Opinion
1:22-cv-675
05-23-2023
EDWARD KOELLER and KEVIN CHEEK, individually and on behalf of all others similarly situated, Plaintiffs, v. NUMRICH GUN PARTS CORPORATION, Defendant.
WEITZ & LUXENBERG, P.C. JAMES J. BILSBORROW, ESQ. Attorneys for Plaintiffs TURKE & STRAUSS LLP RAINA C. BORRELLI, ESQ. Attorneys for Plaintiffs MULLEN COUGHLIN LLC JAMES F. MONAGLE, ESQ. Attorneys for Defendant SMITH, SOVIK, KENDRICK & SUGNET, P.C. KAREN G. FELTER, ESQ. Attorneys for Defendant
WEITZ & LUXENBERG, P.C.
JAMES J. BILSBORROW, ESQ.
Attorneys for Plaintiffs
TURKE & STRAUSS LLP
RAINA C. BORRELLI, ESQ.
Attorneys for Plaintiffs
MULLEN COUGHLIN LLC
JAMES F. MONAGLE, ESQ.
Attorneys for Defendant
SMITH, SOVIK, KENDRICK & SUGNET, P.C.
KAREN G. FELTER, ESQ.
Attorneys for Defendant
DECISION AND ORDER
DAVID N. HURD, U.S. DISTRICT JUDGE
I. INTRODUCTION
On June 24, 2022, Edward Koeller filed this putative class action against Numrich Gun Parts Corporation (“Numrich” or “defendant”) alleging that defendant failed to properly protect his sensitive information from disclosure arising from a data breach. Dkt. No. 1.
On October 21, 2022, Koeller filed an amended complaint as of right. Dkt. No. 20. Thereafter, the Court accepted Koeller's second amended complaint for filing. Dkt. No. 25. The second amended complaint, now the operative pleading, names Kevin Cheek as an additional plaintiff. See id.
On December 16, 2022, Numrich moved to dismiss Koeller and Cheek's (collectively “plaintiffs”) second amended complaint under Federal Rules of Civil Procedure (“Rule”) 12(b)(1) and 12(b)(6). Dkt. No. 26. In the alternative, defendant has moved to strike immaterial and impertinent allegations pursuant to Rule 12(f). Id. The motion has been fully briefed and will be considered on the basis of the submissions without oral argument.
II. BACKGROUND
Numrich is a well-known firearm parts and weapons retailer. Compl. ¶¶ 1, 122. Defendant sells gun parts that replace and modify the components for dangerous weapons, including bayonets, scabbards, gun magazines, stocks, suppressers, muzzle brakes and gun sights and components. Id. ¶ 5. Defendant sells these gun parts to customers through its e-commerce website, www.gunpartscorp.com. Id. ¶¶ 12, 33.
To complete a purchase on Numrich's e-commerce website, customers are required provide their name, address, payment card number, card security code, and expiration date (collectively “PCD”). Compl. ¶¶ 12, 16. Defendant collects and maintains this information pursuant to its Privacy Policy. Id. ¶ 35. Defendant's Privacy Policy promises to use reasonable measures to safeguard customers' PCD from theft and misuse. Id. ¶¶ 34-36.
On or around March 28, 2022, Numrich became aware of suspicious activity on its e-commerce website. Compl. ¶ 12. In response, defendant began an investigation into the cause of the suspicious activity. Id. The investigation revealed that a data breach occurred between January 23, 2022, and April 5, 2022. Id. After discovering the data breach, defendant did not shut down e-commerce through its website. Id. ¶ 15.
As part of the data breach, hackers gained access to at least 45,169 of Numrich's customers' PCD. Compl. ¶¶ 1, 12. Plaintiffs maintain that cybercriminals were able to breach defendant's e-commerce website because defendant failed to maintain reasonable security safeguards and protocols to protect its customers' PCD. Id. ¶ 17.
On or around June 6, 2022, over two months after discovering the breach and nearly five months after the start of the breach, Numrich began notifying breach victims that their PCD was compromised. Compl. ¶ 19. Plaintiffs, as customers of defendant, received notices that their PCD was exposed as a result of the data breach. Id. ¶¶ 21, 51, 58. According to plaintiffs, defendant's breach notice deliberately underplayed the breach's severity and misrepresented that defendant was unaware of any actual misuse of information related to the breach. Id. ¶ 20.
