holding plaintiffs need only allege losses, not unreimbursed losses, for a cognizable injury in a Florida breach of implied contract claimSummary of this case from In re Brinker Data Incident Litig.
Benjamin Scott Thomassen, Jay Edelson, William C. Gray, Ari J. Scharg, Edelson McGuire, LLC, Chicago, IL, for Plaintiffs–Appellants. John Delionado, Paulo R. Lima, Hunton & Williams, LLP, Miami, FL, Neil K. Gilman, Hunton & Williams, LLP, Washington, DC, for Defendant–Appellee.
Benjamin Scott Thomassen, Jay Edelson, William C. Gray, Ari J. Scharg, Edelson McGuire, LLC, Chicago, IL, for Plaintiffs–Appellants. John Delionado, Paulo R. Lima, Hunton & Williams, LLP, Miami, FL, Neil K. Gilman, Hunton & Williams, LLP, Washington, DC, for Defendant–Appellee.
Appeal from the United States District Court for the Southern District of Florida.
Before WILSON, PRYOR and MARTIN, Circuit Judges.
WILSON, Circuit Judge:
Juana Curry and William Moore (collectively “Plaintiffs”) appeal the district court's dismissal of their Second Amended Complaint (“Complaint”) for failure to state a claim upon which relief may be granted. The district court held that among its other deficiencies, the Complaint failed to state a cognizable injury. We find that the complaint states a cognizable injury for the purposes of standing and as a necessary element of injury in Plaintiffs' Florida law claims. We also conclude that the Complaint sufficiently alleges the causation element of negligence, negligence per se, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty under Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007), and Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). The Complaint similarly alleges facts sufficient to withstand a motion to dismiss on the restitution/unjust enrichment claim. However, the Complaint fails to allege entitlement to relief under Florida law for the claims of negligence per se and breach of the implied covenant of good faith and fair dealing. We therefore reverse in part, affirm in part, and remand the case to the district court for further proceedings.
We state the facts as alleged in the Complaint, accept them as true, and construe them in the light most favorable to Plaintiffs. Lanfear v. Home Depot, Inc., 679 F.3d 1267, 1271 n. 4 (11th Cir.2012). AvMed, Inc. is a Florida corporation that delivers health care services through health plans and government-sponsored managed-care plans. AvMed has a corporate office in Gainesville, Florida, and in December 2009, two laptop computers were stolen from that office. Those laptops contained AvMed customers' sensitive information, which included protected health information, Social Security numbers, names, addresses, and phone numbers. AvMed did not take care to secure these laptops, so when they were stolen the information was readily accessible. The laptops were sold to an individual with a history of dealing in stolen property. The unencrypted laptops contained the sensitive information of approximately 1.2 million current and former AvMed members.
The laptops contained personal information of Juana Curry and William Moore. Plaintiffs are careful in guarding their sensitive information and had never been victims of identity theft before the laptops were stolen. Curry guards physical documents that contain her sensitive information and avoids storing or sharing her sensitive information digitally. Similarly, Moore guards physical documents that contain his sensitive information and is careful in the digital transmission of this information.
Notwithstanding their care, Plaintiffs have both become victims of identity theft. Curry's sensitive information was used by an unknown third party in October 2010—ten months after the laptop theft. Bank of America accounts were opened in Curry's name, credit cards were activated, and the cards were used to make unauthorized purchases. Curry's home address was also changed with the U.S. Postal Service. Moore's sensitive information was used by an unknown third party in February 2011—fourteen months after the laptop theft. At that time, an account was opened in Moore's name with E*Trade Financial, and in April 2011, Moore was notified that the account had been overdrawn.
In November 2010, five named plaintiffs seeking to represent the class of individuals whose information was stored on the unsecured laptops filed this case in Florida state court, captioned Jean Resnick et al. v. AvMed, Inc. AvMed removed the case to federal court pursuant to the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d) and filed a motion to dismiss for failure to state a claim. SeeFed.R.Civ.P. 12(b)(6). The initial plaintiffs then amended their complaint to address the identified deficiencies and filed a new complaint. The First Amended Complaint added Curry as a named plaintiff. AvMed again filed a motion to dismiss under Rule 12(b)(6), which the district court granted without prejudice on the ground that the plaintiffs failed to state a cognizable injury. Specifically, the district court reasoned that the plaintiffs sought to “predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft.” The court explicitly declined to analyze whether the plaintiffs' complaint failed to allege a cognizable injury for the purposes of standing, see Lujan v. Defenders of Wildlife, 504 U.S. 555, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992), or under state law, see Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir.2007). The court found that to the extent the plaintiffs alleged actual identity theft, they failed to satisfy the pleading standards established by the Supreme Court in Twombly. Plaintiffs then filed a Second Amended Complaint—the Complaint at issue in this appeal—in which they added Moore and dropped the original five named plaintiffs who did not allege actual identity theft.
