Resnick et al v. AvMed, Inc.
RESPONSE in Opposition re Defendant's MOTION to Dismiss 31 Amended Complaint, and incorporated memorandum of law
S.D. Fla.
May 31, 2011

UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF FLORIDA

Case No. 10-cv-24513-JLK

JUANA CURRY and WILLIAM MOORE, individually and on behalf of a class of similarly situated individuals, Plaintiffs,
v.
AVMED, INC., d/b/a/ AvMed, a Florida Corporation, Defendant,

The Honorable James Lawrence King

PLAINTIFFS’ RESPONSE IN OPPOSITION TO DEFENDANT AVMED, INC.’S MOTION TO DISMISS

Case 1:10-cv-24513-JLK Document 35 Entered on FLSD Docket 05/31/2011 Page 1 of 34

TABLE OF CONTENTS

INTRODUCTION
STATEMENT OF FACTS
    A. The AvMed Data Breach
    B. AvMed Was Obligated By The Written Services Contract To Protect Plaintiffs’ Sensitive Information
    C. AvMed Customer Moore’s Identity Was Stolen And Used To Open A Bank Account At E*Trade And Withdraw $4,298.77
    D. AvMed Customer Curry’s Identity Was Stolen And Used To Open A Bank Account At Bank of America, Obtain Credit Cards, and Make Purchases.
LEGAL STANDARD
ARGUMENT
I. The Complaint Sufficiently Alleges Actual Damages As Both Plaintiffs, Whose Identities Were Stolen And Misused, Suffered Monetary Damages
    A. Plaintiffs Suffered Monetary Damages In The Form Of Overdrafts, Fraudulent Charges, and Financial Outlays and Losses Associated With The Data Breach
    B. Plaintiffs Are Entitled To Recover Money Spent Monitoring Their Credit And Preventing Additional Harm Because They Have Suffered Actual (Rather Than Potential) Identity Theft.
    C. Plaintiffs Are Entitled To Recover For the Anxiety And Emotional Distress Caused By AvMed’s Breach of its Duty of Confidentiality.
II. The Complaint Sufficiently Alleges Injury Under the Twombly Plausibility Standard, And The Law of the Case Doctrine Does Not Bar Plaintiffs’ Claims.
    A. The Complaint Satisfies the Twombly Plausibility Standard By Sufficiently Alleging That Plaintiffs’ Identity Thefts Were Caused By AvMed’s Data Breach.
    B. The Law of the Case Doctrine Does Not Bar Plaintiffs’ Claims As No Final Judgments Have Been Entered And The Case Has Remained Within the Jurisdiction of the District Court.
III. The Complaint Sufficiently States A Claim For Negligence
    A. The Complaint Sufficiently Alleges That The Data Breach Proximately Caused Plaintiffs’ Identity Thefts.
    B. The Economic Loss Rule Does Not Bar Plaintiffs’ Negligence Claims
IV. The Complaint Sufficiently States A Claim For Negligence Per Se
V. The Complaint Sufficiently States A Claim For Breach of Express Contract.
    A. Plaintiffs Have Sufficiently Pleaded The Existence of a Valid Contract.
    B. The Pre-existing Duty Rule Is Inapplicable.
    C. The Complaint Sufficiently States A Claim For Breach of the Covenant of Good Faith and Fair Dealing
VI. The Complaint Sufficiently Alleges An Alternative Claim for Breach of Implied Contracts
VII. The Complaint Sufficiently States An Alternative Claim For Unjust Enrichment
VIII. The Complaint Sufficiently States A Claim For Breach of Fiduciary Duty
CONCLUSION

TABLE OF AUTHORITIES

Supreme Court Cases

Ashcroft v. Iqbal, 127 S.Ct. 1937 (2009)
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 127 S. Ct. 1955 (2007)
Christopher v. Harbury, 536 U.S. 403 (2002)
Conley v. Gibson, 355 U.S. 41 (1957)
Swierkiewicz v. Sorema N.A., 534 U.S. 506 (2002)

United States Court of Appeals Cases

Aldana v. Del Monte Fresh Produce N.A., Inc., 578 F.3d 1283 (11th Cir. 2009)
Burger King Corp. v. Weaver, 169 F.3d 1310 (11th Cir. 1999)
Edwards v. Prime, Inc., 602 F.3d 1276 (11th Cir. 2010)
Exxon Corp. v. United States, 931 F.2d 874 (Fed. Cir. 1991)
F.D.I.C. v. Stahl, 89 F.3d 1510 (11th Cir. 1996)
First Alabama Bank of Montgomery, N.A. v. Parsons Steel, Inc., 825 F.2d 1475 (11th Cir. 1987)
Glover v. Ligett Group, Inc., 459 F.3d 1304 (11th Cir. 2006)
Hill v. White, 321 F.3d 1334 (11th Cir. 2003)
Holcomb v. United States, 622 F.2d 937 (7th Cir. 1980)
Marsh v. Butler County, Ala., 268 F.3d 1014 (11th Cir. 2001)
Norelus v. Denny’s, Inc., 628 F.3d 1270 (11th Cir. 2010)
Pielage v. McConnell, 516 F.3d 1282 (11th Cir. 2008)
Pisciotta v. Old Nat. Bancorp, 499 F.3d 629 (7th Cir. 2007)
Stollenwerk v. Tri-W. Health Care Alliance, 254 F. App’x. 664 (9th Cir. 2007)
Tiara Condo. Ass’n, Inc. v. Marsh & McLennan Companies, Inc., 607 F.3d 742 (11th Cir. 2010)
United States v. Baker, 432 F.3d 1189 (11th Cir. 2005)
United States v. Escobar-Urrego, 110 F.3d 1556 (11th Cir. 1997)
Vintilla v. United States, 931 F.2d 1444 (11th Cir. 1991)

United States District Court Cases

De Sterling v. Bank of Am., N.A., 2009 WL 3756335 (S.D. Fla. Nov. 6, 2009)
Donnelly v. Circuit City Stores, Inc., 2007 WL 896337 (M.D. Fla. Mar. 22, 2007)
Gardner et al. v. Health Net, Inc., Case No. 2:10-CV-02140-PA-CW (C.D. Cal. 2010)
Guin v. Brazos Higher Ed. Serv. Corp, Inc., 2006 WL 288483 (D. Minn. Feb. 7, 2006)
Hammond v. The Bank of New York Mellon Corp., 2010 WL 2643307 (S.D. N.Y. June 25, 2010)
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108 (D. Me. 2009)
Jones v. Commerce Bancorp, Inc., 2006 WL 1409492 (S.D. N.Y. May 23, 2006)
Nautica Int’l, Inc. v. Intermarine, 5 F.Supp.2d 1333 (S.D. Fla. 1998)
Scherer v. Laborers’ Int’l Union of N. Am., 746 F. Supp. 73 (N.D. Fla. 1988)
Shafran v. Harley Davidson, 2008 WL 763177 (S.D. N.Y. Mar. 30, 2008)
Silver v. Countrywide Home Loans, Inc., 2011 WL 121701 (S.D. Fla. 2011)
Shames-Yeakel v. Citizens Fin. Bank, 677 F. Supp. 2d 994 (N.D. Ill. 2009)
Winter Park Condo. Ltd. P’ship v. Wachovia Bank, N.A., 2009 WL 290992 (M.D. Fla. Feb. 6, 2009)
Witriol v. LexisNexis Group, 2006 WL 4725713 (N.D. Cal. Feb. 10, 2006)
Zarrella v. Pac. Life Ins. Co., 2010 WL 4663296 (S.D. Fla. Nov. 10, 2010)

