JAMES L. ROBART, United States District Judge.
Before the court is Defendant Eddie Bauer, LLC's ("Eddie Bauer") motion to dismiss (2d MTD (Dkt. # 40)) Plaintiff Veridian Credit Union's ("Veridian") first amended putative class action complaint (FAC (Dkt. # 36)).
Veridian alleges the following pertinent facts in its first amended complaint:
Veridian is an Iowa-chartered credit union with its principal place of business in Iowa. (FAC ¶ 11.) Veridian issued payment cards compromised in the Data Breach and alleges that it suffered significant property damage to the unique data included on the payment cards (including the ruination of the payment card itself) and financial losses in connection with covering its customers' losses due to the Data Breach and in reissuing credit and debit cards to its customers. (Id. ¶¶ 8, 22, 96-98, 135.) Veridian alleges that the Data Breach and Veridian's injury were the foreseeable results of Eddie Bauer's inadequate data security measures, which Eddie Bauer knew were insufficient to protect against recognized threats, and Eddie Bauer's refusal to implement industry-standard security measures due to the cost of such measures. (Id. ¶¶ 39-92.)
Veridian filed a putative class action complaint against Eddie Bauer on March 7, 2017. (Compl. (Dkt. # 1).) Eddie Bauer filed a motion to dismiss on April 21, 2017. (MTD (Dkt. # 28).) On June 5, 2017, instead of responding to Eddie Bauer's motion directly, Veridian filed a first amended putative class action complaint. (See FAC.) On June 15, 2017, Eddie Bauer filed a motion to dismiss Veridian's first amended complaint. (See 2d MTD.)
In its first amended complaint, Veridian alleges claims against Eddie Bauer for (1) negligence (FAC ¶¶ 119-28), (2) negligence per se (id. ¶¶ 129-35), (3) declaratory and injunctive relief (id. ¶¶ 136-43), (4) violation of RCW 19.255.020 (FAC ¶¶ 144-51), and (5) violation of Washington's Consumer Protection Act ("CPA"), RCW ch. 19.86 (FAC ¶¶ 152-65). Veridian alleges that Washington law applies to its claims. (Id. ¶¶ 112-18.) Eddie Bauer, however, asserts that Iowa law applies. (2d MTD at 3-9.)
Veridian also brings its first amended complaint as a putative class action. (Id. ¶¶ 99-111.) Specifically, Veridian brings its action "individually and on behalf of all other financial institutions similarly situated" under Federal Rule of Civil Procedure 23. (Id. ¶ 99.) Veridian defines its putative class as:
(Id.)
The court now considers Eddie Bauer's motion to dismiss.
Federal Rule of Civil Procedure 12(b)(6) provides for dismissal of a complaint for "failure to state a claim upon which relief can be granted." Fed. R. Civ. P. 12(b)(6). Although "detailed factual allegations" are not required, a complaint must include "more than an unadorned, the-defendant-unlawfully-harmed-me accusation." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). In other words, a complaint must have sufficient factual allegations to "state a claim to relief that is plausible on its face." Id. (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)). A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Under Rule 12(b)(6), dismissal can be based on "the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990).
When considering a motion to dismiss under Rule 12(b)(6), the court construes the complaint in the light most favorable to the nonmoving party. Livid Holdings Ltd. v. Salomon Smith Barney, Inc., 416 F.3d 940, 946 (9th Cir. 2005). The court must therefore accept all well-pleaded facts as true and draw all reasonable inferences in the plaintiff's favor. Wyler Summit P'ship v. Turner Broad. Sys., Inc., 135 F.3d 658, 661 (9th Cir. 1998).
The court first addresses which jurisdiction's law applies to Veridian's claims. Veridian asserts that Washington law governs its claims (FAC ¶¶ 112-18; Resp. at 6-8), while Eddie Bauer argues for the application of Iowa law (2d MTD at 5-9).
A "federal court sitting in diversity ordinarily must follow the choice-of-law rules of the State in which it sits." Atl. Marine Constr. Co. v. U.S. Dist. Court for W. Dist. of Tex., 571 U.S. 49, 134 S.Ct. 568, 582, 187 L.Ed.2d 487 (2013) (citing Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 494-96, 61 S.Ct. 1020, 85 S.Ct. 1477 (1941)). "This applies to actions brought under the Class Action Fairness Act [("CAFA"), 28 U.S.C. § 1332(d)(2),] as well, since CAFA is based upon diversity jurisdiction." In re Facebook Biometric Info. Privacy Litig., 185 F.Supp.3d 1155, 1167-68 (N.D. Cal. 2016) (quoting In re NVIDIA GPU Litig., No. C 08-04312, 2009 WL 4020104, at *5 (N.D. Cal. Nov. 19, 2009)). Here, Veridian asserts that the court has original jurisdiction based on CAFA. (FAC ¶ 13.) Accordingly, the court follows the choice-of-law rules of Washington.
