Opinion
CV-22-96-GF-BMM
03-02-2023
JANICE TEETER, individually, and on behalf of all others similarly situated, Plaintiff, v. EASTERSEALS-GOODWILL NORTHERN ROCKY MOUNTAIN, INC., Defendant.
ORDER
Brian Morris, United States District Court Chief Judge
INTRODUCTION
Plaintiff Janice Teeter (“Teeter”) filed this action on behalf of herself and putative class members on October 10, 2022. (Doc. 1.) Defendant Easter-Seals Goodwill Northern Rocky Mountain (“ESGW”) moves the Court to dismiss the action on the basis that Teeter lacks standing and has failed to state a claim for relief. (Doc. 10.) The Court conducted a motion hearing on January 25, 2023. (Doc. 23.)
FACTUAL AND LEGAL BACKGROUND
ESGW is a private, nonprofit organization serving low-income families and children and adults with disabilities in Idaho, Montana, Utah, and Wyoming. (Doc. 11 at 9.) Teeter lives in Montana and used to work for ESGW. (Id. at 10.) This action arises from an ESGW data breach involving the financial information and Social Security numbers of a reported 7,552 individuals from approximately October 12, 2021, through November 11, 2021. (Id. at 6.)
Teeter claims that ESGW collected, stored, and “assured reasonable security” over her and class members' personal health information (“PHI”) and personal identifying information (“PII”) as part of their employment. (Doc. 17 at 7.) Teeter alleges that ESGW failed to take reasonable measures to assure the security of this information. (Id. at 8.) ESGW detected the unauthorized account activity as early as July 20, 2022. (Id. at 7.) ESGW did not report this activity to Teeter until it sent her a letter dated September 16, 2022. (Id.)
Teeter alleges that she and class members suffered harm that includes the following injuries: identity theft; loss of an opportunity to determine how their PHI/PII and financial information is used; and compromise, publication, and/or theft of personal information. (Id. at 8.) Teeter additionally asserts out-of-pocket expenses and lost time associated with the prevention, detection, and recovery from the breach, as well as “continued risk” to their PHI/PII and “future costs.” (Id.) Teeter also claims “lost continuity in relation to [her and putative class members'] healthcare.” (Id.)
ESGW's Chief Legal and Privacy Officer, John Martin, stated in a declaration that the hackers do not appear to have targeted “personal information of private persons during the data security incident.” (Martin Decl., Doc. 12-1 ¶ 5.) Martin states that the “threat actors” used search terms such as “accounts payable,” “ach,” “invoice,” “direct deposit” to search the accessed ESGW systems. (Id. ¶ 4.) Martin infers that the hackers' motive was to “obtain business information about ESGW or its business partners rather than private individuals.” (Id.)
The notice letter that ESGW sent Teeter and putative class members stated that there “is no evidence that any of your information has been misused.” (Doc. 11 at 10.) The notice offered a free identity-theft and fraud detection service through Equifax. (Id.) This service included credit monitoring, credit reports, WebScan notifications, automatic fraud alerts, identity restoration, and $1 million in identity theft insurance. (Id.) ESGW alleges that Teeter never enrolled or attempted to enroll in the service. (Id. at 10-11.)
Teeter brought this suit against ESGW on October 11, 2022. (Doc. 1.) Teeter argues that ESGW failed properly to store and secure her and at least 7,551 others' PHI and PII. (Id. at 2.) Teeter pleads her claims as a putative class action, with a nationwide class and a Montana subclass. (Id. at 9-15.) Teeter alleges seven causes of action: (I) negligence; (II) negligence per se; (III) invasion of privacy; (IV) breach of confidence; (V) breach of implied contract; (VI) breach of the implied covenant of good faith and fair dealing; and (VII) unjust enrichment. (Id. at 3356.) Teeter seeks class certification, damages, injunctive relief, and attorney's fees. (Id. at 57-60.)
ESGW filed a motion to dismiss on December 14, 2022. (Doc. 10.) The motion seeks dismissal under Fed.R.Civ.P. 12(b)(1) and 12(b)(6). (Doc. 11 at 35.) Teeter filed a Response on January 3, 2023. (Doc. 17.) ESGW filed a Reply on January 17, 2023. (Doc. 20.) The Court conducted a motion hearing on January 25, 2023. (Doc. 23.)
LEGAL STANDARD
To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A claim possesses facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. Id.
