Opinion
Civil Action 3:17-CV-186-CHB
03-31-2023
ANDREA K. SAVIDGE, et al., Plaintiffs, v. PHARM-SAVE, INC., Defendant.
MEMORANDUM OPINION AND ORDER
CLARIA HORN BOOM, UNITED STATES DISTRICT COURT JUDGE
Several motions are pending before the Court. First, Defendant Pharm-Save, Inc. (“Pharm-Save”) has submitted three Motions for Partial Summary Judgment. [R. 135; R. 136; R. 137]. Plaintiffs Andrea Savidge and Beth Lynch filed a consolidated response to the motions [R. 149] and Pharm-Save did the same in reply [R. 153]. Pharm-Save next filed two Motions to Exclude Testimony Pursuant to Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993). [R. 138; R. 139]. Plaintiffs again filed a single response [R. 150] and Pharm-Save replied [R. 154]. In addition, Plaintiffs have moved for class certification. [R. 144]. Pharm-Save responded in opposition [R. 155], and Plaintiffs replied [R. 158]. Lastly, Plaintiffs have requested oral argument on all outstanding motions. [R. 160]. After Pharm-Save responded [R. 163], Plaintiffs did not reply.
For the following reasons, the Court will grant Pharm-Save's Motion for Partial Summary Judgment on Plaintiffs' NCUDTPA claim [R. 135]; grant Pharm-Save's Motion for Partial Summary Judgment on Plaintiffs' Intrusion Upon Seclusion claim [R. 136]; deny without prejudice Pharm-Save's Motion for Partial Summary Judgment on Plaintiffs' claimed damages for increased risk of future harm [R. 137]; grant in part and deny in part both of Pharm-Save's Motions to Exclude Testimony [R. 138]; [R. 139]; deny without prejudice Plaintiffs' Motion for Class Certification [R. 144]; and deny Plaintiffs' Motion for Oral Argument [R. 160].
I. BACKGROUND
Plaintiffs Andrea Savidge and Beth Lynch, both Kentucky residents at all relevant times, were employees of Pharm-Save, a corporation organized under the laws of North Carolina with its principal place of business in the state of North Carolina, from 2013 to 2015 and from 2013 to 2014, respectively. [R. 1-1, p. 3, ¶¶ 7-8]. On March 3, 2016, after their employment had ended, Plaintiffs' “sensitive and personal information contained in their Form W-2 Wage and Tax Statement(s) was compromised via a data security breach[.]” Id. at 4, ¶ 11. This data breach occurred when Pharm-Save fell victim to a phishing scheme perpetrated by cybercriminals. Id. at 7, ¶ 21. According to the Complaint, one or more Pharm-Save employees released Plaintiffs' personally identifiable information (“PII”) to cybercriminals posing as company executives. Id.
Pharm-Save promptly notified affected employees, including Lynch and Savidge, via letter. Id. at 7-8, ¶ 24. Pharm-Save explained the security breach and told employees, “[i]t is possible that the criminal(s) may have filed or may try to file fraudulent tax refunds in the names of our employees.” Id. at 21, 24. Pharm-Save also offered employees “a complimentary two-year membership of Experian's ProtectMyID Alert,” which it explained “helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.” Id. The letters contained instructions on how to activate the ProtectMyID service. Id.
In a letter dated March 29, 2016, the IRS notified Savidge that it had received a federal income tax return for the 2015 tax year with her name and social security number. Id. at 28. However, the IRS stated that, “[t]o protect you from identity theft, we need to verify your identity before we process your return.” Id. The IRS also wrote, “[w]e won't process this . . . tax return until we hear from you.” Id. Indeed, the tax return was fraudulent. Id. at 9.
In 2017, Plaintiffs sued Pharm-Save and Neil Medical Group, Inc. in Kentucky state court, alleging several causes of action related to the theft of their PII. [R. 1, p. 2]. Pharm-Save timely removed the action to this Court [R. 1], and simultaneously filed a motion to dismiss [R. 5]. The previously assigned district judge granted the motion in part, leaving only two live claims: negligence and breach of implied contract. [R. 26, p. 27]. The Court also denied without prejudice Pharm-Save's motion to dismiss Neil Medical Group, Inc. for lack of personal jurisdiction, id., and granted Plaintiffs' motion for leave to file an amended complaint, id. at 28. Plaintiffs filed an amended complaint that advanced four new legal theories centered on Pharm-Save's alleged mishandling of Plaintiffs' PII. [R. 27]. Pharm-Save moved to dismiss all the new counts pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure [R. 30], which the Court granted. See [R. 72]. In addition, following limited discovery, Neil Medical Group renewed its motion to dismiss for lack of personal jurisdiction [R. 51], which the Court likewise granted. See [R. 69].
With leave from the assigned magistrate judge [R. 103], Plaintiffs filed their second amended complaint on July 1, 2021, raising two new causes of action: violations of the North Carolina Unfair and Deceptive Trade Practices Act (NCUDTPA) and intrusion upon seclusion. [R. 104]. To date, four of Plaintiffs' claims remain: negligence, breach of implied contract, NCUDTPA violations, and intrusion upon seclusion. Because Pharm-Save challenge Plaintiffs' NCUDTPA and intrusion upon seclusion claims, which the Court will dismiss for the reasons outlined herein, only their negligence and breach of implied contract claims remain.
II. ANALYSIS
A. SUMMARY JUDGMENT MOTIONS
In three motions for partial relief, Pharm-Save seeks summary judgment on two of Plaintiffs' remaining claims-NCUDTPA [R. 135] and intrusion upon seclusion [R. 136]-and on Plaintiffs' claimed damages for increased risk of future harm [R. 137].
Under Federal Rule of Civil Procedure 56, a court may grant summary judgment if it finds “there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” FED. R. CIV. P. 56(a). “A genuine dispute of material fact exists ‘if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.'” Winkler v. Madison County, 893 F.3d 877, 890 (6th Cir. 2018) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)).
The moving party bears the initial burden “of informing the district court of the basis for its motion, and identifying those portions of ‘the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any,' which it believes demonstrate the absence of a genuine issue of material fact.” Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986); see also Anderson, 477 U.S. at 256. That burden may be satisfied by demonstrating that there is an absence of evidence to support an essential element of the non-moving party's case for which he or she bears the burden of proof. Maxwell v. FCA US, LLC, No. 22-1356, 2023 WL 246836, at *2 (6th Cir. 2023) (citing Celotex Corp., 477 U.S. at 323).
Once the moving party satisfies this burden, the non-moving party must then produce “specific facts, supported by the evidence in the record, upon which a reasonable jury could find there to be a genuine fact issue for trial.” Bill Call Ford, Inc. v. Ford Motor Co., 48 F.3d 201, 205 (6th Cir. 1995) (citation omitted); see also Winkler, 893 F.3d at 890. “The evidence of the nonmovant is to be believed, and all justifiable inferences are to be drawn in his favor.” Anderson, 477 U.S. at 255. However, the Court is not obligated to “search the entire record to establish that it is bereft of a genuine issue of material fact.” In re Morris, 260 F.3d 654, 655 (6th Cir. 2001). Rather, “the nonmoving party has an affirmative duty to direct the court's attention to those specific portions of the record upon which it seeks to rely to create a genuine issue of material fact.” Id.
In fact, the Federal Rules of Civil Procedure require the non-moving party to present specific facts showing that a genuine factual issue exists by “citing to particular parts of materials in the record including depositions, documents, electronically stored information, affidavits or declarations, stipulations (including those made for purposes of the motion only), admissions, interrogatory answers, or other materials” or by “showing that the materials cited do not establish the absence . . . of a genuine dispute.” FED. R. CIV. P. 56(c)(1). “The mere existence of a scintilla of evidence in support of the [non-moving party's] position will be insufficient; there must be evidence on which the jury could reasonably find for the [non-moving party].” Anderson, 477 U.S. at 252. Ultimately, if the record, taken as a whole, could not lead the trier of fact to find for the nonmoving party, then there is no genuine issue of material fact and summary judgment is appropriate. Matsushita Elec., 475 U.S. at 587 (citation omitted).
i. North Carolina Unfair and Deceptive Trade Practices Act (NCUDTPA) Claims [R. 135]
The North Carolina Unfair and Deceptive Trade Practices Act (“NCUDTPA”) states:
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful.N.C. Gen. Stat. Ann. § 75-1.1 (2021). Relatedly, the North Carolina Identity Theft Protection Act (“NCITPA”) provides, in relevant part:
(a) Except as provided in subsection (b) of this section, a business may not do any of the following:
(1) Intentionally communicate or otherwise make available to the general public an individual's social security number.
...
(6) Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's social security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number.
...
(b) Subsection (a) of this section shall not apply in the following instances:
...
(2) To the collection, use, or release of a social security number for internal verification or administrative purposes.N.C. Gen. Stat. Ann. §§ 75-62(a)(1), (a)(6), (b)(2).
“[A]ny NCITPA claim must proceed through the NCUDTPA.” In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742, at *35 (D.N.J. Dec. 16, 2021). The NCITPA “provides a cause of action under the [NC]UDTPA when a business intentionally disclose[s] an individual's social security number to a third party without written consent to the disclosure from the individual,” and “when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number.” Rogers v. Keffer, Inc., 243 F.Supp.3d 650, 661 (E.D. N.C. 2017) (citing N.C. Gen. Stat. Ann. § 75-62(a)(6)); see also N.C. Gen. Stat. Ann. § 75-62(d) (“A violation of this section is a violation of G.S. 75-1.1.).“The NCITPA also provides a cause of action under the [NC]UDTPA for failing to notify the victim of a security breach.” Rogers, 243 F.Supp.3d at 662 (citing N.C. Gen. Stat. § 75-65).
Pharm-Save acknowledges “[a] violation of the NCITPA is also a violation of the UDTPA.” [R. 135-1, p. 6].
Also relevant in this case is Section 75-65 of the NCITPA, which states:
(b) . . . [A]ny business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.N.C. Gen. Stat. Ann. § 75-65. Other than generally alleging a failure to notify in their Second Amended Complaint, Plaintiffs have adduced no evidence upon which a reasonable jury could find that Pharm-Save violated this section of the statute. “Issues adverted to in a perfunctory manner, unaccompanied by some effort at developed argumentation, are deemed waived.”McPherson v. Kelsey, 125 F.3d 989, 995-96 (6th Cir. 1997) (citation omitted). “It is not sufficient for a party to mention a possible argument in the most skeletal way, leaving the court to . . . put flesh on its bones.” Id. In any case, the record demonstrates that Pharm-Save notified the North Carolina Attorney General's Office, the Lenoir County Sheriff's Department, and all affected employees and/or former employees within days of Neil Medical Group's IT Director, Chad Benefield, discovering the breach. See [R. 135-8 (Lenoir County Sheriff's Office Incident/Investigation Report dated 3/24/16)]; [R. 135-9 (Memorandum to All NMG Employees)]; [R. 135-10 (Timeline)]. Pharm-Save cannot be liable under Section 75-65(b).
Plaintiffs allege Pharm-Save violated the NCITPA, and thereby the NCUDTPA, by “soliciting and collecting . . . sensitive and confidential PII with knowledge that such information would not be adequately protected; and by gathering [the] sensitive information in an unsecure electronic environment,” [R. 104 (Second Amended Class Action Complaint) (“Second Amended Complaint”), ¶¶ 13, 11], failing to “discover[] and then disclose the Data Breach to Plaintiffs and the North Carolina Class Members in a timely and accurate manner,” id. at 12, “[f]ailing to prevent the PII . . . from falling into unauthorized hands,” id. at 13(a), “[f]ailing to make reasonable efforts to safeguard and protect the PII/PHI, particularly Social Security numbers, . . . by implementing any kind of training regarding phishing with its workforce,” id. at 13(b), and concealing, suppressing, and omitting material facts of the data breach, id. at 14.