State Cases

Am. Safety Ins. Serv., Inc. v. Griggs, 959 So.2d 322 (Fla. Dist. Ct. App. 2007)
Baron v. Osman, 39 So. 3d 449 (Fla. Dist. Ct. App. 2010)
Bromer v. Fla. Power & Light Co., 45 So.2d 658 (Fla. 1948)
Commerce P’ship v. Equity Contracting Co., 695 So.2d 383 (Fla. Dist. Ct. App. 1997)
Coral Gables Fed. Sav. & Loan Ass'n v. City of Opa-Locka, 516 So. 2d 989 (Fla. Dist. Ct. App. 1987)
County of Brevard v. Miorelli Eng’g, Inc., 703 So.2d 1049 (Fla. 1997)
Daly v. Metro. Life Ins. Co., 4 Misc. 3d 887 (N.Y. Sup. Ct. 2004)
deJesus v. Seaboard Coast Line Railroad Co., 281 So.2d 198 (Fla. 1973)
Florida Dept. of Corr. v. Abril, 969 So.2d 201 (Fla. 2007)
Goldberg v. Florida Power & Light Co., 899 So. 2d 1105 (Fla. 2005)
Gracey v. Eaker, 837 So.2d 348, 352 (Fla. 2002)
Herndon v. Shands Teaching Hosp. & Clinics, Inc., 23 So. 3d 802 (Fla. Dist. Ct. App. 2009)
Hewitt v. Avis Rent-A-Car Sys., Inc., 912 So. 2d 682 (Fla. Dist. Ct. App. 2005)
Kuhn v. Capital One Fin. Corp., 2006 WL 3007931 (Mass. App. Ct. 2006)
LeMaster v. Glock, 610 So.2d 1336, 1338 (Fla. Dist. Ct. App. 1992)
McMillan v. Shivley, 23 So.3d 830 (Fla. Dist. Ct. App. 2009)
PK Ventures, Inc. v. Raymond James & Assocs., 690 So.2d 1296 (Fla. 1997)
Rabon v. Inn of Lake City, 693 So.2d 1126 (Fla. Dist. Ct. App. 1997)
Reynolds v. State Farm Mut. Auto. Ins. Co., 611 So. 2d 1294 (Fla. Dist. Ct. App. 1992)
Susan Fixel, Inc. v. Rosenthal & Rosenthal, Inc., 842 So. 2d 204 (Fla. Dist. Ct. App. 2003)
Zinn v. GJPS Lukas, Inc., 695 So.2d 499 (Fla. Dist. Ct. App. 1997)

Statutory Provisions

42 U.S.C.A. § 1320d
Fla. Stat. § 395.3025

Secondary Sources

Corbin, Arthur L. Corbin on Contracts § 1.19 (Joseph M. Perillo ed. 2010)

INTRODUCTION

Plaintiffs’ Second Amended Complaint (“SAC”) alleges new facts that cure the gaps identified by the Court in Plaintiffs’ First Amended Complaint (“FAC”) such that Plaintiffs may now seek recovery for the harms caused by AvMed - the insurance company that Plaintiffs trusted with their most personal and confidential information. AvMed abused that trust. AvMed (1) required Plaintiffs to provide it with highly sensitive information, (2) promised, and subsequently failed, to secure that information, and, in turn, (3) caused identity theft and monetary damages to Plaintiffs (both of whom had both previously taken extraordinary measures to protect their identities). Compounding matters, AvMed suppressed the news of its tortious conduct, which prevented AvMed consumers from protecting themselves. Plaintiffs’ new allegations address the concerns noted by the Court’s previous Order and allow Plaintiffs to hold AvMed responsible for its unlawful actions and shameful corporate citizenry.

Plaintiffs’ FAC was previously brought by six named plaintiffs on behalf of a class seeking to hold AvMed liable for the disclosure of their highly confidential medical and financial information. (Dkt. No. 15.) However, of the original six named plaintiffs, only Juana Curry (“Curry”) had suffered actual identity theft and monetary damages as a result of the breach. In its April 5, 2011 Order, the Court found that the other five named plaintiffs failed to state a cause of action against AvMed because “a heightened likelihood of identity theft … does not represent a cognizable injury.” (Dkt. No. 30, p. 2.)
The Court also found that “to the extent [Curry] alleges that she suffered actual identity theft and traces that theft back to the theft of computers taken from Defendant’s corporate headquarters,” her allegations did not meet the standard set forth in Bell Atlantic v. Twombly, 550 U.S. 544 (2007). Plaintiffs have now aptly, through their new allegations, met and exceeded that standard.

To cure these deficiencies, Plaintiffs made three substantive changes to their Second Amended Complaint (“SAC”) (Dkt. No. 31). First, the five former named plaintiffs that did not allege actual identity theft were dismissed. Second, William Moore (“Moore”) - another individual who suffered actual identity theft and monetary damages - was added. Third, additional specific facts were alleged to demonstrate that AvMed’s data breach was the sole cause of both Curry’s and Moore’s identity thefts. As alleged, Plaintiffs, prior to the data breach, had never had their identities stolen and both had been habitually vigilant to protect themselves from identity theft. These allegations exceed the Twombly threshold as they demonstrate that AvMed’s disclosure of Plaintiffs’ personal information caused their identity thefts.

AvMed’s motion to dismiss (Dkt. No. 33) simply pretends as though these amendments were never made, and argues that neither Plaintiff is entitled to any recovery. This argument ignores the plain language of the SAC establishing that AvMed’s failure to properly store and protect Plaintiffs’ confidential information caused them to suffer actual identity theft and monetary damages. In the end, AvMed’s facial attack amounts to nothing more than an attempt to force Plaintiffs to prove their claims at the pleading stage - something that is not required of any litigant. For these reasons, as explained below, AvMed’s motion to dismiss should be denied in its entirety.

STATEMENT OF FACTS

A. The AvMed Data Breach

On December 10, 2009, two laptop computers were stolen from AvMed’s corporate office containing approximately 1.2 million AvMed members’ Social Security numbers (“SSNs”), personally identifying information, medical information, and protected health information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”) (collectively, “Sensitive Information”). (SAC [cited as ¶] 2.) After the theft, it was discovered that AvMed failed to encrypt or even password-protect the Sensitive Information contained on the stolen laptop computers in direct contravention of industry-wide standards mandating the encryption of Sensitive Information. (¶35.) AvMed confessed that its consumers’ Sensitive Information was not properly protected. (Dkt. 15-5, p. 2.) As a result, any person is able to access AvMed’s enrollees’ Sensitive Information and medical records. (¶28.)

On or about February 3, 2010, AvMed - for the first time - publicly revealed the data breach and notified 360,000 potentially affected members. (¶¶27-28.) AvMed then waited until June 3, 2010 - one hundred and seventy-four (174) days after the breach was discovered - to finally disclose that an additional 860,000 current and former members were victimized. (¶31.) In deliberate disregard of the fact that at least one stolen laptop computer was unprotected, AvMed downplayed the seriousness of the incident by telling Plaintiffs and the Class that the Sensitive Information “was listed in such a way that the risk of identity theft is very low….” (Dkt. 15-5, p. 2). This statement of false assurance was given despite AvMed’s knowledge, and subsequent admissions, that the Sensitive Information was not secure, and hindered AvMed’s customers from taking necessary precautions. (¶34.)
Even worse, the thief sold the unencrypted, unprotected AvMed computer to another criminal who has a history of dealing in stolen property. (¶25.)