In the Complaint at issue, Plaintiffs seek to represent the class of AvMed customers whose sensitive information was stored on the stolen laptops and a subclass of individuals whose identities have been stolen since the laptop theft. Plaintiffs brought seven counts against AvMed under Florida law. Plaintiffs allege that AvMed was negligent in protecting their sensitive information and negligent per se when it violated section 395.3025 of the Florida Statutes, which protects medical information. Plaintiffs also allege that AvMed breached its contract with Plaintiffs, and alternatively that AvMed breached its implied contract with Plaintiffs. In the alternative to the breach of contract claim, Plaintiffs also allege a claim for restitution/unjust enrichment. Finally, Plaintiffs allege that AvMed breached the implied covenant of good faith and fair dealing, and that AvMed breached the fiduciary duty it owed to Plaintiffs.
AvMed filed a motion to dismiss the Complaint for failure to state a claim, and the district court granted the motion, stating only that “[a]mong its other deficiencies, Plaintiffs' Second Amended Complaint again fails to allege any cognizable injuiry.” Plaintiffs appeal.
Prior to making an adjudication on the merits, we must assure ourselves that we have jurisdiction to hear the case before us. Anago v. Shaz, 677 F.3d 1272, 1275 (11th Cir.2012) (citing Arbaugh v. Y&H Corp., 546 U.S. 500, 514, 126 S.Ct. 1235, 1244, 163 L.Ed.2d 1097 (2006)). Litigants must show that their claim presents the court with a case or controversy under the Constitution and meets the “irreducible constitutional minimum of standing.” Lujan, 504 U.S. at 560, 112 S.Ct. at 2136. To fulfill this requirement, a plaintiff must show that:
(1) it has suffered an “injury in fact” that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.
Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–81, 120 S.Ct. 693, 704, 145 L.Ed.2d 610 (2000). “At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice” to establish standing. Lujan, 504 U.S. at 561, 112 S.Ct. at 2137.
Whether a party claiming actual identity theft resulting from a data breach has standing to bring suit is an issue of first impression in this Circuit. Plaintiffs allege that they have become victims of identity theft and have suffered monetary damages as a result. This constitutes an injury in fact under the law. Via Mat Int'l S. Am. Ltd. v. United States, 446 F.3d 1258, 1263 (11th Cir.2006) (finding economic harm sufficient to create standing); see also Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir.2008).
Some of our sister Circuits have found that even the threat of future identity theft is sufficient to confer standing in similar circumstances. Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir.2010) (finding an injury in fact where plaintiffs alleged a data breach and threat of identity theft, but no actual identity theft); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir.2007) (same). As Plaintiffs have alleged only actual—not speculative—identity theft, we need not address the issue of whether speculative identity theft would be sufficient to confer standing.
We must next determine whether Plaintiffs' injury is fairly traceable to AvMed's actions. A showing that an injury is “fairly traceable” requires less than a showing of “proximate cause.” Focus on the Family v. Pinellas Suncoast Transit Auth., 344 F.3d 1263, 1273 (11th Cir.2003). Even a showing that a plaintiff's injury is indirectly caused by a defendant's actions satisfies the fairly traceable requirement. Id. Plaintiffs allege that AvMed failed to secure their information on company laptops, and that those laptops were subsequently stolen. Despite Plaintiffs' personal habits of securing their sensitive information, Plaintiffs became the victims of identity theft after the unencrypted laptops containing their sensitive information were stolen. For purposes of standing, these allegations are sufficient to “fairly trace” their injury to AvMed's failures.
Finally, Plaintiffs must show that a favorable resolution of the case in their favor could redress their alleged injuries. Friends of the Earth, Inc., 528 U.S. at 180–81, 120 S.Ct. at 704. Plaintiffs allege a monetary injury and an award of compensatory damages would redress that injury. Plaintiffs have alleged sufficient facts to confer standing, and we now turn to the merits of their appeal.
