KATHERINE A. ROBERTSON, Magistrate Judge.
Ten present or former employees and the spouse of a former employee (collectively "Plaintiffs") of NEO Technology Solutions ("NEO Tech") d/b/a OnCore Holdings, LLC, OnCore Manufacturing, LLC, Natel Engineering Co., Inc., NEO Tech, North America, and NEO Tech Inc. (collectively "Defendants"), brought this putative class action claiming that Defendants disclosed the employees' 2016 Internal Revenue Service ("IRS") Form W-2 information, including their Social Security numbers, to an unauthorized third party. Plaintiffs' Second Amended Complaint ("Complaint") alleges that Defendants are liable for negligence (Count I) and for violations of Massachusetts and California statutes (Count II) and seeks a Declaratory Judgment (Count III) (Dkt. No. 45). Defendants have moved to dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6) (Dkt. No. 48). The motion has been referred to the undersigned for a report and recommendation (Dkt. No. 53). See 28 U.S.C. § 636(b)(1)(B); Fed. R. Civ. P. 72. For the reasons that follow, I recommend that the Rule 12(b)(1) motion be ALLOWED in part and DENIED in part because ten of the eleven Plaintiffs have standing to sue. I further recommend that the Rule 12(b)(6) motion be DENIED as to Count I of the Complaint, which alleges negligence, and ALLOWED as to Count II, which alleges the state law claims, and Count III, which requests declaratory relief.
Before January 2017, NEO Tech had experienced two data breaches resulting in the unauthorized disclosure of employees' health insurance and retirement information (Dkt. No. 45 ¶¶ 9, 48). Thereafter, NEO Tech's Information Technology Department recommended that encryption software be utilized to protect sensitive personal identification information ("PII"), but NEO Tech's management failed to heed that advice (Dkt. No. 45 ¶¶ 9, 48, 50).
On Friday, January 27, 2017, Zareen Mohta, NEO Tech's Vice President of Human Resources, responded to an e-mail "phishing" scam by forwarding to an unidentified cyber-criminal the unencrypted data that was used to prepare the 2016 IRS Forms W-2, Wage and Tax Statements, for 1,400 of Defendants' current or former employees who worked principally in Massachusetts, Ohio, and California (Dkt. No. 45 ¶¶ 2, 3, 6, 7, 38, 44). The W-2 data included each employee's name, address, Social Security number, and compensation (Dkt. No. 45 ¶ 2). Although the W-2 data was password protected and Ms. Mohta did not initially reveal the password, she later responded to the hacker's request for a password by providing a "strong[]" password hint thereby permitting the hacker to gain access to the W-2 data (Dkt. No. 45 ¶¶ 7, 8, 45).
Cyber-criminals can use W-2 information, including an employee's name, address, and Social Security number, to steal an employee's identity and fraudulently obtain employment, loans, and credit cards and file tax returns in an employee's name (Dkt. No. 45 ¶¶ 41, 54). Hackers can also use the W-2 data to steal government benefits and create false identifications for future use (Dkt. No. 45 ¶¶ 41, 54). Stolen W-2 information can be sold on the "dark markets" (Dkt. No. 45 ¶ 41).
NEO Tech's management immediately learned of the data breach and responded by notifying the employees of the breach at a meeting on Tuesday, January 31, 2017 (Dkt. No. 45 ¶¶ 10, 11, 47, 49). On that date, NEO Tech distributed a letter from Chief Financial Officer ("CFO") Laura L. Siegal describing the steps it had taken to guard the employees against "potential fraud," and the actions the employees could take to protect themselves from identity theft (Dkt. No. 45 ¶¶ 38, 47, 51; Dkt. No. 52-1 at 2-7).
Ten of the eleven named Plaintiffs are Defendants' current or former employees and one, Kristine Tansil, is the spouse of John Tansil, a former employee (Dkt. No. 45 ¶¶ 24-34). Plaintiffs allege that they and their families have suffered or are likely to suffer the following injuries as a result of the data breach:
(Dkt. No. 45 ¶¶ 24-34).
"A motion to dismiss for lack of subject matter jurisdiction under Fed. R. Civ. P. 12(b)(1) is appropriate when the plaintiff lacks standing to bring the claim." Edelkind v. Fairmont Funding, Ltd., 539 F.Supp.2d 449, 453 (D. Mass. 2008), abrogated on other grounds by Culhane v. Aurora Loan Servs. of Neb., 708 F.3d 282 (1st Cir. 2013). "Courts assess such motions using the familiar standard applicable to motions filed under Federal Rule of Civil Procedure 12(b)(6): a complaint's well-pleaded facts must be credited as true, and all reasonable inferences from the complaint must be drawn in the plaintiff's favor." Oyola v. Cavalry SPV I, LLC, CIVIL ACTION NO. 4:17-cv-40083-TSH, 2018 WL 1940313, at *3 (D. Mass. Mar. 1, 2018), adopted, 4:17-CV-40083, 2018 WL 2010574 (D. Mass. Mar. 21, 2018) (citing Kerin v. Titeflex Corp., 770 F.3d 978, 981 (1st Cir. 2014); Katz v. Pershing, LLC, 672 F.3d 64, 70 (1st Cir. 2012); Nisselson v. Lernout, 469 F.3d 143, 150 (1st Cir. 2006)). "However, 'this tenet does not apply to "statements in the complaint that merely offer legal conclusions couched as facts or are threadbare or conclusory,'" or to allegations so 'speculative that they fail to cross "the line between the conclusory and the factual."'" Blum v. Holder, 744 F.3d 790, 795 (1st Cir. 2014) (citations omitted). Because a court that lacks subject matter jurisdiction "has no authority to address the dispute presented," Attias v. Carefirst, Inc., 865 F.3d 620, 624 (D.C. Cir. 2017), cert. denied, 138 S.Ct. 981 (2018), "[w]hen a court is confronted with motions to dismiss under both Rules 12(b)(1) and 12(b)(6), it ordinarily ought to decide the former before broaching the latter." Deniz v. Municipality of Guaynabo, 285 F.3d 142, 149 (1st Cir. 2002).
"Article III of the Constitution limits federal courts' jurisdiction to certain 'Cases' and 'Controversies.'" Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408 (2013). "One element of the case-or-controversy requirement is that [plaintiffs], based on their complaint, must establish that they have standing to sue." Raines v. Byrd, 521 U.S. 811, 818 (1997). See also Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). "In essence the question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues." Warth v. Seldin, 422 U.S. 490, 498 (1975). "The standing inquiry is claim-specific: a plaintiff must have standing to bring each and every claim that []he asserts." Katz, 672 F.3d at 71 (citing Pagán v. Calderón, 448 F.3d 16, 26 (1st Cir. 2006)).
To establish standing, a plaintiff must: (1) allege an injury in fact; (2) show a "causal connection between the injury and the conduct complained of"; and (3) demonstrate that the injury will "'likely . . . be redressed by a favorable decision'" of the court. Defs. of Wildlife, 504 U.S. at 560-61 (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 38 (1976)). As the parties invoking federal jurisdiction, Plaintiffs bear the burden of establishing those elements. See id. at 561 (citing FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231 (1990)). "Since they are not mere pleading requirements but rather an indispensable part of the plaintiff's case, each element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation." Id. (citing Lujan v. Nat'l Wildlife Fed'n, 497 U.S. 871, 883-89 (1990); Gladstone, Realtors v. Vill. of Bellwood, 441 U.S. 91, 114-15 & n.31 (1979)). "At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss [the court] 'presum[es] that general allegations embrace those specific facts that are necessary to support the claim.'" Id. (quoting Nat'l Wildlife Fed'n, 497 U.S. at 889).
"'That a suit may be a class action . . . adds nothing to the question of standing, for even named plaintiffs who represent a class "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong."'" Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 n.6 (2016) (quoting Simon, 426 U.S. at 40 n.20). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton, 414 U.S. 488, 494 (1974). Because Defendants challenge the three elements of standing (Dkt. No. 49 at 10-18), in order to maintain the class action, the allegations in the complaint must be sufficient to establish an injury in fact, causation, and redressability as to at least one of the eleven named Plaintiffs. See id.
"[T]he injury-in-fact requirement . . . serves to ensure that the plaintiff has a personal stake in the litigation." Attias, 865 F.3d at 626. An injury in fact is "an invasion of a legally protected interest which is (a) concrete and particularized and (b) 'actual or imminent, not "conjectural" or "hypothetical."'" Defs. of Wildlife, 504 U.S. at 560 (citations and footnote omitted) (quoting Whitmore v. Arkansas, 495 U.S. 149, 155 (1990)). "A 'concrete' injury must be 'de facto'; that is, it must actually exist." Spokeo, 136 S. Ct. at 1548 (citation omitted). "Particularity demands that a plaintiff must have personally suffered some harm." Katz, 672 F.3d at 71 (citing Defs. of Wildlife, 504 U.S. at 560 n.1). "The requirement of an actual or imminent injury ensures that the harm has either happened or is sufficiently threatening; it is not enough that the harm might occur at some future time." Id. (citing Defs. of Wildlife, 504 U.S. at 564).
Beginning with named Plaintiff Kristine Tansil, who was Plaintiff John Tansil's spouse and was not employed by Defendants, the court agrees with Defendants that she and other employees' family members did not suffer an injury in fact and, thus, do not have standing to sue (Dkt. No. 45 ¶¶ 1, 27, 29; Dkt. No. 49 at 18-19). "[A] party 'generally must assert his own legal rights and interests, and cannot rest his claim to relief on the legal rights or interests of third parties.'" Kowalski v. Tesmer, 543 U.S. 125, 129 (2004) (quoting Warth, 422 U.S. at 499). Plaintiffs cannot and do not contend that non-employees' PII was on the stolen W-2 forms.
As to the ten remaining named Plaintiffs, recognizing that actual or potential identity theft "constitute[s] a concrete and particularized injury," Defendants do not challenge that requirement. Attias, 865 F.3d at 627. See also In re: SuperValu, Inc., 870 F.3d 763, 770 (8th Cir. 2017) ("Defendants appear to concede that identity theft constitutes an actual, concrete, and particularized injury.") (citing Attias, 865 F.3d at 627); In re: Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 633 n.10 (3d Cir. 2017) ("There is no doubt that the Plaintiffs complain of a particularized injury — the disclosure of their own private information."). Defendants contend that Plaintiffs lack standing because the Complaint fails to allege an actual or imminent injury in fact.
Defendants argue that the six named Plaintiffs who allege that their identities were stolen — Portier, Batalha, Roda, Perez, Scoles, and Pease — were not actually injured because the thefts were discovered and none of the Plaintiffs were "harm[ed] or incur[red] any expense" (Dkt. No. 49 at 14-15, 17-18; Dkt. No. 60 at 2). However, "standing [i]s not confined to those who c[an] show 'economic harm.'" United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669, 686 (1973). An individual whose identity was stolen by someone who gained unauthorized access to the person's PII — particularly his or her Social Security number — and used the stolen identity has suffered an actual injury for purposes of standing. See Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018) (Plaintiffs "suffered actual harm in the form of identity theft and credit card fraud."); Katz, 672 F.3d at 80 (an injury in fact has occurred where confidential data has been accessed through a security breach and the persons involved in the security breach have used the "ill-gotten information.").
