Opinion
21-CV-2554 (PJS/JFD)
08-08-2022
In re PAWN AMERICA CONSUMER DATA BREACH LITIGATION v. PAWN AMERICA MINNESOTA, LLC; PAYDAY AMERICA, INC.; and PAL CARD MINNESOTA, LLC, Defendants. MELISSA THOMAS; RANDELL HUFF; MEGAN MURILLO; MONIQUE DERR; and PAOLA MANZO, on behalf of themselves and all others similarly situated, Plaintiffs,
Christopher P. Renz, Bryan L. Bleichner, and Jeffrey D. Bores, CHESTNUT CAMBRONNE PA; Nathan D. Prosser and Anne T. Regan, HELLMUTH & JOHNSON, PLLC; Terence R. Coates, MARKOVITS, STOCK & DEMARCO, LLC; Joseph Lyon, THE LYON FIRM, LLC; Gary M. Klinger, MILBERG COLEMAN BRYSON PHILLIPS GROSSMAN, PLLC, for plaintiffs. Thomas W. Hayde and Shawn Tuma, SPENCER FANE LLP; Doug Boettge, STINSON LLP, for defendants.
Christopher P. Renz, Bryan L. Bleichner, and Jeffrey D. Bores, CHESTNUT CAMBRONNE PA; Nathan D. Prosser and Anne T. Regan, HELLMUTH & JOHNSON, PLLC; Terence R. Coates, MARKOVITS, STOCK & DEMARCO, LLC; Joseph Lyon, THE LYON FIRM, LLC; Gary M. Klinger, MILBERG COLEMAN BRYSON PHILLIPS GROSSMAN, PLLC, for plaintiffs.
Thomas W. Hayde and Shawn Tuma, SPENCER FANE LLP; Doug Boettge, STINSON LLP, for defendants.
ORDER
PATRICK J. SCHILTZ, CHIEF JUDGE UNITED STATES DISTRICT COURT
Defendants Pawn America Minnesota, LLC; Payday America, Inc.; and PAL Card Minnesota, LLC (collectively, “Pawn America”), are Minnesota-based businesses that offer pawnbroking, short-term loans, and financial services for the “unbanked” and “underbanked.” Plaintiffs are customers of Pawn America who filed putative class actions against Pawn America after their sensitive personal information was stolen from Pawn America's computer network. ECF No. 30 ¶¶ 1-16. Plaintiffs seek monetary, injunctive, and declaratory relief. Id. ¶¶ 14-15, 227, 234.
See generally Pawn America, About Pawn America, https://www.pawnamerica.com/about-pawn-america (last visited Aug. 5, 2022); Payday America, About Us, https://www.paydayamerica.com/about-us (last visited Aug. 5, 2022); CashPass, FAQs, https://www.cashpass.com/faq-s (last visited Aug. 5, 2022). (CashPass is the trade name of PAL Card Minnesota, LLC. ECF No. 30 ¶ 31.)
This matter comes before the Court on Pawn America's motion to dismiss plaintiffs' consolidated complaint for lack of standing under Fed.R.Civ.P. 12(b)(1) and for failure to state a claim under Fed.R.Civ.P. 12(b)(6). ECF No. 40. For the reasons that follow, the Rule 12(b)(1) motion is granted as to plaintiffs' equitable claims and denied as to plaintiffs' monetary claims, and the Rule 12(b)(6) motion is denied.
I. BACKGROUND
Pawn America experienced a ransomware attack on its computer network in late September 2021. ECF No. 30 ¶ 39. Within a week or two, cybercriminals had stolen the sensitive personal information of hundreds of thousands of Pawn America's customers, including plaintiffs in these consolidated actions. Id. ¶¶ 1 n.1, 39-40. That information included the customers' full names, birth dates, Social Security numbers, driver's-license numbers, passport numbers, other government-issued identification numbers, and financial-account information. Id. ¶ 2.
Ransomware is “a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.” Fed. Bureau of Investigation, Ransomware, https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware (last visited Aug. 5, 2022).
Plaintiffs allege that, prior to the ransomware attack, Pawn America had failed to take reasonable data-security measures, such as encrypting the sensitive data on its network. See id. ¶¶ 43, 64. As a result, plaintiffs allege that they “face substantial risk of out-of-pocket fraud losses” from various kinds of identity theft. Id. ¶¶ 111-12. Plaintiffs also allege several other types of losses, including mitigation costs to protect themselves following the data breach (for example, fees for credit-monitoring services); “the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach”; a loss in the value of their sensitive personal information after its theft; and “anxiety, emotional distress, and loss of privacy” resulting from the risk that their sensitive personal information-“which contains the most intimate details about a person's life-may be disclosed to the entire world.” See id. ¶¶ 113-19; see also Id. ¶¶ 120-73 (detailing alleged injuries to the named plaintiffs). Plaintiffs further claim an interest in ensuring that their sensitive personal information (which they allege is still in Pawn America's possession) “is protected from further breaches by the implementation of security measures and safeguards.” Id. ¶ 117.
