RANDOLPH et al v. ING LIFE INSURANCE AND ANNUITY COMPANY

Memorandum in opposition to re MOTION to Dismiss Complaint

D.D.C.September 25, 2006

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA REGINA RANDOLPH, et al., * Plaintiffs, * Civil Action No. 06-1228 vs. * (CKK) ING LIFE INSURANCE AND * ANNUITY COMPANY * Defendant. * PLAINTIFFS’ OPPOSITION TO DEFENDANT’S MOTION TO DISMISS Comes now, the plaintiffs, by and through counsel, and hereby submit their opposition to the Motion to Dismiss filed by the defendant. The defendant contends that plaintiffs’ complaint should be dismissed because there is a lack standing, because the complaint fails to state a claim upon which relief can be granted, and for mootness. As will be shown below, however, the plaintiffs have statutory standing to bring this lawsuit, there are several means available to obtain relief which exists under the circumstances of this case, and mootness is not even remotely an issue in this matter. I. Statement Of Relevant Facts The plaintiffs, Regina A. Randolph, Tony Giles, Tonia Robinson, Darlene Fields, Marthine Bartee, Don Pope and Tamonica Heard brought this action on behalf of themselves and all others similarly situated present and former District of Columbia employees against ING Life Insurance Annuity Company (“ING”). Plaintiffs, all of whom themselves are current or retired District of Columbia employees, are but seven (7) of the more than 13,000 current or former District employees, whose private personal information, including Social Security numbers, were improperly, unlawfully, willfully and/or negligently disclosed by ING in at least three ways: 1) through the access Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 1 of 13 -2- and removal of data files containing the private personal information of thirteen(13) thousand District employees from the defendant’s facility by employee John Doe; (2) through the transfer of the data to external and unprotected disks and/or computers by John Doe; and (3) through the alleged theft of these disks and/or computers by a third party, the identity of whom may never be known. These disclosures were made without plaintiffs’ knowledge or consent and violate their clearly established right to privacy, several D.C. Statutes and at least one (1) Federal Statute. The disclosures of plaintiffs’ private personal information was clearly an unwarranted invasion of their privacy and was the direct and proximate result of defendant’s grossly negligent and/or its willful and intentional failure to establish and enforce appropriate safeguards to ensure the security and privacy of District of Columbia employee records and to protect against any known or anticipated threats or hazards to the security and integrity of these records in violation of applicable law. Moreover and contrary to the representations of the defendant, subsequent to learning of these disclosures, the defendant was deliberately indifferent in failing to take reasonable corrective action, including but not limited to, taking immediate action to retrieve the data from the laptop computer of its agent despite knowledge of the substantial risk of serious harm to the personal and financial security of the affected employees as result of the disclosures. On or about June 19, 2006, ING publically announced through national media outlets that the private information of 13,000 District of Columbia workers and retirees had been disclosed. The private personal information of these employees that was disclosed included names, addresses, dates of birth, spouse identities, financial resources and Social Security numbers at a minimum. In actuality, the information was essentially the personnel folders of the plaintiffs. ING reported that Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 2 of 13 -3- this disclosure resulted from an alleged burglary of the home of one of its employees/agents. However, ING officials knew about the theft within hours of the crime but did not inform the plaintiffs until seven (7) days later. Upon learning of the above-described disclosures, ING unreasonably delayed reporting the disclosures to the plaintiffs despite knowledge of the imminent and substantial risk of serious harm to the personal security of the affected employees. ING also knew or should have known that its computer security practices were wholly inadequate. Despite the fact that ING utilized no security devices on the laptop computer that it allowed John Doe to store plaintiffs’ personal data upon, and had specific notice of the potential adverse effect of random and unauthorized disclosures of personal information, ING failed to establish appropriate safeguards to ensure the security and confidentiality of District of Columbia employees’ and retirees’ personnel records and to protect against any anticipated threats or hazards to the security and integrity of those records. And this is so even though it had experienced an eerily similar event in Florida in December 2005. It is against the backdrop of these facts that ING asserts that the plaintiffs have no standing to sue for damages, have failed to state a claim upon which relief can be granted, and because it has “promised” to take care of any financial losses that the affected employees may suffer as a