We review a district court's dismissal of a complaint for failure to state a claim upon which relief may be granted de novo. Spain v. Brown & Williamson Tobacco Corp., 363 F.3d 1183, 1187 (11th Cir.2004).
AvMed contends that the Complaint fails to allege a cognizable injury under Florida law and that the Complaint fails to allege facts sufficient to establish causation under the federal pleading standards. We address each argument in turn.
AvMed contends that Plaintiffs' injuries are not cognizable under Florida law because the Complaint alleges only “losses,” not “unreimbursed losses.” This is a specious argument. On a motion to dismiss, we review the pleadings and draw “reasonable inference[s]” from the facts alleged. Iqbal, 556 U.S. at 678, 129 S.Ct. at 1949. Under the notice-pleading standard, we no longer require the hyper-technical code pleadings of ages past, see id. at 678–79, 129 S.Ct. at 1950, and we “draw on [our] judicial experience and common sense” when construing the allegations in a complaint, id. at 679, 129 S.Ct. at 1950.
The Complaint specifically alleges that both Curry and Moore suffered financial injury (D.E. 31 ¶¶ 47, 48, 49, 51, 63, 66); monetary loss is cognizable under Florida law for damages in contract, quasi-contract, negligence, and breach of fiduciary duty. See, e.g., Capitol Envtl. Servs., Inc. v. Earth Tech, Inc., 25 So.3d 593 (Fla.Dist.Ct.App.2009) (contract); Young v. Becker & Poliakoff, P.A., 88 So.3d 1002, 1006, 1008 (Fla.Dist.Ct.App.2012) (fiduciary duty). Plaintiffs have therefore alleged a cognizable injury under Florida law.
At the pleading stage, a complaint must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). Plaintiffs must plead all facts establishing an entitlement to relief with more than “labels and conclusions” or “a formulaic recitation of the elements of a cause of action.” Twombly, 550 U.S. at 555, 127 S.Ct. at 1965. The complaint must contain enough facts to make a claim for relief plausible on its face; a party must plead “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678, 129 S.Ct. at 1949 (citing Twombly, 550 U.S. at 570, 127 S.Ct. at 1965).
Following the approach suggested by the Supreme Court in Iqbal, we begin our analysis by identifying “pleadings that, because they are no more than conclusions, are not entitled to the assumption of truth.” 556 U.S. at 680, 129 S.Ct. at 1950. We then turn to the “well-pleaded factual allegations” and, assuming their veracity, “determine whether they plausibly give rise to an entitlement to relief.” Id.
First, we determine what must be pled for each cause of action. Plaintiffs brought seven counts against AvMed, all under Florida law. Of the seven causes of action alleged, Florida law requires a plaintiff to show that the defendant's challenged action caused the plaintiff's harm in six of them: negligence, negligence per se, breach of fiduciary duty, breach of contract, breach of contract implied in fact, and breach of the implied covenant of good faith and fair dealing. A negligence claim requires a plaintiff to show that (1) defendants owe plaintiffs a duty, (2) defendants breached the duty, (3) defendants' breach injured plaintiffs, and “(4) [plaintiffs'] damage [was] caused by the injury to the plaintiff as a result of the defendant's breach of duty.” Delgado v. Laundromax, Inc., 65 So.3d 1087, 1089 (Fla.Dist.Ct.App.2011) (emphasis added). Similarly, under Florida law, an action for negligence per se requires a plaintiff to show “violation of a statute which establishes a duty to take precautions to protect a particular class of persons from a particularly injury or type of injury.” Davis v. Otis Elevator Co., 515 So.2d 277, 278 (Fla.Dist.Ct.App.1987) (citing de Jesus v. Seaboard Coast Line R.R., 281 So.2d 198, 200–01 (Fla.1973)). As part of this showing, plaintiffs must establish “that the violation of the statute was the proximate cause of [their] injury.” de Jesus, 281 So.2d at 201 (emphasis added). The elements of a cause of action for breach of fiduciary duty in Florida include “damages flowing from the breach.” Crusselle v. Mong, 59 So.3d 1178, 1181 (Fla.Dist.Ct.App.2011).