Plaintiffs seek damages under four causes of action: (1) a common-law negligence claim, id. ¶¶ 186-99; (2) a negligence per se claim, id. ¶¶ 200-07; (3) a claim of breach of implied contract, id. ¶¶ 208-18; and (4) a claim under the California Consumer Privacy Act, id. ¶¶ 219-28. Plaintiffs also seek injunctive and declaratory relief to require Pawn America to implement certain data-security measures. Id. ¶¶ 227, 229-34. Pawn America has moved to dismiss on the grounds that plaintiffs' allegations are insufficient to establish standing and, alternatively, that plaintiffs have failed to state a claim upon which relief may be granted.
This claim is asserted by only one named plaintiff and by members of the putative “California Class,” all of whom are California residents. ECF No. 30 ¶¶ 20, 175.
The claim for injunctive relief is also asserted only by the California plaintiffs.
II. ANALYSIS
A. Legal Standard
A federal court may exercise “[t]he judicial Power” of the United States only to decide “Cases” and “Controversies.” U.S. Const., art. III, § 2. A plaintiff whose claim does not give rise to a genuine case or controversy is said to lack standing to sue in federal court; a federal court has no jurisdiction over that plaintiff's claim. See Lujan v. Defs. of Wildlife, 504 U.S. 555, 559-60 (1992).
“[T]he irreducible constitutional minimum of standing contains three elements.” Id. at 560. “First, the plaintiff must have suffered an ‘injury in fact'-an invasion of a legally protected interest which is (a) concrete and particularized and (b) ‘actual or imminent, not “conjectural” or “hypothetical.”'” Id. (citations and footnote omitted) (quoting Whitmore v. Arkansas, 495 U.S. 149, 155 (1990)). “Second, there must be a causal connection between the injury and the conduct complained of-the injury has to be ‘fairly . . . trace[able] to the challenged action of the defendant, and not . . . th[e] result [of] the independent action of some third party not before the court.” Id. (alterations in original) (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976)). “Third, it must be ‘likely,' as opposed to merely ‘speculative,' that the injury will be ‘redressed by a favorable decision.'” Id. (quoting Simon, 426 U.S. at 38, 43).
“The party invoking federal jurisdiction bears the burden of establishing” the injury “with the manner and degree of evidence required” at the particular stage of the litigation. Id. at 561. “At the pleading stage”-the current stage of this litigation- “general factual allegations of injury resulting from the defendant's conduct may suffice” to establish standing. Id.
The term “concrete” has been the subject of much attention. The Supreme Court has said that a “‘concrete' injury must be ‘de facto'; that is, it must actually exist”; it must be “‘real,' and not ‘abstract.'” Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016). But “concrete” is not synonymous with “tangible.” Intangible injuries (such as infringements of free speech or religious exercise) may also be concrete. Id. “Chief among” intangible concrete harms “are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2204 (2021); see also id. at 2209 (“[W]e do not require an exact duplicate” between “a plaintiff's asserted harm” and “a harm traditionally recognized as providing a basis for a lawsuit in American courts.”).
As the Supreme Court has also observed, “the risk of real harm” can also be a concrete injury. Spokeo, 578 U.S. at 341 (emphasis added). For example, “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” TransUnion, 141 S.Ct. at 2010. Typically, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm . . . ." Id. at 2010-11. But if “the exposure to the risk of future harm itself causes a separate concrete harm”-“[f]or example, a plaintiff's knowledge that he or she is exposed to a risk of future physical, monetary, or reputational harm could cause its own current emotional or psychological harm”-then that separate harm may establish standing for a damages claim. Id. at 2211 & n.7. And, although plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending,” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 416 (2013), costs incurred to mitigate a substantial and imminent risk of harm are sufficient to establish standing. See id. (holding that costs incurred in reasonable reaction to a risk of harm did not confer standing “because the harm [the plaintiffs sought] to avoid [was] not certainly impending” (emphasis added)); In re SuperValu, 870 F.3d 763, 771 (8th Cir. 2017) (“Because plaintiffs have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.” (emphasis added)).
