LUCY H. KOH, District Judge.
Plaintiffs
The Anthem Defendants filed one consolidated motion to dismiss the second consolidated amended complaint ("SAC"). See ECF No. 473-3 ("SAC"); ECF No. 496 ("Anthem Mot."). The Non-Anthem Defendants also filed one consolidated motion to dismiss the SAC. ECF No. 490 ("Non-Anthem Mot."). The Non-Anthem Defendants have also filed a motion for clarification of the Court's First Motion to Dismiss Order. ECF No. 483. Having considered the parties' submissions, the relevant law, and the record in this case, the Court GRANTS in part and DENIES in part the Anthem Defendants' motion to dismiss; GRANTS in part and DENIES in part the Non-Anthem Defendants' motion to dismiss; and DENIES the Non-Anthem Defendants' motion for clarification.
Anthem, Inc. ("Anthem") is one of the largest health benefits and health insurance companies in the United States. SAC ¶ 158. Anthem serves its members through various Blue Cross Blue Shield ("BCBS") licensee affiliates and other non-BCBS affiliates. Id. Anthem also cooperates with the Blue Cross Blue Shield Association ("BCBSA") and independent BCBS licensees via the BlueCard program. Id. ¶ 159. "Under the BlueCard program, members of one BCBS licensee may access another BCBS licensee's provider networks and discounts when the members are out of state." Id.
In order to provide certain member services, the Anthem and Non-Anthem Defendants "collect, receive, and access their customers' and members' extensive individually identifiable health record information." Id. ¶ 160. "These records include personal information (such as names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data) and individually-identifiable health information (pertaining to the individual claims process, medical history, diagnosis codes, payment and billing records, test records, dates of service, and all other health information that an insurance company has or needs to have to process claims)." Id. The Court shall refer to members' personal and health information as Personal Identification Information, or "PII."
Anthem maintains a common computer database which contains the PII of current and former members of Anthem, Anthem's affiliates, BCBSA, and independent BCBS licensees. Id. ¶ 161. This database contains "information from former customers or members going back to 2004." Id. ¶ 162. In total, Anthem's database contains the PII of approximately 80 million individuals. Id. ¶ 338. According to Plaintiffs, both the Anthem and Non-Anthem Defendants promised their members that their PII would be protected through privacy notices, online website representations, and other advertising. Plaintiffs aver, for instance, that all Defendants were subject to Anthem's privacy policy, which states the following:
Id. ¶ 165 (emphasis removed). Many Anthem-affiliated websites further refer to Defendants' privacy obligations under the Health Insurance Portability and Accountability Act ("HIPAA") as well as other federal and state privacy laws. Id.
In February 2015, Anthem publicly announced that "cyberattackers had breached the Anthem Database, and [had] accessed [the PII of] individuals in the Anthem Database." Id. ¶ 337. This was not the first time that Anthem had experienced problems with data security. In late 2009, approximately 600,000 customers of Wellpoint (Anthem's former trade name) "had their personal information and protected healthcare information compromised due to a data breach." Id. ¶ 328. In addition, in 2013, the U.S. Department of Health and Human Services fined Anthem $1.7 million for various HIPAA violations relating to data security. Id. ¶ 329. Finally, in 2014, the federal government informed Anthem and other healthcare companies of the possibility of cyberattacks, and advised these companies to take appropriate measures, such as data encryption and enhanced password protection. Id. ¶¶ 334-35.
Plaintiffs allege that Defendants did not sufficiently heed these warnings, which allowed cyberattackers to extract massive amounts of data from Anthem's database between December 2014 and January 2015. Id. ¶ 360. After Anthem discovered the extent of this data breach, it proceeded to implement various containment measures. Id. ¶ 365-66 . The cyberattacks ceased by January 31, 2015. Id. In addition, after learning of the cyberattacks, Anthem retained Mandiant, a cybersecurity company, "to assist in assessing and responding to the Anthem Data Breach and to assist in developing security protocols for Anthem." Id. ¶ 341. Mandiant's work culminated in the production of an Intrusion Investigation Report ("Mandiant Report"), which Mandiant provided to Anthem in July 2015. Id.
According to Plaintiffs, the Mandiant Report found that "Anthem and [its] Affiliates [had] failed to implement basic industry-accepted data security tools to prevent cyberattackers from accessing the Anthem Database." Id. ¶ 343. Moreover, "[e]ven if the cyberattackers gained access to the Anthem Database, Anthem could have and should have, but failed to, discover the data breach before any data was exfiltrated." Id. ¶ 345.
Additionally, "BCBSA and [the] non-Anthem BCBS [companies] allowed the [PII] that their current and former customers and members had entrusted with them to be placed into the Anthem Database even though there were multiple public indications and warnings that the Anthem and Anthem Affiliates' computer systems and data security practices were inadequate." Id. ¶ 377. Plaintiffs further aver that although Anthem publicly disclosed the data breach in February 2015, many affected customers were not personally informed until March 2015. Finally, Plaintiffs contend that Anthem still has not disclosed whether it has made any changes to its security practices to prevent a future cyberattack.
A number of lawsuits were filed against Defendants in the wake of the Anthem data breach. In general, these lawsuits bring putative class action claims alleging (1) failure to adequately protect Anthem's data systems, (2) failure to disclose to customers that Anthem did not have adequate security practices, and (3) failure to timely notify customers of the data breach.
In spring 2015, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) ("When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings."). On June 12, 2015, the Judicial Panel on Multidistrict Litigation ("JPML") issued a transfer order selecting the undersigned judge as the transferee court for "coordinated or consolidated pretrial proceedings" in the multidistrict litigation ("MDL") arising out of the Anthem data breach. See ECF No. 1 at 1-3.
On September 10, 2015, the Court held a hearing to appoint Lead Plaintiffs counsel. Following this hearing, the Court issued an order appointing Co-Lead Plaintiffs counsel and requesting that counsel file a single consolidated amended complaint by October 19, 2015. ECF No. 284 at 2. On October 19, 2015, Plaintiffs filed their consolidated amended complaint, which organized Plaintiffs' causes of action into thirteen different counts, with claims asserted pursuant to various state and federal laws under each count. ECF No. 334-6 ("CAC").
At the October 25, 2015 case management conference, the Court determined that the Anthem and Non-Anthem Defendants would file separate motions to dismiss. Both motions would be "limited to a combined total of 10 claims, with 5 claims selected by Plaintiffs, 3 claims selected by the Anthem Defendants, and 2 claims selected by the [Non-Anthem Defendants]." ECF No. 326 at 2-3. At the November 10, 2015 case management conference, the parties identified the 10 claims that would be addressed in Defendants' motions to dismiss.
On November 23, 2015, the Anthem Defendants and Non-Anthem Defendants filed their first round motions to dismiss. On February 14, 2016, the Court granted in part and denied in part the first round motions to dismiss. ECF No. 468 ("First MTD Order."). Specifically, the Court granted with prejudice Defendants' motions to dismiss Plaintiffs' Indiana negligence, Kentucky Consumer Protection Act, and Kentucky Data Breach Act claims. Id. at 81. The Court granted with leave to amend Defendants' motions to dismiss Plaintiffs' California breach of contract, New Jersey breach of contract, New York unjust enrichment, and Georgia Information and Privacy Protection Act claims. Id. The Court denied Defendants' motions to dismiss Plaintiffs' California Unfair Competition Law, New York General Business Law § 349, and federal law third party beneficiary claims. Id. The Court also addressed standing and ERISA preemption in the First Motion to Dismiss Order.
In accordance with the Court's First Motion to Dismiss Order, Plaintiffs filed the SAC on March 11, 2016. The Anthem and Non-Anthem Defendants filed their second round motions to dismiss on April 5, 2016. Plaintiffs filed their oppositions on April 26, 2016, and the Anthem Defendants and Non-Anthem Defendants filed their replies on May 10, 2016. ECF No. 508 ("Anthem Opp'n"); ECF No. 507 ("Non-Anthem Opp'n"); ECF No. 511 ("Anthem Reply"); ECF No. 512 ("Non-Anthem Reply"). In addition, on March 28, 2016, the Non-Anthem Defendants filed a motion for clarification regarding the First Motion to Dismiss Order. ECF No. 483. Plaintiffs filed a response on March 31, 2016, ECF No. 486, and the Non-Anthem Defendants filed a reply on April 4, 2016, ECF No. 488.
Pursuant to Federal Rule of Civil Procedure 12(b)(6), a defendant may move to dismiss an action for failure to allege "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a `probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (internal citations omitted). For purposes of ruling on a Rule 12(b)(6) motion, the Court "accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party." Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008).
Nonetheless, the Court is not required to "`assume the truth of legal conclusions merely because they are cast in the form of factual allegations.'" Fayer v. Vaughn, 649 F.3d 1061, 1064 (9th Cir. 2011) (quoting W. Mining Council v. Watt, 643 F.2d 618, 624 (9th Cir. 1981)). Mere "conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss." Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir. 2004); accord Iqbal, 556 U.S. at 678. Furthermore, "`a plaintiff may plead [him]self out of court'" if he "plead[s] facts which establish that he cannot prevail on his . . . claim." Weisbuch v. Cnty. of L.A., 119 F.3d 778, 783 n.1 (9th Cir. 1997) (quoting Warzon v. Drew, 60 F.3d 1234, 1239 (7th Cir. 1995)).
For purposes of motions to dismiss, as with virtually all motions touching upon substantive legal matters, the general rule "is that the MDL transferee court is generally bound by the same substantive legal standards, if not always the same interpretation of them, as would have applied in the transferor court." In re Korean Air Lines Co., Ltd., 642 F.3d 685, 699 (9th Cir. 2011).
Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend "shall be freely granted when justice so requires," bearing in mind "the underlying purpose of Rule 15 to facilitate decision on the merits, rather than on the pleadings or technicalities." Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) (ellipses omitted). Generally, leave to amend shall be denied only if allowing amendment would unduly prejudice the opposing party, cause undue delay, or be futile, or if the moving party has acted in bad faith. Leadsinger, Inc. v. BMG Music Publ'g, 512 F.3d 522, 532 (9th Cir. 2008).
Before addressing the specific claims at issue, the Court examines the Non-Anthem Defendants' arguments regarding standing. These arguments also relate to the issues raised in the Non-Anthem Defendants' motion for clarification.
In the First Motion to Dismiss Order, the Court observed that there were ten Non-Anthem Defendants against whom the CAC "fails to allege any specific facts" regarding the selected claims at issue. First MTD Order at 8. Those Non-Anthem Defendants were: Blue Cross and Blue Shield of Alabama; Blue Cross and Blue Shield of Arizona, Inc.; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Highmark West Virginia, Inc.; BlueCross BlueShield of Tennessee, Inc.; Blue Cross and Blue Shield of Vermont; and Blue Cross and Blue Shield of Illinois. Because no factual allegations were made against these Non-Anthem Defendants as to the selected claims, the Court dismissed the selected claims against these Non-Anthem Defendants on standing grounds.
In reaching this decision, the Court found instructive the reasoning in In re Carrier IQ, 78 F.Supp.3d 1051 (N.D. Cal. 2015), where the district court, after examining U.S. Supreme Court precedent in Amchem Products, Inc. v. Windsor, 521 U.S. 591 (1997), and Ortiz v. Fibreboard Corp., 527 U.S. 815 (1999), concluded that courts have discretion on when to address standing in a nationwide class action—whether at the outset of litigation or at class certification. In exercising such discretion, a court should consider factors such as the cost and burden of discovery, the breadth of the proposed class, and whether a named plaintiff's claim is typical of individuals whose claims arise under the laws of other states. First MTD Order at 10.
With these factors in mind, the Court expressed concern that some Non-Anthem Defendants would remain in this case even though Plaintiffs might not, as a matter of law, be able to pursue the selected claims against these Defendants. There were, for instance, no allegations in the CAC to suggest that any Blue Cross and Blue Shield of Illinois customers resided in California or New York. As such, it would make little sense to ask Blue Cross and Blue Shield of Illinois to defend itself against Plaintiffs' California Unfair Competition Law or New York General Business Law § 349 claims.
The Court went on to distinguish the posture of this case from that in In re Target Corp. Data Security Breach Litigation, 66 F.Supp.3d 1154 (D. Minn. 2014). In In re Target, there were "114 named Plaintiffs who reside[d] in every state in the union save four and the District of Columbia." Id. at 1160. "As Target undoubtedly knows, there are consumers in Delaware, Maine, Rhode Island, Wyoming, and the District of Columbia whose personal financial information was stolen in [a] 2013 [data] breach." Id. "To force [p]laintiffs' attorneys to search out those individuals at [the motion to dismiss] stage serves no useful purpose." Id. Here, on the other hand, there was no indication from the CAC that Plaintiffs would be able to find an individual to plead specific facts concerning the selected claims against ten Non-Anthem Defendants.
The Non-Anthem Defendants' first motion to dismiss was, however, granted with leave to amend. In the second round motion to dismiss, the Non-Anthem Defendants once again argue for dismissal of the selected claims against ten Non-Anthem Defendants. The list of Defendants has changed somewhat since the Court's First Motion to Dismiss Order. These changes reflect the fact that Plaintiffs omitted three Non-Anthem Defendants from the SAC and that Non-Anthem Defendants identified three additional Non-Anthem Defendants in the SAC against whom the named Plaintiffs make no specific factual allegations as to the selected claims. Non-Anthem Mot. at 2-3 n.2. The updated list of ten Non-Anthem Defendants is: Blue Cross and Blue Shield of Alabama; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Blue Cross and Blue Shield of Vermont; Blue Cross Blue Shield of Massachusetts; Arkansas Blue Cross and Blue Shield; Blue Cross and Blue Shield of Minnesota; and Blue Cross and Blue Shield of Illinois. In addition, Non-Anthem Defendants also request that the Court "dismiss every non-selected claim against every . . . Defendant to the extent the named Plaintiff(s) asserting the claim does not allege he or she was insured by . . . th[at] . . . Defendant." Id. at 4 (emphasis removed). The Court addresses these arguments in turn.
The easiest way for Plaintiffs to have avoided dismissal would have been to find a named Plaintiff to assert one of the seven remaining selected claims against the ten Non-Anthem Defendants at issue. Plaintiffs have not done so. Instead of identifying new named Plaintiffs, however, the SAC includes enrollment data on each Non-Anthem Defendant. This data "set[] forth the number of residents of each state that were . . . enrolled" in "a health insurance of health benefits plan" by each Non-Anthem Defendant. SAC ¶¶ 242-55. From the Court's review of this data, it appears that every Non-Anthem Defendant at issue enrolled residents from nearly every state.
The Court finds that this alternative method also addresses the Court's concerns regarding standing. Indeed, there was previously no indication that Blue Cross and Blue Shield of Illinois enrolled any California or New York residents. Now, however, the SAC states that 208,945 California residents and 82,404 New York residents were enrolled in a Blue Cross and Blue Shield of Illinois plan. Taken together, the number of California and New York residents enrolled in a Blue Cross and Blue Shield of Illinois plan (291,349) actually exceeds the number of Illinois residents enrolled in a Blue Cross and Blue Shield of Illinois plan (265,801). Id. ¶ 245. Thus, 208,945 individuals could bring a California Unfair Competition Law claim against Blue Cross and Blue Shield of Illinois, and 82,404 individuals could bring a New York General Business Law § 349 claim against Blue Cross and Blue Shield of Illinois.
Under such circumstances, Plaintiffs' allegations are now more analogous to the facts in In re Target. As in In re Target, the SAC shows that every Non-Anthem Defendant provided health insurance or health benefits services to residents of nearly every state. The Court's concerns regarding whether any individuals could assert the selected claims against certain Defendants have thus been sufficiently addressed. At this point in the litigation, "forc[ing] Plaintiffs' [counsel] to search out . . . individuals [to add as named Plaintiffs] at this stage serves no useful purpose." In re Target, 66 F. Supp. 3d at 1160. Moreover, dismissing the selected claims against the ten Defendants at issue could prematurely preclude many individuals—such as the 208,945 Blue Cross and Blue Shield of Illinois enrollees in California—from pursuing viable claims.
Accordingly, the Court, in its discretion, declines to dismiss the selected claims against the ten Non-Anthem Defendants at issue. The Non-Anthem Defendants' motion to dismiss on standing grounds is therefore DENIED.
The Court cautions that today's decision is not meant to give Plaintiffs a free pass on standing. Although standing questions may be deferred until class certification in cases like this, "[t]he question of standing is not subject to waiver." United States v. Hays, 515 U.S. 737, 742 (1995). "This is no less true with respect to class actions than with respect to other suits." Lewis v. Casey, 518 U.S. 343, 357 (1996). "That a suit may be a class action adds nothing to the question of standing," id. (ellipses omitted), and if standing concerns remain at class certification, the Non-Anthem Defendants are invited to re-raise them before this Court.
For substantially similar reasons, the Non-Anthem Defendants' request to dismiss the non-selected claims against every Non-Anthem Defendant is also DENIED. As outlined above, Plaintiffs have presented sufficient allegations to establish that every Non-Anthem Defendant offered health insurance or health benefits services to residents of every state.
Finally, the above analysis also answers the Non-Anthem Defendants' motion for clarification. The gist of this motion is that, based on the First Motion to Dismiss Order, ten Non-Anthem "Defendants should be relieved of the burden of discovery until resolution of the selected claims." ECF No. 483 at 3. As dismissal of the selected claims against these ten Non-Anthem Defendants on the basis of standing is unwarranted, the Non-Anthem Defendants' request for a pause in discovery against these ten Non-Anthem Defendants is also DENIED.
"Under California law, to state a claim for breach of contract a plaintiff must plead [1] the contract, [2] plaintiffs' performance (or excuse for nonperformance), [3] defendant's breach, and [4] damage to plaintiff therefrom." Low v. LinkedIn Corp., 900 F.Supp.2d 1010, 1028 (N.D. Cal. 2012) (internal quotation marks omitted). Here, California Plaintiffs allege that "Plaintiffs and Class Members . . . entered into contracts with Anthem and its Affiliates that incorporated, either by express provision or attachment, or incorporation by reference, Anthem's . . . privacy policies pertaining to personal and health-related information." SAC ¶ 458. California Plaintiffs further contend that, by allowing cyberattackers to access the Anthem Database, the Anthem Defendants breached these contractual obligations. In moving to dismiss, the Anthem Defendants assert that the SAC "fails to identify [the] contractual provisions that were breached" and "fails to show that any breach caused contractual damages." Anthem Mot. at 6, 11.
There are three specific types of contracts at issue, with each type operating somewhat differently. First, "many Plaintiffs . . . purchased individual insurance or health benefits policies [directly] from Anthem and its Affiliates." SAC ¶ 191. These individuals "entered into contracts with Anthem and its Affiliates when they applied and paid for insurance and Anthem issued them a policy." Id. The Court refers to such contracts as "individual plan" contracts.
Second, some Plaintiffs entered into "group insurance policies" where Anthem "act[ed] as the insurer of risk." Id. ¶ 214. Under such contracts, a group—usually an employer—purchases insurance from a regulated insurance company. "Typically, the employer pays a per-employee premium to an insurance company, and the insurance company assumes the risk of providing health coverage for insured events." Mich. Catholic Conf. and Catholic Family Servs. v. Burwell, 807 F.3d 738, 742 (6th Cir. 2015) (internal quotation marks omitted). Similar to individual plan contracts, under these group insurance policies, the Anthem Defendants act as the insurer and bear any risks associated with insurance coverage. The Court refers to these plans as "fully-insured group plan" contracts.
Third, many Plaintiffs were part of self-insured group plans. SAC ¶ 214. Under such plans, the group "contract[s] with an insurance company . . . to administer the plan, but the [group] bears the risk associated with offering health benefits." Mich. Catholic Conf., 807 F.3d at 743. Unlike an individual plan or a fully-insured group plan, the Anthem Defendants act under these contracts as an administrator rather than as an insurer. The Anthem Defendants do not bear the risks associated with insurance coverage. The Court refers to these contracts as "administrative services only" agreements or "ASO" agreements.
The SAC identifies eleven California Plaintiffs, eight of whom assert a breach of contract claim against the Anthem Defendants. SAC ¶¶ 15-23. The remaining California Plaintiffs are covered by a Non-Anthem Defendant. The situation of the eight California Plaintiffs asserting a California breach of contract claim against an Anthem Defendant is documented below.
Because the legal architecture behind individual and fully-insured group plans (where the Anthem Defendants act as the insurer) differs from the legal architecture behind ASO agreements (where the Anthem Defendants act as the administrator), the Court addresses the Anthem Defendants' arguments regarding these plans separately.