B. AvMed Was Obligated By The Written Services Contract To Protect Plaintiffs’ Sensitive Information.

Plaintiffs and AvMed entered into a written services contract wherein AvMed promised, inter alia, to protect and safeguard Plaintiffs’ Sensitive Information. (¶21.) As such, AvMed was contractually obligated to encrypt Plaintiffs’ Sensitive Information, implement procedures to prevent Plaintiffs’ Sensitive Information from being lost and/or accessed by unauthorized third parties, and to only disclose Plaintiffs’ Sensitive Information with consent or when required to do so by law. (¶¶18, 19, 20, 21.) AvMed itself confessed that it did not protect and safeguard this information. (Dkt. 15-5, p. 2.)

C. AvMed Customer Moore’s Identity Was Stolen And Used To Open A Bank Account At E*Trade And Withdraw $4,298.77.

In or around February 2011, Moore’s identity was stolen and used to open a bank account with E*Trade Financial (“E*Trade”) in his name. (¶60.) On April 5, 2011, Moore’s E*Trade account was overdrawn by $4,298.77 by an unauthorized third party. (¶63.) Despite the fact that Moore reported the identity theft to E*Trade, E*Trade continues to hold Moore responsible for the overdrawn amount of $4,298.77. (¶63.)

Prior to AvMed’s data breach, Moore’s identity had never been stolen or compromised in any way. (¶¶68-69.) Indeed, prior to the breach, and continuing thereafter, Moore has taken habitual and extraordinary measures to protect himself from identity theft. (¶71.) Beginning years prior to the data breach and continuing to this day, Moore regularly monitors his credit for unusual activity. (¶70.) Moore has never transmitted unencrypted Sensitive Information over the Internet, or any other unsecured source. (¶71.)
Moore stores documents containing Sensitive Information in a safe and secure physical location, and destroys any documents received in the mail that contain any of his Sensitive Information, or that contain any information that could otherwise be used to steal his identity. (¶71.)

D. AvMed Customer Curry’s Identity Was Stolen And Used To Open A Bank Account At Bank of America, Obtain Credit Cards, and Make Purchases.

In or around October 2010, Curry’s identity was stolen and used to make fraudulent purchases in her name, open fake bank accounts with Bank of America, change her home address with the Postal Service, and obtain credit cards. (¶44.) Consequently, Curry was forced to spend time and money placing alerts on her credit and contesting the fraudulent charges made in her name. (¶47.) In fact, Curry missed work and incurred significant lost monies and goodwill at her place of employment due to forced absences while attempting to remedy the effects of AvMed’s data breach. (¶49.) Due to the identity theft, Curry was also forced to subscribe to LifeLock, an identity theft protection service costing her $17.00 per month. (¶48.)

Like Moore, prior to AvMed’s data breach, Curry’s identity had never been stolen or compromised in any way. (¶¶53-54.) Indeed, Curry took substantial precautions to protect herself from identity theft. (¶55.) Curry has never transmitted unencrypted Sensitive Information over the Internet, or any other unsecured source. (¶55.) Curry stores documents containing Sensitive Information in a safe and secure physical location, and destroys any documents she receives in the mail that contain any of her Sensitive Information, or that contain any information that could otherwise be used to steal her identity. (¶55.)
LEGAL STANDARD

In deciding a Rule 12(b)(6) motion to dismiss, the Court must accept all factual allegations in a complaint as true and take them in the light most favorable to plaintiff. Christopher v. Harbury, 536 U.S. 403, 406 (2002); Hill v. White, 321 F.3d 1334, 1335 (11th Cir. 2003). A complaint should not be dismissed unless it appears beyond doubt that the plaintiff can prove no set of facts that would entitle him to relief. Conley v. Gibson, 355 U.S. 41, 45-46 (1957); Marsh v. Butler County, Ala., 268 F.3d 1014, 1022 (11th Cir. 2001). To satisfy the pleading requirements of Federal Rule of Civil Procedure 8, a complaint must simply give the defendant fair notice of the plaintiff’s claim and the grounds upon which it rests. Swierkiewicz v. Sorema N.A., 534 U.S. 506, 512 (2002). Plaintiffs have clearly met this standard.

ARGUMENT

I. The Complaint Sufficiently Alleges Actual Damages Because Both Plaintiffs, Whose Identities Were Stolen And Misused, Suffered Monetary Damages.

Plaintiffs’ amended allegations have squarely addressed the deficiencies identified by the Court in its April 5, 2011 Order (Dkt. No. 30.) In the Order, the Court found that the “possibility of risk [of identity theft] does not represent a cognizable injury.” (Dkt. No. 30, p. 2.) Far from the mere possibility of identity theft, Moore and Curry have already suffered actual identity theft.[1] (¶¶43, 59.) Indeed, Moore’s identity was used to open an E*Trade bank account and overdraw $4,298.77 (¶62), while Curry’s identity was used to open bank accounts and make purchases on credit cards opened in her name. (¶¶44, 45.)
In choosing to ignore these amendments (or perhaps due to a glitch in its “Workshare DeltaView software program”), AvMed disingenuously argues that Plaintiffs have failed to allege actual damages because (i) Plaintiffs have not alleged that they suffered any monetary damages, (ii) money spent on credit monitoring is not compensable, and (iii) anxiety and emotional distress are not compensable injuries in the data breach context. Each argument fails and completely ignores the clear language of the SAC.

[1] Since Moore and Curry have alleged actual identity theft, the numerous cases cited by AvMed for the proposition that “substantial increased risk of identity theft” is not a cognizable injury are entirely inapplicable. Instead, the only relevant data breach cases are those in which the plaintiff’s confidential information was entrusted to a commercial party, was stolen, and was actually misused. See, e.g., Daly v. Metro. Life Ins. Co., 4 Misc. 3d 887, 891, 782 N.Y.S.2d 530 (N.Y. Sup. Ct. 2004) (holding that damages and the causal connection to defendant’s failure to maintain data security were questions of fact where data was compromised and misused); see also Jones v. Commerce Bancorp, Inc., 2006 WL 1409492 (S.D. N.Y. May 23, 2006) (holding that time attempting to remedy an identity theft caused by a data breach was sufficient to allege damages, and allowing breach of contract, breach of fiduciary duty, and negligence claims to proceed). Thus, AvMed’s reliance on cases discussing a mere “substantial increased risk of identity theft” are inapposite.

A. Plaintiffs Suffered Monetary Damages In The Form Of Overdrafts, Fraudulent Charges, and Financial Outlays and Losses Associated With The Data Breach.
AvMed’s attempt to argue that Moore and Curry have not incurred actual damages ignores the plain allegations of the SAC and the fact that both Plaintiffs have suffered actual identity theft. Plainly and unequivocally, courts find the existence of actual damages in every instance of actual identity theft. See, e.g., Stollenwerk v. Tri-W. Health Care Alliance, 254 F. App’x. 664, 667-68 (9th Cir. 2007); Kuhn v. Capital One Fin. Corp., 2006 WL 3007931, *3 (Mass. App. Ct. 2006); Daly v. Metro. Life Ins. Co., 4 Misc. 3d 887, 893 (N.Y. Sup. Ct. 2004); Jones v. Commerce Bancorp, Inc., 2006 WL 1409492, *2 (S.D. N.Y. May 23, 2006); Shames-Yeakel v. Citizens Fin. Bank, 677 F. Supp. 2d 994, 1009 (N.D. Ill. 2009). Thus, by pleading that both Plaintiffs suffered actual identity theft, actual damages are presumed as a matter of law.

