Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 1 of 27 PageID #: 90 IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF MISSOURI EASTERN DIVISION TINA GRANT, individually and on behalf of all others similarly situated ) ) ) ) ) ) ) ) ) ) ) Plaintiff, v. EQUIFAX WORKFORCE SOLUTIONS a/k/a TALX CORPORATION, Defendant. BETZALEL YOCHANAN, individually and on behalf of all others similarly situated, Plaintiff, v. EQUIFAX WORKFORCE SOLUTIONS a/k/a TALX CORPORATION, Defendant. ) ) ) ) ) ) ) ) ) ) ) CASE NO: 4:16-cv-00696 Judge Catherine D. Perry CASE NO: 4:16-cv-00843 DEFENDANT EQUIFAX WORKFORCE SOLUTIONS’ MEMORANDUM IN SUPPORT OF MOTION TO DISMISS Equifax Workforce Solutions (“EWS”) provides its W-2 eXpress service to The Kroger Company (“Kroger”), which permits Kroger employees to access and view their W-2 information online. During the 2015 tax year, unidentified criminals accessed the W-2 information of a number of Kroger employees using the default log-in information of those Kroger employees. Within thirteen days following Kroger’s announcement of this unauthorized access, and despite having no evidence of any unauthorized access to their own W-2 information and no actual injuries, two Kroger employees, Plaintiffs Tina Grant and Betzalel Yochanan, filed 1 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 2 of 27 PageID #: 91 putative class action complaints against EWS. Those complaints were consolidated into this single lawsuit, which EWS now moves to dismiss in its entirety. First, dismissal with prejudice is appropriate because Plaintiffs do not have standing to sue under Article III of the U.S. Constitution, a conclusion that is clear under recent authority from both this Court and the U.S. Supreme Court. Neither Grant nor Yochanan specifically alleges that their own W-2 information was stolen or even inappropriately accessed. And, despite numerous allegations of hypothetical harm that individuals, including Plaintiffs, may suffer one day, Plaintiffs fail to allege a single, concrete injury that they actually suffered or will suffer imminently. This Court has consistently rejected these types of hypothetical injuries as insufficient to establish standing, including in a recent data breach case in which the plaintiffs specifically alleged that their information was stolen. See Duqum v. Scottrade, Inc., 4:15-cv01537-SPM, ECF No. 79 (E.D. Mo. July 12, 2016), attached as Exhibit A. Here, Plaintiffs’ allegations fall even shorter. They do not specifically allege their information was stolen or any actual or imminent injury, much less one fairly traceable to EWS’ conduct. As in Scottrade, this Court should dismiss Plaintiffs’ Complaints. Second, in the alternative, dismissal is appropriate because the two claims in the Grant Complaint and the five claims in the Yochanan Complaint are legally insufficient on their face for the following reasons: • The negligence claims in both Complaints are barred by the economic loss rule; • In addition to not identifying any actual injury, the negligence claims do not identify any duty that EWS owed Plaintiffs, who are Kroger employees and who have no contractual relationship with EWS; 2 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 3 of 27 PageID #: 92 • The unjust enrichment claims do not allege any benefit that was directly conferred on EWS by Plaintiffs; • Yochanan’s claim under the Georgia data breach notification statute fails because it does not provide a private cause of action; and • Yochanan’s demands for declaratory and injunctive relief fail because they are duplicative and inconsistent with the remaining claims in his Complaint and seek relief for alleged past wrongs. FACTUAL AND PROCEDURAL BACKGROUND EWS provides various human resources, payroll, tax management, and compliance products and services such as W-2 eXpress to Kroger. See Grant Compl. ¶ 1; Yochanan Compl. ¶ 1. 1 On May 5, 2016, Kroger informed its employees that criminals gained access to W-2 eXpress information for certain Kroger employees by using the default log-in for those employees. Grant Compl. at ¶¶ 2, 9, 40 (Kroger stated that “[w]e believe individuals gained access to some Kroger associates’ electronic W-2 forms”) (emphasis added); see also Yochanan Compl. ¶¶ 1, 14. The W-2 information purportedly included employees’ full names, addresses, zip codes, dates of birth, wages, and Social Security numbers. Grant Compl. ¶ 2. Kroger has stated that the default log-in information was “likely ‘obtained from some other source’” (Grant Compl. ¶ 12), and Plaintiffs have not alleged that the information was obtained from EWS. Just two weeks later, on May 18, 2016, Plaintiff Tina Grant filed a putative class action complaint in this Court against EWS, alleging that EWS failed to implement sufficient security 1 As is required for this Motion to Dismiss, EWS treats the specific factual allegations of the Complaints as true. Wolfchild v. Redwood Cnty., Nos. 15-1580, 15-2375, 15-3225, 15-3277, 2016 WL 3082341, at *2 (8th Cir. June 1, 2016). EWS, however, denies any wrongdoing and will challenge the veracity of specific allegations if the litigation proceeds beyond the motion to dismiss stage. 3 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 4 of 27 PageID #: 93 measures to protect employee information and bringing claims for negligence and unjust enrichment. See generally Grant Compl. Shortly afterward, on May 24, 2016, Plaintiff Yochanan filed a similar putative class action complaint against EWS in the Northern District of Georgia, which Yochanan subsequently dismissed without prejudice and refiled in this Court. Plaintiff Yochanan’s current Complaint contains similar conclusory allegations and brings claims for negligence, unjust enrichment, negligence per se, declaratory and injunctive relief, and a claim under the Georgia data breach statute. See generally Yochanan Compl. Plaintiffs do not allege that any unauthorized access to W-2 information was the result of, for example, a phishing incident or a hack of the W-2 eXpress computer systems. Moreover, while alleging that only some Kroger employee W-2 information was accessed without authorization, Plaintiffs do not specifically allege that their W-2 information was accessed on W-2 eXpress without authorization. Shortly after Plaintiffs initially filed their lawsuits, on approximately May 27, 2016, Kroger stated that it had notified 13,000 current and former employees of potentially suspicious activity involving their W-2 information, but that the number of affected individuals is less than 13,000. 2 In the Complaint Plaintiff Yochanan filed in this Court on June 14, 2016, he fails to mention that Kroger has stated that the universe of potentially affected individuals is less than 13,000, and does not allege that he is within the group of 13,000. Nor has Plaintiff Grant amended her Complaint to allege that she is within that group. On July 8, 2016, this Court consolidated the Grant and Yochanan Complaints on the parties’ joint motion. See ECF No. 17. As described further below, the Grant and Yochanan 2 See http://www.ajc.com/news/business/equifax-sued-over-theft-of-kroger-workersinfo/nrWRk/. See also Barron v. South Dakota, No. CIV 09-4111, 2010 WL 9524819, at *3 (D. S.D. Sept. 30, 2010) (courts may consider publications as evidence of what is in the public realm at the time). 4 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 5 of 27 PageID #: 94 Complaints list numerous injuries that the Plaintiffs or others may suffer at some point in the future, but fail to allege any actual unauthorized access or any actual or imminent injuries. As described in detail below, none of these speculative and hypothetical injuries are sufficient to establish standing and, in any event, all of the alleged claims are insufficient on their face. LEGAL STANDARD EWS moves to dismiss the Grant and Yochanan Complaints for lack of subject-matter jurisdiction. Fed. R. Civ. P. 12(b)(1). To survive a Rule 12(b)(1) motion to dismiss, Plaintiffs must “‘clearly . . . allege facts demonstrating’ each element” of Article III standing. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016); Bray v. Bank of Am., N.A., No. 4:14-CV-1336-CEJ, 2016 WL 687818, at *2 (E.D. Mo. Feb. 19, 2016) (“The plaintiff bears the burden of establishing standing.”); Wallace v. ConAgra Foods, Inc., 747 F.3d 1025, 1030 (8th Cir. 2014) (“Article III requires ‘an injury [to] be concrete, particularized, and actual or imminent.’”) (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010)). In the alternative, EWS moves to dismiss the Grant and Yochanan Complaints for failure to state a claim for relief. Fed. R. Civ. P. 12(b)(6). The Complaints must state “a claim to relief that is plausible on its face,” meaning the allegations must consist of more than “ʻlabels and conclusions,’ . . . ‘a formulaic recitation of the elements of a cause of action,’ . . . or ‘naked assertion[s]’ devoid of ‘further factual enhancement.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A claim is facially plausible “‘when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.’” Blue Buffalo Co. Ltd. v. Nestlé Purina Petcare Co., No. 4:15 CV 384 RWS, 2016 WL 3227676, at *2 (E.D. Mo. June 13, 2016) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). “While 5 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 6 of 27 PageID #: 95 factual matter must be accepted as true, courts will not presume conclusory statements to be true.” Blue Buffalo, 2016 WL 3227676, at *2. ARGUMENT I. BECAUSE PLAINTIFFS FAIL TO SPECIFICALLY ALLEGE THEIR W-2 INFORMATION WAS STOLEN OR ANY ACTUAL INJURY, THEY LACK STANDING TO BRING THEIR CLAIMS. Plaintiffs filed their Complaints against EWS despite having no evidence or specific allegations that their W-2 information was actually accessed or stolen by third-party criminals. Instead, Plaintiffs rest their claims on alleged injuries that they and purported class members “may” suffer if their information was accessed, which is insufficient to establish the required concrete injury-in-fact to invoke standing in federal court. A. Plaintiffs Fail to Specifically Allege Their W-2 Information Was Stolen. Neither Plaintiff has specifically plead that their own W-2 information was accessed or stolen by third-party criminals. The Complaints contain only general and conclusory allegations that W-2 information was “accessed” or “stolen” or “compromised,” but neither Grant nor Yochanan specifically allege that their own W-2 information was accessed or stolen. See, e.g., Grant Compl. ¶ 57; Yochanan Compl. ¶ 26. Indeed, Plaintiff Grant concedes that her information only “may” have been compromised. Grant Compl. ¶ 4. Plaintiff Yochanan fails to even specifically plead any allegations that his information was or could have been compromised. If Plaintiffs have no evidence that their own W-2 information was actually accessed or stolen, they were presumably not even affected by these criminals and certainly could not have suffered an injury that meets the constitutional requirements for Article III standing. Clapper v. 6 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 7 of 27 PageID #: 96 Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013) (a plaintiff must plausibly demonstrate that she has suffered an injury). B. Even if Plaintiffs Specifically Plead Their W-2 Information Was Stolen, Plaintiffs Fail to Plead An Injury-in-Fact. To establish Article III standing, a plaintiff must plausibly demonstrate that she has suffered an injury that is (1) “concrete, particularized, and actual or imminent”; (2) “fairly traceable to the challenged action”; and (3) “redressable by a favorable ruling.” Clapper, 133 S. Ct. at 1147; see also Spokeo, 136 S. Ct. at 1547, 1549 (“Injury in fact is a constitutional requirement” that “requires a concrete injury even in the context of a statutory violation”). Plaintiffs fail to meet all three constitutional requirements, and each failure warrants dismissal of their claims. 