DECISION AND ORDER
This putative class action arises out of a data breach where hackers gained access to defendant Excellus Health Plan, Inc.'s ("Excellus") computer network and the personal information stored therein. Plaintiffs are individuals whose personal information was stored on Excellus's computer network at the time of the data breach. They assert claims of negligence, negligence per se, breach of contract and of the implied covenant of good faith and fair dealing, and unjust enrichment against defendants Excellus, Lifetime Healthcare, Inc. ("Lifetime"), Lifetime Benefit Solutions, Inc., Genesee Region Home Care Association, Inc. d/b/a Lifetime Care, Genesee Valley Group Health Association d/b/a Lifetime Health Medical Group, MedAmerica, Inc., and Univera Healthcare (collectively the "Excellus Defendants"), and claims for the violation of various state consumer protection laws against the Excellus Defendants and defendant Blue Cross and Blue Shield Association ("BCBSA"). (Dkt. 312).
The Court will refer to the Excellus Defendants and BCBSA collectively as "Defendants."
Presently before the Court are five motions: (1) the Excellus Defendants' motion for clarification of the Court's prior orders as to standing (Dkt. 376); (2) Plaintiffs' motion for class certification (Dkt. 387); (3) Defendants' motion to exclude the expert declarations of James Van Dyke and Gregory Allenby (Dkt. 417); (4) Plaintiffs' motion to strike the declaration of Excellus employee James Keddell and for sanctions (Dkt. 446); and (5) Plaintiffs' motion to exclude certain testimony of Defendants' experts Robert E. Anderson, Jr. and C. Federico Campbell (Dkt. 456). For the reasons that follow, the Court: (1) grants in part and denies in part the Excellus Defendants' motion for clarification; (2) denies Defendants' motion to exclude the testimony of Plaintiffs' experts as moot; (3) denies Plaintiffs' motion to exclude the testimony of Defendants' experts as moot; (4) denies Plaintiffs' motion to strike and for sanctions; and (5) grants in part and denies in part Plaintiffs' motion for class certification.
I. Factual Background
The Court has described the factual background of this matter in detail in earlier Decisions and Orders. (See Dkt. 140; Dkt. 181). The Court briefly summarizes Plaintiffs' factual allegations, as set forth in their Second Amended Consolidated Master Complaint. (Dkt. 312) (the "SACMC").
Excellus is a licensee of BCBSA and "the primary healthcare provider in upstate New York." (Id. at ¶ 37). Excellus is also a subsidiary of Lifetime and the parent of the remaining Excellus Defendants. (Id. at ¶¶ 39-50). Plaintiffs are individuals whose Personally Identifiable Information ("PII") and/or Protected Health Information ("PHI") was stored on Defendants' computer networks. (Id. at ¶¶ 17-35). "Beginning on or before December 23, 2013, hackers infiltrated Defendants' cybersecurity systems, acquired high-level access to Defendants' computer networks . . ., and gained access to the [PII] and [PHI] of approximately 10 million individuals." (Id. at ¶ 1) These hackers "operated in" Defendants' computer networks "with impunity" for at least nine months. (Id.).
II. Procedural Background
The instant action was commenced on September 18, 2015. (Dkt. 1). Several other lawsuits arising out of the Excellus data breach were thereafter commenced in this District. (See Dkt. 9-2 at 1-2). On November 5, 2015, the Honorable Michael A. Telesca issued an Order consolidating all then-pending actions in this District related to the Excellus data breach into the instant action and transferring the matter to the undersigned. (Dkt. 27). On November 10, 2015, the Court entered a Text Order directing that any subsequently filed lawsuit arising out of the same facts or involving the same claims be consolidated into this case. (Dkt. 28). On January 25, 2016, the Court appointed interim class counsel and directed Plaintiffs to file a consolidated master complaint. (Dkt. 80).
On April 15, 2016, Plaintiffs filed their Consolidated Master Complaint. (Dkt. 99) (the "CMC"). The Excellus Defendants filed a motion to dismiss the CMC on May 31, 2016. (Dkt. 107). BCBSA filed a motion to dismiss the CMC on June 17, 2016. (Dkt. 111). On February 22, 2017, the Court issued a Decision and Order granting in part and denying in part Defendants' respective motions to dismiss. (Dkt. 140) (the "Dismissal Decision"). As relevant here, the Court dismissed for lack of standing all claims asserted by the "non-misuse Plaintiffs," which it defined as "Plaintiffs who have not alleged any actual misuse of their data[.]" (Id. at 10, 29).
On March 22, 2017, Plaintiffs filed a motion for reconsideration, asking the Court to revisit its conclusion that the non-misuse Plaintiffs lacked standing. (Dkt. 142). The Court granted Plaintiffs' motion for reconsideration on January 19, 2018. (Dkt. 181) (the "Reconsideration Decision"). In particular, based on the Second Circuit's decision in Whalen v. Michaels Stores, Inc., 689 F. App'x 89 (2d Cir. 2017), the Court concluded that the "non-misuse Plaintiffs' allegations of the threat of future identity theft" were sufficient to establish standing. (Dkt. 181 at 13). However, the Court left intact "all other aspects" of the Dismissal Decision. (Id. at 2).
With leave of Court and no objection from Defendants (see Dkt. 191), on March 22, 2018, Plaintiffs filed an Amended Consolidated Master Complaint (Dkt. 193). Pursuant to a stipulation of the parties, the Court granted Plaintiffs leave to file the SACMC on March 15, 2019. (Dkt. 305). The SACMC was filed on March 25, 2019. (Dkt. 312).
On September 24, 2019, the Excellus Defendants moved for clarification of the Dismissal Decision and the Reconsideration Decision. (Dkt. 376). Plaintiffs responded on October 16, 2019 (Dkt. 381), and the Excellus Defendants replied on October 23, 2019 (Dkt. 383).
Plaintiffs filed their motion for class certification and supporting papers on November 22, 2019. (Dkt. 387; Dkt. 388; Dkt. 389; Dkt. 390; Dkt. 391; Dkt. 392; Dkt. 393; Dkt. 394; Dkt. 395; Dkt. 396). BCBSA and the Excellus Defendants filed their respective oppositions to the class certification motion on January 28, 2020. (Dkt. 414; Dkt. 418; Dkt. 419; Dkt. 420; Dkt. 421; Dkt. 422). Also on January 28, 2020, Defendants jointly filed a motion to exclude the expert declarations of James Van Dyke and Gregory Allenby. (Dkt. 417).
On April 27, 2020, Plaintiffs filed: (1) a motion for sanctions and to strike the declaration of James Keddell, which the Excellus Defendants had submitted in opposition to the class certification motion (Dkt. 446; Dkt. 447; Dkt. 448; Dkt. 449); (2) their reply papers in further support of their motion for class certification (Dkt. 450; Dkt. 451; Dkt. 452); (3) their opposition to Defendants' motion to exclude (Dkt. 453; Dkt. 454; Dkt. 455); and (4) a motion to exclude the testimony of Defendants' experts Robert E. Anderson, Jr. and C. Federico Campbell (Dkt. 456; Dkt. 457).
The Excellus Defendants filed their opposition to Plaintiffs' motion for sanctions and to strike on May 18, 2020. (Dkt. 462). Plaintiffs filed reply papers on May 27, 2020. (Dkt. 470; Dkt. 472).
On June 5, 2020, Defendants filed a reply in further support of their motion to exclude and a response to Plaintiffs' motion to exclude. (Dkt. 477; Dkt. 478; Dkt. 479). On July 7, 2020, Plaintiffs filed a reply in further support of their motion to exclude. (Dkt. 496).
The Court heard oral argument on the pending motions on October 19, 2020, and reserved decision. (Dkt. 518).
I. Motion for Class Certification
A. Legal Standard
Because the Court's resolution of Plaintiffs' class certification motion directly impacts the necessity of reaching several other issues raised by the parties, the Court turns to that issue first. "In determining whether class certification is appropriate, a district court must first ascertain whether the claims meet the preconditions of [Federal] Rule [of Civil Procedure] 23(a). . . ." Teamsters Local 445 Freight Div. Pension Fund v. Bombardier Inc., 546 F.3d 196, 201-02 (2d Cir. 2008). Specifically, the Court must conclude that the proposed class meets the following requirements:
(1) the class is so numerous that joinder of all members is impracticable;Fed. R. Civ. P. 23(a). If all these requirements are met, the Court may grant class certification where one of the scenarios set forth under Rule 23(b)(1)-(3) is satisfied. "The party seeking class certification bears the burden of establishing by a preponderance of the evidence that each of Rule 23's requirements has been met." Myers v. Hertz Corp., 624 F.3d 537, 547 (2d Cir. 2010).
(2) there are questions of law or fact common to the class;
(3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and
(4) the representative parties will fairly and adequately protect the interests of the class.