After being notified that their PCD was compromised, plaintiffs took efforts to remediate the effects of the data breach. Compl. ¶¶ 55, 63. In particular, plaintiffs devoted time and resources to reviewing their accounts for fraud. Id. Plaintiffs also spent time canceling the payment cards associated with their purchases from Numrich. Id.
Plaintiffs now fear for their personal safety following the data breach. Compl. ¶¶ 57, 65. As gun owners, plaintiffs maintain that they are now at risk for burglary and theft because criminals know where they live and that they possess guns. Id. As a result, plaintiffs are experiencing feelings of anxiety, sleep disruption, stress, fear, and frustration. Id.
III. LEGAL STANDARD
A. Rule 12(b)(1)
“A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it.” Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000). “The plaintiff bears the burden of proving subject matter jurisdiction by a preponderance of the evidence.” Aurecchione v. Schoolman Transp. Sys., Inc., 426 F.3d 635, 638 (2d Cir. 2005) (citing Luckett v. Bure, 290 F.3d 493, 497 (2d Cir. 2002)).
B. Rule 12(b)(6)
To survive a Rule 12(b)(6) motion to dismiss, the complaint's factual allegations must be enough to elevate the plaintiff's right to relief above the level of speculation. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). So while legal conclusions can provide a framework for the complaint, they must be supported with meaningful allegations of fact. Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009). In short, a complaint must contain “enough facts to state a claim to relief that is plausible on its face.” Twombly, 550 U.S. at 570.
To assess this plausibility requirement, the court must accept as true all of the factual allegations contained in the complaint and draw all reasonable inferences in the non-movant's favor. Erickson v. Pardus, 551 U.S. 89, 94 (2007). In doing so, the court generally confines itself to the facts alleged in the pleading, any documents attached to the complaint or incorporated into it by reference, and matters of which judicial notice may be taken. Goel v. Bunge, Ltd., 820 F.3d 554, 559 (2d Cir. 2016) (quoting Concord Assocs., L.P. v. Ent. Props. Tr., 817 F.3d 46, 51 n.2 (2d Cir. 2016)).
IV. DISCUSSION
Numrich seeks dismissal of plaintiffs' second amended complaint under Rules 12(b)(1) and 12(b)(6). See Def.'s Mem., Dkt. No 26-1 at 6. “When a defendant seeks dismissal under Rule 12(b)(1) ‘as well as on other grounds, the court should consider the Rule 12(b)(1) challenge first since if it must dismiss the complaint for lack of subject matter jurisdiction, the accompanying defenses and objections become moot and do not need to be determined.'” Rosenberg v. LoanDepot, Inc., 2023 WL 1866871, at *2 (S.D.N.Y. Feb. 9, 2023) (quoting Saint-Amour v. Richmond Org., Inc., 388 F.Supp.3d 277, 286 (S.D.N.Y. 2019)); see also Kumpf v. N.Y. State United Tchrs., --F.Supp.3d--, 2022 WL 17155847, at *4 (N.D.N.Y. Nov. 22, 2022). As such, defendant's 12(b)(1) motion will be addressed first.
Pagination corresponds to CM/ECF.
A. Subject Matter Jurisdiction
First, Numrich seeks dismissal of plaintiffs' claims under Rule 12(b)(1). Def.'s Mem. at 9-19. Defendant asserts that “[w]ithout standing to bring their claims, [p]laintiffs are unable to invoke the subject matter jurisdiction of this Court.” Id. at 7.
“Article III, Section 2 of the Constitution limits the subject-matter jurisdiction of the federal courts to ‘Cases' and ‘Controversies.'” SM Kids, LLC v. Google LLC, 963 F.3d 206, 211 (2d Cir. 2020) (citing Dhinsa v. Krueger, 917 F.3d 70, 77 (2d Cir. 2019)). “The standing doctrine, which emerges from Article III, is designed ‘to ensure that federal courts do not exceed their authority as it has been traditionally understood.'” Id. (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)).
