufficiently pleaded that Accenture acted unreasonably, causing any injuries to the Consumer Plaintiffs. Def.'s Reply 10.

First, Accenture argues that the Plaintiffs failed to allege any "actions Accenture took or failed to take that resulted in the breach" and have thus failed to plead that Accenture breached a duty of reasonable care. Id. However, Plaintiffs have pleaded that Accenture negligently failed to "identify critical security threats such as unauthorized queries on Starwood's guest reservation database and malware specifically designed to access and exfiltrate sensitive information." Compl. ¶ 253. Plaintiffs do not need to particularize the discrete evidentiary details of every action that Accenture took or failed to take at this stage in the cases—their obligation is to plead a sufficient claim, not prove it as Accenture apparently would have it. Wittenberg v. First Indep. Mortg. Co., 599 F. App'x 463, 468 (4th Cir. 2013) (negligence is subject to the Rule 8 pleading standard which "does not require detailed factual allegations."). To survive a motion to dismiss, Plaintiffs cannot merely recite the bare elements of negligence and allege that Accenture acted unreasonably with no factual support. See Ashcroft, 556 U.S. at 678 (holding that, to survive a motion to dismiss, a complaint cannot only contain "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements"). But as I already have noted repeatedly, Plaintiffs have met this burden and sufficiently pleaded that Accenture acted unreasonably by failing to detect a security threat for four years.

Next, Accenture argues that the Consumer Plaintiffs have not adequately pleaded that any unreasonable act on their part caused any injury to the Plaintiffs because the Plaintiffs' "boilerplate allegations" fail to meet the burdens implemented by Fed. R. Civ. P. 8(a). Def.'s Br. 18. Under the laws of Maryland, Connecticut, and Florida, a plaintiff establishes causation when the defendant's conduct was a substantial factor in bringing about the plaintiff's injury. Phelps v. Lankes, 813 A.2d 100, 104 (Conn. Ct. App. 2003) (defining proximate causation as "an actual cause that is a substantial factor in the resulting harm . . . ." (quoting Vona v. Lerner, 804 A.2d 1018, 1025 (Conn. App. Ct. 2002))); Yonce v. SmithKline Beecham Clinical Labs., Inc., 680 A.2d 569, 575-76 (1996) (stating that a plaintiff establishes proximate cause when the defendant's conduct was a substantial factor that brought about the harm); McCain v. Fla. Power Corp., 593 So. 2d 500, 502 (Fla. 1992) (proximate causation "is concerned with whether and to what extent the defendant's conduct foreseeably and substantially caused the specific injury that actually occurred"). Under longstanding Georgia law, the defendant's conduct must be a "contributing factor in bringing about the plaintiff's damages," but it does not require that the contribution be "substantial." John Crane, Inc. v. Jones, 604 S.E.2d 822, 824 (Ga. 2004). A de minimis contribution, however, does not suffice. Scapa Dryer Fabrics, Inc. v. Knight, 788 S.E.2d 421, 425 (Ga. 2016) (citing John Crane, 604 S.E.2d at 825).

Here, Plaintiffs alleged that "Accenture's ongoing failure to maintain adequate security controls to detect and neutralize known and obvious security threats over a four-year period was a direct and proximate cause of the Data Breach." Compl. ¶ 255. Plaintiffs additionally allege that because of the data breach, they incurred injuries, including: identity fraud and theft, costs associated with purchasing protection that prevents identity theft and fraud, losing the value of their personal information, and more. Compl. ¶ 1349. Plaintiffs have alleged that Accenture's failure to detect unauthorized entry to the Starwood guest database caused the breach, and as a result, the Plaintiffs incurred injury. Because I must draw all reasonable inferences in favor of the Plaintiffs, the Plaintiffs' factual allegations that Accenture did not implement reasonable security protocols, which led to a data breach, adequately plead causation. Adcock, 550 F.3d at 374 (requiring the court to construe all factual allegations "in the light most favorable to [the] plaintiff.").

Lastly, Accenture argues that Plaintiffs have not adequately alleged that they incurred injury, adopting Marriott's argument from its motion to dismiss. In Marriott's motion to dismiss the bellwether claims, it argued, unsuccessfully, that the Consumer Plaintiffs lack standing. But I ruled that the Plaintiffs had established that they suffered injury-in-fact sufficient for Article III standing, which also is sufficient to show that the Plaintiffs adequately pleaded that they suffered injury.

Accordingly, for the foregoing reasons, I shall deny Accenture's motion to dismiss the Consumer Plaintiffs' negligence claims under Maryland, Connecticut, and Florida law, and the Consumer Plaintiffs' negligence per se claims under Connecticut, Florida, and Georgia law.

Conclusion

In sum, Accenture's motion to dismiss is granted in part and denied in part. Consumer Plaintiffs have standing to bring their claims by adequately alleging injury-in-fact and that those injuries are fairly traceable to Accenture's negligence. Consumer Plaintiffs adequately alleged that Accenture owed them a duty of care under Maryland, Connecticut, and Florida law and sufficiently alleged breach of that duty, causation, and damages to support their negligence claims. Plaintiffs also adequately alleged that Section 5 of the FTC Act can serve as a predicate for their tort claims under Connecticut and Georgia law. Consumer Plaintiffs' claim for negligence per se under Maryland law is dismissed. A separate order will follow.

October 26, 2020
Date

/S/_________

Paul W. Grimm

United States District Judge

