Opinion
23-cv-01131-VC
08-16-2023
JOHN PRUTSMAN, et al., Plaintiffs, v. NONSTOP ADMINISTRATION AND INSURANCE SERVICES, INC., Defendant.
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
RE: DKT. NO. 39
VINCE CHHABRIA UNITED STATES DISTRICT JUDGE
Nonstop's motion to dismiss is granted in part and denied in part. This order assumes the reader's familiarity with the factual allegations, the relevant law, and the parties' arguments.
1. The plaintiffs' sole allegation in support of their claim for breach of fiduciary duty is that Nonstop “became a fiduciary by its undertaking and guardianship of the PHI/PII[.]” Dkt. No. 38 at 30. This is nowhere near adequate to allege the existence of a fiduciary duty, and so Count III must be dismissed.
The parties spend most of their briefing on this claim debating whether the California courts have decided that insurance brokers are generally not fiduciaries. See Vu v. Prudential Property Casualty Insurance Company, 26 Cal.4th 1142, 1150-1151 (2001) (“The insurer-insured relationship ... is not a true ‘fiduciary relationship[.]'”); Hydro-Mill Company, Inc. v. Hayward, Tilton & Rolapp Insurance Associates Inc., 115 Cal.App.4th 1145, 1158 (2004) (“[i]f an insurer is not a fiduciary, then arguably, neither is a broker.”). This is beside the point here. The question of fiduciary duty is fact-intensive, and the plaintiffs' singular and conclusory allegation does not cut it in any event.
2. An intrusion upon seclusion occurs when “[o]ne intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, [and] is [then] subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement (Second) of Torts § 652B (emphasis added). And a claim for invasion of privacy under the California Constitution requires “a reasonable expectation of privacy, and conduct by the defendant constituting a serious invasion of privacy.” Hill v. National Collegiate Athletic Association, 7 Cal.4th 1, 39-40 (1994) (emphasis added). “The analysis for these two tort claims is functionally identical[.]” In re Facebook, Inc., Consumer Privacy User Profile Litigation, 402 F.Supp.3d 767, 797 (N.D. Cal. 2019). Nothing in the complaint suggests that Nonstop was anything but negligent and passive.
At the hearing, counsel for the plaintiffs insisted that this Court should follow In re Ambry Genetics Data Breach Litigation. 567 F.Supp.3d 1130, 1143 (C.D. Cal. 2021). But In re Ambry offers no discussion or reasoning, and cites to no authority, for its conclusion that merely negligent conduct can support a claim of invasion of privacy. Id. at 24. The decision quotes the plaintiffs' boilerplate allegation that the defendants “intentionally, willfully, recklessly, or negligently” failed to adequately protect Ambry's data systems, proclaims that allegation suffices, and moves on. Id. In re Ambry is therefore not persuasive. Count VII is dismissed.
3. The plaintiffs purport to seek restitution under California's Unfair Competition Law, but the complaint offers no basis for such a remedy here-there are no allegations of profits or ill-gotten gains that Nonstop must be disgorged of to restore the plaintiffs to their position prior to the data breach. Count X is thus dismissed.
4. Nonstop argues that the plaintiffs have not adequately alleged that it is the type of business to which the California Consumer Privacy Act applies. While it's true that the complaint does little more than recite the relevant criteria, this is enough at the pleading stage to suggest that Nonstop is subject to the Act. Nonstop also argues that, in any event, the plaintiffs fail to state a claim because Nonstop has already cured the alleged violations. But this argument is premised on the fact that Nonstop said it had cured the violation in its letter response to the plaintiffs' notice. This does not render implausible the plaintiffs' allegations to the contrary. The motion is therefore denied as to Count VIII.