Washington employs a two-step approach to choice of law questions. Under Washington's choice-of-law rules, the court first determines whether an actual conflict exists between Washington and other applicable state law. See Burnside v. Simpson Paper Co., 123 Wn.2d 93, 864 P.2d 937, 941 (1994). In the absence of a conflict, Washington law applies. See id.; DP Aviation v. Smiths Indus. Aerospace & Def. Sys. Ltd., 268 F.3d 829, 845 (9th Cir. 2001) (applying Washington law where
"An `actual conflict' exists `between the laws or interests of Washington and the laws or interests of another state' when the ... states' laws could produce different outcomes on the same legal issue." Kelley v. Microsoft Corp., 251 F.R.D. 544, 550 (W.D. Wash. 2008) (quoting Erwin v. Cotter Health Ctrs., 161 Wn.2d 676, 167 P.3d 1112, 1120 (2007)). Veridian asserts in a summary fashion that only a false conflict exists between the laws or interests of Washington and those of Iowa. (See Resp. at 7.) However, as discussed below, the court is persuaded by Eddie Bauer's detailed analysis that an actual conflict exists. (See 2d MTD at 4-5.) The court discusses each of Veridian's claims in turn.
The court first considers Veridian's negligence claim. (FAC ¶¶ 119-28.) In Iowa, "[a]s a general proposition, the economic loss rule bars recovery in negligence when the plaintiff has suffered only economic loss." Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499, 503 (Iowa 2011) (citing Neb. Innkeepers, Inc. v. Pittsburgh-Des Moines Corp., 345 N.W.2d 124, 126 (Iowa 1984)). Indeed, in Iowa, "[t]he well-established general rule is that a plaintiff who has suffered only economic loss due to another's negligence has not been injured in a manner which is legally cognizable or compensable." Id. Further, in Iowa, the economic loss rule "is by no means limited to the situation where the plaintiff and the defendant are in direct contractual privity." Id. at 504.
The Washington Supreme Court, however, no longer applies the economic loss rule but rather the "independent duty doctrine." See Affiliated FM Ins. Co. v. LTK Consulting Servs., Inc., 170 Wn.2d 442, 243 P.3d 521, 526 (2010). In Washington, "[t]he independent duty doctrine ... maintain[s] the boundary between torts and contract in the place of the economic loss rule." Donatelli v. D.R. Strong Consulting Eng'rs, Inc., 179 Wn.2d 84, 312 P.3d 620, 623 (2013) (internal quotation marks omitted) (citing Elcon Constr., Inc. v. E. Wash. Univ., 174 Wn.2d 157, 273 P.3d 965, 969 (2012)). For example, under Washington's independent duty doctrine, a plaintiff can bring a tort claim for conduct arising out of a contractual relationship if the defendant owed him or her a duty of care independent of the contract. Eastwood v. Horse Harbor Found., Inc., 170 Wn.2d 380, 241 P.3d 1256, 1262 (2010).
In addition, unlike Iowa, the independent duty doctrine is not a rule of general application in Washington. Elcon Constr., 273 P.3d at 969. The Washington Supreme Court has taken "great pains to limit" the doctrine and to "clarify that it does not bar tort remedies except in fairly unusual circumstances." Reading Hosp. v. Anglepoint Grp., Inc., No. C15-0251-JCC, 2015 WL 13145347 at *3 (W.D. Wash. May 26, 2015). Indeed, the Washington Supreme Court has applied the doctrine only "to a narrow class of cases, primarily limiting its application to claims arising out of construction on real property and real property sales," Elcon Constr., 273 P.3d at 969, and specifically directs that the doctrine should not apply "`unless and until [the Washington Supreme Court] has ... decided otherwise,'" id. at 969-70 (quoting Eastwood, 241 P.3d at 1276). Due to the
Veridian asserts a separate claim for negligence per se. (FAC ¶¶ 129-35.) Under Iowa law, the violation of a statute may give rise to a claim for negligence per se. See Winger v. CM Holdings, LLC, 881 N.W.2d 433, 448 (Iowa 2016) (quoting Wiersgalla v. Garrett, 486 N.W.2d 290, 292 (Iowa 1992)) ("[I]f a statute or regulation... provides a rule of conduct specifically designed for the safety and protection of a certain class of persons, and a person within that class receives injuries as a proximate result of a violation of the statute or regulation, the injuries would be actionable, as ... negligence per se.") (internal quotation marks and citations omitted). In Washington, however, the violation of a statute or the breach of a statutory duty is not considered negligence per se, but may be considered by the trier of fact only as evidence of negligence. RCW 5.40.050. Thus, assuming Veridian can establish that Eddie Bauer violated a statute that fell within Iowa's negligence per se rule, it might be able to pursue such a claim under Iowa law, but not under Washington law. Thus, an actual conflict exists between the law of Iowa and Washington on this claim.