Although there may be some question as to whether Plaintiff Roda's claim that his income tax return was "diverted" and Plaintiff Perez's claim that his identity was stolen are sufficiently specific to allege actual injuries (Dkt. No. 45 ¶¶ 30, 32), the Complaint adequately alleges facts to support the contention that four Plaintiffs suffered actual injuries because their identities were stolen and used to perpetrate a fraud. Fraudulent income tax returns were filed using Plaintiffs Portier's and Scoles' names, addresses, and social security numbers, causing their refunds to be delayed (Dkt. No. 45 ¶¶ 24, 33).
The cases upon which Defendants rely to support their claim that no Plaintiff suffered an actual injury, Torres v. Wendy's Co., 195 F.Supp.3d 1278, 1282 (M.D. Fla. 2016), Burton v. MAPCO Express, Inc., 47 F.Supp.3d 1279, 1281, 1285 (N.D. Ala. 2014), and In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588, at *4 (N.D. Ill. Sept. 3, 2013), vacated and remanded sub nom. Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018), are readily distinguishable because they addressed the theft of credit and debit card data (Dkt. No. 49 at 14). Cancelling and replacing stolen debit and credit cards limits the damage caused by the theft of debit and credit card information. In contrast, stolen Social Security numbers, which are not usually replaced, have been characterized as the keys to the kingdom for an identity thief (Dkt. No. 45 ¶ 55). See In re: SuperValu, Inc., 870 F.3d at 770.
The ten named Plaintiffs, including the Plaintiffs who have not alleged actual harm, claim that they have standing based on injuries in fact arising from the risk of identity theft in the future and from the time and expenses incurred in mitigating future harm.
Relying on Clapper, 568 U.S. at 416, Defendants contend that the allegations of the increased risk of future identity theft do not constitute an injury in fact because the risk is not "imminent" and is too speculative (Dkt. No. 49 at 11-18; Dkt. No. 60 at 3-4). Plaintiffs counter that, in view of the fact that some Plaintiffs' identities have already been stolen, the ten remaining named Plaintiffs have standing because they face a substantial risk of future identity theft (Dkt. No. 54 at 15-17). Plaintiffs have the better argument.
An "'[a]llegation[] of possible future injury' [is] not sufficient" to establish Article III standing. Clapper, 568 U.S. at 409 (first alteration in original) (quoting Whitmore, 495 U.S. at 158). However, "[a]n allegation of future injury may suffice if the threatened injury is 'certainly impending,' or there is a 'substantial risk' that the harm will occur." Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Clapper, 568 U.S. at 409, 414 n.5). The First Circuit applies the Supreme Court's "disjunctive framing of the test" and will find that an "injury is imminent if it is certainly impending or if there is a substantial risk that harm will occur." Reddy v. Foster, 845 F.3d 493, 500 (1st Cir. 2017). Excluding Ms. Tansil, the remaining named Plaintiffs have shown, at least, a substantial risk that future harm will occur.
The First Circuit addressed standing for a victim of a data breach in Katz and found that the plaintiff did not have standing because she failed to present evidence that an unauthorized user had ever accessed her PII. See Katz, 672 F.3d at 79-80. The First Circuit, however, has not yet confronted the question presented here; that is, whether victims of a data breach who allege that they will face the possibility of future identity theft because cyber-criminals have already used the stolen PII have suffered an injury in fact. There is a split among the circuits that have addressed this scenario. See Beck v. McDonald, 848 F.3d 262, 273 (4th Cir. 2017), cert. denied sub nom. Beck v. Shulkin, 137 S.Ct. 2307 (2017) ("Our sister circuits are divided on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft."). The Sixth, Seventh, Ninth, and D.C. Circuits have found that allegations of the threatened risk of future identity theft constitute an injury in fact if the threat is "sufficiently imminent." Id. See In re Zappos.com, Inc., 888 F.3d 1020, 1023, 1027 (9th Cir. 2018), cert. denied sub nom. Zappos.com v. Stevens, 139 S.Ct. 1373 (2019) (Krottner v. Starbucks, Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010), controlled the court's holding); Attias, 865 F.3d at 628-29; Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388-89 (6th Cir. 2016) (unpublished); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967-68 (7th Cir. 2016) (following Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 691-94 (7th Cir. 2015)). On the other hand, like the First Circuit in Katz, the Second and Eighth Circuits have found that plaintiffs who merely alleged an increased risk of future harm did not have standing. See In re: SuperValu, Inc., 870 F.3d at 770; Whalen v. Michaels Stores, Inc., 689 F. App'x 89, 90-91 (2d Cir. 2017) (unpublished summary opinion); Katz, 672 F.3d at 80. 
The Third and Fourth Circuits have "straddled the circuit split with decisions finding no injury in fact based on an increased risk of identity theft based on one set of facts and a cognizable injury in fact on another set of facts." In re: 21st Century Oncology Customer Data Sec. Breach Litig. (hereinafter 21st Century), 380 F.Supp.3d 1243, 1251 (M.D. Fla. 2019). Compare Hutton, 892 F.3d at 622 (plaintiffs sufficiently alleged an imminent threat of injury) and In re: Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d at 639 n.19 (indicating, in dicta, that the theft of "easily accessible" personal information combined with the fact that someone had been a victim of identity theft was sufficient to establish an increased risk of future injury) with Beck, 848 F.3d at 274-76 ("the mere theft [of PII] without more cannot confer Article III standing.") and Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (the increased risk of identity theft was too hypothetical and speculative to establish a "certainly impending" injury in fact).
Based on the observation that "the differing sets of facts involved in each circuit's decision are what appear to have driven the ultimate decision on standing, not necessarily a fundamental disagreement on the law," one district court analyzed the circuit courts' decisions and identified three common factors that have been used to determine "the question of whether a plaintiff has adequately alleged an injury in fact based on an increased risk of identity theft." 21st Century, 380 F. Supp. 3d at 1251. See also In re: SuperValu, Inc., 870 F.3d at 769 (the circuits' dissimilar results "ultimately turned on the substance of the allegations before each court.").
The first factor is the motive or intent of the unauthorized third party who gained access to the PII. See 21st Century, 380 F. Supp. 3d at 1251-52. If it is reasonable to infer from the allegations in the complaint that the hackers gained access to the PII intending to use it to perpetrate fraud, courts have found that a cognizable future injury in fact was adequately alleged. See In re Zappos.com, Inc., 888 F.3d at 1029 n.13 (finding an injury in fact based on the threat of future identity theft where plaintiffs alleged "that hackers specifically targeted their PII on Zappos's servers."); In re: Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d at 639 n.19 ("The theft appears to have been directed towards the acquisition of . . . personal information" that could be used to steal identities); Galaria, 663 F. App'x at 388 ("Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in [p]laintiffs' complaints."); Remijas, 794 F.3d at 693 ("Why else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities."). Compare Beck, 848 F.3d at 274 (finding no injury in fact where there was no evidence that the person who stole a laptop computer "stole the laptop with the intent to steal [the plaintiff's] private information" and distinguishing cases in which "the data thief intentionally targeted the personal information compromised in the data breaches."); Reilly, 664 F.3d at 44 (the risk of identity theft was not imminent where there was "no evidence that the intrusion was intentional or malicious.").
Second, the type of information that was seized is a factor in the analysis of whether or not the risk of future identity theft constitutes an injury in fact. See In re: SuperValu, Inc., 870 F.3d at 770 ("'The type of data compromised in a breach can effectively determine the potential harm that can result.'") (citation omitted); 21st Century, 380 F. Supp. 3d at 1253. "The courts addressing this factor have made a distinction between easily changeable or replaceable information, such as credit and debit card information, and personally identifiable information, such as social security numbers, birth dates, or driver's license numbers, which is more static." 21st Century, 380 F. Supp. 3d at 1253. Courts disagree on whether stolen credit and debit card information can enable a thief to steal the holder's identity. Compare In re Zappos.com Inc., 888 F.3d at 1027 and Remijas, 794 F.3d at 694 (finding an injury in fact) with In re: SuperValu, Inc., 870 F.3d at 770 and Whalen, 689 F. App'x at 91-92 (finding no injury). However, if sensitive PII, including Social Security numbers, is stolen, courts consistently have found an injury in fact because that pilfered data can be misused for identity theft. See Attias, 865 F.3d at 629 (where the data breach exposed Social Security numbers, "a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that plaintiffs allege was taken"); In re: Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d at 629-30, 639 n.19 ("The information that was stolen [including Social Security numbers] was highly personal and could be used to steal one's identity.").
Finally, in determining whether the risk of future identity theft constitutes an injury in fact, courts have examined whether or not the stolen data was "actually accessed" and whether or not "there have been prior instances of misuse stemming from the same [data breach]." 21st Century, 380 F. Supp. 3d at 1254-55. If identity theft has occurred, courts are more apt to find an imminent harm. See Hutton, 892 F.3d at 622 (where plaintiffs alleged that their "data was stolen, accessed, and used in a fraudulent manner," they sufficiently alleged an imminent threat of injury); Attias, 865 F.3d at 628 ("an unauthorized party has already accessed [PII] on [defendant's] servers, and it is much less speculative — at the very least, it is plausible — to infer that this party has both the intent and the ability to use that data for ill."); In re: Horizon Healthcare Servs. Inc., Data Breach Litig., 846 F.3d at 639 n.19 (explaining, in dicta, that a material risk of harm to plaintiffs existed because one plaintiff "alleged that he had already been a victim of identity theft as a result of the breach"). On the other hand, courts are less likely to find an injury in fact where there are no allegations of fraudulent misuse of the stolen information. See Beck, 848 F.3d at 274-76 (the "enhanced risk of future identity theft" was deemed "too speculative" because plaintiffs did not allege that data was "accessed or misused."); Reilly, 664 F.3d at 43 (finding that plaintiffs' alleged injury was not "'certainly impending'" where they had "yet to suffer any harm, and their alleged increased risk of future injury [was] nothing more than speculation."); Katz, 672 F.3d at 80 (finding no actual or impending injury because plaintiff failed to "identify any incident in which her data has ever been accessed by an unauthorized person").
Here, the Complaint's allegations, and the reasonable inferences that can be drawn therefrom, when viewed under the plaintiff-favorable standard applicable to motions to dismiss, satisfy the three factors that are identified in 21st Century. See Reddy, 845 F.3d at 497. First, from the fact that the cyber thief specifically targeted the W-2 forms, which contained each current or former employee's name, address, and Social Security number, it is reasonable to infer that the thief intended to use the information for unlawful purposes (Dkt. No. 45 ¶¶ 2, 3, 41).