Here, Plaintiffs seek certification for the majority of their proposed classes under Rule 23(b)(3). Rule 23(b)(3) provides that a class may be certified if the Rule 23(a) criteria are satisfied and if "the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods." Fed. R. Civ. P. 23(b)(3). This provision is intended to "'secure judgments binding all class members save those who affirmatively elect[ ] to be excluded,' where a class action will 'achieve economies of time, effort, and expense, and promote . . . uniformity of decision as to persons similarly situated, without sacrificing procedural fairness or bringing about other undesirable results.'" In re Glob. Crossing Sec. & ERISA Litig., 225 F.R.D. 436, 454 (S.D.N.Y. 2004) (alterations in original and quoting Amchem Prod., Inc. v. Windsor, 521 U.S. 591, 614-15 (1997)).
"The Rule 23(b)(3) predominance inquiry tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation." Amchem Prod., Inc., 521 U.S. at 623. "Class-wide issues predominate if resolution of some of the legal or factual questions that qualify each class member's case as a genuine controversy can be achieved through generalized proof, and if these particular issues are more substantial than the issues subject only to individualized proof." Moore v. PaineWebber, Inc., 306 F.3d 1247, 1252 (2d Cir. 2002).
Plaintiffs also seek certification of an injunctive relief class pursuant to Rule 23(b)(2). A class action may be maintained under Rule 23(b)(2) "if Rule 23(a) is satisfied and if . . . the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole." Fed. R. Civ. P. 23(b)(2). "The key to the (b)(2) class is the indivisible nature of the injunctive or declaratory remedy warranted—the notion that the conduct is such that it can be enjoined or declared unlawful only as to all of the class members or as to none of them." Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 360 (2011) (quotation omitted).
B. The Proposed Classes
Plaintiffs ask the Court to certify the following classes:
A. Nationwide Damages Class Under N.Y. Gen. Bus. Law § 349 Against Excellus ("GBL § 349 Damages Class"):
All individuals in the United States whose . . . PII . . . and/or . . . PHI . . . was stored in Excellus's systems between December 23, 2013 and May 11, 2015 who: (1) are included in Excellus's list of Impacted Individuals, and (2) received products or services for which Excellus was paid between 2003 and 2015.
B. Federal Employee Class Under N.Y. Gen. Bus. Law § 349 Against Blue Cross Blue Shield Association ("Federal GBL § 349 Damage Class"):
All enrollees in the Blue Cross and Blue Shield Association Federal Employees Plan whose PII and/or PHI was stored in Excellus's systems between December 23, 2013 and May 11, 2015 who also are included in Excellus's list of Impacted Individuals.
C. Nationwide Breach of Contract Class Against Excellus ("Breach of Contract Class"):
All individuals in the United States whose PII and/or PHI was stored in Excellus's systems between December 23, 2013 and May 11, 2015 who: (1) are included in Excellus's list of Impacted Individuals, and (2) were members of an Excellus individual, group or Medicare Advantage health insurance plan between 2003 and 2015.
D. Separate Statewide Negligence Classes Against Excellus:
All individuals residing in [New York / California / Florida / Indiana / Pennsylvania] whose PII and/or PHI was stored in Excellus's systems between December 23, 2013 and May 11, 2015.
E. Unjust Enrichment Class Against Excellus:(Dkt. 387 at 2-3). "Excluded from each Class are (1) Defendants, any entity or division in which Defendants have a controlling interest, and their legal representatives, officers, directors, assigns, and successors; (2) the Judges to whom this case is assigned, their immediate family members, and courtroom staff; and (3) any individuals who validly exclude themselves from the Class." (Id. at 3).
All individuals residing in New York whose PII and/or PHI was stored on Excellus's systems between December 23, 2013 and May 11, 2015 who (1) are included in Excellus's list of Impacted Individuals, and (2) who received products or services for which Excellus was paid between 2003 and 2015.
F. Nationwide Class Bringing Claim for Injunctive Relief Pursuant to N.Y. Gen. Bus. Law § 349 Against Excellus ("GBL § 349 Injunctive Relief Class"):
All individuals in the United States whose PII and/or PHI was stored in Excellus's systems between December 23, 2013 and May 11, 2015 who (1) are included in Excellus's list of Impacted Individuals and (2) whose PII and/or PHI currently resides in Excellus's systems.
C. Defendants' Objections to Class Certification
The Excellus Defendants and BCBSA oppose Plaintiffs' request for class certification. The Excellus Defendants argue that: (1) individualized issues of injury and causation under either Article III or state law predominate, precluding the certification of any putative class; (2) the proposed GBL § 349 Damages Class cannot be certified because there is no causal connection between the allegedly deceptive act or practice and Plaintiffs' injury; (3) the proposed classes do not satisfy Rule 23's ascertainability requirement; (4) the claims of numerous members of the proposed GBL § 349 Damages Class, Breach of Contract Class, and Unjust Enrichment Class are barred by the statute of limitations; (5) individualized issues predominate as to the incorporation by reference theory relied on by the proposed nationwide Breach of Contract Class; (6) individualized issues regarding the directness of the benefit under New York law predominate as to the proposed Unjust Enrichment Class; (7) individualized issues regarding the application of the economic loss rule predominate as to the proposed Statewide Negligence Classes; (8) Plaintiffs have not demonstrated that nationwide class certification is appropriate; and (9) Plaintiffs have not submitted facts sufficient to justify certification of a class for injunctive relief. (Dkt. 418).
BCBSA, against whom only the proposed Federal GBL § 349 Damage Class seeks relief, joins in the Excellus Defendants' arguments to the extent they are applicable, and further argues that: (1) individualized standing considerations preclude certification of the Federal GBL § 349 Damage Class; (2) Plaintiffs have not satisfied Rule 23's commonality requirement as to the Federal GBL § 349 Damage Class; (3) individualized causation and damages issue predominate over common questions as to the Federal GBL § 349 Damage Class; (4) proposed class representative Nina Mottern is not typical of the Federal GBL § 349 Damage Class; and (5) it is inappropriate to certify the Federal GBL § 349 Damage Class on a nationwide basis. (Dkt. 414).
For the reasons set forth below, the Court agrees with Defendants that (1) the proposed GBL § 349 Damages, Breach of Contract, Unjust Enrichment, and Statewide Negligence Classes do not satisfy Rule 23(b)(3)'s predominance requirement and (2) the proposed Federal GBL § 349 Damage Class does not satisfy Rule 23(a)(2)'s commonality requirement. However, the Court finds that the proposed GBL § 349 Injunctive Relief Class should be certified pursuant to Rule 23(b)(2).
1. The Proposed Rule 23(b)(3) Classes Against Excellus Fail to Satisfy the Predominance Requirement
"The Rule 23(b)(3) predominance inquiry tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation." Amchem Prod., 521 U.S. at 623. As noted above, "[c]lass-wide issues predominate if resolution of some of the legal or factual questions that qualify each class member's case as a genuine controversy can be achieved through generalized proof, and if these particular issues are more substantial than the issues subject only to individualized proof." Moore, 306 F.3d at 1252. The Court has a "duty to take a close look at whether common questions predominate over individual ones." Comcast Corp. v. Behrend, 569 U.S. 27, 34 (2013) (quotation omitted).
a. Statute of Limitations
Because it presents a relatively straightforward legal issue, the Court considers first the Excellus Defendants' contention that the claims of numerous members of the proposed GBL § 349 Damages, Breach of Contract, and Unjust Enrichment Classes are barred on their face by the statute of limitations and that statute of limitations issues would thus predominate over common issues.
The Second Circuit has explained that while "the presence of individual defenses does not by its terms preclude class certification," a failure by plaintiffs to offer a "reliable means of collectively determining how many class members' claims are time-barred" counsels against class certification. McLaughlin v. Am. Tobacco Co., 522 F.3d 215, 233-34 (2d Cir. 2008), abrogated on other grounds by Bridge v. Phx. Bond & Indem. Co., 553 U.S. 639 (2008); see also Royal Park Inv. SA/NV v. Deutsche Bank Nat'l Tr. Co., No. 14- CV-4394 (AJN), 2018 WL 1750595, at *16 (S.D.N.Y. Apr. 11, 2018) ("[C]ertification is improper if plaintiffs have offered no reliable means of collectively determining how many class members' claims are time-barred." (quotation omitted)).
The Excellus Defendants note that the proposed GBL § 349 Damages, Breach of Contract, and Unjust Enrichment Classes "run from some point in 2003 to some point in 2015," apparently based on the fact that Excellus began providing its members with a standard form "Notice of Privacy Practices" ("NOPP") in 2003. (Dkt. 418 at 52). The Excellus Defendants argue that these three classes thus "on their face include putative class members whose claims are barred by the applicable statute of limitations, and have been for some time." (Id. at 53 (noting that the statute of limitations for GBL § 349 damages claims is three years, the statute of limitation for breach of contract claims under New York law is six years, and the statute of limitations under New York law for unjust enrichment is either three or six years)).