In its Summary Judgment Motion [R. 135], Pharm-Save argues Plaintiffs' NCUDTPA claims fail because Plaintiffs are not North Carolina citizens, and therefore not entitled to the statute's protections. [R. 135-1, p. 6]. Further, Pharm-Save posits that even if the Plaintiffs were consumers within the NCUDPTA's scope, their claims would fail because they cannot show that Pharm-Save violated the NCITPA by inadvertently disclosing their PII. Id. at 5 (citing Joy v. MERSCORP, Inc., 935 F.Supp.2d 848, 863 (E.D. N.C. 2013); Dalton v. Camp, 548 S.E.2d 704, 711 (N.C. 2001)).
The Court turns first to Pharm-Save's argument that Plaintiffs, as Kentucky citizens, are outside the NCUDTPA's scope. Plaintiffs' responsive arguments rely largely on those they raise in their motion for class certification. See [R. 149, pp. 19-20] (“To be clear, Plaintiffs do not seek relief for themselves under the NCUDTPA. However, . . . Plaintiffs are adequate and proper representatives of a class that includes hundreds of North Carolina citizens.”) (emphasis in original). Plaintiffs further acknowledge that “courts in the Sixth Circuit-including this Court- typically view the question of whether a litigant can represent class members from other states, under other states' laws, as one-and-the-same as the class certification question.” Id. at 19.
Pharm-Save argues that by “enacting G.S. 75-16 and G.S. 75-16.1, [the North Carolina] Legislature intended to establish an effective private cause of action for aggrieved consumers in this State.” [R. 135-1, p. 6] (citing Marshall v. Miller, 276 S.E.2d 397, 400 (N.C. 1981)) (emphasis in original). Pharm-Save correctly acknowledges that individual consumers (and not merely business entities) may bring claims under the NCUDTPA. See Elliott v. Am. States Ins. Co., 883 F.3d 384, 396 (4th Cir. 2018) (noting “an individual may file an independent § 75-1.1 claim, or may file a § 75-1.1 claim that relies on a violation of [a companion statute]”); In re Am. Med. Collection Agency, 2021 WL 5937742 at *35 (“[A] private plaintiff may sue for a violation of the NCITPA[.]”). But Pharm-Save is otherwise misguided, as “the original NC UDTPA ha[s] been amended to remove the restrictive language ‘within the state,' and [] since then, the NC UDTPA has been found applicable ‘to the full extent permissible under conflicts of law principles and the Constitution.'” In re On-Site Fuel Serv., Inc., No. 18-04196-NPO, 2020 WL 3712868, at *30 (Bankr. S.D.Miss. May 8, 2020) (citing Hardee's Food Sys., Inc. v. Beardmore, No. 5:96-CV-508-BR(2), 1997 WL 33825259, at *3 (E.D. N.C. June 6, 1997)).
When the geographical limitation was removed, “courts [] determined that the General Assembly sought thereby to expand the coverage of section 75-1.1 to the limits of section 1-75.4(4) of the North Carolina long-arm statute.” The ‘In' Porters, S.A. v. Hanes Printables, Inc., 663 F.Supp. 494, 501 (M.D. N.C. 1987); see also Hardee's Food, 1997 WL 33825259 at *3 (allowing foreign plaintiff's claims to proceed under the NCUDTPA where there is “an in[-]state defendant and [plaintiff] is injured by the defendant's in-state activities.”); Verona v. U.S. Bancorp, No. 7:09-CV-057-BR, 2011 WL 1252935, at *15 (E.D. N.C. Mar. 29, 2011) (declining to dismiss foreign plaintiffs' NCUDTPA claim where corporate defendant “is a North Carolina corporation,” its “communications with plaintiffs emanated from North Carolina,” and “the alleged ‘unfair and deceptive acts also took place in and emanated from [the company's] headquarters in Wilmington, North Carolina'”); In re Flonase Antitrust Litig., 692 F.Supp.2d 524, 540 (E.D. Pa. 2010) (denying motion to dismiss foreign plaintiff's claim under the NCUDTPA against resident defendant). As it now reads, nothing in the plain language of the NCUDTPA indicates that a plaintiff must be a citizen of North Carolina to bring a claim thereunder, and Plaintiffs' claims plainly fall within the NCITPA and NCUDTPA's scope.
Plaintiffs next argue that Pharm-Save's motion is inappropriate in light of Magistrate Judge Edwards's prior ruling on Plaintiffs' motion to amend their complaint over Pharm-Save's objection. [R. 149, pp. 14-15]. According to Plaintiffs, because Judge Edwards already resolved “Defendant's futility argument and held that Plaintiffs' Second Amended Complaint would survive a motion to dismiss,” id. at 15, that ruling “is the law-of-the-case on the question of whether Plaintiffs' claims fail as a matter of law[,]” id. at 16. Plaintiffs offer that they “do not dispute the truism that a motion to dismiss is not the same exact thing as a motion for summary judgment. However, the difference between the two concerns evidence; the law does not change from one motion to the next.” [R. 149, p. 16].
The law, however, certainly changes from one to the next-the 12(b)(6) dismissal standard differs greatly from the summary judgment standard. Plaintiffs cite to several cases outside the Sixth Circuit purportedly supporting their position, the most persuasive being the D.C. Circuit's determination that “a summary judgment motion may not be made on the same grounds and with the same showing that led to the denial of a previous motion to dismiss” even where “different language is used in a summary judgment motion than in a previous motion to dismiss, if the same legal theory supports both motions.” PDKLabs Inc. v. Ashcroft, 338 F.Supp.2d 1, 6-7 (D.D.C. 2004). The court continued, “disposition of the motion to dismiss may serve as the law of the case and on these grounds, a court may similarly dispose of a motion for summary judgment.” Id. Even if this Court were bound by the D.C. Circuit's holding, it is distinguishable from this case for at least two reasons. First, Pharm-Save's response [R. 98] in opposition to Plaintiffs' motion to amend [R. 96] was not a motion to dismiss. There has been no prior motion to dismiss by Pharm-Save on this claim and, consequently, no denial of a prior motion to dismiss under the same legal theory that Pharm-Save presents now. Second, the D.C. Circuit was careful to use permissive language, and did not hold that a court must dispose of a motion for summary judgment in the same way it did a prior motion to dismiss, but simply that it could.
More importantly, the Sixth Circuit has expressly rejected Plaintiffs' argument as applicable here. See Miller v. Maddox, 866 F.3d 386, 389-90 (6th Cir. 2017) (“[T]his court's prior holding on a motion to dismiss does not establish the law of the case for purposes of summary judgment, when the complaint has been supplemented by discovery.”); In re B & P Baird Holdings, Inc., 759 Fed.Appx. 468, 477-78 (6th Cir. 2019) (“We have held that the law of the case doctrine does not apply to earlier proceedings where a different legal standard governs.”); Devlin v. Kalm, 630 Fed.Appx. 534, 539 (6th Cir. 2015) (“[A] decision ‘on a motion to dismiss does not establish the law of the case for purposes of summary judgment when the complaint has been supplemented by discovery.' . . . In this instance, considerable discovery supplements the pleadings, leaving the law-of-the-case doctrine with no role to play.”) (quoting McKenzie v. Bellsouth Telecomm., Inc., 219 F.3d 508, 513 (6th Cir. 2000)).
Put simply, Judge Edwards's order granting Plaintiffs' motion to amend has no bearing on the Court's consideration of Pharm-Save's present motion for summary judgment. Judge Edwards's ruling was not on a motion to dismiss, her analysis was governed by a different legal standard, and the law-of-the-case doctrine is entirely inapplicable.
Turning, at last, to the merits of Pharm-Save's NCUDTPA summary judgment motion, it argues “there is no evidence that Houghton intentionally communicated Plaintiffs' information to the general public or intentionally disclosed the information to a third party,” [R. 135-1, p. 7] (emphasis in original), as required by the NCITPA. See N.C. Gen. Stat. Ann. § 75-62(a)(6). Pharm-Save also relies on the “absolute statutory defense to an NCITPA claim,” arguing that where, as here, “disclosure of PII is done for internal verification or administrative purposes, it does not constitute a violation of the NCITPA.” [R. 135-1, p. 6].
The Court agrees with Pharm-Save that it could not have violated Section (b)(6) of the NCITPA if Houghton did not intend to disclose the W-2s to a third party when she emailed them to a recipient that appeared to be Steve Farrar. The statute provides that a business may not “intentionally disclose an individual's social security number to a third party . . . when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number.” N.C. Gen. Stat. Ann. § 75-62(a)(6) (emphasis added). “Under North Carolina law, if the language of a statute is unambiguous, the court must give effect to the plain meaning of the words without resorting to judicial construction.” Speaks v. U.S. Tobacco Coop., Inc., 486 F.Supp.3d 974, 982 (E.D. N.C. 2020), aff'd, 31 F.4th 838 (4th Cir. 2022) (citations omitted) (cleaned up). In doing so, the court must “presume that the General Assembly carefully chose each word used in drafting the legislation.” Id. First, and most simply, the plain language of the statute specifically makes unlawful “intentional disclosure,” and not “disclosure” generally, to a third party, indicating that an accidental disclosure to a third party would not implicate Section 75-62(a)(6).
It logically follows that, to determine whether a disclosing party “knows or in the exercise of reasonable diligence” would believe the third-party recipient lacks a legitimate purpose, the disclosing party must have intended to disclose the social security numbers to the third party in the first place. In other words, one cannot unintentionally disclose another's social security number while also knowing the mistaken recipient lacks a legitimate purpose for obtaining it. “It is a basic canon of statutory interpretation that ‘[e]very word in the statute is presumed to have meaning' and that courts should ‘give effect to all the words to avoid an interpretation which would render words superfluous or redundant.'” In re Vill. Apothecary, Inc., 45 F.4th 940, 948 (6th Cir. 2022) (citations omitted). The only way to reconcile the second portion of the statute-that “the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number”-is to first recognize the statute's clear “intentional disclosure” requirement.
Plaintiffs point to no evidence that would allow a reasonable jury to find that Houghton's disclosure to a third party was intentional. Rather, the record indisputably supports a finding that Houghton intended to send the requested W-2s to Steve Farrar. See, e.g., [R. 155-4 (Deposition of Barbara Houghton) (“Houghton Deposition”), p. 53] (“Q. Was this an email that you thought you were sending to Steve Farrah on March 3rd, 2016? A. Yes, sir.... Q. Okay. So you -- you seek clarification and you ask whether the W-2s that - who you thought was Steve was looking for were for all three companies; is that right? A. Yes, sir.”); id. at 70 (“Q. I'm not saying you knew it at the time, but we know now it was not Steve Farrar. So this person here, what did you say to them in response? . . . A. I was replying to Steve Farrar that it -- I said, okay. It will take a few minutes, but I will scan [the Ww-2s] -- I said then and send to you. Thanks.”); id. at 77-78 (Q. Okay. So could you tell the difference as between these two emails as to who you sent them to? . . . A. Okay. That's how -- I just thought I was sending them to Steve Farrar[.]”). During Houghton's deposition, Pharm-Save's counsel even acknowledged that the phishing email, at least at that time, displayed the name “Steve Farrar” in the “from” line. See id. at 43-44. (“Q. So this particular email you received, it says Steve Farrar's name, and then it has this stuff here, this [dbranton] email address; is that correct? A. Yes, sir.”); see also [R. 137-5 (March 3, 2016 Email showing “Steve Farrar” as sender)]. Plaintiffs have failed to raise any genuine issues of material fact as to whether Houghton intentionally disclosed the W-2s to a third party, making summary judgment appropriate.
Next, although Plaintiffs do not explicitly argue that Pharm-Save is liable under Section 75-62(a)(1) in either their Second Amended Complaint or in their response to Pharm-Save's summary judgment motion, Pharm-Save does address that provision of the statute in its motion, see [R. 135-1, p. 6], and Plaintiffs hang their hats on Curry v. Schletter Inc., No. 1:17-CV-0001-MR-DLH, 2018 WL 1472485, at *6 (W.D. N.C. Mar. 26, 2018), which puts the provision squarely in issue. The Court will, therefore, briefly address it. A business will be liable under Section (a)(1) if it “intentionally communicate[s] or otherwise make[s] available to the general public an individual's social security number.” N.C. Gen. Stat. Ann. § 75-62(a)(1). In Curry, the Western District of North Carolina, in deciding a motion to dismiss, considered Section 75-62(a)(1) and determined on similar facts as here that the defendant's “communication, while solicited under false pretenses, was intentionally made” because it “was not a case of a data breach, wherein a hacker infiltrated the Defendant's computer systems and stole the Plaintiffs' information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request[.]'” 2018 WL 1472485, at *6 (emphasis in original). In other words, the court found the defendant acted with the requisite intent simply by transmitting the data, and the defendant's subjective belief behind the communication was irrelevant.