result of its incredibly negligent conduct, any claims that they can advance are moot. II. ARGUMENT A. The Plaintiffs Have Standing To Bring This Lawsuit Pursuant To Statute And Well Established Recognized Case Law The defendant maintains that the plaintiffs have neither suffered nor alleged an actionable (“recognized”) injury and therefore lack standing to bring this lawsuit. What the plaintiffs have Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 3 of 13 -4- specifically and relevantly alleged in their complaint is the following: 2. Plaintiffs, all of whom are current or retired District of Columbia employees, are seven (7) of more than 13,000 current or former District employees, whose private personal information, including Social Security numbers, were improperly, unlawfully, willfully and intentionally disclosed in at least three ways: 1) through the access and removal of data files containing the private personal information of 13 thousand district employees from the Defendant’s facility by employee John Doe; (2) through the transfer of the data to external and unprotected disks and/or computers by John Doe; and (3) through the alleged theft of these disks and/or computers by a third party, the identity of whom may never be known. There disclosures were made without Plaintiffs’ knowledge or consent and violate their clearly established right to privacy. 3. These disclosures were the direct and proximate result of Defendant’s grossly negligent and/or its willful and intentional failure to establish and enforce appropriate safeguards to ensure the security and privacy of District of Columbia employee records and to protect against any known or anticipated threats or hazards to the security and integrity of these records in violation of their clearly established right to privacy. 5. As a result of the Defendant’s acts and omissions in disclosing and failing to protect Plaintiffs’ private personal information, including their Social Security numbers, Plaintiffs and those similarly situated have been placed at a substantial risk of harm in the form of identity theft and have incurred and will incur actual damages in an attempt to prevent identity theft by purchasing services to monitor their credit information. The remedies sought include declaratory and remedial injunctive relief, damages and reasonable attorney’s fees and costs. 16. Defendant ING Life Insurance and Annuity Company (“ING”) provides investment advice, administrative services and record keeping to the plaintiffs as a current participant or retiree in the District of Columbia 457 Deferred Compensation Plan. It is a Delaware Corporation, and does a considerable amount of business in the District of Columbia. 17. As District of Columbia employees participating in its Employer’s Deferred Compensation Plan, plaintiffs were required to provide ING with their private personal information including their social security numbers. 19. ING reported that the disclosure was connected to an alleged burglary of the home of one of its employees/agents. Upon information and belief, on or about June 12, 2006, John Doe, a low-ranking data analyst and long time ING employee, had removed from ING’s facility, D.C. government worker’s files containing private Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 4 of 13 -5- personal information of over 13,000 persons comprised of District of Columbia workers and retirees, and had taken these files to his home. John Doe then copied the files onto his computer and/or external disks for an unspecified purpose. John Doe’s computer and/or disk were allegedly stolen during a burglary of his home. Upon information and belief, these items have not been recovered as of the date of the filing of this Complaint. They are not believed to be encrypted or password protected and can be easily accessed and duplicated. 23. The unauthorized and unconsented disclosure of an individual’s name, address, date of birth and Social Security number creates a substantial risk of identity theft. An individual’s Social Security number is the most useful identifier for retrieving information from public record databases, financial institutions and credit bureaus. Armed with an individual’s name, address, date of birth and Social Security number, an identity thief is able to quickly and easily steal an identity, whereas, without such information, the task is difficult, time consuming and costly. 25. ING’s unauthorized and unconsented disclosures of Plaintiffs’ and Class Members’ private personal information and the imminent and substantial risk of identify theft to which Plaintiffs and Class Members have been exposed is the direct result of Defendant’s failure to (1) establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records; (2) to protect against any anticipated threats or hazards to the security and integrity of those records; and (3) to promptly take reasonable measures to correct the disclosures, including but not limited to, providing law enforcement and the affected District of Columbia employees with prompt and accurate notice of the disclosures. 