Opinion
23-CV-03053 (NGG) (VMS)
04-30-2024
TIFFANY TROY and ERIC JOHN MATA, on behalf of themselves and on behalf of others similarly situated, Plaintiffs, v. AMERICAN BAR ASSOCIATION, Defendant.
MEMORANDUM & ORDER
NICHOLAS G. GARAUFIS, United States District Judge
Plaintiffs Tiffany Troy and Eric John Mata, (collectively, “Plaintiffs”) bring a putative class action against Defendant American Bar Association (“ABA' or “Defendant”) arising from a March 2023 data security breach (the “Breach”). Plaintiffs seek relief on behalf of themselves and several proposed classes of similarly situated persons with ABA accounts, asserting claims for (i) breach of implied contract; (ii) violation of various state consumer protection statutes; (ii) deceptive business practices under N.Y. G.B.L. § 349; and (iii) deceptive business practices under TX. Bus. & Com. § 17.46. Defendant has moved to dismiss Plaintiffs' Amended Complaint (Am. Compl. (Dkt. 15)), in its entirety for failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6). (See Not. of Mot. (Dkt. 17); Mem. of Law in Support of Def's. Mot. to Dismiss (“Def's. Mot.”) (Dkt. 19).)
For the following reasons, the Defendant's motion is GRANTED and Plaintiffs' claims are dismissed in their entirety.
The following facts are taken from, the Amended Complaint and, for the purposes of this motion to dismiss, are assumed to be true. See Ark. Pub. Emps. Ret. Sys. v. Bristol-Myers Squibb Co., 28 F.4th 343, 349 (2d Cir. 2022).
Plaintiff Troy is a citizen of New York and has been a registered member of ABA since August 2018. (Am. Compl. ¶ 12.) Plaintiff Mata is a citizen of Texas and has been a registered member of ABA since 2022. (Id. ¶ 13.) In addition to being members with the ABA, both Plaintiffs made purchases from ABA during the relevant time period. (Id. ¶¶ 1243.) Defendant ABA is a nation-wide voluntary attorney bar association. (Id. ¶ 14.) ABA requires customers to disclose personal identifying information and processes customer credit and debit card payments. (Id.)
On March 6, 2023, an unidentified “hacker” acquired unauthorized access to the ABA network. (Id. ¶ 16.) Plaintiffs allege Defendant took no action to remove the hacker's access until on or about March 17, 2023. (Id. ¶ 17.) Plaintiffs further allege that the Breach was a result of Defendant's failure to comply with reasonable security standards and that ABA'S IT department was poorly managed, only exacerbating its purported inadequate security practices. (Id. ¶¶ 18-19.) Following the incident, ABA emailed its affected members, including Plaintiffs, with a notice of the data breach. (Id. ¶ 32.) Plaintiffs estimate that approximately 1.5 million ABA members were affected by the Breach. (Id. ¶ 15.)
As a result of the hacker obtaining ABA members' personal information, Plaintiffs assert that they had to expend costs associated with identity theft and increased risk of identity theft. (Id. ¶ 34.) In support, they an uptick in spam text messages and other fraudulent activity. For example, Plaintiff Troy received spam text messages, including but not exclusively on, June 8, 2023, June 20, 2023, June 26, 2023, July 6, 2023, July 12, 2023, August 16, 2023, August 23, 2023, and August 24, 2023. (Id. ¶ 35.) Prior to the leak, Plaintiff Troy received about one to two spam text messages a year. (Id.) Moreover, many of the text messages were in Chinese or referred Plaintiff Troy's Chinese-speaking ability, indicating a leak of personal language information. (Id.) On July 31, 2023, an unknown third party attempted to fraudulently use Plaintiff Troy's Amazon Business Rewards Visa credit card from Chase Bank to make a purchase of $1,087.65 from Best Buy without her authorization. (Id. ¶ 36.) Plaintiff Troy replaced her credit card the same day. (Id.) On August 1, 2023, Plaintiff Troy purchased Norton LifeLock identity theft protection for $97.98. (Id. ¶ 41.)