1. Plaintiffs Allege Only Speculative and Hypothetical Injuries. Throughout both Complaints, Plaintiffs allege various purported injuries, which can be broken down into three categories and all of which are insufficient to establish standing: (1) hypothetical and speculative injuries that Plaintiffs might suffer in the future; (2) hypothetical and speculative harm that identity thieves might do to unspecified individuals in the future; and (3) hypothetical and speculative harm that would allegedly be suffered by “members of the class” in the future, but not by Plaintiffs themselves. Even if Plaintiffs’ W-2 information was accessed by criminals, which they do not specifically allege, none of these claimed injuries meet the constitutional requirement for an injury-in-fact to be “concrete, particularized, and actual or imminent.” Clapper, 133 S. Ct. at 1147; see also Wallace, 747 F.3d at 1031 (“Time and again the Supreme Court has reminded lower courts that speculation and conjecture are not injuries cognizable under Article III.’”). 7 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 8 of 27 PageID #: 97 a. Hypothetical and Speculative Injuries That Plaintiffs Might Suffer in the Future The Complaints allege various injuries that the Plaintiffs may suffer at an unknown point in the future or are at “risk” of suffering at some point in the future. For example: • Plaintiff now “face(s) a real and immediate risk of identity theft and other problems associated with the disclosure of [her] SSN, and will need to monitor [her] credit and tax filings for an indefinite duration.” Grant Compl. ¶ 37. • Plaintiff has been “exposed to fraud and a heightened and imminent risk of fraud and identity theft”; Plaintiff “must now and in the future closely monitor” financial accounts, . . . “may be faced with fraudulent debt” or may “incur costs” for “protective measures.” Grant Compl. ¶ 41. • Plaintiff has been “exposed to fraud, identity theft, and financial harm” and to “a substantial, heightened, and imminent risk of such harm in the future.” Yochanan Compl. ¶ 5. • Plaintiff is subject to a “substantial, increased, concrete risk of identity theft.” Yochanan Compl. ¶ 24. • “[E]xposure to a heightened, imminent risk of fraud, identity theft, and financial harm.” Yochanan Compl. ¶ 63. None of these allegations amount to any injury suffered by Plaintiffs. While an “imminent” injury may establish Article III standing, “it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes – that the injury is certainly impending.” Clapper, 133 S. Ct. at 1147. Simply labeling future injury as “imminent” does not make it so. Plaintiffs’ allegations that their information may have been compromised combined with their allegations that they “may” suffer or are “at risk” of suffering various future injuries are at best “ʻ[a]llegations of possible future injury’ [which] are not sufficient.” Id. This Court has twice rejected such claimed injuries, finding them insufficient to establish an injury-in-fact. In Scottrade, 4:15-cv-01537-SPM, ECF No. 79 (Ex. A), the plaintiffs alleged they suffered several categories of injury as a result of a data breach. First, unlike here, the plaintiffs alleged that there was a hack into Scottrade’s computer systems and their information 8 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 9 of 27 PageID #: 98 was actually stolen. Id. at 2-3. Second, this Court noted that the plaintiffs did not allege that any of the stolen personal information had actually “been used to commit any identity theft, fraud, or any other act that has resulted in harm to any plaintiff,” and did not allege any facts that hackers intended to commit such acts. Id. at 10. Because it could not “determine whether Plaintiffs will suffer harm in the future without engaging in considerable speculation about the hackers’ possible intentions and future actions,” this Court held that such speculative allegations were insufficient to demonstrate an injury in fact. Id. at 10-13. Likewise, in Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1049 (E.D. Mo. 2009), the plaintiff alleged that he suffered several categories of injury as a result of a data breach. Like Grant and Yochanan, the plaintiff did not claim that “his personal information [had] in fact been stolen and/or his identity compromised,” but only that he “faces an increased risk of identity theft at an unknown point in the future.” Id. at 1052. As a result, this Court held that the plaintiff’s injuries were not “imminent” and thus not sufficient to establish standing. Id. (“Where the timing and type of injury cannot be determined, such abstract injuries do not provide the injury-in-fact required for Article III standing”). As in both Scottrade and Amburgy, “many ʽif’s’ would have to come to pass” for Plaintiffs to suffer any injuries, much less the injuries alleged here. Amburgy, 671 F. Supp. 2d at 1053; see also Scottrade, at 10. Plaintiffs Grant and Yochanan may suffer harm only if the criminals actually accessed their W-2 information; “if the [criminals] actually intend to use Plaintiffs’ PII to commit identity theft, fraud, or some other act that might harm Plaintiffs; if the [criminals] attempt to use the PII to commit such identity theft, fraud, or other act; if they actually succeed in doing so; and if the identity theft, fraud, or other act causes harm to the Plaintiffs.” Scottrade at 10. This “considerable speculation” and “multiple if’s squarely place” 9 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 10 of 27 PageID #: 99 Plaintiffs’ claimed injuries in the “realm of the hypothetical,” and are insufficient to confer standing. Amburgy, 671 F. Supp. 2d at 1053. Further, Plaintiff Yochanan’s allegation that he “enrolled in identity theft protection services at a monthly cost to him of $9.99 per month,” is insufficient to establish an injury-infact. Yochanan Compl. ¶ 9. 3 These expenses were incurred to prevent future harm, and Yochanan “cannot manufacture standing merely by inflicting harm on [himself] based on [his] fears of hypothetical future harm that is not certainly impending.” Clapper, 133 S. Ct. at 1151; see also Scottrade at 14 (“[B]ecause the Court has already found that Plaintiffs’ increased risk of identity theft or fraud is [sic] does not constitute an imminent harm, the cost of monitoring for that risk or mitigating that risk cannot constitute injury in fact.”); In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *4 (N.D. Ill. Sept. 3, 2013) (finding that allegations of “actual injury in the form of time spent mitigating an increased risk of identity theft or fraud is insufficient to establish standing”). 4 b. Hypothetical and Speculative Harm That Identity Thieves Might Do To Unspecified Individuals in the Future The Complaints also allege various injuries that unidentified individuals may suffer at the hands of unidentified “identity thieves.” For example: • “Identity thieves can use the W-2 information . . . to perpetrate a wide variety of crimes.” Grant Compl. ¶ 31. 3 Grant has not alleged that she is currently taking any measures to monitor her credit or incurring costs to do so. 4 Nor do Plaintiffs’ allegations of “diminution in value of [] personal information” constitute an injury in fact. See Grant Compl. ¶ 42(f); Yochanan Compl. ¶ 63. Plaintiffs do not allege any facts showing that their personal information was actually accessed or how their personal information is less valuable as a result of any such access. This Court, like most courts, found such bare and hypothetical allegations insufficient to establish injury-in-fact. Scottrade at 16-18. 10 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 11 of 27 PageID #: 100 • “[P]ermits identity thieves to commit other types of fraud including signing up for fraudulent credit cards and loan accounts, . . . types of government fraud, . . . [and] false insurance claims.” Grant Compl. ¶ 33. • “[V]ery strong probability that those impacted by the Data Breach could be at a risk of fraud and identity theft . . . .” Grant Compl. ¶ 40. • “[I]dentity thieves can commit a variety of crimes that harm victims of the Data Breach.” Yochanan Compl. ¶ 4. • “Criminals frequently use Social Security numbers to create false bank accounts, file fraudulent tax returns, and incur credit in the victim’s name.” Yochanan Compl. ¶ 25. But Plaintiffs do not allege that they, or any specific individuals, suffered these injuries. Such vague allegations are a far cry from a “concrete, particularized, and actual or imminent” injury to establish standing. Clapper 133 S. Ct. at 1147. For an injury to be “particularized, it must affect the plaintiff in a personal and individual way.” Scottrade at 5. Plaintiffs’ allegations are insufficient to establish an injury-in-fact. c. Hypothetical and Speculative Harm That Would Allegedly Be Suffered by “Members of the Class” in the Future, But Not by Plaintiffs Themselves. The Complaints’ last category of purported injuries involves hypothetical future harm “suffered by members of the Class” (purported classes Plaintiffs cannot represent), including “[l]oss or delay of tax refunds,” “[t]heft of [] valuable personal and [W-2] information,” “[c]osts associated with time spent and the loss of productivity,” “impairment of [] credit scores,” and “loss of use of and access to their financial accounts and/or credit.” Grant Compl. ¶ 42; Yochanan Compl. ¶ 26. Nowhere in the Complaints do Plaintiffs allege that they suffered these claimed injuries or even provide an example of a putative class member that suffered them. For class claims to proceed, the “district court must determine that at least one named class representative has Article III standing to raise each class” claim. Prado-Steiman ex. rel. Prado v. 11 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 12 of 27 PageID #: 101 Bush, 221 F.3d 1266, 1279 (11th Cir. 2000); see also Brown v. Sibley, 650 F.2d 760, 771 (5th Cir. 1981) (a “named plaintiff cannot acquire standing to sue by bringing his action on behalf of others who suffered injury which would have afforded them standing had they been named plaintiffs”). Such vague allegations, without any allegation that Plaintiffs suffered the claimed injuries, are insufficient. The hypothetical and future injuries that “may” happen at some unknown date alleged by Plaintiffs are exactly the type that courts, including this Court, have rejected repeatedly as insufficient to support standing. 