Some of the named Plaintiffs allege that they have suffered harm from the purchase of identity theft and credit monitoring services to safeguard against misuse of their PII (Dkt. No. 45 ¶¶ 25, 27, 34). In addition, the ten employee Plaintiffs allege that they have expended time to rectify the damage and potential damage caused by the data breach and claim that they will be required to purchase identity theft and credit monitoring services for twenty years (Dkt. No. 45 ¶¶ 20, 24-34). Citing Clapper, 568 U.S. at 402, Defendants counter that Plaintiffs have impermissibly manufactured standing "by choosing to make expenditures based on hypothetical future harm that is not certainly impending" (Dkt. No. 49 at 15-17). Because the risk that Plaintiffs' PII will be misused in the future is not so attenuated as to preclude a finding of an injury in fact, Plaintiffs' position concerning mitigation expenses bolsters their claim of imminent injury.
"Mitigation expenses do not qualify as actual injuries when the harm is not imminent." Remijas, 794 F.3d at 694. However, courts have "recognized standing to sue on the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm actually exists." Hutton, 892 F.3d at 622 (citing Clapper, 568 U.S. at 414 n.5). Assuming that Plaintiffs suffered an injury in fact based on an imminent risk of future identity theft, the time and expenses the ten named Plaintiffs have incurred to protect against that threat would also qualify as an adequate injury in fact. See Galaria, 663 F. App'x at 388 (plaintiffs' expenditure of "time and money to monitor their credit, check their bank statements, . . . modify their financial accounts" and obtain credit freezes was "a concrete injury suffered to mitigate an imminent harm, and satisf[ied] the injury requirement of Article III standing"); Remijas, 794 F.3d at 692, 694 (plaintiffs who made expenditures of time and money for credit monitoring and identity theft protection had standing because they faced the threat of imminent harm); Sackin v. TransPerfect Glob., Inc., 278 F.Supp.3d 739, 746-47 (S.D.N.Y. 2017) ("When a future harm is sufficiently imminent to support standing, a plaintiff's expenses in taking reasonable measures to prevent the harm's fruition also may be viewed as an injury in fact.") (citing Hedges v. Obama, 724 F.3d 170, 196 (2d Cir. 2013)).
Accordingly, the allegations in the Complaint are sufficient to demonstrate that the ten named employee Plaintiffs have suffered an injury in fact.
Defendants challenge causation on the ground that the Complaint fails to allege that the Plaintiffs' stolen PII was not accessed by means of another data breach, such as the Equifax breach in 2017, the Anthem breach in 2015, and the Target breach in 2013 (Dkt. No. 49 at 13). Other courts have rejected similar arguments.
The causation element "requires the plaintiff to show a sufficiently direct causal connection between the challenged action and the identified harm." Katz, 672 F.3d at 71 (citing Defs. of Wildlife, 504 U.S. at 560). "Such a connection 'cannot be overly attenuated.'" Id. (quoting Donahue v. City of Boston, 304 F.3d 110, 115 (1st Cir. 2002)). "But Article III standing does not require that the defendant be the most immediate cause, or even a proximate cause, of the plaintiffs' injuries; it requires only that those injuries be 'fairly traceable' to the defendant." Attias, 865 F.3d at 629 (citing Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014)).
The fact that Plaintiffs' PII might have been exposed through an unrelated data breach "does nothing to negate the plaintiffs' standing to sue." Remijas, 794 F.3d at 696. "It is certainly plausible for pleading purposes that their injuries are 'fairly traceable' to the data breach at [NEO Tech]." Id. "If there are multiple companies that could have exposed the plaintiffs' private information to the hackers, then 'the common law of torts has long shifted the burden of proof to defendants to prove that their negligent actions were not the "but-for" cause of the plaintiff's injury.'" Id. (quoting Price Waterhouse v. Hopkins, 490 U.S. 228, 263 (1989) (O'Connor, J. concurring)). At this stage of the litigation, it is sufficient that NEO Tech admits that employees' 2016 W-2 Form data was stolen and that it notified its employees of the breach (Dkt. No. 52-1 at 2-12). "Those admissions and actions by [Defendants] adequately raise the plaintiffs' right to relief above the speculative level." Id. (citing Twombly, 550 U.S. at 570). See Attias, 865 F.3d at 629 ("Because we assume, for purposes of the standing analysis, that plaintiffs will prevail on the merits of their claim that [defendant] failed to properly secure their data and thereby subjected them to a substantial risk of identity theft, we have little difficulty concluding that their injury in fact is fairly traceable to [defendant].") (citation omitted).
To the extent Defendants contend that Plaintiffs do not have standing because the named Plaintiffs who suffered actual injuries did not incur an economic loss, Defendants' argument ignores Plaintiffs' mitigation expenses and future injuries (Dkt. No. 49 at 14-15).
In order to satisfy the redressability element, "[t]he plaintiff[s] must show that a favorable resolution of [their] claim[s] would likely redress the professed injury." Katz, 672 F.3d at 72. "[S]elf-imposed risk-mitigation costs . . . can satisfy the redressability requirement, when combined with a risk of future harm that is substantial enough to qualify as an injury in fact." Attias, 865 F.3d at 629. "The fact that [P]laintiffs have reasonably spent money to protect themselves against a substantial risk creates the potential for them to be made whole by monetary damages." Id. See Remijas, 794 F.3d at 696-97 (a judicial decision can compensate plaintiffs for mitigation expenses and future injuries.).
In summary, in this court's view, the Complaint adequately alleges facts to establish that all named Plaintiffs except Kristine Tansil have suffered an injury in fact, that Defendants caused the injury, and that Plaintiffs' injuries can be redressed by a favorable resolution of their claims. Accordingly, the court recommends that Defendants' motion to dismiss for lack of jurisdiction be allowed as to Kristine Tansil, and denied as to the ten remaining named Plaintiffs.
As to the ten named Plaintiffs who have standing, Mr. Tansil is a California resident and the other nine Plaintiffs either currently live in Massachusetts or resided in Massachusetts at the time of the data breach (Dkt. No. 45 ¶¶ 24-34). Under the laws of Massachusetts and California, to adequately plead a negligence claim, a plaintiff must sufficiently allege facts to establish "[1] that the defendant owed the plaintiff a duty of reasonable care, [2] that the defendant breached this duty, [3] that damage resulted, and [4] that there was a causal relation between the breach of the duty and the damage." Jupin v. Kask, 849 N.E.2d 829, 834-35 (Mass. 2006). See Artiglio v. Corning Inc., 957 P.2d 1313, 1318 (Cal. 1998) (same). Plaintiffs allege that Defendants were negligent in failing to (1) safeguard their W-2 data, and (2) timely disclose the data breach (Dkt. No. 45 ¶¶ 79-90). Defendants challenge the adequacy of the Complaint as to all four elements of negligence (Dkt. No. 49 at 20-23). See Anderson v. Hannaford Bros. Co., 659 F.3d 151, 157 (1st Cir. 2011) ("To survive a motion to dismiss, a complaint must 'set forth "factual allegations, either direct or inferential, respecting each material element necessary to sustain recovery under some actionable legal theory."'") (quoting Gagliardi v. Sullivan, 513 F.3d 301, 305 (1st Cir. 2008)).
"`Whether there is a duty to be careful is a question of law,' which [the courts] determine `by reference to existing social values and customs and appropriate social policy.'" Jupin, 849 N.E.2d at 832 (citations omitted). See also Regents of the Univ. of Cal. v. Superior Court, 413 P.3d 656, 669 (Cal. 2018) ("Whether a new duty should be imposed in any particular context is essentially a question of public policy."). "`"No better general statement can be made than that the courts will find a duty where, in general, reasonable persons would recognize it and agree that it exists."'" Jupin, 849 N.E.2d at 835 (quoting Luoni v. Berube, 729 N.E.2d 1108, 1113 (Mass. 2000)). "`The assertion that liability must . . . be denied because defendant bears no duty to plaintiff "begs the essential question — whether the plaintiff's interests are entitled to legal protection against the defendant's conduct."'" Id. (alterations in original) (quoting Tarasoff v. Regents of the Univ. of Cal., 551 P.2d 334, 342 (Cal. 1976)). In determining whether a duty exists, courts first examine whether or not the harm was reasonably foreseeable. See id. If it was, a duty of reasonable care may be imposed unless public policy militates against imposing it. See id. at 836. See also Regents of the Univ. of Cal., 413 P.3d at 669 (in determining the existence of a duty, the court assesses foreseeability and public policy concerns).
"In general, anyone who does an affirmative act is under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act." RESTATEMENT (SECOND) OF TORTS § 302 cmt. a (AM. LAW INST. 1965). See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 966 (S.D. Cal. 2014), order corrected by MDL No. 11md2258 AJB (MDD), 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014) ("`A basic principle of negligence law is that ordinarily everyone has a duty to refrain from affirmative acts that unreasonably expose others to a risk of harm.'") (quoting Yakubowicz v. Paramount Pictures Corp., 536 N.E.2d 1067, 1070 (Mass. 1989)). As employees, Plaintiffs were obligated to provide Defendants with their PII including their Social Security numbers, which NEO Tech stored on its computer system (Dkt. No. 45 ¶¶ 2, 5, 53, 82). It is reasonable to conclude that NEO Tech's affirmative acts of collecting and storing Plaintiffs' PII gave rise to a duty to exercise due care to safeguard the employees' PII. See Mullins v. Pine Manor Coll., 449 N.E.2d 331, 336 (Mass. 1983) (citing RESTATEMENT (SECOND) OF TORTS § 323 (AM. LAW INST. 1965)).
Although, in general, "there is no duty to protect others from the criminal or wrongful activities of third persons," id. at 334, there is an exception to this rule when the harm is foreseeable. See Jupin, 849 N.E.2d at 836; Foley v. Boston Hous. Auth., 555 N.E.2d 234, 236 (Mass. 1990); Husband v. Dubose, 531 N.E.2d 600, 602 (Mass. App. Ct. 1988) (whether a person has a duty to protect another from the harm caused by a third party "involve[s], to some extent, the foreseeability of the harm"); RESTATEMENT (SECOND) OF TORTS § 302B (AM. LAW INST. 1965) ("An act or an omission may be negligent if the actor realizes or should realize that it involves an unreasonable risk of harm to another through the conduct of the other or a third person which is intended to cause harm, even though such conduct is criminal."); see also RESTATEMENT (SECOND) OF TORTS § 448 (AM. LAW INST. 1965) (if an actor's negligent conduct affords an opportunity for a third person to commit a crime, the actor will be liable for the criminal act of the third person if, "at the time of [the actor's] negligent conduct, [he] realized or should have realized that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.").
Here, the risk that a cyber-criminal would access the PII of Defendants' employees and misuse it was reasonably foreseeable (Dkt. No. 45 ¶ 83). Even before an unauthorized third party gained access to Plaintiffs' PII through the phishing scam in January 2017, employees' health insurance and retirement plan information had been stolen (Dkt. No. 45 ¶ 48). Thereafter, NEO Tech's management failed to heed its Information Technology Department's recommendation to use encryption software (Dkt. No. 45 ¶¶ 48, 50). Because Defendants had experienced a prior data breach, Defendants could be expected to foresee the risk that Plaintiffs' unencrypted PII could be accessed and misused by third party criminals. In similar situations, other courts have found that defendants owed plaintiffs a duty of reasonable care. See Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1039 (N.D. Cal. 2019) ("The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information."); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d at 964-66 (finding a legal duty where plaintiffs provided their PII to defendant as part of a commercial transaction and defendant "failed to employ reasonable security measures to protect their Personal Information, including the utilization of industry-standard encryption").