Veridian also asserts a claim for declaratory and injunctive relief. (FAC ¶¶ 136-43.) Iowa law recognizes that an "injunction may be obtained as an independent remedy by an action in equity, or as an auxiliary remedy in any action." Iowa R. Civ. P. 1.1501. Indeed, "[u]nder Iowa law, a request for permanent injunctive relief alone can serve as the underlying claim for a request for a temporary injunction in an equitable action." Johnson v. Moody, No. 416CV00449RGESBJ, 2016 WL 8839427, at *4 (S.D. Iowa Nov. 14, 2016); see also Lewis Invs., Inc. v. City of Iowa City, 703 N.W.2d 180, 184 (Iowa 2005) (stating that "the plaintiff's underlying claim is an equitable action for permanent injunctive relief"). In contrast to Iowa's law, Washington does not recognize a standalone claim for injunctive relief, but rather views an injunction as a form of relief available for some causes of action. See, e.g., Hockley v. Hargitt, 82 Wn.2d 337, 510 P.2d 1123, 1132 (1973) (distinguishing between a cause of action based on the CPA and the forms of relief that are potentially available, including damages and an injunction); see also Robinson v. Wells Fargo Bank Nat'l Ass'n, No. C17-0061JLR, 2017 WL 2311662, at *5 (W.D. Wash. May 25, 2017) ("Injunctive relief is available only if [the plaintiff] is entitled to such a remedy on an independent cause of action."). Indeed, Veridian acknowledges that Iowa recognizes a "standalone" claim for injunctive relief while Washington does not. (Resp. at 6 n.7.) Thus, there is an actual conflict between the laws of Iowa
Finally, Eddie Bauer asserts that there is an actual conflict between the law of Iowa and Washington with respect to Veridian's statutory claims. Veridian alleges a claim based on RCW 19.255.020, which is a Washington statute that addresses unauthorized cyber-intrusions on the account information of credit card and debit card holders. (FAC ¶¶ 144-51.) There is no Iowa counterpart to this Washington statute. Veridian also alleges a statutory claim based on Washington's CPA. (FAC ¶¶ 152-65.) Unlike Washington's CPA, however, Iowa's Consumer Fraud Act ("CFA") requires the state attorney general to approve the filing of a class action lawsuit under the statute. Iowa Code § 714H.7. Thus, the court concludes that an actual conflict exists as to the law of the two states regarding Veridian's substantive statutory claims.
If an actual conflict exists, Washington requires application of the law of the forum that has the "most significant relationship" to the action. See Johnson, 555 P.2d at 1000. Application of the "most significant relationship" test is a two-step process. See id. First, the court determines which state has the most significant relationship to the cause of action. Id. Second, if the relevant contacts to the cause are balanced, the court then considers "the interests and public policies of potentially concerned states and ... the manner and extent of such policies as they relate to the transaction at issue." Id. at 1001 (quoting Potlatch No. 1 Fed. Credit Union v. Kennedy, 76 Wn.2d 806, 459 P.2d 32, 35 (1969)).
In determining the state with the most significant relationship to the occurrence and the parties, the court considers "(a) the place where the injury occurred, (b) the place where the conduct causing the injury occurred, (c) the domicil, residence, nationality, place of incorporation and place of business of the parties, and (d) the place where the relationship, if any, between the parties is centered." Brewer v. Dodson Aviation, 447 F.Supp.2d 1166, 1175-76 (W.D. Wash. 2006) (discussing Washington law and citing the Restatement (Second) of Conflict of Laws § 145(2) (1971)). The court's approach is not merely to count contacts, but rather to consider which contacts are the most significant and
Eddie Bauer asserts that the injury at issue occurred in Iowa because that is where Veridian and the majority of its customers are located.
