
Weisenberger v. Ameritas Mut. Holding Co.

United States District Court, D. Nebraska.
Apr 7, 2022
597 F. Supp. 3d 1351 (D. Neb. 2022)

Opinion

4:21-CV-3156

2022-04-07

Cynthia WEISENBERGER, individually and on behalf of others similarly situated, Plaintiff, v. AMERITAS MUTUAL HOLDING COMPANY, Defendant.

Jason S. Rathod, Nicholas Migliaccio, Migliaccio, Rathod Law Firm, Washington, DC, Vincent M. Powers, Powers Law Firm, Lincoln, NE, for Plaintiff. Kristine M. Brown, Pro Hac Vice, Marguerite A. Miller, Pro Hac Vice, Alston, Bird Law Firm, Atlanta, GA, Victoria H. Buter, Kutak, Rock Law Firm, Omaha, NE, for Defendant.


MEMORANDUM AND ORDER

John M. Gerrard, United States District Judge

The plaintiff, Cynthia Weisenberger, alleged in her amended complaint class action claims concerning a data breach affecting at least 39,675 of the defendant's customers. Filing 12 at 1. The defendant has moved to dismiss the plaintiff's amended complaint pursuant to Fed. R. Civ. P. 12(b)(1) arguing that the plaintiff lacks Article III standing, and pursuant to Fed. R. Civ. P. 12(b)(6) arguing that the plaintiff failed to state a plausible claim upon which relief may be granted. Filing 14. The Court will deny the defendant's motion in part, and grant the motion in part.

I. STANDARD OF REVIEW

A motion pursuant to Fed. R. Civ. P. 12(b)(1) challenges whether the court has subject matter jurisdiction. The party asserting subject matter jurisdiction bears the burden of proof. Great Rivers Habitat Alliance v. Federal Emergency Management Agency, 615 F.3d 985, 988 (8th Cir. 2010). The court has substantial authority to determine whether it has jurisdiction. Osborn v. United States, 918 F.2d 724, 730 (8th Cir. 1990). A Rule 12(b)(1) motion can be presented as either a "facial" or "factual" challenge. Osborn, 918 F.2d at 729 n.6. This case presents a facial challenge. When reviewing a facial challenge, the court restricts itself to the face of the pleadings, and the nonmovant receives the same protections as it would facing a Rule 12(b)(6) motion. Id.

To survive a Rule 12(b)(6) motion to dismiss, a complaint must set forth a short and plain statement of the claim showing that the pleader is entitled to relief. Fed. R. Civ. P. 8(a)(2). This standard does not require detailed factual allegations, but it demands more than an unadorned accusation. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). The complaint must provide more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not suffice. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007).

A complaint must also contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. Id. Where the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged—but it has not shown—that the pleader is entitled to relief. Id. at 679, 129 S.Ct. 1937.

In assessing a motion to dismiss, a court must take all the factual allegations in the complaint as true, but is not bound to accept as true a legal conclusion couched as a factual allegation. Twombly, 550 U.S. at 555, 127 S.Ct. 1955. The facts alleged must raise a reasonable expectation that discovery will reveal evidence to substantiate the necessary elements of the plaintiff's claim. See id. at 545, 127 S.Ct. 1955. The court must assume the truth of the plaintiff's factual allegations, and a well-pleaded complaint may proceed, even if it strikes a savvy judge that actual proof of those facts is improbable, and that recovery is very remote and unlikely. Id. at 556, 127 S.Ct. 1955.

A motion to dismiss under Rule 12(b)(6) tests only the sufficiency of the allegations in the complaint, not the sufficiency of the evidence alleged in support of those allegations. Stamm v. Cty. of Cheyenne, Neb., 326 F. Supp. 3d 832, 847 (D. Neb. 2018); Harrington v. Hall Cty. Bd. of Supervisors, No. 4:15-CV-3052, 2016 WL 1274534, at *4 (D. Neb. Mar. 31, 2016).

II. BACKGROUND

The plaintiff is a resident of North Carolina. Filing 12 at 2. The defendant is a Nebraska-based insurance company that operates nationally, and provides several different insurance products to consumers. Filing 12 at 4. The plaintiff alleged that for the last three years, she had purchased a policy of dental insurance from the defendant. Filing 12 at 3. Sometime around May 1 to June 4, 2019, the defendant's information systems were breached by cybercriminals, and the plaintiff's personally identifiable information (PII) was accessed, along with the PII of at least 39,675 other individuals who were also insured by the defendant. Filing 12 at 1. According to the plaintiff, the PII data compromised by the data breach included names, addresses, email addresses, dates of birth, Social Security numbers, member identification numbers, policyholder names and numbers, and identification of the insureds’ employers.