“[A] plaintiff must ‘demonstrate standing separately for each form of relief sought.'” TransUnion, 141 S.Ct. at 2210 (quoting Friends of the Earth, Inc. v. Laidlaw Env't Servs. (TOC), Inc., 528 U.S. 167, 185 (2000)). The Court will therefore first address whether plaintiffs have standing to seek equitable relief and then address whether plaintiffs have standing to seek monetary damages.
B. Standing for Injunctive and Declaratory Relief
Plaintiffs seek injunctive and declaratory relief to force Pawn America to implement various data-security measures to ensure that, going forward, Pawn America “adequately safeguards” plaintiffs' data. ECF No. 30 ¶¶ 227, 234. To establish standing for this forward-looking relief, plaintiffs must allege a “sufficiently imminent and substantial” risk of harm that would be avoided if the sought-after relief was granted. TransUnion, 141 S.Ct. at 2210. Plaintiffs have not done so.
The only harm that would be redressed by plaintiffs' proposed injunction and declaration is the harm that would be caused by a future breach of Pawn America's computer network. It is certainly possible that Pawn America will suffer a second breach (whether or not it takes the requested security precautions) and certainly possible that plaintiffs will be harmed if a second breach occurs (even though their private information has already been stolen). But the law requires not just possibility but imminence. Nothing alleged in the complaint indicates that a second breach of Pawn America's computer system is imminent. Rather, plaintiffs allege only that they “have an interest in ensuring that their [private information], which is believed to remain in the possession of [Pawn America], is protected from further breaches.” ECF No. 30 ¶¶ 117, 129, 139, 149, 160, 172. True enough, but every human being has an interest in ensuring that any entity that possesses his or her private information keeps that information safe. The universal interest in the security of one's private data does not equate to a substantial and imminent risk of harm.
In sum, plaintiffs have not demonstrated standing for their injunctive and declaratory claims, so those claims must be dismissed for lack of jurisdiction.
C. Standing for Monetary Relief
1. Concreteness of Alleged Injuries
The Court now turns to plaintiffs' claims for damages. Here, the focus shifts from harm that plaintiffs might suffer from a future data breach to harm that plaintiffs have suffered or will likely suffer as a result of the data breach that already occurred. Plaintiffs have sufficiently alleged several concrete injuries stemming from that data breach-which, according to plaintiffs, was the result of Pawn America's failure to take reasonable measures to safeguard their private information.
First, plaintiffs allege that their private information (such as Social Security numbers, driver's-license numbers, and financial-account information) has been disclosed to cybercriminals. Id. ¶ 2. This alleged injury has a “close relationship” to disclosure of private information, one of the “harms traditionally recognized as providing a basis for lawsuits in American courts.” TransUnion, 141 S.Ct. at 2204; see also Davis v. Fed. Election Comm'n, 554 U.S. 724, 733 (2008). Plaintiffs have thoroughly described how their private information-much of whose value derives from the fact that it is private-has been published to a third party because of Pawn America's alleged negligence. That is sufficient to establish standing.
Second, plaintiffs have alleged emotional distress directly caused by the theft of their private information. ECF No. 30 ¶¶ 118-19. For more than a century, American courts have recognized damages as a remedy for emotional distress caused by invasions of privacy and similar torts. See, e.g., De May v. Roberts, 9 N.W. 146, 148-49 (Mich. 1881); Pavesich v. New England Life Ins. Co., 50 S.E. 68, 73 (Ga. 1905); Lesch v. Great N. Ry. Co., 106 N.W. 955, 957 (Minn. 1906); Munden v. Harris, 134 S.W. 1076, 1079 (Mo.Ct.App. 1911); Kunz v. Allen, 172 P. 532, 532-33 (Kan. 1918). Thus, this alleged emotional distress is sufficient to establish standing.
Third, at least one plaintiff alleges that she has paid out-of-pocket costs to mitigate the risk of identity theft following the data breach, ECF No. 30 ¶ 170, and all plaintiffs allege that they have spent “significant amounts of time to monitor their financial accounts and records for misuse” and to implement other remedial measures, id. ¶¶ 115-16. Because plaintiffs allege a substantial and imminent risk of identity theft, these mitigation costs qualify as concrete injuries. The data allegedly stolen is about the worst kind of private data that one could lose, at least when it comes to creating a risk of identity theft. As plaintiffs explain, Social Security numbers and driver's-license numbers are extremely valuable on the black market. Id. ¶¶ 103-04. They allow criminals to apply for lines of credit, file false tax returns, obtain unemployment benefits, work under false identities, manufacture fake IDs, and launch sophisticated social-engineering attacks. Id. ¶¶ 99, 105-07. Indeed, Pawn America itself allegedly told the victims of the data breach to protect themselves against identity theft. Id. ¶ 45.