Plaintiff Mata also received spam emails and telephone calls, including two spam calls on July 13, 2023 and July 16, 2023 that were marked as “Spam Risk” and “Threat: Severe” by AT&T's security application, and two spam emails on July 11, 2023 that were fraudulently advertising offers from Dick's Sporting Goods and SAC Rock Enroll. (Id. ¶ 42.) Plaintiff Mata asserts he received another spam email on July 21, 2023, as well as others that he has since deleted. (Id.)
As a result of ABA's conduct, Plaintiffs were denied privacy protections that they paid for and incurred actual monetary damages in overpaying for ABA services, monitoring their financial and bank accounts, including through identity theft protection purchases, and obtaining replacement credit and debit cards. (Id. ¶¶ 31, 34, 36, 41, 44.)
Plaintiffs assert claims for breach of implied contract (Id. ¶¶ 5965), violations of N.Y. G.B.L. § 349 and TX Bus. & Com. § 17.46 (Id. ¶¶ 81-106), and violations of consumer fraud acts of 31 other states and the District of Columbia. (Id. ¶¶ 66-80.)
The court notes for clarification that Plaintiffs' proposed multistate class, as discussed below, includes consumer fraud statutes from the District of Columbia and 32 states, including New York. (Id. ¶ 46 n.ll.) Because Plaintiffs bring a separate, alternative count under New York's consumer fraud act (N.Y. G.B.L. § 349), the court does not include New York when referencing the other state consumer fraud statutes here.
Plaintiffs bring the instant suit on behalf of themselves, as well as two proposed classes. The first proposed class is for the breach of contract claim and consists of persons residing in the United States who have registered an account with ABA (the “National Class”). (Id. ¶ 45.) The second proposed class is for the state consumer fraud statutes and consists of persons (a) residing in one of the 32 states (or the District of Columbia) with consumer fraud statutes and (b) who have registered an account with ABA (the “Consumer Fraud Multistate Class”). (Id. ¶ 46.) Alternative to the latter multistate class, Plaintiffs also propose a state-sub class for all persons residing in New York who registered an account with ABA (the “New York State Class”) and a state-sub class for all persons residing in Texas who registered an account with ABA (the ‘Texas State Class”). (Id. ¶¶ 47-48.)
On November 21, 2023, Defendant moved to dismiss all counts in the Amended Complaint. (Defs. Mot. at 2.)
II. LEGAL STANDARD
To survive a Rule 12(b) (6) motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell AtL Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. A complaint must contain facts that do more than present a “sheer possibility that a defendant has acted unlawfully.” Id. In deciding a motion to dismiss, the court will accept all factual allegations in the complaint as true and draw “all reasonable inferences in the plaintiff's favor.” See Fink v. Time Warner Cable, 714 F.3d 739, 740-41 (2d Cir. 2013). However, allegations that “are no more than conclusions [ ] are not entitled to the assumption of truth.” Hayden v. Paterson, 594 F.3d 150, 161 (2d Cir. 2010). Further, dismissal for failure to state a claim is appropriate if it is clear from the face of the complaint that a claim is barred as a matter of law. Biocad JSC v. F. Hoffman-La Roche, 942 F.3d 88, 93 (2d Cir. 2019).
When quoting cases, unless otherwise noted, all citations and internal quotation marks are omitted, and all alterations are adopted.
Where an individual plaintiff brings claims on behalf of themself and a class but fails to state a claim, the court lacks jurisdiction to adjudicate the putative class claims. See Lin v. Canada Goose US, Inc., 640 F.Supp.3d 349, 364-65 (S.D.N.Y. Nov. 14, 2022) (collecting cases).
III. DISCUSSION
The court first reviews Plaintiffs' implied contract claims then turns to their state consumer protection claims.