The plaintiff alleged that she was not notified that her PII had been compromised until August 13, 2019. Filing 12 at 2. The notification letter the defendant sent advised the plaintiff that there had been a data breach, identified the kind of PII that may have been compromised, and advised her to contact the Federal Trade Commission (FTC). Filing 12 at 3. As advised, the plaintiff contacted the FTC and had a fraud alert put on her information. The plaintiff also reported the data breach to her local police department, who informed her that they could not help. In its notification letter, the defendant offered to provide a year of credit monitoring. The plaintiff, however, declined the defendant's offer believing that the defendant's credit monitoring offer would be ineffective to protect her PII because she would be required to share her private information with a credit monitoring agency who could not guarantee complete privacy of her PII. The plaintiff alleged that in the two years since the data breach, she's lost $280 due to fraudulent activity on her Amazon account, had two email accounts compromised, and had to replace credit cards five times. Filing 12 at 3. She has also received targeted advertising for credit monitoring services. According to the plaintiff, the cybercriminals were able to breach the defendant's systems through a phishing attack where between May and June 2019, several of the defendant's associates gave hackers access to their email credentials, thus compromising a large number of email inboxes. Filing 12 at 5. It is likely that the PII obtained by the hackers is now for sale on the dark web. Filing 12 at 6. The plaintiff alleged that the data breach occurred because the defendant failed to take reasonable measures to protect the PII it collected and stored. The defendant, according to the plaintiff, failed to implement data security measures designed to prevent phishing attacks despite repeated warnings to the healthcare industry, insurance companies, and other associated industries, about the risk of cyberattacks, and the highly publicized occurrence of many similar attacks on healthcare providers in the recent past.

The plaintiff alleged that as part of the insurance agreement, the defendant promised the plaintiff and all of its insureds that it would maintain the security and privacy of all personal information. Filing 12 at 7. Further, according to the plaintiff, the HIPAA Notice of Privacy Practices that the defendant sent to its insureds specifically informed them that the defendant was required by law to maintain the privacy and security of protected health information, that the defendant would promptly let its insureds know if a data breach occurred which compromised an insured's privacy or security information, and that it must follow the duties and privacy practices described in its Notice.

III. DISCUSSION

1. ARTICLE III STANDING

A plaintiff invoking the jurisdiction of the court must demonstrate Article III standing to sue. In re SuperValu, Inc., 870 F.3d 763, 768 (8th Cir. 2017). Standing is comprised of three elements. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). First, the plaintiff must have suffered an injury-in-fact—an invasion of a legally protected interest which is concrete and particularized, as well as actual or imminent, and not conjectural or hypothetical. Id. Second, the injury must be causally connected to the defendant's conduct—meaning, the injury has to be fairly traceable to the challenged action of the defendant, and not the result of independent action of some third party not before the court. Id. Third, it must be likely, and not merely speculative, that the injury will be addressed by a favorable decision. Id. at 561, 112 S.Ct. 2130.

Here, the defendant only asserts and argues that the plaintiff's amended complaint failed to plausibly demonstrate that the injuries she alleged are fairly traceable to the defendant's conduct. Filing 15 at 5-8. The defendant argues that the specific categories of PII that the plaintiff claimed were accessed by hackers are not connected to the specific harms that she suffered. Filing 15 at 7. The plaintiff's claims regarding unauthorized charges and the need to replace credit cards, according to the defendant, are not traceable to the defendant's data breach because there are no allegations that credit card data was accessed in the cyberattack. Also, according to the defendant, the plaintiff's allegation that her email accounts were compromised is not fairly traceable to the data breach because there are no allegations that passwords to access her email accounts were provided to the defendant or accessed by the cybercriminals.

The Court is unpersuaded. First, the defendant doesn't dispute that the plaintiff's allegations concerning her actual injuries—the costs she has incurred for unauthorized charges and credit card replacement—constitute an injury-in-fact. The defendant's argument is only that the plaintiff's injuries are not the defendant's fault, because they are not traceable to the defendant's data breach.

The problem with the defendant's argument is that it narrowly focuses on what the plaintiff didn't specifically allege, and ignores what the plaintiff did allege in her amended complaint. The kind of PII that the plaintiff alleged was compromised in the data breach—Social Security numbers, addresses, birth dates, names, addresses, and email addresses—is the kind of information, unlike mere credit card information, that can lead to a wide range of identity fraud. See In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1262 (11th Cir. 2021) (acknowledging the "unequivocal damage that can be done" by hackers with access to stolen Social Security numbers, names, and dates of birth). Further, for the purpose of the defendant's motion, no party disputes that the misuse of credit card information constitutes credit card fraud, which is itself a form of identity theft. In re SuperValu, Inc., 870 F.3d at 772.

The Court finds it plausible that with access to the plaintiff's name, Social Security number, address, date of birth, and other PII, a hacker could gain access to the plaintiff's credit records and credit card accounts, and cause the damages that the plaintiff alleged in her amended complaint. See Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 623 (4th Cir. 2018).

The defendant's argument suggests that the injuries the plaintiff actually experienced might be the result of an unrelated data breach, but that suggestion alone does not render causation due to the defendant's data breach implausible. See In re U.S. Off. of Personnel Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 60 (C.A.D.C. 2019). The fairly traceable standard does not equate to a standard of tort causation. Hutton, 892 F.3d at 623. Article III standing does not require the defendant's conduct to be the immediate cause, or even a proximate cause, of the plaintiff's injuries—only that the plaintiff's injuries be fairly traceable to the defendant's conduct. Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. 2017). At this stage of the litigation, where the plaintiff's burden is relatively modest, it is presumed that the general allegations in a complaint embrace the specific facts that are necessary to support a link between the plaintiff's injury and the defendant's data breach. In re SuperValu, Inc., 870 F.3d at 772.