2. Plaintiffs’ Alleged Injuries Are Not Fairly Traceable To Any EWS Action. Even if Plaintiffs’ W-2 information was actually accessed and stolen, which they have not specifically alleged, any such access would be by third party criminals and not “fairly traceable to the challenged action” of EWS. Clapper, 133 S. Ct. at 1147. Similarly, any potential, future injuries would be fairly traceable, if they were to occur, to criminal actions by third parties independent from EWS. Courts should be reluctant “to endorse standing theories that rest on speculation about the decisions of independent actors.” Id. at 1150. Moreover, as described above, Plaintiffs’ allegations depend on a “highly attenuated chain of possibilities” and multiple “ifs.” See supra at Section I(B)(1). Each of these possibilities --- or “ifs” --- would depend on an action taken by a third-party criminal that cannot be traced to any action by EWS. This “speculative chain of possibilities” does not satisfy the traceability requirement. Clapper, 133 S. Ct. at 1150; In re: Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 31-32 (D. D.C. 2014) (holding that plaintiffs’ allegations that a breach made it more likely that criminals would steal personal information did not plausibly allege that identity theft was fairly traceable to data breach); Peters 12 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 13 of 27 PageID #: 102 v. St. Joseph Servs. Corp., 74 F. Supp. 3d 847, 857 (S.D. Tex. 2015) (holding that allegations of identity theft did not meet the traceability requirement because the allegations “[f]ailed to account for the sufficient break in causation caused by opportunistic third parties”). 3. Plaintiffs’ Claimed Injuries Are Not Redressable By A Favorable Ruling. Plaintiffs also fail to establish the third requirement for standing, redressability. Clapper 133 S. Ct. at 1147. Should any of the alleged future injuries occur to Plaintiffs, each of those actions would have been taken by an independent third-party criminal. The Court cannot control any damage or loss that may or may not occur by actions of these third parties who are not before the Court. Peters, 74 F. Supp. 3d at 857 (holding that it “is not likely that a favorable decision from this Court would redress the harm” plaintiff has experienced when the court could not prevent third parties not before the Court from using the information nor could the court “otherwise disgorge them of her personal information” and the plaintiff failed to allege “any quantifiable damage or loss she has suffered as a result of the Data Breach”). C. Plaintiffs Lack Standing to Bring Their Class Claims. Because Plaintiffs put forth no specific allegations that their W-2 information was actually accessed or stolen, not only do they lack Article III standing, Plaintiffs cannot represent the purported classes they allege in their Complaints. Despite having no specific evidence or allegations of their information being accessed, Plaintiffs seek to represent classes of individuals whose W-2 information was, in fact, accessed by third-party criminals. See Grant Compl. ¶ 43 (purporting to represent a nationwide class of employees whose personal information was “accessed by unauthorized individuals”); Yochanan Compl. ¶¶ 34-35 (purporting to represent nationwide and state sub-classes of “natural persons and entities” whose “personally identifiable information was acquired by unauthorized persons”). 13 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 14 of 27 PageID #: 103 A plaintiff cannot represent a class unless it shows that it has standing to raise the claims of the class it seeks to represent. See Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 156 (1982) (“We have repeatedly held that a class representative must be part of the class and possess the same interest and suffer the same injury as the class members.”) (internal quotation marks omitted); Oetting v. Norton, 795 F.3d 886, 890-92 (8th Cir. 2015) (“It is axiomatic that the lead plaintiff must fit the class definition” and dismissing complaint); Chin v. General Mills, Inc., No. 12-2150 (MJD/TNL), 2013 WL 2420455, at *3 (D. Minn. June 3, 2013) (“The named plaintiffs in a class action may not rely on injuries that the putative class may have suffered, but instead must allege that they personally have been injured”). Because Plaintiffs have not pled any specific allegations regarding the unauthorized access or theft of their W-2 information, Plaintiffs are not members of the classes they purport to represent nor have they suffered the same alleged injuries those purported classes are alleged to have suffered. As the Eighth Circuit made clear in Oetting, 795 F.3d at 892, “ʻif a case has only one class representative and that party does not have standing, then the court lacks jurisdiction over the case and it must be dismissed.’ . . . The court ha[s] no duty to save an uncertified class from [plaintiff’s] failure to file a class action complaint” alleging proper standing. Plaintiffs’ class allegations must be dismissed. II. PLAINTIFFS’ NEGLIGENCE CLAIMS FAILS. For three separate and independent reasons, Plaintiffs have failed to state their negligence or negligence per se claims: (1) Plaintiffs’ claims are barred by the economic loss rule; (2) Plaintiffs do not identify any duty EWS owed them, including as the result of a statutory violation that supports a negligence per se claim; and (3) Plaintiffs do not allege any actual injury recoverable under a theory of negligence. 14 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 15 of 27 PageID #: 104 A. Plaintiffs’ Claims for Negligence and Negligence Per Se Are Barred By the Economic Loss Rule. Plaintiffs assert tort claims for negligence and negligence per se, seeking damages solely from economic losses. Plaintiffs do not allege that any of their injuries are accompanied by either personal injury or physical injury to property. The Missouri economic loss doctrine prohibits a plaintiff from seeking to recover in tort for economic losses when no “harm to person or damage to property” is alleged. Dannix Painting, LLC v. Sherwin-Williams Co., 732 F.3d 902, 905-06 (8th Cir. 2013); see also Captiva Lake Invs., LLC v. Ameristructure, Inc., 436 S.W.3d 619, 628 (Mo. Ct. App. 2014) (same). Unsurprisingly, courts in other data breach cases have routinely dismissed negligence and negligence per se claims under the applicable economic loss rule. See, e.g., In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 529-31 (N.D. Ill. 2011) (applying economic loss rule in retailer data breach); In re Sony Gaming Networks and Customer Data Security Breach Litig., 996 F. Supp. 2d 942, 967, 973 (S.D. Cal. 2014) (applying California and Massachusetts economic loss rules). Because the alleged potential damages sought by Plaintiffs would be solely from economic losses, the economic loss rule bars them. 5 B. Plaintiffs Fail to Establish that EWS Owed Plaintiffs A Duty As Required To State A Claim For Negligence. To state a claim for negligence, Plaintiffs must show that EWS owed a duty to Plaintiffs “to protect [them] from injury.” See Strickland v. Taco Bell Corp., 849 S.W.2d 127, 131 (Mo. 5 Even though this Court is not required to conduct a rigorous choice of law analysis at this stage, Plaintiffs’ negligence claims are also barred by the economic loss rule under the state law alleged in Plaintiff Yochanan’s alternative Georgia “sub-class.” See Bates & Assocs., Inc. v. Romei, 426 S.E.2d 919, 922 (Ga. Ct. App. 1993) (“[C]ourts adhere to the rule that purely economic interests are not entitled to protection against mere negligence.”); Willingham v. Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702, at *18 (N.D. Ga. Feb. 5, 2013) (applying Georgia economic loss rule in data breach suit). 15 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 16 of 27 PageID #: 105 Ct. App. 1993). In the data breach context, this Court has declined to recognize a duty to protect personal information beyond that specifically imposed by the Missouri legislature. Amburgy, 671 F. Supp. 2d at 1055 (refusing to create a duty when no cause of action existed under the Missouri legislature and noting that “[t]he Court will not create a claim where one does not exist”). And no Missouri court has recognized a common law duty to safeguard personal information from third-party criminal actions. Indeed, other courts, including those in Georgia, faced with negligence claims brought following data breaches have refused to recognize such a common law duty. See, e.g., McConnell v. Dep’t of Labor, A16A0655, 2016 WL 3361735, at *3-4 (Ga. Ct. App. June 16, 2016) (holding that no Georgia case has recognized a “duty to safeguard and protect the personal information of another,” and that the Georgia data breach notification statute, O.C.G.A. § 10-1-910 et seq., “cannot serve as the source of a statutory duty to safeguard personal information”); Worix v. MedAssets, Inc., 869 F. Supp. 2d 893, 897-98 (N.D. Ill. 2012) (declining to recognize a new common law duty to safeguard sensitive information); Citizens Bank of Pa. v. Reimbursement Techs., Inc., No. 12-1169, 2014 WL 2738220, at *3-4 (E.D. Pa. June 17, 2014) (concluding plaintiffs failed to allege any common law duty to secure customers’ personal information, stating that “[d]efendants are generally not held liable for wrongful acts by intervening third parties”). Plaintiffs provide no basis for the Court to divine a duty on these facts. EWS provides the W2 eXpress service to and contracts with Kroger, not Kroger’s employees, such as Plaintiffs Grant and Yochanan. Plaintiffs fail to plead how a duty could exist between themselves and EWS. Further, Plaintiffs’ contention that EWS breached a duty by “failing to implement standard industry best practices and protocols” is insufficient because commercial or industry standards do not create a legal duty to Plaintiffs. See Willingham¸ 2013 WL 440702, at *19 16 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 17 of 27 PageID #: 106 (rejecting similar argument based on industry standards). In addition, this Court has previously held that no common law duty to provide notice of a data breach exists under Missouri law. See Amburgy, 671 F. Supp. 2d at 1055; see also In re Hannaford Bros. Co. Customer Data Security Breach Litig., 613 F. Supp. 2d 108, 124 (D. Me. 2009) (Maine common law recognizes no duty to “advise customers of the theft”). 6 As a result, Plaintiffs do not, and cannot, allege any recognized duty on the part of EWS to protect their information from the acts of third-party criminals. This Court should dismiss the Plaintiffs’ negligence claims. C. Plaintiffs Fail to Allege Compensable Damages. To establish a claim for negligence in Missouri, a plaintiff must demonstrate “actual damages to the [plaintiff’s] person or property.” Amburgy, 671 F. Supp. 2d at 1054; see also MCI Commc’ns Servs., Inc. v. CMES, Inc., 728 S.E.2d 649, 652 (Ga. 2012) (“An injury to a person or damage to property is required for a tort to be actionable”). A plaintiff must show “some harm for which damages can be reasonably assessed.” Amburgy, 671 F. Supp. 2d at 1054. As discussed above, supra at Section I(B), the nature of Plaintiffs’ alleged injuries that “may” occur in the future is speculative and hypothetical and Plaintiffs fail to allege any actual damage to their “person or property.” This Court has specifically held that such speculative damages “cannot reasonably be assessed for a hypothetical harm which may (or may not) come to plaintiff in the future” and cannot support a claim for negligence. Id. at 1055 (“[b]ecause the Complaint fails to plead harm resulting in compensable damage to plaintiff, plaintiff’s claim of negligence must be dismissed for failure to state a claim”); see also Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634-35 (7th Cir. 2007) (dismissing negligence claim in data breach suit because “the harm 6 Nor have Plaintiffs adequately alleged how a “special relationship” or “independent duties under state laws” create such a duty. See, e.g., Yochanan Compl. ¶¶ 56-57. 