DISCUSSION
ESGW moves to dismiss Teeter's action on the basis that Teeter lacks Article III standing and that the Complaint fails to state a cause of action. (Doc. 11 at 9-10.) Teeter argues that the Complaint proves sufficient to establish standing and state a claim. (Doc. 17 at 6.)
I. Standing under 12(b)(1).
ESGW frames its standing arguments as both a facial and as-applied attack. ESGW contends that Teeter has failed to allege any injury because the evidence indicates that the actors responsible for the data breach never targeted employees' PHI or PII. (Doc. 11 at 12-13.) ESGW cites Martin's declaration (Doc. 12-1) regarding the hackers' search terms. (Id.) ESGW asserts that Teeter has failed to establish that she faces either (1) imminent or impending risk of future harm; or (2) actual or concrete harm. Clapper v. Amnesty Int'l, 568 U.S. 398, 408 (2013). (Doc. 11 at 15-20.) ESGW additionally argues that Teeter has not alleged that she suffered any unauthorized use of her information, identify theft, adverse credit impact, or economic harm. (Doc. 11 at 15-20.)
Teeter responds that the Complaint alleges concrete, particularized harm. Teeter relies on Ree v. Zappos.com, Inc., 888 F.3d 1020, 1024 (9th Cir. 2018), for the proposition that future injury establishes standing if it proves “certainly impending” or a plaintiff faces substantial risk that the injury will occur. (Doc. 17 at 10.) Teeter argues that her lost time constitutes a concrete, particularized injury. Teeter cites Zucchero v. Heirloom Roses Inc., No. 4:22-cv-00068 (Doc. 35) (N.D. Cal.), to argue that lost time due to a data breach establishes standing where a company sends a notice encouraging recipients to take steps to protect themselves. (Doc. 17 at 11.)
The mere occurrence of a data breach does not suffice to establish liability. TransUnion LLC v Ramirez, __ U.S. __, 141 S.Ct. 2190, 2210-11 (2021). “[M]ere misappropriation of personal information” similarly fails to establish injury. Pruchnicki v. Envision Healthcare Corp., 845 Fed.Appx. 613, 615 (9th Cir. 2021). The hackers in Zucchero specifically had targeted consumers' financial information. No. 4:22-cv-00068 (Doc. 35 at 6). Teeter, by contrast, has provided no evidence that ESGW's hackers targeted her or class members' protected information. (Doc. 20 at 4.) The Court recognizes the parties' different levels of access to information at this stage of the litigation regarding the data breach and Teeter's alleged injuries. Teeter is entitled to further discovery on this issue. The Court declines to dismiss Teeter's action on standing grounds. The Court will proceed to analyze the merits of Teeter's claims.
II. Failure to State a Claim under 12(b)(6).
ESGW asks the Court to dismiss each of Teeter's seven causes of action. The Court will consider, in turn, each cause of action.
A. Adequacy of Count I: Negligence.
i. Duty.
In determining whether a duty of care exists, Montana courts consider the following two factors: “(1) whether the imposition of that duty comports with public policy, and (2) whether the defendant could have foreseen that his conduct could have resulted in an injury to the plaintiff.” Fisher v. Swift Transp. Co., 181 P.3d 601, 607 (Mont. 2008) (internal citations omitted). A court will weigh the following considerations with respect to the public policy factor: (1) “the moral blame attached to a defendant's conduct;” (2) “the prevention of future harm;” (3) “the extent of the burden placed on the defendant;” (4) “the consequences to the public of imposing such a duty;” and (5) “the availability and cost of insurance for the risk involved.” Id. at 342.
ESGW contends that Teeter has failed to establish a duty necessary to support her negligence claim. ESGW argues that it owes no common-law duty because the Fisher public policy factors militate against a duty: ESGW bears no moral blame, ESGW already is subject to federal and state privacy and security rules, class action litigation would impose a burden on ESGW, and an adverse class action award would hurt the public because it would “significantly impact” ESGW's ability to provide community services. Fisher, 181 P.3d at 607. (Doc. 11 at 22-23.)
Teeter asserts that ESGW possessed a duty to protect her and class members' information under the Fisher factors: (1) ESGW bears moral responsibility for failing to take adequate protections to protect a breach; (2) holding ESGW liable would incentivize it and other organizations to prevent future harm from data breaches; (3) the burden on ESGW would prove reasonable; (4) the public would benefit from imposing a duty on organizations to maintain reasonable data security; and (5) insurance is available for organizations to mitigate their risk. Fisher, 181 P.3d at 607. (Doc. 17 at 13.)