For California Plaintiffs covered by an individual or fully-insured group plan, the Anthem Defendants contend that, although "[t]he SAC asserts that various privacy notices and policies became enforceable provisions of Plaintiffs' health plan contracts," the SAC "fails to allege facts to support th[is] assertion." Anthem Mot. at 6. California Plaintiffs, in response, assert that these privacy provisions were part of their underlying contracts via incorporation by reference or through express attachment.
As to incorporation by reference, California law provides that "[a] contract may validly include the provisions of a document not physically a part of the basic contract." Shaw v. Regents of Univ. of Cal., 67 Cal.Rptr.2d 850, 856 (Ct. App. 1997). "It is, of course, the law that the parties may incorporate by reference into their contract the terms of some other document." Id. "For the terms of another document to be incorporated into the document executed by the parties [1] the reference must be clear and unequivocal, [2] the reference must be called to the attention of the other party and he must consent thereto, and [3] the terms of the incorporated document must be known or easily available to the contracting parties." Id. "The contract need not recite that it incorporates another document, so long as it guides the reader to the incorporated document." Id. (internal quotation marks and alteration omitted).
With these principles in mind, the California Court of Appeal determined, in Shaw v. Regents of the University of California, that a college professor's contract had incorporated by reference the university's patent policy. Id. at 852. As the court explained, "when [plaintiff] signed the agreement, the parties intended it to incorporate the [University's] Patent Policy." Id. at 856. Specifically, "[plaintiff's contract] (1) direct[ed] [plaintiff] to `Please read the Patent Policy. . .,' and (2) state[d] that, in signing the patent agreement, [plaintiff was] `not waiving any rights to a percentage of royalty payments received by University, as set forth in [the] University Policy Regarding Patents.'" Id. (emphasis removed).
Following Shaw, the California Court of Appeal also determined that an arbitration clause was sufficiently incorporated by reference in Wolschlager v. Fidelity National Title Insurance Company, 4 Cal.Rptr.3d 179 (Ct. App. 2003). In Wolschlager, plaintiff received a preliminary report from defendant, a title insurance company. Id. at 181. This report did not state that the insurance policy was subject to an arbitration clause; indeed, the report did not even mention an arbitration clause. Instead, the report included two sentences which stated that "[Complete] [c]opies of the [entire insurance] policy . . . should be read. They are available from the office which issued this Report." Id. at 181-82. The full policy, which plaintiff later received after agreeing to purchase insurance from defendant, contained an arbitration clause. Id. at 182.
The Wolschlager court acknowledged that defendant, by moving to enforce the arbitration clause, sought to incorporate by reference "documents which were not attached" and "not presented" to plaintiff "at the time" that plaintiff reviewed the preliminary report and signed the underlying contract. Id. Indeed, "[t]here was no substantive dispute that plaintiff did not actually know about the arbitration clause." Id. at 185. Nonetheless, the California Court of Appeal found in defendant's favor, with the court noting that "the Preliminary Report specifically identifies the document incorporated as the policy, lists the form which is contemplated and tells the recipient where they can find the policy." Id. at 184-85. "This incorporation was both clear and unequivocal." Id. at 185. Moreover, "even if plaintiff did not know about the arbitration clause, the [p]olicy with the clause was easily available to him. The preliminary report identified the [p]olicy by name and directed . . . plaintiff to where he could inspect it." Id. "Nothing further," the California Court of Appeal observed, "was needed." Id.
Under Shaw and Wolschlager, the contracts entered into by Michael Bronzo ("Bronzo"), Kenneth Solomon ("Solomon"), Mary Ella Carter ("Carter"), and Kenneth Coonce ("Coonce") sufficiently incorporate by reference the Anthem Defendants' promises to protect individual privacy. First, on whether the references were clear and unequivocal, Shaw, 67 Cal. Rptr. at 856, each contract includes several specific references to Anthem's privacy policies. Bronzo's contract, for instance, states that "You have the right to receive a copy of the Notice of Privacy Practices. You may obtain a copy by calling our customer service department . . . or by accessing our website." ECF No. 473-5 at 28. At another point, Bronzo's contract provides that Anthem's right to "receive from any Provider of service information about You" is "subject to all applicable confidentiality requirements." Id. at 29. Further, the next paragraph reads, in all caps, that "A STATEMENT DESCRIBING OUR POLICIES AND PROCEDURES FOR PRESERVING THE CONFIDENTIALITY OF MEDICAL RECORDS IS AVAILABLE AND WILL BE FURNISHED TO YOU UPON REQUEST." Id. The paragraph concludes by advising Bronzo to contact Anthem's customer service department for "a copy of our policies and procedures for preserving Your medical record confidentiality." Id. Thus, the Anthem Defendants, on multiple instances, made clear and unequivocal references to Anthem's privacy policies in Bronzo's contract.
The Anthem Defendants made similar representations to Solomon, Carter, and Coonce. Solomon's contract, for instance, states: "You . . . have the right to receive a copy of the Notice of Privacy Practices. You may obtain a copy by calling our customer service department . . . or by accessing our web site." ECF No. 473-7 at 22. Similarly, Carter's plan booklet states that the Anthem Defendants "will make every effort and take care to keep your medical data secret." ECF No. 473-5 at 40. "Medical data about you can only be given to others if you agree to it in writing or if required by law." Id. "A statement describing our policies and procedures for preserving the confidentiality of medical records is available and will be furnished to you upon request." Id. Coonce's plan booklet also directs Coonce to obtain a copy of Anthem's "Notice of Privacy Practices" either by calling Anthem's customer service department or by accessing Anthem's website. ECF No. 473-6 at 6.
Second, "the references were called to the attention of" Bronzo, Solomon, Carter, and Coonce. Shaw, 67 Cal. Rptr. at 856. As noted above, each governing contract or group plan booklet called attention to the Anthem Defendants' privacy policies and gave instructions on how consumers could review these policies in greater detail.
Third, "the terms of the incorporated document [were] known or easily available to the contracting parties." Id. The SAC states that Anthem's privacy obligations were codified in at least three sets of documents: a "Personal Information (Including Social Security Number) Privacy Policy," ("PIPP") which was posted on "the Anthem website and the website for every Anthem BCBS Affiliate and . . . other Anthem Affilate[]," SAC ¶¶ 165-66; an Annual Notice of Privacy Practices ("Annual Privacy Notice"), id. ¶ 169; and in other statements on Anthem's website, id. ¶ 168. The core message from these documents is the same: to take reasonable security measures to protect customer PII. See ECF No. 473-5 at 2 (PIPP); ECF No. 473-5 at 16 (Annual Privacy Notice). All of these documents, moreover, were "easily available," Shaw, 67 Cal. Rptr. at 856, either via a physical copy or online.
The references at issue in the instant case in fact go several steps further than the references in Wolschlager. In Wolschlager, plaintiff was simply advised that "[c]omplete [c]opies of the [insurance] policy . . . should be read," without making any reference to the arbitration clause that was later disputed. 4 Cal. Rptr. 3d at 181. Here, on the other hand, the governing documents all discussed Anthem's obligation to protect privacy. In addition, these documents specifically direct California Plaintiffs to review Anthem's privacy policies in greater detail by either calling Anthem's customer service department or by visiting Anthem's public website. Under such circumstances, the Court finds that the Anthem Defendants' privacy policies were sufficiently incorporated by reference into the contracts of Bronzo, Solomon, Carter, and Coonce.
In response to Shaw and Wolschlager, the Anthem Defendants argue (1) that Amtower v. Photon Dynamics, Inc., 71 Cal.Rptr.3d 361 (Ct. App. 2008), compels a contrary result, (2) that the integration clause in California Plaintiffs' contracts precludes incorporation by reference of Anthem's privacy policies, and (3) that Anthem's privacy policies only codify preexisting legal duties and do not create independent contractual obligations.
The Anthem Defendants' reliance upon Amtower is misguided. Amtower involved two separate contracts governing two different sets of parties. The first contract, known as the "Merger Agreement," negotiated the process by which CR Technology, Inc. ("CRT") would merge with Photon Dynamics Inc. ("Photon"). Id. at 367-68. The only parties to the Merger Agreement were CRT and Photon. Notably, the Merger Agreement included an attorney's fees provision. The second contract, known as the "Affiliate Agreement," negotiated the rights of CRT shareholders to "sell the Photon stock [that] they acquired through the [CRT and Photon] merger." Id. at 368. The parties to the Affiliate Agreement were CRT's shareholders, which included plaintiff, and Photon. The Affiliate Agreement did not include an attorney's fees provision.
Plaintiff subsequently brought suit against Photon and Photon's officers, "complaining that he had been misled about the transferability of Photon stock" under the Affiliate Agreement. Id. at 369. Photon prevailed at trial and sought recovery of attorney's fees. The crux of Photon's argument was that, although the Affiliate Agreement did not include an attorney's fees provision, the Affiliate Agreement did mention the Merger Agreement, which meant that the Merger Agreement's attorney's fees provision was incorporated by reference into the Affiliate Agreement. See id. at 382-83. The California Court of Appeal rejected this argument.
As the California Court of Appeal observed, "[t]he parties to the Merger Agreement were Photon and CRT." Id. at 382. On the other hand, "[t]he parties to the Affiliate Agreement were Photon and plaintiff." Id. Thus, "unlike the facts in either Shaw or Wolschlager, the Merger Agreement [was] a separate contract that plaintiff did not solicit and to which he was not a party." Id. at 385. "The Merger Agreement was not attached to the Affiliate Agreement and the Affiliate Agreement did not refer to it as providing any rights or remedies to plaintiff." Id. In other words, the Amtower defendant sought to incorporate and enforce provisions from another contract to which plaintiff was not a party.
These differences distinguish Amtower from the instant case. The agreements at issue here all involve the same parties: Plaintiffs and the Anthem Defendants. Unlike in Amtower, there are no other parties at issue: the Anthem Defendants agreed to provide health insurance to Plaintiffs, and also agreed to protect Plaintiffs' PII.
The Anthem Defendants' reliance upon the contracts' integration clause is similarly inapposite. As the Anthem Defendants point out, for Coonce's policy, for instance, one provision states that "the entire Agreement consists of" the "Group Insurance Policy," the "Combined Evidence of Coverage and Disclosure Forms including any amendments, the group application, the eligible persons' individual applications, and the premium charge rate schedule." ECF No. 473-6 at 17; Anthem Mot. at 7. This integration clause, the Anthem Defendants argue, does not mention the Anthem Defendants' privacy policies. Consequently, these privacy policies are not part of Coonce's contract. Id.
Generally, an integration clause "prohibits the introduction of any extrinsic evidence, whether oral or written, to vary, alter or add to the terms of an integrated written instrument." Casa Herrera, Inc. v. Beydoun, 83 P.3d 497, 502 (Cal. 2004). However, "[t]he rule does not . . . prohibit the introduction of extrinsic evidence to explain the meaning of a written contract if the meaning urged is one to which the written contract terms are reasonably susceptible." Id. (internal quotation marks, ellipses, and alteration omitted).
Here, the Anthem Defendants' reliance upon the integration clause overlooks a critical fact: Coonce's Combined Evidence of Coverage and Disclosure Form—which the Anthem Defendants acknowledge is part of the "entire Agreement"—incorporates by reference Anthem's privacy policies. Coonce's Combined Evidence of Coverage and Disclosure Form, for instance, states that "[y]ou . . . have the right to receive a copy of the Member Rights and Responsibilities Statement and/or the Notice of Privacy Practices." ECF No. 473-6 at 6. The form also directs Coonce to contact the Anthem Defendants in order to obtain "[a] statement describing our policies and procedures regarding the confidentiality of medical records." Id. at 10.
The California Court of Appeal addressed an analogous situation in King v. Larsen Realty, Inc., 175 Cal.Rptr. 226 (Ct. App. 1981). In King, the membership application for a local realtor board required members "to abide by the constitution, bylaws, rules and regulations of the local board and the state association." Id. at 229. The bylaws, in turn, "impose[d] upon members the duty to arbitrate on the terms set forth in the California Association of Realtors Arbitration Manual." Id. at 229-30. "Hence," the California Court of Appeal concluded, "the entire scheme of interboard arbitration [in the California Association of Realtors Arbitration Manual] was incorporated into the bylaws of the [local realtor board]." Id. at 230.
In like manner, in Ruffu v. California Physicians Service, 2002 WL 1352449 (Cal. Ct. App. June 20, 2002), the California Court of Appeal rejected plaintiff's argument that the integration clause in a health insurance contract precluded the court from considering a Summary of Benefits document. As the Ruffu court noted, the insurance contract incorporated the insurance application; this application, in turn, referred to the Summary of Benefits document. "Thus, the Summary of Benefits is incorporated by reference into the application, which in turn is incorporated into the Agreement." Id. at *4. The privacy policies here do the same thing: the integration clause incorporates the Combined Evidence of Coverage and Disclosure Form, which in turn incorporates by reference Anthem's privacy policies.
Finally, the Anthem Defendants argue that "[n]otices required by law that detail preexisting legal obligations do not give rise to contractual rights." Anthem Mot. at 8 (internal quotation marks omitted). As noted in the First Motion to Dismiss Order, however, "Plaintiffs' breach of contract claim reaches beyond mere violation of applicable laws." MTD Order at 27. Rather, the SAC, like the CAC, avers that the Anthem Defendants "violat[ed] their commitment to maintain the confidentiality and security of [PII] compiled by Anthem and their Affiliates in the Anthem Data Base; and by failing to comply with their own policies and applicable laws, regulations and industry standards for data security and protecting the confidentiality of [PII]." SAC ¶ 461.
Both the PIPP and the Annual Privacy Notice corroborate this allegation. The PIPP states that "Anthem Blue Cross's Privacy Policy imposes a number of standards to prohibit the unlawful disclosure of Social Security number, and [to] guard the confidentiality of . . . other personal information." ECF No. 473-5 at 13 (emphasis added). Further, "Anthem Blue Cross safeguards Social Security numbers and other personal information by having physical, technical, and administrative safeguards in place." Id. Similarly, the Annual Privacy Notice states that "[w]e are dedicated to protecting your P[II], and have set up a number of policies and practices to help make sure your P[II] is kept secure. We have to keep your P[II] private. If we believe your P[II] has been breached, we must let you know." ECF No. 473-5 at 18. These commitments do not refer to any laws or preexisting legal obligations. Thus, consistent with the SAC, such statements could be read to reflect a commitment by Anthem to implement privacy policies that complement (or go beyond) Anthem's preexisting legal duties.
In sum, Bronzo, Solomon, Carter, and Coonce have sufficiently alleged that the Anthem Defendants' privacy policies were incorporated by reference into their contracts. As such, the Court need not address California Plaintiffs' express attachment theory.
The Court turns next to whether these California Plaintiffs have sufficiently pleaded contractual damages. "To establish contractual damages, a [p]laintiff must establish `appreciable and actual damage.'" Low, 900 F. Supp. 2d at 1028. "Nominal damages, speculative harm, or threat of future harm do not suffice to show legally cognizable injury." Id.
California Plaintiffs assert three damages theories. First, California Plaintiffs request Benefit of the Bargain Losses. The SAC describes these losses as "the difference in value between what Plaintiffs should have received from Defendants when they enrolled in and/or purchased insurance from Defendants that Defendants represented, contractually and otherwise, would be protected by reasonable data security, and Defendants' partial, defective, and deficient performance by failing to provide reasonable and adequate data security." SAC ¶ 415. Second, California Plaintiffs seek Loss of Value of PII, which Plaintiffs describe as "damages to and diminution in value of their [PII] entrusted to Defendants." Id. Third, California Plaintiffs request Consequential Out of Pocket Expenses, which are "damages resulting from [Plaintiffs'] attempt to ameliorate the effect of the breach of contract and subsequent Anthem Data Breach, including but not limited to purchasing credit monitoring services or taking other steps to protect themselves from the loss of their" PII. Id. ¶ 464.
On Benefit of the Bargain Losses, the California Supreme Court has held that "[d]amages are awarded in an action for breach of contract to give the injured party the benefit of his bargain and insofar as possible to place him in the same position he would have been in had the promisor performed the contract." Coughlin v. Blair, 262 P.2d 305, 314 (Cal. 1953). Likewise, in New West Charter Middle School v. Los Angeles Unified School District, 114 Cal.Rptr.3d 504, 515 (Ct. App. 2010), the California Court of Appeal noted that "[c]ontract damages compensate a plaintiff for its lost expectation interest." "This," the court observed, "is described as the benefit of the bargain that full performance would have brought." Id. When a "lessor fail[s] to deliver the promised premises," for example, "the proper measure of damages is the difference between the agreed rent and the rental value of the premises during the term of the lease." Id. (internal quotation marks omitted). Thus, both Coughlin and New West point in favor of Plaintiffs' attempt to recover Benefit of the Bargain Losses.
More recently, several federal courts have specifically upheld California breach of contract claims for Benefit of the Bargain Losses in the privacy context. In Svenson v. Google Inc., 2015 WL 1503429, *4 (N.D. Cal. Apr. 1, 2015), plaintiff had signed a contract with Google under the following terms: plaintiff "was to receive a payment processing service that would facilitate her [App] purchase while keeping her private information confidential in all but specific circumstances under which disclosure was authorized; and Google . . . was to retain a percentage of the App's purchase price." "Google did obtain [plaintiff's] personal information and did retain a percentage of the purchase price of the . . . App," but Google also, without plaintiff's permission, disclosed plaintiff's personal information to a third party vendor. Id. On damages, the Svenson court, citing New West, concluded that plaintiff had "alleged facts sufficient to show contract damages under a benefit of the bargain theory."
In an analogous context, this Court concluded that plaintiffs in In re Adobe Systems, Inc. Privacy Litigation, 66 F.Supp.3d 1197, 1224 (N.D. Cal. 2014), had established economic injury sufficient to defeat defendant's motion to dismiss. As this Court observed, "Plaintiffs allege they personally spent more on [defendant's] products than they would had they known [defendant] was not providing the reasonable security [defendant] represented it was providing." Id. It is "plausible that a company's reasonable security practices reduce the risk of theft of customer's personal data and thus that a company's security practices have economic value." Id. Accordingly, plaintiffs had "plausibly pleaded" that "they [had] personally lost money or property as a result" of defendant's actions. Id. at 1223-24 (internal quotation marks omitted).
In response to the line of decisions discussed above, the Anthem Defendants contend that Plaintiffs' "benefit of the bargain theory . . . fails because they do not allege facts showing that any alleged payments were earmarked for data security. Anthem Mot. at 11. Moreover, the Anthem Defendants cite several out of circuit cases where courts have declined to award benefit of the bargain damages. Both arguments are unavailing.
First, the Anthem Defendants have identified no California or Ninth Circuit authority to suggest that an entity must precisely "earmark" what portion of Plaintiffs' premiums went towards protecting Plaintiffs' data privacy. Indeed, California courts have consistently rejected such arguments. In Lewis Jorge Construction Management, Inc. v. Pomona Unified School District, 102 P.3d 257, 266 (Cal. 2004), for instance, the California Supreme Court held that, although contract "damages [must] be pled with [some degree of] particularity," they need not be "proven . . . with `mathematical precision.'" As such, "[w]here the fact of damages is certain, the amount of damages need not be calculated with absolute certainty. The law requires only that some reasonable basis of computation of damages be used, and the damages may be computed even [i]f the result reached is an approximation." Sargon Enterprises, Inc. v. Univ. of S. Cal., 288 P.3d 1237, 1254 (Cal. 2012) (internal quotation marks and citation omitted). "This is especially true where it is the wrongful acts of the defendant that have created the difficulty in proving the amount of loss." Id. (ellipses omitted).
Consistent with the reasoning in Lewis Jorge and Sargon, in the instant case, it is the alleged wrongful acts of the Anthem Defendants—their inability to fulfill their privacy obligations and their inability to set out the expected cost and value of these privacy obligations—which forms the basis of Plaintiffs' request for Benefit of the Bargain Losses. Put another way, the Anthem Defendants can not evade liability because the Anthem Defendants did not provide, in advance, a breakdown on how much of Plaintiffs' premiums the Anthem Defendants allocated (or should have allocated) to protecting Plaintiffs' PII.
Second, the Court finds unavailing the Anthem Defendants' reliance upon In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, 45 F.Supp.3d 14 (D.D.C. 2014), and Carlsen v. GameStop, 2015 WL 3538906 (D. Minn. June 4, 2015). Neither case addressed a California breach of contract claim. In fact, in In re SAIC, the district court limited its discussion only to jurisdictional issues and did not even examine any substantive claims. Instead, in a single sentence without citation, the district court concluded that, "[t]o the extent that [p]laintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing." 45 F. Supp. 3d at 30.