"In the case of personal injuries or of injuries to tangible things, the place where the injury occurred is a contact that, as to most issues, plays an important role in the selection of the state of the applicable law." Restatement (Second) of Conflict of Laws § 145, cmt. e (1971). "Situations do arise, however, where the place of injury will not play an important role in the selection of the state of the applicable law. This will be so, for example, when the place of injury can be said to be fortuitous... or when ... injury has occurred in two or more states." Id.; see Kelley, 251 F.R.D. at 552 ("Here, the Defendant's allegedly unfair or deceptive acts caused injury throughout the country. The location of the harm suffered is fortuitous.").
Veridian alleges that Eddie Bauer's conduct with respect to the Data Breach caused injury in a variety of states throughout country (FAC ¶¶ 1, 7-9, 60, 99); thus, the location of the alleged harm was fortuitous, and the place of injury does not play an important role in the court's choice of law analysis here.
Eddie Bauer argues that the location where the alleged conduct causing the injury occurred is unknown because "[t]he location where the [cyber] attack was launched is unknown" and Veridian fails to allege that the computer servers that were attacked are located in Washington. (2d MTD at 7.) Again, Eddie Bauer misconstrues the crux of Veridian's allegations. Veridian is not suing the cyber attacker. Veridian is suing Eddie Bauer for negligence and other misconduct related to its management's decisions concerning Eddie Bauer's internal data security and the Data Breach. (See FAC ¶¶ 113-15.) Veridian alleges that Eddie Bauer "orchestrated and implemented" the decisions that lead to the Data Breach "at its corporate headquarters in Bellevue, Washington," and its failure to employ adequate data security measures "emanated from [its] headquarters." (Id. ¶¶ 113-14.) Based on these allegations, the court concludes that the place where the conduct alleged to have caused the injury occurred was in Washington.
When the injury occurs in two or more states or the location of the injury is fortuitous, the weight the court gives to the place where the alleged conduct causing
The third factor the court considers is "the domicil, residence, nationality, place of incorporation and place of business of the parties" Brewer, 447 F.Supp.2d at 1175-76. The fourth factor is "the place where the relationship, if any, between the parties is centered." Id. The court considers these factors together.
Eddie Bauer is a citizen of Washington, which is also where it maintains its principal place of business. (FAC ¶ 13.) Veridian is an Iowa-chartered credit union with its principal place of business in Iowa (id. ¶ 11), although if a nationwide class is certified there will be plaintiff's domiciled in many states (see id. ¶ 99). "[T]he importance of these contacts depends largely upon the extent to which they are grouped with other contacts." Restatement (Second) of Conflict of Laws § 145, cmt. e (1971). The fact that one of the parties is domiciled in a particular state is of little significance, but gains significance if the domicile or principal place of business for all parties is located in the same state. Id. Because there is no grouping of contacts in this instance, the court finds this factor of minimal significance to its choice of law analysis.
Further, the parties' relationship is not centered in any one place. The parties did not contract with one another.
The parties agree that neither of these factors should play a significant role in the court's choice of law analysis. (See 2d MTD at 8-9; Resp. at 8 ("As to the third and fourth factors, the putative class is domiciled in all states, while Eddie Bauer is domiciled in Washington, and thus `the parties' relationship is not centered in any particular place because the parties did not contract with one another.'") (quoting Kelley, 251 F.R.D. at 552).) Thus, these factors have little bearing on the court's choice of law analysis.
The court is mindful that it is not to merely count contacts but to consider which contacts are the most significant and where those contacts are found. Johnson, 555 P.2d at 1000. Relying on this guidance,
Assuming, arguendo, that the foregoing contacts were evenly balanced, the court would still apply Washington law. "If the contacts are evenly balanced, the second step of the analysis involves an evaluation of the interests and public policies of the concerned states to determine which state has the greater interest in determination of the particular issue." Schmahl v. Macy's Dep't. Stores, Inc., No. CV-09-68-EFS, 2010 WL 3061526, at *6 (E.D. Wash. July 30, 2010); Zenaida-Garcia v. Recovery Sys. Tech., Inc., 128 Wn.App. 256, 115 P.3d 1017, 1020 (2005). This step turns on the purpose of the law and the issues involved. Kelley, 251 F.R.D. at 553. When "the primary purpose of the tort rule involved is to deter or punish misconduct [and not merely to compensate the victim for her injuries] ... the state where the conduct took place may ... [have the] most significant relationship." Id. (quoting Restatement (Second) of Conflict of Laws § 145, cmt. c (1971)).