Further, in response to the defendant's motion, the plaintiff argued that the type of PII compromised in the data breach supports a finding that the data breach created a substantial risk of future harm. Filing 19 at 13. At this early stage of the proceedings, the Court finds the plaintiff's argument persuasive. A claim of future injury can be sufficient to establish Article III standing where the threatened injury is certainly impending, or where there is substantial risk that the harm will occur. Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014). Here, the sensitive nature of the PII compromised, and the allegations that the plaintiff's PII will be made available on the dark web (filing 12 at 6), makes it reasonably plausible that there is a substantial risk that the plaintiff will suffer harm from identity theft in the future. See In re U.S. Office of Personnel Mgmt. Data Sec., 928 F.3d at 60; In re Equifax Inc., 999 F.3d at 1262 ("Given the colossal amount of sensitive data stolen, including Social Security numbers, names, and dates of birth, and the unequivocal damage that can be done with this type of data, we have no hesitation in holding that Plaintiffs adequately alleged that they face a ‘material’ and ‘substantial’ risk of identity theft."). The defendant's motion to dismiss for a lack of standing will be denied.

2. NEGLIGENCE

As a preliminary matter, the defendant asserts, for the purposes of this motion, that there is no actual conflict between the laws of North Carolina, where the plaintiff resides, and the laws of Nebraska, where the defendant's business is based. Filing 15 at 9. The plaintiff makes no argument regarding a choice-of-law question, but has pled two Nebraska statutory-based claims. Filing 12 at 50-54. Thus, in the absence of an articulated conflict of law issue between the parties, the Court will consider the defendant's motion under Nebraska law alone. When neither party raises a conflict of law issue in a diversity case, the federal court applies the law of the state in which the federal court sits. See BBSerCo, Inc. v. Metrix Co., 324 F.3d 955, 960 n.3 (8th Cir. 2003).

The defendant argues that the plaintiff's negligence claim fails because Nebraska does not recognize a legal duty to safeguard information from a criminal cyberattack under the circumstances described in the plaintiff's amended complaint. Filing 15 at 10. Neither, the defendant argues, does Nebraska recognize a common law duty to give notice of a data breach. Filing 15 at 12.

The defendant's view of its duty is much too narrow. True, as the defendant argues, an actor whose conduct has not created a risk of harm to another has no duty to the other unless an affirmative duty is imposed by law. Bell v. Grow With Me Childcare & Presch., LLC, 299 Neb. 136, 907 N.W.2d 705, 714 (Neb. 2018). Here, however, the plaintiff alleged that it was the defendant's conduct that created the risk of harm—that being, the defendant's failure to use reasonable care to not expose the PII in its custody to a data breach. Filing 12 at 37-41.

Nebraska law provides that an actor, such as the defendant, ordinarily has a duty to exercise reasonable care when the actor's conduct creates a risk of physical harm, which here is the unauthorized intrusion into the defendant's negligently secured business records that caused the plaintiff's PII to be compromised. A.W. v. Lancaster Cnty. Sch. Dist. 0001, 280 Neb. 205, 784 N.W.2d 907, 915 (2010). Further, the conduct of an actor who has created a risk of harm can lack reasonable care insofar as it foreseeably combines with or permits the improper conduct of a third party. Ginapp v. City of Bellevue, 282 Neb. 1027, 809 N.W.2d 487, 492 (2012) (citing Restatement (Third) of Torts: Phys. & Emot. Harm § 19 (2010)).

"Physical harm" includes both bodily injury as well as damage to tangible property, which here would include the defendant's business records. Restatement (Third) of Torts: Phys. & Emot. Harm § 4 (2010). Also, any level of physical impairment is sufficient for liability, and any detrimental change in the physical condition of a person's property counts as a harmful impairment. § 4 cmt. c.

In addition, the plaintiff has alleged facts plausibly establishing a duty to protect her from economic harm resulting from the conduct of a third party. Although Nebraska has endorsed the Restatement (Third) of Torts: Liability for Physical and Emotional Harm, it has not addressed the Restatement (Third) of Torts: Liability for Economic Harm. Nonetheless, both the Restatement (Second) of Torts and Restatement (Third) of Torts: Liability for Economic Harm suggest a duty under the circumstances alleged here. To begin with, the Restatement (Second) provides that "[a]n act or an omission may be negligent if the actor realizes or should realize that it involves an unreasonable risk of harm to another through the conduct of the other or a third person which is intended to cause harm, even though such conduct is criminal." Restatement (Second) of Torts § 302B (1965); cf. Flannery v. Sample Hart Motor Co., 194 Neb. 244, 231 N.W.2d 339, 342 (1975). That includes

situations in which the actor, as a reasonable man, is required to anticipate and guard against the intentional, or even criminal, misconduct of others. In general, these situations arise where the actor is under a special responsibility toward the one who suffers the harm, which includes the duty to protect him against such intentional misconduct; or where the actor's own affirmative act has created or exposed the other to a recognizable high degree of risk of harm through such misconduct, which a reasonable man would take into account.

§ 302B cmt. e. (emphasis supplied). Among the relationships that confer a duty to protect against misconduct is that of bailee and bailor. Id. And in this instance, the defendant affirmatively acted to gather PII—effectively, a "bailment" for information—and the defendant's act of gathering that information into a centralized database (a "gold mine" for hackers) exposed the plaintiffs to risks that a reasonable person in the defendant's position would take into account, obliging the defendant to take reasonable care. See id.

Similarly, the Restatement (Third) provides that

An actor who, in the course of his or her business, profession, or employment, or in any other transaction in which the actor has a pecuniary interest, performs a service for the benefit of others is subject to liability for pecuniary loss caused to them by their reliance upon the service, if the actor fails to exercise reasonable care in performing it.

Restatement (Third) of Torts: Liab. for Econ. Harm § 6 (2020). And here, the defendant gathered PII incident to performing a service: that is, considering the plaintiff's application for (and acceptance of) insurance benefits. The defendant obviously had a pecuniary interest in that transaction, and so was obliged to exercise reasonable care when performing.