The Carlsen court likewise did not examine a California breach of contract claim. Moreover, defendant in Carlsen allowed users to sign up to receive either paid or free content; defendant's "Privacy Policy" applied to paying and non-paying users alike. 2015 WL 3538906, *5. As the Carlsen court observed, "because non-paying and paying users received the same Privacy Policy in this case, [p]laintiff cannot establish that the Privacy Policy has intrinsic monetary value attributed to it that was paid for and not received." Id. In contrast to Carlsen, Plaintiffs here have all paid premiums to the Anthem Defendants. There are no "non-paying" customers. Thus, Plaintiffs may be able to recover Benefit of the Bargain Losses in accordance with their premium payments.
Plaintiffs have also sufficiently pleaded damages for Loss of Value of PII. As the Court explained in the First Motion to Dismiss Order, the Ninth Circuit and a number of district courts have approved such damages theories. In In re Facebook Privacy Litigation, 572 F. App'x 494, 494 (9th Cir. 2014), for instance, "[p]laintiffs allege[d] that the information disclosed by [defendant could] be used to obtain personal information about plaintiffs, and that they were harmed both by the dissemination of their personal information and by losing the sales value of that information." These allegations, the Ninth Circuit determined, were "sufficient to show the element of damages for [plaintiffs'] breach of contract and fraud claims." Id.
In like manner, both this Court in In re Adobe and the district court in Corona v. Sony Pictures Entertainment, Inc., 2015 WL 3916744 (N.D. Cal. June 15, 2015), concluded that plaintiffs had sufficiently pleaded economic injury by claiming "that the[ir] PII was stolen and posted on file-sharing websites for identity thieves to download." Corona, 2015 WL 3916744, *3; see also In re Adobe, 66 F. Supp. 3d at 1214 ("[T]he risk that [p]laintiffs' personal data will be misused by the hackers who breached [defendant's] network is immediate and very real."). Finally, in Svenson, the district court found that plaintiff's "allegations of diminution in value of her personal information are sufficient to show contract damages [under California law] for pleading purposes." 2015 WL 1503429, *5.
The Anthem Defendants, however, read these cases to effectively impose two pleading requirements upon Plaintiffs: to plead "both that there was a `robust' market for [Plaintiffs' PII] and that [P]laintiffs had been financially harmed by [the data breach by] usurping their ability to sell that information themselves." Anthem Mot. at 5 (quoting In re Google, Inc. Privacy Policy Litig., 2015 WL 4317479, *4 (N.D. Cal. July 15, 2015)) (emphasis added). The Court declines to adopt such an interpretation.
Indeed, even if both of these requirements were to apply, the SAC does aver that Plaintiffs' PII "is such a valuable commodity to identity thieves that once the information has been compromised, criminals often trade the information on the cyber black-market for years." SAC ¶ 412. Relatedly, "[w]ith access to an individual's [PII], criminals can do more than just empty a victim's bank account—they can also commit various types of fraud . . . [they] may obtain a job using the victim's Social Security Number. Id ¶ 411. These allegations could be read to infer that an economic market existed for Plaintiffs' PII, and that the value of Plaintiffs' PII decreased as a result of the Anthem data breach. Indeed, in another data breach case, the Seventh Circuit remarked: "Presumably, the purpose of [a] hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Remijas v. Neiman Marcus Gp., LLC, 794 F.3d 688, 693 (7th Cir. 2015). "Why else would hackers break into a store's database and steal consumers' private information?" Id.
Moreover, setting aside the above allegations, the Court also finds that Plaintiffs are not required to plead that there was a market for their PII and that they somehow also intended to sell their own PII. Not even the authority that the Anthem Defendants cite supports this proposition. In In re Google, the district court observed that "[p]laintiffs do not allege economic injury from any dissemination . . . or any injury in the form of loss of the [p]laintiffs' ability to sell their own information or its market value." 2015 WL 4317479, *5 (emphasis added); see also id. ("Plaintiffs plead neither the existence of a market for their email addresses and names nor any impairment of their ability to participate in that market.") (emphasis added). These statements appear to require a plaintiff to allege that there was either an economic market for their PII or that it would be harder to sell their own PII, not both.
In sum, In re Facebook, Corona, Svenson, or In re Google do not support the two part requirement that the Anthem Defendants advocate. Accordingly, Plaintiffs have sufficiently alleged Loss of Value of PII.
Finally, the Anthem Defendants contend that Plaintiffs can not recover "Consequential Out of Pocket Expenses" because "[t]here is an obvious alternative explanation for the injuries Plaintiffs allege." Anthem Mot. at 2 (internal quotation marks omitted). Namely, "[d]ozens of major American businesses and the federal government have been the victims of cyberattacks in recent years aimed at stealing millions of Americans' PII." Id. These data breaches have "result[ed] in Americans becoming the victims of identity theft each year." Id. at 2-3.
The Court found this argument meritless in the First Motion to Dismiss Order. It remains meritless. As the Court has explained, "under Defendants' theory, a company affected by a data breach could simply contest causation by pointing to the fact that data breaches occur all the time, against various private and public entities." First MTD Order at 36. "This would, in turn, create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable. No [California law], the relevant authority addressing causation, or the specific facts of this case support such a legal theory." Id.
On the instant motions to dismiss, the Court once again emphasizes: no court has ever accepted the Anthem Defendants' argument in the data breach context. In fact, defendant in Remijas made this exact same argument: "[Defendant] argues that these plaintiffs cannot show that their injuries are traceable to the data incursion at the company rather than to one of several other large-scale breaches that took place around the same time." 794 F.3d at 696. In response, the Seventh Circuit explained that "[t]he fact that . . . some other store might have caused . . . plaintiffs' private information to be exposed does nothing to negate . . . plaintiffs' standing to sue." Id. "If there are multiple companies that could have exposed . . . plaintiffs' private information to the hackers, then the common law of torts has long shifted the burden of proof to defendants to prove that their negligent actions were not the but-for cause of . . . plaintiff's injury." Id. (internal quotation marks omitted). "It is enough at this stage of the litigation that [defendant] admitted that 350,000 cards might have been exposed and that it contacted members of the class to tell them they were at risk. Those admissions and actions by the store adequately raise the plaintiffs' right to relief above the speculative level." Id.
Remijas is consistent with Ninth Circuit precedent. In Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011), the Ninth Circuit held that, "[i]f there are two alternative explanations, one advanced by defendant and the other advanced by plaintiff, both of which are plausible, plaintiff's complaint survives a motion to dismiss under Rule 12(b)(6)." The Starr court further held that a plaintiff's complaint "may be dismissed only when defendant's plausible alternative explanation is so convincing that plaintiff's explanation is implausible." Id.
Despite multiple rounds of briefing, the Anthem Defendants have failed to demonstrate why the reasoning in Remijas and Starr should not govern the instant case. The Anthem Defendants have never challenged the fact that (1) the Anthem Database was breached, (2) that this breach exposed the PII of approximately 80 million individuals, and (3) that the Anthem Database contained the PII of every single putative class member in the instant action. That is sufficient for purposes of pleading consequential injury at this point in litigation.
As a final matter, the Anthem Defendants have also cited no binding precedent to suggest that Plaintiffs are precluded from recovering for specific types of Consequential Out of Pocket Expenses, such as credit monitoring, under California contract law. The Court has found none in its own research. In fact, some courts have suggested that an individual may recover "actual damages" that were incurred in order "to mitigate" costs associated with being a "victim of identity theft." Ruiz v. Gap, Inc., 622 F.Supp.2d 908, 918 (N.D. Cal. 2009). Plaintiffs have sufficiently alleged such a relationship here. Coonce, for instance, alleges that he received a notice from Anthem in March 2015 informing him that his PII had been compromised. Five months later, Coonce "was notified . . . that his debit card number had been stolen and used for unauthorized charges." SAC ¶ 18. Consequently, Coonce spent $312 on identity theft and credit monitoring services. Id. Thus, Coonce was notified that his PII had been stolen, Coonce later learned that his financial information had been compromised, and, as a result, Coonce took actions to prevent further financial damage.
In sum, the Court finds that Bronzo, Carter, Coonce, and Solomon, who had individual or fully-insured group plan contracts with the Anthem Defendants, have sufficiently alleged a breach of contract claim under California law.
The Court turns next to California Plaintiffs Daniel Randrup, Steve Kawai, Kelly Tharp, and Daniel Tharp, who were enrolled in ASO agreements. Because the Anthem Defendants do not act as the insurer in these agreements and because these agreements are between an employer and an Anthem Defendant, Plaintiffs assert their California breach of contract claim as third party beneficiaries. See SAC ¶ 454 ("The Plaintiffs and Class Members who enrolled in Self-Funded Plans for whom Anthem provided only administrative services sue as third-party beneficiaries.").
In California, "[a] third party beneficiary may enforce a contract made expressly for his or her benefit." Kaiser Eng'rs, Inc. v. Grinnell Fire Protection Sys. Co., 219 Cal.Rptr. 626, 629 (Ct. App. 1985). "The intent of the contracting parties to benefit expressly that third party must appear from the terms of the contract." Id. Over time, the term "expressly" has come to mean "merely the negative of `incidentally.'" Id. "[T]he third person need not be named or identified individually to be an express beneficiary. A third party may enforce a contract if it can be shown that he or she is a member of the class for whose express benefit the contract was made." Id. "Generally, it is a question of fact whether a particular third person is an intended beneficiary of a contract." Prouty v. Gores Tech. Gp., 18 Cal.Rptr.3d 178, 184 (Ct. App. 2004). With these principles in mind, the Court addresses Randrup, Kawai, and the Tharps' claims in turn.
Randrup has failed to sufficiently allege a third party beneficiary claim, for two reasons. First, Randrup's ASO, on the first page, states that "[n]either SISC III [Randrup's employer] nor Anthem Blue Cross Life and Health intends this Agreement to confer any benefit on any persons who are not parties to this Agreement." ECF No. 473-7 at 6. The following page defines "Parties" as "SISC III and Anthem Blue Cross Life and Health." Id. at 7. Read together, these provisions suggest that SISC III and Anthem Blue Cross Life and Health did not intend to confer third party beneficiary status to Randrup. Indeed, in similar contexts, courts have read such clauses to preclude litigants from asserting third party beneficiary claims. See, e.g., Balsam v. Tucows Inc., 2009 WL 3463923, *3-*4 (N.D. Cal. Oct. 23, 2009) (finding that party could not bring claim where agreement included term that read: "This Agreement shall not be construed to create any obligation by either ICANN or Registrar to any non-party to this Agreement.").
Second, although Plaintiffs contend that Randrup's contract "incorporated privacy policies that Anthem violated," Anthem Opp'n at 7, the agreement between SISC III and Anthem Blue Cross Life and Health does not support this contention. Unlike the contracts described above, Randrup's ASO agreement does not mention the PIPP or the Annual Privacy Notice. In fact, in their briefing, Plaintiffs do not even point to a single instance in Randrup's ASO agreement where the Anthem Defendants promised to protect Randrup's PII. Id.
After the Court's own review of the agreement at issue, the Court has found only one provision that could be taken to refer to the Anthem Defendants' privacy obligations: "Anthem Blue Cross Life and Health . . . agrees that all individually identifiable information regarding persons covered under the Plan . . . is confidential and shall be (i) used only in order to carry out the provisions of this Agreement . . . and (ii) disclosed only as otherwise provided in this Agreement or as required by law." ECF No. 473-7 at 10. This statement differs markedly from the statements made in the contracts of California Plaintiffs under individual and fully-insured group plans. At no point in this statement do the parties refer to Anthem's specific privacy obligations. Nor does this statement direct Randrup to visit Anthem's public website or contact Anthem's customer service department for a copy of Anthem's privacy policies. Thus, the content of this single statement, read together with the above statements disclaiming any third party rights, demonstrate that Randrup may not pursue a breach of contract claim.
Prouty v. Gores Technology Group and Milmoe v. Gevity HR, Inc., 2006 WL 2691393 (N.D. Cal. Sept. 20, 2006), do not compel a contrary finding. Both Prouty and Milmoe addressed whether an employee could assert a third party beneficiary claim in the context of a contract between two companies that acted as co-employers. As other courts have noted, Prouty and Milmoe created a limited exception to the general rule regarding contractual clauses that disclaim third party beneficiary claims. Balsam, 2009 WL 3463923, *4. "[I]n Prouty, the `specific' clause that the third parties sought to enforce was an amendment to an agreement." Id. "That the amendment was added after the general no third party beneficiary statement was included in the agreement was strong evidence of the parties' intent to modify the original terms of the agreement." Id. Moreover, "the clause protecting the employees in Prouty was aimed at protecting a narrow, specifically-identified class of people, namely employees of one party's subsidiary." Id. Likewise, in Milmoe, "the plaintiff's work and wages were the [express] subject of the contract, thus making it entirely plausible that parts of the contract were intended for the express benefit of the plaintiff." Id. at *5.
Such circumstances are not at play here. Although Plaintiffs contend that "under California law, a general `no third party beneficiary' clause may be trumped by more specific contract provisions that create benefits for a specific group," Plaintiffs have identified no such specific provisions here. Anthem Opp'n at 7. As such, unlike Prouty and Milmoe, there is no indication that the parties intended to allow Randrup to pursue a California breach of contract claim against the Anthem Defendants. Accordingly, the Court finds that Randrup can not proceed with his breach of contract claim against the Anthem Defendants.
Additionally, the Court denies Plaintiffs' leave to amend Randrup's claim. The Court may grant leave to amend unless doing so would unduly prejudice the opposing party, cause undue delay, or be futile, or if the moving party has acted in bad faith. These factors, however, are "not given equal weight." Bonin v. Calderon, 59 F.3d 815, 845 (9th Cir. 1995). "Futility of amendment can, by itself, justify the denial of a motion for leave to amend." Id. Amendment here would be futile. Randrup's ASO agreement expressly disclaims third party beneficiary claims and includes only a single provision that discusses the Anthem Defendants' privacy obligations. At no point in Randrup's agreement are the PIPP or Annual Privacy Notice mentioned. Furthermore, "a district court has broad discretion to grant or deny leave to amend, particularly where the court has already given a plaintiff one or more opportunities to amend his complaint." Mir v. Forsburg, 646 F.2d 342, 347 (9th Cir. 1980). Plaintiffs have now had two opportunities to amend the complaint. The SAC addresses the deficiencies identified in the First Motion to Dismiss Order for several California Plaintiffs, but not for Randrup.
Turning briefly to the other relevant leave to amend factors, the Court finds that providing leave to amend would also result in undue delay and could prejudice the Anthem Defendants. The parties are proceeding apace with the case schedule, with fact discovery set to close on October 17, 2016 and expert discovery set to close on January 23, 2017. Providing Plaintiffs with leave to amend, thus triggering another motion to dismiss, would delay the case schedule and prevent this action from efficient resolution.
Kawai was employed by the State of California and was enrolled in a CalPERS health plan administered by Anthem Blue Cross of California. SAC ¶ 19. The ASO agreement between CalPERS and Anthem Blue Cross of California states that "[t]he California Legislature and CalPERS have established an organized program for the provision of health benefits to State of California Employees." ECF No. 473-6 at 35. Unlike Randrup's ASO agreement, Kawai's ASO agreement does not include a provision that expressly disclaims third beneficiary status.
Moreover, also unlike Randrup's ASO agreement, Kawai's ASO agreement includes 11 pages that describe the Anthem Defendants' commitment to protect individual privacy. See id. at 39-42; 48-54. These obligations include a promise to "take all reasonable and necessary steps to prevent the unauthorized disclosure, modification or destruction of the Disclosing Party's Information Assets." Id. at 40. Anthem Blue Cross of California "must, at a minimum, use the same degree of care to protect the Disclosing Party's Information Assets that it uses to protect its own Information Assets." Id. Kawai's ASO agreement further provides that Anthem Blue Cross "will maintain the confidentiality of all information and documents relating to Members and will ensure all Member information is kept strictly confidential, and, as applicable, in accordance with federal and state law. All such information will be treated as sensitive and propriety in accordance with CalPERS confidentiality laws, Contractor's confidentiality policies and procedures, applicable physician code of ethics, constitutional right of privacy, all applicable federal and state law and requirements of all applicable accrediting bodies." Id. at 41-42 (emphasis added). Taken together, these statements appear to sufficiently incorporate by reference Anthem's privacy policies, such as its PIPP and Annual Privacy Notice.
Finally, Kawai's ASO agreement includes, as an attachment, a Business Associate Agreement, formed between CalPERS, the Plan Sponsor, and Anthem Blue Cross of California, the Business Associate. "In order to share P[I]I with third parties, . . . HIPAA requires health care plans and providers to enter into business associate agreements, [which are] contracts obligating the third parties to abide by HIPAA's restrictions on P[I]I disclosures." Monarch Fire Prot. Dist. of St. Louis Cnty, Mo. v. Freedom Consulting & Auditing Servs., Inc., 678 F.Supp.2d 927, 932 (E.D. Mo. 2009); see 45 C.F.R. § 164.502(e)(1)(i) ("A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf."). Kawai's Business Associate Agreement sets forth detailed privacy provisions, which include a provision that Anthem Blue Cross of California "implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of" PII. ECF No. 473-6 at 49.
In sum, the provisions in the main ASO agreement and the Business Associate Agreement provide evidence that (1) Kawai was an intended third party beneficiary between CalPERS and Anthem Blue Cross of California and that (2) provisions in the ASO agreement could be read to allow Kawai to pursue a third party beneficiary claim.
The Anthem Defendants sole argument in response to this conclusion is that the purpose of the Business Associate Agreement is to "implement safeguards to protect electronic health information as required by the HIPAA Security Rule." Anthem Mot. at 10. Consequently, the Business Associate Agreement only memorializes certain preexisting legal obligations, which "do[] not create contractual rights." Id.
This contention is flawed in two respects. First, as outlined above, the attached Business Associate Agreement does not contain all of Anthem Blue Cross of California's privacy obligations. Several obligations are included in the main ASO agreement, such as a promise to "maintain the confidentiality of all information and documents relating to Members and will ensure all Member information is kept strictly confidential." ECF No. 473-6 at 41 (emphasis added). Thus, even if the Court were to set the Business Associate Agreement aside, the Court would nevertheless find that Kawai could maintain a third party beneficiary claim.
Second, very few courts have considered whether Business Associate Agreements create independent contractual rights. There is at least some regulatory language and case law, however, to suggest that they do. The regulations governing Business Associate Agreements state that "[a] business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to [45 C.F.R.] § 164.504(e) or as required by law." 45 C.F.R. § 164.502(a)(3) (emphasis added). The prevalent use of the word "or" suggests that Business Associate Agreements may be implemented such that they cover more ground than what would be required by federal law.
This interpretation is consistent with the understanding adopted by the Eastern District of Missouri in Monarch Fire Protection. In that case, plaintiff asked an auditing firm, Freedom Consulting & Auditing Services ("Freedom"), to review whether an individual had "use[d] [plaintiff's health] Plan for procedures that should not have been covered." 678 F. Supp. 2d at 932. Plaintiff subsequently filed suit for breach of contract "because Freedom breached a number of provisions of the [Business Associate Agreement] by, among other things, failing to immediately remove P[I]I from documentation received for purposes of the audit, disclosing P[I]I to [unauthorized third parties], and retaining P[I]I after completing the audit." Id. at 935. After reviewing the terms of the Business Associate Agreement, the Monarch Fire Protection court concluded that plaintiff was "entitled to summary judgment that Freedom breached the [Business Associate Agreement] by divulging P[I]I received in the audit process." Id. at 938. The Eighth Circuit affirmed. Monarch Fire Prot. Dist. of St. Louis Cnty, Mo. v. Freedom Consulting & Auditing Servs., Inc., 644 F.3d 633 (8th Cir. 2011). Plaintiff in Monarch Fire Department was therefore able to prevail on a breach of contract claim based upon privacy obligations set forth in a Business Associate Agreement. There is no reason why Kawai should not be able to do the same.