Washington has the paramount interest in applying its law to this action. In addition to its negligence claims, Veridian also asserts claims based on RCW 19.255.020, which is designed to fight unauthorized cyber-intrusions into credit card and debit card holders' data, and the CPA. (FAC ¶¶ 144-65.) The CPA targets all unfair trade practices either originating from Washington businesses or harming Washington citizens. Kelley, 251 F.R.D. at 553. Application of the CPA to Veridian's claims effectuates the broad deterrent purpose of CPA, especially as applied to one of Washington's leading corporate citizens. See id. (citing Restatement (Second) of Conflict of Laws § 145, cmt. c (1971); RCW 19.86.920). The same is true of RCW 19.255.020, which applies to credit card processors and businesses, rendering them potentially liable to financial institutions if they fail to "take reasonable care to guard against unauthorized access to account information." Id. Thus, the court concludes that Washington law applies to this action and now considers Eddie Bauer's motion to dismiss each of Veridian's claims.
As noted above, Washington does not recognize negligence per se as a separate cause of action. See supra § III.B.1.b. Although the violation of a statute or the breach of a statutory duty "may be considered by the trier of fact as evidence of negligence," RCW 5.40.050, Veridian may not assert a separate cause of action for negligence per se in Washington. Accordingly, the court dismisses this cause of action (see FAC ¶¶ 129-35) with prejudice and without leave to amend.
As also noted above, Veridian asserts a claim for injunctive and declaratory relief based on the federal Declaratory Judgment Act, 28 U.S.C. §§ 2201-02. (See Resp. at 6 n.7); see supra n.4. As the court explained, the Declaratory Judgment Act "only creates a remedy." See Confederated Tribes, 873 F.2d at 1225. Further, "[a] permanent injunction is a form of relief that the court may grant when a plaintiff succeeds on a substantive cause of action that lends itself to this remedy." Dinkins v. Schinzel, No. 217CV01089JADGWF, 2017 WL 4891524, at *2 (D. Nev. Oct. 30, 2017). Although Veridian may continue to request declaratory and injunctive relief in an amended complaint, these items are requests for relief and not separate legal causes of action. See Barton v. Capital One Bank (USA), N.A., No. 12-cv-05412-JST, 2013 WL 12173918, at *8 (N.D. Cal. Apr. 4, 2013); Santos v. Countrywide Home Loans, No. 2:09-02642 WBS DAD, 2009 WL 3756337, at *5 (E.D. Cal. Nov. 6, 2009) ("Declaratory and injunctive relief are not independent claims, rather they are forms of relief."). Thus, the court dismisses Veridian's cause of action for declaratory and injunctive relief, but with leave to amend as described above.
Under Washington law, to state a claim for negligence, Veridian must adequately allege "(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury." Degel v. Majestic Mobile Manor, 129 Wn.2d 43, 914 P.2d 728, 731 (1996). The existence of a duty "is a question of law and depends on mixed considerations of logic, common sense, justice, policy, and precedent." Snyder v. Med. Serv. Corp., 145 Wn.2d 233, 35 P.3d 1158, 1164 (2001). "Duty in a negligence action is a threshold question" and "may be predicated `on violation of statute or of common law principles of negligence.'" Jackson v. City of Seattle, 158 Wn.App. 647, 244 P.3d 425, 428 (2010) (quoting Burg v. Shannon & Wilson, Inc., 110 Wn.App. 798, 43 P.3d 526, 530 (2002)); Alhadeff v. Meridian on Bainbridge Island, LLC, 167 Wn.2d 601, 220 P.3d 1214, 1222 (2009) (same).
Eddie Bauer argues that Veridian's negligence claim must be dismissed because Eddie Bauer owes no duty to Veridian. (2d MTD at 20-25.) Veridian argues that Eddie Bauer owes it a duty predicated on common law principles of negligence and on the violation of two statutes. (Resp. at 2-3, 9-17.) The court analyzes each basis for a duty in turn.