A. Implied Contract
1. Choice of Law
A federal trial court sitting in diversity jurisdiction must apply the law of the forum state to determine the choice of law. See Fieger v. Pitney Bowes Credit Corp., 251 F.3d 386, 393 (2d Cir. 2001). As New York is the forum state in this case, “ [i] t is only when it can be said that there is no actual conflict that New York will dispense with a choice of law analysis.” Id.
As a threshold matter, Plaintiffs apply New York law to argue that they have plausibly alleged breach of an implied contract. (Opp. at 5.) ABA argues no choice of law determination is necessary where, as here, there is no actual conflict between New York, II-linois and Texas on the elements of a breach of implied contract claim. (Reply (Dkt. 22) at 2 n.l.)
Plaintiff Troy resides in New York, Plaintiff Mata resides in Texas, and ABA is headquartered in Illinois but conducts business in New York. (Am. Compl. ¶¶ 10,12-13; Def's. Mot. at 3.) Across all three states, the elements of a contract are the same: the existence of a valid and enforceable contract; some performance by the plaintiff; breach by the defendant; and damages. See, e.g., In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 590 (N.D. Ill. 2022); In re Canon U.S.A Data Breach Litig., No. 20-CV-6239 (AMD) (SJB), 2022 WL 22248656, at *9 (E.D.N.Y. Mar. 15, 2022); In re Marriage of Eilers, 205 S.W.3d 637, 641642 (Tex. App. 2006). And all three states recognize that an implied contract is similar to that of an express contract, with the difference being that an implied contract turns on the circumstances and conduct of the parties. The parties do not identify a material conflict between the states' substantive rules, nor has this court found one. Accordingly, the court applies New York law. See In re Waste Mgmt. Data Breach Litig., No. 21-CV-6147 (DLC), 2022 WL 561734, at *2 (S.D.N.Y. Feb. 24, 2022) (finding no conflict between state laws where elements of the claim are the same and courts consider similar factors).
The parties do not despite the application of New York law. Plaintiffs assert that New York law should apply, which Defendant does not concede but notes that a choice of law determination is unnecessary because there is no conflict between New York, Illinois, and Texas as it relates to the implied breach of contract claim. (See Opp. at 5; Reply (Dkt. 22) at 2 n.l.)
2. Breach of Implied Contract Claim
ABA seeks to dismiss Plaintiffs' breach of implied contract claim for failure to state a claim. (Def's. Mot. at 7.)
Under New York law, “the elements required to allege a breach of implied contract are identical to those necessary to allege a breach of contract.” Wallace v. Health Quest Sys., Inc., No. 20-CV-545 (VB), 2021 WL 1109727, at *10 (S.D.N.Y. Mar. 23, 2021). An implied contract, however, “may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the presumed intention of the parties as indicated by their conduct.” Beth Israel Med, Ctr. v. Horizon Blue Cross & Blue Shield of New Jersey, Inc., 448 F.3d 573, 582 (2d Cir. 2006).
ABA argues that Plaintiffs fail to “plead facts sufficient to allege that any implied-in-fact contract ever existed.” (DePs. Mot. At 7.) In its opposition, Plaintiffs point to ABA's privacy policy to establish that an agreement between ABA and ABA members existed and that there was a promise by ABA to safeguard members' information from unauthorized disclosure. (Opp. at 5-6.) Plaintiffs' Amended Complaint makes no reference to a privacy policy, but rather asserts that when customers making purchases with ABA provide their names, emails, and credit or debit information for payment, those customers enter into an implied contract with ABA such that ABA is required to reasonably safeguard their customers' information. (Am. Compl. ¶¶ 61-65.) Indeed, Plaintiffs claim that “the services purchased from ABA by Plaintiffs and the Class necessarily included compliance with industry-standard measures with respect to the collection and safeguarding of [personal identifiable information (“PH”)], including their credit and debit card information.” (Id. ¶ 31 (emphasis added).) Plaintiffs' complaint thus focuses exclusively on a purported failure to comply with industry standards rather than a specified policy or agreement.