17 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 18 of 27 PageID #: 107 caused by identity information exposure, coupled with the attendant costs to guard against identity theft” is insufficient to state a claim for negligence). Because Plaintiffs fail to allege any “actual” damages that are compensable under a theory of negligence, their claims fail and should be dismissed. D. Plaintiff Yochanan Does Not Identify Any Statute That Supports His Negligence Per Se Claim. Plaintiff Yochanan alleges that EWS violated the prohibition on “unfair … practices in or affecting commerce” in Section 5 of the FTC Act, 15 U.S.C. § 45, and is thus liable for negligence per se. Yochanan Compl. ¶¶ 66-77. But Section 5 of the FTC Act is not a statute on which negligence per se may be premised under Missouri law. Under Missouri law, the “test to determine whether a violation of a statute may constitute negligence per se depends on legislative intent.” Lowdermilk v. Vescovo Building and Realty Co., 91 S.W. 3d 617, 628-29 (Mo. Ct. App. 2002) (“[n]egligence per se arises where the legislature pronounces in a statute what the conduct of a reasonable person must be . . . and the court then adopts the statutory standard of care”). Missouri courts have consistently held that the doctrine of negligence per se is ordinarily based on a class of “safety statutes” and has “traditionally arisen in cases involving personal injury and physical injury to property,” not cases involving “damage to economic interests” such as Plaintiffs’ Complaints here. Id. at 628 (holding that a statute regulating disclosures by real estate brokers does not provide a basis for a claim for negligence per se under Missouri law). Section 5 of the FTC Act is not within the class of statutes Missouri courts have recognized to include a claim for negligence per se. No court has recognized a claim for negligence per se based on Section 5 and indeed, it does not even provide for a private cause of action. See FTC v. QT, Inc., 448 F. Supp. 2d 908, 970 (N.D. Ill. 2006); Holloway v. Bristol18 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 19 of 27 PageID #: 108 Myers Corp., 485 F.2d 986, 997 (D.C. Cir. 1973). Plaintiff Yochanan has put forth no allegations that support a claim for negligence per se. 7 III. PLAINTIFFS’ CLAIMS FOR UNJUST ENRICHMENT FAIL. To state a claim for unjust enrichment, Plaintiffs must show that “(1) [she] conferred a benefit on the defendant; (2) the defendant appreciated the benefit; and (3) the defendant accepted and retained the benefit under inequitable and/or unjust circumstances.” Howard v. Turnbull, 316 S.W.3d 431, 436 (Mo. App. Ct. 2010). Plaintiffs, who are Kroger employees and have no contractual relationship with EWS, fail to state a claim for unjust enrichment against EWS because (1) Plaintiffs did not directly confer a benefit on EWS; and (2) to the extent any benefit was conferred on EWS, a contract governs the relationship between Kroger and EWS, thus barring a claim for unjust enrichment. First, based on the allegations of Plaintiffs’ Complaint, Plaintiffs fail to plead that they conferred any benefit on EWS. As acknowledged by the Complaints, EWS provides products and services to and contracts with employers, like Kroger, who in turn allows employees, such as Plaintiffs, to use such products and services as part of their employment. Grant Compl. ¶ 1; see also Yochanan Compl. ¶ 1. In other words, the “client” of EWS as alleged in Plaintiffs’ Complaints is Kroger, not Plaintiffs. Id. ¶ 8 (“The W-2Express system is a database maintained by [EWS] where an employee of a client organization may access his or her W-2 online.”); ¶ 31 (EWS’s “clients’ employees”). Yet Plaintiffs bring claims for unjust enrichment against EWS claiming “Plaintiff and members of the Class conferred an economic benefit on Defendant by purchasing and using Defendant’s products and services in the course of their employment with 7 Nor would Plaintiff Yochanan’s allegations give rise to a claim for negligence per se under Georgia law because Section 5 of the FTC Act does not impose a clear and concrete duty or standard of conduct. See Wells Fargo Bank, N.A. v. Jenkins, 744 S.E.2d 686, 688 (Ga. 2013) (there must be an “alleged breach of a legal duty with some ascertainable standard of conduct.”). 19 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 20 of 27 PageID #: 109 Kroger.” Id. ¶ 60. Plaintiffs purchased no such products or services. 8 Plaintiffs’ allegations are mutually contradictory and self-destructive; thus, no cause of action is stated. DeVault v. Truman, 194 S.W.2d 29, 32 (Mo. 1946). “The Missouri Supreme Court has held that to state a claim for unjust enrichment, a plaintiff must allege that a benefit was conferred on the defendant by that particular plaintiff.” Speaks Family Legacy Chapels, Inc. v. Nat’l Heritage Enters., Inc., No. 2:08-cv-04148-NKL, 2009 WL 2391769, at *4 (W.D. Mo. Aug. 3, 2009) (emphasis added). 9 In Speaks, the Western District of Missouri dismissed a claim for unjust enrichment when “none of Plaintiffs’ money or services are alleged to have passed from them directly to any Wulf Defendant.” Id. The money, or “benefits at issue,” were paid by individuals to an entity who then hired the defendant at issue in the case for certain advice. Id. Similarly, if the party that received the alleged benefits is not a party to the action before the court, no benefit is conferred between the parties. Am. Civil Liberties Union v. Miller, III, 803 S.W.2d 592, 595 (Mo. 1991) (when the alleged benefit is conferred not on defendant, but on a third party, plaintiff fails to allege an essential element of the tort of unjust enrichment that a benefit be conferred upon the defendant by the plaintiff). In Wiles v. Southwestern Bell Tele. Co., the Western District of Missouri dismissed a claim for unjust enrichment with allegations very similar to Plaintiffs’ here. A putative class brought claims against defendant AT&T relating to the acquisition of plaintiffs’ personal driver’s 8 Plaintiffs allege that “they would not have purchased or used Defendant’s products and services” had they “known that Defendant would not adequately secure their personal and [W-2] information.” Grant Compl. ¶ 63; see also Yochanan Compl. ¶ 89. Again, EWS contracts with and provides its services to Kroger, not Plaintiffs, and Plaintiffs did not, and have not alleged, that they purchased the products and services directly from EWS. 9 Georgia law also requires an alleged benefit to be conferred directly to state a claim for unjust enrichment. See Brown v. Cooper, 514 S.E.2d 857, 860 (Ga. Ct. App. 1999) (holding that a claim for unjust enrichment must be brought by the party who actually conferred the benefit at issue). 20 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 21 of 27 PageID #: 110 license data. 2010 WL 1463025, at * 1. The plaintiff claimed that AT&T was unjustly enriched by receiving and using “Plaintiffs’ personal information.” Id. at *4. The Court held that the defendant AT&T obtained the information from the Missouri Department of Revenue, not from a party before the court as required for an unjust enrichment claim. Id. The Court noted that “it is the contract-like nature of the relationship of the parties that gives rise to unjust enrichment claims” and no such relationship between the parties was indicated by the complaint when the particular plaintiff did not confer a benefit on that defendant. Id.; see also Wiles v. Worldwide Info., Inc., 809 F. Supp. 2d 1059, 1083 (W.D. Mo. 2011) (in similar litigation, dismissing claim for unjust enrichment and holding that “[a]ny benefit enjoyed by Defendant was conferred by the State of Missouri, not Plaintiffs” when the defendant obtained personal driver’s license information from the state of Missouri). Because Plaintiffs fail to plead that they conferred a benefit on EWS, their claims for unjust enrichment fail and should be dismissed. Second, to the extent any benefit was conferred on EWS by Kroger, a contract governs the relationship between Kroger and EWS, thus barring a claim for unjust enrichment. “If the plaintiff has entered into an express contract for the very subject matter for which he seeks recovery, unjust enrichment does not apply, for the plaintiff’s rights are limited to the express terms of the contract.” Howard, 316 S.W. 3d at 436; see also Speaks, 2009 WL 2391769, at *4 (“[t]he unjust enrichment claim is unavailable when the alleged benefit conferred is the subject matter of a contract.”). IV. PLAINTIFF YOCHANAN FAILS TO STATE A CLAIM UNDER THE GEORGIA DATA BREACH STATUTE. Plaintiff Yochanan alleges that EWS violated the “Georgia Security Breach Notification Statute,” Ga. Code Ann. § 10-1-912, et seq. by “failing to disclose the Data Breach in a timely and accurate manner,” and thus causing Plaintiff Yochanan damages. Yochanan Compl. ¶¶ 9321 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 22 of 27 PageID #: 111 102. As an initial matter, the Georgia data breach statute does not provide for a private right of action, and thus Plaintiff Yochanan cannot assert a claim against EWS pursuant to it. See Ga. Code Ann. §§ 10-1-910-915; see also McConnell, 2016 WL 3361735, at *3-4 (parties recognizing that Georgia data breach statute does not create a private cause of action and court holding that the statute does not create a duty to safeguard personal information under a common law negligence theory). Other courts, including those in Missouri, have recognized that certain state data breach statutes do not provide for private causes of action. See Amburgy, 671 F. Supp. 2d at 1055 (Missouri data breach notification law does not provide for a private cause of action for failure to provide adequate and timely notice nor is there a claim under a theory of negligence); Pisciotta , 499 F.3d at 637 (dismissing data breach notification claim because statute did not provide for a private right of action). Further, as previously discussed, the Complaint is void of any actions taken or injuries suffered as a result of the purportedly delayed notification Plaintiffs received from their employer, Kroger, further warranting dismissal of the claim. See Khan v. Children’s Nat’l Health Sys., No. TDC-15-2125, 2016 WL 2946165, at *6 (D. Md. May 19, 2016) (“Khan’s claim that CNHS impermissibly delayed notifying her of the breach does not establish any injury, since Khan does not claim that the period during which she was unaware of the need to monitor for identity fraud resulted in any harm.”). Plaintiff Yochanan’s claim under the Georgia data breach statute fails to state a claim and should be dismissed. V. PLAINTIFF YOCHANAN’S CLAIM FOR DECLARATORY AND INJUNCTIVE RELIEF FAILS. Plaintiff Yochanan’s claims for equitable relief are duplicative and inconsistent with the remaining claims in his Complaint and should be dismissed. 