The defendant may suggest that securing PII wasn't part of the "service" provided ... but that goes to whether the defendant breached its duty, not whether the duty existed.

Of course, "there is no liability in tort for economic loss caused by negligence in the performance or negotiation of a contract between the parties." Id., § 3. But the defendant denies that it was contractually obliged to protect the plaintiff's PII—so, the plaintiff is entitled to plead in the alternative. If she ultimately recovers in contract, she may be precluded (by a number of doctrines) from recovering in tort. But until that's settled, she's allowed to pursue alternative theories of recovery.

But regardless of whether the injury here is characterized as a physical intrusion on property, or an economic loss resulting from a relationship between the parties that obliged the defendant to exercise reasonable care, the Court has little difficulty in concluding that having gathered the plaintiff's PII, the defendant had a legal duty under Nebraska law to take reasonable care to secure it.

The plaintiff plausibly alleged that the defendant owed a duty to exercise reasonable care to secure and safeguard the plaintiff's PII stored in the defendant's computer systems. That duty included using reasonable and adequate security procedures and systems that were compliant with standard practices within the industry. The plaintiff also plausibly alleged that the defendant knew or should have known of the risks inherent in collecting and storing PII, that there had been numerous well-documented and well-publicized data breaches affecting the medical industry, and that a breach of the defendant's system would damage thousands of its customers.

Also in support of its no-tort-duty argument, the defendant argues that the Nebraska Legislature expressly declined to create a private right of action for the failure to protect an out-of-state resident's PII, and that Nebraska courts have regularly declined to recognize new tort duties where the legislature has not expressly, or by implication, provided for civil tort liability. Filing 15 at 11.

The defendant is correct that in Nebraska, whether a statute creates a private right of action depends on the statute's purpose and whether the Legislature intended to create a private right of action. McShane Constr. Co., LLC v. Gotham Ins., 867 F.3d 923, 928 (8th Cir. 2017). A statute may imply a tort duty to act in the manner required by the statute where the statute is enacted to protect a class of persons which includes the plaintiff, the statute is intended to prevent the particular injury at issue, and the statute is intended by the Legislature to create a private liability as distinguished from one of a public character. A.W., 784 N.W.2d at 920. Without a legislative intent to create a private right and remedy, courts cannot create an implied cause of action no matter how desirable as a matter of policy, or how compatible that may be with the statute. Pro. Mgmt. Midwest Inc. v. Lund Co., 284 Neb. 777, 826 N.W.2d 225, 233 (2012).

The defendant is also correct that the relevant Nebraska statutory scheme, the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (Data Protection Act), Neb. Rev. Stat. §§ 87-801 - 87-808, does not create or imply a private right of action for a data breach within the Act itself. Section 87-808(1) of the Data Protection Act describes what a commercial entity such as the defendant must do to secure computerized data that it owns, licenses, or maintains.

To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.

Neb. Rev. Stat. § 87-808(1).

Although § 87-808(1) describes a duty of reasonable care for Nebraska entities to protect a person's PII, § 87-806(2) of the Act specifically excludes a private right of action within the Act itself. No matter how strong the policy of protecting an individual's personal information in § 87-808(1) may be, the legislative intent to exclude a private remedy must prevail.

But the analysis doesn't end here. Under Nebraska law, whether a statute includes an implied right of action is distinct and separate from whether a statute creates a common law duty in tort which can be enforced in a negligence action. Pro. Mgmt. Midwest Inc., 826 N.W.2d at 232. Even a statute that does not give rise to a tort duty beyond the general common law duty to exercise reasonable care can serve as relevant evidence of a standard of care and whether that standard of care was breached. A.W., 784 N.W.2d at 921.

Here, the plaintiff's negligence claim, contrary to the defendant's argument, is not predicated on a statutory right of action. The plaintiff alleged that the defendant owed her and others a common law duty to exercise reasonable care to secure and safeguard their PII, and to use commercially reasonable methods to do so. Filing 12 at 37. The plaintiff's reference to the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act (HIPAA), serves only as a reference to relevant evidence of a standard of care. It is worthwhile to note that if an entity complies with the relevant HIPAA regulations, such entity is also in compliance with § 87-808(1) of the Nebraska Data Security Act. Neb. Rev. Stat. § 87-808(3)(b).

Finally, to the extent that the defendant argues that it has no duty as a matter of legislative policy, such argument is unpersuasive. A finding of no duty may arise in the exceptional case when an articulated countervailing principle or policy warrants denying or limiting liability in a particular class of cases. A.W., 784 N.W.2d at 915. If such an exceptional case occurs, a court may then determine that a defendant has no duty or that the ordinary duty of reasonable care needs modification. Id. Importantly, a no-duty determination is grounded in public policy and based upon legislative facts, not adjudicative facts arising out of the particular facts of the case. Kimminau v. City of Hastings, 291 Neb. 133, 864 N.W.2d 399, 412 (2015).

Examples of policy driven no-duty exceptions include the absence of liability for a landowner to some trespassers, or a landlord's duty to provide security for common areas but not for rented space. Restatement (Third) of Torts, § 7 cmt. a (2010). Here, nothing in the Data Protection Act would lead to a conclusion that the common law duty of ordinary care to protect personal information should be modified. Instead, the Nebraska Data Protection Act expressly provides that an entity conducting business in Nebraska who owns or maintains personal information about a Nebraska resident "shall implement and maintain reasonable security procedures and practices" to protect personal information. Neb. Rev. Stat. § 87-808(1). The defendant's motion to dismiss the plaintiff's negligence claim will be denied.