Plaintiffs understandably rely on Curry and urge the Court to make a similar finding-that Houghton's intentional transmission of the W-2s in response to an email from “Steve Farrar” with an email address including “dbranton” is sufficient to satisfy the “intentional” element of Section (a)(1). See [R. 149, p. 21]. Perhaps it would be appropriate to do so. Importantly, however, the Curry court determined, at the pleading stage, that it was “not implausible that the Defendant's actions in responding to this phishing scam effectively made the Plaintiffs' Social Security numbers ‘available to the general public.'” Id. Here, however, the data breach occurred more than eight years ago, discovery has closed, and there is no evidence at all that any employee's Social Security number has been made available to the general public as a result of the breach. Thus, even if, consistent with Curry, the Court were to find that Houghton acted with the requisite intent under Section (a)(1) when she intentionally emailed the W-2s, summary judgment would still be appropriate because Plaintiffs have not raised a genuine issue of material fact concerning whether any Social Security numbers were made available to the general public.
If the Court is incorrect on its analysis under Section 75-62(a)(6), or if Plaintiffs' claims initially survive under 75-62(a)(1), summary judgment will still be appropriate because Pharm-Save is entitled to the carveout delineated in Section 75-62(b)(2). As stated, the NCITPA provides that where “the collection, use, or release of a social security number for internal verification or administrative purposes,” Section 75-62(a) “shall not apply” N.C. Gen. Stat. Ann. § 75-62(b)(2).
As a preliminary matter, Plaintiffs suggest that because Pharm-Save did not specifically plead § 75-62(b)(2) as an affirmative defense in its Answer, the defense is waived. The Court disagrees. True, in its Answer, Pharm-Save merely asserted that Plaintiffs' “claims for violation of the NCUDTPA fail to state claims upon which relief can be granted.” [R. 105, p. 3]. “A district court may, in its discretion, allow a defendant to raise an affirmative defense for the first time in a motion for summary judgment if doing so does not result in surprise or prejudice to the plaintiff.” Rogers v. I.R.S., 822 F.3d 854, 856-57 (6th Cir. 2016) (citations omitted); see also Smith v. Sushka, 117 F.3d 965, 969 (6th Cir.1997) (“Failure to raise an affirmative defense by responsive pleading does not always result in waiver. The purpose of Rule 8(c) of the Federal Rules of Civil Procedure is to give the opposing party notice of the affirmative defense and a chance to respond.”). To determine whether prejudice will result from allowing a defendant to raise an affirmative defense at this late stage, the Court considers whether doing so would “require the opponent to expend significant additional resources to conduct discovery and prepare for trial; significantly delay the resolution of the dispute; or prevent the plaintiff from bringing a timely action in another jurisdiction.” Phelps v. McClellan, 30 F.3d 658, 662-63 (6th Cir. 1994).
Here, for the reasons articulated above, the Court would grant summary judgment for Pharm-Save on Plaintiffs' NCUDTPA claims before even considering this affirmative defense because, without question, Houghton did not intend to disclose the W-2s to a third party as required under Section (a)(6) or to the general public as required under Section (a)(1). Allowing Pharm-Save to assert this affirmative defense in its motion for summary judgment will, therefore, not require Plaintiffs to expend any additional resources for discovery or trial purposes, as this claim will not proceed. In any event, even considering the carveout under Section (b)(2) as an affirmative defense, Plaintiffs fail to show any resulting surprise or prejudice. Plaintiffs have already obtained discovery on these issues. Although Plaintiffs submit they are “surprised by this affirmative defense's sudden appearance” and “would be prejudiced by having to challenge it after the close of discovery,” they do not specifically articulate how they would be so prejudiced. See Rogers, 822 F.3d at 857 (“Because we agree with the district court that under the circumstances of this case, Rogers cannot establish the existence of prejudice, we are unable to say the district court abused the discretion afforded it when it permitted the IRS to assert the defense.”). The Court finds that neither prejudice nor surprise would result from allowing Pharm-Save to assert this affirmative defense at this stage. Pharm-Save has always claimed that Houghton was tricked into sending the W-2s to “dbranton” posing as Steve Farrar and that she believed she was transmitting them to Steve Farrar for “account reconciliation,” a patently administrative purpose. The Court will allow Pharm-Save to assert, and will consider, its internal verification and/or administrative purpose defense.
Pharm-Save submits, “Ms. Houghton only acted because she thought [the phishing email] was a request from Pharm-Save's treasurer, Steve Farrar. The request by the company's treasurer Steve Farrar for W-2 forms was for ‘accounting reconciliation,' which squarely falls under company internal verification or administrative purposes.” [R. 135-1, p. 8]. Plaintiffs counter that Pharm-Save is not entitled to this defense because Houghton's mistaken belief that she was performing an administrative purpose is insufficient for purposes of the statute's safe harbor. [R. 149, p. 21].
On this point, neither party offers instructive case law. Plaintiffs again rely on Curry, which Pharm-Save argues is inapposite because it resolved a motion to dismiss. The court in Curry noted a defendant's “assertion that its action in providing the W-2 information to a cybercriminal constitutes a disclosure for ‘internal administrative purposes' is an affirmative defense which requires development of the factual record.” 2018 WL 1472485 at *6. For that reason, among others, the court denied the defendant's motion to dismiss the plaintiff's claims under the NCITPA. Id. Similarly, in Fisher v. Communication Workers of America, the court found “the NCITPA [] does not require that the communication of Social Security numbers be done for the purpose of providing them to the general public or facilitating identity theft” and that, “while it is true that a complaint should be dismissed if it discloses an unconditional affirmative defense that defeats the claims asserted . . . Defendants' assertion that [a] Bulletin Board [that made the plaintiffs' Social Security numbers available to the public] was used for internal administrative purposes (and, therefore, falls outside the ambit of the NCITPA) presents a factual dispute as to an affirmative defense, which the Court may not resolve at [the pleading stage].” 2008 WL 4754850 at *6.
Neither case is particularly helpful to the Court's analysis here, as both courts considered the defendants' administrative purpose or internal verification defense at the pleading stage, before they could properly engage the merits. As mentioned, the parties provide no instructive case law at the summary judgment stage and, in fairness, the Court could locate none. Plaintiffs argue that although the statute provides an absolute defense for “the collection, use, or release of a social security number for internal verification or administrative purposes,” N.C. Gen. Stat. Ann. § 75-62(b)(2), it does not explicitly offer such a defense where the collection, use, or release was merely intended for internal verification or administrative purposes, but the end use turned out to be fraudulent. However, the North Carolina General Assembly's use of “purposes” convinces the Court that Plaintiffs' argument must fail. Again, where a statute's language is unambiguous, the court must give effect to its plain meaning and “presume that the General Assembly carefully chose each word used in drafting the legislation.” Speaks, 486 F.Supp.3d at 982.
Considering the plain language of the statute, the Court finds that Pharm-Save is entitled to the statutory defense. A “purpose” is “an intention or aim; a reason for doing something or for allowing something to happen.” Purpose, CAMBRIDGE DICTIONARY (2023). The undisputed evidence in this case demonstrates that Houghton at all times believed she was transmitting the employee W-2s to Pharm-Save's treasurer, Steve Farrar, for purposes of “account reconciliation.”Although Houghton's belief was mistaken, she nevertheless acted for an internal verification or administrative purpose. The Court must presume that the North Carolina General Assembly “carefully chose” to use the term “purpose,” which implies an element of intent. For these reasons, the Court finds that Pharm-Save has demonstrated its entitlement to the statutory defense enumerated in N.C. Gen. Stat. Ann. § 75-62(b)(2) as a matter of law.
See, e.g., [R. 155-4 (Deposition of Barbara Houghton) (“Houghton Deposition”), p. 53] (“Q. Was this an email that you thought you were sending to Steve Farrah on March 3rd, 2016? A. Yes, sir.... Q. Okay. So you -- you seek clarification and you ask whether the W-2s that - who you thought was Steve was looking for were for all three companies; is that right? A. Yes, sir.”); id. at 70 (“Q. I'm not saying you knew it at the time, but we know now it was not Steve Farrar. So this person here, what did you say to them in response? . . . A. I was replying to Steve Farrar that it -- I said, okay. It will take a few minutes, but I will scan [the W-2s] -- I said then and send to you. Thanks.”); id. at 77-78 (Q. Okay. So could you tell the difference as between these two emails as to who you sent them to? . . . A. Okay. That's how -- I just thought I was sending them to Steve Farrar[.]”); id. at 43-44. (“Q. So this particular email you received, it says Steve Farrar's name, and then it has this stuff here, this [dbranton] email address; is that correct? A. Yes, sir.”); see also [R. 137-5 (March 3, 2016 Email showing “Steve Farrar” as sender)].
In sum, the Court finds that because Houghton did not intentionally disclose the W-2s to third parties, Pharm-Save cannot be liable under N.C. Gen. Stat. Ann. § 75-62(a)(6). Alternatively, even if Section 75-62(a) is implicated, applying the statute as written and considering the evidence in the light most favorable to Plaintiffs, there is nothing upon which the Court could find that Houghton transmitted employees' W-2s to the fraudulent “dbranton” email address (posing as Steve Farrar) for any reason other than for internal verification or administrative purposes. Pharm-Save would therefore be entitled to the statutory defense outlined in N.C. Gen. Stat. Ann. § 75-62(b)(2). Accordingly, the Court will grant Pharm-Save's motion for summary judgment [R. 135] on Plaintiffs' NCUDTPA claims.
ii. Intrusion Upon Seclusion Claim [R. 136]
The Court now turns to Pharm-Save's Motion for Summary Judgment on Plaintiffs' intrusion upon seclusion claim. “When sitting in diversity, federal courts are required to apply the substantive law of the states in which they reside.” In re Darvocet, Darvon, & Propoxyphene Prod. Liab. Litig., 756 F.3d 917, 937 (6th Cir. 2014) (citing Erie R. Co, v. Tompkins, 304 U.S. 64, 78 (1938)). Kentucky follows the Restatement on the elements for a claim of intrusion upon seclusion. See Restatement (Second) of Torts § 652B (1977). “[T]o prevail on a claim for intrusion upon seclusion, a plaintiff must show ‘(1) an intentional intrusion by the defendant, (2) into a matter the plaintiff has a right to keep private, (3) which is highly offensive to a reasonable person.'” Wells v. Craig & Landreth Cars, Inc., No. 3:10-CV-376, 2012 WL 6487392, at *5 (W.D. Ky. Dec. 13, 2012) (citing Smith v. Bob Smith Chevrolet, Inc., 275 F.Supp.2d 808 (W.D. Ky. 2003)).
“What constitutes a private matter is dependent upon whether the plaintiff has a reasonable expectation of privacy in the subject information.” Wiles v. Ascom Transp. Sys., Inc., 478 Fed.Appx. 283, 294 (6th Cir. 2012) (citation omitted). Examples of intrusion include “an unauthorized investigation into an individual's private concerns such as opening private mail, searching a person's safe or wallet, examining a person's bank account, or presenting a forged court order to permit inspection of personal documents.” Singapore Ministry of Health v. Farrera-Brochez, No. CV 5:19-051-DCR, 2019 WL 6332136, at *2 (E.D. Ky. Nov. 25, 2019) (citing Restatement (Second) Torts § 652B (1976) and counting cases).