22 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 23 of 27 PageID #: 112 A. Plaintiff Yochanan Fails to State a Claim for Injunctive Relief. Plaintiff Yochanan asks the Court to issue “injunctive relief requiring [EWS] to employ adequate security protocols to protect the PII of Class Members in its possession.” Yochanan Compl. ¶¶ 82-85. Since a claim for injunctive relief is a remedy, not a separate cause of action, Plaintiff Yochanan’s claim for injunctive relief should be dismissed. See Budach v. NIBCO, Inc., No. 2:14-cv-04324, 2015 WL 3853298, at *9 (W.D. Mo. June 22, 2015) (“there is no cause of action for ‘injunction,’ under either Missouri or federal law”); Henke v. Arco Midcon, LLC, 750 F. Supp. 2d 1052, 1059-60 (E.D. Mo. 2010) (injunctive relief cannot stand as a separate cause of action). Additionally, Plaintiff Yochanan fail to establish that inadequate remedies at law exist. An injunction is an “extraordinary and harsh remedy and should not be granted when there is an adequate remedy at law.” Sales Resource, Inc. v. Alliance Foods, Inc., Nos. 4:08cv0732 TCM, 4:09cv0666 TCM, 2010 WL 5184943, at *32 (E.D. Mo. Dec. 15, 2010). “Generally, the phrase ‘adequate remedy at law’ means that [an injunction is available when] damages will not adequately compensate the plaintiff for the injury or threatened injury.” Id.; see also Alternative Medicine and Pharmacy, Inc. v. Express Scripts, Inc., No. 4:14 CV 1469 CDP, 2014 WL 4988199, at *6 (E.D. Mo. Oct. 7, 2014) (“[w]hen there is an adequate remedy at law, a preliminary injunction is not appropriate”). Plaintiff’s entire Complaint contradicts that very assertion. Plaintiff brings claims under common law theories and state statutes, all of which require actual and concrete damages to state a claim. Plaintiff cannot have it both ways. Damages cannot be alleged to be actual and concrete on the one hand and inadequate on the other. See Alliance Foods, 2010 WL 5184943, at *33 (holding that plaintiffs were not entitled to injunctive relief when adequate remedies at law exist under plaintiffs’ claims). 23 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 24 of 27 PageID #: 113 B. Plaintiff Yochanan Fails to State a Claim for Declaratory Relief. Plaintiff Yochanan asks the Court to “enter a judgment” under the Declaratory Judgment Act, declaring that EWS “owed and continues to owe a legal duty to secure Class Members’ personal and financial information,” “breached” the duty, caused the data breach, and failed to disclose the breach. Yochanan Compl. ¶¶ 79-81. As an initial matter, Plaintiff Yochanan’s claim for declaratory relief fails because it is duplicative of his other claims. See Morningstar, LLC v. Hardee’s Food Systems, Inc., No. 4:08CV794 TIA, 2009 WL 36406, at *4 (E.D. Mo. Jan. 6, 2009) (dismissing claim for declaratory relief when duplicative of other claims and holding that “addressing such count would serve as a ‘needless waste of judicial resources’”). Additionally, Plaintiff Yochanan’s claim focuses on alleged past wrongs, rather than future harm, thus warranting dismissal of the claim. See, e.g., Yochanan Compl. ¶¶ 81-82 (Plaintiff Yochanan seeking a declaration that EWS “owed” a legal duty and breached the legal duty “by failing to employ reasonable security measures”); see Reid v. BCBSM, Inc., 984 F. Supp. 2d 949, 953-54 (D. Minn. 2013) (dismissing claim for declaratory relief when alleged injury in past and “there is no threat of ongoing or future harm”). CONCLUSION For the foregoing reasons, Plaintiffs’ Complaints should be dismissed for lack of Article III standing. Independently, Plaintiffs’ Complaints should also be dismissed for failure to state a claim upon which relief can be granted. 24 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 25 of 27 PageID #: 114 Respectfully submitted, Date: August 12, 2016 /s/ Phyllis B. Sumner Phyllis B. Sumner (admitted pro hac vice) Elizabeth D. Adler (admitted pro hac vice) KING & SPALDING LLP 1180 Peachtree Street, N.E. Atlanta, Georgia 30309 Tel.: (404) 572-4600 Fax: (404) 572-5140 psumner@kslaw.com eadler@kslaw.com Nicholas A. Oldham (admitted pro hac vice) KING & SPALDING LLP 1700 Pennsylvania Avenue NW Washington, D.C. 20006 Tel.: (202) 737-0500 Fax: (202) 626-3737 noldham@kslaw.com Peter Corsale POLSINELLI PC 100 S. Fourth Street Suite 1000 St. Louis, MO 63102 Tel: (314) 889-8000 Fax: (314) 231-1776 pcorsale@polsinelli.com Counsel for Defendant Equifax Workforce Solutions a/k/a TALX Corporation 25 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 26 of 27 PageID #: 115 CERTIFICATE OF SERVICE I hereby certify that on August 12, 2016, the foregoing was electronically filed with the Clerk of the Court using the CM/ECF system, by which notification of such filing was electronically sent and served to the following: Norman E. Siegel J. Austin Moore Barrett J. Vahle STUEVE SIEGEL HANSON LLP 460 Nichols Road, Suite 200 Kansas City, MO 64112 Tel: (816) 714-7100 Fax: (816) 714-7101 siegel@stuevesiegal.com moore@stuevesiegel.com vahle@ stuevesiegal.com Carl Malmstrom WOLF HALDENSTEIN ADLER FREEMAN & HERZ LLP One South Dearborn St., Suite 2122 Chicago, IL 60603 Tel: (312) 984-0000 Fax: (312) 212-4401 malmstrom@whafh.com Attorneys for Plaintiff Tina Grant John Yanchunis MORGAN & MORGAN, PA 201 N. Franklin St., 7th FL Tampa, FL 33602 Tel: (813) 223-5505 Fax: (813) 275-9205 jyanchunis@forthepeople.com Tami Hamm THE HAMM LAW FIRM, LLC 8630 Delmar Blvd. Suite 120 St. Louis, MO 63124 Tel: (314) 439-1046 tamihamm@gmail.com Attorneys for Plaintiff Betzalel Yochanan 26 Case: 4:16-cv-00843-CDP Doc. #: 13 Filed: 08/15/16 Page: 27 of 27 PageID #: 116 I further certify that on August 12, 2016, the forgoing was mailed via First Class U.S. Mail, postage prepaid, to the following: Thomas Burt WOLF HALDENSTEIN ADLER FREEMAN & HERZ LLP 270 Madison Avenue New York, NY 10016 Tel: (212) 545-4600 Fax: (212) 545-4653 burt@whafh.com Theodore B. Bell WOLF HALDENSTEIN ADLER FREEMAN & HERZ LLP One South Dearborn St., Suite 2122 Chicago, IL 60603 Tel: (312) 984-0000 Fax: (312) 212-4401 tbell@whafh.com Attorneys for Plaintiff Tina Grant Rachel Soffin MORGAN & MORGAN, PA 201 N. Franklin St., 7th FL Tampa, FL 33602 Tel: (813) 223-5505 Fax: (813) 222-2434 rsoffin@forthepeople.com Michael A. Galpern Andrew P. Bell James A. Barry LOCKS LAW FIRM, LLC 801 N. Kings Highway Cherry Hill, New Jersey 08034 Tel: (856) 663-8200 Fax: (856) 661-8400 Attorneys for Plaintiff Betzalel Yochanan /s/ Phyllis B. Sumner Phyllis B. Sumner 27 Case: DOC. #1 13?1 Filed: 08/15/16 Page: 1 of 20 PagelD 117 Exhibit A Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:12ofof19 20PageID PageID#:#:611 118 UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MISSOURI EASTERN DIVISION ANDREW DUQUM, et al., ) ) ) ) ) ) ) ) ) Plaintiffs, v. SCOTTRADE, INC., Defendant. Case No. 4:15-CV-1537-SPM MEMORANDUM AND ORDER This matter is before the Court on Defendant Scottrade, Inc.’s Motion to Dismiss Consolidated Class Action Complaint. (Doc. 58). The parties have consented to the jurisdiction of the undersigned United States Magistrate Judge pursuant to 28 U.S.C. § 636(c)(1). (Doc. 62). The motion has been fully briefed. For the following reasons, the motion will be granted. I. FACTUAL BACKGROUND Defendant is a firm that provides brokerage, banking, and retirement planning services to individuals and businesses. Consolidated Class Action Compl. (“Compl.”), Doc. 40, ¶¶ 34-35. When a customer opens an account with Defendant, Defendant requires the customer to complete its Brokerage Agreement and provide personal information, including names, addresses, phone numbers, Social Security numbers, work history, and other personal identifying information (collectively, “PII”). Id. ¶ 37. The Brokerage Agreements incorporate the Scottrade Brokerage Privacy Statement, which states, “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.” Id. ¶¶ 37, 40. The Privacy Statement also indicates that Defendant collects personal information at other times and 1 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:23ofof19 20PageID PageID#:#:612 119 collects personal information from others, such as credit bureaus. Id. ¶ 41. Defendant also has an Online Privacy Policy and other documents on its website indicating that it takes steps to protect the security of customer information. Id. ¶¶ 42-43. Between September 2013 and February 2014, hackers gained access to Defendant’s customer databases and exported confidential customer PII from those databases (the “data breach”). Id. ¶¶ 2, 59. The data breach was reported to involve the confidential information of approximately 4.6 million customers. Id. ¶ 48. The hackers took the PII for the purpose of building their own competing customer database for marketing and brokering stock transactions. Id. ¶ 62. They used the PII to operate a stock price manipulation scheme that amassed millions of dollars. Id. ¶ 74. Defendant was unaware of the data breach until August 2015, when the FBI notified Defendant of it. Id. ¶¶ 75-76. On October 2, 2015, Defendant began notifying its customers about the data breach via email or mail. Id. ¶ 78. Defendant stated that it would provide one year of credit monitoring and identity theft insurance to affected persons, and it also suggested several actions customers could take themselves to detect or prevent fraud. Id. ¶¶ 84-88. Shortly after Defendant announced the data breach, several of Defendant’s customers filed putative class action lawsuits based on the data breach. On October 3, 2015, Plaintiff Stephen Hine filed his putative class action, Hine v. Scottrade, Inc., No. 4:15-CV-01954-CEJ, in the United States District Court for the Southern District of California, and the case was subsequently transferred to this Court. On October 7, 2015, Plaintiff Andrew Duqum filed his putative class action, Duqum v. Scottrade, Inc., No. 4:15-CV-01537-SPM, in this Court. On December 9, 2015, Plaintiff Matthew Kuhns filed his putative class action, Kuhns v. Scottrade, Inc., No. 4:15-CV-01812-SPM, in this Court. On January 31, 2016, a fourth case, Angela Martin 2 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:34ofof19 20PageID PageID#:#:613 120 v. Scottrade, Inc., No. 4:16-CV-00124-RWS, originally filed in the United States District Court for the Middle District of Florida, was also transferred to this Court. This Court subsequently consolidated all four cases pursuant to Fed. R. Civ. P. 42(a) and E.D. Mo. Local Rule 4.03. See Docs. 36 & 38. On February 19, 2016, Plaintiffs filed their Consolidated Class Action Complaint, individually and on behalf of all others similarly situated. 