Public policy also favors the imposition of a legal duty on Defendants. In analyzing whether or not a duty should be imposed as a matter of public policy, Massachusetts courts weigh the seriousness of the potential injury against the cost of preventing the harm. See Jupin, 849 N.E.2d at 838-40. Because Social Security numbers are the gold standard for identity theft, their theft is significant. Indeed, Defendants acknowledged the severity of the harm that could befall a victim of identity theft in their letters to Plaintiffs by warning them of the potential for fraudulent use of their PII, such as the filing of false tax returns to obtain refunds, the unauthorized use of existing credit cards, the opening of new credit accounts or changing existing accounts, and the sale of PII on the dark web (Dkt. No. 52-1 at 2-7, 9-10, 14-17). Access to Social Security numbers causes long-lasting jeopardy because the Social Security Administration does not normally replace Social Security numbers (Dkt. No. 45 ¶ 55). See Bass, 394 F. Supp. 3d at 1034 ("A social security number derives its value in that it is immutable."); Corona v. Sony Pictures Entm't, Inc., No. 14-CV-09600 RGK (Ex.), 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015) ("It is commonly known that the consequences resulting from identity theft can be both serious and long-lasting.").
In contrast to the severity of harm, Defendants do not argue that the costs of securing PII by training employees or installing encryption software would be unduly burdensome or that they are potentially liable to an unlimited class of persons. See Jupin, 849 N.E.2d at 838-39. By definition, in the instant case liability cannot extend beyond those who are required to entrust their PII to Defendants as a condition of employment. Recognizing such a duty would ensure that the holder of Social Security numbers uses adequate measures, including encryption, to secure the information in its custody to prevent unauthorized access to it. See id.
Moreover, the laws of Massachusetts and California reflect "the societal concern with [Social Security numbers] reaching the hands of unauthorized users" thereby supporting the imposition of a duty on defendants. Jupin, 849 N.E.2d at 840. In Massachusetts, the Fair Information Practices Act ("FIPA") requires a holder that "collects, uses, maintains or disseminates personal data" to "take reasonable precautions to protect personal data from dangers of . . . identity theft . . . or other physical threat." Mass. Gen. Laws ch. 66A §§ 1, 2(d). In addition, Mass. Gen. Laws ch. 93H imposes a duty on an agency, a "person, corporation, association, partnership or other legal entity" to report a security breach or the unauthorized use of personal information. See Mass. Gen. Laws ch. 93H, §§ 1, 3. If a security breach involves a Social Security number, the entity that becomes aware of the breach is required to provide free credit monitoring services to each resident whose Social Security number was disclosed for a minimum of eighteen months. See Mass. Gen. Laws ch. 93H, § 3A(a).
Based on the allegations in the Complaint, the risk that Plaintiffs' Social Security numbers would be exposed to a cyber-criminal was foreseeable and, in this court's view, Massachusetts and California would find that public policy weighs in favor of imposing a duty on Defendants to act with reasonable care with respect to employees' PII.
Plaintiffs allege that NEO Tech breached its duty to exercise reasonable care in "holding, safeguarding and protecting" the Plaintiffs' W-2 data from "wrongful disclosure" by failing to "maintain proper security measures, policies and procedures" and train its employees to guard against the unauthorized release of the data (Dkt. No. 45 ¶¶ 84, 88). Defendants counter that they complied with any duty they had by password protecting their W-2 data and by timely notifying employees of the breach (Dkt. No. 49 at 20).
Because Plaintiffs claim that Defendants failed to employ reasonable security measures, including encryption, which was recommended by the Information Technology Department after two previous data breaches and to adequately train its employees to guard against a phishing scam, the Complaint adequately alleges that Defendants breached their duty of reasonable care. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d at 966 (applying Massachusetts and California law and finding a breach of duty to protect PII from the unauthorized disclosure to third parties).
Plaintiffs allege that their injuries were caused by Defendants' failures to safeguard their W-2 information (Dkt. No. 45 ¶¶ 86, 87). Defendants' response that a third party might have caused Plaintiffs' injuries is unpersuasive (Dkt. No. 49 at 20-21).
"To state a claim for negligence, plaintiffs must plead facts that plausibly connect the alleged breach of duty to the harm plaintiffs suffered." Castillo v. Seagate Tech., LLC, Case No. 16-cv-01958-RS, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 14, 2016). "The necessary causal connection may be found `[i]f the injury to the plaintiff was a foreseeable result of the defendant's negligent conduct.'" Adams v. Congress Auto Ins. Agency, Inc., 65 N.E.3d 1229, 1237 (Mass. App. Ct. 2016), review denied, 86 N.E.3d 243 (Mass. 2017) (alteration in original) (quoting Kent v. Commonwealth, 771 N.E.2d 770, 777 (Mass. 2002)). Here, Plaintiffs have adequately alleged that a third party hacking scheme was reasonably foreseeable. There is at least a plausible inference that Defendants' failure to institute adequate security measures to protect Plaintiffs' W-2 information from hackers proximately caused Plaintiffs' injuries. See Top Trade v. Grocery Outlet, Case No. 2:17-cv-08467-SVW-MRW, 2018 WL 6038297, at *4 (C.D. Cal. May 9, 2018) (finding that the failure to adequately secure an internet server and an email system caused the damage wrought by a spoofing attack); Cole v. Town of Los Gatos, 140 Cal.Rptr.3d 722, 739 (Cal. Ct. App. 2012) (the misconduct of a third party will not ordinarily break the chain of causation if the misconduct itself was foreseeable to the defendant); Reid v. City of Boston, 129 N.E.3d 867, 877 (Mass. App. Ct.), review denied, 132 N.E.3d 947 (Mass. 2019) ("the intervening acts of a third party that are a reasonably foreseeable result of the original negligence will not break the chain of causation, even if those acts are criminal."). "`It is irrelevant whether [the defendant] foresaw or should have foreseen the specific danger that occurred. . . . It is sufficient that the same general kind of harm was a foreseeable consequence of the defendant's risk-creating conduct.'" Reid, 129 N.E.3d at 877 (quoting Jupin, 849 N.E.2d at 837 n.8).
Plaintiffs claim that Defendants' negligence caused the following injuries: (1) losses due to delayed income tax refunds (Portier and Scoles) and credit card fraud (Batalha and Pease); (2) out-of-pocket expenses, including the cost of identity theft protection (Snelgrove, Tansil, Pease); (3) lost wages in varying amounts for the time expended to address and rectify the harm caused by the data breach; and (4) the costs of addressing the harm they may suffer in the future (Dkt. No. 45 ¶¶ 24-34, 87, 89). Defendants contend that the Complaint fails to adequately allege actual monetary losses, that credit monitoring was not required because Defendants provided free credit monitoring services, and that mitigation costs and time and effort expended to rectify harm or prevent future harm are not cognizable injuries (Dkt. No. 49 at 21-23).
"`"Damages" is the word which expresses in dollars and cents the injury sustained by a plaintiff.'" Donovan v. Philip Morris USA, Inc., 914 N.E.2d 891, 899 (Mass. 2009) (quoting Turcotte v. DeWitt, 131 N.E.2d 195, 197 (Mass. 1955)). "`A negligence action may not be maintained unless one has suffered injury or damage.'" Id. (quoting Cannon v. Sears, Roebuck & Co., 374 N.E.2d 582, 584 (Mass. 1978)). "[I]njury and damages are integrally related: there can be no invasion of the rights of another unless legal damage is caused, and for that reason nominal damages cannot be recovered." Id. See Castillo, 2016 WL 9280242, at *4 ("Negligence claims also require plaintiffs to connect the defendant's allegedly negligent conduct to a cognizable, nonspeculative harm."); Corona, 2015 WL 3916744, at *3 (a viable negligence claim requires a showing of an actual loss).
First, Plaintiffs Portier, Scoles, Batalha, and Pease allege harm from the fact that their personal information was misused. Relying on the case law addressing standing, Defendants allege that those Plaintiffs were not injured because "none of the instances of attempted identity theft or fraudulent credit charges resulted in any economic loss because it was discovered immediately by Experian, the IRS, . . . Plaintiff, or the credit card company before it could cause any actual damage to those Plaintiffs" (Dkt. No. 49 at 22). Although some courts have found that plaintiffs whose personal information was actually misused have suffered "an actual injury for which they may recover," In re: Banner Health Data Breach Litigation, No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *8 (D. Ariz. Dec. 20, 2017), California and Massachusetts require a measurable loss as a necessary element of a negligence claim. See Corona, 2015 WL 3916744, at *3; Donovan, 914 N.E.2d at 899. Consequently, the court agrees with Defendants that Scoles, Batalha, and Pease have failed to adequately allege monetary losses. See In re: SuperValu, Inc., Customer Data Sec. Breach Litig., Court File No. 14-MD-2586 ADM/TNL, 2018 WL 1189327, at *11 (D. Minn. Mar. 7, 2018), aff'd sub nom. In re: SuperValu, Inc., 925 F.3d at 955 ("Data breach cases in Illinois and elsewhere have repeatedly held that a cardholder's mere allegation of an unauthorized charge, unaccompanied by an out-of-pocket loss, is not sufficient to state an actionable injury.") (citing cases); Savidge v. Pharm-Save, Inc., CIVIL ACTION NO. 3:17-CV-00186-TBR, 2017 WL 5986972, at *4 (W.D. Ken. Dec. 1, 2017) (there was no cognizable injury from the filing of a fraudulent tax return that the IRS did not process).
However, the Complaint adequately alleges that Portier suffered harm when a fraudulent tax return was filed under his social security number and the receipt of his tax refund was delayed. He claims that because he did not receive his tax refund on time to pay his child's camp tuition, he had to pay the tuition with a credit card, which resulted in the payment of interest on the outstanding credit card balance that, otherwise, he would not have had to pay (Dkt. No. 45 ¶ 24). Cf. In re: Yahoo! Inc. Customer Data Sec. Breach Litig., Case No. 16-MD-02752-LHK, 2017 WL 3727318, at *14 (N.D. Cal. Aug. 30, 2017) (a delayed tax refund was a cognizable injury for the standing analysis).