Plaintiffs do not specify whether they intend to bring an action for breach of contract implied in law or implied in fact. The Complaint suggests that they intend to allege a contract implied in fact, and we analyze it as such. See D.E. 31 ¶¶ 118–119 (“In order to benefit from Defendant's healthcare plan, Plaintiffs ... disclosed Sensitive Information .... By providing that Sensitive Information and upon Defendant's acceptance of such information, Plaintiffs ... and Defendant ... entered into implied contracts ....”). To the extent Plaintiffs allege a contract implied in law, such contracts must be pled in the same way as unjust enrichment claims, discussed infra. See Hull & Co. v. Thomas, 834 So.2d 904, 906–07 (Fla.Dist.Ct.App.2003).
The contract claims also require a showing of causation. In Florida, a breach of contract claim requires a party to show that damages resulted from the breach. Rollins, Inc. v. Butland, 951 So.2d 860, 876 (Fla.Dist.Ct.App.2006). Florida courts use breach of contract analysis to evaluate claims of breach of contract implied in fact and breach of the covenant of good faith and fair dealing. See Baron v. Osman, 39 So.3d 449, 451 (Fla.Dist.Ct.App.2010) (per curiam) (contract implied in fact); Hospital Corp. of Am. v. Fla. Med. Ctr., Inc., 710 So.2d 573, 575 (Fla.Dist.Ct.App.1998) (per curiam) (implied covenant of good faith and fair dealing).
In Florida, whether a contract is implied in fact is “inferred from the facts and circumstances of the case.” Eskra v. Provident Life & Accident Ins. Co., 125 F.3d 1406, 1413 (11th Cir.1997).
In discussing causation, Plaintiffs allege that “AvMed's data breach caused [Plaintiffs'] identity theft,” that the facts Plaintiffs allege have “sufficiently shown that the data breach caused [the] identity theft,” and that “but for AvMed's data breach, [Plaintiffs'] identit[ies] would not have been stolen.” Although at this stage in the proceedings we accept plaintiffs' allegations as true, we are not bound to extend the same assumption of truth to plaintiffs' conclusions of law. Twombly, 550 U.S. at 555, 127 S.Ct. at 1965;see also Iqbal, 556 U.S. at 678, 129 S.Ct. at 1950. These claims state merely that AvMed was the cause of the identity theft—a conclusion we are not bound to accept as true.
We now consider the well-pleaded factual allegations relating to causation to determine whether they “plausibly suggest an entitlement to relief.” Iqbal, 556 U.S. at 681, 129 S.Ct. at 1951. The complaint alleges that, prior to the data breach, neither Curry nor Moore had ever had their identities stolen or their sensitive information “compromised in any way.” It further alleges that “Curry took substantial precautions to protect herself from identity theft,” including not transmitting sensitive information over the Internet or any unsecured source; not storing her sensitive information on a computer or media device; storing sensitive information in a “safe and secure physical location;” and destroying “documents she receives in the mail that may contain any of her sensitive information, or that contain any information that could otherwise be used to steal her identity, such as credit card offers.” Similarly, Moore alleges in the complaint that he “took substantial precautions to protect himself from identity theft,” including not transmitting unencrypted sensitive information over the internet or any other source, storing documents containing sensitive information “in a safe and secure physical location and destroy[ing] any documents he receives in the mail” that include either sensitive information or information that “could otherwise be used to steal his identity.” Plaintiffs became victims of identity theft for the first time in their lives ten and fourteen months after the laptops containing their sensitive information were stolen. Curry's sensitive information was used to open a Bank of America account and change her address with the United States Post Office, and Moore's sensitive information was used to open an E*Trade Financial account in his name.
Our task is to determine whether the pleadings contain “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Iqbal, 556 U.S. at 681, 129 S.Ct. at 1949 (quoting Twombly, 550 U.S. at 570, 127 S.Ct. at 1966.) A claim is facially plausible when the court can draw “the reasonable inference that the defendant is liable for the misconduct alleged” from the pled facts. Id. Taken as true, these factual allegations are consistent with Plaintiffs' conclusion that AvMed's failure to secure Plaintiffs' information caused them to become victims of identity theft. After thorough consideration, we conclude that the allegations are sufficient to cross the line from merely possible to plausible. See id.
Generally, to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence. In an unpublished opinion on summary judgment, the Ninth Circuit found that a plaintiff sufficiently showed a causal relationship where “(1) [plaintiff] gave [the defendant] his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing [defendant's] customers' personal information were stolen; and (3) [plaintiff had] previously not suffered any such incidents of identity theft.” Stollenwerk v. Tri–West Health Care Alliance, 254 Fed.Appx. 664, 667 (9th Cir.2007) (emphasis added). There, the court stated that these three facts, in conjunction with the inference a jury could make that the type of information stolen was the same type of information needed to open the fraudulent accounts, were sufficient to defeat a motion for summary judgment brought on the basis of a failure to establish causation. Id. at 667–68. Even with this close connection in time, the court recognized that allegations only of time and sequence are not enough to establish causation: “ purely temporal connections are often insufficient to establish causation .... [H]owever, proximate cause is supported not only by the temporal[ ] but also by the logical[ ] relationship between the two events.” Id. at 668 (citation omitted).