Even without this presumption, the SAC describes the actual monetary damages incurred as a result of both Moore’s and Curry’s identity theft. In fact, the SAC specifically alleges that despite reporting the identity theft to E*Trade, “E*Trade holds Moore responsible for the overdrawn amount of $4,298.77.” (¶63.) Likewise, Curry continues to contest and challenge fraudulent credit card charges with Bank of America. (¶48.) As a result of AvMed’s tortious conduct, Plaintiffs have incurred debt that they would not have otherwise been burdened with.

Additionally, both Moore and Curry were forced to spend money placing alerts with the various credit bureaus and incur out-of-pocket costs related to travel, use of cellular telephone minutes, postage, and credit-monitoring services. (¶¶51, 66.) Curry was also forced to miss work on several occasions to meet with police officers, causing her to lose monies and goodwill with her employer as a result of dealing with the data breach and subsequent identity theft. (¶49.)
In an attempt to mitigate the devastating effect of her stolen identity, Curry also pays $17.00 per month for a subscription to LifeLock - an identity theft protection service. (¶48.) Given the glut of allegations concerning Moore’s and Curry’s monetary damages, AvMed’s attempt to argue that they failed to allege actual injury clearly fails.

AvMed is flat wrong that Moore must allege that he actually paid E*Trade for the amount of the overdraft, or that Curry must allege that her fraudulent credit card charges “went unreimbursed” to state a cognizable injury.[2] (Dkt. No. 33, p. 14.) On a motion to dismiss, the Court must view the complaint in the light most favorable to the plaintiff, and accept all reasonable inferences as true. Glover v. Ligett Group, Inc., 459 F.3d 1304, 1308 (11th Cir. 2006). Thus, it may be reasonably inferred from the SAC, that Plaintiffs remain responsible for damages incurred by the misuse of their stolen identities - especially given that the SAC specifically alleges that E*Trade continues to hold Moore responsible for the fraudulent overdraft.

[2] The sole case that AvMed cites for its novel theory - In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108 (D. Me. 2009) - is fully distinguishable. In Hannaford, the plaintiffs’ claims were based only on the theft of their credit card numbers and not their identities. Id. at 133-34. As such, their claims were necessarily limited to the fraudulent credit card charges that their banks refused to reimburse. Here, however, both Plaintiffs’ identities were stolen, and unlike a stolen credit card, a stolen identity cannot be cured with a single telephone call to the bank. Thus, it is irrelevant that Curry did not allege that her credit card charges “went unreimbursed” because, unlike the Hannaford plaintiffs, she was forced to spend time and money combating her identity theft and monitoring her credit.

B. Plaintiffs Are Entitled To Recover Money Spent Monitoring Their Credit And Preventing Additional Harm Because They Have Suffered Actual (Rather Than Potential) Identity Theft.

AvMed argues that recovery for credit monitoring has been “overwhelmingly rejected by just about every court to consider it.” (Dkt. No. 33, p. 14.) This argument again turns a blind eye to the fact that both Moore and Curry - the only plaintiffs named in the SAC - have both suffered actual identity theft. Indeed, where actual identity theft has been alleged, the attendant damages including expenses associated with credit monitoring are recoverable. See Witriol v. LexisNexis Group, 2006 WL 4725713, *6 (N.D. Cal. Feb. 10, 2006) (plaintiffs are entitled to recover the “costs associated with monitoring and repairing credit impaired by the unauthorized release of private information”); see also Kuhn v. Capital One Fin. Corp., 2006 WL 3007931, *3 (Mass. App. Ct. 2006) (plaintiffs are entitled to recover “the value of the time spent in seeking to prevent or undo the harm” of a data breach).

The court’s opinion in Witriol v. LexisNexis Group is particularly instructive. In Witriol, the plaintiff and the putative class alleged no other damages aside from money spent monitoring their credit. Witriol, 2006 WL 4725713 at *6. The Court found that the plaintiffs’ allegations of credit monitoring expenses were sufficient to state a claim. See Id. at *6 (“Plaintiff has expressly alleged that, he and the Class Members have incurred costs associated with monitoring and repairing credit impaired by the unauthorized release of private information. Thus, Plaintiff has sufficiently alleged that he has suffered actual injury and sustained monetary loss as a result of Defendants’ actions”).

Similarly, in Kuhn v. Capital One Fin. Corp., the plaintiff did not even allege that the data breach resulted in direct monetary damage. Kuhn, 2006 WL 3007931, *1. Even so, the court still found that the plaintiff was entitled to damages because of “time … making long distance calls, contacting the various credit rating agencies in order to get the fraudulent accounts closed and prevent future fraudulent activity under her name.” Id. at *3. Accordingly, the appellate court reversed entry of summary judgment for breach of contract, breach of the covenant of good faith and fair dealing, negligence, and breach of fiduciary duty. Id.

Given that Plaintiffs suffered actual identity theft, and not just speculative future injury, all of the cases cited by AvMed to support its theory - that money spent on credit monitoring is not compensable - are completely irrelevant to this matter. See Shafran v. Harley Davidson, 2008 WL 763177, *1 (S.D. N.Y. Mar. 30, 2008) (plaintiff alleged that defendant’s data breach only “exposed its customers to an increased likelihood of identity theft,” but failed to allege actual identity theft) (emphasis added); see also Hammond v. The Bank of New York Mellon Corp., 2010 WL 2643307, *2 (S.D. N.Y. June 25, 2010) (plaintiff alleged that defendant’s data breach caused merely an “increased risk of future harm,” but failed to allege actual identity theft) (emphasis added); see also Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 639 (7th Cir. 2007) (plaintiff alleged that defendant’s data breach caused solely an “exposure to a future potential harm,” but failed to allege actual identity theft) (emphasis added). Contrary to the instant case, none of the plaintiffs in the cases cited by AvMed alleged actual identity theft. AvMed’s reliance on such cases is therefore misplaced.
Moreover, AvMed’s argument that Plaintiffs are not entitled to recover money spent on credit monitoring is disingenuous given that AvMed specifically advised Plaintiffs and the Classes to take such action to protect themselves from identity theft. (¶79; Dkt 15-5, pp. 2-3.) Amongst other losses alleged in the SAC, Curry has spent, and continues to spend, $17.99 a month for credit monitoring services as a result of the data breach and her resulting identity theft. (¶48.) And, given the duty to mitigate, it was reasonable, if not even required, for Plaintiffs to pay for credit monitoring services. See Zinn v. GJPS Lukas, Inc., 695 So.2d 499, 501 (Fla. 5th DCA 1997) (plaintiffs must discharge their duty to mitigate their damages). Thus, no serious contention may be made that money spent on credit monitoring is not a compensable expense.

C. Plaintiffs Are Entitled To Recover For the Anxiety And Emotional Distress Caused By AvMed’s Breach of its Duty of Confidentiality.