In their Second Amended Complaint, Plaintiffs allege “the Data Breach at the hands of Defendant constitutes an intentional interference with [their] interest in solitude or seclusion[.]” [R. 104, ¶ 26]. In its Motion for Summary Judgment on this claim [R. 136], Pharm-Save argues no reasonable jury could find that it intentionally intruded upon the Plaintiffs' privacy because Barbara Houghton did not intend to disclose employees' W-2 forms to cybercriminals. [R. 136-1, pp. 7, 6]. Pharm-Save offers that an essential element of the tort of intrusion upon seclusion is “an intentional intrusion,” and that “Plaintiffs have no proof of intent.” Id. at 5. In addition, Pharm-Save contends that “Social Security numbers are not private for purposes of an invasion-of-privacy tort,” citing several cases outside the Sixth Circuit for support. Id. at 7.
In response, Plaintiffs position that Houghton need not have intended to disclose their PII to cybercriminals, but merely intended to transmit the W-2s, whatever the purpose for doing so. [R. 149, p. 21]. Plaintiffs also dispute Pharm-Save's claim that disclosure of an individual's Social Security number cannot give rise to an intrusion upon seclusion claim. Id. at 27.
At the center of the parties' summary judgment arguments is their dispute over the applicability of McKenzie v. Allconnect, Inc., 369 F.Supp.3d 810 (E.D. Ky. 2019), in which a court in the Eastern District of Kentucky denied a motion to dismiss an intrusion upon seclusion claim on similar facts as here. In McKenzie, the defendant-employer fell victim to a similar W-2 phishing scheme as here, and the targeted employee “thought he or she was sending the information to [defendant's] president and not to third-party tricksters.” Id. at 822. Even so, the court found that such a mistaken belief “does not conclusively demonstrate that the [] employee did not act intentionally,” because “[a] defendant's actions may be intentional when the [d]efendant acts with such reckless disregard for the privacy of the plaintiff that the actions rise to the level of being an intentional tort.” Id. In addition to addressing the intent element of the tort of intrusion upon seclusion, McKenzie clearly recognized a privacy interest in “employees' W-2 information, including employees' names, addresses, social security numbers, and wage information.” Id. at 814.
In reaching its decision, the McKenzie court relied on an earlier case out of this district, Smith v. Bob Smith Chevrolet, Inc., 275 F.Supp.2d 808, 822 (W.D. Ky. 2003), which Plaintiffs also cite but Pharm-Save suggests, as it did with McKenzie, is not supported by Kentucky law, [R. 153, p. 8]. In Smith, the plaintiff entered into a purchase agreement with the defendant car dealership, but an employee at the dealership miscalculated a discount owed to the plaintiff, which ultimately led to a dispute over the agreed-upon sale price. 275 F.Supp.2d at 812. After the dispute arose, the dealership, without the plaintiff's authorization, ran a consumer report on the plaintiff. Id. The plaintiff sued the dealership in state court to enforce the sale contract, and later brought a federal suit for intrusion upon seclusion related to the unauthorized consumer report. Id. at 813. In resolving the defendant dealership's motion for summary judgment on the intrusion upon seclusion claim, the court opined:
The issue, then, is has Plaintiff [] raised a question of fact as to whether Smith Chevrolet intentionally invaded Plaintiff's credit report and whether that invasion was highly offensive to a reasonable person? The Court finds the evidence as to whether Smith Chevrolet intentionally violated Plaintiff's privacy is shaky at best. Rather, it appears Smith Chevrolet's actions were more likely negligent or careless. Plaintiff has, however, put forth evidence which, at trial, could show that Smith Chevrolet acted with such reckless disregard for Plaintiff's privacy as to amount to an intentional tort. In the alternative, it may turn out that Smith Chevrolet genuinely thought he was taking actions that were in accordance with the law and therefore the Plaintiff's effort to paint Smith Chevrolet as a reckless, malicious operation will fail. Finally, on these facts, the Court cannot rule as a matter of law that the Smith Chevrolet's actions were not “highly offensive to a reasonable person.” The Court will therefore deny Smith Chevrolet's motion for summary judgment as to the intrusion upon seclusion claim.Id. at 822.
Pharm-Save argues Smith is not sound law because it does not cite any Kentucky cases that approve recklessness for intrusion upon seclusion. [R. 153, p. 8]. True, the court considered it before any Kentucky courts had. The court therefore employed the Restatement and predicted, in the first instance, how Kentucky's highest court would proceed:
The Supreme Court of Kentucky adopted the principles for invasion of privacy as enunciated in the Restatement (Second) of Torts (1976) in McCall v. Courier-Journal and Louisville Times Co., 623 S.W.2d 882, 887 (Ky. 1981).
...
Other than summarily adopting intrusion upon seclusion as a cause of action, no Kentucky court in a published opinion has explained in any detail the elements required to meet this standard. This is therefore a question of first impression in Kentucky and the Court must predict how Kentucky's highest court would decide the issue. See Davis v. Ford, 244 F.Supp.2d 784 (W.D.Ky.2003); Dinsmore Instrument Co. v. Bombardier, Inc., 199 F.3d 318, 320 (6th Cir. 1999). Because Kentucky has adopted the Restatement version of the tort, Kentucky's highest court would likely adopt the definitions there. According to the Restatement, the standard for “intrusion upon seclusion” is an “intentional intrusion, physical or otherwise, upon the solitude or seclusion of another . . . if the intrusion would be highly offensive to a reasonable person.” Restatement (Second) of Torts § 652B (1977). Thus it appears that, in order to prevail on his claim for intrusion upon seclusion, Plaintiff must show (1) an intentional intrusion by the defendant, (2) into a matter the plaintiff has a right to keep private, (3) which is highly offensive to a reasonable person. Restatement (Second) of Torts § 652B; see also W. Page Keeton et al., Prosser and Keeton on the Law of Torts § 117 at 854-56; 62A Am.Jr.2d Privacy § 48 (1990).Smith, 275 F.Supp.2d at 821-22. After explicitly providing that a plaintiff must show “an intentional intrusion,” however, the Smith court determined, without any support, that “it appears [defendant's] actions were more likely negligent or careless. Plaintiff has, however, put forth evidence which, at trial, could show that [defendant] acted with such reckless disregard for Plaintiff's privacy as to amount to an intentional tort.” Id. at 822.
In the twenty years since Smith issued, no Kentucky court has squarely addressed whether recklessness is sufficient to meet the intent element for an intrusion upon seclusion claim. Some federal courts have, however, relied on Smith and found that “‘[a] defendant's actions may be intentional when the Defendant acts with such reckless disregard for the privacy of the plaintiff that the actions rise to the level of being an intentional tort.'” Bowen v. Paxton Media Grp., LLC, No. 5:21-CV-00143-GNS, 2022 WL 4110319, at *7 (W.D. Ky. Sept. 8, 2022) (citing Smith, 275 F.Supp.2d at 822); see also McKenzie, 369 F.Supp.3d at 819 (same); Barnett v. Bank of Am., N.A., No. 3:20-CV-272-RJC-DSC, 2021 WL 2187950, at *7 (W.D. N.C. May 28, 2021) (“[U]nder Kentucky law . . . A defendant's actions may be intentional when the Defendant acts with such reckless disregard for the privacy of the plaintiff that the actions rise to the level of being an intentional tort.”).
Even so, other federal courts analyzing Kentucky law, and some Kentucky state courts, have looked to the Kentucky Supreme Court's adoption of the Restatement in McCall to define intrusion upon seclusion without mention of Smith's recklessness standard. See, e.g., Pearce v. Whitenack, 440 S.W.3d 392, 400-01 (Ky. Ct. App. 2014) (“[T]he Kentucky Supreme Court adopted the Restatement (Second) of Torts § 652A in [McCall]. In so doing, the court incorporated the Restatement's rule concerning Intrusion upon Seclusion, § 652B: ‘[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.'”); Ghassomians v. Ashland Indep. Sch. Dist., 55 F.Supp.2d 675, 692-693 (E.D. Ky. 1998) (noting McCall's adoption of “the general invasion of privacy principals found in the Restatement” and reciting § 652B's definition for intrusion upon seclusion); Mod. Hair Salon, Inc. v. Calvin Mitchell, Inc., No. 2015-CA-001417-MR, 2017 WL 544637, at *5 (Ky. Ct. App. Feb. 10, 2017) (same); Clark v. Teamsters Loc. Union 651, 349 F.Supp.3d 605, 622 (E.D. Ky. 2018) (defining intrusion upon seclusion as “intentional intrusion, physical or otherwise, upon the solitude or seclusion of another . . . if the intrusion would be highly offensive to a reasonable person”).
Moreover, federal and state courts outside Kentucky that follow the Restatement have found that conduct must be intentional to give rise to an intrusion upon seclusion claim. See O'Donnell v. United States, 891 F.2d 1079, 1083 (3d Cir. 1989) (defining “intentional intrusion” by giving “intent” the meaning provided in the Restatement: “that the actor desires to cause the consequences of his act, or that he believes that the consequences are substantially certain to result from it” and, because the Restatement does not define “intrusion,” looking to its ordinary meaning: “to thrust oneself in without invitation, permission, or welcome”); Mitchell v. Baltimore Sun Co., 164 Md.App. 497, 522 (2005) (“Intrusion upon seclusion has been defined as: The intentional intrusion upon the solitude or seclusion of another or his private affairs or concerns that would be highly offensive to a reasonable person.... Intent is clearly required; the tort cannot be committed by unintended conduct amounting merely to a lack of due care.”) (cleaned up) (citations omitted); Mauri v. Smith, 324 Or. 476, 483-84 (1996) (“A person acts intentionally when he or she either desires to cause the consequence of an act or believes that the consequence is substantially certain to result from the act. By definition, then, an actor commits an intentional intrusion if the actor either desires to cause an unauthorized intrusion or believes that an unauthorized intrusion is substantially certain to result from committing the invasive act in question.”); Parnoff v. Aquarion Water Co. of Connecticut, 188 Conn.App. 153, 174 (2019) (“We thus conclude, as other courts have, that an actor commits an intentional intrusion if he believes, or is substantially certain, that he lacks the necessary legal or personal permission to commit the intrusive act.”); Doe v. Hosp. of Univ. of Pennsylvania, 546 F.Supp.3d 336, 352 (E.D. Pa. 2021) (finding, for purposes of intrusion upon seclusion, “the intrusion, as well as the action, must be intentional.... Therefore, absent allegations that the defendants made the intrusion believing that they lacked legal or personal permission to do so, an intrusion upon seclusion claim must fail”).
The Court, therefore, is not convinced that Smith correctly predicted how the Kentucky Supreme Court would interpret an “intentional intrusion.” Again, the Smith court, without citing any supporting authority, found that reckless conduct could give rise to an intrusion upon seclusion claim immediately after it predicted the Kentucky Supreme Court would adopt the Restatement's definition for intrusion upon seclusion and require a plaintiff to prove “an intentional intrusion.” Smith, 275 F.Supp.2d at 822. This Court agrees with Smith's interpretation of the Restatement in finding that, to prevail on a claim for intrusion upon seclusion, a plaintiff must show “(1) an intentional intrusion by the defendant, (2) into a matter the plaintiff has a right to keep private, (3) which is highly offensive to a reasonable person.” Id. But the Court declines to extend Smith's holding that a reckless disregard for the plaintiffs' privacy can amount to an unlawful intrusion upon seclusion and finds, instead, that an “intentional intrusion” requires just that-intentional, and not reckless, conduct.
Adopting, instead, the majority approach of other courts in Kentucky and in other states interpreting the Restatement, the Court finds that Pharm-Save will be liable for an intentional intrusion only if the Houghton “desire[d] to cause the consequences of [her] act” or “believe[d] that the consequences [were] substantially certain to result from it.” Restatement (Second) of Torts § 8A (1965). As previously discussed with respect to Plaintiffs' NCUDTPA claims, the undisputed evidence in this case shows that Houghton never suspected an unauthorized intrusion would result from her transmission of the W-2s, as she at all times believed she was communicating with Pharm-Save's treasurer, Steve Farrar. Even though her belief was mistaken, and even if her failure to recognize the phishing scam was negligent, there is no evidence on which a reasonable jury could find Houghton desired to cause an unauthorized intrusion or was substantially certain such an intrusion would result.
See supra n.3.