Plaintiffs in the present case have pled facts indicating causation similar to those pled in Stollenwerk, but the inferential leap they ask us to make from the initial data breach to the stolen identities includes a time span more than six times greater than the one in Stollenwerk. Rather than a six-week gap between the initial data breach and the identity theft, Plaintiffs here allege gaps of ten and fourteen months between the two events. As the Stollenwerk court stated, a mere temporal connection is not sufficient; Plaintiffs' pleadings must indicate a logical connection between the two incidents. Here, Plaintiffs allege a nexus between the two events that includes more than a coincidence of time and sequence: they allege that the sensitive information on the stolen laptop was the same sensitive information used to steal Plaintiffs' identity. (D.E. 31 ¶¶ 2, 41, 46, 61.) Plaintiffs explicitly make this connection when they allege that Curry's identity was stolen by changing her address and that Moore's identity was stolen by opening an E*Trade Financial account in his name because in both of those allegations, Plaintiffs state that the identity thief used Plaintiffs' sensitive information. (D.E. 31 ¶¶ 46, 61). We understand Plaintiffs to make a similar allegation regarding the bank accounts opened in Curry's name even though they do not plead precisely that Curry's sensitive information was used to open the Bank of America account. The Complaint states that Curry's sensitive information was on the unencrypted stolen laptop ( Id. ¶ 7), that her identity was stolen, and that the stolen identity was used to open unauthorized accounts ( Id. ¶ 44). Considering the Complaint as a whole and applying common sense to our understanding of this allegation, we find that Plaintiffs allege that the same sensitive information that was stored on the stolen laptops was used to open the Bank of America account. Thus, Plaintiffs' allegations that the data breach caused their identities to be stolen move from the realm of the possible into the plausible. Had Plaintiffs alleged fewer facts, we doubt whether the Complaint could have survived a motion to dismiss. However, Plaintiffs have sufficiently alleged a nexus between the data theft and the identity theft and therefore meet the federal pleading standards. Because their contention that the data breach caused the identity theft is plausible under the facts pled, Plaintiffs meet the pleading standardsfor their allegations on the counts of negligence, negligence per se, breach of fiduciary duty, breach of contract, breach of implied contract, and breach of the implied covenant of good faith and fair dealing.
Our interpretation of the Complaint is reasonable when considering the allegation contained two paragraphs later in paragraph 46, “Curry's sensitive information was also used to change her home address with the U.S. Postal Service.” Use of the word “also” indicates that Plaintiffs intended the allegation made in paragraph 44, that “Curry's identity was stolen and ... used” to mean that Curry's sensitive information was stolen and used.
Plaintiffs' unjust enrichment claim does not have a causation element, so we analyze the sufficiency of the Complaint on that claim separately. In the Complaint, Plaintiffs allege that AvMed cannot equitably retain their monthly insurance premiums—part of which were intended to pay for the administrative costs of data security—because AvMed did not properly secure Plaintiffs' data, as evinced from the fact that the stolen laptop containing sensitive information was unencrypted. AvMed argues that the district court correctly dismissed the Complaint because Plaintiffs' alleged injuries are not cognizable under the law and because Plaintiffs paid AvMed not for data security but for health insurance.
To establish a cause of action for unjust enrichment/restitution, a Plaintiff must show that “1) the plaintiff has conferred a benefit on the defendant; 2) the defendant has knowledge of the benefit; 3) the defendant has accepted or retained the benefit conferred; and 4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it.” Della Ratta v. Della Ratta, 927 So.2d 1055, 1059 (Fla.Dist.Ct.App.2006).
Plaintiffs allege that they conferred a monetary benefit on AvMed in the form of monthly premiums, that AvMed “appreciates or has knowledge of such benefit,” that AvMed uses the premiums to “pay for the administrative costs of data management and security,” and that AvMed “should not be permitted to retain the money belonging to Plaintiffs ... because [AvMed] failed to implement the data management and security measures that are mandated by industry standards.” Plaintiffs also allege that AvMed either failed to implement or inadequately implemented policies to secure sensitive information, as can be seen from the data breach. Accepting these allegations as true, we find that Plaintiffs alleged sufficient facts to allow this claim to survive a motion to dismiss.