Generally, courts may not look to extrinsic documents outside the four comers of the complaint unless those documents are attached to the complaint or incorporated into it by reference. See Chambers v. Time Warner, 282 F.3d 147, 152-53 (2d Cir. 2002). A court may nevertheless consider a document incorporated by reference “where the complaint relies heavily upon its terms and effect thereby rendering the document integral to the complaint.” Upstate New York Engineers Health Fund v. John F. & John P. Wen- zel Contractors, Inc., No. 17-CV-0570 (LEK) (DEP), 2019 WL 1208230, at *5 (N.D.N.Y. Mar. 14, 2019).
Even assuming Plaintiffs relied upon the terms and effect of the ABA privacy policy, the privacy policy does not establish an agreement in which ABA has promised to safeguard their customers' information. In fact, the policy expressly disclaims such an obligation, explaining that “despite [ABA's] reasonable efforts to protect your Personal Data from unauthorized access, use, or disclosure, the ABA cannot guarantee or warrant the security of the Personal Data you transmit to us, or to or from our online Sites.” (Ex. 2 to Schweitzer Deci. (Dkt. 21) (“ABA Privacy Policy”) (Dkt. 21-2) at 7.) As courts in this Circuit have recognized when considering similar implied contract claims, this kind of language in a privacy policy “does not reflect an agreement by Defendants to adopt any particular security measures or take any particular action.” Chef Alessandro Pirozzi, Inc. v. CardConnect, LLC, No. 22-CV-0902 (DG) (SIL), 2023 WL 4824433, at *5 (E.D.N.Y. June 1, 2023) (collecting cases).
However, drawing inferences in Plaintiffs' favor, the court still finds that Plaintiffs allege assent to enter into an implied contract based on industry custom. See Nadel v. Play-By-Play Toys & Novelties, Inc., 208 F.3d 368, 376 n.5 (2d Cir. 2000) (noting that mutual assent to enter into an implied contract can be inferred from factors such as specific conduct of the parties, industry custom, and course of dealing). Plaintiffs allege making purchases from ABA, and in return for those purchases, Plaintiffs were required to give ABA their names, emails, and/or credit card information. (Am. Compl. ¶¶ 12,13, 61.) That Defendant has allegedly failed to comply with reasonable security standards when requiring Plaintiffs to provide this information when making purchases is sufficient to allege the existence of an implied contract. (Id. ¶¶ 18-19.) See also Koeller v. Numrich Gun Parts Corp., 675 F.Supp.3d 260, 271 (N.D.N.Y. 2023) (“[I]n our day and age of data and identity theft, it is difficult to imagine how the mandatory receipt of sensitive information would not imply the recipient's assent to protect the information.”).
While an implied contract exists, the claim still fails because Plaintiffs do not allege how ABA has breached said contract. Specifically, Plaintiffs fail to identify which “commercially reasonable security measure” ABA did not implement to protect their data. See Am. Compl. ¶ 19; Opp. at 5-6.) Instead, they assume that ABA'S practice of using hashed and salted passwords was madequate and thus violative of industry-standard security measures. As explained in the Notice of Data Breach (the “Notice”), ABA informed its members that their usernames and passwords were acquired by an unauthorized third party but that the passwords were not exposed in plain text. (See Ex. A to Saxl Deci. (“Notice of Data Breach”) (Dkt. 18-1).) ‘They were instead hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext,” (Id.) Plaintiffs allege that “fu]pon Information and belief, user IDs and passwords can be reconstructed from hashed and salted user IDs and passwords.” (Am. Compl. ¶ 40.) In their opposition, Plaintiffs argue that this process, coupled with the defending and mismanaging the department that implements data security measures, indicates a failure to implement commercially reasonable security measures amount to a breach of the implied agreement. (Opp. at 6.)