1 Plaintiffs allege that they had accounts with Defendant and that as a result of the data breach, their PII was disclosed, transferred, sold, opened, read, mined, and otherwise used without their authorization. Compl. ¶¶ 9-12. Plaintiffs allege several causes of action against Defendant related to the data breach, including breach of contract, breach of implied contract, negligence, unjust enrichment/assumpsit, declaratory relief, and violations of various state consumer protection statutes. II. DISCUSSION In the instant motion, Defendant argues that Plaintiffs’ Consolidated Class Action Complaint must be dismissed for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1), because Plaintiffs have not suffered an injury in fact and therefore do not have standing to bring suit in this Court under Article III of the United States Constitution. Defendant also argues that Plaintiffs’ claims should be dismissed under Rule 12(b)(6) for failure to state a claim. 1 Angela Martin is not named as a plaintiff in the Consolidated Class Action Complaint. However, another named Plaintiff, Richard Obringer, is included. 3 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:45ofof19 20PageID PageID#:#:614 121 A. Defendant’s Motion to Dismiss Under Rule 12(b)(1) for Lack of Subject Matter Jurisdiction 1. Legal Standard A motion to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1) may be either a “facial” challenge based on the face of the pleadings, or a “factual” challenge, in which the court considers matters outside the pleadings. See Titus v. Sullivan, 4 F.3d 590, 593 (8th Cir. 1993); Osborn v. United States, 918 F.2d 724, 729, n. 6 (8th Cir. 1990); C.S. ex rel. Scott v. Mo. State Bd. of Educ., 656 F. Supp. 2d 1007, 1011 (E.D. Mo. 2009). Here, Defendant’s challenge is based on the face of the pleadings and is therefore a facial attack. In evaluating a facial attack, “the court restricts itself to the face of the pleadings and the non-moving party receives the same protections as it would defending against a motion brought under Rule 12(b)(6).” Branson Label, Inc. v. City of Branson, Mo., 793 F.3d 910, 914 (8th Cir. 2015) (quoting Osborn, 918 F.2d at 729 n. 6). The court must accept as true all of the factual allegations in the complaint, but it need not accept legal conclusions. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). 2. Discussion Under Article III, § 2 of the United States Constitution, federal jurisdiction is limited to “Cases” and “Controversies.” U.S. Const. Art. III, § 2. “‘One element of the case-or-controversy requirement’ is that plaintiffs ‘must establish that they have standing to sue.’” Clapper v. Amnesty Int’l U.S.A., 133 S. Ct. 1138, 1146 (2013) (quoting Raines v. Byrd, 521 U.S. 811, 818 (1997)). The “irreducible constitutional minimum” of standing consists of three elements. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). “The plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. “The plaintiff, as the party invoking federal jurisdiction, bears 4 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:56ofof19 20PageID PageID#:#:615 122 the burden of establishing these elements.” Id. (citing FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231 (1990)). Where a case is at the pleading stage, the plaintiff must “clearly . . . allege facts demonstrating each element.” Id. (quoting Warth v. Seldin, 422 U.S. 490, 518 (1975)). Only the injury in fact element of standing is at issue in this case. “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Id. at 1548 (quoting Lujan, 504 U.S. at 560). “For an injury to be particularized, it must affect the plaintiff in a personal and individual way.” Id. (quotation marks omitted). For an injury to be “concrete, it “must be ‘de facto’; that is, it must actually exist”; it must be real and not “abstract.” Id. In their Consolidated Class Action Complaint, Plaintiffs allege that they have suffered several categories of injury or harm related to the data breach: (a) increased risk of identity theft and identity fraud; (b) the financial and/or temporal cost of monitoring their credit, monitoring their financial accounts, and mitigating their damages; (c) failure to receive the full benefit of their bargain as a result of receiving brokerage and financial services that were less valuable than what they paid for; (d) deprivation in the value of their personal information; and (e) invasion of privacy and breach of the confidentiality of their personal information. See Compl. ¶ 15. Defendant contends that none of these alleged harms constitute an injury in fact that is “actual” or “imminent,” arguing that the majority of courts faced with similar allegations have found these alleged harms too speculative or abstract to satisfy the injury in fact requirement. The Court will address each alleged type of alleged harm in turn. 5 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:67ofof19 20PageID PageID#:#:616 123 i. Increased Risk of Identity Theft and Identity Fraud Plaintiffs first allege that they face an “imminent, immediate and [] continuing increased risk of identity theft and identity fraud” 2 because their PII has been taken by hackers who have “disclosed [], transferred, sold, opened, read, mined, and otherwise used” Plaintiffs’ PII without their authorization, to [the hackers’] financial benefit and to [Plaintiffs’] financial and other detriment.” Compl. ¶¶ 9-12, 15. Plaintiffs allege that criminals can use PII for a variety of crimes, including credit card fraud, phone or utilities fraud, bank/finance fraud, obtaining a driver’s license or official identification card in the victim’s name, obtaining government benefits, filing a fraudulent tax return, obtaining a job using the victim’s social security number, or receiving medical services in the victim’s name. Id. ¶¶ 25-27. Defendant argues that Plaintiffs’ allegations are insufficient to satisfy the injury in fact requirement, because they allege only the hypothetical possibility of harm. As discussed above, to show an injury in fact, the plaintiff must show that he or she suffered an invasion of an interest that is “actual or imminent, not conjectural or hypothetical.’” Clapper, 135 S. Ct. at 1147 (quoting Lujan, 504 U.S. at 560). In Clapper, the Supreme Court addressed the circumstances under which a threatened future injury should be considered “imminent,” such that the threatened injury satisfies the injury in fact requirement for Article III standing. The Supreme Court stated that it has “repeatedly reiterated that ‘threatened injury must be certainly impending to constitute injury in fact’ and that ‘allegations of possible future injury’ are not sufficient.” Clapper, 133 S. Ct. at 1147 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)) (emphasis in original). It expressly rejected the argument that it was sufficient to 2 Plaintiffs allege that “identity theft” occurs when PII is used to commit fraud or other crimes, including credit card fraud, phone or utilities fraud, bank fraud, and government fraud. See Compl. ¶ 13 n.1 6 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:78ofof19 20PageID PageID#:#:617 124 show an “objectively reasonable likelihood” of a threatened injury occurring. It also expressed a “reluctance to endorse standing theories that rest on speculation about decisions of independent actors” and noted that a theory of standing based on future injury that “relies on a highly attenuated chain of possibilities” about what independent actors might do does not satisfy the requirement that the threatened injury must be certainly impending. Id. at 1148-50. 3 Both before and after the Supreme Court’s decision in Clapper, most courts addressing standing in data breach cases have found that in the absence of some actual identity theft or other act harming the plaintiffs, the increased risk of future harm following a data breach does not constitute an injury in fact for purposes of Article III standing. See In re SuperValu, Inc., No. 14MD-2586 ADM/TNL, 2016 WL 81792, at *4-*5 (D. Minn. Jan. 7, 2016) (noting that “[i]n data security breach cases where plaintiffs’ data has not been misused following the breach, the vast majority of courts have held that the risk of future identity theft or fraud is too speculative to constitute an injury in fact for purposes of Article III standing”; finding no injury in fact based on increased risk of future harm where the plaintiffs’ PII was stolen in a large data breach but the only incident of actual misuse of information alleged was a single unauthorized credit card charge not clearly traceable to the breach); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 955-58 (D. Nev. 2015) (noting that “[t]he majority of courts dealing with data-breach cases post-Clapper have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing”; finding no injury in fact based on increased risk of future harm where the plaintiffs’ PII was stolen in a large data breach but no plaintiff had alleged that any unauthorized purchases or other manifestations of misuse of their 3 In a footnote, the Supreme Court in Clapper also noted that it has “in some instances . . . found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm,” though it did not explain the circumstances under which that standard would apply. Id. at 1147 n. 5. 7 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:89ofof19 20PageID PageID#:#:618 125 PII had occurred); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 28 (D.D.C. 2014) (noting that “since Clapper was handed down last year, courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases” and that “[m]ost cases that found standing . . . were decided pre-Clapper or rely on preClapper precedent and are, at best, thinly reasoned”). 4 These courts often emphasize that the asserted risk of harm is too speculative and hypothetical to satisfy the imminence requirement because it depends on speculation about the actions of independent actors—the hackers or other criminals. Whether the plaintiffs will actually suffer the threatened harm depends on whether the hackers actually obtained the PII, whether they intend to use the PII to commit acts that would be detrimental to the plaintiffs, whether they are capable of using the PII to commit acts detrimental to the plaintiffs, and whether they actually do use the information to commit acts detrimental to the plaintiffs, such as making unauthorized transactions in the plaintiffs’ names. See, e.g., In re SuperValu, Inc., 2016 WL 81792, at *5 (increased risk of harm was too speculative to constitute an injury in fact, in part because the court was required “to speculate about whether the hackers who gained access 4 See also, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 42-45 (3d Cir. 2011) (no injury in fact based on increased risk of harm where there were no allegations that the data exposed in the breach had actually been misused to the plaintiffs’ detriment); Whalen v. Michael Stores, Inc., --F. Supp. 3d ----, No. 14-CV-7006(JS)(ARL), 2015 WL 9462108, at *4-*5 (E.D.N.Y. Dec. 28, 2015) (no injury in fact based on an increased risk of harm where hackers stole credit and debit card information from retailer’s systems); Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 365-66 (M.D. Pa. 2015) (no injury in fact based on increased risk of harm where the plaintiffs alleged that hackers obtained and misappropriated their personal data but did not allege that the hackers actually committed any identity theft or other crime); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654-57 (S.D. Ohio 2014) (no injury in fact based on increased risk of harm where plaintiffs alleged that their PII was stolen and disseminated but did not allege that they had been victimized by identity theft, identity fraud, medical fraud, or phishing); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1052-53 (E.D. Mo. 2009) (no injury in fact based on increased risk of harm where it was unclear whether plaintiff’s information had been compromised in the breach and when, if ever, it would be fraudulently used to cause him harm). 