AvMed argues that we can affirm the district court because the Complaint fails to allege an entitlement to relief under Florida law on each count. On review, we find that two of the pled causes of action do not allow Plaintiffs to recover under Florida law. We address only the two claims that fail: negligence per se, and breach of the covenant of good faith and fair dealing.
Plaintiffs allege that AvMed was negligent per se when it violated section 395.3025 of the Florida Statutes by disclosing “Plaintiffs' health information without authorization.” Plaintiffs state that this statute was enacted “to protect the confidentiality of medical information of Florida residents ... and expressly provides that a person's medical information must not be disclosed without his or her consent.” Plaintiffs contend that they are a part of the class of people the statute sought to protect and that the harm they suffered was the type of harm the statute sought to avoid, thereby concluding that AvMed was negligent per se.
Florida Statute section 395.3025(4) states that “[p]atient records are confidential and must not be disclosed without the consent of the patient.” This statute is contained in a chapter regulating the licensure,development, establishment, and minimum standard enforcement of hospitals, ambulatory surgical centers, and mobile surgical facilities. Fla. Stat. § 395.001. Because AvMed is an integrated managed-care organization and not a hospital, ambulatory surgical center, or mobile surgical facility, AvMed is not subject to this statute. See Hendley v. State, 58 So.3d 296, 298 (Fla.Dist.Ct.App.2011) (finding that Fla. Stat. § 395.3025 only applies to licensed facilities defined in § 395.002(16) and not to pharmacies). Section 395.3025 does not purport to regulate AvMed's behavior, and so AvMed's failure to comply with the statute cannot serve as a basis for a negligence per se claim.
While “every contract contains an implied covenant of good faith and fair dealing” under Florida law, a breach of this covenant—standing alone—does not create an independent cause of action. Centurion Air Cargo, Inc. v. United Parcel Serv. Co., 420 F.3d 1146, 1151 (11th Cir.2005). The duty of good faith must “relate to the performance of an express term of the contract and is not an abstract and independent term of a contract which may be asserted as a source of breach when all other terms have been performed pursuant to the contract requirements.” Ins. Concepts & Design, Inc. v. Healthplan Servs., Inc., 785 So.2d 1232, 1235 (Fla.Dist.Ct.App.2001) (per curiam) (emphasis omitted) (quoting Hospital Corp. of Am. v. Fla. Med. Center, Inc., 710 So.2d 573, 575 (Fla.Dist.Ct.App.1998)). A claimant asserting a cause of action for breach of the implied covenant must allege “a failure or refusal to discharge contractual responsibilities, prompted not by an honest mistake, bad judgment or negligence; but, rather by a conscious and deliberate act, which unfairly frustrates the agreed common purpose and disappoints the reasonable expectations of the other party.” Tiara Condo. Ass' n, Inc. v. Marsh & McLennan Cos., Inc., 607 F.3d 742, 747 (11th Cir.2010) (applying Florida law) (quoting Shibata v. Lim, 133 F.Supp.2d 1311, 1319 (M.D.Fla.2000)).
Plaintiffs here allege that AvMed breached the express provision of the service contract, which required AvMed “to ensure the ‘confidentiality of information about members' medical health condition being maintained by the Plan and the right to approve or refuse the release of member specific information including medical records, by AvMed, except when the release is required by law.’ ” However, Plaintiffs do not allege that AvMed's failures to secure their data resulted from a “conscious and deliberate act, which unfairly frustrates the agreed common purpose” as required under Florida law. Id.
From the language used in the Complaint—that AvMed “did not honor” its obligations and that it “failed to safeguard[,] ... fail[ed] to promptly and sufficiently notify[,] ... [and] fail[ed] to fully comply with the proscriptions of applicable statutory law”—we do not understand Plaintiffs to allege that AvMed's shortcomings were conscious acts to frustrate the common purpose of the agreement. We find therefore that AvMed failed to meet the pleading standard in this claim as well.