Lastly, even if this Court were to adopt Smith's recklessness standard, the facts of this case could not lead a reasonable jury to find that Houghton acted with such disregard for Plaintiffs' privacy as to amount to an intentional tort. The Restatement offers that “reckless disregard” can be found where an actor “does an act or intentionally fails to do an act which it is his duty to the other to do, knowing or having reason to know of facts which would lead a reasonable [person] to realize, not only that [the] conduct creates an unreasonable risk . . . but also that such risk is substantially greater than that which is necessary to make [the] conduct negligent.” Restatement (Second) of Torts § 500 (1965).
As previously discussed, all evidence produced in this case demonstrates that Houghton sincerely believed she was communicating with Steve Farrar, whose name appeared in the signature line of the email from “dbranton.” See supra n.3. Houghton testified at her deposition that because she and Farrar worked in different offices, their primary communication was via email. See [R. 136-2 (Deposition of Barbara Houghton) (“Houghton Deposition”), p. 14, subpp. 47-49]. For Farrar to email her with a work-related request such as this was not, therefore, out of the ordinary, especially given that Farrar had informed his subordinates that he would be out of town the week the data breach occurred. See [R. 137-4 (February 28, 2016 Email from Steve Farrar), p. 1]. To be sure, there is certainly evidence upon which a reasonable jury could find that many of Houghton's actions on the day of March 3, 2016 were negligent. Even so, “[r]ecklessness, unlike negligence, requires a conscious choice of a course of action, with knowledge or a reason to know that it will create serious danger to others.” Childers v. Geile, 367 S.W.3d 576, 580 (Ky. 2012) (citation omitted). Plaintiffs have not created a genuine issue of material fact to survive summary judgment on the issue of recklessness.
Because no reasonable jury could find that Pharm-Save intentionally intruded upon Plaintiffs' seclusion when Houghton mistakenly transmitted their W-2s to phishing scammer “dbranton,” rather than Steve Farrar, and nor could a reasonable jury find that Houghton acted with reckless disregard for the privacy of the Plaintiffs, the Court will grant Pharm-Save's motion for summary judgment [R. 136] on Plaintiffs' intrusion upon seclusion claims.
iii. Claimed Damages for Increased Risk of Future Harm [R. 137]
Pharm-Save first sought dismissal of Plaintiffs' claims related to an increased risk of future harm nearly five years ago, in its first dispositive motion filed March 27, 2017. See [R. 5]. The previously assigned district judge denied that motion and allowed Plaintiffs to develop their claimed damages through discovery, having distinguished potentially cognizable injuries from non-cognizable injuries to determine if the Plaintiffs sufficiently pled a negligence cause of action to survive Pharm-Save' 12(b)(6) Motion to Dismiss. [R. 26, p. 7-12]. The Court provided then:
The Court agrees that Plaintiffs' allegations about heightened risks and the possibility of future harm are insufficient. Kentucky law is clear that “[a] cause of action does not exist until the conduct causes injury that produces loss or damage.” Capital Holding Corp. v. Bailey, 873 S.W.2d 187, 192 (Ky. 1994) (emphasis added). Accordingly, “Kentucky law . . . prohibits the possibility of future harm from constituting an element of damages if that possibility is considered outside the realm of damages for mental anguish.” Gill v. Burress, 382 S.W.3d 57, 64 (Ky. Ct. App. 2012). Indeed, this Court has previously held that “an increased threat of an injury that may never materialize cannot satisfy the injury requirement” for damages under Kentucky law. Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892, at *6 (W.D. Ky. July 12, 2012) (Russell, J.). Similarly, federal courts deciding data breach cases have held that a risk of future harm is insufficient to plead cognizable injury. See Krottner v. Starbucks Corp., 406 F. App'x. 129, 131 (9th Cir. 2010) (“The alleged injuries here stem from the danger of future harm. Even Shamasa, the only plaintiff who claims his personal information has been misused, alleges no loss related to the attempt to open a bank account in his name.”). Therefore, Plaintiffs' allegations regarding future harm they may suffer are insufficient.Id.
In its November 8, 2021 Memorandum Opinion and Order denying Pharm-Save's first motion for summary judgment after the action was reassigned, the Court determined that, “[p]ursuant to the law-of-the-case doctrine, the Court's 2017 Order dictates this Court's decision.” [R. 122, p. 7]. Under the law-of-the-case doctrine, “findings made at one stage in the litigation should not be reconsidered at subsequent stages of that same litigation.” Burley v. Gagacki, 834 F.3d 606, 618 (6th Cir. 2016) (citations omitted). The doctrine dictates that “issues, once decided, should be reopened only in extraordinary circumstances.” Hayden v. Rhode Island, 13 F.App'x. 301, 302 (6th Cir. 2001) (citations omitted). Consistency and judicial economy are its key policy principles. See Edmonds v. Smith, 922 F.3d 737, 740 (6th Cir. 2019). Absent a finding of abuse of discretion, the Court's application of the law-of-the-case doctrine will not be overturned on appeal. Pac. Emps. Ins. Co. v. Sav-a-Lot of Winchester, 291 F.3d 392, 398 (6th Cir. 2002) (citations omitted).
Examining the 2017 order, the Court determined it “did not broadly bar, in opposition of Kentucky law, a right to compensation for an increased risk of harm” and that “Plaintiffs may not seek damages for non-cognizable injuries, but may pursue damages for future risk of harm for any cognizable injuries suffered if the required evidentiary burden is met.” [R. 122, pp. 7-8]. The Court reemphasized that Kentucky law does not recognize a separate claim for “increased likelihood of future harm.” [R. 122, p. 7 (citing Smith v. Windstream Commc'ns, Inc., No. Civ. 11-272-GFVT, 2013 WL 3233488, at *2 (E.D. Ky. June 25, 2013); Rainer v. Union Carbide Corp., 402 F.3d 608, 619 (6th Cir. 2005) (reviewing Kentucky case law and explaining that a cause of action does not develop until actual harm is realized)]. Rather, the Court explained, “increased likelihood of future harm is a consideration if and when a jury decides to award damages for an injury caused by the defendant's conduct.” Id. (citing Smith, 2013 WL 3233488 at *2).
The Court then explained that the right to have a jury consider whether damages for increased risk of future harm is appropriate “is limited to realized injuries and the Plaintiffs must produce substantial evidence of probative value to support it.” Id. (citing Capital Holding, 873 S.W.2d at 193-95; Nance v. Wal-Mart Stores, Inc., No. Civ. 5:10-CV-00061-R, 2011 WL 3361338, at *2 (W.D. Ky. Aug. 4, 2011) (explaining that the plaintiff has the burden of providing “substantial evidence of probative value” before a jury “may consider and compensate for the increased likelihood of future complications”). Finally, the Court noted that federal courts, including this Court, have broadly held that future costs arising from a realized injury are recoverable if there is an evidentiary basis for the jury's award. Id. at 6 (citing Smith v. Ehticon, Inc., No. 6:20-CV-222-REW-HAI, 2021 WL 4098408, at *13 (E.D. Ky. Sept. 2, 2021); Maiden v. DeGroote, No. CIV.A. 4:04CV-84, 2007 WL 2318881, at *1 (W.D. Ky. Aug. 10, 2007); Brooks v. Caterpillar Glob. Mining Am., LLC, No. 4:14CV-00022-JHM, 2016 WL 3680861, at *4 (W.D. Ky. July 7, 2016).
The Court is now convinced that it erred, in part, in reaching this conclusion. When first examining this issue, the Court considered only one data-breach case outside the Sixth Circuit to conclude “federal courts deciding data breach cases have held that a risk of future harm is insufficient to plead cognizable injury.” [R. 26, p. 12] (citing Krottner v. Starbucks Corp., 406 F. App'x. 129, 131 (9th Cir. 2010)). Other federal courts have, however, reached the opposite conclusion and found the increased security threat brought by a data breach is, itself, a cognizable injury that may be compensable. See Bohnak v. Marsh & McLennan Cos., Inc., 580 F.Supp.3d 21, 29 (S.D.N.Y. 2022) (“[T]he data breach's exposure of Plaintiffs' PII causes a separate concrete harm, analogous to that associated with the common-law tort of public disclosure of private information.”); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 691-94 (7th Cir. 2015) (finding two future injuries stemming from data breach were sufficiently imminent to establish standing: the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft).
Relying on the 2017 Order, the Court's November 2021 ruling essentially provided that, in order to have standing to seek damages for an increased risk of future harm, the Plaintiffs first had to show they were entitled to damages for out-of-pocket expenses. Upon further consideration, the Court finds this is not entirely accurate. The Supreme Court created a two-part test to determine when the risk of harm gives rise to Article III standing: (1) the plaintiff must show there is material risk of concrete harm; and (2) the plaintiff must demonstrate “some other injury” they suffered stemming from that risk. TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2211 (2021); see also Bowen v. Paxton Media Grp., LLC, No. 5:21-CV-00143-GNS, 2022 WL 4110319, at *4 (W.D. Ky. Sept. 8, 2022).
That “other injury” may be the emotional distress caused by the threat of identity theft. See In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., No. 21-MD-02994-RAR, 2022 WL 1468057, at *7 (S.D. Fla. May 10, 2022) (finding plaintiffs' allegations of “suffering of emotional distress related to possible identity theft and the cost of the increased time Plaintiffs have spent and must continue to spend reviewing their financial information” sufficient to confer standing in conjunction with the threat of future injury). In other words, so long as Plaintiffs can show they are at a material risk of concrete harm, and that they have suffered any other harm from that risk- not, as the Court previously held, out-of-pocket expenses specifically-they may be entitled to damages for an increased risk of future harm if they make a sufficient showing of that entitlement at trial.
The Court will once again reiterate its previous holding that increased risk of future harm is not a stand-alone claim in Kentucky. However, allowing the jury to consider the possibility of such damages would not be to recognize “a separate claim for increased likelihood of future harm.” [R. 122, p. 7 (citing Smith v. Windstream Commc'ns, Inc., No. Civ. 11-272-GFVT, 2013 WL 3233488, at *2 (E.D. Ky. June 25, 2013); Rainer v. Union Carbide Corp., 402 F.3d 608, 619 (6th Cir. 2005)]. Any jury's decision to award damages for Plaintiffs' increased risk of future harm will be contingent upon a sufficient evidentiary showing of material risk of concrete harm and “some other injury” they have suffered, which may be emotional distress. TransUnion, 141 S.Ct. at 2211; Bowen, 2022 WL 4110319 at *4. Put differently, and in summation, a jury may consider whether Plaintiffs are entitled to compensation for their increased risk of future harm as long as they can show a material risk of concrete harm coupled with any realized injury-which could be emotional harm, lost out-of-pocket expenses, or “some other injury.” TransUnion, 141 S.Ct. at 2211.
Based on the foregoing clarification of the Court's previous rulings, Pharm-Save's motion [R. 137] will be denied without prejudice. Because the motion and responsive briefs were informed by the Court's prior rulings on this issue, the Court finds it would be inappropriate to now rule on the merits before allowing the parties to reform their arguments. If, considering the Court's present ruling, Pharm-Save seeks to renew its request for summary judgment on Plaintiffs' damages claims for increased risk of future harm, Pharm-Save is free to do so within thirty (30) days of this Order's entry. Standard response and reply times shall apply. Such a motion, and any responsive brief from the Plaintiffs, shall acknowledge the Court's present clarification, must be tailored to Plaintiffs' two remaining claims, and must be supported by relevant, factually analogous case law.
B. DAUBERT MOTIONS
Pharm-Save has submitted motions to exclude the testimony of two of Plaintiffs' experts, Daniel Korczyk [R. 138] and Vincent D'Agostino [R. 139], pursuant to Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993). Plaintiffs seek to admit the testimony of these experts for purposes of proving their claimed damages and the standard of care Pharm-Save allegedly breached in failing to adequately safeguard its employees' private information.