"In recent years, a growing number of [c]ourts have recognized that the purchase of credit monitoring services and the costs expended to deal with fraudulent activity following the theft of PII, when spent with the knowledge that stolen information has already been misused, can constitute cognizable injuries." Savidge v. Pharm-Save, Inc., 2017 WL 5986972, at *5 (citing cases). See id. at *6 (recognizing the purchase of identity protection services as an injury caused by negligence); Castillo, 2016 WL 9280242, at *4 (recognizing out-of-pocket expenses as cognizable injuries); Corona, 2015 WL 3916744, at *4 (finding that plaintiffs adequately alleged cognizable injuries in the form of costs related to credit monitoring, identity theft protection, and penalties); Anderson, 659 F.3d at 166 (finding plaintiffs' purchases of identity theft insurance and credit monitoring services to protect against fraud were cognizable injuries). Thus, Snellgrove's, Tansil's, and Pease's claims that they incurred costs to purchase credit monitoring services and Pease's assertion that he expended other amounts to address the consequences of the data breach — $11,000 in fraudulent charges on his credit card — and to mitigate future harm are also sufficient to allege cognizable injuries (Dkt. No. 45 ¶¶ 25, 27, 34). The fact that Defendants provided two years of free credit monitoring and identity theft protection for the victims of the data breach did not preclude Plaintiffs from purchasing enhanced services or protection after the free services expired. See Castillo, 2016 WL 9280242, at *4. Plaintiffs' allegations that they purchased credit monitoring services and incurred out-of-pocket expenses to respond to the data breach are sufficient at this stage of the litigation to show injuries that would entitle Plaintiffs to relief.
Third, although "general allegations of lost time are too speculative to constitute cognizable injury," Corona, 2015 WL 3916744 at *4, the named Plaintiffs have assigned a monetary value to a specific number of hours they expended to address and monitor the consequences of the data breach (Dkt. No. 45 ¶¶ 24-34). According to the RESTATEMENT (SECOND) OF TORTS, § 919(1) (AM. LAW INST. 1979), "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." In Massachusetts, this has been read to include "`the value of [a considerable amount of] time spent' in seeking to prevent or undo the harm" caused by the misuse of PII. Kuhn v. Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006) (unpublished) (quoting RESTATEMENT (SECOND) OF TORTS, § 919 cmt. 2 (AM. LAW INST. 1979)). See Dieffenbach, 887 F.3d at 828 ("[T]he value of one's own time needed to set things straight is a loss from an opportunity-cost perspective [which] can justify money damages just as they support standing.") (cited with approval in Bass, 394 F. Supp. 3d at 1035, 1039).
To the extent the Complaint states cognizable injuries, Defendants claim that the economic loss doctrine bars negligence claims asserting purely economic losses (Dkt. No. 49 at 21-22). "The economic-loss rule is an `obscure' but important legal doctrine, which holds that a plaintiff may not recover economic losses resulting from the defendant's negligence without corresponding physical damage to the plaintiff's person or property." Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255, 297 (2005) (footnote omitted). "Not all states have adopted the economic loss rule, and those that have vary widely in their understanding of the doctrine's scope." Banknorth, N.A. v. B.J.'s Wholesale Club, Inc., 394 F.Supp.2d 283, 287 (D. Me. 2005). "While some states apply the economic loss doctrine only in products liability cases or when it is apparent that a plaintiff in privity with the defendant is seeking to circumvent provisions of the contract, other states apply the doctrine widely, barring all claims in tort that fail to allege either personal injury or property damage." Id. (citations omitted). "Still other states appear to view the economic loss doctrine as a proxy for determining whether a defendant owes a special duty to the plaintiff, and undertake a foreseeability analysis in applying the doctrine." Id. Because Plaintiff John Tansil worked for Defendants in California and was a California resident at the time of the data breach, the other named Plaintiffs lived and worked in Massachusetts, and those two states' treatment of the economic loss doctrine differs, the application of the economic loss doctrine to Mr. Tansil's claims and to those of the named Massachusetts Plaintiffs is discussed separately.
California applies the economic loss rule to "prevent[] the law of contract and the law of tort from dissolving one into the other." Robinson Helicopter Co. v. Dana Corp., 102 P.3d 268, 273 (Cal. 2004) (citation omitted). See Aas v. Superior Court, 12 P.3d 1125, 1135 (Cal. 2000), superseded by statute on other grounds as recognized in McMillin Albany LLC v. Superior Court, 408 P.3d 797 (Cal. 2018) ("A person may not ordinarily recover in tort for the breach of duties that merely restate contractual obligations."). "However, the economic loss rule does not prevent recovery in tort if a `special relationship' exists between the plaintiff and the defendant." In re: Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F.Supp.3d 1113, 1131 (N.D. Cal. 2018) (quoting J'Aire Corp. v. Gregory, 598 P.2d 60, 63 (Cal. 1979); Biakanja v. Irving, 320 P.2d 16, 19 (Cal. 1958)).
California courts consider six criteria to determine whether a special relationship exists:
J'Aire, 598 P.2d at 63. "All six factors must be considered by the court and the presence or absence of one factor is not decisive." In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d at 968 (citing Kalitta Air, LLC v. Cent. Tex. Airborne Sys., Inc., 315 F. App'x 603, 605-06 (9th Cir. 2008)).
Applying those criteria to the facts pled in the Complaint, it can reasonably be concluded that a special relationship existed between Mr. Tansil and Defendants. First, the transaction that gave rise to the data breach was intended to affect Mr. Tansil because Defendants required their employees to provide their PII as a condition of employment (Dkt. No. 45 ¶ 5). See Corona, 2015 WL 3916744, at *5 (where the plaintiffs gave their PII to their employer in order to receive compensation and employment benefits, there could be "no doubt" that the transaction was "intended to affect" them). Second, the prior data breaches and the failure to encrypt the data made the harm foreseeable (Dkt. No. 45 ¶¶ 9, 48). See id. (data breach and resulting injury to former employees were foreseeable because the defendant had been the victim of other data breaches). Compare Castillo, 2016 WL 9280242, at *6 (finding that the complaint failed to adequately allege the foreseeability of the data breach where there was no evidence that defendants knew of similar scams that phished for W-2 information). Next, Mr. Tansil adequately alleges that he suffered injuries and that there was "a close connection between [Defendants'] conduct (releasing personal identifying information) and the harm [he] suffered (identity theft)" (Dkt. No. 45 ¶ 27). Id. at *5. "Once the [PII] was released to the wrong individuals, the filing of false tax returns [and the fraudulent use of credit cards were] a natural consequence flowing from the careless release of information." Id. "Fifth, the moral blame attached to Defendant's conduct is high, given [Mr. Tansil's] allegations that Defendant failed to take the appropriate measures to protect [his] information" (Dkt. No. 45 ¶¶ 48, 50). Gardner v. Health Net, Inc., Case No. CV 10-2140 PA (CWx), 2010 WL 11571242, at *3 (C.D. Cal. Nov. 29, 2010). 
"Finally, the policy of preventing future harm supports the availability of damages here, given the prevalence of identity theft and the need to protect [employees'] confidential information." Id. See Castillo, 2016 WL 9280242, at *5 ("the need to protect [employees'] sensitive information from similar attacks in the future is great."). Under California law, because the Complaint adequately alleges a special relationship between Defendants and Mr. Tansil, the economic loss doctrine should not apply to bar his negligence claims. See also Bass, 394 F. Supp. 3d at 1039 (finding that the economic loss rule did not apply because "plaintiff alleged his lost time as a harm and so does not allege pure economic loss.").
Relying on In re TJX Cos. Retail Sec. Breach Litig. (hereinafter TJX), 564 F.3d 489 (1st Cir. 2009), and Cumis Ins. Soc'y, Inc. v. B.J.'s Wholesale Club, Inc. (hereinafter Cumis), 918 N.E.2d 36 (Mass. 2009), Defendants contend that the Massachusetts Plaintiffs' negligence claims are barred by the economic loss doctrine (Dkt. No. 49 at 21-22).
Defendants have not identified any case that applied Massachusetts' view of the economic loss doctrine to a claim for negligence based on the theft and misuse of employees' PII that they entrusted to their employer as a condition of employment, and the court has not found any. In the circumstances, a "federal court sitting in diversity [is] charged with predicting how [the state supreme court] would decide if presented with the identical issue." Dumas v. Infinity Broad. Corp., 416 F.3d 671, 680 n.11 (7th Cir. 2005). See Losacco v. F.D. Rich Constr. Co., 992 F.2d 382, 384 (1st Cir. 1993) ("When the highest state court has not issued a definitive ruling on the precise issue at hand, the federal courts may refer to analogous decisions, considered dicta, scholarly works, or other reliable sources to ascertain how the highest court would rule."). The question here is not free from doubt. Nonetheless, because the facts of TJX and Cumis are distinguishable from the facts of the instant case, because the legal landscape concerning liability for data breaches and identity theft is substantially different than it was when TJX and Cumis were decided ten years ago, and because the application of the economic loss doctrine in Massachusetts and Pennsylvania has been similar, in this court's view, Massachusetts appellate courts would likely follow a recent decision of the Pennsylvania Supreme Court, which permitted recovery for pecuniary losses caused by negligence in a case with comparable facts. See Dittman v. UPMC, 196 A.3d 1036, 1056 (Pa. 2018); see also S. Indep. Bank v. Fred's, Inc., CASE NO. 2:15-CV-799-WKW, 2019 WL 1179396, at *15 n.10 (M.D. Ala. Mar. 13, 2019) (finding that Dittman put the state of Pennsylvania's economic loss rule "in doubt").
In Massachusetts, generally speaking, "`the economic loss doctrine bars recovery unless the plaintiffs can establish that the injuries they suffered due to the defendants' negligence involved physical harm or property damage, and not solely economic loss.'" Saunwin Int'l Equities Fund LLC v. Donvill Kent Asset Mgmt. Inc., Civil Action No. 17-11585-FDS, Civil Action No. 17-11631-FDS, 2018 WL 3543533, at *18 (D. Mass. July 20, 2018) (quoting Cumis, 918 N.E.2d at 46). "The rule establishes limitations on damages a plaintiff may plead and recover in a negligence action." Wyman v. Ayer Props., LLC, 11 N.E.3d 1074, 1079 (Mass. 2014). See TJX, 564 F.3d at 498 ("Like `duty' and `proximate cause,' the doctrine cabins what could otherwise be open-ended negligence liability to anyone affected by a negligent act."); Stop & Shop Cos. v. Fisher, 444 N.E.2d 368, 371 (Mass. 1983) (the economic loss doctrine barred recovery for loss of business revenue caused by defendant's negligent collision with a bridge causing obstruction of access to plaintiff's business). It is well-settled that the economic loss doctrine bars liability for negligence where there was a contract between the plaintiff and the defendant or where, in a products liability case, the defective product damages itself and no other person or property. See Rule v. Fort Dodge Animal Health, Inc., 604 F.Supp.2d 288, 293 (D. Mass. 2009), aff'd, 607 F.3d 250 (1st Cir. 2010) ("The rationale for the economic loss rule is that when a commercial product fails without harming persons or other property, `the resulting loss due to repair costs, decreased value, and lost profits is essentially the failure of the purchaser to receive the benefit of its bargain — traditionally the core concern of contract law.'") (quoting E. River Steamship Corp. v. Transamerica Delaval Inc., 476 U.S. 858, 870 (1986)); Strategic Energy, LLC v. W. Mass. Elec. Co., 529 F.Supp.2d 226, 237 (D. Mass. 2008) ("the underlying rationale of the economic loss rule [is] the idea that `parties to a contract may allocate their risks by agreement and do not need the special protections of tort law to recover for damages caused by a breach of the contract.'") (quoting Arthur D. Little Int'l v. Dooyang Corp., 928 F.Supp. 1189, 1202 (D. Mass. 1996)); Sebago, Inc. v. Beazer E., Inc., 18 F.Supp.2d 70, 89 (D. Mass. 1998) ("The rationale underlying the economic loss doctrine is that damage to a product itself `means simply that the product has not met the customer's expectations, or, in other words, that the customer has received "insufficient product value." The maintenance of product value and quality is precisely the purpose of express and implied warranties.'") (quoting E. River Steamship Corp., 476 U.S. at 872).