Eddie Bauer first asserts that under common law principles of negligence in Washington it owes no duty to Veridian as a matter of law. (2d MTD at 20-24.) Eddie Bauer argues that Veridian, as "a sophisticated financial institution," is not within the class of individuals to whom Eddie Bauer owes a duty. (2d MTD at 20-21.) Indeed, Eddie Bauer argues that, by suing
Eddie Bauer is correct that under Washington law "an actor ordinarily owes no duty to protect an injured party from harm caused by the criminal acts of third parties." Parrilla v. King Cty., 138 Wn.App. 427, 157 P.3d 879, 884 (2007). Indeed, the Washington Supreme Court has "not yet found a duty to protect a third party from the criminal acts of another absent a special relationship." Robb v. City of Seattle, 176 Wn.2d 427, 295 P.3d 212, 216 (2013). Nevertheless, the Washington Court of Appeals has found that the affirmative act of an alleged tortfeaser combined with the foreseeability and magnitude of the risk created by the alleged tortfeaser may justify imposing such a duty under the Restatement (Second) of Torts § 302B, comment e. Id. (citing Parrilla, 157 P.3d at 884-85). The crux of the issue lies in the distinction between an action or "misfeasance," on the one hand, and an omission or "nonfeasance," on the other. Id. As the Washington Supreme Court has explained:
Id. at 217. Thus, to impose liability on Eddie Bauer for the criminal actions of a hacker in creating the Data Breach, Veridian must either allege that a "special relationship" exists between Veridian and Eddie Bauer, or that Eddie Bauer's action surrounding the Data Breach constituted malfeasance, rather than merely nonfeasance.
Veridian asserts that a "special relationship" exists between itself and Eddie Bauer because Eddie Bauer "voluntarily assumed the duty to protect [Veridian's] property, i.e.[,] its payment card data, and [Veridian] relied on [Eddie Bauer] to keep its property safe." (Resp. at 14 (citing Merriman v. Am. Guarantee & Liab. Ins. Co., 198 Wn.App. 594, 396 P.3d 351, 363-64 (2017)).) Veridian provides scant analysis of Merriman and the court does not view Merriman as analogous. In Merriman, the Washington Court of Appeals found that an insurance adjuster owed a duty to certain insureds based on specific duties that the adjuster had voluntarily assumed. 396 P.3d at 367. The Court of Appeals, however, based its decision in part on "whether providing a legal duty of care would advance or frustrate relevant insurance law." Id. at 366. "Both courts and the legislature have recognized that insurance contracts are imbued with public policy concerns." Nat'l Sur. Corp. v. Immunex Corp., 176 Wn.2d 872, 297 P.3d 688, 690 (2013). Those same public policy concerns are not at issue here. Veridian cites no other Washington case in support of its assertion that the court should find a "special relationship" between two sophisticated business entities engaged in the type of non-contractual relationship alleged here. (See Resp. at 14.) Given the paucity of Washington legal authority, the court concludes that Veridian's allegations of trust and reliance between two sophisticated business entities are insufficient to establish a special relationship. Concluding otherwise would stretch Washington law beyond its current confines.
Assuming that there is no "special relationship" between Veridian and Eddie Bauer, Eddie Bauer may still have a duty to Veridian if Eddie Bauer engaged in an affirmative act or "misfeasance" such that
The court's analysis of whether Veridian has adequately alleged that Eddie Bauer owes it a duty, however, is not yet complete. Veridian also alleges that Eddie Bauer owes it a duty predicated upon two statutes: (1) Section 5 of the Federal Trade Commission Act of 1914 ("FTC Act"), 15 U.S.C. § 45; and (2) RCW 19.255.020, a Washington statute designed to address damage to financial institutions from the unauthorized cyber-intrusions of the account information of credit card and debit card holders. The court addresses the existence of a duty predicated upon each of these statutes in turn.
As previously noted, in Washington, the violation of a statute or the breach of a statutory duty is not considered negligence per se, but may be considered by the trier of fact as evidence of negligence. RCW 5.40.050; see supra §§ III.B.1.b. In deciding "whether violation of a public law or regulation shall be considered in determining liability," Washington courts turn to the Restatement (Second) of Torts § 286. Barrett v. Lucky Seven Saloon, Inc., 152 Wn.2d 259, 96 P.3d 386, 390 (2004). Under this provision of the Restatement, "[t]he court may adopt as the standard of conduct of a reasonable [person] the requirements of a legislative enactment... whose purpose is found to be exclusively or in part (a) to protect a class of persons that includes the person whose interest is invaded, and (b) to protect the particular interest which is invaded, and (c) to protect that interest against the kind of harm which has resulted, and (d) to protect that interest against the particular hazard from which the harm results." Restatement (Second) of Torts § 286 (1965).