Thus, having concluded that Kawai has sufficiently alleged a third party beneficiary claim, the Court turns finally to the Anthem Defendants' remaining argument: whether Kawai may recover damages. Here, the Anthem Defendants argue that damages are not recoverable because "Plaintiffs' employers, and not Plaintiffs, . . . made payments to the Anthem Defendants." Anthem Mot. at 12. Kawai, however, alleges that he paid premiums to CalPERS, which then used these premiums to pay for services offered by the Anthem Defendants. Under California law, "when a plaintiff seeks to secure benefits under a contract as to which he is a third-party beneficiary, he must take that contract as he finds it." Marina Tenants Ass'n v. Deauville Marina Dev't Co., 226 Cal.Rptr. 321, 327 (Ct. App. 1986) (internal quotation marks and alterations omitted). Applying this principle to the instant case, the Anthem Defendants do not contest that CalPERS would be able to recover Benefit of the Bargain Losses, Loss of Value of PII, or Consequential Out of Pocket Expenses. By asserting a third party beneficiary claim, Kawai seeks to step into the shoes of CalPERS and recover the same damages that CalPERS would be able to recover. Kawai has thus "take[n] th[e] contract as he finds it," and has asserted rights commensurate to what CalPERS could assert. Id. Accordingly, Kawai's attempt to recover contract damages does not warrant dismissal.
The Tharps' ASO agreement is more analogous to Randrup's than to Kawai's. Indeed, although the Tharps' ASO agreement does not contain a clause that specifically disclaims third party beneficiary claims, the agreement does include a No Assignment Clause: "Unless it has first obtained the written consent of the other Party, neither Party may assign this Agreement to any other person." ECF No. 473-9 at 6. Although California courts have, in some instances, allowed third parties to pursue a claim notwithstanding a no assignment clause, the general view is that such a clause does not point in the Tharps' favor. See Schauer v. Mandarin Gems of Cal., Inc., 23 Cal.Rptr.3d 233, 237-40 (Ct. App. 2005).
More importantly, the Tharps' ASO agreement barely mentions the Anthem Defendants' privacy obligations. The agreement does not mention the PIPP or Annual Privacy Notice, nor does it discuss any security measures that the Anthem Defendants must undertake. One specific section states that the Anthem Defendants must comply with the legal requirements set forth under HIPAA. ECF No. 473-8 at 15. Another section makes a vague commitment to comply with Anthem's standard policies and procedures, but does not mention whether these standard policies include Anthem's privacy obligations. Id. at 8.
Although Plaintiffs appear to acknowledge these deficiencies, Plaintiffs nonetheless contend that the Tharps' ASO agreement "expressly committed to comply with HIPAA," which, Plaintiffs argue, provides the basis for a breach of contract claim. Anthem Opp'n at 7. The Court disagrees. As noted in the First Motion to Dismiss Order, "plaintiffs must . . . do something more to allege a breach of contract claim than merely point to allegations of a statutory violation." Wiebe v. NDEX West, LLC, 2010 WL 2035992, *3 (C.D. Cal. May 17, 2010) (quoting Berger v. Home Depot U.S.A., Inc., 476 F.Supp.2d 1174, 1177 (C.D. Cal. 2007)). A breach of contract claim based solely upon a pre-existing legal obligation to comply with HIPAA can not survive dismissal.
Having determined that the Tharps have not stated a viable third party beneficiary claim, the Court also denies Plaintiffs' leave to amend. As with Randrup, providing leave to amend would be futile, would result in undue delay, and could prejudice the opposing party. Moreover, Plaintiffs have already produced the Tharps' ASO agreement, and the Court has determined, after reviewing this agreement in detail, that it does not contain the provisions necessary to plead a third party beneficiary claim.
In sum, the Anthem Defendants' motion to dismiss Daniel Randrup, Kelly Tharp, and Daniel Tharp's breach of contract claim is GRANTED with prejudice. The Anthem Defendants' motion to dismiss the breach of contract claims of the remaining California Plaintiffs is DENIED.
In order to state a claim for breach of contract under New Jersey law, Plaintiffs "must allege (1) a contract between the parties; (2) a breach of that contract; (3) damages flowing therefrom; and (4) that the party stating the claim performed its own contractual obligations." Frederico v. Home Depot, 507 F.3d 188, 203 (3d Cir. 2007). In moving to dismiss Plaintiffs' New Jersey breach of contract claim, the Non-Anthem Defendants contend that the SAC "fails to allege facts identifying a contractual provision that allegedly was breached," that Plaintiffs did not "suffer[] any injury as a result of any alleged breach," and that Plaintiffs' "benefit of the bargain theory of injury" is barred by the filed rate doctrine. Non-Anthem Mot. at 6 (internal quotation marks omitted). These contentions are discussed in turn.
Because there is only one New Jersey Plaintiff, Elizabeth Ames ("Ames"), there is only one set of contracts at issue. Ames avers that she "was enrolled in a Horizon Blue Cross Blue Shield of New Jersey health plan," and "was previously enrolled in a Blue Cross Blue Shield of Florida health plan." SAC ¶ 85. Ames was insured by Horizon Blue Cross Blue Shield of New Jersey under an individual health plan and by Horizon Blue Cross Blue Shield of Florida under an ASO agreement.
Horizon Blue Cross Blue Shield of Florida does not challenge whether Ames's contract included certain privacy provisions. Non-Anthem Mot. at 6 n.6. Horizon Blue Cross Blue Shield of Florida is only challenging whether Ames can recover contractual damages. Id.
On the other hand, Horizon Blue Cross Blue Shield of New Jersey challenges whether Ames's contract included any privacy obligations. Plaintiffs assert that Anthem's privacy policies were part of Ames's contract with Horizon Blue Cross Blue Shield of New Jersey either via express attachment or via incorporation by reference. On express attachment, the parties agree that the Court's analysis should begin with the Benefits booklet that Horizon Blue Cross Blue Shield of New Jersey provided to Ames. This booklet contains eight sections. Two are of particular importance here: Section 7, "Important Notices," and Section 8, "Your Policy." ECF No. 491-1 at 7.
In Section 7, Horizon Blue Cross Blue Shield of New Jersey outlines its "Notice of information privacy practices." Id. at 17. This Notice states that Horizon Blue Cross Blue Shield of New Jersey "will abide by the statements made in this Notice," and "want[s]" you to know that [it] recognize[s] [its] obligation to keep information about you secure and confidential." Id. The Notice further provides that "[w]e also maintain appropriate administrative, technical and physical safeguards to reasonably protect your [PII]." Id.; see also id. ("Our employees get training regarding the need to maintain your [PII] in the strictest confidence."). The entirety of this Notice is reproduced on Horizon Blue Cross Blue Shield of New Jersey's website, and Ames' Booklet expressly directs Ames to "[g]o online" for further information on the Non-Anthem Defendants' policies. See ECF No. 491-1 at 8; ECF No. 473-11 at 26-31.
Section 8, the "Your Policy" section, contains information on premiums, specialty case management, and coordination of benefits. ECF No. 491-1 at 21-22. A provision of the "Your Policy" section also contains a clause which states that "[t]his Policy, including the endorsements and the attached papers, if any, constitutes the entire contract of insurance." Id. at 24.
The core dispute is whether this clause excludes consideration of the privacy obligations set forth in Section 7. According to the Non-Anthem Defendants, this integration clause restricts Ames' contract to include only those provisions in Section 8, the "Your Policy" section. Non-Anthem Reply at 4. Plaintiffs, on the other hand, contend that the integration clause's language— "This Policy, including the endorsements and the attached papers, if any, constitutes the . . . contract of insurance"—incorporates the privacy obligations in Section 7. As Plaintiffs note, "[i]t defies logic and the plain meaning of `attached papers' for Defendants to argue that this privacy notice, which is physically `attached' to the Policy in the preceding chapter of the same booklet, is not included in this contract." Non-Anthem Opp'n at 8.
Under New Jersey law, "[w]hen the meaning of an integrated contract is ambiguous, the surrounding circumstances may be introduced for the purpose of elucidation." Driscoll Const. Co., Inc. v. State, Dep't of Transp., 853 A.2d 270, 278 (N.J. Super. Ct. App. Div. 2004). However, "[e]ven when the contract on its face is free from ambiguity, evidence of the situation of the parties and the surrounding circumstances and conditions is admissible in aid of interpretation." Id. Thus, "whether the clause under consideration is regarded as clear and certain, or ambiguous and uncertain, if the intention of the parties is not to be gleaned from a reading of the instrument as a whole, the plaintiff should have had the opportunity of presenting evidence of the facts and circumstances surrounding the execution of the [contract]." Id.
With this in mind, the Court finds more persuasive Plaintiffs' reading of the integration clause in Ames' contract. What other meaning could "attached papers" have if not one that includes papers that are literally attached to the Policy? The interpretation advocated by the Non-Anthem Defendants would essentially render superfluous the "attached papers" provision. Such a reading would contravene the New Jersey precedent discussed above, as well as run afoul of the general rule that courts are to "give effect to all parts of the [contract], and an interpretation which gives a reasonable meaning to all its provisions will be preferred to one which leaves a portion of the writing useless or inexplicable." Maryland Cas. Co. v. Hansen-Jensen, Inc., 83 A.2d 1, 4 (N.J. Super Ct. App. Div. 1951).
Plaintiffs have thus sufficiently alleged that Ames' contract expressly attached Horizon Blue Cross Blue Shield of New Jersey's privacy obligations, as contained in Section 7 of Ames' booklet. Having determined that these obligations were expressly attached, the Court need not examine whether these obligations were also incorporated by reference.
Ames seeks damages in the form of Benefit of the Bargain Losses, Loss of Value of PII, and Consequential Out of Pocket Expenses. As to Benefit of the Bargain Losses, the Non-Anthem Defendants' primary contention is that such damages are barred by the filed rate doctrine. The Non-Anthem Defendants state that this doctrine applies because Plaintiffs' request for Benefit of the Bargain Losses would require the Court to recalculate insurance premium rates and determine what a reasonable rate would have been.
"The filed rate doctrine forbids a regulated entity [from] charg[ing] rates for its services other than those properly filed with the appropriate federal [or state] regulatory authority." Weinberg v. Sprint Corp., 801 A.2d 281, 286 (N.J. 2002) (internal quotation marks omitted). "The two core policy goals of the doctrine are (1) the non-discrimination strand, or the prevention of price discrimination by carriers as among ratepayers; and (2) the non-justiciability strand, or the preservation of the role of regulatory agencies in approving reasonable rates and the exclusion of the courts from the rate-making process." Clark v. Prudential Ins. Co. of Am., 736 F.Supp.2d 902, 913 (D.N.J. 2010). The doctrine "is a product of the deference which courts give to the ratemaking and regulatory processes of administrative bodies." Richardson v. Standard Guar. Ins. Co., 853 A.2d 955, 961 (N.J. Super. Ct. App. Div. 2004).
As construed by the New Jersey Supreme Court, "the filed rate doctrine bars money damages from [regulated entities] where the damage claims are premised on state contract principles, consumer fraud, or other bases on which plaintiffs seek to enforce a rate other than the filed rate." Weinberg, 801 A.2d at 287. "[T]here is no fraud exception to the filed rate doctrine." AT & T Corp. v. JMC Telecom, LLC, 470 F.3d 525, 535 (3d Cir. 2006). Consequently, "any remedy requiring a refund of a portion of the filed rate is barred by application of the filed rate doctrine." Smith v. SBC Commc'ns, 839 A.2d 850, 860 (N.J. 2004) (emphasis added).
The filed rate doctrine applies to the instant case. As an initial matter, although Plaintiffs correctly assert that the filed rate doctrine was originally "grounded in federal preemption principles," both state and federal courts in New Jersey have determined that the doctrine also now applies to industries subject to state regulation. See, e.g., Richardson, 853 A.2d at 963 ("[W]e reject plaintiff's argument that the doctrine does not apply to state ratemaking."); Clark, 736 F. Supp. 2d at 914 ("[T]he Court finds that the filed rate doctrine may be applied to rate-making by a New Jersey regulatory agency.").
Notably, in Clark, the district court applied the filed rate doctrine to bar various state law claims asserted against a health insurer. Plaintiffs in Clark asserted causes of action under the New Jersey Consumer Fraud Act and common law fraudulent misrepresentation, fraudulent omission, and breach of the duty of good faith and fair dealing. Id. at 912. Specifically, plaintiffs alleged that defendant, a health insurer, had "affirmatively misrepresented the reason[] for . . . escalating premiums." Id. at 909. According to plaintiffs, defendant had apparently stated that the rising premiums were the result of general increases in medical costs rather than disclosing defendant's decision to prevent new policyholders from joining the insurance plan. Id. at 908. "With [the insurance plan] closed to new entrants, and an insufficient percentage of healthy policyholders remaining to subsidize the costs of unhealthy policyholders," defendant's actions caused the insurance plan to enter into an economically unsustainable "death spiral." Id. Defendant in Clark did not challenge the allegations of affirmative misrepresentation. Instead, defendant focused on the fact that plaintiffs effectively sought "a refund of all moneys acquired by means of unlawful practices"—a form of relief that defendant argued was barred by the filed rate doctrine. Id. at 919.
The Clark court agreed. In reaching this decision, the district court rejected plaintiffs' argument that the filed rate doctrine did not apply to health insurers. Relying upon the New Jersey Superior Court Appellate Division's Richardson decision, the Clark court noted that "(1) many other jurisdictions ha[ve] applied the doctrine to insurance industry rate-making; (2) the insurance industry in New Jersey is heavily regulated; and (3) the statutory framework governing rate-making for [health] insurance in New Jersey is meaningful and extensive." Id. at 915. Notably, all health insurance premiums in New Jersey must be "submitted and approved by the New Jersey Department of Banking and Insurance (DOBI), the state agency specifically authorized by New Jersey law to regulate insurance rates." Id.
Both Richardson and Clark apply here. Indeed, as in both cases, the Non-Anthem Defendants "filed with [DOBI]" the "rates applicable to Ames health plan . . . as required by state law." Non-Anthem Opp'n at 10. Moreover, Plaintiffs' request for Benefit of the Bargain Losses constitutes an attempt to "enforce a rate other than the filed rate." Weinberg, 801 A.2d at 287. As the New Jersey Supreme Court has stated, "any remedy requiring a refund of a portion of the filed rate is barred by application of the filed rate doctrine." Smith, 839 A.2d at 860 (emphasis added). Here, Plaintiffs' request for Benefit of the Bargain Losses naturally represents a refund for the portion of Plaintiffs' premiums that should have, but did not, go towards data security. In opposing the instant motion, Plaintiffs in fact acknowledge that their request for such losses "could involve a refund of some portion of premiums to compensate Plaintiffs for data security that was promised but not delivered." Non-Anthem Opp'n at 15.
In an attempt to distinguish Clark and Richardson, Plaintiffs argue that they are not "challeng[ing] the intrinsic reasonableness of the rates Non-Anthem Defendants charged for health insurance." Id. Instead, "Plaintiffs contend that . . . they should be compensated for Defendants' failure to provide what was promised." Id.
This argument, however, has already been considered and rejected. As the Clark court explained, such a request "would [inevitably] require the Court to determine what rate would have been reasonable and thereby interfere with DOBI's rate-making process." 736 F. Supp. 2d at 919. "[C]laims for compensatory damages or refund based on insurance premiums [plaintiff] paid in previous years are barred by the filed rate doctrine." Id. Similarly, in Richardson, the Appellate Division of the New Jersey Superior Court has held that the filed rate "doctrine precludes a claim for damages which would indirectly cause the application of rates different from the filed rates." 853 A.2d at 967 (emphasis added). That is exactly what would happen here: by asking for an across-the-board premium refund to putative class members, Plaintiffs would "indirectly cause the application of rates different from the filed rates." Id. Finally, in JMC Telecom, the Third Circuit, of which New Jersey is a part, has determined that "the filed rate doctrine has been expanded to exclude claims of insufficient and poor-quality service." 470 F.3d at 532. In the instant case, Plaintiffs' basic contention is that Defendants provided poor quality data security rather than reasonable data security, as Defendants promised to do.
To be fair, the filed rate doctrine is not without criticism. The U.S. Supreme Court has called the doctrine "harsh," a sentiment shared by the Third Circuit. Am. Tel. and Tel. Co. v. Cent. Ofc. Tel., Inc., 524 U.S. 214, 223 (1998) (stating that "the filed rate doctrine may seem harsh in some circumstances," but nonetheless applying doctrine to reverse Ninth Circuit decision); JMC Telecom, 470 F.3d at 533 n.11 ("Although the filed rate doctrine produces harsh results in this case as alleged, such equitable concerns have been rejected by the Supreme Court. . . . This is true regardless of [a defendant's] ulterior motives."). Likewise, various New Jersey judges have described the doctrine as "controversial" and "a legal fiction whose days . . . are numbered." Richardson, 853 A.2d at 962 (quoting Weinberg, 801 A.2d at 294 (Verniero, J., dissenting)). However, an MDL transferee court is "bound by the same substantive legal standards . . . as would have applied in the transferor court." In re Korean Air, 642 F.3d at 699. Those standards, as stated by state and federal courts in New Jersey, provide a clear answer to the issue at hand. Accordingly, the Court finds that Plaintiffs' can not recover Benefit of the Bargain Losses under their New Jersey breach of contract claim.
In addition, the Court denies Plaintiffs' leave to amend, as amendment would be futile. The rules governing the filed rate doctrine have been set forth by federal and state courts in New Jersey. These principles demonstrate that Plaintiffs' request for Benefit of the Bargain Losses inextricably implicates the filed rate doctrine. Plaintiffs are barred from recovering such damages, and amendment would not change this holding.
As to Loss of Value of PII, neither party has identified any authority addressing whether a party may recover for such damages in New Jersey. The Court has found none in its own research. In the absence of such authority, the Court finds dismissal of Plaintiffs' claim for Loss of Value of PII unwarranted.
Two reasons counsel in favor of this finding. First, courts have noted that "California and New Jersey [contract] law are substantially similar" to one another. N.J. Best Phone Cards, Corp. v. NobelTel, LLC, 2013 WL 5937422, *3 (D.N.J. Nov. 4, 2013). As noted above, California Plaintiffs may recover for Loss of Value of PII, and there is no reason why this holding should not also apply to the New Jersey breach of contract claim.
Second, there is at least some case law to suggest that New Jersey courts would be receptive to Loss of Value of PII damages. In Canessa v. J.I. Kislak, Inc., 235 A.2d 62 (N.J. Super. Ct. Law. Div. 1967), plaintiff had his family's picture taken for a local news story by defendant, a local real estate company. After the news story was published, defendant began reprinting and distributing the family's picture without plaintiff's permission. Id. at 65. Plaintiff objected, and sued for invasion of privacy. Defendant argued that plaintiff could not recover damages. Id.
The New Jersey Superior Court disagreed. As the court outlined, plaintiff's "names and likenesses belong to them. As such they are property. They are things of value. Defendant has made them so, for it has taken them for its own commercial benefit." Id. at 76. The Canessa court continued, "New Jersey has always enjoined the use of plaintiff's likeness and name on the specific basis that it was a protected property right. . . . If it is sufficiently a right of `property' to prevent its use, why should it not also be such a right when damages are sought? For the latter wrong there should likewise be a remedy, i.e., damages." Id. (citation omitted). Here, as in Canessa, Plaintiffs allege that their PII had economic value, which was diminished because the Non-Anthem Defendants did not take the necessary steps to protect Plaintiffs' PII.
As to Consequential Out of Pocket Expenses, the SAC states that "Ames has spent numerous hours addressing issues arising from the Anthem data breach." SAC ¶ 85. That allegation, the Non-Anthem Defendants argue, is "not enough to state a breach of contract claim." Non-Anthem Mot. at 9. No New Jersey state courts have ruled on the issue of whether such costs are recoverable. Nor has the Third Circuit or a district court in the Third Circuit provided any guidance.
There are, however, a growing number of courts that have recognized that damages associated with time spent monitoring one's PII are recoverable. First, in Lewert v. P.F. Chang's China Bistro, Inc., 2016 WL 1459226, *1 (7th Cir. Apr. 14, 2016), plaintiff alleged that, "after [defendant] initially announced [a data] breach in June 2014," plaintiff "spent time and effort monitoring his card statements and his credit report to ensure that no fraudulent charges had been made on that card and that no fraudulent accounts had been opened in his name." Like Ames, the Lewert plaintiff did not actually spend money on credit monitoring services. Moreover, at the time that defendant in Lewert announced the data breach, the parties "did not know how many consumers were affected, whether the breach was general or limited to specific locations, or how long the breach lasted." Id. Further investigation revealed that plaintiff in Lewert had not even dined at "[t]he only affected restaurant" in plaintiff's state. Thus, there was no risk that plaintiff's personal information would be compromised as a result of the data breach. Nevertheless, the Seventh Circuit concluded that "the time and effort" the plaintiff had spent "monitoring both his card statements and his other financial information" was "sufficient" to "support standing based on [plaintiff's] injuries." Id. at *1, *3; see also id. (finding "time and money customers spent protecting against future identity theft or fraudulent charges" constitute "injuries sufficient for standing").