“Admissibility in federal court, including the admissibility of expert testimony, is determined by federal standards even when a case . . . is tried in diversity.” Commins v. Genie Indus., Inc., No. 3:16-CV-00608-GNS-RSE, 2020 WL 1189937 (W.D. Ky. Mar. 12, 2020) (citation omitted). As a result, Federal Rule of Evidence 702, which governs the use of expert testimony, guides the Court's analysis. Rule 702 provides:
A witness who is qualified as an expert by knowledge, skill, experience, training, or education, may testify in the form of an opinion or otherwise if:
(a) the expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.Fed. R. Evid. 702. Under this rule, as amended, the trial judge is the gatekeeper, ensuring that expert testimony satisfies the requirements of reliability and relevance. See Daubert v. Merrell Dow Pharm., Inc., 509 U.S. 579, 597 (1993) (recognizing “a gatekeeping role for the judge” under Rule 702). The Sixth Circuit has found that, based on the language of Rule 702, an expert's opinion is admissible if it satisfies three requirements:
First, the witness must be qualified by “knowledge, skill, experience, training, or education.” Fed.R.Evid. 702. Second, the testimony must be relevant, meaning that it “will assist the trier of fact to understand the evidence or to determine a fact in issue.” Id. Third, the testimony must be reliable. Id.In re Scrap Metal Antitrust Litig., 527 F.3d 517, 528-29 (6th Cir. 2008); see also EEOC v. R&L Carriers, Inc., No. 1:17-CV-515, 2023 WL 2652383, at *2 (S.D. Ohio Mar. 27, 2023) (same).
“Experts are permitted wide latitude in their opinions, including those not based on firsthand knowledge, so long as ‘the expert's opinion [has] a reliable basis in the knowledge and experience of the discipline.'” Jahn v. Equine Servs., PSC, 233 F.3d 382, 388 (6th Cir. 2000) (quoting Daubert, 509 U.S. at 592). Accordingly, the Court's role is to examine “not the qualifications of a witness in the abstract, but whether those qualifications provide a foundation for a witness to answer a specific question.” Berry v. City of Detroit, 25 F.3d 1342, 1351 (6th Cir. 1994). Ultimately, “a witness is not a qualified expert simply because he self-identifies as such,” and courts “take a liberal view of what knowledge, skill, experience, training, or education is sufficient to satisfy the requirement.” Bradley v. Ameristep, Inc., 800 F.3d 205, 208-09 (6th Cir. 2015).
Rule 702 also guides the trial court by providing general standards to assess reliability: whether the testimony is based upon “sufficient facts or data,” whether the testimony is the “product of reliable principles and methods,” and whether the expert “has applied the principles and methods reliably to the facts of the case.” FED. R. EVID. 702. In addition, the Supreme Court has provided a non-exclusive checklist for trial courts to consult in evaluating the reliability of expert testimony, including: “testing, peer review, publication, error rates, the existence and maintenance of standards controlling the technique's operation, and general acceptance in the relevant scientific community.” United States v. Langan, 263 F.3d 613, 621 (6th Cir. 2001) (citing Daubert, 509 U.S. at 593-94). “The test of reliability is ‘flexible,' and the Daubert factors do not constitute a ‘definitive checklist or test,' but may be tailored to the facts of a particular case.” In re Scrap Metal Antitrust Litig., 527 F.3d at 529 (quoting Kumho Tire Co. v. Carmichael, 526 U.S. 137, 150 (1999)). The proponent of the testimony bears the burden of establishing its admissibility by a preponderance of proof. Nelson v. Tenn. Gas Pipeline Co., 243 F.3d 244, 251 (6th Cir. 2001) (citing Daubert, 509 U.S. at 592 n.10).
That being said, “[a]ny doubts regarding the admissibility of an expert's testimony should be resolved in favor of admissibility.” In re E. I. du Pont de Nemours & Co. C-8 Pers. Injury Litig., 337 F.Supp.3d 728, 739 (S.D. Ohio 2015) (citations omitted); see also Marmo v. Tyson Fresh Meats, Inc., 457 F.3d 748, 758 (8th Cir. 2006) (“Courts should resolve doubts regarding the usefulness of an expert's testimony in favor of admissibility.”). In other words, “rejection of expert testimony is the exception, rather than the rule, and [courts] will generally permit testimony based on allegedly erroneous facts when there is some support for those facts in the record.” In re Scrap Metal Antitrust Litig., 527 F.3d at 530 (citation omitted).
i. Daniel Korczyk [R. 138]
Plaintiffs have retained Daniel Korcsyk, a Certified Public Accountant (CPA), to calculate and testify to their alleged damages. Korczyk offers various damages figures, including “valuations of time necessary to mitigate against the possibility of future harm, out-of-pocket costs necessary to mitigate against future harm, the value of PII itself, and the value attendant to Defendant's invasion of Plaintiffs' privacy itself.” [R 150, p. 8].
Pharm-Save first argues generally that “all of Korczyk's opinions seem to be based on misguided legal interpretations that he is undeniably unqualified to offer” because he is not a lawyer. [R. 138, p. 5]. In addition, Pharm-Save argues that Korczyk is not qualified to provide expert opinions on the value of PII and the costs necessary to mitigate against possible future harm to it. Id. at 9, 8. Pharm-Save takes issue with the fact that Korczyk lacks “any specialized training or experience in valuing PII.” Id. at 9-10. Pharm-Save also seeks to discredit Korczyk's findings by suggesting he utilized Google to formulate them. Id. at 10. In response, Plaintiffs list Korczyk's many qualifications and experience in the field of accounting, forensic accounting, and finance and suggests he is highly qualified to offer expert testimony. [R. 150, p. 6].
a. Qualifications
As a preliminary matter, the Court agrees with Pharm-Save that, to the extent Plaintiffs seek to elicit testimony from Korczyk regarding any legal opinions, he is not qualified to do so. As stated, Korczyk is a Certified Public Accountant who has significant experience conducting forensic financial investigations and testifying on matters concerning accounting, valuations, and economic damages. See generally [R. 112-1, p. 3 (Expert Report of Daniel Korczyk) (“Korczyk Report”)]. But experience testifying in the courtroom does not qualify Korczyk, as a non-lawyer, to give legal opinions. Korczyk has neither legal education nor training that would qualify him to testify on any matters requiring legal expertise. The Court will therefore grant Pharm-Save's motion to the extent it seeks to exclude Korczyk's testimony concerning legal opinions or conclusions.
The Court believes, however, that Korczyk is qualified to offer projections concerning the cost of future protection of Plaintiffs' PII. His curriculum vitae (CV) reflects that he possesses the knowledge, skill, experience, training, and education to testify on the subject. As mentioned, Korczyk is a CPA licensed in the state of Georgia. [R. 112-1 (Expert Report of Daniel Korczyk) (“Korczyk Report”), p. 3]. Id. He holds a bachelor's degree in management from the University of Notre Dame, and a master's degree in finance from DePaul University. Id. Korczyk has earned the specialty designations “Accredited in Business Valuations” and “Certified in Financial Forensics,” both granted by the American Institute of Certified Public Accountants. Id. He has also been designated as an Accredited Senior Appraiser by the American Society of Appraisers. Id. Korczyk has nearly forty years of experience in public accounting, including forensic accounting, and finance, with specific experience dealing with valuating economic damages, business valuations, due diligence services, corporate finance, and bankruptcy consulting. Id.
Importantly, Korczyk has testified in previous cases, including data breach cases, as an economic damages and forensics expert. Id. As Plaintiffs note, another court out of the Middle District of Florida deemed Korczyk sufficiently qualified to testify over similar Daubert objections as here. See In re Brinker Data Incident Litig., No. 3:18-CV-686-TJC-MCR, 2021 WL 1405508, at *3 (M.D. Fla. Apr. 14, 2021) (“Further, Korczyk's expertise would be helpful to a jury because it provides a starting point to decide damages in a context unfamiliar to many. The Court finds that Korczyk possesses ‘specialized knowledge' that ‘will help the trier of fact to understand the evidence or to determine a fact in issue.'”). Here, the Court likewise finds that Korczyk's education, training, and experience qualify him to testify as to the projected cost to protect Plaintiffs' PII, including “the value of Plaintiffs' time to mitigate against possible future nefarious events ensuing from the Breach.” [R. 109-5 (“Korczyk Report”), p. 9]. Korczyk's testimony will be particularly relevant if the Plaintiffs show they are entitled to damages for their increased risk of future harm at trial. The Court will note, however, that its Daubert ruling on this point is subject to modification, if necessary, based on its ruling on any renewed motion by Pharm-Save for summary judgment on Plaintiffs' claimed damages for increased risk of future harm.
Notwithstanding, Korczyk's Report further provides that “[a]nother of the Damage Elements in this Matter is the value of the Personal Identifiable Information stolen.” Id. Pharm-Save takes issue with Korczyk testifying on the value of Plaintiffs' PII both because he is unqualified to do so and because the testimony could “only confuse and mislead the jury” since “this Court has already resolved Plaintiffs' so-called ‘property interest' in their PII.” [R. 138, p. 9]. Pharm-Save's point is well taken. Whether or not Korczyk is qualified to testify as to this type of valuation of PII, as will be discussed in Section B(i)(c) below, such testimony is irrelevant in light of this Court's December 1, 2017 order [R. 26].
b. Reliability
As mentioned, the Court's “gatekeeping inquiry must be ‘tied to the facts of a particular case.'” Kumho, 526 U.S. at 150 (quoting Daubert, 509 U.S. at 591). However, the Court is not “required to admit expert testimony ‘that is connected to existing data only by the ipse dixit of the expert. A court may conclude that there is simply too great an analytical gap between the data and the opinion proffered.'” Nelson v. Tenn. Gas Pipeline Co., 243 F.3d 244, 254 (6th Cir. 2001) (quoting GE v. Joiner, 522 U.S. 136, 146 (1997)). That said, “although ‘nothing in either Daubert or the Federal Rules of Evidence requires a district court to admit opinion evidence which is connected to existing data only by the ipse dixit of the expert,' Gen. Elec. Co. v. Joiner, 522 U.S. 136, 146 (1997), a court must be sure not ‘to exclude an expert's testimony on the ground that the court believes one version of the facts and not the other.'” In re Scrap Metal Antitrust Litig., 527 F.3d at 529. In general, “[v]igorous cross-examination, presentation of contrary evidence, and careful instruction on the burden of proof are the traditional and appropriate means of attacking shaky but admissible evidence.” Daubert, 509 U.S. at 596.
Pharm-Save spends much of its motion to exclude disputing the reliability of Korczyk's research and calculation methodology, arguing the sources he relies upon give no indication that they were peer-reviewed, [R. 138, p. 12], that he performed much of his research simply using Google, Id. at 10, and that he “attempts to pass off [Brian] Krebs' research and conclusions as his own,” Id. Korczyk, however, supports his findings with reputable sources, including government websites such as the Bureau of Labor Statistics, U.S. Department of Commerce, and Federal Trade Commission (FTC), see [R. 109-5 (“Korczyk Report”), p. 10 n.31, n.35, n.42]. And nowhere in his Report does Korczyk suggest that Krebs's work, which Korczyk does rely on, is his own.
As for his methodology, Korczyk employs the “Market Approach” to determine, based on averaging labor rates, the value of Plaintiffs' time to mitigate against future nefarious use of their PII and to estimate future out-of-pocket expenses necessary to do so. Id. at 9-10. Korczyk's Report explains that data-breach victims “are thrust into activities that include time-consuming personal monitoring of web sites and account statements, dealing with the closing of accounts, making phone calls, filing reports, registering for professional services, and other time-intensive activities” and that “[c]omputation of damages related to time consumption can be calculated through the multiplication of supportable hours and rates per hour.” Id. at 10.
Korczyk's Report explains that the “Market Approach” follows “a long-standing, published and peer-reviewed approach” and that “[m]uch has been published in the damages, forensics and valuation literature about this approach.” [R. 109-5 (“Korczyk Report”), p. 5 n.16].
Courts have recognized the Market Approach, or fair market value approach, for calculating damages in other contexts. See Leonard v. Stemtech Int'l Inc, 834 F.3d 376, 391 (3d Cir. 2016) (finding “District Court appropriately denied” Daubert motion seeking to exclude expert's damages calculation in copyright infringement case, which “adopted the recognized fair market value approach”); Metabyte, Inc. v. Canal+Technologies, S.A., No. C-02-05509 RMW, 2005 WL 6032845, at *4 (N.D. Cal. June 17, 2005) (excluding expert's testimony that purported to follow “an accepted ‘market approach'” for business valuation but “deviate[d] from the traditional market-based approach because it oversimplifie[d] what should be a multiple-step analysis”). And while few courts have considered the approach (or any valuation approach) in this context, given the relative novelty of data-breach cases such as this one, the court in Brinker Data found that, at least at the class certification stage, “Korczyk's [averages] methodology is sufficiently supported by data, reliable, and reliably applied.” 2021 WL 1405508 at *3.