AvMed next argues that the impact rule bars Plaintiffs from recovering for the anxiety and emotional distress they suffered as a result of their identity thefts. Florida courts have clear, recognized exceptions to the impact rule by which a plaintiff may recover for emotional distress even though no impact or physical injuries are alleged. Florida Dept. of Corr. v. Abril, 969 So.2d 201, 207 (2007). One such exception exists for a breach of the duty of confidentiality with respect to the release of sensitive personal information.[3] Id.; See Gracey v. Eaker, 837 So.2d 348, 352 (2002) (impact rule inapplicable in breach of duty of confidentiality cases because redress must be available where “[a] confidential relationship and statutory protection is defiled by the disclosure of the most personal of information”).
As AvMed requested and collected Plaintiffs’ Sensitive Information, there is no question that AvMed accepted and owed a duty of confidentiality to Plaintiffs. Thus, AvMed’s attack on the severity of Plaintiffs’ emotional injuries is premature at the pleadings stage. Indeed, whether the emotional distress and anxiety alleged by Plaintiffs rises to the required severity level can only be decided after a more complete factual development of the record. See Reynolds v. State Farm Mut. Auto. Ins. Co., 611 So. 2d 1294, 1299 (Fla. Dist. Ct. App. 1992) (the degree of foreseeable emotional distress to a consumer from disclosure in breach of a confidential relationship is decided on a “case-by-case basis”); see also Willis v. Gami Golden Glades, LLC, 967 So. 2d 846, 861 (Fla. 2007) (“the Court has continued to carve out well-meaning exceptions to [the impact] rule on a case-by-case basis.”). Thus, Plaintiffs’ claims for anxiety and emotional distress should stand.

[3] It is important to note that AvMed does not contest, and therefore concedes, that it owed Plaintiffs a duty of confidentiality.

II. The Complaint Sufficiently Alleges Injury Under the Twombly Plausibility Standard, And The Law of the Case Doctrine Does Not Bar Plaintiffs’ Claims.

As demonstrated above, given the vigilance taken by Plaintiffs to protect their identities and the complete absence of any previous identity theft issues, it is obvious - let alone plausible - that AvMed’s data breach led to the theft of Plaintiffs’ identities and their subsequent damages. Still, AvMed argues that Plaintiffs have not “plausibly alleged” that their injuries “resulted from the theft of the laptops.” (Dkt. No. 33, pp. 12.) In making this argument, AvMed also contends that the Court should invoke the law of the case doctrine and not even consider the allegations in the SAC.
These arguments fundamentally misapply both the law established in Twombly and the law of the case doctrine, and ignore the plain language of the SAC.

A. The Complaint Satisfies the Twombly Plausibility Standard By Sufficiently Alleging That Plaintiffs’ Identity Thefts Were Caused By AvMed’s Data Breach.

To establish plausibility, the allegations must only “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555. A claim has facial plausibility when the plaintiff “pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 127 S.Ct. 1937, 1949 (2009). The plausibility rule “does not impose a probability requirement at the pleading stage.” Id. at 1955; Twombly, 550 U.S. at 557. Indeed, “a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that recovery is very remote and unlikely.” Id. at 556.

In this case, the SAC alleges specific facts that plausibly demonstrate AvMed’s data breach caused Curry’s and Moore’s identity thefts: (1) AvMed collected and negligently stored Plaintiffs’ Sensitive Information;[4] (2) an unauthorized third party breached AvMed’s digital database and gained access to Plaintiffs’ Sensitive Information (¶¶ 23, 25, 40); (3) Plaintiffs’ Sensitive Information was stolen and used to steal their identities which caused them to suffer damages. (¶¶ 44, 51, 60, 66.)

[4] In fact, AvMed admitted that it failed to encrypt or password-protect its members’ Sensitive Information that was stored on the laptops. For instance, in a June 7, 2010 update to the “Frequently Asked Questions” section of its website, AvMed admitted, “[d]uring the recovery process and internal investigation, AvMed determined that the data on the laptops was not properly secure.” (¶38.)
While these allegations, on their own, are sufficient to establish plausibility, the SAC alleges several additional facts which foreclose any possibility that Plaintiffs’ injuries were caused by anything other than AvMed’s data breach: neither Moore nor Curry have ever had their identities stolen prior to AvMed’s data breach (¶¶53, 68); both Curry and Moore have taken extraordinary precautions to protect their identities (¶¶54, 55, 69, 70, 71); Curry has never made any purchases online (¶55); Moore has never transmitted any unencrypted Sensitive Information over the Internet or any other unsecured source (¶71); both Moore and Curry store papers containing Sensitive Information in a secure physical location, and both destroy documents they receive in the mail that could be used for potential identity theft. (¶¶55, 71.) These allegations contain enough factual content to clearly “nudge [Plaintiffs’] claims across the line from conceivable to plausible.” Twombly, 550 U.S. at 570; See Stollenwerk, 254 Fed.Appx. at 668 (“As a matter of twenty-first century common knowledge, just as certain exposures can lead to certain diseases, the theft of a computer hard drive certainly can result in an attempt by a thief to access the contents for purposes of identity fraud, and such an attempt can succeed”).

Significantly, the court in Gardner et al. v. Health Net, Inc. has already considered virtually identical allegations, and found them to be sufficient to state a claim for negligence and breach of contract. See, Order, Dkt. No. 87, Gardner et al. v. Health Net, Inc., Case No. 2:10-CV-02140-PA-CW (C.D. Cal. 2010) (Order attached hereto as Exhibit A.)
The plaintiff in Gardner alleged that: she suffered identity theft after a disk drive was stolen from defendant’s office; prior to the data breach, she had never been a victim of identity theft; she took “extraordinary precautions to protect herself from identity theft”; she “never made any purchase online with a credit card; she never transmitted Sensitive Information on the Internet; and she never stored her Sensitive Information on a computer or media device. See, Order, Dkt No. 87, p. 4. The Court found that “it may be reasonably inferred from these allegations that [the plaintiff] suffered from identity theft as the result of the theft of the disk drive from defendant’s offices.” See, Order, Dkt No. 87, p. 4.

In a last ditch effort to call the plausibility of Plaintiffs’ claims into question, AvMed cites to statements made by a police officer in a newspaper article to prove that laptops were stolen from AvMed “for money, not for purposes of identity theft.” (Dkt. No. 33, p. 9.) In addition to being speculative and lacking any foundational basis whatsoever, the newspaper article is inadmissible double hearsay. See United States v. Baker, 432 F.3d 1189, 1211-12 (11th Cir. 2005) (newspaper articles are inadmissible hearsay when “relevant primarily to establish the truth of their contents”). Since AvMed is offering the newspaper article solely to prove the truth of its contents, and thus to disprove Plaintiffs’ claims, it cannot be considered.

The article also lacks any legal significance at the pleadings stage. Plaintiffs are not required to prove ultimate facts or produce any evidentiary foundation for their claims to satisfy Rule 12(b)(6). Rather, for purposes of this motion “all factual allegations in the complaint [are] true and construe[d] in the light most favorable to the plaintiffs.” Edwards v. Prime, Inc., 602 F.3d 1276, 1291 (11th Cir.
2010). AvMed cannot preempt the discovery process with a Rule 12(b)(6) motion and urge the Court to reject the well-pleaded allegations of the SAC for want of proof, or to force Plaintiffs to meet a summary judgment-type burden of proof at this stage. Thus, AvMed’s attempt to dismiss Plaintiffs’ claims with a newspaper article fails.

B. The Law of the Case Doctrine Does Not Bar Plaintiffs’ Claims.

The law of the case doctrine has no applicability to the current matter as there have not yet been any rulings by an appellate court in this case. Under the law of the case doctrine, “the findings of fact and conclusions of law by an appellate court are generally binding in all subsequent proceedings in the trial court or on a later appeal.” Norelus v. Denny’s, Inc., 628 F.3d 1270, 1288 (11th Cir. 2010) (emphasis added). Accordingly, the “law of the case applies only where there has been a final judgment.” Aldana v. Del Monte Fresh Produce N.A., Inc., 578 F.3d 1283, 1289 (11th Cir. 2009). Without both a final judgment and subsequent appellate review, the doctrine is inapplicable. Holcomb v. United States, 622 F.2d 937, 940 (7th Cir. 1980).