3. NEGLIGENT FAILURE TO PROVIDE TIMELY NOTICE

The plaintiff alleged that the defendant negligently failed to notify the plaintiff and class members about the data breach so that they could take appropriate steps to mitigate the potential for identity theft and other damages. Filing 12 at 40. Accepting the factual allegations in the plaintiff's amended complaint as true, and viewing those facts in the light most favorable to the plaintiff, H.J. Inc. v. Nw. Bell Tel. Co., 492 U.S. 229, 249, 109 S.Ct. 2893, 106 L.Ed.2d 195 (1989), for the purposes of this motion, the Court finds that the defendant's system was breached in a cyberattack sometime in May 2019, but the plaintiff was not notified that her PII had been accessed until August 13, 2019. The defendant argues that there is no common law duty to give notice of a data breach and no statutory duty to provide notice under Nebraska law. Filing 15 at 12. Additionally, according to the defendant, the plaintiff "cannot establish an unreasonable delay," and has not alleged how any delay caused her harm.

The plaintiff also alleged that the data breach occurred between May 1 and June 4, 2019, filing 12 at 1, that the defendant announced it had learned of suspicious activity in May 2019 that allowed cybercriminals to access its systems through a phishing attack, filing 12 at 5, and that in April 2019, the plaintiff received a letter from the defendant notifying her that her PII was taken, filing 12 at 3. The allegations in the amended complaint taken as a whole appear inconsistent, but at this early stage of the proceedings, the Court is required to view the facts in the light most favorable to the plaintiff, which the Court has done notwithstanding these apparent inconsistent allegations.

The plaintiff's failure-to-notify allegation is essentially a claim that the defendant failed to timely warn her that a cyberattack exposed her PII, and may subject her to identity theft. In Nebraska, a defendant whose conduct creates a risk of physical or emotional harm can fail to exercise reasonable care by failing to warn of the danger if the defendant knows or has reason to know of that risk and that those encountering the risk will be unaware of it. Riggs v. Nickel, 281 Neb. 249, 796 N.W.2d 181, 188-89 (2011) (citing Restatement (Third) of Torts § 18(a)(1) (2010)). Here, the plaintiff alleged that it was the defendant's failure to secure PII that created the risk of identity theft, that the defendant knew of that risk, and that the plaintiff, as one who would encounter the risk, would be unaware of it absent a warning.

The defendant notes, correctly, that § 87-803(1) of the Data Protection Act provides that the defendant would have a duty to notify only an affected Nebraska resident of a data breach. Filing 15 at 12. From this, the defendant argues that it has no duty to warn the plaintiff, a resident of North Carolina, that she may be at risk for identity theft. The Court disagrees.

Section 87-803(1) provides:

An individual or commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident. Notice shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

Implicit in the defendant's argument is an assertion that the Data Protection Act was intended to provide Nebraskans—and only Nebraskans—with a private right of action in the event of a failure to provide timely notice of a data breach. However, the structure of the Data Protection Act as a whole evinces a legislative intent to not provide Nebraskans (as well as residents of other states) with an express or implied private right of action, even though § 87-803 purports to assign a commercial entity such as the defendant with a duty to notify an affected Nebraskan of a data breach. This is so because § 87-806(1) provides that the Nebraska Attorney General "may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of section 87-803." For a statute to imply a private right of action, there must be a legislative intent to create a private liability as distinguished from one of a public character. A.W., 784 N.W.2d at 920. Here, the legislative intent was to create a liability of a public character.

As discussed above, a statute such as § 87-803 that does not give rise to a tort duty beyond the general common law duty to exercise reasonable care may still serve as relevant evidence of a standard of care and whether that standard of care has been breached. A.W., 784 N.W.2d at 921. Nebraska law is clear that the defendant does have a common law duty to warn of a danger arising from a risk of harm that it created, which here, according to the plaintiff, was the defendant's failure to take reasonable measures to protect her PII. Further, the defendant does not assert or argue that § 87-803 is a no-duty exception limiting the common law duty to warn.

Finally, the defendant's arguments that the plaintiff cannot establish that the delay in providing notice was unreasonable, or the damages caused by an untimely notice, raise questions that go to the sufficiency of the evidence supporting the allegations in the amended complaint, not the sufficiency of the allegations. Stamm, 326 F. Supp. 3d at 847. The defendant's motion to dismiss the plaintiff's negligent failure to notify claim will be denied.

4. BREACH OF EXPRESS CONTRACT

The plaintiff alleged that she and other class members entered into express contracts where they agreed to provide the defendant their PII, and the defendant agreed to provide insurance coverage and to protect the PII of its insureds. Filing 12 at 41. According to the plaintiff, the parties' contract included the HIPAA privacy notices and explanation of benefits documents, which, by their terms, required the defendant to implement data security measures adequate to safeguard and protect the confidentiality of the plaintiff's PII.

The defendant argues that the HIPAA and benefits notices were not part of the insurance agreement, and that the plaintiff is attempting to convert HIPAA requirements into a private right of action. Filing 15 at 15-16. But even if part of an agreement, the defendant argues, no consideration was given for a contract arising from the HIPAA and benefit notices in light of the defendant's pre-existing statutory duty to safeguard information under HIPAA. Filing 15 at 17.