Moreover, in Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999), the Supreme Court recognized that the Daubert factors “may or may not be pertinent in assessing reliability, depending on the nature of the issue, the expert's particular expertise, and the subject of his testimony.” 526 U.S. at 150. Reliability, therefore, is not determined exclusively by a checklist or test. Instead, the Court, when determining if Korczyk's proposed testimony is reliable, must determine whether the offered opinions are “supported by appropriate validation - i.e., ‘good grounds,' based on what is known.” Daubert, 509 U.S. at 590. In other words, “[t]he concept of ‘reliability' implies that an expert's opinion must be based on something ‘more than subjective belief or unsupported speculation.'” Navarro v. P&G, 501 F.Supp.3d 482, 489 (S.D. Ohio 2020) (quoting Daubert, 509 U.S. at 590); see also In re Scrap Metal Antitrust Litig., 527 F.3d at 52930 (“The task for the district court in deciding whether an expert's opinion is reliable is not to determine whether it is correct, but rather to determine whether it rests upon a reliable foundation, as opposed to, say unsupported speculation.”).
The Court believes Korczyk's methodology and proposed testimony concerning the time and expense necessary to mitigate against future unauthorized use of Plaintiffs' PII are supported by appropriate validation “based on what is known” in the new age of cyber security and the measures necessary to protect against malicious actors. Korczyk bases his analysis not only on his research, but on his “knowledge, education, training and experience” in this field. [R. 109-5 (“Korczyk Report”), p. 3]. His experience in finance, including forensic accounting and calculating damages, spans nearly forty years. Id. Korczyk's opinions are a product of his educational background and his practical experience in the field. See Ferris v. Tennessee Log Homes, Inc., No. 4:06-CV-35-M, 2009 WL 1506724, at *10 (W.D. Ky. May 27, 2009) (quoting Zerega Ave. Realty Corp. v. Hanover Ins. Co., No. 04 CIV. 9651(KNF), 2006 WL 1343643 (S.D.N.Y. May 17, 2006)) (“Drawing upon one's education background and practical experience is a reliable methodology through which to develop opinions and reach conclusions about scientific, technical, or other areas of specialized knowledge.”).
Lastly on this point, Pharm-Save argues the figures presented by Korczyk are “nonsensical,” [R. 138, p. 7], but the Court cannot exclude Korczyk's testimony for that reason without “believ[ing] one version of the facts and not the other.” In re Scrap Metal Antitrust Litig., 527 F.3d at 529. The Court finds that Korczyk's Market Approach methodology is a reliable technique to estimate a damages projection using averages. Practically speaking, whether his projection is realistic or “nonsensical,” as Pharm-Save suggests, is a question for the finder of fact. But the Court finds that his methodology and proposed application to this case are reliable.
Notwithstanding, the Court will not allow Plaintiffs to present Korczyk's estimation that “the value of Plaintiffs' personal data stolen in the Breach is equal to $145.80 per Plaintiff.” [R. 112-1 (Second Report of Daniel Korczyk) (“Second Korczyk Report”), p. 10]. As previously stated, the Court will not allow testimony on the value of Plaintiffs' PII generally, so this figure is irrelevant.
c. Relevance - Fit Test
“In terms of relevancy, the trial court should consider ‘whether that reasoning and methodology properly can be applied to the facts at issue.'” Asad v. Cont'l Airlines, Inc., 314 F.Supp.2d 726, 732 (N.D. Ohio 2004) (quoting Kumho, 526 U.S. at 150). The “trial court must ensure that the proposed expert testimony is relevant to the task at hand and that there is a proper fit between the inquiry in the case and the testimony.” Id. “[E]xpert testimony that does not relate to any issue in the case is not relevant and therefore not helpful.” United States v. Bonds, 12 F.3d 540, 555 (6th Cir. 1993). Thus, the issue is whether Korczyk's testimony relates to any issue in the case.
Korczyk estimates that “the value of Plaintiffs' time necessary to mitigate against possible future nefarious events from the Breach is equal to $25.51 per hour per Plaintiff,” and that “the value of Plaintiffs' out-of-pocket costs necessary to mitigate against possible future nefarious events ensuing from the Breach is equal to $2,257.41 per Plaintiff.” [R. 112-1 (Second Report of Daniel Korczyk) (“Second Korczyk Report”), p. 9]. It is plain-and Pharm-Save does not refute- that Korczyk's proposed testimony regarding the projected cost to protect the Plaintiffs' PII indefinitely is highly relevant. His findings go directly to the issue of damages and, just as the court found in Brinker Data Incident, “Korczyk's expertise would be helpful to a jury because it provides a starting point to decide damages in a context unfamiliar to many.” 2021 WL 1405508, at *3. In particular, Korczyk's testimony will be helpful to the jury if it finds that the Plaintiffs reasonable out-of-pocket expenses were due to Pharm-Save's negligence, and if the jury determines Plaintiffs should be entitled to compensation for their increased risk of future harm.
Based on the foregoing, the Court believes Korczyk possesses the “scientific, technical, or other specialized knowledge” to offer an opinion on the projected value of Plaintiffs' time necessary to protect against future harm to their PII at trial. Fed.R.Evid. 702. This figure could help the jury decide damages if they successfully prove liability on either of their remaining claims, and particularly if the jury determines Plaintiffs are entitled to compensation for their increased risk of future harm. Korczyk does not, however, possess the requisite qualifications to offer any legal opinions, and, however qualified to do so, he may not testify as to the value of Plaintiffs' PII itself.
As mentioned above, however, Korczyk's proposed testimony regarding the value of Plaintiffs' PII generally, and the allegedly diminished value due to the data breach, is inappropriate in light of this Court's December 1, 2017 order. [R. 26]. The Court determined then that Plaintiffs “failed to adequately plead injury to their PII itself as a property interest” and could not “plead a cognizable injury due to the diminished value of their PII itself.” Id. at 9, 8. Along the same lines, Korczyk estimates that the value of Plaintiffs' violated privacy is equal to $2,070 per Plaintiff. [R. 112-1 (Second Report of Daniel Korczyk) (“Second Korczyk Report”), p. 37]. Because the Court finds Plaintiffs' invasion of privacy claims fail as a matter of law, it will not allow this testimony. The Court will not allow Plaintiffs to introduce expert testimony concerning the value of their PII, or the value of Plaintiffs' violated privacy, which is not relevant to the remaining claims at issue and would serve only to confuse the jury.
In sum, the Court will allow Korczyk to testify as to his valuations of the time necessary for Plaintiffs to mitigate against the possibility of future harm to their PII and/or the out-of-pocket costs necessary to so mitigate. The Court will not, however, allow Korczyk to testify as to any supposed value of Plainitffs' PII itself or of Plaintiffs' invaded privacy. The Court will therefore grant in part and deny in Pharm-Save's motion to exclude his testimony [R. 138].
ii. Vincent D'Agostino [R. 139]
Vincent D'Agostino is Plaintiffs' “retained standard-of-care expert.” [R. 150, p. 3]. Plaintiffs seek to call D'Agostino at trial to “opine on the relevant standard of care” which private sector companies should have reasonably employed in 2016, when this data breach occurred, and “Defendant's clear deviation therefrom.” Id.
Pharm-Save contends that D'Agostino “provides several unsupported opinions” in his report, but its motion “focuses on two: (1) that [Pharm-Save] ‘violated their duty of care as owed to the plaintiffs' and (2) that Barbara Houghton was ‘grossly negligent.'” [R. 139, p. 6]. Plaintiffs appear to concede the second point in their response. See [R. 150, p. 4 n.1] (“Defendant also seeks exclusion of Mr. D'Agostino's use of the words ‘gross negligence[.]' This argument is well taken, and Plaintiffs will not oppose it; although, Mr. D'Agostino is of course allowed to express an opinion that embraces an ultimate factual issue, such as the standard of care.”). Other than this footnote, the Plaintiffs do not substantively respond to Pharm-Save's motion on this issue. Accordingly, the Court will grant Pharm-Save's motion to the extent it seeks to prevent D'Agostino from testifying to the legal conclusion that Houghton was “grossly negligent.”
The Court will therefore only address Pharm-Save's first argument, that D'Agostino should be precluded from testifying that Pharm-Save violated a duty of care because it failed to follow several “best practices,” below.
a. Qualifications
Vincent D'Agostino is Plaintiffs' “retained testifying standard-of-care expert.” [R. 150, p.
3]. D'Agostino holds a bachelor's degree in political science from Penn State and a juris doctor from Hofstra University. [R. 155-15, p. 5, subp. 15]. He practiced law from 2003 to 2004 before joining the Federal Bureau of Investigation (FBI) in 2004, where he served as a special agent for eleven years. [R. 109-4, (Expert Report of Vincent D'Agostino) (“D'Agostino Report”), p. 2]. D'Agostino's Report provides that he served in the Cyber Crimes Division, where he worked “dozens of breach/unauthorized access investigations.” Id. D'Agostino returned to the private sector in 2015 and began “investigating corporate breach events” for private industry clients. Id.
Since 2017, D'Agostino has served as Global Head of Cyber Forensics and Incident Response at BlueVoyant, a “large cyber defense company with the mission of protecting businesses from ever becoming the victims of a cyber breach event.” Id. In that role, D'Agostino leads a team of investigators who perform “root cause forensic analysis and containment” to determine how security breaches occurred, where a “threat actor may have traversed while in the environment,” and what data may have been impacted. Id. D'Agostino's Report provides that he has “led thousands of these investigations,” from “business email compromises and wire transfer redirects to insider threat cases, theft of intellectual property, malware-based network takeovers and full-scale ransomware attacks.” Id. at 2-3.
Pharm-Save does not contest D'Agostino's competence to provide expert testimony related to cyber security. See [R. 154, p. 2] (“At no point did Pharm-Save argue that D'Agostino was not competent to offer expert testimony-instead, Pharm-Save argued that D'Agostino's opinions were the conclusion of unreliable analysis and were virtually just D'Agostino's subjective thoughts with no cited basis.”). Because the Court finds that D'Agostino has the requisite knowledge, education, and experience to qualify him to testify on matters related to cyber security, including generally accepted methods employed to protect against data breaches, and because Pharm-Save does not dispute his qualifications, the Court will turn to the reliability of D'Agostino's conclusions.
b. Reliability
As mentioned, the Court's “gatekeeping inquiry must be ‘tied to the facts of a particular case.'” Kumho, 526 U.S. at 150 (quoting Daubert, 509 U.S. at 591), and the Court is not “required to admit expert testimony ‘that is connected to existing data only by the ipse dixit of the expert.'” Nelson, 243 F.3d at 254 (quoting Joiner, 522 U.S. at 146). However, “[v]igorous crossexamination, presentation of contrary evidence, and careful instruction on the burden of proof are the traditional and appropriate means of attacking shaky but admissible evidence.” Daubert, 509 U.S. at 596.
Pharm-Save criticizes D'Agostino's findings because he performed “no independent research” outside “a couple of Google searches” to reach them. [R. 139, p. 7]. In response, Plaintiffs submit that “it is well-settled in the Sixth Circuit that expert witnesses need not rely on independent research if they form an opinion within the wheelhouse of their professional expertise[.]” [R. 150, p. 4 (citing Gass v. Marriott Hotel Servs., Inc., 558 F.3d 419, 427-28 (6th Cir. 2009); Dickenson v. Cardiac & Thoracic Surgery of Eastern Tenn., P.C., 388 F.3d 976 (6th Cir. 2004))].