8 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#:13-1 79 Filed: Filed: 07/12/16 08/15/16 Page: Page: 910ofof1920PageID PageID#:#:619 126 to [the breached network] were able to capture or steal Plaintiffs’ PII; whether the hackers or other criminals will attempt to use the PII; and whether those attempts will be successful”); In re Zappos.com, Inc., 108 F. Supp. 3d at 959 (increased risk of harm was too speculative to constitute an injury in fact where the possibility of harm depended “entirely on the decisions or capabilities of an independent, and unidentified, actor”); Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1087 (E.D. Cal. 2015) (“Plaintiff’s allegations concerning his increased risk of harm require speculation about the decisions or capabilities of independent, unidentified actors,—the data thief or thieves, and whether they intend to misuse [the data] at some point in the future”) (quotation marks and alterations omitted); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1052-53 (E.D. Mo. 2009) (no injury in fact in a data breach case where the plaintiff would only be injured if many “ifs” came to pass—“‘if’ his personal information was compromised, and ‘if’ such information was obtained by an unauthorized third party, and ‘if’ his identity was stolen as a result, and ‘if’ the use of his stolen identity caused him harm”); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 655 (S. D. Ohio 2014) (“[W[hether Named Plaintiffs will become victims of theft or fraud . . . is entirely contingent on what, if anything, the third party criminals do with that information.”). These courts also often consider whether a significant period of time has passed since the breach without the plaintiffs having suffered the threatened injury, because “[a]s more time lapses without the threatened injury actually occurring, the notion that the harm is imminent becomes less likely.” In re SuperValu, Inc., 2016 WL 81792, at *5 (no injury in fact where “the passage of nearly a year and a half without the occurrence of harm traceable to the Data Breach makes it unlikely that such threatened harm is imminent”). See also Storm v. Paytime, 90 F. Supp. 3d 359, 366-67 (M.D. Pa. 2015) (no injury in fact where the passage of almost a year with 9 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:10 11ofof19 20PageID PageID#:#:620 127 no plaintiffs becoming actual victims of identity theft undermined the notion that the identity theft was imminent); In re Zappos.com, 108 F. Supp. 3d at 958-59 (no injury in fact where three and a half years had passed without a single allegation of theft or fraud). Here, although Plaintiffs have alleged that the hackers accessed Plaintiffs’ PII and used that PII for certain illegal business enterprises, Plaintiffs do not allege any of the PII stolen in the breach has been used to commit any identity theft, fraud, or any other act that has resulted in harm to any plaintiff. Nor do Plaintiffs allege any facts that suggest that the hackers intend to commit identity theft, fraud, or any other act that would result in harm to any plaintiff. Thus, as in the above cases, the Court cannot determine whether Plaintiffs will suffer harm in the future without engaging in considerable speculation about the hackers’ possible intentions and future actions. Plaintiffs will suffer harm only if the hackers actually intend to use Plaintiffs’ PII to commit identity theft, fraud, or some other act that might harm Plaintiffs; if the hackers attempt to use the PII to commit such identity theft, fraud, or other act; if they actually succeed in doing so; and if the identity theft, fraud, or other act causes harm to Plaintiffs. In light of the uncertainty over whether any of these events will occur, the Court cannot find that Plaintiffs face any harm that is “certainly impending.” This conclusion is strengthened by the fact that more than two years have passed since the original data breach without a single alleged instance of identity theft or fraud involving any of Defendant’s customers. 5 5 Even assuming that the “substantial risk” standard mentioned in the Clapper footnote could somehow apply here instead of the “certainly impending” standard, the Court also finds that standard is not satisfied for the same reasons that the “certainly impending” standard is not satisfied. See, e.g., In re Supervalu, Inc., 2016 WL 81792, at *5 (plaintiffs failed to show that there was a substantial risk that harm would occur from a data breach where there had been no incidents harming plaintiffs in over a year and where the occurrence of the harm depended on speculation about what the hackers would do); Fernandez, 127 F. Supp. 3d at 1087 (no “substantial risk” of harm from data breach where allegations concerning risk of harm required speculation about the future actions of a third party). 10 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:11 12ofof19 20PageID PageID#:#:621 128 Plaintiffs emphasize that here, unlike in some of the cases relied on by Defendant in which it was unclear whether the plaintiffs’ information had been accessed or whether the hackers had malicious intent, the hackers here actually accessed the PII and used it for unlawful purposes. However, those allegations do not change the Court’s conclusion. First, some of the cases relied on by Defendant did involve allegations that data had actually been accessed by hackers with malicious intent. See In re Zappos, Inc., 108 F. Supp. 3d at 958 (increased risk of harm was too speculative to support standing even where PII was “stolen” and even “[i]f the Court assumes that the hacker or some other nefarious third-party remains in possession of Plaintiffs’ personal information”); Storm, 90 F. Supp. 3d at 366 (no injury in fact despite allegations that the plaintiffs’ PII had been “stolen,” “accessed,” and “misappropriated”). Second, although the Court does not need to speculate about whether the hackers here will actually access the PII or whether they have malicious intent, the Court is still required to speculate about whether they intend to commit any acts (such as identity theft) that might actually harm any of the individual plaintiffs, whether they will succeed in committing those acts, and whether those acts will result in actual harm to Plaintiffs. As discussed above, in light of that uncertainty about the intentions and possible actions of third parties, the Court cannot find that any harm to Plaintiffs is “certainly impending” or that there is a substantial risk of it occurring, particularly in light of the passage of more than two years without it having occurred. Plaintiffs also argue that instead of relying on the cases discussed above, the Court should rely on Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). In that case, 350,000 credit card numbers were exposed to a data breach by hackers, and within a few months of the breach, fraudulent charges had been made on 9,200 of the cards. Id. at 690. The court found that the holders of the other cards had standing to sue based on the imminent risk of future 11 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:12 13ofof19 20PageID PageID#:#:622 129 harm to them, noting that they “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Id. at 693. As a preliminary matter, the Court notes that it appears that the Seventh Circuit was using the “objectively reasonable likelihood” standard that was rejected by the Supreme Court in Clapper. See Clapper, 133 S. Ct. at 1147 (“[T]he Second Circuit’s ‘objectively reasonable likelihood’ standard is inconsistent with our requirement that ‘threatened injury must be certainly impending to constitute injury in fact.’”). Moreover, to the extent that the Seventh Circuit was applying the appropriate standard, it is factually distinguishable. The 9,200 fraudulent charges in Remijas demonstrated that the hackers in that case intended to use, were capable of using, and were actually using the stolen data to create fraudulent credit card charges as to some cardholders, which significantly increased the likelihood that they intended to do the same with regard to the remaining cardholders and would be capable of doing so. That fact distinguishes Remijas from the instant case, in which more than two years have passed with no incidents of identity theft or other actual harm to the individuals whose PII was taken. The other cases relied on by Plaintiffs are similarly distinguishable See Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 965 (7th Cir. 2016) (several fraudulent transactions were made on one of the plaintiff’s cards shortly after the data breach); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142 (9th Cir. 2010) (after a laptop containing unencrypted personal data was stolen, one of the plaintiffs alleged that someone attempted to open a bank account in his name); 6 In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1216 (N.D. Cal. 2014) (data stolen by hackers had surfaced on the internet). Moreover, to the extent that these cases cannot 6 Significantly, Krottner predated Clapper and does not address or discuss either the “certainly impending” standard or the “substantial risk” standard. 12 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:13 14ofof19 20PageID PageID#:#:623 130 be distinguished from the instant case, the Court finds them less persuasive than the cases cited by Defendant, because they are less consistent with Clapper’s holding that a threatened injury must be “certainly impending” to satisfy the injury-in-fact requirement, as well as its suggestion that courts should be “reluctan[t] to endorse standing theories that rest on speculation about decisions of independent actors.” See Clapper, 133 C. Ct. at 1147-50. For all of the above reasons, the Court finds that Plaintiffs’ allegations regarding the increased risk of identity theft and fraud are not sufficient to demonstrate injury in fact for purposes of Article III standing. ii. Costs of Monitoring and Mitigation Plaintiffs also allege that they have suffered injury in the form of the alleged financial and/or temporal costs of monitoring their credit, monitoring their financial accounts, and mitigating their damages. Compl. ¶ 15. Defendant argues that because the risk of future harm that forms the basis for the alleged need for monitoring or mitigation is not imminent, the cost to monitor for it or mitigate the risk of it is not sufficient to confer Article III standing. In Clapper, the Supreme Court found that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” 133 S. Ct. 1151. “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Id. Consistent with Clapper, “[i]n data breach cases, courts consistently hold that the cost to mitigate the risk of future harm does not constitute an injury in fact unless the future harm being mitigated against is itself imminent.” In re SuperValu, Inc., 2016 WL 81792, at *7 (citing cases). See also Reilly v. Ceridian Corp., 664 F.3d 38, at 46 (3d Cir. 2011) (“[A]lleged