The plaintiff has, at this very early stage of the proceedings, sufficiently alleged the existence of an express contract between the parties. Instruments made in reference to and as part of the same transaction are to be considered and construed together. TNT Cattle Co., Inc. v. Fife, 304 Neb. 890, 937 N.W.2d 811, 834 (2020). It is of no significance if such instruments were made or dated at different times if they are related to and part of the same transaction. Baker's Supermarkets, Inc. v. Feldman, 243 Neb. 684, 502 N.W.2d 428, 433 (1993).

The plaintiff alleged that a series of instruments, all related to the same transaction, comprise the agreement between the parties that the plaintiff's PII would be kept secure. The defendant's arguments question the sufficiency of the evidence supporting the plaintiff's allegation, not the sufficiency of the allegations. At this stage of the litigation, what matters is the sufficiency of the allegations in the plaintiff's amended complaint, not the sufficiency of the evidence alleged in support of those allegations. Stamm, 326 F. Supp. 3d at 847.

The defendant's lack of consideration argument fares no better. Consideration is sufficient to support a contract if there is any detriment to the promisee or any benefit to the promisor. City of Omaha v. City of Elkhorn, 276 Neb. 70, 752 N.W.2d 137, 148 (Neb. 2008); Myers v. Neb. Equal Opportunity Com'n, 255 Neb. 156, 582 N.W.2d 362, 367 (1998). It is sufficient that the promisee did something that was not otherwise required, or that the promisor be entitled to receive something that would not otherwise be received. Pruss v. Pruss, 245 Neb. 521, 514 N.W.2d 335, 344 (1994).

Here, the promisee, the person to whom the promise was made, is the plaintiff. The promise that was allegedly made by the defendant/promisor was: if you give us your PII, we will keep it secure pursuant to our duty under HIPAA. Thus, the plaintiff/promisee did something she was not otherwise required to do—give the defendant her PII—and the defendant/promisor received something it was not otherwise entitled to receive—the plaintiff's PII. It is immaterial that the defendant was required by HIPAA to keep the plaintiff's PII secure for legally sufficient consideration to exist. What was required was that the defendant received something that it was not otherwise entitled to receive, which it did.

The plaintiff's amended complaint, taken as true, has alleged legally sufficient consideration to support an express agreement by the parties to keep the plaintiff's PII secure. The defendant's motion to dismiss the plaintiff's breach of an express contract claim will be denied.

5. BREACH OF IMPLIED CONTRACT

The defendant argues that the plaintiff's implied contract claim suffers from the same defects as her express contract claim in that the plaintiff failed to plausibly allege an objective manifestation of mutual assent to the material terms of a contract. Filing 15 at 19. In addition, the defendant argues that the plaintiff's implied contract claim should be dismissed because it is duplicative of the plaintiff's express contract claim. Filing 15 at 20.

An implied contract arises from a mutual agreement and intent to promise where the agreement and promise have simply not been expressed in words. 168th & Dodge, LP v. Rave Reviews Cinemas, LLC, 501 F.3d 945, 953 (8th Cir. 2007). An implied contract is found where the intentions of the parties are not expressed in writing, but circumstances are such as to show a mutual intent to contract. Linscott v. Shasteen, 288 Neb. 276, 847 N.W.2d 283, 289 (2014). Determining the parties' intent to contract is normally a question of fact, and that intent is to be gathered from objective manifestations such as the conduct of the parties, the language used, acts done by the parties, or other pertinent circumstances surrounding the transaction. Kaiser v. Millard Lumber, Inc., 255 Neb. 943, 587 N.W.2d 875, 882 (1999).

The plaintiff alleged that the defendant required her and the other class members to provide the defendant with their highly confidential private information as a condition for obtaining health-related insurance. Filing 12 at 8. The defendant, according to the plaintiff, promised and obligated itself to keep the plaintiff's PII confidential by the affirmative representations made in its HIPAA Notice of Privacy Practices. Filing 12 at 7. In addition, the plaintiff alleged that the defendant's obligation to protect her PII was a reasonable expectation, part of a mutual understanding, and implicit in their agreement for insurance due to the highly sensitive nature of her PII. In this regard, the plaintiff alleged that the defendant knew that health insurance companies are prime targets for cybercriminals, and that the FBI had warned companies in the healthcare industry that they were being targeted by cybercriminals. Filing 12 at 9. These and other allegations plausibly allege the existence of an implied agreement to protect the plaintiff's PII.

Finally, the plaintiff's amended complaint alleged express and implied contract claims in the alternative. First, the federal rules allow the plaintiff to plead as many separate claims as she has, regardless of consistency. Fed. R. Civ. P. 12(d)(3). But, in Nebraska, claims of both express and implied contract are not inconsistent, and one may proceed on both theories because in either instance the action is premised on the existence of a contract. Tobin v. Flynn & Larsen Implement Co., 220 Neb. 259, 369 N.W.2d 96, 98-99 (1985). In practice, as a suit progresses beyond the pleading stage, a plaintiff will proceed on only one of these two alternative (yet consistent) theories at the same time; but doing so at the pleading stage risks losing one of two potential theories of recovery. Id. Whether the plaintiff's claim is grounded on an express contract, or in the alternative, on an implied contract, or on neither, will sort itself out in discovery. The plaintiff must only allege facts that raise a reasonable expectation that discovery will reveal evidence to substantiate the necessary elements of her claim. Twombly, 550 U.S. at 545, 127 S.Ct. 1955. That she has done.