This notice is properly before the court because Plaintiffs refer to it in their Amended Complaint such that the document is deemed incorporated by reference. (Am. Compl. ¶ 32 (“ABA has emailed its affected members, including Plaintiffs, with a notice of the data breach.”).) See Chambers, 282 F.3d at 152-53.
This court disagrees that this sole allegation concerning the handling of personal information is sufficient to state a claim that industry practices were not followed. Absent allegations identifying the security measures ABA purportedly failed to implement, Plaintiffs cannot sustain their breach of implied contract claim. See In re Waste Mgmt. Data Breach Litig, 2022 WL 561734, at *5 (dismissing breach of implied contract where complaint failed to explain what measures defendant failed to take in order to protect employee data); see also Rider v. Uphold HQ Inc., 657 F.Supp.3d 491, 501 (S.D.N.Y. 2023) (“[P]laintiffs have not identified any language in [a Defendant] contract representing that any security measure relevant to the claim here was in place, and thus have failed to sufficiently allege a breach.”).
Defendant's motion is therefore GRANTED as to Plaintiffs' breach of implied contract claim.
B. Deceptive Practice Claims
1. N.Y. G.B.L. § 349
Plaintiff Troy alleges on behalf of herself and the New York State Class violations of deceptive business practices under N.Y. G.B.L. § 349. Section 349 prohibits “[deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service[.]” N.Y. G.B.L. § 349(a).
The court excludes Plaintiff Mata from its analysis because he is a resident of Texas and has not alleged any connection to deceptive acts or practices that may have occurred in New York. (Am. Compl. ¶ 13.) See also Kaufman v. Sirius KM Radio, Inc., 474 Fed.Appx. 5, 7 (2d Cir. 2012) (noting that in order to sustain a § 349 claim, the “transaction in which the consumer is deceived must occur in New York.”)
To successfully assert a claim under N.Y. G.B.L. § 349, “a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice.” Orlander v. Staples, Inc., 802 F.3d 289, 300 (2d Cir. 2015) (citing Koch v. Acker, Merrall & Condit Co., 18 N.Y.3d 940, 941 (2012)). “New York courts define the term ‘deceptive acts and practices' objectively, as ‘representations or omissions, limited to those likely to mislead a reasonable consumer acting reasonably under the circumstances.'” Cohen v. Ne. Radiology, P.C., No. 20-CV-1202 (VB), 2021 WL 293123, at *9 (S.D.N.Y. Jan. 28, 2021) (quoting Oswego Laborers' Loc. 214 Pension Fund v. Marine Midland Bank, N.A., 85 N.Y.2d 20, 26 (1995)).
Plaintiffs assert that Defendant violated N.Y. G.B.L. § 349 by failing to properly implement adequate security measures to protect Plaintiffs and Class members' personal identifiable information, failing to warn customers that their information was at risk, and failing to discover and immediately notify affected customers of the nature and extent of the Breach. (Am. Compl. ¶¶ 74, 89.)
As discussed supra, Plaintiffs fail to identify which security measures ABA failed to implement. To the extent Plaintiffs argue that ABA's process of utilizing hashed and salted passwords was materially misleading, the court declines to accept such an assertion without any factual allegations suggesting that this measure fell below industry standards. See Iqbal, 556 U.S. at 678 (courts need not accept “naked assertion[s] devoid of further factual enhancement”). Plaintiffs also assert that ABA “did not act to address the breach or inform Plaintiffs of the breach timely.” (Opp. at 9.) In support, Plaintiffs point to their allegation that following the Breach on March 6, 2023, ABA took no corrective action until March 17, 2023, over 10 days later. (Am. Compl. ¶ 3.) Moreover, when Defendant did take action to notify its customers, it did so inadequately, failing to “uncover and disclose the extent of the Breach.” (Id. ¶ 7.)