Lewert relied significantly upon the Seventh Circuit's decision in Remijas, a case discussed above. On Consequential Out of Pocket Expenses, the Remijas court specifically concluded that "[m]itigation expenses . . . qualify as [an] actual injur[y]" because the harm was imminent: defendant's data had been breached, and this event "made the risk of identity theft and fraudulent charges sufficiently immediate to justify mitigation efforts." Remijas, 794 F.3d at 694.
Consistent with Lewert and Remijas, the Middle District of Alabama recently denied a motion to dismiss in Smith v. Triad of Alabama, LLC, 2015 WL 5793318 (M.D. Ala. Sept. 29, 2015), another data breach case. As the district court summarized, plaintiffs "aver that because of the data breach, they will be required to spend money and time mitigating its effects." Id. at *8. The district court rejected defendant's argument that, "in order to establish standing, [p]laintiffs must allege . . . that they suffered some un-reimbursed or out of pocket expense." Id. After canvassing relevant Eleventh Circuit precedent, the district court concluded that "[t]here is no precedent binding on this court stating that for standing purposes, a victim of identity theft must allege that he or she suffered economic damages or that he/she suffered an un-reimbursed or out-of-pocket expense, and this court will not so hold." Id. at *9.
Finally, this Court's In re Adobe decision also supports Plaintiffs' position. As in Lewert, Remijas, and Smith, this Court held that a data breach creates a "threatened harm" that is "sufficiently concrete and imminent to satisfy" standing. In re Adobe, 66 F. Supp. 3d at 1214. Here, Plaintiffs attempts to respond to this imminent threat—whether by paying out of pocket for credit monitoring or by using their own time for credit monitoring—resulted in damages that may be recoverable.
The Non-Anthem Defendants' reliance upon Holmes v. Countrywide Financial Corp., 2012 WL 2873892 (W.D. Ky. July 12, 2012), is unpersuasive. Plaintiffs in Holmes did assert a New Jersey breach of contract claim arising out of a data breach. Plaintiffs also argued that the time spent "monitoring their credit, researching identity theft, and learning about this case" may "form the foundation for a compensable injury." Id. at *11. The Holmes court disagreed. The Holmes court, however, found no relevant New Jersey state court or Third Circuit decision on point. Instead, the Holmes court relied entirely upon four federal district court opinions, and provided no independent reasoning outside of a citation to these decisions. Holmes—and all the decisions upon which Holmes relies—predate the Seventh Circuit's decisions in Lewert and Remijas, the Middle District of Alabama's decision in Smith, and this Court's decision in In re Adobe. As such, Holmes does not reflect the growing recognition amongst courts of Loss of Value of PII damages. In light of such circumstances, the Court finds Lewert, Remijas, Smith, and In re Adobe more instructive, and thus declines to follow Holmes.
In sum, the Non-Anthem Defendants' motion to dismiss the request for Benefit of the Bargain Losses as to Plaintiffs' New Jersey breach of contract claim is GRANTED with prejudice. The Non-Anthem Defendants' motion to dismiss Plaintiffs' New Jersey breach of contract claim is otherwise DENIED.
The SAC asserts against all Defendants an unjust enrichment claim, brought under New York law. SAC ¶¶ 526-34. According to the SAC, Plaintiffs "conferred a monetary benefit on" Defendants, Defendants "appreciated or had knowledge of the benefits conferred upon them by Plaintiffs," and "[u]nder principals [sic] of equity and good conscience, Defendants . . . should not be permitted to retain the money belonging to Plaintiffs . . . because Defendant[s] failed to implement (or adequately implement) the data privacy and security practices and procedures that Plaintiffs . . . paid for." Id. ¶¶ 528, 529, 532.
Defendants seek dismissal of Plaintiffs' New York unjust enrichment claim on two grounds. First, Defendants contend that "[t]here can be no unjust enrichment claim under New York law where an express contract governs the same subject manner." Anthem Mot. at 13. Second, Plaintiffs' claim "fails because the SAC does not allege facts showing the New York Plaintiffs conferred a benefit on the Anthem Defendants such that they could have been unjustly enriched." Id. at 14. These arguments are addressed in turn.
On the issue of Plaintiffs' express contracts with Defendants, the New York Court of Appeals has noted, "[a] `quasi contract' only applies in the absence of an express agreement, and is not really a contract at all, but rather a legal obligation imposed in order to prevent a party's unjust enrichment." Clark-Fitzpatrick, Inc. v. Long Island R.R. Co., 516 N.E.2d 190, 193 (N.Y. 1987) (emphasis added). "It is impermissible . . . to seek damages in an action sounding in quasi contract where the suing party has fully performed on a valid written agreement, the existence of which is undisputed, and the scope of which clearly covers the dispute between the parties." Id.; accord Corsello v. Verizon N.Y., Inc., 967 N.E.2d 1177, 1185 (N.Y. 2012) ("An unjust enrichment claim is not available where it simply duplicates, or replaces, a conventional contract . . . claim.").
Consistent with Clark-Fitzpatrick and Corsello, the parties agree that Plaintiffs' New York unjust enrichment claim is duplicative of Plaintiffs' New York breach of contract claim. Anthem Mot. at 13; Anthem Opp'n at 12. In other words, if New York Plaintiffs can obtain relief via contract, then New York Plaintiffs may not seek relief via unjust enrichment.
However, the parties have not designated a New York breach of contract claim as one of the selected claims, and there has been no briefing as to the scope and breadth of New York Plaintiffs' contracts. As a result, the parties did not include the New York Plaintiffs' contracts in the record.
The parties have, however, selected a California breach of contract claim. Several courts have held that California and New York contract law are similar to one another. See, e.g., Be In, Inc. v. Google, Inc., 2013 WL 5568706, *6 (N.D. Cal. Oct. 9, 2013) ("[T]he Court agrees that the contract formation law of both California and New York is substantively similar."); Berkson v. Gogo LLC, 97 F.Supp.3d 359, 388 (E.D.N.Y. 2015) ("In the instant case, the substantive contractual laws of New York, California, and Illinois are at issue. These states laws are substantively similar with respect to the issue of contract formation."); cf. First Hill Partners, LLC v. BlueCrest Capital Mgmt. Ltd., 52 F.Supp.3d 625, 634 (S.D.N.Y. 2014) ("[T]here is no actual conflict between the law governing unjust enrichment claims in New York and in California. Under both New York and California law, an unjust enrichment claim is precluded if a valid contract covers the subject matter of the dispute.") (citations and footnote omitted).
As discussed above, on Plaintiffs' California breach of contract claim, the parties disagree over whether Defendants' privacy policies were incorporated into Plaintiffs' contracts. The Court agreed with the Anthem Defendants on the claims brought by California Plaintiffs Daniel Randrup, Kelly Tharp, and Daniel Tharp, but agreed with Plaintiffs as to the remaining California Plaintiffs. Without an opportunity to review the specific contracts at issue for New York Plaintiffs, it is uncertain whether Defendants' privacy obligations were also sufficiently incorporated by reference into New York Plaintiffs' contracts.
Under similar factual circumstances, New York courts have denied motions to dismiss unjust enrichment claims. In Joseph Sternberg, Inc. v. Walber 36th St. Assocs., 187 A.D.2d 225, 228 (N.Y. App. Div. 1993), the New York Supreme Court Appellate Division noted that "where there is a bona fide dispute as to the existence of a contract or where the contract does not cover the dispute in issue, plaintiff may proceed upon a theory of quantum meruit and will not be required to elect his or her remedies." The court subsequently determined that the contract at issue was ambiguous, and that, at the motion to dismiss stage, dismissal was unwarranted.
The Southern District of New York also denied defendant's motion to dismiss in Union Bank, N.A. v. CBS Corp., 2009 WL 1675087 (S.D.N.Y. June 10, 2009). Akin to the instant case, plaintiff in Union Bank asserted a breach of contract and an unjust enrichment claim. After examining the evidence, the district court concluded that it could not "determine as a matter of law and at the inception of this litigation that this dispute will be resolved through application of the [parties' written contracts]." Id. at *8. Citing Joseph Sternberg, the Union Bank court thus decided that plaintiff's unjust enrichment claim should not be dismissed. Id. at *9.
Following Sternberg and Union Bank, the Court finds that, it is unclear whether New York Plaintiffs' contract claim is duplicative of, and thus precludes, New York Plaintiffs' unjust enrichment claim. Thus, the Court denies Defendants' motions to dismiss based on their contention that Plaintiffs' New York unjust enrichment claim overlaps with Plaintiffs' New York contract claim.
As to Defendants' other contention—that Plaintiffs did not confer a monetary benefit on Defendants—the Court finds instructive Georgia Malone & Co., Inc. v. Rieder, 973 N.E.2d 743, 746 (N.Y. 2012). In Georgia Malone, the New York Court of Appeals stated that, for purposes of an unjust enrichment claim, "[a] plaintiff must allege that (1) the other party was enriched, (2) at that party's expense, and (3) that it is against equity and good conscience to permit the other party to retain what is sought to be recovered." Id. (internal quotation marks omitted). "[A] plaintiff need not be in privity with the defendant to state a claim for unjust enrichment." Id. There must only "exist a relationship or connection between the parties that is not too attenuated." Id. (internal quotation marks omitted). At first blush, the SAC appears to meet all three of these requirements: Plaintiffs aver (1) that they paid premiums or fees that went to Defendants, (2) that Defendants knew of these payments, and (3) that Defendants should return a portion of what was paid. SAC ¶¶ 528, 529, 532.
Defendants, however, contend that Plaintiffs do not "allege any facts showing [that] their premiums were in fact paid to Anthem." Anthem Mot. at 15. According to Defendants, all New York Plaintiffs were covered under ASO agreements; as such, Plaintiffs' employers, and not Plaintiffs, paid Defendants.
The Court disagrees with Defendants as to New York Plaintiffs Barbara Gold ("Gold"), Matthew Gates ("Gates"), and Juan Carlos Cerro ("Cerro"). Gold, Gates, and Cerro all state that they paid health insurance premiums on a regular basis. SAC ¶¶ 87-89. These premiums were aggregated by their respective employers, who then paid Defendants. Thus, Defendants knew or should have known that some portion of Gold, Gates, and Cerro's insurance expenses had been paid by the premiums that Gold, Gates, and Cerro paid. That is all that Gold, Gates, and Cerro need to plead to avoid dismissal.
Mandarin Trading Ltd. v. Wildenstein, 944 N.E.2d 1104 (N.Y. 2011), does not hold to the contrary. In that case, the New York Court of Appeals again emphasized that "privity is not required for an unjust enrichment claim." Id. at 1111. The court, however, dismissed the unjust enrichment claim at issue because there were no allegations of even "an awareness by [defendant] of [plaintiff's] existence." Id. Such circumstances do not apply here. By virtue of collecting Plaintiffs' PII, maintaining a nationwide database of Plaintiffs' PII, and providing administrative services to Plaintiffs, Defendants were aware of Gold, Gates, and Cerro's existence. The relationship between Gold, Gates, and Cerro and Defendants is thus "not too attenuated" to state a New York unjust enrichment claim. Rieder, 973 N.E. 2d at 746; Mandarin Trading, 944 N.E. 2d at 1111. Defendants' motions to dismiss the New York unjust enrichment claims of Gold, Gates, and Cerro are therefore DENIED.
The Court, however, finds Defendants' arguments more relevant as to New York Plaintiff Marne Onderdonk ("Onderdonk"). The SAC states that "Onderdonk was enrolled in the New York State Health Insurance Program (NYSHIP) for Government Employees." SAC ¶ 90. Empire BlueCross Blue Shield provided administrative services to NYSHIP. Id. The SAC, however, does not state that Onderdonk paid premiums, rates, or any other fees to NYSHIP or Empire BlueCross Blue Shield. Indeed, based on the SAC, it is unclear whether there is any economic relationship between Onderdonk, NYSHIP, and Empire BlueCross Blue Shield. Such allegations do not pass muster under Mandarin Trading. Accordingly, Defendants' motion to dismiss Onderdonk's New York unjust enrichment claim is GRANTED. However, Plaintiffs shall have leave to amend Onderdonk's claim. It is possible that, after amendment, Plaintiffs will be able to plead a sufficiently close economic relationship between Onderdonk and Empire BlueCross Blue Shield. Amendment therefore may not be futile.
California's Unfair Competition Law ("UCL") provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus & Prof. Code § 17200, et seq. "The UCL's coverage is sweeping, and its standard for wrongful business conduct intentionally broad." Moore v. Apple, Inc., 73 F.Supp.3d 1191, 1204 (N.D. Cal. 2014) (internal quotation marks omitted). "Although the UCL targets a wide range of misconduct, its remedies are limited because UCL actions are equitable in nature." Pom Wonderful LLC v. Welch Foods, Inc., 2009 WL 5184422, *2 (C.D. Cal. Dec. 21, 2009). "Remedies for private individuals bringing suit under the UCL are limited to restitution and injunctive relief." Id.
Each prong of the UCL provides a separate and distinct theory of liability, Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007), and Plaintiffs assert that Defendants' conduct was unlawful, unfair, and fraudulent, see SAC ¶ 542. Before addressing whether Plaintiffs have sufficiently pleaded liability under these prongs, however, the Court must determine whether Plaintiffs have standing to bring suit. In order to establish standing under the UCL, "a plaintiff must make a twofold showing: he or she must demonstrate injury in fact and a loss of money or property caused by unfair competition." Susilo v. Wells Fargo Bank, N.A., 796 F.Supp.2d 1177, 1195-96 (C.D. Cal. 2011) (internal quotation marks omitted).
As to whether Plaintiffs have demonstrated "injury in fact" and "a loss of money or property caused by unfair competition," id., the California Supreme Court has stated that "[t]here are innumerable ways in which economic injury from unfair competition may be shown," Kwikset Corp. v. Superior Court, 246 P.3d 877, 885 (Cal. 2011). A plaintiff may, for instance,
Id. at 885-86. Here, Plaintiffs seek recovery under the UCL for two forms of economic injury: Benefit of the Bargain Losses and Consequential Out of Pocket Expenses.
The Court has already determined that California Plaintiffs Michael Bronzo, Mary Ella Carter, Kenneth Coonce, Steve Kawai, and Kenneth Solomon may recover Benefit of the Bargain Losses under their California breach of contract claim. As Defendants acknowledge, that finding also means that those California Plaintiffs' have sufficiently alleged economic injury for purposes of the UCL. Anthem Mot. at 15. Whether the remaining California Plaintiffs—Daniel Randrup, Kelly Tharp, Daniel Tharp, Joseph Blanchard, Lillian Brisko, and Alvin Lawson—have sufficiently alleged UCL standing is a closer call. Answering this question requires the Court to examine (a) the differences between Article III standing and UCL standing, and (b) the differences between California contract law and the UCL.
"Although the requirements of federal standing under Article III and the requirements of standing under California's consumer protection statutes overlap, there are important differences." In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 903 F.Supp.2d 942, 965 (S.D. Cal. 2012) (citing Troyk v. Farmers Grp., Inc., 90 Cal.Rptr.3d 589, 625 n.31 (Ct. App. 2009)). "For example, under Article III a plaintiff must allege: (1) an injury in fact; (2) causation; and (3) likelihood that the injury will be redressed by a favorable decision." Id. On the other hand, for purposes of the UCL, a plaintiff need meet only "the first element (i.e., an injury in fact)." Id. (internal quotation marks omitted).
However, under the UCL, a party must show that he has lost money or property in order to satisfy this injury in fact requirement. Ehret v. Uber Technologies, Inc., 68 F.Supp.3d 1121, 1132 (N.D. Cal. 2014) ("Whereas a federal plaintiff's injury in fact may be intangible and need not involve lost money or property, . . . a UCL plaintiff's injury in fact [must] specifically involve lost money or property.") (internal quotation marks omitted).
This "lost money or property" requirement may, in some circumstances, impose a more stringent standard for standing under the UCL as compared to Article III. Id. Nevertheless, California Plaintiffs have met this more stringent standard. Each California Plaintiff states that they paid money for health insurance premiums, which were used to pay for services offered by Defendants. See, e.g., SAC ¶ 16 ("Plaintiff Daniel Randrup . . . was enrolled in a health plan . . . that was administered by . . . Anthem Blue Cross of California, and [Randrup] paid premiums on a regular basis."). Thus, each California Plaintiff has "lost money or property," as required under the UCL.
There are also a number of important distinctions between California contract law and the UCL. In general, the UCL sweeps more broadly. See, e.g., Hale v. Sharp Healthcare, 108 Cal.Rptr.3d 669, 675-81 (Ct. App. 2010) (upholding UCL claim but dismissing breach of contract claim); Ehret, 68 F. Supp. 3d at 1139-41 (same). Two particular differences help explain the UCL's broader scope, and are of relevance to the instant motions.
First, under the UCL, a plaintiff may bring suit against a third party even if the plaintiff is not an intended third party beneficiary. Compare Bus. to Bus. Mkts., Inc. v. Zurich Specialties, 37 Cal.Rptr.3d 295, 298 (Ct. App. 2005) (stating, in a breach of contract case, that a party owes duties to intended, but not incidental, third party beneficiaries), with Ferrington v. McAfee, Inc., 2010 WL 3910169, *8 (N.D. Cal. Oct. 5, 2010) ("[T]he UCL permits restitution from a defendant whose unfair business practices caused plaintiff to pay money to a third party, as long as it is reasonable to infer that the defendant indirectly received that money from the third party.").
On this point, Defendants make much of the California Supreme Court's statement in Korea Supply Co. v. Lockheed Martin Corp., 63 P.3d 937, 947 (Cal. 2003), that "[a]ny award that plaintiff would recover from defendants [under the UCL] would not be restitutionary as it would not replace any money or property that defendants took directly from plaintiff." Non-Anthem Mot. at 12; Anthem Mot. at 10 n.15. This statement, Defendants argue, demonstrates that Plaintiffs can not seek restitution under the UCL if a Plaintiff is covered by an ASO agreement, as such Plaintiffs did not pay Defendants directly. Applied here, this argument would, in practice, set a higher bar for UCL standing than under a conventional breach of contract claim, as no Plaintiff under an ASO agreement could bring a UCL claim.
California courts, however, have rejected the reading of Korea Supply that Defendants have advocated. In Shersher v. Superior Court, 65 Cal.Rptr.3d 634, 636 (Ct. App. 2007), defendant Microsoft Corporation ("Microsoft") argued that plaintiff could not seek restitution because plaintiff "purchased Microsoft's product from a retailer." Thus, plaintiff did not "pa[y] money directly to" Microsoft. Id. The California Court of Appeal rejected this argument and found Microsoft's reliance upon Korea Supply misplaced. After reviewing the facts in Korea Supply, the California Court of Appeal concluded that the case's holding was "a narrow one": namely, "the holding of Korea Supply on the issue of restitution is that the remedy the plaintiff seeks must be truly `restitutionary in nature'—that is, it must represent the return of money or property the defendant acquired through its unfair practices." Id. at 639. Importantly, "[n]othing in the language of Korea Supply suggests that the [California] Supreme Court intended to preclude consumers from seeking the return of money they paid for a product that turned out to be not as represented." Id. (emphasis added).
In Troyk, a case decided after Shersher, the California Court of Appeal once again reiterated that "Korea Supply [was] inapposite . . . and does not hold that a plaintiff who paid a third party money (i.e., money in which the plaintiff had a vested interest) may not seek UCL restitution from a defendant whose unlawful business practice caused the plaintiff to pay that money." Troyk, 90 Cal. Rptr. 3d at 616; see People v. Sarpas, 172 Cal.Rptr.3d 25, 43-48 (Ct. App. 2014) (canvassing decisions that have criticized Korea Supply).
Following Shersher and Troyk, federal courts—including this Court—have generally declined to adopt Defendants' reading of Korea Supply. See, e.g., Lopez v. United Parcel Serv., Inc., 2010 WL 728205, *10 (N.D. Cal. 2010) (rejecting reliance upon direct payment argument and stating that "UPS's suggestion that Korea Supply is in any way apposite to the present case is flatly wrong."); McAfee, 2010 WL 3910169, *7 ("[A]s the California Court of Appeals has noted, [the holding in Korea Supply] was directed to the particular facts of [the case], which involved plaintiffs who never had an ownership interest in the money allegedly obtained through defendant's unfair business practices.").