6. BREACH OF FIDUCIARY DUTY

The defendant argues that a contractual relationship like the one between the plaintiff and the defendant does not create a fiduciary relationship under Nebraska law. Filing 15 at 21. The Court agrees. There is no presumption of a fiduciary relationship between the plaintiff and the defendant merely because they entered into a contract for a policy of dental insurance. Am. Driver Serv., Inc. v. Truck Ins. Exch., 10 Neb.App. 318, 631 N.W.2d 140, 148 (2001).

The plaintiff, however, argues that her claim of a fiduciary relationship does not merely rely on the fact that she entered into a contract for a policy of insurance with the defendant. Instead, the plaintiff alleged that a fiduciary relationship was created because of the confidential sensitive health information and PII that she entrusted to the defendant in order to obtain insurance coverage. The plaintiff characterizes this aspect of her relationship with the defendant as analogous to a patient/physician relationship. Filing 19 at 28-29.

In Nebraska, a fiduciary duty arises out of a confidential relationship which exists when one party gains the confidence of the other and purports to act with the other's interest in mind. City of South Sioux City, Neb. v. Charter Oak Fire Ins. Co., 385 F.Supp.3d 854, 861 (D. Neb. 2019); Gonzalez v. Union Pac. R.R. Co., 282 Neb. 47, 803 N.W.2d 424, 446 (2011). A fiduciary relationship arises when confidence is reposed on one side, and domination and influence result on the other side. DeSciose v. Chiles, Heider & Co., Inc., 239 Neb. 195, 476 N.W.2d 200, 206 (1991).

Whether the plaintiff can separate one aspect of her contractual relationship with her insurer and claim that a fiduciary relationship exists as to that one aspect of the relationship appears to be a question that has not yet been addressed by a Nebraska court. There is some authority from other jurisdictions, but that authority falls on both sides of the question. For example, in Wallace v. Health Quest Systems, Inc., the court recognized that in New York the duty inherent in the physician/patient relationship extends to healthcare operations because the "cloak of confidentiality" wraps around more than the health care professional who renders services. No. 20-CV-545, 2021 WL 1109727, at *12 (S.D.N.Y. Mar. 23, 2021).

Other courts have been less willing to extend a fiduciary relationship to what is otherwise a regular business transaction. In Attias v. Carefirst, Inc., the defendant, a health insurer, suffered a data breach. 365 F. Supp. 3d 1, 5 (D.D.C. 2019). There, the court acknowledged that defining fiduciary relationships can be difficult, but one characteristic courts have traditionally looked for was a special confidential relationship that transcends an ordinary business transaction and requires each party to act with the interests of the other in mind. Id. at 24. The court then concluded that the plaintiff had failed to plead anything more than the typical commercial transaction between an insurer and insured. Acknowledging that the defendant had required the plaintiff to provide personal and confidential information, the court still concluded that this was something that will occur in almost every insurer/insured relationship. There was not a relationship alleged beyond that envisioned in everyday interactions with a health insurance provider so as to give rise to a fiduciary duty to safeguard the plaintiff's PII. Id.

In predicting what the Nebraska Supreme Court would do, the Court finds the reasoning in Attias persuasive. In Nebraska, there is no presumption of a fiduciary relationship between an insured and insurer merely because they entered into a contract for insurance coverage. Am. Driver Serv., Inc., 631 N.W.2d at 148. Here, the plaintiff alleged nothing that would distinguish her engagement with the defendant as something outside of a normal insurer/insured relationship. True that the plaintiff trusted the defendant to keep her PII secure, but the same is true with nearly every insurer/insured relationship, as well as with every customer who tenders payment to a vendor with a credit card. There is a common law duty for the insurer or vendor to use due care, but not a special confidential relationship giving rise to a fiduciary duty. The plaintiff's fiduciary duty claim will be dismissed.

7. VIOLATION OF NEBRASKA CONSUMER PROTECTION ACT

The Nebraska Consumer Protection Act, Neb. Rev. Stat. § 59-1601 et seq., provides that unfair or deceptive acts or practices in the conduct of any trade or commerce that have an impact on the public interest by either directly or indirectly affecting the people of the State of Nebraska, shall be unlawful. See Tecumseh Poultry LLC v. Perdue Holdings, Inc., No. 4:12-CV-3032, 2012 WL 3018255, at *9 (D. Neb. July 24, 2012); Arthur v. Microsoft Corp., 267 Neb. 586, 676 N.W.2d 29, 37-38 (2004). The purpose of the Act is to protect consumers from unlawful practices. Arthur, 676 N.W.2d at 37. Any person who is injured by a violation of the Act which directly or indirectly affects the people of Nebraska is permitted to bring a civil action to recover damages. Hage v. Gen. Serv. Bureau, 306 F.Supp.2d 883, 889 (D. Neb 2003).

Although a violation of the Nebraska Data Protection Act does not give rise to a private cause of action within the Act itself, a violation of § 87-808 of that Act "shall be considered a violation of section 59-1602 and be subject to the Consumer Protection Act and any other law which provides for the implementation and enforcement of section 59-1602." Neb. Rev. Stat. § 87-806(2).