In reply, Plaintiffs contend that no putative class member's claims fall outside the statute of limitations as to any of these three proposed classes. (See Dkt. 451 at 32-33, 37, 42). The Court disagrees. Turning first to the proposed GBL § 349 Damages Class, the parties agree that the claims asserted by this proposed class are subject to a three-year statute of limitations. (See id. at 32 (citing Gaidon v. Guardian Life Ins. Co. of Am., 96 N.Y. 2d 201 (2001))). The accrual of a GBL § 349 claim occurs at the time of the plaintiff's injury, or "when all of the factual circumstances necessary to establish a right of action have occurred, so that plaintiff would be entitled to relief." Gristede's Foods, Inc., v. Unkechauge Nation, 532 F. Supp. 2d 439, 453 (E.D.N.Y. 2007) (citation omitted). Importantly, the "date of discovery rule is not applicable and cannot serve to extend that limitations period." Wender v. Gilberg Agency, 276 A.D.2d 311, 312 (1st Dep't 2000).
Here, the SACMC alleges that Defendants violated GBL § 349 by making material misrepresentations regarding their data privacy and security practices. "Thus, [Defendants'] misrepresentations or omissions were about the nature of the product itself," and the injury to Plaintiffs occurred as soon as their personal information was stored in Defendants' inadequately protected systems. Marshall v. Hyundai Motor Am., 51 F. Supp. 3d 451, 461 (S.D.N.Y. 2014) (finding that GBL § 349 claim accrued when vehicles with defective brake systems were purchased, not "when the brakes failed or when [the plaintiffs] had to pay for repairs of the faulty brakes"); see also Bristol Vill., Inc. v. Louisiana-Pac. Corp., 170 F. Supp. 3d 488, 499 (W.D.N.Y. 2016) (GBL § 349 claim accrued when defective "TrimBoard" was installed and not when the plaintiff discovered deterioration); Statler v. Dell, Inc., 775 F. Supp. 2d 474, 484 (E.D.N.Y. 2011) (GBL § 349 claim accrued when computers with faulty capacitors were purchased). Because Plaintiffs' theory of their GBL § 349 claims is that they were deceived by Excellus's failure to reveal that "its cybersecurity systems were insufficiently equipped to safeguard the PII and PHI Excellus collected from its members and affiliates and warehoused" (Dkt. 451 at 16), their injury accrued as soon as Excellus placed their personal information into its inadequately protected network. The proposed GBL § 349 Damages Class thus contains on its face numerous putative class members whose claims are time-barred.
Gaidon, upon which Plaintiffs rely, does not support their position. In that case, at the time the insurance policies at issue were purchased, the defendant had falsely stated that "after a specified period, the policy's dividends would thereafter cover the premium costs." 96 N.Y.2d at 206 (quotation omitted). The New York Court of Appeals held that the plaintiff's GBL § 349 claims based on these deceptive acts did not accrue until eight years later, when "premiums were demanded after the purported date they were to be entirely offset by dividends." Id. The Gaidon court explained that "the gravamen of the complaints of General Business Law § 349 violations was not false guarantees of policy terms, but deceptive practices inducing unrealistic expectations of continuing interest/dividend rate performance to fully offset premiums at the projected date," because that was when the plaintiff's "expectations were actually not met[.]" Id. at 211-12. In other words, in Gaidon, the defendant's promise was not actually broken until the projected date arrived and the dividends failed to cover the premium costs. Before that time, a court could not have ordered any remedy.
By contrast, under Plaintiffs' theory of this case, Excellus broke its promise as soon as it took custody of Plaintiffs' private information and placed it on an improperly secured network. The fallacy of Plaintiffs' statute of limitations argument is illustrated by imagining that the PHI and PII at issue here took the form of physical documents rather than electronically stored information. If Excellus had represented to Plaintiffs that it would store the documents in a locked room with a security guard, and then instead stored them in an unlocked, abandoned building, there can be no question that Plaintiffs could seek a remedy without waiting for an actual theft. Plaintiffs' GBL § 349 claims accrued when Excellus allegedly failed to provide the cybersecurity measures it had promised. See Schandler v. New York Life Ins. Co., No. 09 CIV. 10463 LMM, 2011 WL 1642574, at *1, 5 (S.D.N.Y. Apr. 26, 2011) (finding GBL § 349 claim that insurer had deceptively promised that plan provided "broad convalescent facility benefits regardless of an insured's age" accrued at time policy was purchased and not when the plaintiff's claims for such benefits were rejected (internal quotation marks omitted)).
A similar analysis applies to the proposed Unjust Enrichment Class, which is limited to individuals who resided in New York. Under New York law, the statute of limitations for an unjust enrichment claim is three years where the plaintiff seeks monetary damages. Matana v. Merkin, 957 F. Supp. 2d 473, 494 (S.D.N.Y. 2013). An unjust enrichment claim accrues "upon the occurrence of the wrongful act giving rise to a duty of restitution and not from the time the facts constituting the fraud are discovered." Cohen v. S.A.C. Trading Corp., 711 F.3d 353, 364 (2d Cir. 2013) (citation omitted). Accordingly, Plaintiffs' contention that their unjust enrichment claims accrued in 2013, when the data breach occurred, has no merit. Defendants' allegedly wrongful act—namely, failing to use any part of the "premiums for health insurance and health benefits services that Plaintiffs and Class Members paid . . . to pay for the administrative costs of reasonable data privacy and security practices and procedures" (Dkt. 312 at ¶ 244)—occurred well before the data breach. The proposed Unjust Enrichment Class thus also contains on its face numerous putative class members whose claims are time-barred.
Turning to the proposed Breach of Contract Class, Plaintiffs seek to certify this proposed class on a nationwide basis but contend that "New York law applies to all Plaintiffs' and Class Members' breach of contract claims." (Dkt. 429 at 44). The Court will assume for purposes of assessing the statute of limitations that this is correct, but notes that the issue becomes even more complicated if it is not, because different states have different statutes of limitation for breach of contract claims.
"New York does not apply the 'discovery' rule to statutes of limitations in contract actions. Rather, the statutory period of limitations begins to run from the time when liability for wrong has arisen even though the injured party may be ignorant of the existence of the wrong or injury." ACE Sec. Corp. v. DB Structured Prod., Inc., 25 N.Y.3d 581, 594 (2015) (citations and quotations omitted); see also Dreni v. Printeron Am. Corp., ___ F. Supp. 3d ___, No. 1:18-CV-12017-MKV, 2020 WL 5518170, at *7 (S.D.N.Y. Sept. 14, 2020) ("Under New York law, a cause of action for breach of contract accrues at the time of breach."). Here, Plaintiffs allege that Defendants breached their contractual obligations "by violating the commitment to maintain the confidentiality and security of Personal Information compiled by Defendants and stored in the Excellus Networks" and "failing to comply with their policies and applicable laws, regulations, industry standards, and best practices for data security and protecting the confidentiality of Personal Information." (Dkt. 312 at ¶ 229). As with Plaintiffs' GBL § 349 and unjust enrichment claims, Excellus's purported wrongful conduct did not occur on the date of the data breach, but when it put Plaintiffs' personal information into its allegedly improperly secured systems, notwithstanding the fact that Plaintiffs did not learn of the wrong until, in some cases, many years later.
Accordingly, the Court agrees with the Excellus Defendants that the proposed GBL § 349 Damages, Unjust Enrichment, and Breach of Contract Classes contain numerous putative class members whose claims are time-barred on their face. Plaintiffs, who bear the burden on the instant class certification motion, have not proffered any methodology, reliable or otherwise, for determining how many class members' claims are time-barred—instead, they have relied on flawed arguments that the statute of limitations does not bar any putative class members' claims. Moreover, based on the facts and circumstances of this case, there would also need to be proof for each putative class member as to when his or her relationship with Defendants began in order to assess the statute of limitations issue. These individualized issues would overwhelm the common issues presented by Plaintiffs' claims. See Wing v. Metro. Life Ins. Co., No. 04-CV-8558 BSJ RLE, 2007 WL 9814564, at *10 (S.D.N.Y. May 31, 2007) (collecting cases finding predominance requirement not satisfied where there were individualized questions regarding the statute of limitations).
b. GBL § 349 and Causation
In addition to the statute of limitations issue identified above, the Court finds that the proposed GBL § 349 Damages Class fails to satisfy Rule 23(b)(3)'s predominance requirement because there are individualized issues of causation that overwhelm the common questions of fact and law.
"Under GBL § 349, a plaintiff must show that he or she was injured as a result of the defendant's deceptive acts or practices." Marshall v. Hyundai Motor Am., 334 F.R.D. 36, 59 (S.D.N.Y. 2019). "Where the link between the defendant's alleged deception and the injury suffered by plaintiffs is too attenuated and requires too much individualized analysis, courts will not certify a class." Oscar v. BMW of N. Am., LLC, 274 F.R.D. 498, 513 (S.D.N.Y. 2011) (denying class certification of GBL § 349 claims based on misrepresentations regarding automobile tires because the plaintiff had "adduced absolutely no evidence that he could demonstrate on a classwide [basis] that consumers would have paid less for their [vehicles] if they had known that the tires were susceptible to puncture"). The New York Court of Appeals has made it clear in this context that the alleged deception cannot function "as both act and injury." Small v. Lorillard Tobacco Co., 94 N.Y.2d 43, 56 (1999).