Whether a duty exists presents a question of law. The Court may be required to make a fact-intensive inquiry, however, to determine whether a duty exists to support a common-law negligence claim. Teeter alleges that ESGW failed to take adequate precautions to prevent the data breach; that ESGW bears at least some degree of moral blame for the breach; that holding ESGW liable would not impose too great a burden and would benefit the public; that appropriate insurance is available; and that the consequences of ESGW's breach proved foreseeable. (Doc. 1 at 25-26, 33-36; Doc. 17 at 13-14.) Teeter's complaint contains sufficient factual allegations, taken as true, to state a claim that a common-law duty exists for purposes of Count I. Iqbal, 556 U.S. at 678; Fisher, 181 P.3d at 607.
“Special Relationship.”
ESGW additionally argues that it possesses no “special relationship” with Teeter giving rise to an independent duty. (Id. at 23.) Teeter does not attempt to refute this argument. (Doc. 17 at 13-14.) Teeter has waived the claim for any “special relationship” Teeter and putative class action members and ESGW.
Statutory Duty.
Teeter relies on the FTC Act and HIPAA to supply a statutory duty. Teeter argues that the FTC Act and HIPAA each establish ESGW's duty to protect her data as a “predicate [to] a broader common[-]law duty.” (Doc. 17 at 14.) Teeter cites no case law in support of this argument. ESGW argues that neither statute provides a private right of action. (Doc. 11 at 23-24.)
Neither the FTC Act nor HIPAA supplies a private right of action. “[T]here is no private right of action under the [FTC Act].” Mazza v. Am. Honda Motor Co., Inc., 666 F.3d 581, 592 (9th Cir. 2012). HIPAA authorizes only state attorneys general and the United States Department of Health and Human Services to bring enforcement actions under the statute. 42 U.S.C. § 1320d-5-d-6. Teeter may not rely upon a statutory duty for her negligence claim.
i. Causation and Damages.
ESGW argues that Teeter has failed to allege proximate causation of a cognizable injury. ESGW states that Teeter does not allege that her information was misused or that she suffered discontinuity in healthcare. (Doc. 11 at 25.) ESGW notes that Teeter does not allege having enrolled in ESGW's free credit monitoring service. (Id.) ESGW maintains that Teeter's claims rest on “theoretical future harm” that has not yet occurred. (Id.) Teeter responds by repeating the Complaint's list of alleged injuries. (Doc. 17 at 14.)
Teeter alleges that she suffered “actual identity theft,” out-of-pocket expenses, lost continuity in healthcare, lost time, emotional injuries, and “imminent and impending injury” arising from a “substantially increased risk” of fraud and identity theft as a result of the breach. (Doc. 1 at 8; Doc. 17 at 14.) The Court agrees with ESGW that these alleged injuries, without more, may not suffice to establish a cognizable injury and proximate causation for a negligence claim. Teeter's allegations prove sufficient, however, for the motion to dismiss stage. Iqbal, 556 U.S. at 678. Teeter plausibly has pled the elements of a common-law negligence claim sufficient to survive ESGW's motion to dismiss. The Court declines to dismiss Count I.
B. Adequacy of Count II: Negligence Per Se .
A plaintiff must establish “that the statute allegedly violated allows a private right of action” in order to prevail on a claim of negligence per se. Doyle v. Clark, 254 P.3d 570, 576-77 (Mont. 2011). ESGW maintains that none of Teeter's stated statutory bases for her negligence per se claim-FTCA, HIPAA, and Mont. Code § 30-14-1704--supplies a private right of action, thereby requiring dismissal of this claim. (Doc. 11 at 26.) Teeter does not respond to ESGW's arguments regarding the negligence per se claim. ESGW contends that Teeter has waived opposition and that the Court should dismiss this cause of action. (Doc. 20 at 4.) Teeter requested during the January 25, 2023, motion hearing that the Court dismiss, without prejudice, her negligence per se cause of action. The Court will dismiss Count II without prejudice.
C. Adequacy of Count III: Invasion of Privacy.
An invasion of privacy claim requires a plaintiff to prove the following three elements: (1) an intentional intrusion into a private place, conversation, or matter, (2) in a manner highly offensive to a reasonable person, and (3) damages. Medical Lab. Mgmt. Consultants v. ABC, 306 F.3d 806, 812 (9th Cir. 2002).