Pennsylvania's economic loss doctrine mirrors the rule in Massachusetts. See Sovereign Bank v. B.J.'s Wholesale Club, Inc., 533 F.3d at 175 ("The [Pennsylvania] Economic Loss Doctrine provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage.") (quoting Adams v. Copper Beach Townhome Cmtys., L.P., 816 A.2d 301, 305 (Pa. Super. Ct. 2003)). Massachusetts and Pennsylvania "embraced [a] fairly robust per se economic loss rule[], and data security breach claims decided under those states' underlying common law have not fared well." Catherine M. Sharkey, Symposium: Can Data Breach Claims Survive the Economic Loss Rule? 66 DePaul L. Rev. 339, 350 (2017). Accord Fred's, Inc., 2019 WL 1179396, at *15 ("At least two states, Massachusetts and Pennsylvania, apply a stringent version of the . . . rule to bar tort recovery for pure economic losses in general.").
In Dittman, however, the Pennsylvania Supreme Court found that the economic loss doctrine did not bar employees from recovering monetary losses that were caused by their employer's negligence in circumstances that are strikingly similar to those in the instant case. As a condition of employment, the employees were required to supply their employer, the defendant UPMC, with their personal and financial information, including their social security numbers; the defendant collected and stored the employees' PII on their internet accessible computer system; the employees' PII, which was not encrypted or adequately secured, was accessed and stolen from the defendant's computer system; and the stolen data was used to file fraudulent tax returns. See Dittman, 196 A.3d at 1038-39. Given those facts, the court was tasked with answering two interrelated questions concerning whether an employer who stores its employees' PII could be held liable under a negligence theory for the monetary losses incurred by the employees who were the victims of a data breach committed by a third party:
Id. at 1043. The majority of the court answered "yes" to both questions.
As to the first question concerning the defendant's duty, the majority concluded that because the defendant undertook the affirmative acts of collecting and storing its employees' personal and financial information on its internet accessible computer system, it had a common law duty to exercise reasonable care to protect the data from the foreseeable risk of a data breach. See id. at 1046-48. In rejecting the defendant's argument that a third party's criminal conduct caused the employees' harm and superseded the defendant's duty to its employees, the court stated, "[t]he alleged conditions surrounding [the defendant's] data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in [defendant's] computer system and steal [e]mployees' information; thus, the data breach was `within the scope of the risk created by' [the defendant]." Id. at 1048 (citation omitted).
As to the second question concerning the applicability of the economic loss doctrine, the majority limited the rule's scope by permitting recovery of pecuniary losses in negligence cases in which the defendant's legal duty is separate and distinct from a duty that arises from a contract between the parties. The court noted that its precedent did not "stand for the proposition that the economic loss doctrine . . . precludes all negligence claims seeking solely economic damages." Id. at 1054. "`Pennsylvania has long recognized that purely economic losses are recoverable in a variety of tort actions including . . . professional malpractice actions. . . .' [and that] `a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law.'" Id. at 1052 (quoting Bilt Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 288 (Pa. 2005)). Consequently, according to the majority, "under Pennsylvania's economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant's breach of a legal duty arising under common law that is independent of any duty assumed pursuant to a contract." Id. at 1038. Because the employees established that the defendant's duty to safeguard their PII did not arise from a contract between the parties, the majority determined that the economic loss doctrine did not bar the employees' negligence claims. See id. at 1054-56.
Based on the factual similarities between Dittman and the instant case and the legal parallels between the application of Pennsylvania's economic loss doctrine and that of Massachusetts, in the view of the undersigned, it is likely that the Massachusetts Supreme Judicial Court ("SJC") would apply Dittman's reasoning and permit recovery for pecuniary losses due to Defendants' negligence in the circumstances presented here. First, given that "`imposition of a duty generally responds to changed social conditions,'" Jupin, 849 N.E.2d at 835-36 (quoting Petolicchio v. Santa Cruz Cty. Fair & Rodeo Ass'n, 866 P.2d 1342, 1348 (Ariz. 1994)), Massachusetts law would support imposing a duty on employers who collect and store employees' PII that is comparable to the duty articulated by the Dittman majority. See id. at 836-37.
Second, like Pennsylvania, Massachusetts permits recovery of purely economic losses for a range of torts. See, e.g., Sebago, Inc., 18 F. Supp. 2d at 96 ("negligent misrepresentation claims stemming from the provision of services.") (citing cases); Ravnikar v. Bogojavlensky, 782 N.E.2d 508, 511 (Mass. 2003) (defamation); Shafir v. Steele, 727 N.E.2d 1140, 1146 (Mass. 2000) (libel); Clark v. Rowe, 701 N.E.2d 624, 626-27 (Mass. 1998) (legal malpractice); Abrams v. Factory Mut. Liab. Ins. Co., 10 N.E.2d 82, 84 (Mass. 1937), abrogated on other grounds by Hartford Cas. Ins. Co. v. N. H. Ins. Co., 628 N.E.2d 14 (Mass. 1994) ("negligence in the manner of performing [a contractual] duty as distinguished from mere failure to perform it, causing damage, is a tort."); Frank Cooke, Inc. v. Hurwitz, 406 N.E.2d 678, 685-86 (Mass. App. Ct. 1980) (accountant malpractice). Moreover, like the Pennsylvania Supreme Court in Dittman, courts applying Massachusetts law have examined the "`source of the duty'" that was allegedly breached and have permitted recovery in tort if the duty arises independently of a party's contractual obligations. Dittman, 196 A.3d at 1054 (quoting Bilt-Rite, 866 A.2d at 288). See Szulik v. State St. Bank & Tr. Co., 935 F.Supp.2d 240, 270-71 (D. Mass. 2013) (in determining whether the economic loss doctrine barred a negligence claim, the court examined the origin of the duties the plaintiff sought to enforce); Strategic Energy, LLC, 529 F. Supp. 2d at 236-37 (the economic loss doctrine did not require dismissal of a negligence claim where some of the duties that a party allegedly breached were mandated by statute and, thus, were independent of the negotiated contract); Anderson v. Fox Hill Vill. Homeowners Corp., 676 N.E.2d 821, 823 (Mass. 1997) (distinguishing negligence in performing a duty under a contract (a tort) from a failure to perform the duty (a breach of contract) and noting that tort obligations "`are in general obligations that are imposed by law on policy considerations to avoid some kind of loss to others. They are obligations imposed apart from and independent of promises made and therefore apart from any manifested intention of parties to a contract or other bargaining transaction.'") (quoting WILLIAM LLOYD PROSSER & W. PAGE KEETON, TORTS § 92, at 656 (5th ed. 1984)). Because, here, the common law, rather than any negotiated agreement, would be the source of Defendants' duty to safeguard Plaintiffs' W-2 information, the SJC likely would conclude that the economic loss doctrine should not bar Plaintiffs' negligence claim.
Further, there is authority stating that "Massachusetts courts have declined to apply the economic loss doctrine to tort claims against a fiduciary." Szulik, 935 F. Supp. 2d at 271 n.11 (citing Clark, 701 N.E.2d at 626). Although "an employer generally does not owe a fiduciary duty to an employee," Estate of Moulton v. Puopolo, 5 N.E.3d 908, 921 (Mass. 2014), where there is a special relationship between an employer and employee, the employer has a duty to protect the employee from harm. See Colella v. Children's Hosp. Corp., Civil Action No. 14-11687-LTS, 2014 WL 12581775, at *5 (D. Mass. Nov. 4, 2014) (implying that exceptions exist to the general rule that there is no fiduciary relationship between employee and employer); UBS Fin. Servs., Inc. v. Aliberti, 133 N.E.3d 277, 288 (Mass. 2019) (established facts may give rise to fiduciary duties); Warsofsky v. Sherman, 93 N.E.2d 612, 615 (Mass. 1950) (listing "employer and employee" as one "familiar and well recognized form[] of fiduciary relationship").
"In deciding whether a special relationship exists between a particular plaintiff and defendant, [the court's] foremost consideration is whether `a defendant reasonably could foresee that he would be expected to take affirmative action to protect the plaintiff and could anticipate harm to the plaintiff from the failure to do so.'" Adams, 65 N.E.3d at 1235 (quoting Irwin v. Ware, 467 N.E.2d 1292, 1300 (1984)). Based on the allegations in the Complaint, a special relationship can be inferred between Plaintiffs and Defendants because NEO Tech had exclusive control over their employees' PII that it collected and stored, Plaintiffs, who were "`powerless'" to protect their PII, relied on NEO Tech to safeguard their PII from cyber thieves, and NEO Tech should have reasonably foreseen the harm that befell Plaintiffs when it failed to adequately secure their PII (Dkt. No. 45 ¶ 83). Clark, 701 N.E.2d at 626-27 (quoting Berman v. Coakley, 137 N.E. 667, 670 (Mass. 1923)). See id. at 627 (permitting recovery for economic loss due to legal malpractice based on the imbalance of power between the parties); Foley, 555 N.E.2d at 237 n.5 (noting that "[a] number of jurisdictions have held that the employer-employee relationship may in certain circumstances give rise to a duty to protect the employees from the criminal acts of third parties" where the criminal acts are reasonably foreseeable) (citing cases); Adams, 65 N.E.3d at 1236 ("companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against misuse of that data."); see also Dittman, 196 A.3d at 1056-57 (an employer who collects its employees' PII has a "special relationship" with those employees with respect to their PII) (Saylor, C.J., concurring and dissenting).
Because there is support for Massachusetts to join the other states that permit recovery for economic losses in data breach cases, the court recommends the denial of so much of Defendants' motion to dismiss as challenges the adequacy of the Massachusetts Plaintiffs' negligence claim that is based on the breach of Defendants' duty to safeguard Plaintiffs' W-2 information.
Assuming without deciding that Defendants failed to comply with their duty to disclose the data breach within a reasonable time, Plaintiffs' negligence claim based on that theory fails. As to Plaintiffs who were employed by Defendants when the breach occurred on Friday, January 27, 2017, Defendants notified them on the second business day following the breach (Dkt. No. 45 ¶¶ 3, 24, 25, 28, 31, 32, 33). Plaintiffs who were no longer employed by Defendants in January 2017 — Batalha and Roda, who had been employed in Massachusetts, and Mr. Tansil, who had been employed in California — received notification on February 10, 2017, which was fourteen days after the data breach (Dkt. No. 45 ¶¶ 26, 27, 30).