In evaluating Section 5 of the FTC Act, the court finds that Veridian
Unlike Section 5 of the FTC Act, however, the court finds that, in the context of this lawsuit, RCW 19.255.020 meets the test of Section 286 of the Restatement. RCW 19.255.020 states in pertinent part:
RCW 19.255.020(3)(a).
Based on its application of Section 286 of the Restatement, the court concludes that the "reasonable care" standard found in RCW 19.255.020 defines the minimum standard of conduct under Washington law for processors or businesses whose alleged failure to protect from unauthorized access credit and debit card account information that is in their possession causes damage to financial institutions. See Barrett, 96 P.3d at 393 (concluding based on the application of the four-part test of Section 286 of the Restatement that RCW 66.44.200(1), which forbids the selling of alcohol "to any person apparently under the influence of liquor," defines the minimum standard of conduct for commercial hosts whose alleged overservice causes a drunk driving accident injuring a third party); see also Kappelman v. Lutz, 141 Wn.App. 580, 170 P.3d 1189, 1196 (2007), aff'd, 167 Wn.2d 1, 217 P.3d 286 (2009) ("When a statute meets [the test of Section 286 of the Restatement], evidence of a statutory violation is admissible on the issue of negligence.... And the party offering the evidence is entitled to a jury instruction consistent with RCW 5.40.050.") (citing 6 Wash. Prac., Wash. Pattern Jury Instructions: Civil 60.03, at 481 (2005) (WPI)).
Veridian alleges a claim directly based on Eddie Bauer's violation of RCW 19.255.020. (FAC ¶¶ 144-51.) Eddie Bauer argues that Veridian's claim must be dismissed because Veridian fails to specifically allege that it reissued cards to Washington residents. (2d MTD at 25.) The statute states in part that, in the event of certain unauthorized cyber-intrusions, a "business"
Washington's CPA prohibits "[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce." RCW 19.86.020. "To prevail in a private CPA claim, the plaintiff must prove (1) an unfair or deceptive act or practice, (2) occurring in trade or commerce, (3) affecting the public interest, (4) injury to a person's business or property, and (5) causation." Panag v. Farmers Ins. Co. of Wash., 166 Wn.2d 27, 204 P.3d 885, 889 (2009). Failure to satisfy even one element is fatal to a CPA claim. Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn.2d 778, 719 P.2d 531, 539-40 (1986).
Eddie Bauer asserts that the court should dismiss Veridian's CPA claim because Veridian fails to adequately allege the first element of a CPA claim — an unfair or deceptive act or practice. (2d MTD at 27-30). Veridian asserts that its allegations that Eddie Bauer failed to provide reasonable cyber security measures to protect the account information on its customers' credit and debit cards constitutes either an "unfair or deceptive act or practice" under the CPA. (Resp. at 23-25.)
"Because the [CPA] does not define `unfair' or `deceptive,' [the Washington Supreme Court] has allowed the definitions to evolve through a gradual process of judicial inclusion and exclusion." Saunders v. Lloyd's of London, 113 Wn.2d 330, 779 P.2d 249, 256 (1989) (internal quotations omitted). Either an unfair or a deceptive act can be the basis for a CPA claim. Klem v. Wash. Mut. Bank, 176 Wn.2d 771, 295 P.3d 1179, 1187 (2013) ("The `or' between `unfair' and `deceptive' is disjunctive."). "An unfair act is established by evidence that it (1) causes or is likely to cause substantial injury, which (2) consumers cannot avoid, and (3) is not `outweighed by countervailing benefits.'" Merriman, 396 P.3d at 368 (quoting Klem, 295 P.3d at 1187 and 15 U.S.C. § 45(n)).
Based on the Washington courts' definition and the liberal construction the court applies to the CPA, the court finds that Veridian's allegations sufficiently constitute an "unfair act" under the statute. Veridian alleges that Eddie Bauer failed to take proper measures to protect account information of credit and debit card holders with respect to its POS and data security systems. (FAC ¶¶ 5, 39, 40-42, 57-62, 71-76, 81, 82-86, 157.) Indeed, "[t]he key wrongdoing at issue in this litigation" is "Eddie Bauer's [alleged] failure to employ adequate data security measures." (Id. ¶ 114.) In light of known cyber-intrusion risks and breaches, Veridian alleges that it was foreseeable that Eddie Bauer's failure to take reasonable security measures to protect the data of payment card holders would result in harm to thousands of customers and the payment card issuers, and Eddie Bauer's failure did, in fact, result in this harm. (Id. ¶¶ 1, 7-9, 46-56, 83, 93-98.) These allegations constitute "substantial injury" to consumers. See Merriman, 396 P.3d at 368.