ESGW argues that Teeter has failed to state an invasion of privacy claim. ESGW highlights that Teeter alleges no intentional intrusion, affirmative disclosure, or publication by ESGW. (Doc. 11 at 27-28.) Teeter does not respond to ESGW's arguments regarding the invasion of privacy claim. ESGW contends that Teeter has waived opposition and that the Court should dismiss this claim. (Doc. 20 at 4.) Teeter requested during the January 25, 2023, motion hearing that the Court dismiss, without prejudice, her invasion of privacy cause of action. The Court will dismiss Count III without prejudice.
D. Adequacy of Count IV: Breach of Confidence.
Breach of confidence under other states' laws flows from “the concept of an implied obligation or contract between the parties that confidential information will not be disclosed.” Entm't Research Grp., Inc. v. Genesis Creative Grp., Inc., 122 F.3d 1211, 1226 (9th Cir. 1997). Disclosure requires that a defendant “affirmatively shared any information or performed any act that gave the hackers information.” In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1147 (C.D. Cal. 2021). “No breach of confidentiality takes place until an unauthorized person views the medical information.” Sutter Health v. Superior Court, 227 Cal.App.4th 1546, 1557 (2014).
ESGW argues first that Teeter has failed to identify any state-law basis for her breach of confidence claim. (Doc. 11 at 29.) ESGW contends that Montana law provides no basis for breach of confidence claims in “data security or similar contexts.” (Id.) Second, ESGW argues that Teeter has not established that ESGW affirmatively shared information or that an unauthorized person viewed her or other class members' PHI/PII. (Id. at 30.)
Teeter does not respond to ESGW's arguments regarding the breach of confidence claim. ESGW contends that Teeter has waived opposition and that the Court should dismiss this claim. (Doc. 20 at 4.) Teeter requested during the January 25, 2023, motion hearing that the Court dismiss, without prejudice, her breach of confidence cause of action. The Court will dismiss Count IV without prejudice.
E. Adequacy of Count V: Breach of Implied Contract.
Courts may recognize an implied contract “[i]f the ‘existence and terms' of an agreement ‘are manifested by conduct,' rather than words[.]” Pfau v. Mortenson, 858 F.Supp.2d 1150, 1159 (D. Mont. 2012) (internal citation omitted). An implied contract requires the same four elements as an express contract: “identifiable parties, consent, a lawful object and consideration.” C B & F Dev. Corp. v. Culbertson State Bank, 844 P.2d 85, 89 (Mont. 1992).
ESGW asserts that Teeter has failed to plead a claim for breach of implied contract. (Doc. 11 at 30-32.) ESGW emphasizes that courts routinely dismiss implied contract claims in data security cases. Krottner v. Starbucks Corp., 406 Fed.Appx. 129, 130 (9th Cir. 2010). (Id. at 31-32.) ESGW argues that Teeter fails to allege consent or consideration. Teeter responds that her breach of implied contract claim should survive because ESGW required her to provide her PHI/PII as a condition of her employment under the “implied condition that it would be kept secure.” (Doc. 17 at 15.) Teeter cites no case law or statutory support for this interpretation.
Teeter's argument that ESGW's requirement that employees provide PHI/PII as part of the hiring process somehow equates to an implied contract to prevent any data breach regarding that information lacks merit. The Ninth Circuit in Krottner affirmed the dismissal of an implied contract claim on the basis that the plaintiffs' allegations had failed to demonstrate a meeting of the minds or any specific offer to encrypt or otherwise safeguard plaintiffs' personal data. 406 Fed.Appx. at 130. Teeter, as with the plaintiffs in Krottner, proffers no evidence of conduct that manifests consent or consideration. Id.; Pfau, 858 F.Supp. at 1159. ESGW did not bargain for or benefit from Teeter's provision of her PHI/PII as part of her employment. To the contrary, federal and state regulations required ESGW to collect this information. I.R.C. §§ 6109(a)(1); Mont. Admin. R. 24.11.2704(3). Teeter fails to allege plausibly the existence of an implied contract. C B & F Dev. Corp., 844 P.2d at 89. The Court will dismiss Count V without prejudice.
F. Adequacy of Count VI: Breach of Implied Covenant.
“The existence of an enforceable contract is a prerequisite to a claim for tortious breach of the covenant.” Morrow v. Bank of Am., N.A., 324 P.3d 1167, 1176 (Mont. 2014). “The covenant ‘must attach to a party's actions within the confines of its duties under a contract.” Roybal v. Bank of Am., N.A., 2015 U.S. Dist. LEXIS 44635, at *18 (D. Mont. Apr. 6, 2015).