Plaintiffs have not demonstrated that causation can be ascertained on a classwide basis in this case. Plaintiffs contend that causation is subject to common proof because the "[t]he fact finder will ultimately evaluate [the] evidence and determine whether Excellus's misrepresentations and/or omissions led to the breach and caused class members' PII and PHI to be compromised." (Dkt. 451 at 22). Plaintiffs' argument ignores a key step in the causal chain—a link between the allegedly deceptive conduct and the putative members of the proposed GBL § 349 Damages Class. The nature of the products involved here and the nature of the health insurance market—namely, that most individuals obtain their health insurance through their employer—raise individualized questions regarding whether the putative class members were even aware of Excellus's alleged misrepresentations and/or omissions. As Plaintiffs acknowledge, the evidence in this case demonstrates that they "chose their insurance policies for different reasons" and, importantly, that "some had no choice in the selection at all." (Dkt. 451 at 19). Moreover, and as discussed in more detail below, some of the members of the proposed GBL § 349 Damages Class had no dealings with Excellus whatsoever, but had their PHI and PII housed on Excellus's network because of their relationship with one of its affiliates.
The Court is not persuaded by Plaintiffs' argument that this is an issue of "reliance, proof of which is not required by the GBL," and not of causation. (Dkt. 451 at 19). It is true that the New York Court of Appeals "has cautioned courts against conflating 'reliance' and 'causation' with regard to section 349 claims," Rodriguez v. It's Just Lunch, Int'l, 300 F.R.D. 125, 147 (S.D.N.Y. 2014) (citing Stutman v. Chem. Bank, 95 N.Y.2d 24, 30 (2000)), and that "[i]ntent to defraud and justifiable reliance by the plaintiff are not elements of [a GBL § 349 claim]," Small, 94 N.Y.2d at 55. However, the Excellus Defendants' argument is not that Plaintiffs must demonstrate that "they would not otherwise have entered into the transaction" absent the allegedly deceptive representations. Stutman, 95 N.Y.2d at 30. Instead, the issue here is whether it can be determined on a classwide basis that the members of the proposed GBL § 349 Damages Class were even exposed to the Excellus Defendants' alleged deceptions.
Plaintiffs' causation theory with respect to their GBL § 349 claims appears to be as follows: Excellus had substandard cybersecurity systems. It engaged in deceptive conduct about those substandard cybersecurity systems, which "allowed Excellus to deceive the public at large, individual consumers, employers, and any other entities who availed themselves of Excellus's services; by deceiving these parties collectively, Excellus was able to forego investments in cybersecurity and was ill-prepared to deal with foreseeable cybersecurity threats, ultimately causing classwide harm." (Dkt. 451 at 20).
Plaintiffs have not pointed to a single case embracing a theory under which a GBL § 349 plaintiff need not even be aware of the allegedly deceptive conduct, nor has the Court uncovered any such case in its own research. To the contrary, the case law consistently holds that "in order to have been injured by the defendant's deceptive act, a plaintiff must have been personally misled or deceived." Ritchie v. N. Leasing Sys., Inc., No. 12-CV-4992 (KBF), 2016 WL 1241531, at *21 (S.D.N.Y. Mar. 28, 2016) (quoting LaCourte v. JP Morgan Chase & Co., No. 12 Civ. 9453 (JSR), 2013 WL 4830935, at *10 (S.D.N.Y. Sept. 4, 2013)), aff'd sub nom. Ritchie v. Taylor, 701 F. App'x 45 (2d Cir. 2017); see also Goshen v. Mut. Life Ins. Co. of N.Y., 98 N.Y.2d 314, 325 (2002) ("The phrase 'deceptive acts or practices' under the statute is not the mere invention of a scheme or marketing strategy, but the actual misrepresentation or omission to a consumer."); Solomon v. Bell Atl. Corp., 9 A.D.3d 49, 52 (1st Dep't 2004) ("[T]o prevail in a cause of action under GBL §§ 349 and 350, the plaintiff must prove that the defendant made misrepresentations or omissions that were likely to mislead a reasonable consumer in the plaintiff's circumstances, that the plaintiff was deceived by those misrepresentations or omissions and that as a result the plaintiff suffered injury." (emphasis added)); Oden v. Bos. Sci. Corp., 330 F. Supp. 3d 877, 902-03 (E.D.N.Y. 2018) ("[T]o assert a GBL § 349 claim, a plaintiff must allege that s/he was exposed to the alleged misrepresentations." (citation omitted and alteration and emphasis in original)); Gerstle v. Nat'l Credit Adjusters, LLC, 76 F. Supp. 3d 503, 513 (S.D.N.Y. 2015) ("[A] plaintiff must have been personally misled or deceived to suffer injury as a result of the defendant's deception." (internal quotations omitted)); Abraham v. Am. Home Mortg. Servicing, Inc., 947 F. Supp. 2d 222, 234 (E.D.N.Y. 2013) ("In an action under GBL § 349, each Plaintiff must individually plead that the disclosures he or she received were inadequate, misleading, or false, and that she was injured as a result of the insufficient or false disclosures."). In other words, while a plaintiff pursuing a GBL § 349 claim need not have relied on (or even necessarily have believed) the allegedly deceptive conduct, he or she must have at least been exposed to it.
Hobish v. AXA Equitable Life Ins. Co., 171 A.D.3d 494 (1st Dep't 2019), cited by Plaintiffs, does not support their position. The individual plaintiff in the Hobish case "was a participant in the transactions through which" the insurance policy at issue was obtained and further "was deceived by defendant throughout her participation in the sales transactions and the maintenance of the Policy." Hobish v. AXA Equitable Life Ins. Co., No. 650315/2017, 2018 WL 780603, at *5 (N.Y. Sup. Ct., N.Y. Cty. Feb. 08, 2018).
There are cases in which a corporate plaintiff has been permitted to bring a GBL § 349 claim against a competitor that has misled the public regarding the quality of the plaintiff's products or services. See, e.g., Securitron Magnalock Corp. v. Schnabolk, 65 F.3d 256, 264 (2d Cir. 1995) (allowing GBL § 349 claim by competitor where the defendant had allegedly made false statements about the plaintiff's product to the state regulatory agencies and members of the public). However, the causation inquiry in such cases, where the injury is the loss of business to the competitor, is entirely different than the one presented here. In this case, to show causation, Plaintiffs would need to demonstrate that Excellus's purportedly deceptive conduct played a role in their PII and PHI being stored on Excellus's insecure network, which is simply not amenable to classwide resolution.
Here, there would necessarily have to be individualized causation inquiries into whether the members of the proposed GBL § 349 Damages Class were ever exposed to Excellus's alleged deceptions. The case of named Plaintiff Andres Curbelo ("Curbelo") illustrates the problem. Curbelo never purchased insurance or any other product or service directly from Excellus. (See Dkt. 418 at 11). Instead, his PII and PHI were housed on Excellus's network because he had received treatment at a Lifetime Health Medical Group facility and Lifetime Health Medical Group used Excellus for administrative services. (Id.). A jury's inquiry into whether Curbelo, who had no direct dealings with Excellus, was exposed to Excellus's alleged deceptions would be very different from its inquiry into, for example, the exposure of individuals who purchased Excellus insurance through their employers. This is precisely the kind of case in which "the link between the defendant's alleged deception and the injury suffered by plaintiffs is too attenuated and requires too much individualized analysis," such that class certification is not appropriate. Oscar, 274 F.R.D. at 512.
c. Unjust Enrichment , Pursuing Alternative Theories of Recovery, and Directness of the Benefit
The Court finds that Plaintiffs' proposed Unjust Enrichment Class, in addition to running afoul of the statute of limitations, also fails the predominance inquiry because there are individualized questions regarding the relationship between the putative class members and Excellus, including whether there was a contract governing data privacy.
As to the contract issue, it is undisputed that "express contracts exist between Excellus and at least certain class members and absent putative class members that contain provisions addressing data privacy." (Dkt. 418 at 56-57). It is further undisputed that New York law "precludes unjust enrichment claims whenever there is a valid and enforceable contract governing a particular subject matter, whether that contract is written, oral, or implied-in-fact." Beth Israel Med. Ctr. v. Horizon Blue Cross & Blue Shield of New Jersey, Inc., 448 F.3d 573, 587 (2d Cir. 2006).
Plaintiffs argue that all the putative members of the proposed Unjust Enrichment Class can pursue their contract and unjust enrichment theories in the alternative at this stage of the proceedings. (See Dkt. 451 at 40). They are incorrect. "[W]here the validity of a contract that governs the subject matter at issue is not in dispute, and the claimant alleges breach of the contract, the claimant cannot plead unjust enrichment in the alternative under New York law." Stanley v. Direct Energy Servs., LLC, 466 F. Supp. 3d 415 (S.D.N.Y. 2020). Accordingly, the members of the proposed Unjust Enrichment Class whom Excellus does not dispute have valid, enforceable contracts governing data security cannot pursue an unjust enrichment claim, even in the alternative. The proposed Unjust Enrichment Class is thus subject to individualized inquires as to the putative members' contractual relationship with Excellus.