"California's Unfair Competition Law ["UCL"] proscribes all [1] unlawful, [2] unfair, or [3] fraudulent business acts or practices." Castillo, 2016 WL 9280242, at *6 (citing Cal. Bus. & Prof. Code § 17200 et seq.). "The UCL's coverage is sweeping, and its standard for wrongful business conduct intentionally broad." Moore v. Apple, Inc., 73 F.Supp.3d 1191, 1204 (N.D. Cal. 2014). "Each prong of the UCL is a separate and distinct theory of liability. . . ." Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007). "[A] UCL claim "`must identify the particular section of the statute that was violated, and must describe with reasonable particularity the facts supporting the violation."'" In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d at 989 (quoting Baba v. Hewlett-Packard Co., No. C 09-05946 RS, 2010 WL 2486353, at *6 (N.D. Cal. June 16, 2010)). California Plaintiff John Tansil makes claims under all three prongs of the statute.
"The `unlawful' prong of the UCL prohibits "`anything that can properly be called a business practice and that at the same time is forbidden by law."'" In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1225 (N.D. Cal. 2014) (quoting Cel-Tech Commc'ns, Inc. v. Los Angeles Cellular Tel. Co., 973 P.2d 527, 539 (Cal. 1999)). "The UCL's unlawful prong allows plaintiffs to `borrow' other laws and make claims independently actionable under the UCL." Castillo, 2016 WL 9280242, at *6 (quoting Cel-Tech Commc'ns, Inc., 973 P.2d at 539). Mr. Tansil identified Defendants' alleged violation of California's Customer Records Act ("CRA"), Cal. Civ. Code § 1798.80, et seq., and pertinent facts to support his claim (Dkt. No. 45 ¶¶ 72, 93, 94).
Defendants' argument — that the CRA applies only to customers — is not supported by the holding of Castillo, which found a violation of the CRA in circumstances similar to those presented here (Dkt. No. 49 at 25). In Castillo, the court found that "[a]lthough the CRA is primarily concerned with the protection of customer data, . . . and provides remedies only for customers harmed by its violation, . . . its plain language nonetheless operates to protect some non-customer information." Castillo, 2016 WL 9280242, at *7 (citations omitted). See Cal. Civ. Code §§ 1798.81.5(a)-(b), 1798.82. The Castillo employees' allegation that their employer failed to adequately safeguard their PII from exposure to unauthorized third parties was sufficient to withstand dismissal under the UCL's unlawful prong. See Castillo, 2016 WL 9280242, at *7.
"The `unfair' prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law." In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1225. "What activities constitute `unfair' business practices under the UCL is an issue currently in flux." Castillo, 2016 WL 9280242, at *7 (citing Davis v. HSBC Bank Nev., N.A., 691 F.3d 1152, 1169 (9th Cir. 2012)).
Bardin v. DaimlerChrysler Corp., 39 Cal.Rptr.3d 634, 636 (Cal. Ct. App. 2006) (citations omitted). "Absent guidance from the California courts about the proper definition of an `unfair' business practice, federal courts have applied both tests." Castillo, 2016 WL 9280242, at *7 (citing Lozano, 504 F.3d at 736) (citations omitted).
Plaintiff Tansil has sufficiently stated a claim under the "public policy" test because he has adequately pled a violation of the CRA. See id.; In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d at 990. In addition, NEO Tech "cannot offer a compelling reason or justification for its allegedly weak security protocol and mishandling of information that would outweigh the effect on [P]laintiff[]" of having his W-2 information stolen and misused by cyber thieves. Castillo, 2016 WL 9280242, at *7. Consequently, Mr. Tansil has adequately alleged a claim under this balancing test.
Defendants seek dismissal of the UCL fraud claim on the ground that the Complaint fails to allege a "fraudulent or deceptive statement" (Dkt. No. 49 at 25). However, Plaintiff grounds his fraud claim on Defendants' allegedly fraudulent concealment of their inadequate protection of their employees' W-2 information that was stored in NEO Tech's computers (Dkt. No. 45 ¶ 99).
The fraud prong of the UCL addresses "whether `members of the public are likely to be deceived'" by a defendant's acts. Thomas v. Sprint Sols., Inc., No. C08-5119 TEH, 2010 WL 1263189, at *6 (N.D. Cal. Mar. 30, 2010) (citation omitted). "`In order to be deceived, members of the public must have had an expectation or an assumption about' the matter in question." Collins v. eMachines, Inc., 134 Cal.Rptr.3d 588, 595 (Cal. Ct. App. 2011) (citation omitted). "For an omission claim to be actionable under the UCL, `the omission must be contrary to a representation actually made by the defendant, or an omission of a fact the defendant was obliged to disclose.'" In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1229 (quoting Daugherty v. Am. Honda Motor Co., 51 Cal.Rptr.3d 118, 126 (Cal. Ct. App. 2007)). "Although a UCL claim need not plead the elements of common law fraudulent deception, it must allege the existence of a duty to disclose, Berryman v. Merit Prop. Mgmt., Inc., [Cal. Rptr. 3d 177, 188 (Cal. Ct. App. 2007)], as well as reliance, In re Tobacco II Cases, [207 P.3d 20, 40 (Cal. 2009)]." Barocio v. Bank of Am., N.A., No. C 11-5636 SBA, 2012 WL 3945535, at *8 (N.D. Cal. Sept. 10, 2012). As to the duty to disclose,
Thomas, 2010 WL 1263189, at *6 (alteration in original) (citation omitted). In addition, "there are two `sub-elements' that must be satisfied to establish reliance: (1) that had the omitted information been disclosed, one would have been aware of it; and (2) behaved differently." Hamm v. Mercedes-Benz USA, LLC, Case No. 5:16-cv-03370-EJD, 2019 WL 4751911, at *6 (N.D. Cal. Sept. 30, 2019).
The allegations in the Complaint, and the reasonable inferences that can be drawn therefrom, when viewed under the plaintiff-favorable standard that is applicable at this stage of the litigation, are adequate to state a viable claim for fraud under the UCL based on a material omission, albeit barely. From Plaintiff's allegations that he "would have insisted that [his] W-2 information be more securely protected and removed from NEO Tech's systems promptly after [his] employment ended," and that NEO Tech had experienced two data breaches prior to January 2017, it is reasonable to infer that NEO Tech had exclusive knowledge of the vulnerabilities of its computer system in which its employees' PII was stored and did not share this information with its employees who reasonably expected that NEO Tech would safeguard the sensitive information that they were required to submit (Dkt. No. 45 ¶¶ 9, 48, 99). The information NEO Tech concealed about its subpar security system was material. See Hamm, 2019 WL 4751911, at *6 ("`That one would have behaved differently can be presumed, or at least inferred, when the omission is material.'") (quoting Daniel v. Ford Motor Co., 806 F.3d 1217, 1225 (9th Cir. 2015)). As to the duty to disclose element, the allegations that Mr. Tansil was required to entrust his W-2 information to Defendants as a condition of his employment and that NEO Tech had absolute control of that information are sufficient to establish Defendants' fiduciary duty (Dkt. No. 45 ¶¶ 5, 15, 53, 81, 83, 101). See Thomas, 2010 WL 1263189, at *6. In addition, it is reasonable to infer that NEO Tech had exclusive knowledge of the flaws in its security. See id. As to the first prong of the reliance element, that the employees would have been aware of the inadequate security measures if their employer had disclosed them is a plausible supposition. See Baranco v. Ford Motor Co., 294 F.Supp.3d 950, 967 (N.D. Cal. 2018).
As to the second prong, Plaintiff has adequately alleged that he would have acted differently by demanding additional security measures if the weaknesses in the system had been disclosed (Dkt. No. 45 ¶ 99). See Hamm, 2019 WL 4751911, at *6. "For these reasons, the [c]ourt concludes that Plaintiff [has] adequately pleaded that [Defendants] had a duty to disclose that [their] security practices were not up to industry standards, that this omission was material, and that Plaintiff[] relied on this omission to [his] detriment." In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1231.
Although it appears that Mr. Tansil has adequately stated violations of the UCL, he has not demonstrated an entitlement to relief. "`A UCL action is equitable in nature; damages cannot be recovered. . . . [California's courts] have stated under the UCL, "[p]revailing plaintiffs are generally limited to injunctive relief and restitution."'" In re Tobacco II Cases, 207 P.3d at 29 (second alteration in original) (citations omitted) (quoting Korea Supply Co. v. Lockheed Martin Corp., 63 P.3d 937, 943 (Cal. 2003)). Defendants argue that relief is not available because Plaintiff fails to allege that Defendants obtained money or other financial benefits by their conduct (Dkt. No. 49 at 26). See Kwikset Corp., 946 P.3d at 895 ("A restitution order against a defendant thus requires both that money or property have been lost by a plaintiff, on the one hand, and that it have been acquired by a defendant, on the other."). Plaintiff, for his part, does not contend that he is entitled to restitution, but contends that he is entitled to injunctive relief in the form of an order requiring Defendants to take steps to avoid future security breaches by engaging outside security auditors to ensure compliance with prudent industry practices, providing training and education for employees who have access to employees' personal and confidential information, and conducting periodic internal security checks (Dkt. No. 45 ¶ 102). However, Plaintiff "do[es] not allege a threat of continuing misconduct" as is required to obtain injunctive relief. Smith v. Antioch Unified Sch. Dist., Case No. 16-cv-01676-RS, 2016 WL 5419434, at *4 (N.D. Cal. Sept. 26, 2016). See Sun Microsystems, Inc. v. Microsoft Corp., 188 F.3d 1115, 1123 (9th Cir. 1999) abrogated on other grounds by eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388 (2006) (injunctive relief is not available without a showing that past conduct will probably recur). 
Plaintiff's conclusory and speculative assertion that he is "at risk for future identity theft and fraudulent activity" is insufficient to demonstrate an actionable threat of future harm (Dkt. No. 45 ¶ 100). See Castillo, 2016 WL 9280242, at *8 (rejecting request for injunctive relief based on plaintiffs' claim that "they face[d] an `increased risk of future identity theft'").
Because Mr. Tansil fails to allege that "a `real or immediate threat' exists that [he] will be wronged again," Rahman v. Mott's LLP, No. CV 13-3482 SI, 2014 WL 5282106, at *5 (N.D. Cal. Oct. 15, 2014) (quoting City of Los Angeles v. Lyons, 461 U.S. 95, 111 (1983)), he has not shown that he is entitled to relief under the UCL. See Ice Cream Distribs. of Evansville v. Dreyer's Grand Ice Cream, Inc., 487 F. App'x 362, 363 (9th Cir. 2012) (affirming dismissal of plaintiff's UCL claim where plaintiff failed to plead entitlement to restitution or injunctive relief). Accordingly, the court recommends that so much of Count II as alleges a violation of the UCL be dismissed.
In Count II, the Massachusetts Plaintiffs allege a cause of action under Mass. Gen. Laws ch. 93H and 201 Mass. Code Regs. § 17.00 et seq. (Dkt. No. 45 ¶¶ 93, 95).