26. The Defendant’s loss of Plaintiffs’ and Class Members’ private personal information is unprecedented in scope and raises concerns about the safety of many District of Columbia Police Officers and other District of Columbia employees. For example, the Plaintiffs’ and Class Members’ private personal information could be used to find out where police personnel live. As a direct and proximate result of Defendant’s acts and omissions, Plaintiffs and Class Members have been exposed to a risk of substantial harm and inconvenience, and have incurred or will incur actual damages in purchasing comprehensive credit reports and/or monitoring of their identity and credit for the indefinite future. 28. The members of the putative class are so numerous that joinder of individual claims is impracticable. Moreover, there are significant questions of fact and issues of law common to the members of the putative class. These issues include whether Defendant failed to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against known and anticipated threats or hazards to the security and integrity of these records, whether such failure was grossly negligent and/or willful and intentional, Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 5 of 13 -6- whether the putative class members were adversely affected, and whether they incurred actual damages as result. 29. Plaintiffs’ claims are typical of the claims of the putative class. Plaintiffs and all members of the putative class have been adversely affected and damaged in that their private information has been compromised and stolen. 36. The foregoing acts and omissions of the Defendant constitutes an authorized, nonconsensual, and inappropriate disclosure of Plaintiffs’ Social Security numbers in violation of their clearly established right to privacy. 38. The foregoing acts and omissions of Defendant ING constitute a willful and intentional failure to establish appropriate safeguards to ensure the security and privacy of District of Columbia employees records and to protect against known and anticipated threats or hazards to the security and integrity of Plaintiffs’ private personal records in violation of their clearly established right of privacy. 40. The foregoing acts and omissions of Defendant ING constitute gross negligence and such negligence was the proximate cause of Plaintiffs’ private personal information being disclosed to unknown parties in the public arena. 42. The foregoing acts and omissions of Defendant ING constitute negligence and such negligence was the proximate cause of Plaintiffs’ private personal information being disclosed to unknown parties in the public arena. In addition, the relief sought by the plaintiff is also of significance: WHEREFORE, Plaintiffs, on behalf of themselves and all others similarly situated, hereby demand judgment against Defendant as follows: a. For a declaration that Defendant’s acts and omission constitute a willful and intentional failure to establish appropriate safeguards to ensure the security and privacy of District of Columbia employees and retirees records and to protect against known and anticipated threats or hazards to the security and integrity of these records in violation of Plaintiffs’ clearly established right to privacy. b. For preliminary and permanent injunctive relief enjoining, prohibiting and preventing Defendant from continuing to operate without appropriate safeguards to ensure the security and privacy of District of Columbia employee records and to protect against anticipated threats or hazards to the security and integrity of these records, and an identity and/or credit monitoring program for the benefit of Plaintiffs and the proposed class under the Court’s supervision to safeguard against the serious harm attendant to the improper disclosure/theft of confidential information; Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 6 of 13 -7- c. For an award of damages for Plaintiffs and each affected class member in an amount of no less than $10,000.00 as well as an identity and/or credit monitoring program for the benefit of Plaintiffs and the proposed class under the Court’s supervision to safeguard against the serious harm attendant to the improper disclosure/theft of confidential information; d. For an award of reasonable attorney fees and costs incurred by Plaintiffs and the members of the putative class in prosecuting this matter; and e. For an award of such other relief in law and equity to which Plaintiffs and the members of the putative class may be entitled under the premises. Contrary to the position of the defendant, the plaintiffs’ allegations fully support three (3) separate avenues of recovery. The first is for an unwarranted invasion of personal privacy or more specifically stated, the breach of a fiduciary duty. In Vassiliades v. Garfinckel’s, 492 A.2d 580, the D.C. Court of Appeals explained it thusly: The tort of breach of confidential relationship is generally described as consisting of the “unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship.” [citation omitted] * * * * * this court has held that persons who occupy a fiduciary relationship must scrupulously honor that trust and confidence reposed in them because of that special relationship, and that the breach of a fiduciary duty warrants the imposition of damages. [citations omitted] Id. at 591. ING undeniably occupies a fiduciary relationship with the plaintiffs. Complaint ¶ 16, Bolchoz Affidavit at ¶ 