The Court further agrees with the Excellus Defendants that the proposed Unjust Enrichment Class is subject to individualized inquiries as to the nature of the relationship between the putative class members and Excellus. "[A] New York unjust enrichment claim requires no direct relationship between plaintiff and defendant." Choi v. Tower Rsch. Cap. LLC, 890 F.3d 60, 69 (2d Cir. 2018) (internal quotation marks omitted). Instead, "the requirement of a connection between plaintiff and defendant is a modest one: 'A claim will not be supported if the connection between the parties is too attenuated.'" Id. (quoting Mandarin Trading Ltd. v. Wildenstein, 16 N.Y.3d 173, 182 (2011) and original alteration omitted). "The relationship must be one that could have caused reliance or inducement." Crescimanni v. Trovato, 162 A.D.3d 849, 851 (2d Dep't 2018).
Plaintiffs acknowledge that the members of the proposed Unjust Enrichment Class have different relationships with Excellus, but suggest that the Court can determine as a matter of law that none of those relationships are too attenuated to support an unjust enrichment claim. (Dkt. 451 at 41). The Court disagrees. It is not clear on the record before the Court whether there are genuine factual disputes as to the nature of any of the putative class members' relationships with Excellus. The proposed Unjust Enrichment Class includes "[a]ll individuals residing in New York whose PII and/or PHI was stored on Excellus's systems between December 23, 2013 and May 11, 2015 who (1) are included in Excellus's list of Impacted Individuals, and (2) who received products or services for which Excellus was paid between 2003 and 2015." (Dkt. 387 at 3). The Court has no information before it regarding the various relationships that could have resulted in an individual falling within this definition. "[C]ourts are cautious about extending unjust enrichment liability beyond the principals to the transaction, and . . . when they do so, it is possible as a matter of equity to draw a clear line between the plaintiff's loss and the defendant's gain or misconduct." Marini v. Adamo, 12 F. Supp. 3d 549, 552 (E.D.N.Y. 2014), aff'd, 644 F. App'x 33 (2d Cir. 2016). The Court cannot find on a classwide basis that the members of the proposed Unjust Enrichment Class satisfy this requirement, because it lacks the necessary information. Further, this individualized inquiry is far more substantial than the aspects of Plaintiffs' unjust enrichment claims that are subject to common resolution.
For all these reasons, in addition to the statute of limitations issue discussed above, the Court cannot certify the proposed Unjust Enrichment Class, because the predominance requirement is not satisfied.
d. Breach of Contract , Incorporation by Reference, and Application of the Economic Loss Rule and Independent Tort Doctrine
There are also additional predominance problems related to the proposed Breach of Contract Class and the proposed Statewide Negligence Classes. Specifically, Plaintiffs' breach of contract claims rely on their contention that the NOPPs provided to Excellus members were incorporated by reference into the contracts between Excellus and those members. (See Dkt. 451 at 34). This contention is not capable of classwide resolution, based on the record before the Court. Plaintiffs assert that the standard NOPP is "sent to all [Excellus's] members' upon enrollment in an individual, group or Medicare health plan." (Dkt. 429 at 43). However, the evidence cited by Plaintiffs for this contention does not support it. Plaintiffs cite to the deposition testimony of Excellus employee Kelly Wheeless. (See id. at 43 n. 129). Ms. Wheeless testified that the NOPP "can be sent upon enrollment or the member can be advised of its availability electronically." (Dkt. 388-8 at 2 (emphasis added); see also id. at 8 (Ms. Wheeless confirming it was Excellus's policy to send either the NOPP "or a link to" the NOPP) (emphasis added)). Accordingly, Plaintiffs' contention that "Excellus sent all members of the class the standard NOPPs along with the certificate of coverage; under New York law, this makes the NOPP part of each class members' contract" (Dkt. 451 at 34) is simply not borne out by the evidence cited. Instead, Ms. Wheeless' testimony establishes that some Plaintiffs and putative class members may not have been provided with a contemporaneous copy of the NOPP at all, but may instead have simply been provided a link where they could access and read the document at a later time of their own choosing.
The record before the Court is devoid of evidence regarding the form that the "link" to the NOPP may have taken and whether it was standardized. This fact is significant in any incorporation by reference analysis, because "under New York law . . . the doctrine of incorporation by reference requires that the paper to be incorporated into the written instrument by reference must be so described in the instrument that the paper may be identified beyond all reasonable doubt" and "vague references to documents not specifically identified do not suffice." Ward v. TheLadders.com, Inc., 3 F. Supp. 3d 151, 163 (S.D.N.Y. 2014) (citation and original alteration omitted) (finding that statement that additional terms and conditions "may" be found on website does not suffice to incorporate statements on website by reference). The standard for incorporation by reference is an "exacting" one. Id. (citation omitted). Accordingly, the Court is not persuaded that Plaintiffs' breach of contract claims, all of which rely on an incorporation by reference theory, can be resolved on a classwide basis. Instead, there would need to be an inquiry into whether a given class member received a paper copy of the NOPP or a link thereto, and, if he or she received a link, what language that link used.
This conclusion also has significant implications for the proposed Statewide Negligence Classes. The Excellus Defendants argue that the proposed Statewide Negligence Classes should not be certified under Rule 23(b)(3) because individualized issues regarding the application of the economic loss rule/independent tort doctrine predominate. (Dkt. 418 at 59). The Excellus Defendants note that under the laws of each of the states at issue—New York, California, Florida, Indiana, and Pennsylvania—"negligence claims are precluded to the extent they seek to enforce the parties' contractual provisions through tort." (Id.). The Excellus Defendants contend that "Plaintiffs' theory of the case necessarily means that some of their putative members are seeking a tort claim that overlaps with their breach of contract allegations" and that individualized inquiries in this regard will overwhelm any common questions. (Id. at 61). In opposition, Plaintiffs argue that they have asserted their negligence claims in the alternative to their contract claims, and that whether a state's economic loss rule applies can be determined on a classwide basis. (Dkt. 451 at 38).
The Court agrees with the Excellus Defendants. It is undisputed that the scope of any permissible negligence claim will turn on the terms of any contract between the putative class members and Excellus. Here, for the reasons discussed above, individualized inquiries regarding such contract terms (and specifically whether the NOPP was incorporated by reference into a given class member's contract with Excellus) would be necessary. These individualized inquiries would overwhelm any common questions, and accordingly, the proposed Breach of Contract and Statewide Negligence Classes do not satisfy Rule 23(b)(3)'s predominance requirement.
2. The Proposed Federal GBL § 349 Class Fails to Satisfy the Commonality or Predominance Requirements
BCBSA contends that Plaintiffs cannot satisfy the commonality or predominance requirements as to the proposed Federal GBL § 349 Damage Class. The Court agrees, for the reasons that follow.
Rule 23(a)(2) requires a showing of "questions of law or fact common to the class." Fed. R. Civ. P. 23(a)(2). That requirement is satisfied where an issue of law or fact is common to the class, and where a classwide proceeding is capable of "generat[ing] common answers apt to drive the resolution of the litigation." Wal-Mart, 564 U.S. at 349-50 (citation omitted).
BCBSA argues that Plaintiffs cannot establish commonality with respect to the proposed Federal GBL § 349 Damage Class because there is no evidence that any alleged deceptive conduct by BCBSA occurred on a classwide basis. (Dkt. 414 at 13). As BCBSA correctly notes, Plaintiffs' opening class construction brief did not even mention BCBSA in the commonality section. (See Dkt. 429 at 29-32). Moreover, while Plaintiffs assert elsewhere in their opening brief that BCSBA provided a NOPP to putative members of the Federal GBL § 349 Damage Class, the only evidence they cite for that proposition is an NOPP found on BCBSA's website in November 2019. (See id. at 22 n.76). Plaintiffs present no evidence that this NOPP (or a substantively similar NOPP) was in use at the times relevant to the instant litigation.
Plaintiffs' reply brief does not meaningfully address this failure. Instead, Plaintiffs assert without citation to any evidence that "BCBSA provided all class members with substantially similar NOPPs that promised to keep enrollees' PII and PHI confidential." (Dkt. 452 at 7). This unsupported assertion is insufficient to satisfy Plaintiffs' burden on a motion for class certification. See Wal-Mart, 564 U.S. at 351 ("Rule 23 does not set forth a mere pleading standard. A party seeking class certification must affirmatively demonstrate his compliance with the Rule—that is, he must be prepared to prove that there are in fact sufficiently numerous parties, common questions of law or fact, etc." (emphasis in original)).
Plaintiffs do argue elsewhere in a footnote that there is evidence that all of BCBSA's relevant NOPPs were substantively similar, because (1) comparable language to the 2019 NOPP is found in a 2014 NOPP provided to Plaintiff Nina Mottern and (2) BCBSA was required by federal law to include certain assurances in its NOPPs throughout the relevant time period. (Dkt. 452 at 5 n.4). Initially, the Court notes it need not consider arguments relegated to footnotes. See Express Gold Cash, Inc. v. Beyond 79, LLC, No. 1:18-CV-00837 EAW, 2019 WL 4394567, at *3 n.1 (W.D.N.Y. Sept. 13, 2019) (collecting cases). More importantly, Plaintiffs have again not supported their assertion that the NOPPs were uniform throughout the relevant time period, such that a jury could determine on a classwide basis whether they were misleading. A single NOPP from 2014 and a single NOPP from 2019, with no testimony or other evidence regarding what changes did or did not occur to the content in between, simply do not satisfy Plaintiffs' burden at this stage of the proceedings. Further, Plaintiffs' argument about the requirements placed on BCBSA by federal law are inapposite. Plaintiffs' GBL § 349 claims against BCBSA are predicated on their contention that BCBSA broke the law and engaged in deceptive conduct, yet Plaintiffs simultaneously urge the Court to simply assume that all BCBSA's NOPPs during the relevant time period comported with the law by containing the required assurances. This illogical leap cannot be the basis for a finding of commonality.