Additionally, it is well settled in the Eleventh Circuit that “a court’s previous rulings may be reconsidered as long as the case remains within the jurisdiction of the district court.”[5] Aldana, 578 F.3d at 1289; See Vintilla v. United States, 931 F.2d 1444, 1447 (11th Cir. 1991) (law of the case doctrine had no application to district court’s denial of motion to dismiss, which was not a final judgment, such that court was free to reconsider its ruling at the summary judgment stage); see also First Alabama Bank of Montgomery, N.A. v.
Parsons Steel, Inc., 825 F.2d 1475, 1480 (11th Cir. 1987) (court’s denial of summary judgment was not a final judgment and did not become the law of the case, because it was subject to reconsideration and correction at any time before final judgment).

In this case, the law of the case doctrine is inapplicable for two reasons. First, the Court’s April 5, 2011 Order dismissing the FAC without prejudice was not a final order. (Dkt. No. 30.) Second, and unmistakably determinative, no issues have yet been appealed in this matter, and consequently, no “findings of fact” or “conclusions of law” have been made by the Eleventh Circuit. Norelus, 628 F.3d at 1288. Accordingly, the law of the case doctrine does not bar Plaintiffs’ SAC, and the Court is permitted to consider whether the SAC’s allegations are plausible. First Alabama Bank of Montgomery, N.A., 825 F.2d at 1480.

[5] Obviously, if the converse were true, it would be impossible for a court to ever consider a motion for reconsideration.

III. The Complaint Sufficiently States A Claim For Negligence.

In arguing for the dismissal of Plaintiffs’ negligence claim (Count I), AvMed does not dispute (and therefore concedes) that it owed a duty of confidentiality to Plaintiffs to protect their Sensitive Information. Nor does AvMed dispute (and therefore concedes) that it breached that duty. Instead, AvMed argues only that an intervening criminal act defeats proximate cause, and Plaintiffs’ claim is barred by the economic loss rule. Both of these arguments lack merit.[6]

A. The Complaint Sufficiently Alleges That The Data Breach Proximately Caused Plaintiffs’ Identity Thefts.

AvMed’s argument that an intervening criminal act defeats proximate cause fails. The issue of proximate causation is ordinarily one to be resolved by the trier of fact. See Hewitt v. Avis Rent-A-Car Sys., Inc., 912 So. 2d 682, 686 (Fla. Dist. Ct. App.
2005) (“[I]f reasonable persons could differ as to whether the facts establish proximate cause, then the resolution of the issue must be left to the fact finder”) (emphasis added). It is well-settled that “circumstances under which a court may resolve the question of proximate cause as a matter of law are extremely limited.” LeMaster v. Glock, 610 So.2d 1336, 1338 (Fla. 1st DCA 1992). Even the sole case cited by AvMed to prop up its intervening cause theory-Guin v. Brazos Higher Ed. Serv. Corp, Inc., 2006 WL 288483 (D. Minn. Feb. 7, 2006)-cuts squarely against its argument as Guin was decided at the summary judgment stage, rather than the pleadings stage.[7]

[6] Plaintiffs hereby incorporate their arguments from § II, supra, which plausibly demonstrate-given Plaintiffs’ vigilance in guarding their identities and their identity theft free histories-that AvMed’s data breach was the proximate cause of Plaintiffs’ identity thefts.

[7] See Daly, 4 Misc. 3d at 893-94 (whether defendants’ responsibility for damages stemming from a data breach is lessened under the theory that the theft of plaintiffs’ information by a third party was an unforeseeable intervening event was reserved as an issue for trial).

Furthermore, AvMed’s argument ignores that intervening criminal conduct is deemed foreseeable when the defendant’s negligence involved conduct (such as failing to encrypt Sensitive Information) that was intended to prevent the very harm that occurred (such as the theft of that information). Goldberg v. Florida Power & Light Co., 899 So. 2d 1105, 1116 (2005); See Herndon v. Shands Teaching Hosp. & Clinics, Inc., 23 So. 3d 802, 803-04 (Fla. Dist. Ct. App. 2009) (intervening crime will not negate proximate cause if the crime is foreseeable, and foreseeability, as it relates to proximate cause, is a jury issue); see also Coral Gables Fed. Sav. & Loan Ass'n v. City of Opa-Locka, 516 So.
2d 989, 992 (Fla. Dist. Ct. App. 1987) (holding that embezzlement is not an unforeseeable result of a bank’s negligent banking procedures). Here, AvMed was required to encrypt its members’ confidential, personal data to prevent disclosure through a breach. That conduct, of course, was intended to prevent the very harm that occurred here. (¶¶86-88.) Accordingly, under the applicable law, AvMed’s failure to encrypt Plaintiffs’ Sensitive Data was the proximate cause of the data breach and their identity thefts.

B. The Economic Loss Rule Does Not Bar Plaintiffs’ Negligence Claims.

The economic loss rule does not serve as a barrier to Plaintiffs’ claim. The economic loss rule only applies where: (1) the duty owed is purely contractual, (2) the parties to the contracts negotiated and allocated the risk of loss, and (3) Plaintiffs were seeking “economic losses.” Invo Florida, Inc. v. Somerset Venturer, Inc., 751 So.2d 1263, 1265 (Fla. 3d DCA 2000). Here, however, Plaintiffs have alleged (and AvMed does not contest) that AvMed owed a common law duty-not purely a contractual duty-of confidentiality to protect Plaintiffs’ Sensitive Information, as well as a statutory duty under HIPAA. Furthermore, as the written services contracts are not presently before the Court, AvMed cannot blindly argue that the risk of identity theft was allocated in the written services contracts. Through this argument, AvMed hopes to deprive Plaintiffs of the opportunity to conduct discovery of the contracts to prove their claims.

Regardless, the economic loss rule has been specifically rejected in data breach cases because it was not intended to shield defendants from negligence-based tort claims. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 127 (D. Me. 2009). Thus, the economic loss rule is wholly inapplicable.

IV.
The Complaint Sufficiently States A Claim For Negligence Per Se.

Plaintiffs’ negligence per se claims (Count V) are based upon AvMed’s violation of the confidentiality provisions of Fla. Stat. § 395.3025. Violation of a statute that was enacted to protect a particular class of persons from a particular type of injury constitutes negligence per se. deJesus v. Seaboard Coast Line Railroad Co., 281 So.2d 198 (1973). Here, Fla. Stat. § 395.3025 was enacted to protect the confidentiality of medical information of Florida residents-such as Plaintiffs-as it expressly provides that medical information must not be disclosed without consent. Fla. Stat. § 395.3025. Thus, AvMed’s disclosure of Plaintiffs’ health information without authorization violates Fla. Stat. § 395.3025 and constitutes negligence per se.

AvMed attempts to rebut this claim by arguing that Fla. Stat. § 395.3025 applies only to “licensed facilities,” and that health plan providers, like itself, are not covered by the statute. However, this argument contradicts the plain language of the statute:

Patient records are confidential and must not be disclosed without the consent of the person to whom they pertain, but appropriate disclosure may be made without such consent to.

Fla. Stat. § 395.3025(4). This statute is not, on its face, limited to “licensed facilities.” Accordingly, Plaintiffs are entitled to rely on a violation of Fla. Stat. § 395.3025 as evidence of negligence.