13, D.C. Code § 1-702, D.C. Code § 1-626.04. See also Wagman v. Lee, 457 A.2d 401,405 (D.C. 1983)(there can be no question as to the existence of the fiduciary capacity in a case where the agent has been entrusted with money to be used for a specific purpose). The plaintiffs have unequivocally alleged a breach of the duty owed by ING. Complaint ¶¶ 3, 5, 25, 26, Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 7 of 13 -8- 36, 38, 40 and 42. Further, case law in the District of Columbia is unequivocal in that the breach of a fiduciary duty warrants the imposition of damages.” Vassiliades, supra., Wagman, supra. If this were not enough, D.C. Code § 1-626.14 specifically provides as follows A civil action may be brought by a participant or a beneficiary of the Trust, . . . to enjoin any act or practice that violates any provision of this Chapter or the terms of the retirement program, and for other appropriate legal and equitable relief . . . Additionally, D.C. Code § 1-747 specifically provides: (a) A civil action may be brought: (1) By a participant or beneficiary . . . (B) To recover benefits due to him under the terms of the retirement program . . . (3) By a participant or beneficiary . . . (A) To enjoin any act or practice which violates any provision of this chapter or the terms of a retirement program; or (B) To obtain other appropriate equitable relief: (I) To redress any such violation; or (ii) To enforce any provisions of this chapter or the terms of a retirement program Accordingly, the plaintiffs clearly have standing to bring this lawsuit as they are all participants in either the District Retirement Benefits Program D.C. Code § 1-626.05 (District employees) or the District of Columbia Retirement Program (Police, Firefighters, Teachers and Judges) D.C. Code § 1-702. The defendant’s position in its motion is that the “plaintiffs fail to allege injury in-fact sufficient to confer standing.” Mot. Mem. at 6. This position simply misstates the facts and the law Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 8 of 13 / The cases cited by the defendant for this proposition are Giordano v. Wachovia Sec., LLC,1 No. 06-476, 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. CIV 03-0185-PHX-5RB, 2005 U.S. Dist. LEXIS 41054 (D.Ariz. Sept. 6, 2005); Guin v. Brazos Higher Ed. Serv. Corp., Inc., No. 05-668, 2006 U.S. Dist. LEXIS 4846 (continued...) -9- applicable to those facts. A fiduciary relationship exists between the parties, and the breach of a fiduciary duty, as is alleged here, by failing to act with the case, skill, prudence, and diligence under the circumstances then prevailing that a prudent individual acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims. D.C. Code § 1-626.13 & 1-714, specifically provides a basis for recovery under the law. Vassiliades, supra. At this point in the case, the pleading stage, the issue is not whether the plaintiffs have established sufficient proof of damages. Rather, the issue is whether the plaintiffs have sufficiently pled claims for such damages. Steven Pharmaceuticals, Inc. v. F.D.A., 402 F.3d 1249. 1253 (D.C. Cir. 2005). And while the Court may consider materials outside the pleadings in the context of a motion to dismiss premised upon lack of jurisdiction, the Court must still accept the factual allegations of the complaint as true. Id. Plaintiffs’ complaint, as noted previously, clearly alleges a fiduciary relationship, and a breach of a fiduciary duty. As such, a basis for the imposition of damages exists. Vassiliades, supra at 592; D.C. Code § 1-747; D.C. Code § 1-626.14. In support of its position that the plaintiffs here have failed to allege a “recognized injury,” the defendant cites four (4) recent cases from Arizona, Minnesota and New Jersey, which found that the “risk of identity theft as a result of lost or stolen data is not a recognized injury.” Mot. Mem. at 9. Those cases, however, are clearly and easily distinguished from this case. Significantly, none1 Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 9 of 13 (...continued)1 (D.Minn. Feb. 7, 2006) and Forbes v. Wells Fargo Bank, N.A., 420 F.Supp. 2d 1018 (D.Minn. 2006) -10- of those cases contained an issue addressing District of Columbia Law; neither case involved specific statutes allowing for suits to be brought for the breach of a fiduciary duty regarding a retirement plan; neither of those cases involved a specific allegation of a breach of fiduciary duty, and importantly, neither of those cases were premised on the uncontested, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship that this jurisdiction has deemed actionable. Vassiliades, supra. at 591. Indeed, in Giordano the court noted that Plaintiff’s Complaint merely alleges that a version of her personal information was lost and conceded that there is no evidence that the information was stolen. Giordano, supra. at 5. In Forbes, supra, the plaintiff did not pursue a claim for breach of fiduciary duty. Id. at n. 2. Likewise in Stollenwerk, the plaintiffs did not pursue a breach of confidentiality nor a breach of confidential relationship claim, and in Guin, the plaintiff voluntary dismissed his claim for breach of fiduciary duty. The law in the District of Columbia is clear and unequivocal, and the plaintiffs have stated a