“Given that standing is an essential element of federal subject matter jurisdiction, it follows that if a plaintiff lacks standing to bring a suit, a court has no subject matter jurisdiction over the case.” Miller v. Syracuse Univ., --F.Supp.3d--, 2023 WL 2572937, at *6 (N.D.N.Y. Mar. 20, 2023) (cleaned up). “In a class action, ‘federal courts lack jurisdiction if no named plaintiff has standing.'” McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 299 (2d Cir. 2021) (quoting Frank v. Gaos, 139 S.Ct. 1041, 1046 (2019)). A plaintiff “must demonstrate standing for each claim that they press and for each form of relief that they seek (for example, injunctive relief and damages).” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2208 (2021) (citations omitted).
“The Supreme Court has established that the irreducible constitutional minimum of standing consists of three elements.” N.Y. State Corr. Officers & Police Benevolent Assn, Inc. v. Hochul, 607 F.Supp.3d 231, 238 (N.D.N.Y. 2022) (cleaned up). “[T]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” SM Kids, LLC, 963 F.3d at 211 (cleaned up).
Numrich challenges only the injury-in-fact component of standing. See Def.'s Mem. at 11. The injury-in-fact requirement “is ‘a low threshold which helps to ensure that the plaintiff has a personal stake in the outcome of the controversy.'” Miller, 2023 WL 2572937, at *6 (quoting John v. Whole Foods Mkt. Grp., Inc., 858 F.3d 732, 736 (2d Cir. 2017)). “At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support a claim.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992) (cleaned up).
To establish an injury in fact, a plaintiff “must show that he or she suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Spokeo, Inc., 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560).
Plaintiffs have alleged four distinct injuries. See Pls.' Opp'n, Dkt. No. 27 at 13. First, plaintiffs assert that Numrich's breach resulted in the disclosure of their private information. Id. Second, plaintiffs contend that “Numrich's breach exposed [them] to a risk for identity theft and fraud, justifying their efforts to mitigate that risk by expending resources to review for fraud on their accounts, cancel their cards, and replace them.” Id. Third, plaintiffs maintain that their “fear for their safety given that criminals know where they live and that they own firearms,” amounts to an emotional harm. Id. Finally, plaintiffs assert that they “paid for data security when they bought products from Numrich, an implied ‘benefit of the bargain' Numrich failed to provide and must compensate them for.” Id. at 13-14.
1. Disclosure of Private Information
Plaintiffs first assert that the disclosure of their PCD arising out of the data breach confers standing under Article III. Pls.' Opp'n at 14-15. According to plaintiffs, the loss of their privacy amounts to an injury-in-fact analogous to the privacy tort of public disclosure of private information. Id.
“Certain types of intangible harms have long been judicially cognizable, and are therefore, concrete.” Bohnak v. Marsh & McLennan Cos., Inc., 580 F.Supp.3d 21, 29 (S.D.N.Y. 2022). “Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” Trans Union LLC, 141 S.Ct. at 2204 (citing Spokeo, Inc., 578 U.S. at 340-41). “Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. (collecting cases).
The privacy tort of public disclosure of private information “applies where the defendant gives publicity to a matter concerning the private life of another where the matter involves facts that (a) would be highly offensive to a reasonable person, and (b) are not of legitimate concern to the public.” Bohnak, 580 F.Supp.3d at 29 (cleaned up). Publicity in this context “means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Restatement (Second) of Torts § 652D; see also Miller, 2023 WL 2572937, at *8-9.
Upon review, plaintiffs have plausibly alleged the type of loss in privacy protected by the tort of public disclosure of private information. Plaintiffs assert that they: (1) have a protected interest in the confidentiality and privacy of their PCD; (2) trusted Numrich to use reasonable measures to protect their PCD; and (3) “would not have provided their PCD had they known [d]efendant would not adequately protect their PCD.” Compl. ¶¶ 53, 118, 128.
These allegations are sufficient to demonstrate that the public has no legitimate interest in plaintiffs' PCD and that a reasonable person would find the disclosure of their PCD without authorization or consent “highly offensive.” Granted, one might dispute whether the exposure of plaintiffs' PCD to the cybercriminals was sufficiently “public” under the tort. However, for purposes of this motion to dismiss, it is certainly plausible. See Miller, 2023 WL 2572937, at *9.