In this digital age, our personal information is increasingly becoming susceptible to attack. People with nefarious interests are taking advantage of the plethora of opportunities to gain access to our private information and use it in ways that cause real harm. Even though the perpetrators of these crimes often remain unidentified and the victims are left to clean up the damage caused by these identity thieves, cases brought by these victims are subject to the same pleading standards as are plaintiffs in all civil suits. Here, Plaintiffs have pled a cognizable injury and have pled sufficient facts to allow for a plausible inference that AvMed's failures in securing their data resulted in their identities being stolen. They have shown a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence. However, the Complaint fails to sufficiently allege an entitlement to relief under Florida law on the allegations of negligence per se and breach of the implied covenant of good faith and fair dealing. We therefore affirm in part, reverse in part, and remand to the district court for further proceedings.
AFFIRMED IN PART, REVERSED IN PART, AND REMANDED. PRYOR, Circuit Judge, dissenting:
I agree with the majority opinion that Curry and Moore have standing to sue, but Curry and Moore's complaint should be dismissed for failure to state a claim. Their complaint fails to allege a plausible basis for finding that AvMed caused them to suffer identity theft, and their claim of unjust enrichment fails as a matter of law.
Because of the paucity of well-pleaded facts about the cause of the identity thefts, the majority opinion “doubt[s] whether the Complaint could have survived a motion to dismiss” if Curry and Moore had “alleged fewer facts,” Majority Opinion at 17, but Curry and Moore's threadbare allegations about causation fail to “nudge[ ] [the] claims” relating to identity theft “across the line from conceivable to plausible,” Ashcroft v. Iqbal, 556 U.S. 662, 680, 129 S.Ct. 1937, 1951, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 1974, 167 L.Ed.2d 929 (2007)). “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Id. at 678, 129 S.Ct. at 1949 (quoting Twombly, 550 U.S. at 570, 127 S.Ct. at 1974). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 556, 127 S.Ct. 1955, 167 L.Ed.2d 929). “Where a complaint pleads facts that are ‘merely consistent with’ a defendant's liability, it ‘stops short of the line between possibility and plausibility of ‘entitlement to relief.’ ' ” Id. (quoting Twombly, 550 U.S. at 557, 127 S.Ct. at 1955). “[C]ourts may infer from the factual allegations in the complaint ‘obvious alternative explanation[s],’ which suggest lawful conduct rather than the unlawful conduct the plaintiff would ask the court to infer.” Am. Dental Ass'n v. Cigna Corp., 605 F.3d 1283, 1290 (11th Cir.2010) (quoting Iqbal, 556 U.S. at 682, 129 S.Ct. at 1951–52).
The parties do not dispute that laptops containing the sensitive information of Curry and Moore was stolen from AvMed, but Curry and Moore's second amended complaint fails to plead enough facts to allow a factfinder to draw a reasonable inference that the sensitive information identity thieves used to open the fraudulent accounts in the plaintiffs' names was obtained from AvMed. In an attempt to bridge this gap, Curry and Moore allege that they have both been very careful to protect their sensitive information. For example, Curry alleges that she “destroys any documents she receives in the mail that contain any of her Sensitive Information, or that contain any information that could otherwise be used to steal her identity, such as credit card offers,” Compl. ¶ 55, and Moore alleges that he “destroys any documents he receives in the mail that contain any of his Sensitive Information, or that contain any information that could otherwise be used to steal his identity,” Compl. ¶ 71. But the manner in which Curry and Moore care for the sensitive information they receive from third parties tells us nothing about how the third parties care for that sensitive information before or after they send it to Curry and Moore.
The factual allegations in the second amended complaint present obvious alternative explanation[s], Am. Dental Ass'n, 605 F.3d at 1290 (quoting Iqbal, 556 U.S. at 682, 129 S.Ct. at 1951–52) (internal quotation marks omitted), regarding the cause of the identity theft that Curry and Moore suffered. An unscrupulous third party that possessed the sensitive information of Curry and Moore might have sold that information to the identity thieves who opened the fraudulent accounts or a careless third party might have lost the information that then found its way into the hands of the identity thieves. Although it is conceivable that the unknown identity thieves used the sensitive information stolen from AvMed to open the fraudulent accounts, it is equally conceivable, in the light of the facts alleged in the complaint, that the unknown identity thieves obtained the information from third parties. Curry and Moore do not allege any facts that make it plausible that the unknown identity thieves who opened the fraudulent accounts obtained the sensitive information necessary to do so from AvMed.