cause of action within the parameters of that law regarding the disclosure of nonpublic information that a defendant has learned within a confidential relationship. Thus, unlike Forbes, Stollenwerk, Guin, and Giordano, the plaintiffs have standing to advance this action in the Superior Court of the District of Columbia, where this action was filed, and before this Court, where this action was Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 10 of 13 / In a bit of irony or more probably forum shopping, the defendant removed this case to this2 Court and now contends that this Court is without subject matter jurisdiction. If indeed this Court makes such a determination, despite the overwhelming authorities to the contrary, 28 U.S.C. § 1447 ( c) is unequivocal, “If at any time before final judgment it appears that the district court lacks subject matter jurisdiction, the case shall be remanded.” In addition, “the court must resolve all doubts about federal jurisdiction in favor of remand to the state court.” Walker v. Waller, 267 F.Supp. 2d 31, 32 (D.D.C. 2003); Nwachukwu v. Karl, 223 F.Supp. 2d 60, 66 (D.D.C. 2002). -11- removed by the defendant. 2 B. Plaintiffs’ Complaint Fully Set Forth Claims Upon Which Relief Can Be Granted As noted previously, the plaintiffs’ complaint has clearly alleged a duty on the part of the defendant, who had a confidential relationship with the plaintiffs, and a breach of the duty owed which provide a basis for the imposition of damages. Vassiliades, supra.; Wagman, supra. In addition to these precedents, D.C. Code §§ 1-742, 1-747 and D.C. Code §§ 1-626.13, 1-626.14 also provides independent bases for the recovery of damages against this defendant. The fact that the defendant has misconstrued the claims being advanced by the plaintiff is of no moment. In order to survive a Rule 12(b)(6) motion, a complaint only need provide a short and plain statement of the claim and the grounds upon which it rests. F.R.C.P. 8(a)(2); Conley v. Gibson, 355 U.S. 41, 47 (1957). A motion filed pursuant to Rule 12(b)(6) does not test the merits of a plaintiff’s complaint instead, it tests whether the plaintiff has properly stated a claim. F.R.C.P. 12(b)(6); Karl, supra., at 69. In sum, the Court may only dismiss a complaint for failure to state a claim only if it is clear that plaintiffs can prove no set of facts in support of their claim which would entitle them to relief. Barr v. Clinton, 370 F.3d 1196, 1202 (D.C. Cir. 2004). Because plaintiffs’ complaint does in fact set forth claims under District of Columbia statutory law and pursuant to a breach of confidential relationship,” defendant’s motion must be Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 11 of 13 -12- denied. C. There Is Nothing At All Moot About This Litigation The defendant filed a motion to dismiss, attached an affidavit to that motion and now is asking the Court to ignore the language of Rule 12. If, on a motion asserting the defense numbered (6) to dismiss for failure of the pleading to state a claim upon which relief can be granted, matters outside the pleadings are presented to and not excluded by the court, the motion shall be treated as provided in Rule 56 . . . Should the Court exclude the affidavit of Mr. Bolchoz, no basis for mootness exists. Should the Court consider the Bolchoz affidavit, the plaintiffs must be allowed the opportunity to conduct discovery. Anderson v. Libby Lobby, 477 U.S. 242 (1986); F.R.C.P. 56. More importantly, however, is the fact that this defendant has not provided any “damages” to the plaintiffs as has been demanded by the plaintiffs in their complaint, nor is it contended that it has. The plaintiffs have made a specific demand for monetary relief and no such relief has been tendered. Plaintiffs are entitled to monetary damages in this case as to the claims they have advanced. Vassiliades, supra.; Wagman, supra. Furthermore, the plaintiffs vigorously dispute that this defendant has taken the remedial actions alleged, and notes that hearsay statements such as “Equifax has described ILIAC as ‘rais[ing] the bar in terms of the ‘best in class’ responses” to “data breach” incidents,” are entirely inadmissible and meaningless. There is in actuality no issue of mootness but to the extent one is deemed before the Court, the plaintiffs should be afforded the opportunity to conduct discovery in order to expose the hollow contentions of the defendant regarding its alleged remedial activities. Wherefore for the reasons stated herein and in the record of this proceeding and because no Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 12 of 13 -13- basis exists for an order dismissing plaintiffs’ claims, defendant’s motion should be summarily denied. Alternatively, should the Court determine that it has no subject matter jurisdiction, this case should be remanded to the D.C. Superior Court pursuant to 28 U.S.C. § 1447( c). Request For Oral Hearing Pursuant to LcvR 7.1(f), the plaintiffs request that this matter be scheduled for oral hearing. Respectfully submitted, Gregory L. Lattimer [371926] 1100 H Street, N.W. Suite 920 Washington, D.C. 20005 (202) 638-0095 Ted J. Willliams 1200 G Street, N.W. Suite 800 Washington, DC 20005 (202) 434-8744 Case 1:06-cv-01228-CKK Document 14 Filed 09/25/2006 Page 13 of 13