Some courts have criticized analogizing a sensitive data breach with the public disclosure of private information because the tort historically required a showing of a willful disclosure. See In re Practicefirst Data Breach Litig., 2022 WL 354544, at *7 n.10 (W.D.N.Y. Feb. 2, 2022), report and recommendation adopted, 2022 WL 3045319 (W.D.N.Y. Aug. 1, 2022). Here, plaintiffs' allegations that Numrich misrepresented that it would maintain adequate data privacy and security practices and procedures to safeguard its customers' sensitive information is “sufficiently analogous to willful disclosure required to state the common-law tort.” Miller, 2023 WL 2572937, at *9.
In any event, “the Supreme Court is clear that the common-law analogue need not be an ‘exact duplicate.'” Rand v. Travelers Indem. Co., --F.Supp.3d--, 2022 WL 15523722, at *4 (S.D.N.Y. Oct. 27, 2022); see also Bohnak, 580 F.Supp.3d at 30; In re USAA Data Sec. Litig., --F.Supp.3d--, 2022 WL 3348527, at *5 (S.D.N.Y. Aug. 12, 2022). Accordingly, at this early stage of the litigation, plaintiffs' allegations sufficiently resemble the type of loss in privacy protected by the tort of public disclosure of private information. As a result, plaintiffs have plausibly alleged an injury-in-fact for purposes of Article III standing.
While plaintiffs assert three other injuries-in-fact, “the Court need not analyze the sufficiency of those allegations” because plaintiffs have already shown a distinct injury-in-fact fairly traceable to the conduct of Numrich. Miller, 2023 WL 2572937, at *10.
Plaintiffs are also seeking injunctive relief in addition to monetary relief. See Compl. ¶¶ 25, 131. As noted supra, a plaintiff must demonstrate standing for each type of relief sought. Here, Numrich does not dispute that plaintiffs have standing to seek injunctive relief. Rather, defendant's memorandum only argues that plaintiffs do not have standing to seek damages.
B. Failure to State a Claim
Numrich also seeks dismissal of plaintiffs' claims under Rule 12(b)(6) for failure to state a claim. Def.'s Mem. at 20. Defendant argues that plaintiffs have “failed to plead sufficient facts to support any of the causes of action set forth in the Second Amended Complaint.” Id. Plaintiffs' causes of action include: (1) negligence; (2) breach of implied contract; (3) unjust enrichment; and (4) violation of New York General Business Law § 349. See Compl. ¶¶ 92-131.
1. Negligence (Count I)
First, Numrich advocates for dismissal of plaintiffs' negligence claim. Def.'s Mem. at 20-22. Defendant argues that dismissal of plaintiffs' negligence claim is warranted because plaintiffs have “failed to show any breach of a duty and any damages resulting from such a breach.” Id. at 20.
To properly plead a negligence claim under New York law, a plaintiff must plausibly allege that “(1) the defendant owed the plaintiff a cognizable duty of care; (2) the defendant breached that duty; and (3) the plaintiff suffered damage as a proximate result.” Ferreira v. City of Binghamton, 975 F.3d 255, 266 (2d Cir. 2020) (quoting Williams v. Utica Coll. of Syracuse Univ., 453 F.3d 112, 116 (2d Cir. 2006)).
a. Breach of Duty
Numrich argues that even assuming it “has a common law duty to safeguard customer data,” plaintiffs have nonetheless failed to plausibly allege a breach of that duty. Def.'s Mem. at 21. Defendant maintains that plaintiffs “have pled only threadbare elements of [their] claim, supported by conclusory allegations that Numrich failed to follow industry guidelines and breached its duty.” Id.
Plaintiffs also allege that Numrich owed to them “a duty to notify them within a reasonable timeframe of any breach to the security of their PCD,” and “a duty to timely and accurately” disclose the “scope, nature, and occurrence of the Data Breach.” Compl. ¶ 95. Defendant does not dispute these alleged duties in its memorandum of law. See Def.'s Mem. at 21.