Plaintiffs rely on Cohen v. Ne. Radiology, P.G, to argue that it is “at least plausible” that ABA's representations in its privacy policy concerning data security “would lead a reasonable consumer to believe that [Defendant was] providing more adequate data security than [it] purportedly [was].” (Opp. at 9 (quoting Cohen v. Ne. Radiology, P.C., 2021 WL 293123, at *9).) However, in that case, plaintiff alleged that the defendants did not inform him of a data breach within 60 days, in violation of the defendants' privacy practices, as expressly stated in a notice on their website. Here, ABA's privacy policy only notes that in the event of a breach, ABA will notify its customers either “by email, U.S. mail, telephone, or other means as permitted by law.” (ABA Privacy Policy at 9.) There is no promise that ABA will notify its customers as soon as the breach occurs, and no reasonable consumer would be misled to think otherwise.
Further, Plaintiffs do not allege that they saw or read the privacy policy prior to the alleged harm. In order to establish the requisite causal connection between the alleged misrepresentation and the resulting injury, “a plaintiff must plausibly allege that she actually viewed the misleading statement prior to making her decision to purchase, and must set forth where, when and how she came to view it.” In re GEICO Customer Data Breach Litig., No. 21-CV-2210 (KAM) (SJB), 2023 WL 4778646, at *17 (E.D.N.Y. July 21, 2023), report and recommendation adopted, No. 21-CV-2210 (KAM) (SJB), 2023 WL 5524105 (E.D.N.Y. Aug. 28, 2023) (collecting cases). Such a deficiency is “fatal to the [N.Y. G.B.L. § 349] claim” and must be dismissed. Id.
Accordingly, Defendant's motion is GRANTED as to Plaintiffs' N.Y. G.B.L. § 349 claim.
Plaintiff Mata also alleges on behalf of himself and the Texas State Class violations of deceptive business practices under TX. Bus. & Com. § 17.46. To state a claim for a deceptive act under the Texas Deceptive Trade Practices Act (“DTPA”), “Plaintiffs must show: (1) they are consumers who sought or acquired, by purchase or lease, goods or services from [the defendant]; (2) [the defendant] can be sued under the DTPA; (3) [the defendant] committed an act in violation of the DTPA; and (4) [the defendant's] purported action was a producing cause of Plaintiffs' damages.” Guajardo v. JP Morgan Chase Bank, N.A., 605 Fed.Appx. 240, 249 (5th Cir. 2015). Further, “[t]he pleading standard requires, at a minimum, that [plaintiffs] both list the specific violations of the relevant chapters, and specify in what way [defendant] violated them.” Am. Surgical Assistants, Inc. v. United Healthcare of Texas, Inc., No. 09-CV-0774, 2010 WL 1340557, at *3 (S.D. Tex. Mar. 30, 2010). Finally, the DPTA is subject to the heightened pleading standard set forth in Federal Rule of Civil Procedure 9(b). See Gonzalez v. State Farm Lloyds, 326 F.Supp.3d 346, 350 (S.D. Tex. 2017). Thus, to allege a claim under the DPTA, Plaintiffs must state “with particularity the circumstances constituting ... mistake.” Fed.R.Civ.P. 9(b).
Here the court excludes Plaintiff Troy from its analysis because she is a New York resident and has not alleged any connection to deceptive practices that may have occurred in Texas. (Am. Compl. 112.) See also Blake Marine Grp., LLC v. Frenkel & Co., 439 F.Supp.3d 249, 254 (S.D.N.Y. 2020) (noting that the Texas Deceptive Trade Practices Act is “directed at Texas consumers”).