ESGW argues that Teeter's breach of implied covenant claim fails for the same reasons that her breach of implied contract claim fails. (Doc. 11 at 33.) Teeter counters that an enforceable contract did exist. Teeter bases this assertion solely upon the employment contract between ESGW and Teeter. (Doc. 17 at 15.)
The employment contract between Teeter and ESGW proves irrelevant to Teeter's implied covenant claim. The employment contract contained no promises regarding data security. (Doc. 11 at 30-33.) Teeter has failed to allege plausibly the existence of an enforceable contract between the parties to prevent any data breach. Roybal, 2015 U.S. Dist. LEXIS 44635, at *18. Teeter's implied covenant claim fails in the absence of an enforceable contract. Morrow, 324 P.3d at 1176. The Court will dismiss Count VI without prejudice.
G. Adequacy of Count VII: Unjust Enrichment.
An unjust enrichment claim requires the following three elements: “(1) a benefit conferred on one party by another; (2) the other's appreciation or knowledge of the benefit; and (3) the other's acceptance or retention of the benefit under circumstances that would render it inequitable for the other to retain the benefit[.]” Associated Mgmt. Servs., Inc. v. Ruff, 424 P.3d 571, 595 (Mont. 2018).
ESGW argues that Teeter's unjust enrichment claim lacks merit. ESGW repeats that Montana and federal law required Teeter to provide her Social Security number to ESGW. (Doc. 11 at 34.) ESGW maintains that Teeter has failed to establish that she or class members conferred any benefit on ESGW, including failing to establish what ESGW's purported profits were with respect to the data breach. (Id. at 33-34.)
Teeter responds that she adequately has pled unjust enrichment. She alleges that ESGW was unjustly enriched “through its failure to disclose its lax data security practices at her expense.” (Doc. 17 at 15-16.) Teeter alleges that she lost time and that the value of her PII diminished. (Id.)
Teeter has failed to allege plausibly a material benefit conferred upon ESGW. ESGW received no material benefit from Teeter's PHI/PII. ESGW also derived no material benefit from the data breach. Teeter's unjust enrichment claim fails. Ruff, 424 P.3d at 595. The Court will dismiss Count VII without prejudice.
III. Opportunity to Amend or Supplement Complaint.
Teeter urges the Court to provide her an opportunity to amend the Complaint should the Court determine that it fails to state a claim or establish standing. (Doc. 17 at 16.) Teeter emphasizes that courts generally should deny leave to amend only upon a showing of bad faith, undue delay, futility, or prejudice. Leadsinger, Inc. v. BMG Music Publ'g, 512 F.3d 522, 532 (9th Cir. 2008) (citing Foman v. Davis, 371 U.S. 178, 182 (1962)). Teeter argues that ESGW has provided no evidence of bad faith, futility, or prejudice with respect to potential amendment. (Doc. 20 at 16.)
ESGW responds that amendment would prove futile. (Doc. 20 at 9-10.) ESGW argues that the Court should deny leave to amend on the basis that Fed.R.Civ.P. requires any amendment to a pleading must be viable. (Id.) “An amendment is futile when no set of facts can be proved under the amendment to the pleadings that would constitute a valid and sufficient claim or defense.” Missouri ex rel. Koster v. Harris, 847 F.3d 646, 656 (9th Cir. 2017) (internal citation and quotation omitted).
The Court declines to rule on the issue of amendment or supplementation in light of the determination that Teeter's common-law negligence cause of action survives ESGW's motion to dismiss.
CONCLUSION
The Court will grant, in part, ESGW's Motion to Dismiss. (Doc. 10.) Teeter has failed to rebut ESGW's arguments for the dismissal of counts II (Negligence Per Se), III (Invasion of Privacy), and IV (Breach of Confidence). (Doc. 17.) The Court will dismiss counts II, III, and IV. Teeter has failed to state a claim for relief for counts V (Breach of Implied Contract), VI (Breach of Implied Covenant of Good Faith and Fair Dealing), and VII (Unjust Enrichment). The Court also will dismiss counts V, VI, and VII. The Court will deny ESGW's Motion to Dismiss with respect to Count 1 (Negligence).
ORDER
Accordingly, IT IS ORDERED that:
1. Defendant Easterseals-Goodwill Northern Rocky Mountain, Inc.'s Motion to Dismiss (Doc. 10) is GRANTED, in part, and DENIED, in part.
2. Counts II, III, IV, V, VI, and VII are DISMISSED without prejudice.