Plaintiffs allege that Numrich breached its duty to safeguard their personal information by failing to exercise reasonable care in: (1) securing and handling their PCD; (2) supervising its agents, contractors, vendors, and suppliers; and (3) timely notifying plaintiffs that their PCD was compromised as a result of the data breach. Compl. ¶ 99. Plaintiffs assert that defendant “knew or should have known that its computer systems and data security practices were inadequate,” “and that risk of a data breach or cyber-attack were highly likely and foreseeable.” Id. ¶ 130.
Accepting these allegations as true, plaintiffs have plausibly alleged a breach of duty. In fact, courts have found similar allegations sufficient to plausibly allege a breach of the duty to safeguard personal information. See, e.g., Toretto v. Donnelley Fin. Sols., Inc., 583 F.Supp.3d 570, 595 (S.D.N.Y. 2022) (finding allegations sufficient to sustain a negligence claim where the complaint alleged that the defendant failed to implement security systems sufficient to protect personal information and was aware that it was the target of cybersecurity threats). As such, plaintiffs have sufficiently alleged that Numrich breached its duty to protect their personal information from disclosure.
b. Damages
Next, Numrich argues that plaintiffs have failed to properly “plead facts showing actual harm resulting from the security incident.” Def.'s Mem. at 21. According to defendant, plaintiffs' alleged injuries are “purely speculative and hypothetical, which is legally insufficient to maintain a negligence claim.” Id. at 21-22.
“ [E]ven when a plaintiff s allegations are sufficient to support standing, the plaintiff must also plead cognizable damages to survive a defendant's motion to dismiss under Rule 12(b)(6). In re USAA Data Sec. Litig., 2022 WL 3348527, at *8 (citing Doe v. Chao, 540 U.S. 614, 624-25 (2004)).
Plaintiffs allege that they have suffered or will suffer damages, including “monetary damages arising from unauthorized charges on their debit or credit cards,” “damages from identity theft, which may take months, if not years to discover and detect,” “loss of time spent addressing the present and ongoing risk of identity theft and financial fraud,” and “embarrassment, humiliation, frustration, emotional distress, and concern for their own personal safety.” Compl. ¶ 100.
For purposes of this motion to dismiss, plaintiffs' allegations are sufficient to demonstrate damages. Granted, plaintiffs' allegations are thin, and discovery may well reveal that plaintiffs did not suffer any actual or ascertainable damages. However, in drawing all reasonable inferences in plaintiffs' favor, plaintiffs have plausibly alleged damages resulting from the data breach. Especially so in light of Numrich's failure to advance specific arguments or provide any legal basis on which to conclude that each of plaintiffs' alleged injuries are insufficient. Accordingly, defendant's argument that plaintiffs' allegations are “purely speculative and hypothetical” must be rejected. As a result, defendant's motion to dismiss plaintiffs' negligence claim shall be denied.
2. Breach of Implied Contract (Count II)
Numrich advocates for dismissal of plaintiffs' breach of implied contract claim on the basis that “there are no facts in the Second Amended Complaint showing mutual assent to an implied contract that included data security.” Def.'s Mem. at 23. According to defendant, data security was merely incidental to plaintiffs' purchases of firearm parts on its e-commerce website. Id.
Under New York law, “[a]n implied contract, like an express contract, requires ‘consideration, mutual assent, legal capacity and legal subject matter.'” Sackin v. TransPerfect Glob., Inc., 278 F.Supp.3d 739, 750 (S.D.N.Y. 2017) (citation omitted). “The element of mutual assent . . . must be inferred from the facts and circumstances of each case, including such factors as the specific conduct of the parties, industry custom, and course of dealing.” Nadel v. Play-By-Play Toys & Novelties, Inc., 208 F.3d 368, 376 n.5 (2d Cir. 2000) (citation omitted); see also Walkie Check Prods., LLC v. ViacomCBS Inc., 2022 WL 2306943, at *10 (S.D.N.Y. June 27, 2022). The conduct of a party indicates assent if the party intends to engage in such conduct and knows that such conduct gives rise to an inference of assent. See Wallace v. Health Quest Sys., Inc., 2021 WL 1109727, at *10 (S.D.N.Y. Mar. 23, 2021) (citation omitted).