V. The Complaint Sufficiently States A Claim For Breach of Express Contract.

Plaintiffs’ claim for breach of express contract (Count II) is based upon AvMed’s breach of the written services contracts.
In seeking dismissal of the claim, AvMed curiously argues that: (i) Plaintiffs have not alleged a contract requiring AvMed to adequately protect Plaintiffs’ Sensitive Information, and (ii) the claim fails for lack of consideration because AvMed was under a pre-existing duty to comply with state and federal security protocols to protect confidential health information. Plaintiffs have, of course, alleged such a contract, and as discussed infra, AvMed’s preexisting duty-to the extent one existed at all-was less than that required under the contract. Accordingly, both of these arguments fail.

A. Plaintiffs Have Sufficiently Pleaded The Existence of a Valid Contract.

Plaintiffs allege that they entered into a written services contract with AvMed that required Plaintiffs to provide AvMed with their Sensitive Information and pay money in exchange for AvMed’s health care coverage and promises to protect their Sensitive Information. (¶21.) AvMed expressly promised Plaintiffs that it would, inter alia: protect their Sensitive Information (¶21) and safeguard Plaintiffs’ Sensitive Information from being lost and/or accessed by unauthorized third parties. (¶20.) These written contracts are in AvMed’s possession, and will be a focal point of discovery.[8]

Given the allegations in the SAC, Plaintiffs have indisputably established the existence of a valid contract. Thus, Plaintiffs do not-as AvMed suggests-simply “cobble together several statements made not in any contract between AvMed and its members, but in various documents that appear on AvMed’s website.” (Dkt. 23, p. 17.) Instead, Plaintiffs allege specific express contractual obligations that AvMed was bound to comply with. These contentions are clearly sufficient to render any disposition premature at this point in the proceedings. Zarrella v. Pac. Life Ins. Co., 2010 WL 4663296, *6 (S.D. Fla. Nov. 10, 2010).

[8] To state a claim for breach of contract, “a plaintiff is not required to attach the subject contract to the complaint.” De Sterling v. Bank of Am., N.A., 2009 WL 3756335, *2 (S.D. Fla. Nov. 6, 2009).

B. The Pre-existing Duty Rule Is Inapplicable.

AvMed improperly attempts to evade contractual liability for its failure to protect Plaintiffs’ Sensitive Information by arguing that it was under a pre-existing duty to abide by HIPAA’s regulations concerning confidentiality. This argument simply attempts to obfuscate the subject matter of the written services contract, and ignores that the contract required Plaintiffs to provide AvMed with their health information, as well as additional personal information, such as their phone numbers, addresses, and Social Security numbers. HIPAA does not cover this additional information that the contract required AvMed to safeguard.

AvMed’s pre-existing duty under HIPAA extends only to Plaintiffs’ “health information.” Under HIPAA, the term “health information” means:

[a]ny information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.[9]

42 U.S.C.A. § 1320d(4) (emphasis added). However, pursuant to the written services contract, AvMed collected and maintained information in addition to Plaintiffs’ health information, such as their phone numbers, addresses, and Social Security numbers. (¶¶18, 118.) Since HIPAA only applies to “health information,” as defined, it has no application to AvMed’s contractual promise to safeguard Plaintiffs’ Sensitive Information because AvMed promised to do more than was required under HIPAA.
3 Williston on Contracts § 7:43 (4th ed.). Thus, AvMed’s reliance on the pre-existing duty rule is misplaced because its contractual duties extended beyond the scope of its pre-existing duty required by HIPAA.

[9] Other identifying information, like a unique medication schedule is protected under HIPAA when they both “identify” individuals and “relate to” a medical condition. By way of example, Social Security numbers may identify an individual, but of course, do not also relate to a medical condition.

The single case cited by AvMed to support its argument-Scherer v. Laborers’ Int’l Union of N. Am., 746 F. Supp. 73 (N.D. Fla. 1988)-is inapposite for two primary reasons. First, that case dealt with whether consideration was sufficient to form a valid contract where the defendant was already under a pre-existing contractual duty to perform. Id. at 83. Here, AvMed does not argue that it was already under a contractual duty to protect and encrypt Plaintiffs’ Sensitive Information, and in fact, AvMed apparently denies that a contract existed between it and Plaintiffs in the first place. Second, Scherer was decided at the summary judgment stage, rather than the pleadings stage. Id. at 75. Therefore, while the facts of Scherer are distinguishable from the instant case, its procedural posture suggests that the question of pre-existing duty is appropriately dealt with during summary judgment.

Accordingly, AvMed’s pre-existing duty to comply with HIPAA does not render the written services contract invalid as it required Plaintiffs to submit-and AvMed to protect and maintain-additional information that clearly exceeded the scope of any pre-existing duty.

C. The Complaint Sufficiently States A Claim For Breach of the Covenant of Good Faith and Fair Dealing.
As Plaintiffs have alleged a claim for breach of express contract, as discussed supra, Plaintiffs have-as a matter of law-also sufficiently stated a claim for breach of the covenant of good faith and fair dealing (Count VII).[10] Nautica Int’l, Inc. v. Intermarine, 5 F.Supp.2d 1333, 1340 (S.D. Fla. 1998). Still, AvMed incorrectly argues that: (i) Plaintiffs have not alleged the existence of any express contracts; and (ii) Plaintiffs have not alleged that AvMed has “consciously or deliberately acted to frustrate the purpose of the services contract.” (Dkt. 23, p. 20.) These arguments unequivocally fail as they entirely ignore the plain language of the SAC.

[10] Florida contract law recognizes the implied covenant of good faith and fair dealing in every contract. Burger King Corp. v. Weaver, 169 F.3d 1310, 1315 (11th Cir. 1999); County of Brevard v. Miorelli Eng’g, Inc., 703 So.2d 1049, 1050 (1997).

As discussed, Plaintiffs have sufficiently alleged that AvMed was under express contractual obligations to safeguard Plaintiffs’ Sensitive Information. AvMed breached its covenant of good faith and fair dealing by, inter alia, disclosing the information it promised to protect, and most plainly, by suppressing its disclosure by failing to promptly notify Plaintiffs and 860,000 enrollees of the breach. (¶¶31, 148.) Any argument that these allegations are absent ignores the plain language of the SAC.

Moreover, contrary to AvMed’s argument, Florida law does not require Plaintiffs to allege that AvMed “frustrated the purpose of the contract by a conscious and deliberate act.” (Dkt. 33, p. 21.) The sole case cited to support this novel theory-Tiara Condo. Ass’n, Inc. v. Marsh & McLennan Companies, Inc., 607 F.3d 742 (11th Cir. 2010)-was, again, decided at the summary judgment stage, rather than the pleadings stage. Id. at 747.
Regardless, Plaintiffs do in fact allege that AvMed “willfully failed to disclose the scope and expanse of the breach.” (¶26.) As such, Plaintiffs’ claim for breach of the covenant of good faith and fair dealing must stand.

VI. The Complaint Sufficiently Alleges An Alternative Claim for Breach of Implied Contracts.

Count III asserts a valid claim for breach of implied contracts. An implied contract arises when the parties’ assent is “inferred in whole or in part from the parties’ conduct.” Commerce P’ship v. Equity Contracting Co., 695 So.2d 383, 385 (Fla. 4th DCA 1997). The only distinction between an express and implied-in-fact contract is the manner in which the parties’ assent is manifested or proven. Id.; 1-1 Arthur L. Corbin, Corbin on Contracts § 1.19 (Joseph M. Perillo ed. 2010).