The majority opinion attempts to salvage the complaint by asserting that it alleges that the sensitive information used to steal Curry and Moore's identities was obtained from AvMed, Majority Opinion at 16, but the complaint alleges no such thing. The majority opinion cites six paragraphs of the complaint to support its conclusion that the complaint plausibly alleges that the sensitive information used to steal Curry and Moore's identities was obtained from the stolen laptops:
• On or about December 10, 2009, two unencrypted laptop computers were stolen from AvMed's Gainesville, Florida corporate office.... The laptops contained private, personal information including, but not limited to, protected health information ..., Social Security numbers ..., medical information and other information (collectively, “Sensitive Information”) of approximately 1.2 million AvMed enrollees;
• As a result of AvMed's failure to implement and follow basic security procedures, Plaintiffs' Sensitive Information is now in the hands of thieves. Plaintiffs now face a substantial increased risk of identity theft; in fact, Curry and Moore have already experienced repeated instances of identity theft since the data breach ....
• Curry's Sensitive Information was contained on an unprotected and unencrypted laptop computer that was stolen in the data breach. As a result of the data breach, Curry's identity was stolen.
• Curry's identity was stolen and, in or around October 2010, it was used to open bank accounts with Bank of America and activate cards in her name;
• Curry's Sensitive Information was also used to change her home address with the U.S. Postal Service;
• The E*Trade Financial bank account was opened by an individual using Moore's Sensitive Information.
Compl. ¶¶ 2, 3, 7, 44, 46, & 61; see also Majority Opinion at 1617. But these paragraphs do not plausibly allege that the identity thieves gained access to Curry and Moore's sensitive information from the stolen laptops. At most, the complaint alleges that AvMed lost Curry and Moore's sensitive information on December 10, 2009, and about a year later, unidentified third parties obtained unspecified sensitive information from an unidentified source and used that unspecified information to engage in identity theft. The complaint, in the words of the majority opinion, alleges nothing “more than a coincidence of time and sequence.” Majority Opinion at 16.
The majority opinion assures us that Curry and Moore have, in fact, alleged something “more than a coincidence of time and sequence” between the stolen laptops and the identity thefts because “Plaintiffs state that the identity thief used Plaintiffs' sensitive information” to open the fraudulent accounts, id., but that circular reasoning fails. No one disputes that unknown identity thieves used the plaintiffs' sensitive information to open fraudulent accounts in their names. The dispute is whether the unknown identity thieves obtained that sensitive information from the laptops stolen from AvMed.
The complaint fails to allege a plausible basis for inferring that the unknown identity thieves obtained the sensitive information of Curry and Moore from AvMed. The complaint, for example, does not allege that only AvMed possessed the sensitive information used to open the fraudulent accounts. The complaint does not even allege what sensitive information was used to open financial accounts in the plaintiffs' names. The complaint alleges, for example, that the sensitive information stolen from AvMed included health and medical information, but the complaint fails to allege that this kind of information was used to open financial accounts in the plaintiffs' names.
“Determining whether a complaint states a plausible claim for relief [is] a context-specific task that requires the reviewing court to draw on its judicial experience and common sense,” Iqbal, 556 U.S. at 679, 129 S.Ct. at 1950, and that experience reveals that vast numbers of individuals, businesses, and governmental bodies possess our sensitive information, e.g., our names, social security numbers, health information, and other personal data. Technology allows this information to be copied quickly and transmitted over the Internet in an instant. Because of the nature of sensitive information—a social security number and a name are the same regardless of who possesses that information—it may be difficult to pinpoint the source of the sensitive information that is used to commit identity theft. But that difficulty does not relieve Curry and Moore of their burden under Rule 8 to plead a plausible basis for inferring that the sensitive information used by the identity thieves was obtained from AvMed.
The complaint also fails to state a claim of unjust enrichment under Florida law. “Florida courts have held that a plaintiff cannot pursue a quasi-contract claim for unjust enrichment if an express contract exists concerning the same subject matter.” Diamond S Dev. Corp. v. Mercantile Bank, 989 So.2d 696, 697 (Fla.Dist.Ct.App.2008); see also Am. Safety Ins. Serv., Inc. v. Griggs, 959 So.2d 322, 331 (Fla.Dist.Ct.App.2007) (“A plaintiff may recover under quasi-contract where there is no express or implied-in-fact contract, but the defendant received something of value or benefited from the service supplied.”). The parties do not dispute that they entered into an enforceable contract; they dispute whether the contract has been breached. In that circumstance, a claim of unjust enrichment cannot be maintained.
I respectfully dissent.