Section 59-1602 of the Consumer Protection Act provides that unfair or deceptive acts or practices in the conduct of any trade or commerce shall be unlawful. Section 59-1609 provides, in pertinent part, that any person who is injured in her property by a violation of § 59-1602:

may bring a civil action in the district court to enjoin further violations, to recover the actual damages sustained by him or her, or both, together with the costs of the suit, including a reasonable attorney's fee, and the court may in its discretion, increase the award of damages to an amount which bears a reasonable relation to the actual damages which have been sustained and which damages are not susceptible of measurement by ordinary pecuniary standards; except that such increased award for violation of section 59-1602 shall not exceed one thousand dollars.

Neb. Rev. Stat. § 59-1609.

The interplay of these two Acts makes the issue concerning the plaintiff's Consumer Protection Act claim into one of whether the plaintiff stated a plausible claim that the defendant violated § 87-808 of the Data Protection Act, which would then be subject to enforcement pursuant to § 59-1609 of the Consumer Protection Act. As relevant here, § 87-808(1) provides that a commercial entity that "conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska" shall implement and maintain reasonable security procedures and practices appropriate for the kind of personal information owned, licensed, or maintained, and the nature and size of, and the resources available to, the business and its operations.

The defendant argues that it has no obligation to the plaintiff because she is a resident of North Carolina. Filing 15 at 24. But that argument is contrary to the plain text of § 87-808(1). The issue is whether the plaintiff plausibly pled that the defendant owns, licenses, or maintains PII about a Nebraska resident—not whether the plaintiff herself is a Nebraska resident.

First of all, it is implausible to think that a prominent Nebraska-based insurer would not have the PII of one single Nebraska resident in its data system. But more to the point, the plaintiff's amended complaint alleged that "tens of thousands of Nebraskans" have been insured by the defendant, and an appreciable number of those insureds have been impacted by the data breach. Filing 12 at 52. The facts that the plaintiff alleged must only raise a reasonable expectation that discovery will reveal evidence to substantiate the necessary elements of the plaintiff's claim. Twombly, 550 U.S. at 545, 127 S.Ct. 1955. Here, the plaintiff's allegations are sufficient to raise a reasonable expectation that discovery will reveal evidence to substantiate the plaintiff's claim that the defendant maintained the personal information of Nebraskans in its computer data systems.

The defendant also argues that the plaintiff does not allege in her amended complaint an unfair or deceptive practice that affects the public interest. Filing 15 at 22. This argument is immaterial given that the Data Security Act provides that a violation of § 87-808 shall be considered a violation of § 59-1602 and subject to enforcement pursuant to the Consumer Protection Act. Neb. Rev. Stat. § 87-806(2).

Finally, the defendant argues that the plaintiff's Consumer Protection Act claim should be dismissed because violations of § 87-803 are only enforceable by the Nebraska Attorney General. Filing 15 at 24. It is true that § 87-806(1) of the Data Protection Act provides that the Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of § 87-803. However, the plaintiff's claim as it pertains to the Consumer Protection Act concerns the alleged violation of § 87-808—not § 87-803, which concerns the prompt investigation of a data breach and the provision of notice to Nebraska residents. Unlike a violation of § 87-808 of the Data Protection Act, a violation of § 87-803 is not considered a violation of the Consumer Protection Act.

8. VIOLATION OF NEBRASKA UNIFORM DECEPTIVE TRADE PRACTICES ACT

The Nebraska Uniform Deceptive Trade Practices Act, Neb. Rev. Stat. § 87-301 et seq., "prohibits a broad panoply of deceptive trade practices." Mutual of Omaha v. Novak, 648 F. Supp. 905, 909 (D. Neb. 1986). To establish a violation of the Act, there must have been a representation regarding the nature of goods or services and the representation must have been for characteristics or benefits that the goods or services did not have. State ex rel. Stenberg v. Consumer's Choice Foods, Inc., 276 Neb. 481, 755 N.W.2d 583, 592 (2008).

The defendant argues that it is in the business of providing insurance coverage, that the good or service the plaintiff purchased from the defendant was only a policy of dental insurance, and that the plaintiff hasn't alleged that there was anything wrong with the dental insurance product she purchased. In other words, data storage and data security were not goods or services that the defendant provides, and not goods or services that the plaintiff purchased. Filing 15 at 24.

The plaintiff argues that the defendant misrepresented the quality and characteristics of its data security practices and capacity to safeguard PII. Filing 19 at 35. In her amended complaint, the plaintiff alleged that she purchased a dental insurance policy from the defendant, and as a condition for insurance coverage, she was required to disclose her PII. Filing 12 at 2-3. In other words, securing her PII was a service ancillary to the good or service she purchased from the defendant, which was a policy of dental insurance.

"The Uniform Deceptive Trade Practices Act shall apply to deceptive trade practices conducted in whole or in part within the State of Nebraska against residents or nonresidents of this state." Neb. Rev. Stat. § 87-304. Here, the plaintiff's amended complaint does not allege that the defendant's trade was securing PII. It was providing insurance coverage, and ancillary to that the defendant obtained an insured's PII, which the defendant knew or should have known had to be kept secured against a cyberattack. The plaintiff failed to allege that there was anything deceptive regarding the defendant's trade, but only alleged negligence and a breach of contract regarding the defendant's performance of matters ancillary to conducting its trade. The plaintiff's Deceptive Trade Practices Act claim will be dismissed.

IT IS ORDERED:

1. The defendant's motion to dismiss (filing 14) is granted in part and denied in part as set forth above.

2. The plaintiff's breach of fiduciary duty claim and violation of the Nebraska Uniform Deceptive Trade Practices Act (Neb. Rev. Stat. § 87-301 et seq.) claim are dismissed.

3. This matter is referred to the Magistrate Judge for case progression.