In this case, AvMed was under an implied contractual obligation to “take reasonable steps to secure and safeguard the [Sensitive Information]” (¶119) and “provide Plaintiffs and the Classes with prompt and sufficient notice of any and all unauthorized access and/or theft of their Sensitive Information.” (¶120.) By failing to safeguard Plaintiffs’ Sensitive Information, AvMed breached its obligations under the implied contract.

In urging dismissal of Plaintiffs’ claim, AvMed argues that the “fair and reasonable inference from the parties’ conduct” is that no implied contract was formed.[11] (Dkt. No. 33, p. 22.) Aside from lacking any factual or legal support, this theory directly contravenes the well-established principle that “the court must accept all of the plaintiff’s allegations as true” and “constru[e] them in the light most favorable to the plaintiff.” Pielage v. McConnell, 516 F.3d 1282, 1284 (11th Cir. 2008) (emphasis added). Consequently, AvMed’s “fair and reasonable inference” argument fails.
Although AvMed does not (and cannot) cite to any authority for its “fair and reasonable inference” argument, the cases that AvMed cites generally with respect to breach of implied contracts indicate that dismissal of Plaintiffs’ breach of implied contract claim is inappropriate at this stage. See Rabon v. Inn of Lake City, 693 So.2d 1126, 1127 (Fla. 1st Dist. Ct. App. 1997) (appealing from summary judgment); see also Bromer v. Fla. Power & Light Co., 45 So.2d 658, 660 (1948) (appealing from final judgment); see also McMillan v. Shivley, 23 So.3d 830 (Fla. 1st Dist. Ct. App. 2009) (reversing dismissal of implied contract claim). Thus, Plaintiffs’ breach of implied contracts claim should stand.

[11] While AvMed again argues that the pre-existing duty rule bars recovery for Plaintiffs’ breach of implied contracts claim, its argument is identical to its argument opposing Plaintiffs’ breach of express contract claim. As AvMed asserts no new argument, nor cites any additional authority, Plaintiffs will spare the Court regurgitation as to why the pre-existing duty rule is inapplicable to this case.

VII. The Complaint Sufficiently States An Alternative Claim For Unjust Enrichment.

Count IV asserts a valid claim for unjust enrichment. If no express or implied in fact contract exists, a party may recover under quasi-contract. Am. Safety Ins. Serv., Inc. v. Griggs, 959 So.2d 322, 331 (Fla. 5th DCA 2007). The SAC alleges that: Plaintiffs conferred a monetary benefit onto AvMed in the form of monthly fees (¶126); AvMed had knowledge of the enrollment fees and accepted the benefit (¶127); and it would be unjust for AvMed to retain the enrollment fees because it failed to comply with the law and industry standard privacy protocols, which resulted in the mass disclosure of Plaintiffs’ Sensitive Information. (¶128.)
AvMed should not be permitted to retain Plaintiffs’ enrollment fees to the extent that they were used, or were to be used, to safeguard and protect Plaintiffs’ Sensitive Information. See Baron v. Osman, 39 So. 3d 449, 451 (Fla. Dist. Ct. App. 2010) (unjust enrichment is based on an obligation created by law to cure the unjust retention of a benefit conferred by another).

In any event, it is procedurally improper to dismiss this unjust enrichment claim at the pleadings stage. See Donnelly v. Circuit City Stores, Inc., 2007 WL 896337, *3 (M.D. Fla. Mar. 22, 2007) (“Alternate pleading allows for a plaintiff’s case to proceed in the face of uncertainty as to the existence of a contract or, perhaps, uncertainty as to whether the particular issue at hand falls within the ambit of a contract.…”). Accordingly, the claim should stand.

VIII. The Complaint Sufficiently States A Claim For Breach of Fiduciary Duty.

Count VI asserts a valid claim for breach of fiduciary duty. Such duties are implied in law as a result of the underlying transaction and the relationship of the parties. Susan Fixel, Inc. v. Rosenthal & Rosenthal, Inc., 842 So. 2d 204, 207 (Fla. Dist. Ct. App. 2003). Here, the duty of confidentiality that AvMed owed to Plaintiffs is akin to traditional notions of fiduciary duty. Daly, 4 Misc. 3d at 892. Quite simply, the duty to protect the confidentiality of health records creates a relationship of trust and confidence between the parties. Id.; Abril, 969 So.2d at 207.

Indeed, by requiring Plaintiffs to provide their Sensitive Information, and by Plaintiffs actually providing such information, AvMed and Plaintiffs entered into a fiduciary relationship. AvMed breached its fiduciary duty to Plaintiffs by failing to encrypt this health information, and failing to timely notify the affected members of the data breach. (¶139.)
A fiduciary relationship may be implied in law as such relationships are “premised upon the specific factual situation surrounding the transaction and the relationship of the parties.” Susan Fixel, Inc., 842 So. 2d at 207. Because of the factually intensive nature of an implied fiduciary duty inquiry, such claims are better addressed by a summary judgment motion, or at trial, rather than on a motion to dismiss. Id.

AvMed prematurely attempts to dismiss this claim by citing several inapplicable cases wherein the communication of only financial information between a bank and a customer was found not to create a fiduciary relationship. See Winter Park Condo. Ltd. P’ship v. Wachovia Bank, N.A., 2009 WL 290992 (M.D. Fla. Feb. 6, 2009) (receipt of confidential financial information did not give rise to duty to keep information confidential); see also Silver v. Countrywide Home Loans, Inc., 2011 WL 121701, *5 (S.D. Fla. Jan. 13, 2011) (same). However, the disclosure of medical information, including highly embarrassing medical conditions, is far different from the types of transmissions that AvMed analogizes to the present matter. Thus, dismissal at the pleadings stage-without opportunity for a fact inquiry-is inappropriate, especially given the highly personal nature of the information disclosed. Accordingly, the breach of fiduciary duty claim should stand.

CONCLUSION

For the reasons stated above, Plaintiffs respectfully submit that AvMed’s motion to dismiss should be denied.

Dated: May 31, 2011

Respectfully submitted,
JUANA CURRY and WILLIAM MOORE, individually and on behalf of all others similarly situated,
By: /s/ Steven Teppler

Jay Edelson (Admitted Pro Hac Vice)
William C. Gray (Admitted Pro Hac Vice)
Ari J. Scharg (Admitted Pro Hac Vice)
Steven W. Teppler
Florida Bar No.
14787
Edelson McGuire, LLC
350 North LaSalle Street, Suite 1300
Chicago, Illinois 60654
Tel.: (312) 589-6470
Fax: (312) 589-6378
jedelson@edelson.com
bgray@edelson.com
ascharg@edelson.com
steppler@edelson.com

Edmund A. Normand
Florida Bar No. 865590
Diego M. Madrigal, III
Florida Bar No. 0037643
Wooten, Kimbrough, & Normand, P.A.
236 S. Lucerne Circle
Orlando, Florida 32801
Tel.: (407) 843-7060
Fax: (407) 843-5836

Counsel for Plaintiffs

CERTIFICATE OF SERVICE

I, Steven W. Teppler, an attorney, certify that, on May 31, 2011, I caused the above and foregoing Plaintiffs’ Response in Opposition to Defendant AvMed, Inc.’s Motion to Dismiss to be filed with the Clerk of the Court and transmitted by electronic mail to all counsel of record via the Court’s CM/ECF electronic filing system, on this the 31st day of May, 2011.

/s/ Steven W. Teppler