In accord with this line of cases, the Court does not adopt Defendants' reading of Korea Supply here. Although California Plaintiffs might not have paid Defendants directly, they nonetheless paid premiums which were then used to pay Defendants. Defendants' alleged failure to provide certain services led Plaintiffs, via the UCL, to seek "the return of money or property [that Defendants] acquired through its unfair practices." Shersher, 65 Cal. Rptr. 3d at 639.
A second notable difference between contract law and the UCL is that the UCL provides for liability under three separate prongs: the unlawful, the unfair, and the fraudulent prong. As explained by the district court in Ehret, a "UCL claim . . . is [thus] not limited to the structures of the alleged contractual terms." Ehret, 68 F. Supp. 3d at 1141. The UCL's "prescriptions are aimed at unlawful or unfair [or fraudulent] business practices (wherein a violation may be found even if conduct violates no specific law [or contract])." Id.
This distinction is critical to understanding why all California Plaintiffs have alleged economic injury sufficient to establish UCL standing. California Plaintiffs, for instance, claim that Defendants engaged in unlawful business practices by violating HIPAA, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act ("FTC Act"), California's Unfair Insurance Practice Statutes, California's Insurance Information and Privacy Protection Act ("CIIPA"), California's Confidentiality of Medical Information Act ("CMIA"), and Cal. Civ. Code § 1798.2. SAC ¶ 316, 317, 542. Defendants do not contest that the contracts or agreements for California Plaintiffs included provisions agreeing to comply with some (or all) of these laws.
As the Court has noted, for purposes of bringing a breach of contract claim, California Plaintiffs "must . . . do something more . . . than merely point to allegations of a statutory violation." Berger, 476 F. Supp. 2d at 1177. Plaintiffs need not, though, do anything more to allege an unlawful claim under the UCL. "By proscribing any unlawful business practice," the UCL "borrows violations of other laws and treats them as unlawful practices that the UCL makes independently actionable." Rose v. Bank of Am., N.A., 304 P.3d 181, 185 (Cal. 2013) (internal quotation marks and alteration omitted). In other words, the UCL's unlawful prong creates causes of action for statutory violations that might not otherwise be actionable via private contract.
Taken together, the three features discussed above—that a plaintiff must show lost money or property, that a plaintiff need not be an intended third party beneficiary to bring a UCL claim, and that UCL liability is often broader than contract liability—provide an answer to the standing inquiry here. All California Plaintiffs paid premiums, which were in turn used to pay for services by Defendants. As part of these services, Defendants were, at minimum, required to comply with certain privacy laws, which Defendants allegedly did not do. California Plaintiffs have thus established economic injury because they have "surrender[ed] in a transaction more, or acquire[d] in a transaction less, than he or she otherwise would have," Kwikset, 246 P.3d at 885, because of Defendants' unlawful, unfair, or fraudulent conduct.
As discussed above, Plaintiffs allege that Defendants violated seven statutes: HIPAA, the Gramm-Leach-Bliley Act, the FTC Act, California's Unfair Insurance Practice Statutes, CIIPA, CMIA, and Cal. Civ. Code § 1798.82. Defendants contend that Plaintiffs have failed to state a claim under three statutes: CMIA, CIIPA, and Cal. Civ. Code § 1798.82. Defendants do not challenge Plaintiffs' allegations as to the remaining statutes. Thus, even if the Court were to grant Defendants' motion, Plaintiffs' UCL claim under the unlawful prong would still survive.
This is effectively the position Plaintiffs have taken in their own briefing. Instead of developing specific arguments to challenge Defendants' contentions, Plaintiffs urge the Court to defer ruling on Defendants' arguments, as Plaintiffs would have a viable claim under the unlawful prong in any event. As Defendants point out, however, a decision from the Court now could help "determine the scope of this case going forward," particularly as to the breadth of fact and expert discovery and the issues to be decided at summary judgment. Anthem Reply at 10.
Accordingly, because Plaintiffs have not challenged Defendants' arguments as to the CMIA, CIIPA, and Cal. Civ. Code § 1798.82, Defendants' motion to dismiss these statutes under the UCL's unlawful prong is GRANTED with prejudice.
"The `unfair' prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law." In re Adobe, 66 F. Supp. 3d at 1226. "The UCL does not define the term `unfair.' . . . [And] the proper definition of `unfair' conduct against consumers `is currently in flux' among California courts." Id.
Some California courts apply a balancing approach, which requires courts to "weigh the utility of the defendant's conduct against the gravity of the harm to the alleged victim." Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted). Other California courts have held that "unfairness must be tethered to some legislatively declared policy or proof of some actual or threatened impact on competition." Lozano, 504 F.3d at 735 (internal quotation marks omitted). Finally, one California court has adopted the three-part test set forth in § 5 of the Federal Trade Commission Act: "(1) the consumer injury must be substantial; (2) the injury must not be outweighed by any countervailing benefits to consumers or competition; and (3) it must be an injury that consumers themselves could not reasonably have avoided." Camacho v. Auto. Club of Southern California, 48 Cal.Rptr.3d 770, 777 (Ct. App. 2006). The Court refers to these tests as the "balancing test," the "tethering test," and the "FTC test," respectively.
In the First Motion to Dismiss Order, the Court concluded that "dismissal of Plaintiffs' UCL claim under the unfair prong [was] unwarranted." First MTD Order at 40. "In In re Adobe, this Court observed that various California statutes—including several statutes upon which Plaintiffs rely here—reflect California's public policy of protecting customer data." Id. (internal quotation marks omitted). "Whether Defendants' public policy violation is outweighed by the utility of their conduct under the balancing test is a question to be resolved at a later stage in this litigation." Id. Thus, "based on the balancing test alone," Defendants' first round motions to dismiss were denied. Id. (emphasis added).
In the instant motions, Defendants request that the Court find that several statutes listed in the SAC do not support an unfair claim. Anthem Mot. at 18. These statutes include the ones discussed above (CMIA, CIIPA, and Cal. Civ. Code §1798.82), as well as the Gramm-Leach-Bliley Act and the California Data Breach Statute. Id. Defendants argue that Plaintiffs can not prove that Defendants violated these statutes. Id. Thus, Defendants argue, dismissal is warranted because an unfair prong claim must be based upon a public policy that is "`tethered' to specific constitutional, statutory, or regulatory provisions." Anthem Reply at 11 (quoting Gregory v. Albertson's Inc., 128 Cal.Rptr.2d 389, 395 (Ct. App. 2002)).
These arguments are misdirected. Whether or not Plaintiffs can establish that Defendants violated a particular statute concerns the UCL's unlawful prong, not the unfair prong. Compare Aleksick v. 7-Eleven, Inc., 140 Cal.Rptr.3d 796, 801 (Ct. App. 2012) (discussing a UCL claim brought under the unlawful prong and holding that "[w]hen a statutory claim fails, a derivative UCL claim also fails."), with Cel-Tech Commc'ns, Inc. v. Los Angeles Cellular Tel. Co., 973 P.2d 527, 561 (Cal. 1999) ("It would be impossible to draft in advance detailed plans and specifications of all acts and conduct to be prohibited, since unfair . . . business practices [under the UCL] may run the gamut of human ingenuity and chicanery.") (citation and alteration omitted). Put another way, whether Defendants' violated a particular statute does not necessarily mean that the statute does not reflect a public policy to protect consumer privacy.
More importantly, Defendants' arguments regarding the unfair prong, as Defendants note, address the tethering test. However, in the First Motion to Dismiss Order, the Court concluded that Plaintiffs had sufficiently alleged an unfair prong violation based on the balancing test alone. First MTD Order at 40. Defendants' briefing does not mention, much less discuss, the balancing test—the basis of the Court's original decision. Accordingly, Defendants' motion to dismiss Plaintiffs' UCL claim under the unfair prong is DENIED.
"To state a claim under the `fraud' prong of [the UCL], a plaintiff must allege facts showing that members of the public are likely to be deceived by the alleged fraudulent business practice." Antman v. Uber Technologies, Inc., 2015 WL 6123054, *6 (N.D. Cal. Oct. 19, 2015). Claims under the fraud prong of the UCL are subject to the particularity requirements of Federal Rule of Civil Procedure 9(b). Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009). Under this Rule, "[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake." Fed. R. Civ. P. 9(b). Plaintiffs must include "an account of the time, place, and specific content of the false representations" at issue. Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir. 2007) (internal quotation marks omitted). Additionally, "a plaintiff stating a claim under the `fraud' prong must plead actual reliance." In re Carrer IQ, Inc., 78 F. Supp. 3d at 1111.
In the First Motion to Dismiss Order, the Court dismissed Plaintiffs' UCL claim under the fraud prong. The Court observed that although Defendants allegedly "promised to carry out reasonable security measures, but ultimately failed to carry through with this promise," Plaintiffs had not included the time that any misrepresentations or omissions had been made, as required by Rule 9(b). First MTD Order at 41.
The SAC seeks to cure this particular deficiency. The SAC, for instance, includes copies of the 2014 Annual Privacy Notice, which was made available prior to the Anthem data breach. See ECF No. 473-5 at 16-22 (copy of 2014 Annual Privacy Notice). Plaintiffs also allege that Anthem's Personal Information (Including Social Security Number) Privacy Protection Policy has not changed since 2010, and has been publicly available on Anthem's website since that time. SAC ¶ 165. Finally, Plaintiffs allege that Defendants violated the UCL's fraud prong under both an affirmative misrepresentation and fraudulent omission theory of liability. Id. ¶ 542. Under either liability theory, Plaintiffs state that they "would not have enrolled in Defendants' insurance and health benefit services . . . had [they] known about Defendants' substandard data security practices." Id.
In response, Defendants claim that "[n]o Plaintiff [has] allege[d] that he or she reviewed or relied on any Anthem data security practices at the time he or she enrolled or re-enrolled in an Anthem plan." Anthem Mot. at 16. Plaintiffs' apparent failure to comply with this actual reliance requirement, Defendants argue, is fatal to their UCL claim. Because the actual reliance requirement operates somewhat differently for omission and misrepresentation claims, the Court considers these claims separately.
In most cases, "a plaintiff in a fraud by omission suit will not be able to specify the time, place, and specific content of an omission as precisely as would a plaintiff in a false representation claim." Falk v. Gen. Motors Corp., 496 F.Supp.2d 1088, 1098-99 (N.D. Cal. 2007); see also Gold v. Lumber Liquidators, Inc., 2015 WL 7888906, *10 (N.D. Cal. Nov. 30, 2015) (same). Accordingly, "a fraud by omission or fraud by concealment claim can succeed without the same level of specificity required by a normal fraud claim." Baggett v. Hewlett-Packard Co., 582 F.Supp.2d 1261, 1267 (C.D. Cal. 2007) (internal quotation marks omitted); accord MacDonald v. Ford Motor Co., 37 F.Supp.3d 1087, 1096 (N.D. Cal. 2014) ("[C]laims based on an omission can succeed without the same level of specificity required by a normal fraud claim[,] . . . [b]ecause the plaintiffs are alleging a failure to act instead of an affirmative act.") (internal quotation marks and alteration omitted); Montich v. Miele USA, Inc., 849 F.Supp.2d 439, 451 (D.N.J. 2012) ("[The] heightened [pleading] standard [under Rule 9(b)] is somewhat relaxed in a case based on a fraudulent omission.").
The natural consequence of such reasoning is, as the California Court of Appeal has stated, that "[r]eliance can be prove[n] in a fraudulent omission case by establishing that had the omitted information been disclosed, the plaintiff would have been aware of it and behaved differently." Hoffman v. 162 North Wolfe LLC, 175 Cal.Rptr.3d 820, 833-34 (Ct. App. 2014). In In re Carrier IQ, a consumer class action involving an omission of "a material fact exclusively in [d]efendant's knowledge," the district court determined that the actual reliance test, as stated in Hoffman, could be met based on two factors. 78 F. Supp. 3d at 1114.
First, "[p]laintiffs have alleged that had they been aware of the [material fact], they would not have purchased [their] affected mobile devices." Id.; see also Elias v. Hewlett-Packard Co., 2014 WL 493034, *6 (N.D. Cal. Feb. 5, 2014) ("Plaintiff has adequately pleaded materiality by alleging that he would have acted differently by not purchasing the computer as ordered had he known about the insufficiency."). Second, the In re Carrier IQ complaint "contain[ed] extensive allegations regarding the public outcry regarding the [material fact] once its existence became public knowledge—including media reports and Senator Franken sending letters of inquiry to mobile carriers. The intensity of their outcry underscores the materiality of the alleged omission." 78 F. Supp. 3d at 1114.
Both of these factors are also at play in the instant case. Here, the SAC alleges that "Plaintiffs would not have enrolled in Defendants' insurance and health benefit services if they had known about Defendants' substandard data security practices." SAC ¶ 542; see also id. ¶ 185 (same). Moreover, the public response following the Anthem data breach has been as extensive as the response in In re Carrier IQ. Approximately 80 million Americans have been affected by the breach, at least 130 individual cases have been brought in state and federal court, and several state attorneys general have written letters to Anthem requesting that Anthem take more immediate measures to address the fallout from the breach. SAC ¶ 384 n.21.
Thus, under the reasoning of Hoffman and In re Carrier IQ, the Court finds that Plaintiffs have sufficiently pleaded actual reliance for purposes of stating a UCL violation based on Defendants' alleged fraudulent omissions.
Determining whether Plaintiffs' have sufficiently alleged actual reliance for purposes of affirmative misrepresentation liability is a harder question—and one that has caused significant disagreement amongst courts in this district. Compare, e.g., Opperman v. Path, Inc., 84 F.Supp.3d 962, 978 (N.D. Cal. 2015) ("If a plaintiff sufficiently alleges exposure to a long-term advertising campaign [for purposes of a misrepresentation claim], she need not plead specific reliance on an individual representation."), with Yastrab v. Apple Inc., 2016 WL 1169424, *6 (N.D. Cal. Mar. 25, 2016) ("[T]he court disagrees with Opperman to the extent it holds that a . . . plaintiff is . . . excused from complying with Rule 9(b) when pleading a long-term advertising campaign.").
The heart of this disagreement lies in how the California Supreme Court's opinion in In re Tobacco II Cases should be interpreted. In In re Tobacco II, 207 P.3d 20, 28 (Cal. 2009), plaintiffs sought to represent a class comprised of all "people [who] smoked in California one or more cigarettes during the applicable class period and were exposed to Defendants' marketing and advertising activities in California." While the In re Tobacco II case was pending in trial court, California voters enacted Proposition 64, which imposed "an actual reliance requirement on plaintiffs prosecuting a private enforcement action under the UCL's fraud prong." Id. at 39.
In interpreting this requirement in the affirmative misrepresentation context, the California Supreme Court noted that, "[w]hile a plaintiff must show that the misrepresentation was an immediate cause of the injury-producing conduct" for purposes of actual reliance, "the plaintiff need not demonstrate [that] it was the only cause." Id. "It is enough that the representation has played a substantial part, and so had been a substantial factor, in influencing his decision." Id. Moreover, a plaintiff does not necessarily "need to demonstrate individualized reliance on specific misrepresentations to satisfy the reliance requirement." Id. at 40. Instead, "where, as here, a plaintiff alleges exposure to a long-term advertising campaign, the plaintiff is not required to plead with an unrealistic degree of specificity that the plaintiff relied on particular advertisements or statements." Id. The In re Tobacco II court summarized its conclusions thusly: "a plaintiff must plead and prove actual reliance to satisfy the standing requirement of [the UCL] but, consistent with the principles set forth above, is not required to necessarily plead and prove individualized reliance on specific misrepresentations or false statements where . . . those misrepresentations and false statements were part of an extensive and long-term advertising campaign." Id. at 40-41.
Although In re Tobacco II appeared to relax Rule 9(b)'s requirements when a defendant's misrepresentations are "extensive and long-term," there has been considerable uncertainty over the scope of this exception. In Mazza v. American Honda Motor Co., Inc., 666 F.3d 581, 595-96 (9th Cir. 2012), for example, the Ninth Circuit held that a series of "product brochures and TV commercials" fell "short of the extensive and long-term fraudulent advertising campaign at issue in Tobacco II." Id. at 596 (internal quotation marks and alteration omitted).
In an attempt to bring clarity to In re Tobacco II, U.S. District Judge Jon Tigar, in Opperman v. Path, "identified six factors from the prior case law that bear on whether a plaintiff has pleaded an advertising campaign in accordance with Tobacco II." 84 F. Supp. 3d at 976. Those factors are as follows:
Id. at 976-77. Other courts, including this Court, have followed the Opperman test in whole or in part. See, e.g., Phillips v. Apple Inc., 2016 WL 1579693, *7 (N.D. Cal. Apr. 19, 2016) (citing Opperman for the principle that a misrepresentation "claim requires plaintiffs to plead reliance on at least some misleading partial representations.") (alteration omitted); People for the Ethical Treatment of Animals v. Whole Foods Mkt. Cal., Inc., 2016 WL 362229, *5 (N.D. Cal. Jan. 29, 2016) (applying Opperman). On the other hand, some courts, as noted above, have found the Opperman analysis to be in conflict with the more demanding pleading requirements of Rule 9(b). See, e.g., Yastrab, 2016 WL 1169424, *5-*6 (citing cases).
In any event, the Court need not decide whether the six factor test in Opperman applies here because, even if it did, the SAC's allegations would be unable to sufficiently establish actual reliance as to Plaintiffs' affirmative misrepresentation claim. Indeed, Plaintiffs have failed to satisfy the first Opperman factor: "a plaintiff must allege that she actually saw or heard the defendant's advertising campaign." 84 F. Supp. 3d at 976. There are eleven California Plaintiffs. None allege that they saw, read, or—for that matter—even knew about Anthem's privacy policies prior to the data breach. After examining the nearly 300 pages in the SAC, the Court has identified a single sentence that refers to reliance: "In reliance upon [Defendants' negligent] misrepresentations, Plaintiffs . . . purchased insurance or health benefits services from Defendants." SAC ¶ 523. This is the sort of sentence that even the Opperman court found insufficient for purposes of UCL liability. 84 F. Supp. 3d at 978 (stating that the "single and bare allegation that [p]laintiffs viewed Apple's website, saw in-store advertisements, and/or were aware of Apple's representations regarding the safety and security of the iDevices prior to purchasing their own iDevices" does not satisfy In re Tobacco II) (internal quotation marks omitted).
Consequently, Defendants' motions to dismiss Plaintiffs' UCL claim under the fraud prong as it relates to a misrepresentation theory of liability is GRANTED. Plaintiffs, though, shall have leave to amend. It is possible that, after amendment, California Plaintiffs will be able to allege that they viewed, heard, or read Defendants' privacy policies, and thus relied upon these policies to purchase insurance or health benefits services. Amendment would thus not be futile.
New York General Business Law ("GBL") § 349 prohibits "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service." N.Y. Gen. Bus. § 349(a). To successfully assert a claim under this section, "a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice." Orlander v. Staples, Inc., 802 F.3d 289, 300 (2d Cir. 2015). In moving to dismiss Plaintiffs' GBL § 349 claim, Defendants contend, as to (3), that Plaintiffs have failed to "state with particularity the time that the specific misrepresentations [at issue] occurred," and that Plaintiffs have "not alleged any actual harm," Anthem Mot. at 18, 20. The Court addresses these arguments in turn.
As to whether Plaintiffs have pleaded their GBL § 349 claim with sufficient particularity, Defendants' contention rests upon the fact that the Court should have, in the First Motion to Dismiss Order, applied Rule 9(b) to Plaintiffs' GBL § 349 claim.
This argument is problematic in two respects. First, GBL § 349 is a New York state law, and New York is in the Second Circuit. The Second Circuit has expressly held that Rule 9(b) does not apply to GBL § 349 claims. Pelman ex rel. Pelman v. McDonald's Corp, 396 F.3d 508, 511 (2d Cir. 2005) ("[A]n action under § 349 is not subject to the pleading-with-particularity requirements of Rule 9(b), but need only meet the bare-bones notice-pleading requirements of Rule 8(a).") (citation omitted). This Court, as the MDL transferee court, "is generally bound by the same substantive legal standards . . . as would have applied in the transferor court." In re Korean Air, 642 F.3d at 699. Thus, had this suit stayed in or been transferred to New York, Defendants do not dispute that the New York federal district court would not have applied Rule 9(b) to Plaintiffs' GBL § 349 claim. Second, the Ninth Circuit has never held that Rule 9(b) should apply to GBL § 349. The only courts to have done so are district courts in the Central and Northern Districts of California, and these courts did so with little analysis or review of pertinent New York or Second Circuit precedent.