Because the complaint alleges a substantial and imminent risk of future identity theft, costs incurred to mitigate that risk are sufficient to establish standing.
SuperValu is not to the contrary. This case involves the theft of extraordinarily sensitive information, such as Social Security numbers, driver's-license numbers, passport numbers, and financial-account information. By contrast, SuperValu involved the theft of credit- and debit-card information, which “generally cannot be used alone to open unauthorized new accounts.” SuperValu, 870 F.3d at 770 (quoting U.S. Gov't Accountability Off., GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown 30 (2007), https://www.gao.gov/assets/gao-07-737.pdf).
Finally, at least some plaintiffs have alleged that their identities have already been stolen because of the data breach. Id. ¶ 124 (plaintiff Randell Huff); id. ¶ 157 (plaintiff Monique Derr). As the Eighth Circuit has said, “identity theft constitutes an actual, concrete, and particularized injury.” SuperValu, 870 F.3d at 772. Plaintiffs Huff and Derr are materially indistinguishable from the plaintiff in SuperValu (David Holmes), and the Eighth Circuit held that Holmes had standing because he had alleged a fraudulent charge on his credit card following a data breach. Id. at 772-73 (“Holmes' allegations of misuse of his Card Information were sufficient to demonstrate that he had standing; that is all that is required for the court to have subject matter jurisdiction over this action.”). If Holmes had standing in SuperValu, then Huff and Derr clearly have standing in this case.
2. Fair Traceability of Alleged Injuries to Pawn America's Conduct
Pawn America argues that, even if plaintiffs have sufficiently alleged injury, they have not sufficiently alleged that their injuries are fairly traceable to Pawn America's conduct. The Court disagrees. Plaintiffs' burden “is relatively modest at this stage of the litigation.” Id. at 772 (quoting Bennett v. Spear, 520 U.S. 154, 171 (1997)); see also Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012) (“fairly traceable” element satisfied by allegations of identity theft after unencrypted laptops containing private data were stolen). The inquiry into traceability is a “threshold inquiry” for which “‘general allegations' of injury, causation, and redressability” suffice. SuperValu, 870 F.3d at 773 (quoting Brown v. Medtronic, Inc., 628 F.3d 451, 459 (8th Cir. 2010); and Lujan, 504 U.S. at 561). The Court finds that, for purposes of establishing standing, the complaint adequately alleges a connection between the data breach and plaintiffs' injuries. See ECF No. 30 ¶¶ 32 (alleging generally that plaintiffs gave their private data to Pawn America); id. ¶¶ 2, 39-50 (alleging that that private data was stolen during the breach); id. ¶¶ 109-73 (alleging harms befalling plaintiffs after the breach).
D. Rule 12(b)(6) Motion
Pawn America has moved to dismiss plaintiffs' claims on the merits under Fed.R.Civ.P. 12(b)(6). The Court denies Pawn America's motion for now. For one thing, Pawn America has informed the Court that it intends to file a motion to compel arbitration, see ECF No. 71, and the Court is not going to rule on the merits of claims that may have to be arbitrated. For another, this case presents complex choice-of-law issues, given that it involves plaintiffs who reside and defendants who operate in multiple states, a mix of common-law and statutory claims, and (possibly) a choice-of-law clause. See ECF No. 41 at 2 n.1. Without knowing which state's law governs which claims, the Court could not assess the merits of any particular claim even if the Court were inclined to do so.
For these reasons, the Court will defer ruling on any dispositive motions until it rules on the motion to compel arbitration-and, if that motion is denied, until the parties create the factual record that the Court will need to perform the necessary choice-of-law analysis. See, e.g., Cantonis v. Stryker Corp., No. 09-CV-3509 (JRT/JJK), 2011 WL 1084971, at *3 (D. Minn. Mar. 21, 2011); Ridings v. Stryker Sales Corp., No. 10-CV-2590 (MJD/FLN), 2010 WL 4963064, at *2 (D. Minn. Dec. 1, 2010).
ORDER
Based on the foregoing, and on all of the files, records, and proceedings herein, IT IS HEREBY ORDERED that defendants' motion to dismiss [ECF No. 40] is GRANTED IN PART and DENIED IN PART. In particular:
1. The motion is GRANTED with respect to plaintiffs' injunctive and declaratory claims. Those claims are DISMISSED WITHOUT PREJUDICE for lack of subject-matter jurisdiction.
2. The motion is DENIED in all other respects.