Plaintiffs allege that they accepted Numrich's offer to purchase firearm parts through its e-commerce website and as a condition to making a purchase, they were required to provide defendant with their PCD. Compl. ¶¶ 102-03. In so doing, plaintiffs maintain that they entered into implied contracts with defendant “pursuant to which [d]efendant agreed to safeguard and protect such information and to timely and accurately notify [p]laintiffs . . . if their data had been breached and compromised.” Id. ¶ 103.
Plaintiffs have plausibly alleged mutual assent to an implied contract. Indeed, other courts in this Circuit have found similar allegations sufficient for purposes of a motion to dismiss. See, e.g., Miller, 2023 WL 2572937, at *19-20 (holding that the plaintiff plausibly stated a claim for breach of an implied contract where the plaintiff, with the expectation that their sensitive information would be protected, provided their sensitive information to the defendant in order to receive defendant's services). As the court in Sackin recognized, in our day and age of data and identity theft, it is difficult to imagine how the mandatory receipt of sensitive information would not imply the recipient's assent to protect the information. 278 F.Supp.3d at 751. Accordingly, Numrich's motion to dismiss plaintiffs' breach of implied contract claim shall be denied.
Numrich also argues that plaintiffs “cannot show the required element of damages.” Def.'s Mem. at 23. Defendant repeats the same argument that it set forth with respect to plaintiffs' negligence claim-that plaintiffs' “claimed damages are wholly speculative and contingent on uncertain future events.” Id. Defendant's argument is unpersuasive in this context as well. As determined supra, plaintiffs have plausibly alleged cognizable damages. See Sackin, 278 F.Supp.3d at 751; In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *12 (S.D.N.Y. Aug. 4, 2021).
3. Unjust Enrichment (Count III)
Numrich moves to dismiss plaintiffs' unjust enrichment claim on the basis that “[t]here is nothing unjust about Numrich retaining payment in exchange for goods.” Def.'s Mem. at 23-24.
“Under New York law, a plaintiff seeking damages for a claim of unjust enrichment must establish three elements: ‘(1) that the defendant benefitted; (2) at the plaintiff's expense; and (3) that equity and good conscience require restitution.'” Digizip.com, Inc. v. Verizon Servs. Corp., 139 F.Supp.3d 670, 682 (S.D.N.Y. 2015) (quoting Beth Israel Med. Ctr. v. Horizon Blue Cross & Blue Shield of N.J., Inc., 448 F.3d 573, 586 (2d Cir. 2006)).
Plaintiffs allege that they conferred a benefit to Numrich in the form of payments through defendant's website and that defendant retained this benefit despite not adequately protecting their PCD. Compl. ¶¶ 116, 118. Plaintiffs maintain that they “would not have provided their PCD had they known [d]efendant would not adequately protect their PCD.” Id. ¶ 118.
Plaintiffs have sufficiently stated a claim for unjust enrichment. Relevant here, “[c]ourts have concluded that the failure to secure a plaintiff's data can give rise to an unjust enrichment claim.” Rudolph v. Hudson's Bay Co., 2019 WL 2023713, at *12 (S.D.N.Y. May 7, 2019). These courts “reason that a defendant has accepted the benefits accompanying plaintiff's data, but does so at the plaintiff's expense by not implementing adequate safeguards, thus making it ‘inequitable and unconscionable' to permit defendant to retain funds that it saved by ‘shirking data-security' and leaving the plaintiff ‘to suffer the consequences.'” Id. at *12 (citation omitted); see also Wallace, 2021 WL 1109727, at *11. Accordingly, plaintiffs have plausibly alleged an unjust enrichment claim. As a result, Numrich's motion to dismiss this claim shall be denied.
4. General Business Law § 349 (Count IV)
Lastly, Numrich seeks dismissal of plaintiffs' New York General Business Law § 349 (“Section 349”) claim. Def.'s Mem. at 24-27. Defendant argues that dismissal of this claim is warranted because plaintiffs have not plausibly alleged that they were deceived in New York State. Id. at 25.
Section 349 “is a broad consumer protection measure that prohibits deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state.” Chery v. Conduent Educ. Servs., LLC, 581 F.Supp.3d 436, 449 (N.D.N.Y. 2022) (cleaned up). “To establish a violation of Section 349, the plaintiff must prove the defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result.” Id. (citing Koch v. Acker, Merrall & Condit Co., 967 N.E.2d 675, 675 (2012)).