In any event, the Court need not decide whether Rule 9(b) applies to Plaintiffs' GBL § 349 claim. As Defendants acknowledge, Plaintiffs' GBL § 349 claim rises and falls with Plaintiffs' UCL claim brought under the fraud prong. Anthem Mot. at 19 ("The Court's Rule 9(b) analysis under the UCL . . . applies here [to Plaintiffs' GBL § 349 claim] with equal force.") (internal quotation marks omitted). Because the Court has determined that Plaintiffs' UCL fraud claim under a fraudulent omissions theory satisfies the requirements of Rule 9(b), Plaintiffs' GBL § 349 claim also survives dismissal.
Next, Defendants contend that Plaintiffs can not seek Loss of Value of PII and that the Court misread the Second Circuit's decision in Orlander v. Staples in finding, in the First Motion to Dismiss Order, that Plaintiffs could seek Benefit of the Bargain Losses. Anthem Mot. at 20.
Both arguments lack merit. As outlined above, Plaintiffs may recover damages for Loss of Value of PII as to their California breach of contract and New Jersey breach of contract claims. Defendants have identified no authority as to why this holding should not also apply to Plaintiffs' GBL § 349 claim. In addition, the Court did not misread Orlander. In Orlander, the Second Circuit determined that plaintiff had "sufficiently alleged an injury stemming from [a] misleading practice" by stating that "he would not have purchased [a set of services] had he known that [d]efendant intended to decline to provide him any [such] services" during the first year of his contract. 802 F.3d at 301. That reasoning, the Court determined, "directly govern[ed] Plaintiffs' claim" for Benefit of the Bargain Losses. First MTD Order at 48. This conclusion regarding Orlander continues to apply: Defendants promised to implement certain security measures, Defendants allegedly failed to implement such measures, and Plaintiffs would not have entrusted their PII to Defendants had Defendants disclosed Defendants' alleged failure to implement such measures.
However, as noted above, New York Plaintiff Marne Onderdonk has not alleged that she paid premiums or fees for health services. Thus, based on the allegations in the SAC, Onderdonk can not recover Benefit of the Bargain Losses. Consistent with the Court's ruling on Onderdonk's unjust enrichment claim, Plaintiffs shall have leave to amend Onderdonk's GBL § 349 claim, as amendment may not be futile. The Court thus GRANTS with leave to amend Defendants' motions to dismiss Onderdonk's claim for Benefit of the Bargain Losses under GBL § 349. Defendants' motions to dismiss Plaintiffs' GBL § 349 claim are otherwise DENIED.
The Georgia Insurance Information and Privacy Protection Act ("IIPA") states that "[a]n insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction" unless the disclosure falls under a set of specific exceptions. Ga. Code Ann. § 33-39-14.
In the First Motion to Dismiss Order, the Court dismissed Plaintiffs' IIPA claim with leave to amend. The Court determined that the parties had presented "an issue of first impression: whether the IIPA, which proscribes the unlawful disclosure of personal information, also applies to the theft of one's personal information." First MTD Order at 59. After examining the statutory text, case law, and other canons of statutory interpretation, the Court answered this question in the negative. Id. at 59-65. As the Court noted, disclosure under the IIPA means "an active, voluntary decision by the information holder to provide data to an unauthorized third party." Id. at 63. That is not what happened here: Plaintiffs' PII was stolen by a group of cyberattackers.
In the SAC, Plaintiffs now assert that "[REDACTED\]" SAC ¶ 1002. The parties dispute whether this new allegation sufficiently satisfies the IIPA's disclosure requirement. Additionally, the Anthem Defendants argue that, even if Plaintiffs' PII was affirmatively disclosed, Plaintiffs' claim "fails because the SAC does not allege facts showing the Georgia Plaintiffs incurred any actual damages." Anthem Mot. at 21. The Court need not address this damages argument because, after again examining the IIPA's text and pertinent case law, the Court finds that Plaintiffs' new allegations fail to state a claim for relief.
As to the statutory text, the IIPA states that "[a]n insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information . . . unless the disclosure" falls under a set of 18 exceptions. These exceptions allow the insurance institution, agent, or insurance-support organization to disclose an individual's personal information "[t]o a medical-care institution or medical professional," Ga. Code Ann. § 33-39-14(4), "[t]o an insurance regulatory authority," Ga. Code Ann. § 33-39-14(5), and "[t]o a law enforcement or other governmental authority," Ga. Code Ann. § 33-39-14(6), among other entities. The apparent principle behind these exceptions is that the insurance institution, agent, or insurance-support organization must intentionally provide an individual's personal information to a third party: disclosure, in other words, is meant to be intentional, not unintentional or unknowing.
Two other IIPA provisions lend support to this reading. First, Ga. Code Ann. § 33-39-22 states that "[n]o cause of action in the nature of . . . negligence shall arise against any person for disclosing personal or privileged information in accordance with this chapter." Ga. Code Ann. § 33-39-22 (emphasis added). However, Ga. Code Ann. § 33-39-22 goes on to note that "this Code section shall provide no immunity for disclosing or furnishing false information with malice or willful intent to injure any person." Id. (emphasis added). Thus, Ga. Code Ann. § 33-39-22 clearly draws a distinction between negligent, unintentional acts and willful, intentional acts. The IIPA does not punish negligent, unintentional conduct; it punishes willful, intentional conduct.
Second, Ga. Code Ann. § 33-39-19, a section entitled "Monetary Penalties," states: "[i]n any case where a hearing . . . results in the finding of a knowing violation of this chapter, the Commissioner [of Insurance of the State of Georgia] may . . . order payment of a monetary penalty of not more than $500.00 for each violation but not to exceed $10,000.00 in the aggregate for multiple violations." Ga. Code Ann. § 33-39-19 (emphasis added). Again, consistent with Ga. Code Ann. § 33-39-22, Ga. Code Ann. § 33-39-19 seeks to penalize knowing conduct, not unknowing conduct.
Considered together, Ga. Code Ann. § 33-39-14, Ga. Code Ann. § 33-39-22, and Ga. Code Ann. § 33-39-19 evince an intent by the Georgia Legislature to prevent willful and knowing disclosure. The allegations in the SAC simply do not rise to this level. As the SAC states, "[REDACTED\]" SAC ¶ 349. Nowhere in these allegations do Plaintiffs aver that the Amerigroup employee knowingly or intentionally sought to disclose Plaintiffs' PII. Indeed, the SAC's next paragraph states that "[t]he [REDACTED\] attack occurred because Anthem and Anthem Affiliates did not . . . [REDACTED\]." Id. ¶ 350 (emphasis added). Plaintiffs also analogize the Anthem Defendants' actions as being akin to "a company negligently le[aving] the `bank vault' open"—the exact sort of negligent conduct that the IIPA does not look to punish. Id. ¶ 6; Ga. Code Ann. § 33-39-22.
The reasonable inference to draw from these allegations is that the employee in question did not know that the [REDACTED\] would allow cyberattackers to access the Anthem Database because Defendants did not provide [REDACTED\] due to Defendants' negligence. Thus, based on the statutory text, the SAC fails to state a claim under the IIPA.
Case law lends additional weight to this conclusion. As the Court noted in its First Motion to Dismiss Order, the Federal Privacy Act defines "disclosure" to "mean[] providing personal review of a record, or a copy thereof, to someone other than the data subject or the data subject's authorized representative." 5 C.F.R. § 297.102. First MTD Order at 61. The First Motion to Dismiss Order went on to observe that courts have restricted this definition to situations where information holders have willfully provided data to an unauthorized third party.
In Walia v. Chertoff, 2008 WL 5246014, *6 (E.D.N.Y. Dec. 17, 2008), for instance, plaintiff's medical and legal records were placed in an unlocked credenza located in the office of plaintiff's supervisor. Other employees, including those not authorized to review plaintiff's medical and legal records, had access to this office. Upon learning these facts, plaintiff brought suit against his employer. The Walia court rejected plaintiff's Federal Privacy Act claim and held that plaintiff's claim rested on "the accessibility of [plaintiff's] medical and legal records to individuals in the office." Id. at *11. Mere accessibility, however, is insufficient to constitute "willful or intentional disclosure by the agency, a required element of a [Federal Privacy Act] claim." Id. As in Walia, Plaintiffs' IIPA claim continues to pivot around the idea of access and accessibility, and not willful and active disclosure. See SAC ¶ 1002 ("Anthem . . . allowed the cyberattackers to see and obtain individually-identifiable [PII].").
In re SAIC, another case that the Court discussed in its First Motion to Dismiss Order, also suggests that disclosure requires some sort of knowledge or intent. See, e.g., 45 F. Supp. 3d at 29 (describing disclosure as the "imparting of information which . . . was previously unknown to the person to whom it was imparted.").
Finally, in the First Motion to Dismiss Order, the Court found inapposite Plaintiffs' reliance upon Shames-Yeakel v. Citizens Financial Bank, 677 F.Supp.2d 994, 1008 (N.D. Ill. 2009). In Shames-Yeakel, the district court stated that "[i]f th[e] duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts." Id. This holding, however, was problematic in two ways. First, the decision was, "at the very least, in tension with" binding Seventh Circuit precedent. First MTD Order at 63. The Shames-Yeakel court did not discuss or refer to the Seventh Circuit's opinion in Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007), which would have precluded plaintiffs in Shames-Yeakel from proceeding with their claims as a matter of law. Second, and of importance to the instant motion, "with respect to the specific statement quoted by Plaintiffs—that a bank's duty not to disclose must include a duty to protect customers' personal information—the Shames-Yeakel court did not discuss, refer to, or cite any supporting authority." First MTD Order at 64. "In the nearly six and a half years since the Shames-Yeakel decision, no federal or state court has cited Shames-Yeakel for this proposition." Id. That fact remains unchanged since the First Motion to Dismiss Order was issued on February 14, 2016.
As alleged in the SAC, Plaintiffs' IIPA claim is little more than an attempt to have the Court adopt Shames-Yeakel in substance if not in name. Indeed, as Plaintiffs state, "[t]he [REDACTED\] attack occurred because Anthem and Anthem Affiliates did not use [data security] practices consistent with industry standards." SAC ¶ 350 (emphasis added). What the Anthem Defendants should have done, according to Plaintiffs, is "[REDACTED\]." Id. That request for relief is no different from the finding in Shames-Yeakel that the "duty to disclose" requires banks to "employ sufficient security measures to protect their customers' online accounts." 677 F. Supp. 2d at 1008. The Court declined to follow Shames-Yeakel in the First Motion to Dismiss Order, and declines now to adopt a reading of the IIPA that would essentially adopt Shames-Yeakel in substance. Walia and In re SAIC remain more persuasive, and argue against Plaintiffs' reading of the IIPA.
Accordingly, the Court GRANTS Anthem Defendants' motion to dismiss Plaintiffs' IIPA claim. In addition, the Court declines to provide Plaintiffs leave to amend, as amendment would be futile. The Court has already provided Plaintiffs an opportunity to amend. However, Plaintiffs have not—in either the CAC or the SAC—alleged that the Anthem Defendants intentionally or knowingly allowed cyberattackers to access the Anthem Database. Rather, the gist of Plaintiffs' case is that "Defendants failed to implement basic industry-accepted data security tools to prevent cyberattackers from accessing the Anthem Database." SAC ¶ 5. In fact, according to Plaintiffs, Defendants' data security was so lacking that Defendants did not even know that the Anthem Database had been breached until January 27, 2015—more than two months after cyberattackers connected to the Anthem Database. Id. ¶¶ 355, 366. In sum, Plaintiffs' case does not provide for IIPA liability. The Anthem Defendants' motion to dismiss Plaintiffs' IIPA claim is therefore GRANTED with prejudice.
The Court turns next to Plaintiffs' third party beneficiary claim for breach of contract under federal law. On this claim, Plaintiffs assert that Blue Cross Blue Shield Association ("BCBSA") "had a valid, binding, and enforceable express contract with OPM [the Office of Personnel Management] to provide insurance and other benefits to those [Federal Employee] Plaintiffs who received health insurance and related benefits under the Federal BCBSA Plan." SAC ¶ 503. This contract is hereinafter referred to as the "Federal BCBSA contract."
The Court denied the Non-Anthem Defendants' motion to dismiss this claim in the First Motion to Dismiss Order. See First MTD Order 65-80. In reaching this determination, the Court found that the Federal Employee Plaintiffs were "intended third party beneficiaries of the Federal BCBSA contract," id. at 66; that the Federal Employee Plaintiffs' claim was not a claim for "health benefits," id. at 70; and that OPM did not have exclusive enforcement authority over a breach of the Federal BCBSA contract, id. at 72-76.
The Non-Anthem Defendants do not challenge any of these conclusions. Instead, the Non-Anthem Defendants' arguments largely repeat those addressed in earlier portions of the instant Order: (1) that Plaintiffs can not recover Benefit of the Bargain Losses because OPM—and not Plaintiffs—"paid money to BCBSA," (2) that Plaintiffs can not recover for Loss of Value of PII, (3) and that time spent "addressing issues arising from the Anthem data breach" is "insufficient to show cognizable contract damages." Non-Anthem Mot. at 13-14. For the reasons stated below, the Court finds these arguments are unavailing.
"When the United States enters into contract relations, its rights and duties therein are governed generally by the law applicable to contracts between private individuals." Mobil Oil Expl. & Producing Se., Inc. v. United States, 530 U.S. 604, 607 (2000); see also Interface Kanner, LLC v. JPMorgan Chase Bank, N.A., 704 F.3d 927, 932 (11th Cir. 2013) ("When interpreting contracts under federal law, courts look to general common law on contracts."). In determining the nature of the general common law on contracts, the U.S. Supreme Court has previously looked to the Restatement of Contracts. Mobil Oil, 530 U.S. at 608 ("The Restatement of Contracts reflects many of the principles of contract law that are applicable to this action.").
On damages, the Restatement allows parties to recover expectation, reliance, and restitution damages. Restatement (Second) of Contracts § 344. The Restatement defines expectation damages as a party's "interest in having the benefit of his bargain by being put in as good a position as he would have been in had the contract been performed." Id. Reliance damages are a party's "interest in being reimbursed for loss caused by reliance on the contract by being put in as good a position as he would have been in had the contract not been made." Id. Finally, restitution damages "restore[] to [a party] any benefit that he has conferred on the other party." Id. Where possible, "contract damages" should "protect an injured party's `expectation interest'—that is, the interest in having the benefit of the bargain." ATACS Corp. v. Trans World Commc'ns, Inc., 155 F.3d 659, 669 (3d Cir. 1998). However, "other theories of damages provide alternative avenues for contract enforcement" where the expectation interest may be uncertain. Id.
Plaintiffs' request for Benefit of the Bargain Losses plainly constitutes a request for expectation damages. Such damages, as noted above, are the preferred basis for contract recovery. The Non-Anthem Defendants do not contest this point. Instead, the Non-Anthem Defendants argue only that OPM bargained with BCBSA, and that therefore only OPM can recover for Benefit of the Bargain Losses.
General contract law principles, however, do not support this contention. As the Court has previously determined, the Federal Employee Plaintiffs are intended third party beneficiaries who may assert against BCBSA a breach of contract claim. In the context of such third party beneficiary claims, courts have repeatedly held that the beneficiary may seek to enforce rights and recover damages that were available to the contracting party. See, e.g., Beckett v. Air Line Pilots Ass'n, 995 F.2d 280, 286 (D.C. Cir. 1993) ("[I]t is a fundamental principle of contract law that parties to a contract may create enforceable contract rights in a third party beneficiary."); Gen. Ins. Co. of Am. v. Interstate Serv. Co., 701 A.2d 1213, 1218 (Md. Ct. Spec. App. 1997) (holding that "the third party beneficiary rule followed by the majority of jurisdictions in this country" allows "third party beneficiary[] rights [that] are [as] extensive [as] those rights provided by the express terms of the contract") (alteration omitted); Restatement (Second) of Contracts § 304 ("A promise in a contract creates a duty in the promisor to any intended beneficiary to perform the promise, and the intended beneficiary may enforce the duty."). Thus, under these principles, Plaintiffs may, as intended third party beneficiaries, recover Benefit of the Bargain Losses.
The Non-Anthem Defendants' attempt to obscure the financial relationship between Plaintiffs and BCBSA is inapposite. Specifically, the Non-Anthem Defendants state that BCBSA "do[es] not receive premiums as they are paid into [the Employees Health Benefits] Fund." Non-Anthem Reply at 10. Instead, all "premiums are placed in a special letter of credit account." Id. BCBSA then "draw[s] directly from the letter of credit account to pay for benefit claims and . . . administrative expenses." Id. This sort of arrangement does nothing to change the financial relationship between Plaintiffs and BCBSA. Plaintiffs paid premiums, which were placed in an account, from which BCBSA drew to pay expenses. The fundamental relationship stays the same: Plaintiffs paid the Non-Anthem Defendants for services, and Plaintiffs now allege that the Non-Anthem Defendants did not perform these services as promised. Plaintiffs may recover Benefit of the Bargain Losses for the alleged breach by bringing suit as an intended third party beneficiary.
Next, as to Loss of Value of PII, such damages implicate the reliance interest, defined as a party's "interest in being reimbursed for loss[es] caused by reliance on the contract by being put in as good a position as he would have been in had the contract not been made." Restatement (Second) of Contracts § 344. Reliance damages are recoverable where the expectation interest is difficult to ascertain. See, e.g., Glendale Fed. Bank, FSB v. United States, 239 F.3d 1374, 1380-1383 (Fed. Cir. 2001) (awarding reliance damages after concluding that expectation interest would be too difficult to quantify). Here, it remains unclear whether Plaintiffs will be able to sufficiently calculate their expectation or Benefit of the Bargain damages. Furthermore, a growing number of federal courts have now recognized Loss of Value of PII as a viable damages theory, perhaps indirectly acknowledging the difficulty in calculating Benefit of the Bargain Losses. See, e.g., In re Facebook, 572 F. App'x at 494. Accordingly, given the uncertainty in this case as to Plaintiffs' Benefit of the Bargain Losses and the trend towards recognizing Loss of Value of PII, Plaintiffs' request for Loss of Value of PII does not warrant dismissal.
Lastly, Plaintiffs' request for Consequential Out of Pocket Expenses also implicates the reliance interest. See Boulevard Assocs. v. Sovereign Hotels, Inc., 861 F.Supp. 1132 (D. Conn. 1994) (stating that consequential damages are reliance damages). As with Plaintiffs' request for Loss of Value of PII, a growing number of courts now recognize that individuals may be able to recover Consequential Out of Pocket Expenses that are incurred because of a data breach, including for time spent reviewing one's credit accounts. See, e.g., Lewert, 2016 WL 1459226, *3. The Court found these authorities persuasive as to Plaintiffs' California and New Jersey breach of contract claims, and does the same here. Accordingly, the Non-Anthem Defendants' motion to dismiss Plaintiffs' third party beneficiary claim under federal law is DENIED.
Finally, Defendants contend that some (but not all) of the claims brought by certain Plaintiffs are subject to ERISA preemption. Anthem Mot. at 23-25; Non-Anthem Mot. at 11-12. The specific claims at issue are detailed below.
The Court finds Defendants' contentions unavailing, because (1) Defendants are precluded from asserting an ERISA preemption defense as to Plaintiffs' UCL claims, (2) the presumption against preemption applies, (3) Defendants' privacy obligations are not "benefits" for purposes of ERISA express or complete preemption, and (4) even if Defendants' privacy obligations were considered "benefits," there is a genuine dispute concerning whether Plaintiffs' ERISA employee benefit plan incorporated these obligations. These reasons are discussed in detail below.
In the first round motions to dismiss, Defendants asserted ERISA preemption as to the California breach of contract claims of Kenneth Coonce, Daniel Tharp, and Kelly Tharp. Defendants also asserted ERISA preemption as to the New York unjust enrichment and GBL § 349 claims of Matthew Gates. ECF No. 410 at 11-12; 22. Defendants did not, however, assert ERISA preemption as to Plaintiffs' UCL claim.
Federal Rule of Civil Procedure 12(g)(2) states that "[e]xcept as provided in Rule 12(h)(2) or (3), a party that makes a motion under this rule must not make another motion under this rule raising a defense or objection that was available to the party but omitted from its earlier motion." Federal Rule of Civil Procedure 12(h)(2), in turn, provides that arguments which pertain to a plaintiff's "[f]ailure to state a claim upon which relief can be granted . . . may be raised: (A) in any pleading allowed or ordered under Rule 7(a); (B) by a motion under Rule 12(c); or (C) at trial."