Plaintiffs fail to plead which, if any, of the DTPA's “laundry list” of 34 deceptive practices ABA violated. See TX. Bus. & Com. § 17.46(b) (listing specific acts that are “false, misleading, or deceptive”); Bay Colony, Ltd. v. Trendmaker, Inc., 121 F.3d 998, 1005 (5th Cir. 1997) (referring to § 17.46(b) violations as the “laundry list violations”); see also Bums v. EMD Supply Inc., No. 22-CV-00929, 2024 WL 1558720, at *7 (Tex. App. Apr. 11, 2024) (‘The consumer must allege the defendant violated a specific provision of the DTPA in his petition.”).
Plaintiffs' complaint alleges that “ABA violated TX Bus. & Com. § 17.46 by failing to properly implement adequate, commercially reasonable security measures to protect Plaintiffs and the other Class members' private financial information, by failing to warn customers that their information was at risk, and by failing to discover and immediately notify affected customers of the nature and extent of the Breach.” (Am. Compl. ¶¶ 75,102.) Rather than specify which of the enumerated acts ABA violated, Plaintiffs assert they need not plead any one of them and reiterate several factual allegations that they contend provide the basis for their DTPA claim. (Opp. at 10.)
This court, however, need not undertake the exercise of determining which of Plaintiffs' factual allegations fit within which laundry list violation. “Because [Plaintiffs] fail[] to identify any specific provision of the DTPA of which defendant's alleged conduct would be in violation, [Plaintiffs'] attempt to make out a deceptive trade practices claim must fail.” Eng. v. Danone N. Am. Pub. Benefit Corp., 678 F.Supp.3d 529, 537 (S.D.N.Y. 2023) (citing Blanks v. Ford Motor Credit, 2005 WL 43981, at *4 (N.D. Tex. Jan. 7, 2005).) Even assuming Plaintiffs specified the acts for which ABA purportedly violated, the reasons for dismissing the N.Y. G.B.L. § 349 claim would also apply here-Plaintiffs cannot rely on a privacy policy that they have not alleged reading or relying on. Moreover, Plaintiffs argue that the Notice disseminated to ABA members “failed to apprise them of the possibility” of other information being disclosed in or as a result of the breach. (Opp. at 11.) However, Plaintiffs do not allege with specificity, as required under the DPTA, that this Notice included any false or misleading representations that were the producing cause of Plaintiffs' injuries. (Cf. Opp. at 7 (“[Plaintiffs] do not allege that they actually received this notice. Rather, Plaintiffs contend that they received notice of the data breach through a third party news source.”).)
Defendant's motion is therefore GRANTED as to Plaintiffs' TX Bus. & Com. § 17.46 claim, 3. Other State Consumer Protection Claims
Plaintiffs also allege various other state consumer protection statutes on behalf of themselves and the Consumer Fraud Multistate Class. The court need not address those other state statutes here. Where the court finds that Plaintiffs' individual claims should be dismissed, it lacks jurisdiction to decide the putative class claims. Lin v. Canada Goose US, Inc., 640 F.Supp.3d 349, 364-65 (S.D.N.Y. 2022); see also Police & Fire Ret. Sys. of City of Detroit v. IndyMac MBS, Inc., 721 F.3d 95,112 n.22 (2d Cir. 2013) (noting that “the jurisdiction of the district court depends upon its having jurisdiction over the claim of the named plaintiffs when the suit is filed and continuously thereafter until certification because until certification there is no class action but merely the prospect of one; the only action is the suit by the named plaintiffs”); Derbaremdiker v. Applebee's Int'l, No. 12-CV-1058 (KAM), 2012 WL 4482057, at *9 n.9 (E.D.N.Y. Sept. 26, 2012), affd 519 Fed.Appx. 77 (2d Cir. 2013) (“[A]lthough plaintiff asserts claims on behalf of potential class members that are predicated on other States' consumer protection laws, his complaint must be dismissed.”).
IV. CONCLUSION
In sum, the court GRANTS Defendant's Motion to Dismiss the Amended Complaint in its entirety. Plaintiffs' claims are DISMISSED without prejudice.
SO ORDERED.