In Cruz v. FXDirectDealer, LLC, the Second Circuit addressed Section 349's limiting phrase “in this state.” 720 F.3d 115, 122-23 (2d Cir. 2013). The court held that when determining whether a transaction is within the territorial reach of Section 349, it is appropriate to “focus on the location of the transaction, and in particular the strength of New York's connection to the allegedly deceptive transaction . . . .” Id. at 122. The court concluded that “Section 349's territorial requirement is satisfied as long as ‘some part of the transaction occurred in New York-even if the plaintiff was located elsewhere.” In re AXA Equitable Life Ins. Co. COI Litig., 595 F.Supp.3d 196, 241 (S.D.N.Y. 2022) (quoting Cruz, 720 F.3d at 124).
Measured against this standard, plaintiffs have failed to allege facts plausibly suggesting that the alleged deceptive transactions occurred in New York State. Plaintiffs allege only that Numrich is headquartered in New York State and conducts “business, trade, or commerce” there. Absent from plaintiffs' second amended complaint is any indication that “some part of' the transactions at issue occurred in New York State. Consequently, plaintiffs have failed to demonstrate a sufficient nexus between the alleged deceptive transactions and New York State. See Livingston v. Trustco Bank, 2022 WL 798157, at *19 (N.D.N.Y. Mar. 16, 2022). Accordingly, defendant's motion to dismiss plaintiffs' Section 349 claim shall be granted.
Plaintiffs assert in their memorandum of law that Numrich directs its e-commerce business from its New York headquarters. Pls.' Opp'n at 26. However, plaintiffs' second amended complaint does not allege this. Even if it did, such allegations would likely be insufficient. See Sharpe v. Puritan's Pride, Inc., 2019 WL 188658, at *3 (N.D. Cal. Jan. 14, 2019) (noting that imposing liability under Section 349 “simply because an online transaction was hosted or processed in New York” would lead to an unwarranted expansive reading of the statute).
C. Request to Strike
In the alternative, Numrich has moved under Rule 12(f) to strike portions of plaintiffs' second amended complaint “concerning identity theft and data breaches that have nothing to do with the parties or facts of this case.” Def.'s Mem. at 27.
Under Rule 12(f), a court is permitted to “strike from a pleading . . . any redundant, immaterial, impertinent, or scandalous matter.” FED. R. CIV. P. 12(f). “To succeed on a Rule 12(f) motion, a movant generally must demonstrate that ‘(1) no evidence in support of the allegations would be admissible; (2) that the allegations have no bearing on the issues in the case; and (3) that to permit the allegations to stand would result in prejudice to the movant.'” Jalayer v. Stigliano, 420 F.Supp.3d 58, 64 (E.D.N.Y. 2018) (quoting Roe v. City of N.Y., 151 F.Supp.2d 495, 510 (S.D.N.Y. 2001)). “A court ‘should not tamper with the pleadings unless there is a strong reason for so doing.'” Westwide Winery, Inc. v. SMT Acquisitions, LLC, 511 F.Supp.3d 256, 264 (E.D.N.Y. 2021) (quoting Lipsky v. Comm. United Corp., 551 F.2d 887, 893 (2d Cir. 1976)).
No such strong reason exists here. The allegations at issue are relevant to plaintiffs' asserted claims and damages. Accordingly, Numrich's motion to strike portions of plaintiffs' second amended complaint shall be denied.
V. CONCLUSION
Therefore, it is
ORDERED that
1. Defendant's motion to dismiss in GRANTED in part and DENIED in part;
2. Plaintiffs' New York General Business Law § 349 claim (Count IV) is DISMISSED;
3. Plaintiffs' claims for negligence (Count I), breach of implied contract (Count II), and unjust enrichment (Count III) REMAIN;
4. Defendant's motion to strike under Rule 12(f) is DENIED; and
5. Defendant shall file and serve an answer to the second amended complaint on or before Tuesday, June 6, 2023.
The Clerk of The Court is directed to terminate the pending motion.
IT IS SO ORDERED.