Here, Defendants have asserted, for the first time, an ERISA preemption defense as to Plaintiffs' UCL claim, which Defendants did not assert in their first round motions to dismiss. Defendants have not asserted this defense in a pleading, a Rule 12(c) motion, or at trial—the only exceptions listed under Rule 12(g)(2). Instead, Defendants have asserted this defense in a second round motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). Defendants are foreclosed from doing so because of Rule 12(g)(2) and Rule 12(h)(2).
Indeed, despite two rounds of briefing, Defendants have not explained why they did not assert ERISA preemption as to Plaintiffs' UCL claim in their first round motions to dismiss. Like the SAC, the CAC included enrollment information on the health insurance or health services plans for each California Plaintiff. See, e.g., ECF No. 334-6 ¶¶ 15-24. Moreover, the fact that Defendants asserted ERISA preemption as to the California breach of contract claims of Kenneth Coonce, Daniel Tharp, and Kelly Tharp suggests that Defendants knew which Plaintiffs were enrolled in ERISA plans.
A number of cases lend additional support to the Court's application of waiver here. First, in Herron v. Best Buy Stores, LP, 2013 WL 4432019, *4 (E.D. Cal. Aug. 16, 2013), defendant Toshiba had "failed to squarely raise [an] argument in its initial dismissal motion, even though the argument was available to Toshiba when it originally sought to dismiss Plaintiff's complaint." Accordingly, "this portion of Toshiba's dismissal motion [was] not considered." Id. Similarly, in Federal Agricultural Mortgage Corp. v. It's A Jungle Out There, Inc., 2005 WL 3325051, *5 (N.D. Cal. Dec. 7, 2005), the district court stated that, "[a]lthough the Ninth Circuit has not had occasion to apply this principle, the weight of authority outside this circuit holds that where the complaint is amended after the defendant has filed a Rule 12(b) motion, the defendant may not thereafter file a second Rule 12(b) motion asserting objections or defenses that could have been asserted in the first motion." See also Wright & Miller, 5C Federal Practice & Procedure § 1388, 491-95 (3d ed. 2004) (citing cases applying Rule 12(g)(2) and Rule 12(h)(2)).
Finally, this Court recently applied Rule 12(g)(2) and Rule 12(h)(2) in a substantially similar situation in Northstar Financial Advisors Inc. v. Schwab Investments, 135 F.Supp.3d 1059 (N.D. Cal. 2015). In Northstar, defendants had asserted a preemption defense based on the Securities Litigation and Uniform Securities Act ("SLUSA") in moving to dismiss the second amended complaint. Defendants did not assert SLUSA preclusion in moving to dismiss the third amended complaint. Later, in moving to dismiss the fourth amended complaint, defendants once again sought to assert SLUSA preclusion. As in the instant action, defendants did not provide an explanation as to why they had previously abandoned their SLUSA preclusion defense. Id. at 1071-72. This Court concluded that defendants in Northstar could not assert SLUSA preclusion in moving to dismiss the fourth amended complaint. Id. at 1072. Several courts have cited this holding from Northstar with approval. See, e.g., Jaeger v. Howmedica Osteonics Corp., 2016 WL 520985, *4-*6 (N.D. Cal. Feb. 10, 2016); Johnson v. Serenity Transp., Inc., 2016 WL 270952, *7 (N.D. Cal. Jan. 22, 2016).
Accordingly, based on the authority above, the Court finds that Defendants are precluded from asserting ERISA preemption as to Plaintiffs' UCL claim.
Defendants asserted ERISA preemption as to Coonce's California breach of contract and Gates' New York unjust enrichment and GBL § 349 claims in their first round motions to dismiss. In the First Motion to Dismiss Order, the Court dismissed with leave to amend Plaintiffs' California breach of contract and New York unjust enrichment claims without reaching the question of ERISA preemption, and requested additional briefing from the parties on whether ERISA preemption apples to Gates' GBL § 349 claim.
With this background in mind, the Court begins its ERISA preemption analysis on Coonce's California breach of contract and Gates' New York unjust enrichment and GBL § 349 claims by taking note of two important considerations: the presumption against preemption and the two forms of ERISA preemption.
First, the U.S. Supreme Court has repeatedly emphasized that there is a presumption against federal preemption of state laws. See generally Wyeth v. Levine, 555 U.S. 555, 565 (2009) ("In all pre-emption cases . . . we start with the assumption that the historic police powers of the States were not to be superseded by the Federal Act unless that was the clear and manifest purpose of Congress.") (quoting Medtronic, Inc. v. Lohr, 518 U.S. 470, 485 (1996)). As discussed at greater length below, that presumption applies with equal force to cases involving ERISA preemption. See, e.g., N.Y. State Conference of Blue Cross & Blue Shield Plans v. Travelers Ins. Co., 514 U.S. 645, 654 (1995) (applying presumption against preemption in ERISA case). Indeed, in De Buono v. NYSA-ILA Med. and Clinical Services Fund, 520 U.S. 806, 813-14 (1997), the U.S. Supreme Court went so far as to remark that, "[i]n order to evaluate whether the normal presumption against pre-emption has been overcome in a particular [ERISA] case," a court "must go beyond the unhelpful text [of ERISA] . . . and look instead to the objectives of the ERISA statute as a guide to the scope of the state law that Congress understood would [or would not] survive."
Next, "[t]here are two strands of ERISA preemption: (1) `express' preemption under ERISA § 514(a), 29 U.S.C. § 1144(a); and (2) preemption due to a `conflict' with ERISA's exclusive remedial scheme set forth in [ERISA § 502(a),] 29 U.S.C. § 1132(a)." Fossen v. Blue Cross & Blue Shield of Mont., Inc., 660 F.3d 1102, 1107 (9th Cir. 2011). Most courts refer to this latter form of preemption as "complete preemption." Marin Gen. Hosp. v. Modesto & Empire Traction Co., 581 F.3d 941, 944 (9th Cir. 2009); Wurtz v. Rawlings Co., 761 F.3d 232, 241 (2nd Cir. 2014). The Court has also referred to ERISA § 502(a) preemption as "complete preemption" in prior Orders, and does the same in the instant Order. See, e.g., In re Anthem, Inc. Data Breach Litig., 2015 WL 7443779, *3 (N.D. Cal. Nov. 24, 2015).
"Under § 514(a), ERISA broadly preempts any and all State laws insofar as they may now or hereafter relate to any covered employee benefit plan." Fossen, 660 F.3d at 1108 (internal quotation marks and alteration omitted) (emphasis added). "[T]he words `relate to,'" however, "cannot be taken too literally." Roach v. Mail Handlers Benefit Plan, 298 F.3d 847, 849 (9th Cir. 2002). "If `relate to' were taken to extend to the furthest stretch of its indeterminacy, then for all practical purposes pre-emption would never run its course, for `really, universally, relations stop nowhere.''" Travelers, 514 U.S. at 655 (alteration omitted). Instead, "relates to" must be "read in the context of the presumption that in fields of traditional state regulation the historic police powers of the States are not to be superseded by a Federal Act unless that was the clear and manifest purpose of Congress." Roach, 298 F.3d at 850 (internal quotation marks and alterations omitted).
Under ERISA § 502(a), on the other hand, a civil enforcement action may be brought:
29 U.S.C. § 1132(a). Pursuant to this provision, a "state-law cause of action that duplicates, supplements, or supplants the ERISA civil enforcement remedy" is preempted because it "conflicts with the clear congressional intent to make the ERISA remedy exclusive." Aetna Health Inc. v. Davila, 542 U.S. 200, 209 (2004).
Under U.S. Supreme Court precedent, both forms of ERISA preemption are subject to the presumption against preemption. See Travelers, 514 U.S. at 655-56 (applying presumption to ERISA express preemption); Rush Prudential HMO, Inc. v. Moran, 536 U.S. 355, 377-80, 387 (2002) (reviewing ERISA complete preemption precedent and concluding that "in the field of health care, a subject of traditional state regulation, there is no ERISA preemption without clear manifestation of congressional purpose.") (alteration omitted). Both the Second and Ninth Circuits, the circuits where Gates and Coonce respectively reside, are in accord. See, e.g., Stevenson v. Bank of N.Y. Co., Inc., 609 F.3d 56, 59 (2nd Cir. 2010) ("This circuit has previously held that the analysis of ERISA preemption must start with the presumption that Congress does not intend to supplant state law.") (internal quotation marks omitted); Wurtz, 761 F.3d at 237-38 (same). Indeed, as the Ninth Circuit observed in Dishman v. Unum Life Insurance Co. of America, 269 F.3d 974, 984 (9th Cir. 2001), "[w]e are certain that the objective of Congress in crafting [ERISA § 514(a)] was not to provide ERISA administrators with blanket immunity from garden variety torts which only peripherally impact daily plan administration."
With the foregoing framework in mind, the Court notes also that no circuit court has ever applied ERISA preemption—express or complete—to preclude a plaintiff from moving forward with state law claims arising out of a data breach. Thus, by asking the Court to find Plaintiffs' claims to be both expressly and completely preempted, Defendants have essentially requested that the Court break new ground to find that the presumption against preemption is overcome in a field where it has never been applied before. For the reasons that follow, the Court finds that Defendants have failed to carry this burden.
ERISA § 502(a) completely preempts actions based upon state law "[1] to recover benefits due to him under the terms of his plan, [2] to enforce his rights under the terms of the plan, or [3] to clarify his rights to future benefits under the terms of the plan." 29 U.S.C. § 1132(a).
The parties have not cited any case law interpreting the meaning of [2], "to enforce his rights under the terms of the plan," and the Court has not found any Second or Ninth Circuit case law on point. In fact, based on the Court's review, the most pertinent discussion of this provision appears to have been by the en banc Fifth Circuit in Arana v. Ochsner Health Plan, 338 F.3d 433 (5th Cir. 2003) (en banc). In Arana, the Fifth Circuit noted that, "one could [also] say that [plaintiff] seeks to enforce his rights under the terms of the plan, for he seeks to determine his entitlement to retain the benefits based on the terms of the plan." Id. at 438.
With Arana in mind, the key inquiry here is thus whether Coonce and Gates's claims are for ERISA benefits, as all three parts of ERISA § 502(a) refer to benefits: recovering benefits owed, enforcing rights to retain benefits, and clarifying terms of future benefits. 29 U.S.C. § 1132(a), Arana, 338 F.3d at 438. To put it another way, ERISA complete preemption applies where ERISA benefits are at issue, and does not apply when ERISA benefits are not at issue.
ERISA's statutory text does not define the term "benefit." However, several statutory subsections suggest that benefits must concern payments for healthcare-related services. Under 29 U.S.C. § 1191b, for instance, a subsection addressing rules governing group health plans, the subsection lists some examples of benefits, such as "[c]overage for on-site medical clinics," "dental or vision benefits," and "[h]ospital indemnity or other fixed indemnity insurance." 29 U.S.C. § 1191b. Likewise, 29 U.S.C. § 1133, the subsection that addresses claims processing, requires all ERISA plans to "provide adequate notice in writing to any participant or beneficiary whose claim for benefits under the plan has been denied" and to "afford a reasonable opportunity [to be heard] to any participant whose claim for benefits has been denied." 29 U.S.C. § 1133. Notably, of the numerous mentions of the term "benefit" in ERISA, none suggest that protecting customer PII should be considered an ERISA benefit.
Both the Second and Ninth Circuits have adopted a similar understanding. In Stevenson, for example, the Second Circuit described ERISA's "central" purpose as concerning "the determination of eligibility for benefits, amounts of benefits, or means of securing unpaid benefits." 609 F.3d at 59. Laws that "tend to control or supersede" this central purpose "have typically been found to be preempted." Id. Similarly, in Wurtz, the Second Circuit determined that tort damages that a plaintiff receives from an automobile accident, which may in fact overlap or supplement the medical benefits that a plaintiff receives, should not be considered "benefits" for purposes of ERISA § 502. 761 F.3d at 242-43. The Second Circuit counseled courts to read "benefits" narrowly, and expressly disapproved of the district court's "expansive interpretation of complete preemption." Id. at 242.
In reaching its decision, the Wurtz court cited the Ninth Circuit's decision in Marin General Hospital with approval. Id. at 244. In that case, the Ninth Circuit also read "benefits" in a limited manner, and found that not even a medical reimbursement claim was subject to ERISA complete preemption. 581 F.3d at 950. The Marin General Hospital court, moreover, stated that "[i]t is not enough for complete preemption that the contract and tort claims `relate to' the underlying ERISA plan, or that ERISA § 502(a)(1)(B) may provide a similar remedy." Id. at 950. Thus, Defendants' point in the instant motions that individuals may obtain partial premium refunds as a remedy under ERISA § 502(a) does not, standing by itself, mean that ERISA complete preemption applies.
Although plaintiffs' claims in Stevenson, Wurtz, and Marin General Hospital did appear to relate to plaintiffs' healthcare expenses (e.g., claims for medical reimbursement, tort damages arising from medical injuries), the circuit courts in these cases nonetheless declined to apply ERISA complete preemption. Instead, all three courts emphasized the importance of construing ERISA benefits in a narrow manner. Here, unlike in Stevenson, Wurtz, and Marin General Hospital, Plaintiffs' claims do not even implicate medical or healthcare expenses. Plaintiffs instead bring suit because Defendants failed to comply with certain privacy obligations—a legal area where ERISA is silent.
As a final matter, in Marin General Hospital, the Ninth Circuit drew upon its reasoning in Cedars-Sinai Medical Center v. National League of Postmasters of the United States, 497 F.3d 972 (9th Cir. 2007). See 581 F.3d at 950. In Cedars-Sinai, the Ninth Circuit declined to find that a claim for "breach of contract and negligent misrepresentation in connection with partial reimbursement of claims for medical treatment" was preempted by the Federal Employee Health Benefits Act ("FEHBA"). Id. Although the Marin General Hospital court acknowledged that "FEHBA and ERISA are different federal statutes," id., it noted that "their preemption provisions are analytically similar," and are often interpreted together. Id.
This discussion of the interplay between FEHBA and ERISA provides yet another reason to support the Court's finding that Plaintiffs' claims are not claims for ERISA benefits. In the First Motion to Dismiss Order, the Court examined whether "Plaintiffs' third party beneficiary claims [under FEHBA] constitute[d] health benefits claims" for purposes of the Federal BCBSA contract. First MTD Order at 68. After examining federal regulations, case law, and the Federal BCBSA contract's text, the Court determined that "Plaintiffs' third party beneficiary claim [was] not a `health benefits claim.'" Id. at 70. Health benefits claims are expenses that concern one's medical care or health coverage, not one's data privacy. Defendants have not challenged the Court's interpretation of FEHBA. Given the similarity between FEHBA and ERISA preemption, it would make little sense for the Court to adopt a different understanding of the term "benefit" for purposes of ERISA preemption.
Accordingly, for the reasons stated above, the Court finds that Coonce and Gates's claims are not completely preempted by ERISA.
On express preemption, the Court must determine whether Coonce and Gates's claims "relate to" their ERISA benefit plans. 29 U.S.C. § 1144(a). As noted above, the U.S. Supreme Court has emphasized that this term can not be read literally: "[i]f `relate to' were taken to extend to the furthest stretch of its indeterminacy, then for all practical purposes pre-emption would never run its course, for really, universally, relations stop nowhere." Travelers, 514 U.S. at 655 (alteration and internal quotation marks omitted). Such an interpretation would "read the presumption against pre-emption out of the law," id. and is "a result [that] no sensible person could have intended," Gobeille v. Liberty Mut. Ins. Co., 136 S.Ct. 936, 943 (2016) (internal quotation marks omitted).
As such, U.S. Supreme Court precedent "to date has described two categories of state laws that ERISA [expressly] pre-empts." Id. "First, ERISA pre-empts a state law if it has a `reference to' ERISA plans. To be more precise, where a State's law acts immediately and exclusively upon ERISA plans or where the existence of ERISA plans is essential to the law's operation, that `reference' will result in pre-emption." Id. (internal quotation marks, citation, ellipses, and alterations omitted). "Second, ERISA pre-empts a state law that has an impermissible `connection with' ERISA plans, meaning a state law that governs a central matter of plan administration or interferes with nationally uniform plan administration." Id. (internal quotation marks and ellipses omitted).
The claims at issue do not fall under either of these categories. The "reference to" prong analysis is straightforward. In Liberty Mutual Insurance Co. v. Donegan, 746 F.3d 497, 500 (2d Cir. 2014), the Second Circuit was presented with a Vermont law that required all state health insurers, health care providers, health care facilities, and governmental agencies to file certain reports with the Vermont government. On the "reference to" prong, the Second Circuit concluded that "[t]he Vermont statute and regulation lack reference to an ERISA plan because they apply to all health care payers and do not act exclusively upon ERISA plans." Id. at 508 n.9 (internal quotation marks omitted). Here, too, California contract law, New York unjust enrichment law, and GBL § 349 do not "act exclusively upon ERISA plans," id., nor are "the existence of ERISA plans . . . essential to the [their] operation," Gobeille, 136 S. Ct. at 943. These laws are laws of general application, and do not focus exclusively (or, for that matter, even primarily) upon ERISA plan administration.
The analysis of the "connection with" prong is more demanding, but the result remains the same. On this prong, the U.S. Supreme Court has advised courts to consider "the objectives of the ERISA statute as a guide to the scope of the state law that Congress understood would survive and the nature of the effect of the state law on ERISA plans." Gobeille, 136 S. Ct. at 943 (internal quotation marks and citation omitted). A number of cases have discussed "the objectives of the ERISA statute" in some detail. Id. In Travelers, for instance, the U.S. Supreme Court stated that in enacting ERISA's express preemption provision, "Congress intended to ensure that plans and plan sponsors would be subject to a uniform body of benefits law." 514 U.S. at 656 (internal quotation marks omitted) (emphasis added). Citing Travelers, the Ninth Circuit held in Dishman that "ERISA preempts state laws that mandate employee benefit structures or their administration." 269 F.3d at 981 (internal quotation marks and alteration omitted) (emphasis added). Thus, if a "statute governs the payment of benefits, a central matter of plan administration," it will be found to be expressly preempted. Id. at 982 (internal quotation marks omitted). Finally, in Gerosa v. Savasta & Co., 329 F.3d 317, 324 (2nd Cir. 2003), the Second Circuit observed that "state laws that . . . tend to control or supersede central ERISA functions— such as state laws affecting the determination of eligibility for benefits, amounts of benefits, or means of securing unpaid benefits—have typically been found to be preempted." Even in Wise v. Verizon Communications Inc., 600 F.3d 1180, 1190 (9th Cir. 2010), a case upon which Defendants rely, the Ninth Circuit determined that plaintiff's claim was expressly preempted because it was a "claim for recovery of past and future benefits." Namely, plaintiff sought to recover lost disability insurance benefits, not damages related to a data breach.
The general thrust of Travelers, Dishman, Gerosa, and Wise is that laws that implicate the administration of ERISA benefits are subject to express preemption, and laws that do not are not preempted. See Dishman, 269 F.3d at 984 (finding that invasion of privacy claim not subject to ERISA preemption). As noted above, the claims here do not implicate ERISA "benefits." Consequently, Coonce and Gates's claims are not expressly preempted.
As a final matter, the Court notes the parties' disagreement as to whether Coonce and Gates's contracts also constitute the "written ERISA plan instrument." Anthem Opp'n at 25. The crux of Plaintiffs' argument is that the official ERISA plan documents and the written contracts are not the same documents, and that further discovery is needed to determine what documents form the set of official ERISA plan documents. Defendants challenge this argument. Such a dispute again highlights why dismissal as a matter of law is inappropriate at this time: further discovery is necessary to determine which documents constitute the ERISA plan documents.
For all the reasons stated above, Defendants' motions to dismiss certain claims as preempted by ERISA are DENIED.
To conclude:
The second round motions to dismiss are otherwise DENIED. Should Plaintiffs elect to file an amended complaint curing the deficiencies identified herein, Plaintiffs shall do so by July 11, 2016, the deadline to which the parties have stipulated for the addition of parties. Failure to meet the July 11, 2016 deadline to file an amended complaint or failure to cure the deficiencies identified in this Order will result in a dismissal with prejudice of the deficient claims or theories. Plaintiffs may not add new causes of actions or parties without leave of the Court or stipulation of the parties pursuant to Federal Rule of Civil Procedure 15.