Eddie Bauer argues, however, that Veridian nevertheless has failed to adequately allege an "unfair act" because consumers could have avoided the risk of data theft by paying for items at Eddie Bauer stores with cash. (2d MTD at 30.) In light of the ubiquitous use of credit and debit cards in all types of commerce, the court finds this argument disingenuous. See, e.g., Perfect 10, Inc. v. Visa Int'l Serv. Ass'n, 494 F.3d 788, 817 (9th Cir. 2007) (Kozinski, J. dissenting) ("Credit cards are ubiquitous...."); Price v. Synapse Grp., Inc., No. 16-CV-01524-BAS-BLM, 2017 WL 3131700, at *4 (S.D. Cal. July 24, 2017) ("[I]n a modern economy ... credit card transactions are a ubiquitous feature.")
Further, the court agrees with Veridian that customers had no way of knowing that Eddie Bauer's cyber-security measures were allegedly deficient or that Eddie Bauer had allegedly failed to implement appropriate software updates or other reasonable security measures. (See FAC ¶ 159.) Without this knowledge, and given the broad adoption of credit and debit cards as forms of payment in our economy, consumers had scant ability to avoid the harms engendered by Eddie Bauer's alleged security failures.
Eddie Bauer further argues that Veridian has not alleged an act or practice that is "likely to cause substantial harm" because inadequate security practices do not by themselves cause direct harm to consumers, but rather only cause harm when the information is stolen by a third party. (2d MTD at 30.) The court agrees with Veridian that this argument distorts the causation analysis under the CPA. (See Resp. at 25.) Courts apply a "but for" proximate causation standard under the CPA, and the unfair act or practice need not be the sole proximate cause of the harm. Indoor Billboard/Washington Inc. v. Integra Telecom of Wash., Inc., 162 Wn.2d 59, 170 P.3d 10, 22 (2007); see also FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 246 (3d Cir. 2015) (noting that the risk of foreseeable harm from inadequate data security is sufficient under the FTC Act, and an unfair act need not be the most proximate cause of an injury). Here, Eddie Bauer's alleged failure to take reasonable security measures constitutes an unfair act because it knowingly and foreseeably put Eddie Bauer's customers and payment card financial institutions at
Based on the foregoing analysis, the court GRANTS in part and DENIES in part Eddie Bauer's motion to dismiss (Dkt. # 40). Veridian may file an amended complaint that is consistent with court's rulings herein.
The court denies Eddie Bauer's request that it take judicial notice of certain pages from Veridian's website. Although a court may consider materials that are properly the subject of judicial notice under Federal Rule of Evidence 201 on a motion to dismiss, see Lee v. City of L.A., 250 F.3d 668, 689 (9th Cir. 2001), pages from a party's website generally do not meet those standards, see Spy Optic, Inc. v. Alibaba.Com, Inc., 163 F.Supp.3d 755, 763 (C.D. Cal. 2015) ("[P]rivate corporate websites, particularly when describing their own business, generally are not the sorts of sources whose accuracy cannot reasonably be questioned.") (quoting Victaulic Co. v. Tieman, 499 F.3d 227, 237 (3d Cir. 2007) (internal quotation marks omitted). The court also declines to consider the declaration offered by Veridian. (See Slessor Decl.) "As a general rule, a district court may not consider any material beyond the pleadings in ruling on a Rule 12(b)(6) motion." Lee, 250 F.3d at 688 (internal quotation marks and citations omitted). Veridian offers no exception to this general rule that would permit the court to consider its counsel's declaration (see generally Resp.), and accordingly the court declines to do so.
Eddie Bauer also asserts that if a Washington vendor has a duty beyond simply protecting card issuers for the costs of reissuing cards to Washington residents, "then RCW 19.255.020 would be completely unnecessary and meaningless." (Reply at 12-13.) The court disagrees. The remedies that the Legislature provides in the case of violation of RCW 19.255.020 are distinct from common law remedies available in a negligence action. For example, "[i]n any legal action brought pursuant to [RCW 19.255.020(3)(a)], the prevailing party is entitled to recover its reasonable attorneys' fees and costs incurred in connection with the legal action." Id. The same is not true for a common law negligence action. Accordingly, the court rejects Eddie Bauer's argument.