5. Nonstop argues that the plaintiffs have not adequately alleged that their “confidential medical information”-as opposed to their personal identifying information-was “actually viewed by an unauthorized third party,” and so their claim under the California Confidentiality of Medical Information Act must be dismissed. But the plaintiffs allege that, “as part of providing health insurance services,” Nonstop “acquired, collected and stored” the plaintiffs' confidential medical information, such as diagnoses, prescription medications, numeric codes used to identify services and procedures, among others. See Dkt. No. 38 at 2-3. They then allege that a data breach occurred, which Nonstop investigated and confirmed, and during which the plaintiffs' medical treatment and diagnosis information was accessed by an unauthorized third party. Dkt. No. 38 at 13-14. They also allege that a “data breach forum reported that 45,532 lines of data were posted online as a sample of the breach by cybercriminals,” and that individual plaintiffs have had fraudulent transactions on their accounts or significant drops in their credit scores. See Dkt. No. 38 at 5, 13-14 (emphasis added). Given the type of information Nonstop allegedly had in its systems, and given the apparent scale of the data breach, it is plausible that confidential medical information was among the information viewed by unauthorized third parties. The motion to dismiss is denied as to Count IX.
6. Nonstop argues that the claim under the California Customer Records Act fails because the plaintiffs have not sufficiently alleged the inadequacy of Nonstop's security measures or that Nonstop's notice of the security breach was unreasonably delayed. The plaintiffs allege that Nonstop failed to adequately encrypt their data, monitor user activity to identify possible threats, and train its employees not to store sensitive information longer than necessary. Dkt. No. 38 at 20, 25-26. They also cite an academic source suggesting that “[i]n almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate security solutions.” Dkt. No. 38 at 23. Finally, the plaintiffs allege that, although Nonstop discovered the cyberattack on December 22, 2022, it did not begin to notify the plaintiffs until February 22, 2023, with some plaintiffs not being notified until March 6, 2023. Dkt. No. 38 at 3. Although these allegations are not slam-dunks, they suffice to support the inference that Nonstop did not have adequate security measures in place and that it unreasonably delayed in notifying the plaintiffs of the breach. The motion is therefore denied as to Count XI.
7. Nonstop argues that the Alaska Personal Information Protection Act, Colorado Security Breach Notification Act, and New York Information Security Breach and Notification Act do not create private rights of action. The plaintiffs concede as much as to the Alaska statute, and so Count VI is dismissed.
As to the Colorado statute, the plaintiffs argue that the statute's permissive language (“[t]he attorney general may bring an action .. to address violations of this section”) and its non-exclusionary language (“[t]he provisions of this section are not exclusive and do not relieve a covered entity ... from compliance with all other applicable . law”) suggest the statute creates a private right of action. Colo. Rev. Stat. §§ 6-1-716(4). As counsel for the plaintiffs seemed to concede at the hearing, however, the non-exclusionary provision is most reasonably interpreted as a reference to the conduct the statute proscribes, not to who is charged with its enforcement. And the use of passive language is most reasonably understood as referring to the Attorney General's discretion in enforcing the statute, not as a suggestion that others may do so too. See In re Arthur J. Gallagher Data Breach Litigation, 631 F.Supp.3d 573 (N.D. Ill. 2022). Count XII is dismissed.
The same goes for the New York statute, which says that “whenever the attorney general shall believe from evidence satisfactory to him or her that there is a violation of this article he or she may bring an action in the name and on behalf of the people of the state of New York.” N.Y. Gen. Bus. §§ 899-aa(6)(a), (10); see Miller v. Syracuse University, __ F.Supp.3d __, 2023 WL 2572937, *14 (N.D. N.Y. 2023). Count XIV is dismissed.
8. Finally, the claims under Alaska's Consumer Protection Act, Colorado's Consumer Protection Act, and New York's General Business Law (Counts V, XIII, and XV) are dismissed because the plaintiffs come nowhere close to alleging fraud with particularity.
In sum, the motion to dismiss is GRANTED as to Counts III, V, VI, VII, X, XII, XIII, XIV, and XV and DENIED as to Counts VIII, IX, and XI. Discovery may proceed immediately as to the latter, as well as to Counts I, II, and IV, which Nonstop did not move to dismiss. As discussed at the hearing, if the plaintiffs wish to proceed on the current complaint, they may seek leave to amend at a later time, should discovery uncover facts that support the dismissed claims. If the plaintiffs choose to amend now, they must file an amended complaint within 21 days of this order. Nonstop's response is due within 21 days of the filing of the amended complaint.
IT IS SO ORDERED.