Plaintiffs thus cannot establish commonality as to the proposed Federal GBL § 349 Damage Class because they have not demonstrated that there are common questions of law or fact. To the contrary, Plaintiffs have come forward with no meaningful evidence to support their assertion that BCBSA engaged in any uniform conduct towards the putative class members that could support liability under GBL § 349.
The Court further agrees with BCBSA that, even assuming Plaintiffs could demonstrate commonality, they cannot satisfy the predominance requirement, because causation is not amenable to classwide resolution.
As discussed at length above, causation in the context of a GBL § 349 claim requires a showing that the plaintiff was injured as a result of the defendant's deceptive conduct. Here, as the Court has already explained, Plaintiffs have failed to point to any classwide evidence regarding BCBSA's alleged misrepresentations and/or omissions. The November 2019 NOPP proffered by Plaintiffs, even buttressed by the 2014 NOPP produced in reply, is insufficient to satisfy their burden on a motion for class certification, for the reasons discussed above.
Further, Plaintiffs have failed to offer any classwide theory as to how any alleged misrepresentations and/or omissions by BCBSA caused any injury to Plaintiffs. As with the proposed GBL § 349 Damages Class, Plaintiffs have presented no classwide evidence that the putative members were even exposed to BCBSA's alleged deceptive acts, and causation cannot be ascertained on a classwide basis. Accordingly, individualized inquiries would predominate as to the proposed Federal GBL § 349 Damage Class, and class certification is not appropriate.
3. The proposed GBL § 349 Injunctive Relief Class
Having determined, for the reasons set forth above, that none of Plaintiffs' proposed classes under Rule 23(b)(3) can be certified, the Court turns to the proposed GBL § 349 Injunctive Relief Class under Rule 23(b)(2).
"A class action may be maintained if Rule 23(a) is satisfied and if . . . the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole." Fed. R. Civ. P. 23(b)(2). "The key to the (b)(2) class is the indivisible nature of the injunctive or declaratory remedy warranted—the notion that the conduct is such that it can be enjoined or declared unlawful only as to all of the class members or as to none of them." Wal-Mart, 564 U.S. at 360 (internal quotation marks and citation omitted).
Importantly, there is no predominance requirement with respect to a Rule 23(b)(2) class. See Wal-Mart, 564 U.S. at 362-63 ("The procedural protections attending the (b)(3) class—predominance, superiority, mandatory notice, and the right to opt out—are . . . unnecessary to a (b)(2) class. When a class seeks an indivisible injunction benefiting all its members at once, there is no reason to undertake a case-specific inquiry into whether class issues predominate or whether class action is a superior method of adjudicating the dispute."). Accordingly, the predominance issues that prevent certification of the proposed GBL § 349 Damages Class do not pose a similar problem with respect to the proposed GBL § 349 Injunctive Relief Class.
As an initial matter, the Court concludes that the proposed GBL § 349 Injunctive Relief Class satisfies the requirements of Rule 23. The Excellus Defendants have raised no arguments with respect to numerosity, commonality, typicality, or adequacy, and the Court finds that Plaintiffs' submissions establish that these prerequisites are satisfied here.
The Court further finds that Rule 23(a)'s implied requirement of ascertainability is satisfied. "The ascertainability requirement, as defined in this Circuit, asks district courts to consider whether a proposed class is defined using objective criteria that establish a membership within defined boundaries." In re Petrobas Sec., 862 F.3d 250, 269 (2d Cir. 2017). It is a "modest threshold requirement" that "will only preclude certification if a proposed class definition is indeterminate in some fundamental way." Id.
The Court is not persuaded by the Excellus Defendants' argument that Plaintiffs' assertion of the proposed GBL § 349 Injunctive Relief Class against Excellus only renders it unascertainable. (See Dkt. 418 at 47-48). While Plaintiffs' failure to seek class certification as to any of the other Excellus Defendants may have other procedural repercussions, it does not change the fact that membership in the proposed GBL § 349 Injunctive Relief Class is easily and clearly defined, requiring only an answer to three straightforward questions: (1) was an individual's PII and/or PHI stored on Excellus's systems between December 23, 2013, and May 11, 2015; (2) was that individual included in Excellus's list of Impacted Individuals; and (3) does that individual's PII and/or PHI still reside on Excellus's systems? The Excellus Defendants have cited no case in which a Court found Rule 23's ascertainability requirement not satisfied on the basis that a class was asserted against fewer than all the defendants.
The Court further rejects the Excellus Defendants' argument that Plaintiffs do not have standing to seek injunctive relief in this case. Discovery in this matter is ongoing, and Plaintiffs have presented to the Court some evidence that Excellus did not timely remedy the security lapses that led to the data breach in 2013. (See, e.g., Dkt. 430-2). Depending on the additional information uncovered in the ongoing discovery in this matter, it is possible a trier of fact could conclude the members of the proposed GBL § 349 Injunctive Relief Class, which is limited to individuals whose PII and/or PHI is currently stored on Excellus's computer networks, continue to be at risk. The Excellus Defendants' arguments that in fact there are no ongoing security lapses go to the merits of the claims, and not the appropriateness of class certification. See Arkansas Teacher Ret. Sys. v. Goldman Sachs Grp., Inc., 955 F.3d 254, 268 (2d Cir. 2020) (explaining that "Rule 23 is not a weed whacker for merits problems" and that the burden on the plaintiffs is to show that the questions are common, not that the plaintiffs will ultimately prevail—it is sufficient if "[w]in or lose, the issue is common to all class members").
There is further no question that the conduct at issue (that is, the purported ongoing failure to provide adequate cybersecurity as to stored PII and PHI) is such that it is either lawful as to all the members of the proposed GBL § 349 Injunctive Relief Class or as to none of them. Excellus does not dispute that its cybersecurity practices are uniform as to all relevant stored PII and PHI.
For all these reasons, the Court finds the evidence presented by Plaintiffs sufficient to warrant certification of the proposed GBL § 349 Injunctive Relief Class. See Adkins v. Facebook, Inc., 424 F. Supp. 3d 686, 698 (N.D. Cal. 2019) (in data breach case, certifying Rule 23(b)(2) class seeking "an order compelling Facebook to promptly correct any problems or issues detected by . . . third-party security auditors"). As to this class, the Court appoints Matthew Fero, Andres Curbelo, Cindy Harden, Cathryn Kwit, Robert Kwit, Harold Jackling, Nina Mottern, Barbara Palmer, Carole Preston, James Smith, Sharon Smith, Don Korn, and Carlos Martinho as class representatives. The Court further appoints Hadley L. Matarazzo and James J. Bilsborrow as Co-Lead Class Counsel, and Eric H. Gibbs and Lynn A. Toops as Plaintiffs' Executive Committee, for the reasons discussed in detail in the Court's Decision and Order appointing interim class counsel. (Dkt. 80).
The Court previously solicited input from the parties regarding the necessity of excluding individuals within the third-degree of relation to the undersigned from any class. (See Dkt. 513). However, because the sole class that the Court has certified seeks injunctive relief only, there is no need for such exclusion. Cf. Berry v. Schulman, 807 F.3d 600, 607 (4th Cir. 2015) ("[A] judge's inclusion as a class member in a Rule 23(b)(2) class action seeking only injunctive and declaratory relief, in which a substantial segment of the general public are also members, does not require recusal, unless the judge has an interest in the action unique from that of members of the general public included in the class." (citation omitted)); Gordon v. Reliant Energy, Inc., 141 F. Supp. 2d 1041, 1045 (S.D. Cal. 2001) ("[A] judge need not recuse if he or she is a class member in a class action that seeks only injunctive or declaratory relief unless the judge's interest in the action is 'unique' from that of other members of the general public included in the class.").
The Court appointed Ms. Matarazzo and Robin L. Greenwald of Weitz & Luxenberg, P.C., as Co-lead Interim Class Counsel. (Dkt. 80). Plaintiffs' counsel request now that James J. Bilsborrow of Weitz & Luxenberg, P.C., be appointed Co-Lead Class Counsel in place of Ms. Greenwald. (See Dkt. 388 at ¶ 6). Mr. Bilsborrow has worked alongside Ms. Matarazzo and Ms. Greenwald since the outset of this litigation and is an experienced class action litigator. (See Dkt. 393 at ¶¶ 3, 5, 7-12). The Court finds it appropriate to appoint Mr. Bilsborrow as Co-Lead Class Counsel.