Indeed, in the medical malpractice context, the Sixth Circuit has held that “a physician need not demonstrate a familiarity with accepted medical literature or published standards in [an area] of specialization in order for his testimony to be reliable in the sense contemplated by Federal Rule of Evidence 702.” Dickenson, 388 F.3d at 976. Rather, the Court of Appeals determined, “the text of Rule 702 expressly contemplates that an expert may be qualified on the basis of experience.” Id. Revisiting that decision, the Sixth Circuit opined in Gass that “Dickenson stands for the proposition that a medical doctor is generally competent to testify regarding matters within his or her own professional experience. When, however, the doctor strays from such professional knowledge, his or her testimony becomes less reliable, and more likely to be excluded under Rule 702.” 588 F.3d at 427. The Court, in deciding Gass, therefore held that a district court did not abuse its discretion in admitting testimony from two physicians who relied on professional education and experience, rather than independent research. Id. at 28.
Even so, this is not a medical malpractice case, and courts have expressed concerns “about qualifying witnesses as experts on the basis of work experience alone.” Scott v. Deerbrook Ins. Co., 714 F.Supp.2d 670, 674 (E.D. Ky. 2010) (citing United States v. Gallion, 257 F.R.D. 141, 148 (E.D.Ky.2009); Cicero v. Borg-Warner Auto., Inc., 163 F.Supp.2d 743 (E.D. Mich.2001)). Thus, “[i]f an expert witness relies ‘solely or primarily on experience, then the witness must explain how that experience leads to the conclusion reached, why that experience is a sufficient basis for the opinion, and how that experience is reliably applied to the facts.'” Antioch Co. Litigation Trust v. Morgan, 633 Fed.Appx. 296, 300 (6th Cir. 2015) (quoting Fed.R.Evid. 702 advisory committee notes to 2000 amendments). “‘The trial court's gatekeeping function requires more than simply taking the expert's word for it.'” Id. (citing Daubert, 43 F.3d at 1319 (9th Cir.1995)).
Here, Pharm-Save takes issue with D'Agostino's “best practices” or “protocols” he claims Pharm-Save failed to follow because D'Agostino failed to cite any authority behind them. [R. 139, p. 7]. Those protocols include:
1) Lack of Information Security (INFOSEC) Training for all employees to include specialized training for “high risk” employees;
2) Lack of Disclosure of payment/sensitive data internal protocols;
3) Breach Investigation protocols; and
4) Victim Notification[R. 109-4 (Expert Report of Vincent D'Agostino) (“D'Agostino Report”), p. 5].
Importantly, D'Agostino's Report states that his “opinions will consider the actions of the defendant and its employees both before, during and after the breach event in the context of Information Security (INFOSEC) and breach response best practices as they stood in the 2016 time period.” [R. 109-4 (D'Agostino Report”), p. 3]. He does not purport to testify regarding “best practices of today,” when phishing schemes and other cyber attacks are far better known and protected against.
Plaintiffs' response, and a review of D'Agostino's Report, indeed indicate that these “best practices” are gleaned from his professional experience and not from any independent research. D'Agostino must therefore “explain how that experience leads to the conclusion reached, why that experience is a sufficient basis for the opinion, and how that experience is reliably applied to the facts.” Antioch Co. Litigation, 633 Fed.Appx. at 300 (citation omitted).
The Court finds that D'Agostino's Report sufficiently explains how his professional experience led him to determine the “best practices” or standard protocols businesses typically employ to protect against cyber security threats. D'Agostino's Report provides that he “reviewed the facts surrounding this breach event in the context of [his] experience and understanding of information security best practices, cyber as well as post breach investigative best practices which [he has] considered in forming [his] opinions.” [R. 109-4 (“D'Agostino Report”), p. 1]. D'Agostino explains the rationale behind his opinion that the protocols listed should have been followed, providing, first, that “[g]iven her role, Houghton and other employees with similar roles and responsibilities should have, at a minimum, received basic INFOSEC training” which he explains is “designed to allow the employee to identify and mitigate” against these “incredibly common and incredibly unsophisticated” cyber-attacks. Id. at 5-6. D'Agostino offers that “even the most basic training would have sufficed.” Id. at 6. Given his expensive experience investigating data breaches, the Court finds his opinion that providing certain employees with cyber security training was among the standard or “best practices” businesses could employ in 2016 is sufficiently reliable.
A review of the other “best practices” listed by D'Agostino compels the same conclusion. D'Agostino's Report explains that, because of the sensitive nature of certain data, it is best to send such data “in an encrypted state” even where it is transmitted through a secure channel and to a verified recipient. Id. at 8. The Report explains that “[w]hen an individual sends an email containing an unencrypted attachment, those documents can be access [sic] by anyone who accesses the sender or receiver[']s email inbox. This is ill advised [even] when sending an intra organization based email[.]” Id. This sufficiently explains the rationale behind D'Agostino's belief that it was among the “best practices” in 2016 to ensure files were encrypted before being transmitted. Next, D'Agostino's Report suggests that “a proper investigation” into the data breach should have been performed, and the affected individuals should have received a more thorough notice to allow them to “fully comprehend the nature and scope of the confirmed data loss[.]” Id. at 9-10. Again, D'Agostino bases these opinions on his years of experience performing the type of investigation he suggests should have taken place here.
The Court finds that D'Agostino has provided a sufficient basis for his opinions, and whether his proffered “best practices” should have been known to Pharm-Save in 2016 is for the jury to decide. Even “[w]hen a trial judge has doubts about the strength of proffered testimony, exclusion is not the remedy, but rather vigorous cross-examination, presentation of contrary evidence, and careful instruction on the burden of proof are the traditional and appropriate means of attacking shaky but admissible evidence.” Crouch v. John Jewell Aircraft, Inc., No. 3:07-CV-638-DJH, 2016 WL 157464, at *9 (W.D. Ky. Jan. 12, 2016) (citing Daubert, 509 U.S. at 596).
c. Relevance - Fit Test
Finally, once again regarding relevancy, “the trial court should consider ‘whether that reasoning and methodology properly can be applied to the facts at issue.'” Asad, 314 F.Supp.2d at 732 (quoting Kumho, 526 U.S. at 150). The Court is tasked with ensuring “the proposed expert testimony is relevant to the task at hand and that there is a proper fit between the inquiry in the case and the testimony,” Id., as “expert testimony that does not relate to any issue in the case is not relevant and therefore not helpful.” Bonds, 12 F.3d at 555.
Courts have found that “expert testimony is needed if ‘the subject matter is too technical for the lay juror....'” District of Columbia v. Hampton, 666 A.2d 30, 36 (D.C. 1995) (quoting Beard v. Goodyear Tire & Rubber Co., 587 A.2d 195, 200 (D.C. 1991)). “With regard to claims of negligence, expert testimony is required . . . regarding the applicable standard of care, unless the subject matter is ‘within the realm of common knowledge and everyday experience of the jurors.” Lindsey v. D.C., 810 F.Supp.2d 189, 203 (D.D.C. 2011) (internal citation and quotation marks omitted). Put differently, expert testimony is often required “to establish what the standard of care is if the subject in question is so distinctly related to some science, profession[,] or occupation as to be beyond the ken of the average layperson.” Id. (quoting Messina v. District of Columbia, 663 A.2d 535, 538 (D.C. 1995)). Here, the Court finds that D'Agostino's testimony will be helpful to the trier of fact to determine whether Pharm-Save was negligent in failing to protect against the type of phishing scheme Houghton fell victim to, since cyber security-and, in particular, the state of cyber security in 2016, when the phishing scheme was perpetrated-is not “within the realm of common knowledge and everyday experience” of the average juror. Id.
Having determined that D'Agostino possesses the “scientific, technical, or other specialized knowledge” to offer an opinion on the applicable standard of care at issue in this matter, and that his proposed testimony is both reliable and relevant, the Court will deny Pharm-Save's motion to exclude his testimony suggesting it violated several “best practices” known in the industry in 2016. The Court will, however, grant Pharm-Save's motion to the extent it seeks to exclude D'Agostino's opinion that Barbara Houghton was “grossly negligent.” Pharm-Save's motion to exclude D'Agostino's testimony [R. 139] will therefore be granted in part and denied in part.
C. MOTION TO CERTIFY CLASS
Lastly, Plaintiffs seek to certify two separate classes of plaintiffs: (1) those individuals whose W-2s were sent to cybercriminals, and (2) those individuals who “have incurred documented, out-of-pocket expenses related to PII compromise remediation and/or mitigation measures taken on or after March 3, 2016.” [R. 144-1, pp. 19, 20]. In their Motion, Plaintiffs outline the alleged harm they have suffered, and offer that the “injury and damages of Plaintiffs Savidge and Lynch are exactly the sort to which the members of the proposed Class[es] were subjected due to the conduct of Defendants.” [R. 144-1, pp. 12-13]. Pharm-Save opposes class certification, noting that “[t]he overwhelming majority of the putative class members . . . have sustained zero damages.” [R. 155, p. 4] (emphasis removed). Because the only individuals “known at this time who sustained any out-of-pocket expenses are the two [named] Plaintiffs,” who have spent an approximate combined $450 on identity theft protection, Pharm-Save maintains that “this case is the archetype of why class actions are disfavored by courts.” Id.
The party seeking class certification bears the burden of proof. See Falcon, 457 U.S. at 161; Senter v. General Motors Corp., 532 F.2d 511, 522 (6th Cir.), cert. denied, 429 U.S. 870 (1976). Importantly, “[a] class is not maintainable as a class action by virtue of its designation as such in the pleadings.” Am. Med. Sys., 75 F.3d at 1079 (citing Cash v. Swifton Land Corp., 434 F.2d 569, 571 (6th Cir. 1970)). The Court finds additional briefing necessary before it can decide class certification in this case. Specifically, the Court requires that the parties discuss the basis for granting or denying class certification for each of Plaintiffs' remaining claims individually. See Hosp. Auth. Of Metro. Gov't of Nashville & Davidson Cnty., Tennessee v. Momenta Pharms., Inc., 333 F.R.D. 390, 405 (M.D. Tenn. 2019) (“[C]ourts must take into account the claims, defenses, relevant facts, and applicable substantive law, to assess the degree to which resolution of the classwide issues will further each individual class member's claim against the defendant.”) (internal citations and quotation marks omitted).
As it presently stands submitted to the Court, the parties have more generally argued that class certification is, or is not, appropriate in this case. In light of the Court's present rulings dismissing Plaintiffs' NCUDTPA and intrusion upon seclusion claims, however, the Court is concerned that common issues may not predominate over individualized causation and damages inquiries with respect to the putative classes' sole remaining claims-negligence and breach of implied contract-rendering class certification inappropriate. The Court will therefore deny without prejudice Plaintiffs' Motion for Class Certification and allow them to refile a properly supported motion that is specifically tailored to their remaining claims. Should Plaintiffs choose to refile their motion, they must do so within forty-five (45) days of entry of this Order. Standard response and reply times shall apply.
Accordingly, the Court will likewise deny without prejudice Plaintiffs' Motion for Oral Argument [R. 160]. Should the Court determine oral argument would aid in the resolution of any re-filed motion for class certification, the Court will order a hearing at that time.
III. CONCLUSION
Based on the foregoing, IT IS HEREBY ORDERED as follows:
1. Pharm-Save's Motion for Partial Summary Judgment on Plaintiffs' NCUDTPA claim [R. 135] is GRANTED.
2. Pharm-Save's Motion for Partial Summary Judgment on Plaintiffs' Intrusion Upon Seclusion claim [R. 136] is GRANTED.
3. Pharm-Save's Motion for Partial Summary Judgment on Plaintiffs' claimed damages for increased risk of future harm [R. 137] is DENIED without prejudice. Pharm-Save may file a renewed motion within thirty (30) days of entry of this Order.
4. Pharm-Save's Motion to Exclude Testimony of Daniel Korczyk [R. 138] is GRANTED in part and DENIED in part.
5. Pharm-Save's Motion to Exclude Testimony of Vincent D'Agostino [R. 139] is GRANTED in part and DENIED in part.
6. Plaintiffs' Motion for Class Certification [R. 144] is DENIED without prejudice. Plaintiffs may file a renewed motion for class certification within forty-five (45) days of entry of this Order.
7. Plaintiffs' Motion for Oral Argument [R. 160] is DENIED.