Plaintiffs seek to enforce chapter 93H through chapter 93A. According to the Complaint, Defendants allegedly violated Mass. Gen. Laws ch. 93A, §§ 2(a) and 9 ("Chapter 93A") by failing to encrypt Plaintiffs' social security numbers and by unreasonably delaying the notice of the data breach as required by Mass. Gen. Laws ch. 93H and the regulations promulgated thereunder (Dkt. No. 45 ¶¶ 95, 96). Defendants argue that chapter 93H does not provide for a private cause of action and, to the extent it does, they complied with the regulation's notice requirement and the Complaint fails to sufficiently allege a violation of the regulations that require encryption in specific circumstances (Dkt. No. 49 at 24; Dkt. No. 60 at 8).
The SJC has not weighed in on the question of whether chapter 93H can be enforced by a private right of action through Chapter 93A. The court need not address this question because it is well-established that Chapter 93A does not apply to claims made by an employee against an employer. See Debnam v. FedEx Home Delivery, 766 F.3d 93, 96-97 (1st Cir. 2014) ("an employee cannot bring a suit against his or her employer under Chapter 93A."); Vertex Surgical, Inc. v. Paradigm Biodevices, Inc., 648 F.Supp.2d 226, 231 n.2 (D. Mass. 2009) ("[A] federal court, in applying state law, must look to the pronouncements of the [SJC], as the highest court in Massachusetts."); Anzalone v. Mass. Bay Transp. Auth., 526 N.E.2d 246, 248 (Mass. 1988) (Chapter 93A does not apply to a suit brought by employees against their employer); Manning v. Zuckerman, 444 N.E.2d 1262, 1266 (Mass. 1983) ("disputes between an employer and an employee . . . are principally `private in nature' and do not occur in the ordinary `conduct of any trade or commerce' as contemplated by the statute.").
Here, Plaintiffs contend that, by violating Mass. Gen. Laws ch. 93H, § 3(b) and 201 Mass. Code Regs § 17.04, Defendants engaged in unfair or deceptive acts or practices that are actionable under Chapter 93A. To establish entitlement to relief under Chapter 93A, the Complaint must plead sufficient facts to demonstrate
UBS Fin. Servs., Inc., 133 N.E.3d at 291 (quoting Rafferty v. Merck & Co., 92 N.E.3d 1205, 1222 (Mass. 2018)).
Assuming that violations of Mass. Gen. Laws ch. 93H, § 3(b) and 201 Mass. Code Regs. § 17.04 could apply to NEO Tech, which was located in California, and could constitute unfair or deceptive acts or practices, the Complaint nonetheless fails to allege facts sufficient to establish that the unfair or deceptive acts or practice injured Plaintiffs "in the conduct of any trade or commerce." Mass. Gen. Laws ch. 93A, § 2(a).
Mass. Gen. Laws Ann. ch. 93A, § 1(b).
"`Trade or commerce' refers to transactions in a `business context,' Lantner v. Carson, 373 N.E.2d 973, 976 (Mass. 1978), which, in turn, is `determined by the facts of each case,' on consideration of `the nature of the transaction, the character of the parties and their activities, and whether the transaction was motivated by business or personal reasons.'" Feeney v. Dell, Inc., 908 N.E.2d 753, 770 (Mass. 2009) (quoting Poznik v. Mass. Med. Prof'l Ins. Ass'n, 628 N.E.2d 1, 3 (Mass. 1994)). See UBS Fin. Servs., Inc., 133 N.E.3d at 292; Klairmont v. Gainsboro Rest., Inc., 987 N.E.2d 1247, 1256 (Mass. 2013). While Defendants were engaged in trade or commerce, Plaintiffs were employees, not consumers, who provided their Social Security numbers as a condition of employment. There is no allegation that Defendants acquired the information for a commercial purpose beyond the purpose of complying with federal and state laws governing the employer-employee relationship. Furthermore, the claims arise wholly from Plaintiffs' status as Defendants' current or former employees. It is well-settled that Chapter 93A does not apply to claims by an employee against an employer. See Allstate Ins. Co. v. Fougere, CIVIL ACTION NO. 16-11652-JGD, 2019 WL 4776986, at *17 (D. Mass. Sept. 30, 2019) (". . . 93A does not apply to . . . a suit by an employee against his or her employer."); Anzalone, 526 N.E.2d at 248 (same); Manning, 444 N.E.2d at 1266 ("Disputes arising out of the employment relationship between an employer and an employee are not cognizable under [Chapter] 93A.").
Plaintiffs have not pointed to any exception to the bar against an employee asserting a Chapter 93A claim against his or her employer and the court is aware of none. A federal court sitting in diversity does not have the power to overrule SJC precedent. The First Circuit has "`warned, time and again, that litigants who reject a state forum in order to bring suit in federal court under diversity jurisdiction cannot expect that new [state-law] trails will be blazed.'" Carlton v. Worcester Ins. Co., 923 F.2d 1, 3 (1st Cir. 1991) (alteration in original) (quoting Ryan v. Royal Ins. Co., 916 F.2d 731, 744 (1st Cir. 1990)); see also Porter, 913 F.2d at 40-41; Croteau v. Olin Corp., 884 F.2d 45, 46 (1st Cir. 1989); Taylor v. Aetna Cas. & Sur. Co., 867 F.2d 705, 706 (1st Cir. 1989) (per curiam); Cantwell v. Univ. of Mass., 551 F.2d 879, 880 (1st Cir. 1977). "Particularly where, as here, suitors seek to annul long-standing state precedent closely in point, they are hard put to complain if a federal court, called upon, in effect, to overrule the highest court of the state on a matter of state law, adopts a more deferential stance." Carlton, 923 F.2d at 3. See Santiago v. Sherwin Williams Co., 3 F.3d 546, 549 (1st Cir. 1993) ("When a plaintiff invokes diversity jurisdiction to bring a state law claim in federal court, th[e] [court's] survey [of applicable law] is somewhat circumscribed, for it is settled that, in ordinary circumstances, a plaintiff who `selects a federal forum in preference to an available state forum may not expect the federal court to steer state law into unprecedented configurations.'") (quoting Martel v. Stafford, 992 F.2d 1244, 1247 (1st Cir. 1993)). Consequently, the allegations in the Complaint are insufficient to state a cause of action under Chapter 93A.
For the foregoing reasons, the court recommends allowing so much of the motion to dismiss Count II as challenges the viability of an alleged violation of Chapter 93A based on Defendants' failure to comply with Mass. Gen. Laws ch. 93H, § 3(b) and 201 Mass. Code Regs. § 17.04.
Plaintiffs "seek a declaration that [1] NEO Tech's existing security measures do not comply with its obligations [to safeguard Plaintiffs' W-2 information], and [2] that to comply with its obligations, NEO Tech must implement and maintain "`additional'" reasonable security measures on behalf of Plaintiffs and the Nationwide Class . . ." (Dkt. No. 45 ¶ 106). Defendants contend that Count III should be dismissed because Plaintiffs are not seeking declaratory relief under the Declaratory Judgment Act. Instead, their first ground seeks a declaration that NEO Tech failed to comply with the law, which is duplicative of the other claims, and their second ground seeks an injunction without meeting the criteria necessary to obtain one (Dkt. No. 49 at 26-27; Dkt. No. 60 at 11).
"The federal Declaratory Judgment Act provides that `[i]n a case of actual controversy within its jurisdiction . . . any court of the United States . . . may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.'" In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1219 (alteration in original) (quoting 28 U.S.C. § 2201(a)). The Act "allows parties who are uncertain of their legal rights to seek a declaration of rights from a federal court prior to injury." Bellwether Cmty. Credit Union v. Chipotle Mexican Grill, Inc., 353 F.Supp.3d 1070, 1088 (D. Colo. 2018) (citing Kunkel v. Cont'l Cas. Co., 866 F.2d 1269, 1274 (10th Cir. 1989)).
In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1219-20 (quoting MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 127 (2007)) (alteration in original)). The granting of declaratory relief is discretionary. See Ernst & Young v. Depositors Econ. Prot. Corp., 45 F.3d 530, 534 (1st Cir. 1995).
Plaintiffs' first ground would not entitle them to relief because it merely duplicates the claim that NEO Tech owed Plaintiffs a duty to safeguard their W-2 information from exposure to cyber-criminals. "Because the relief sought is duplicative of [Plaintiffs'] claim[] for negligence . . . [their first] claim under the Declaratory Judgment Act [should be] dismissed." Rudolph v. Hudson's Bay Co., 18-cv-8472 (PKC), 2019 WL 2023713, at *15 (S.D.N.Y. May 7, 2019). See, e.g., Amusement Indus., Inc. v. Stern, 693 F.Supp.2d 301, 311 (S.D.N.Y. 2010) ("The fact that a lawsuit has been filed that will necessarily settle the issues for which the declaratory judgment is sought suggests that the declaratory judgment will serve `no useful purpose.'") (citations omitted).
Similarly, the second ground is not sufficient to state a claim for declaratory relief. Although Plaintiffs provide detailed descriptions of the "additional" steps that, in their opinion, NEO Tech should take to implement reasonable security measures, the use of the word "additional" suggests that NEO Tech adopted new protections after the data breach (Dkt. No. 45 ¶ 106). Because the Complaint does not contain factual allegations to support the contention that Plaintiffs' W-2 information remains at risk of exposure to unauthorized third parties, there is no basis for the court to exercise its discretion to grant so much of Count III as seeks a declaration that NEO Tech should implement the security measures Plaintiffs propose. Cases in which declaratory relief was granted are factually distinguishable. Compare Hameed-Bolden v. Forever 21 Retail, Inc., Case No.: CV 18-03019 SJO (JPRx), 2018 WL 6802818, at *9 (C.D. Cal. Oct. 1, 2018) (permitting request for declaratory relief to proceed where plaintiffs alleged that their PII remained vulnerable based on the remaining inadequacies of defendants' computer systems); In re: Home Depot, Inc. Customer Data Sec. Breach Litig., MDL DOCKET NO. 2583, 1:14-md-2588-TWT, 2016 WL 2897520, at *5 (N.D. Ga. May 18, 2016) (denying a motion to dismiss plaintiff's claim for declaratory relief when the plaintiffs "pleaded that the defendant's security measures continue to be inadequate and that they will suffer substantial [future] harm" without relief); In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1221 (denying a motion to dismiss plaintiffs' request for declaratory relief where the complaint alleged that defendant breached its contractual obligation to provide "`reasonable security'" by failing to follow "a number of standard [security] industry practices"). Accordingly, the court recommends that Count III be dismissed.
For the foregoing reasons, on Defendants' Motion to Dismiss (Dkt. No. 48), the court recommends that: (1) the motion to dismiss for lack of jurisdiction be allowed as to Kristine Tansil, and denied as to the other Plaintiffs; (2) so much of the motion to dismiss as is addressed to Count I be denied as described herein; and (3) so much of the motion to dismiss as is addressed to Counts II and III be allowed.
Without directly addressing whether or not Chapter 93A provides a private right of action for a violation of 93H, the Massachusetts Appeals Court in Adams, 65 N.E.3d at 1239, which was decided after Katz, analyzed whether a violation of chapter 93H constituted an unfair or deceptive act under Chapter 93A, suggested that such a claim was theoretically viable, but determined that the motorist's factual allegations in the complaint were too vague to state a claim against an insurance agency under Chapter 93A. See Adams, 65 N.E.3d at 1239.