II. Motion for Clarification
The Court turns next to the Excellus Defendants' motion for clarification (Dkt. 376), which relates to the Court's Dismissal Decision and subsequent Reconsideration Decision. "[T]here is no Federal Rule of Civil Procedure specifically governing 'motions for clarification.'" Frommert v. Conkright, 00-CV-6311L, 2017 WL 952674, at *3 (W.D.N.Y. Mar. 10, 2017) (quoting University of Colorado Health at Mem. Hosp. v. Burwell, 165 F. Supp. 2d 56, 61 (D.D.C. 2016)). However, "[w]hen a court ruling is unclear or ambiguous, the issuing court may grant the motion and provide additional clarification modifying that ruling or order after providing other parties an opportunity to respond." Metcalf v. Yale Univ., No. 15-CV-1696 (VAB), 2019 WL 1767411, at *2 (D. Conn. Jan. 4, 2019). "Unlike a motion for reconsideration, a motion for clarification is not intended to alter or change a court's order, but merely to resolve alleged ambiguities in that order." Id.; see also Deutsche Bank Nat'l Tr. Co. v. WMC Mortg., LLC, No. 12-CV-1699-CSH, 2015 WL 11237310, at *6 (D. Conn. July 6, 2015) ("A clarification motion asks the Court: 'What did you mean to say?' A reconsideration motion says to the Court: 'We know what you said. It is wrong. Change it.'"). Here, the Excellus Defendants ask the Court to provide clarification as to two questions: "First, whether any plaintiff has standing to seek redress for alleged overpayment [for health insurance] and diminution in value [of personal information] in light of the Court's prior rulings . . . . Second, and if so, whether at least the four non-misuse plaintiffs . . . have standing to claim redress based on those alleged injuries." (Dkt. 376-1 at 8) (emphasis in original).
In order to properly understand the Excellus Defendants' motion for clarification, further discussion of the Dismissal Decision and the Reconsideration Decision is necessary. In the Dismissal Decision, the Court considered whether Plaintiffs had adequately alleged an injury-in-fact as to the non-misuse Plaintiffs, as required to establish standing. (See Dkt. 140 at 8); see also Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) ("[T]he irreducible constitutional minimum of standing contains three elements. First, the plaintiff must have suffered an 'injury in fact'—an invasion of a legally protected interest which is (a) concrete and particularized . . . and (b) actual or imminent, not conjectural or hypothetical . . . ." (internal quotation marks and citations omitted)). The Court specifically considered whether Plaintiffs' allegations of (1) an increased risk of future identity theft, (2) mitigation efforts, (3) overpayment for health insurance, (4) diminution in the value of personal information, or (5) violation of state statutes were sufficient to support a finding of an injury-in-fact, and concluded that they were not. (Dkt. 140 at 13-28).
In the Reconsideration Decision, the Court explained that in Whalen, the Second Circuit had "strongly implie[d] that . . . a risk of future identity theft is sufficient to plead an injury in fact." (Dkt. 181 at 12). Based on this new development in the case law, the Court reversed its prior conclusion that "the non-misuse Plaintiffs' allegations of the threat of future identity theft did not cross the line to establish standing. . . ." (Id. at 13). However, the Court left intact all other aspects of the Dismissal Decision. (Id. at 2).
The Excellus Defendants and Plaintiffs disagree as to whether the Dismissal Decision, as modified by the Reconsideration Decision, forecloses Plaintiffs from pursuing a damages theory based on an alleged overpayment for health insurance or an alleged diminution in the value of their PII and PHI. The Excellus Defendants contend that because "standing is not dispensed in gross" and "a plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought" (Dkt. 376-1 at 8 (citation and quotation marks omitted)), the Court's conclusion that an alleged overpayment for health insurance or diminution in the value of personal information did not constitute an injury in fact necessarily means that Plaintiffs cannot seek compensation for these alleged injuries. Plaintiffs respond that while federal courts "have required a plaintiff to establish standing separately for monetary damages . . . and prospective injunctive relief," they have not "required a plaintiff . . . [to] establish standing for each sub-type of monetary relief recoverable under state law." (Dkt. 381 at 2 (emphasis in original)). Instead, Plaintiffs argue, "[h]aving established . . . the requisite adversity to proceed in federal court on certain state-law claims, the availability of certain sub-types of monetary damages, such as for the loss of personal information or overpayment of health insurance, is a question of state substantive law." (Id. at 8).
To the extent it was unclear from its prior Decisions and Orders, the Court clarifies that its prior holding remains intact and is the law of the case: that the four non-misuse Plaintiffs' allegations of mitigation efforts, overpayment for health insurance, and/or diminution in the value of personal information, were insufficient to confer standing. However, the Excellus Defendants' request that the Court go beyond that prior holding and address the standing of other Plaintiffs and the further legal ramifications that follow from the Court's standing conclusions is not properly brought as a motion for clarification. A motion for clarification is not a vehicle to expand upon a court's prior rulings. See Montauk U.S.A., LLC v. 148 S. Emerson Assocs., LLC, No. 17-cv-4747 SJF AKT, 2019 WL 2393519, at *2 (E.D.N.Y. June 6, 2019) (noting that the court had denied motion for clarification because "the relief it requested was beyond the scope" of the court's original order); United States v. Timmons Corp., No. 1:03-CV-951 (CFH), 2017 WL 11237145, at *7 (N.D.N.Y. Sept. 20, 2017) (denying motion for clarification because it would "require the Court to look beyond the findings made in its initial decision").
To be clear, the Court is not reaching the merits of the Excellus Defendants' argument, and the Excellus Defendants are free to seek adjudication of the issues raised in the motion for clarification in a procedurally proper manner and at an appropriate stage of the proceedings. However, the Court cannot "clarify" its holding as to issues that were not previously before it.
III. Motions to Exclude
The Court turns next to the parties' respective motions to exclude the testimony of their opponents' experts. Pursuant to Federal Rule of Evidence 702, a proposed expert witness must possess "scientific, technical, or other specialized knowledge [that] will help the trier of fact to understand the evidence or to determine a fact in issue." Fed. R. Evid. 702(a). In accordance with this rule, a court considering the admissibility of expert testimony must consider whether (1) "the testimony is based upon sufficient facts or data"; (2) "the testimony is the product of reliable principles and methods"; and (3) "the expert has reliably applied the principles and methods to the facts of the case." Id. 702(b), (c), (d).
In Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993), the Supreme Court explained that a trial court has a "gatekeeping" duty under Rule 702, and must make sure that proposed expert testimony "both rests on a reliable foundation and is relevant to the task at hand." Id. at 597; see also Kumho Tire Co. v. Carmichael, 526 U.S. 137, 147 (1999) ("In Daubert, this Court held that Federal Rule of Evidence 702 imposes a special obligation upon a trial judge to ensure that any and all scientific testimony is not only relevant, but reliable.") (quotation and alteration omitted).
"Per Daubert and its progeny, a court's Rule 702 inquiry involves the assessment of three issues: (1) the qualifications of the expert, (2) the reliability of the methodology and underlying data employed by the expert, and (3) the relevance of that about which the expert intends to testify." Washington v. Kellwood Co., 105 F. Supp. 3d 293, 304 (S.D.N.Y. 2015). "Ultimately, the party proffering the expert has the burden to demonstrate by a preponderance of the evidence that its expert witness satisfies these criteria." Id. (quotation and alteration omitted). "As the courts and Advisory Committee have made clear, 'the rejection of expert testimony is the exception rather than the rule.'" M.B. ex rel. Scott v. CSX Transp., Inc., 130 F. Supp. 3d 654, 665 (N.D.N.Y. 2015) (quoting Fed. R. Evid. 702, Advisory Committee's Note).
"The Supreme Court has not definitively ruled on the extent to which a district court must undertake a Daubert analysis at the class certification stage," but it has "offered limited dicta suggesting that a Daubert analysis may be required at least in some circumstances." In re U.S. Foodservice Inc. Pricing Litig., 729 F.3d 108, 129 (2d Cir. 2013). Accordingly, "courts in the Second Circuit regularly 'subject expert testimony to Daubert's rigorous standards insofar as that testimony is relevant to the Rule 23 class certification analysis.'" Bowling v. Johnson & Johnson, No. 17-cv-3982 (AJN), 2019 WL 1760162, at *7 (S.D.N.Y. Apr. 22, 2019) (emphasis added and quoting Scott v. Chipotle Mexican Grill, Inc., 315 F.R.D. 33, 55 (S.D.N.Y. 2016)).
However, in this case, the Court has resolved Plaintiffs' class certification motion without the need to rely upon the testimony of any expert, as set forth above. Accordingly, it is unnecessary for the Court to perform a Daubert analysis at this stage or to reach the arguments set forth in the motions to exclude. Instead, the Court denies the parties' respective motions to exclude as moot.