time and money expenditures to monitor [plaintiffs’] financial 13 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:14 15ofof19 20PageID PageID#:#:624 131 information do not establish standing, because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for [plaintiffs’] claims.”); In re Zappos.com, Inc., 108 F. Supp. 3d at 961 (“The Court’s finding here that the threat of future theft or fraud is not sufficiently imminent to confer standing compels the conclusion that incurring costs to mitigate that threat cannot serve as the basis for this action.”). Here, because the Court has already found that Plaintiffs’ increased risk of identity theft or fraud is does not constitute an imminent harm, the cost of monitoring for that risk or mitigating that risk cannot constitute an injury in fact. iii. Failure to Receive the Full Value of Bargained-for Services Plaintiffs next allege that they have been injured as a result of the data breach because they received brokerage and financial services that were less valuable than the ones they paid for. Compl. ¶ 14. Specifically, they allege that Plaintiffs bargained for, and expected to receive, data security measures safeguarding and protecting the privacy of their PII, Compl. ¶ 45; that a portion of the brokerage and financial services fees Plaintiffs paid was for data management and data security, Compl. ¶ 14; and that Plaintiffs would not have opened accounts with Defendant, or would not have paid as much with respect to those accounts, had they known that Defendant failed to take reasonable precautions to secure PII, Compl. ¶ 46. A majority of courts have found that similar allegations of loss of bargained-for services in data breach cases are not sufficiently concrete to satisfy the injury in fact requirement of Article III standing. In re SAIC, 45 F. Supp. 3d at 30 (“To the extent that Plaintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing. They do not maintain, moreover, that the money they 14 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:15 16ofof19 20PageID PageID#:#:625 132 paid could have or would have bought a better policy with a more bullet-proof informationsecurity regime. Put another way, Plaintiffs have not alleged facts that show that the market value of their insurance coverage (plus security services) was somehow less than what they paid.”); Fernandez, 127 F. Supp. 3d at 1089 (no injury in fact based on lost benefit of the bargain because “Plaintiff has not alleged facts from which a plausible inference could be drawn that he has been injured by a loss in value of his insurance coverage, nor has he alleged that the value of his health care coverage after the Data Breach is less than what it was before the Data Breach.”); In re SuperValu, Inc., 2016 81792, at *8 (rejecting the plaintiffs’ argument that they were harmed by the lost benefit of their bargain; noting that the plaintiffs did “not allege that the Data Breach diminished the value of the groceries or other goods they purchased from Defendants” and did not “allege facts showing that the price they paid for the goods included an amount that both parties understood would be allocated toward protecting customer data.”); In re Zappos.com, Inc., 108 F. Supp. 3d at 962 n.5 (rejecting theory that plaintiffs had standing based on an alleged decrease in the value of Zappos’s services, where the plaintiffs did “not explain how the data breach impacted the value of the goods they purchased from Zappos” and did not “allege facts showing how the price they paid for such goods incorporated some particular sum that was understood by both parties to be allocated towards the protection of customer data”). See also Remijas, 794 F.3d at 694-95 (noting in dicta that the benefit of the bargain theory was “problematic” and “dubious” where plaintiffs had not alleged any defect in any product they purchased). But see In re Anthem Data Breach Litig., No. 15-md-02617, 2016 WL 589760, at *27 (N.D. Cal. Feb. 14, 2016) (loss of benefit of the bargain sufficient to show injury in fact where the plaintiffs alleged that had the defendants disclosed that their computer systems and data security practices were inadequate, the plaintiffs would not have enrolled in the defendants’ 15 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:16 17ofof19 20PageID PageID#:#:626 133 health care plans); Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 860-61 (N.D. Cal. 2011)) (finding plaintiff had alleged injury in fact based on lost benefit of the bargain theory; noting that plaintiff was setting forth a “novel theory” and that there was a “paucity of controlling authority” on the issue). Here, Plaintiffs do not allege facts from which a plausible inference could be drawn that Plaintiffs received services from Defendant that were less valuable than those Plaintiffs bargained for. Although they allege in a conclusory fashion that a portion of the brokerage fees they paid to Defendant were for “data management and security,” they do not allege any facts showing how any fee they paid was understood by both parties to be allocated toward the protection of customer data. Nor do Plaintiffs allege that the money they paid could have or would have bought a better policy with a more bullet-proof data-security regime. Thus, Plaintiffs have not alleged an injury sufficiently concrete to satisfy Article III’s injury in fact requirement. iv. Deprivation in Value of Plaintiffs’ Personal Information Plaintiffs also allege that as a result of the data breach, they have suffered (and will continue to suffer) economic damages and other injury and harm in the form of the deprivation of the value of their PII, for which there is a well-established national and international market. Compl. ¶ 13. Plaintiffs allege that they have a valuable property right in their PII and that Plaintiffs, not data thieves, should have the exclusive right to monetize their PII. Id. They allege that “[f]aced with the choice of having their PII . . . used without their authorization versus selling their PII on the black market and receiving the compensation themselves, Plaintiffs would choose the latter.” Id. Most courts have found that similar allegations are insufficient to demonstrate an injury in fact. See, e.g., In re Zappos.com, Inc., 108 F. Supp. 3d at 954 (finding no injury in fact based 16 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:17 18ofof19 20PageID PageID#:#:627 134 on deprivation of value of personal information; noting that “Even assuming that Plaintiffs’ data has value on the black market, Plaintiffs do not allege any facts explaining how their personal information became less valuable as a result of the breach or that they attempted to sell their information and were rebuffed because of a lower price-point attributable to the security breach”); Fernandez., 127 F. Supp. 3d at 1087 (finding no injury in fact based on deprivation of value of PII where plaintiff “has not alleged that he intended to sell his [PII], that he plans to sell it in the future, that he is foreclosed from doing so because of the Data Breach, or that the data breach reduces the value of the [PII] he possesses”); Galaria, 998 F. Supp. 2d at 660 (no injury in fact based on deprivation of value of personal information where plaintiffs failed to allege that the breach actually prevented them from selling their information at the price they claimed it was worth); In re SuperValu, Inc., 2016 WL 81792, at *7 (no injury in fact based on deprivation of value of personal information where “Plaintiffs have failed to allege any facts explaining how their PII became less valuable as a result of the Data Breach.”). Here, as in the above cases, Plaintiffs do not allege any facts showing how their PII became less valuable as a result of the data breach. Although Plaintiffs allege that they would rather sell their PII on the black market than have it used without their authorization, they do not allege that they ever intended to sell their information on the black market, that they ever attempted to sell it after the data breach and were unable to do so, or that they ever attempted to sell it after the data breach and were forced to accept a lower price than they would have had the data breach not occurred. Nor do they allege any other facts suggesting that they have been foreclosed from capitalizing on the value of their personal information because of the data breach. Therefore, as in the above cases, Plaintiffs have not alleged an injury sufficiently concrete to satisfy Article III’s injury in fact requirement. 17 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:18 19ofof19 20PageID PageID#:#:628 135 v. Invasion of Privacy and Breach of Confidentiality Plaintiffs next assert that they have suffered an invasion of privacy and a breach of confidentiality, alleging that consumers place a high value on the privacy of their personal data. Courts have held that loss of privacy and breach of confidentiality are too abstract to establish Article III standing. See In re SuperValu, Inc., 2016 WL 81792, at *8 (allegations of loss of privacy and confidentiality did not support standing because plaintiffs “have not alleged facts showing that the loss of privacy and confidentiality resulted in a concrete injury”); In re Zappos.com, 108 F. Supp. 3d at 962 n.5 (“Even if Plaintiffs adequately allege a loss of privacy, they have failed to show how that loss amounts to a concrete and particularized injury”; noting that “Plaintiffs do not claim that they have suffered any damages due to a loss of privacy”). Here, Plaintiffs do not allege any facts demonstrating that they suffered any damages or injury due to a loss of privacy or breach of confidentiality. These theories are not sufficiently concrete to establish injury in fact and do not support standing in this case. For all of the above reasons, Plaintiffs have failed to plead facts demonstrating that they have suffered any injury in fact. Therefore, Plaintiffs lack standing, and this case must be dismissed for lack of subject matter jurisdiction. Because the dismissal is for lack of standing under Rule 12(b)(1), the dismissal is without prejudice. See In re SuperValu, Inc., 2016 WL 81792, at *8; In re Zappos.com, Inc., 108 F. Supp. 3d at 962. B. Motion to Dismiss Under Rule 12(b)(6) for Failure to State a Claim Because the Court concludes that it is without subject matter jurisdiction over this case, the Court need not address Defendant’s motion to dismiss for failure to state a claim under Rule 12(b)(6). 18 Case: Case:4:16-cv-00843-CDP 4:15-cv-01537-SPM Doc. Doc.#:#: 13-1 79 Filed: Filed:07/12/16 08/15/16 Page: Page:19 20ofof19 20PageID PageID#:#:629 136 III. CONCLUSION For all of the above reasons, IT IS HEREBY ORDERED that Defendant Scottrade, Inc.’s Motion to Dismiss Consolidated Class Action Complaint. (Doc. 58) is GRANTED. IT IS FURTHER ORDERED that Defendant Scottrade, Inc.’s earlier Motion to Dismiss (Doc. 19), which was addressed to the Complaint that was filed by Andrew Duqum prior to the filing of the Consolidated Class Action Complaint, is DENIED as moot. IT IS FURTHER ORDERED that Plaintiffs’ Consolidated Class Action Complaint (Doc. 40) is DISMISSED without prejudice. SHIRLEY PADMORE MENSAH UNITED STATES MAGISTRATE JUDGE Dated this 12th day of July, 2016. 19