IV. Motion to Strike and for Sanctions
In opposition to Plaintiffs' motion for class certification, the Excellus Defendants submitted the declaration of James W. Keddell, "a long time Excellus employee." (Dkt. 449 at 6). According to Plaintiffs, Keddell's declaration contained information that "Plaintiffs had been requesting in discovery since 2016"—namely, "detailed information about 11 of 17 of the class representative Plaintiffs, including the PII that was stored in Excellus' network" and "detailed information about [named plaintiffs] [Therese] Boomershine and [Brenda] Caltagarone's relationship with Defendants"—specifically that Boomershine had a long term care insurance policy effective from 2006 through 2010 issued by MedAmerica, Inc. and that Caltagarone's employer had a contract with Lifetime Benefit Solutions for administration of its 401(K) plan. (Id. at 13). Plaintiffs contend that once they learned "these important facts" from Keddell's declaration, they immediately served a Notice of Deposition for Keddell and a Request for Production of Documents. (Id.). The Excellus Defendants then produced "approximately 38 documents," including Boomershine's MedAmerica contract and the contract between Caltagarone's employer and Lifetime Benefit Solutions, which they had previously represented they did not possess. (Id.). The Excellus Defendants also produced additional information regarding the PII and/or PHI located in Excellus's network for "many of the named Plaintiffs." (Id. at 13-14).
In conjunction with the document production, defense counsel also sent a letter clarifying certain statements made in the Keddell declaration regarding plaintiff Dwayne Church ("Church"). (Id. at 14). In particular, Keddell stated in his declaration that Church's Social Security number had not been found in any of Excellus's "potentially affected systems." (Dkt. 422-11 at ¶ 9). Defense counsel clarified that Excellus did find Church's Social Security number in its "legacy system." (Dkt. 449 at 14). Plaintiffs also assert that Keddell claimed in his declaration to have personal knowledge regarding searches that he did not personally oversee or otherwise participate in. (Id. at 15).
Plaintiffs asked the Excellus Defendants to withdraw the Keddell declaration and "any reference to it in [the Excellus] Defendants' memorandum of law in Opposition to Plaintiffs' motion for class certification." (Id.). Plaintiffs further "made a proposal to address the substantial prejudice they suffered by not having access to the Boomershine and Caltagarone contracts until after filing their class certification motions." (Id.). The Excellus Defendants refused Plaintiffs' requests. (Id. at 16). Plaintiffs ask the Court to strike the Keddell declaration, to permit "Plaintiffs to move to certify [additional classes based on the Boomershine and Caltagarone contracts] after the Court rules on Plaintiffs' class certification motion if justified based on the Court's decision," and to impose monetary sanctions. (Id. at 17-27).
In opposition, the Excellus Defendants contend that they identified Keddell as a key witness in this case from the outset, but that Plaintiffs nonetheless decided not to depose him prior to filing their class certification motion. (Dkt. 462 at 6). The Excellus Defendants contest Plaintiffs' argument that Keddell's declaration is unreliable or misleading. As to Church's Social Security number, the Excellus Defendants note that at his deposition, Keddell stood by his statement that it was not found in any of the potentially affected systems at the time of data breach. (Id. at 27). The Excellus Defendants explain that Church's Social Security number was "buried in an 'xRef' field on a legacy enrollment system . . . that would not have been transferred into the Enterprise Data Warehouse that was determined to be within [the] scope of the cyberattack." (Id. at 27-28). The Excellus Defendants further note that Keddell's declaration did not claim that he had personally been involved in every search discussed therein, but expressly stated that he had "reviewed" the conduct of such searches. (Id. at 28). The Excellus Defendants acknowledge that they "missed" the Boomershine and Caltagarone contracts when gathering documents for production, but contend that these were ordinary discovery failures. (Id. at 9). The Excellus Defendants further argue that Plaintiffs failed to follow the proper procedures for seeking discovery sanctions and that they have cited the wrong provisions of the Federal Rules of Civil Procedure. (Id. at 21-23).
The Court denies Plaintiffs' motion to strike and for sanctions in its entirety. As to Plaintiffs' motion to strike the Keddell declaration, that document was not ultimately relevant to the Court's resolution of Plaintiffs' class certification motion, and so there would be no purpose in an order to strike. The Court further agrees with the Excellus Defendants that it would be inappropriate to strike the Keddell declaration, as opposed to allowing both it and Plaintiffs' objections thereto to remain part of the public record.
With respect to Plaintiffs' request that they be permitted to move for certification of additional breach of contract and/or negligence classes based on the Boomershine and Caltagarone contracts, the Court has found, for the reasons set forth above, that Plaintiffs' proposed Rule 23(b)(3) breach of contract and negligence classes against Excellus cannot be certified. Nothing in the record before the Court suggests that a potential breach of contract or negligence class against MedAmerica and/or Lifetime Benefit Solutions would fare any better. Accordingly, the Court denies this request without prejudice. Should Plaintiffs take the position that, in fact, the defects the Court has found in the proposed classes currently before it could be remedied as to their breach of contract and negligence claims against MedAmerica and/or Lifetime Benefit Solutions, they may file a motion setting forth the basis for that position and seeking leave to file a second class certification motion as to those claims.
Finally, the Court denies Plaintiffs' request for monetary sanctions. Plaintiffs' request for monetary sanctions is based on two alleged discovery failures: (1) the Excellus Defendants did not respond to one interrogatory propounded by Plaintiffs; and (2) the Excellus Defendants did not timely produce the Boomershine and Caltagarone contracts. As to the failure to respond to an interrogatory, the Court agrees with the Excellus Defendants that Plaintiffs did not follow the appropriate procedural steps before seeking sanctions. The interrogatory at issue sought information related to "approximately 9.4 million individuals" and the Excellus Defendants appropriately objected that it was unduly burdensome. (See Dkt. 462 at 21-22). At that point, the onus was on Plaintiffs to either litigate the propriety of the interrogatory as written or to take steps to narrow it. The Excellus Defendants were not, as Plaintiffs seem to suggest, required to sua sponte narrow the request to only the named Plaintiffs and then provide a response. The Court finds no breach of any discovery obligation by the Excellus Defendants with respect to its response to the interrogatory in question.
As to the delay in producing the Boomershine and Caltagarone contracts, "[t]he Federal Rules of Civil Procedure do not require perfection," and in cases involving voluminous discovery, it is "unsurprising that some relevant documents may . . . fall through the cracks." Freedman v. Weatherford Int'l Ltd., No. 12 CIV. 2121 LAK JCF, 2014 WL 4547039, at *3 (S.D.N.Y. Sept. 12, 2014) (quoting Moore v. Publicis Groupe, 287 F.R.D. 182, 191 (S.D.N.Y. 2012)). These documents were not turned over on the eve of trial, nor is there any evidence that they were deliberately hidden or withheld from Plaintiffs. "[A] district court has broad discretion in fashioning an appropriate sanction where the nature of the alleged breach of a discovery obligation is the non-production of evidence." Kortright Capital Partners LP v. Investcorp Inv. Advisers Ltd., 330 F.R.D. 134, 140 (S.D.N.Y. 2019) (quotations omitted). The Court does not find monetary sanctions appropriate here.
For the reasons set forth above, Plaintiffs' motion for class certification (Dkt. 387) is granted solely to the extent that the Court certifies the following class pursuant to Federal Rule of Civil Procedure 23(b)(2) for injunctive purposes only: All individuals in the United States whose PII and/or PHI was stored in Excellus's systems between December 23, 2013 and May 11, 2015 who (1) are included in Excellus's list of Impacted Individuals and (2) whose PII and/or PHI currently resides in Excellus's systems (the "Class"). Excluded from the Class are: (1) Defendants, any entity or division in which Defendants have a controlling interest, and their legal representatives, officers, directors, assigns, and successors; and (2) the Judges to whom this case is assigned, their immediate family members, and courtroom staff. The Court appoints Matthew Fero, Andres Curbelo, Cindy Harden, Cathryn Kwit, Robert Kwit, Harold Jackling, Nina Mottern, Barbara Palmer, Carole Preston, James Smith, Sharon Smith, Don Korn, and Carlos Martinho as Class representatives and further appoints Hadley L. Matarazzo and James J. Bilsborrow as Co-Lead Class Counsel, and Eric H. Gibbs and Lynn A. Toops as Plaintiffs' Executive Committee. The Court denies Plaintiffs' motion for class certification in all other respects.
"[A]bsent class members . . . need not be given notice and opt-out rights pursuant to Rule 23(b)(2)." Amara v. CIGNA Corp., 775 F.3d 510, 519 (2d Cir. 2014). The Court accordingly sees no need for the parties to propose a plan for class notice at this time or to exclude from the class definition individuals who opt out. --------
The Court grants in part and denies in part the Excellus Defendants' motion for clarification. (Dkt. 376). Specifically, the Court clarifies that its prior holding that the four non-misuse Plaintiffs lack standing based on alleged mitigation efforts, overpayment for health insurance, and/or diminution in value of personal information remains intact, but otherwise denies the motion for clarification as going beyond the scope of the Court's prior orders.
The Court denies Defendants' motion to exclude the expert declarations of James Van Dyke and Gregory Allenby (Dkt. 417) and Plaintiffs' motion to exclude certain testimony of Defendants' experts Robert E. Anderson, Jr. and C. Federico Campbell (Dkt. 456) as moot.
The Court denies Plaintiffs' motion to strike the declaration of Excellus employee James Keddell and for sanctions. (Dkt. 446).
ELIZABETH A. WOLFORD
United States District Judge Dated: November 23, 2020
Rochester, New York