UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
Chantal ATTIAS, et al.,
Plaintiffs,
v. Case No. 15-cv-00882 (CRC)
CAREFIRST, INC., et al.,
Defendants.
MEMORANDUM OPINION
Plaintiffs brought this putative class action against D.C.-area health insurer CareFirst and
various of its affiliates after CareFirst suffered a data breach in 2014. The breach compromised
the names, birthdates, email addresses, and subscriber identification numbers of over one million
of CareFirst’s insureds. The named plaintiffs are seven of those insureds, and they lodge a host
of contract, tort, and state-specific statutory claims against the company stemming from the
breach.
CareFirst has now twice moved to dismiss the complaint. On the first occasion, the Court
granted the motion on standing grounds and dismissed the complaint in its entirety. That
decision was reversed by the D.C. Circuit, which concluded that plaintiffs’ heightened risk of
future identity theft satisfied the injury-in-fact requirement of Article III standing. On remand,
CareFirst renewed its motion to dismiss the complaint for failure to state a claim, which the
Court granted in substantial part. All told, the Court dismissed all the claims in the complaint
save two claims advanced by the two named plaintiffs who alleged actual misuse of their
exposed data. The Court then issued a final order as to the dismissed claims under Federal Rule
of Civil Procedure 54(b), thereby permitting plaintiffs to appeal. However, the D.C. Circuit concluded that the requirements of Rule 54(b) had not been met and thus dismissed the appeal
for lack of jurisdiction.
Following remand, plaintiffs filed the present motion for reconsideration of the Court’s
dismissal of their claims under Rule 12(b)(6). Reconsideration is warranted, plaintiffs argue, to
clarify that D.C. law does not require actual damages to sustain a breach of contract claim; to
address intervening D.C. Circuit precedent that, in plaintiffs’ view, widens the scope of “actual
damages” stemming from the data breach; and to correct the Court’s prior analysis of the
relationship between plaintiffs’ claims under the District of Columbia Consumer Protection
Procedures Act and their breach of contract claims. For the following reasons, the Court will
grant the motion in part and deny it in part.
I. Background
A. Factual Background
The Court presumes familiarity with its two prior opinions, Attias v. CareFirst, Inc., 199
F. Supp. 3d 193 (D.D.C. 2016) (“Attias I”), and Attias v. CareFirst, Inc., 365 F. Supp. 3d 1
(D.D.C. 2019) (“Attias II”), which fully recount the background facts. The Court will only
briefly summarize them here.
CareFirst, Inc. and certain of its affiliates (collectively, “CareFirst”) operate a group of
health insurance companies that provide coverage to over one million people in the District of
Columbia, Maryland, and Virginia. See Second Am. Class Action Compl., ¶ 23 (“SAC”) ECF
No. 9. To receive CareFirst insurance, customers provide the company with personal
information including their names, addresses, and social security numbers. Id. ¶¶ 26–27. In
June 2014, this information (with the exception, according to CareFirst, of the insureds’ social
security numbers) was compromised when the company suffered a data breach. Id. ¶ 33.
2 CareFirst discovered the breach in April 2015 and notified the public the following month. Id.
¶ 15, 35–36. Shortly thereafter, plaintiffs filed this putative class action.
B. Procedural Background
1. The complaint
The operative complaint names seven plaintiffs: Chantal Attias and Andreas Kotzur of
the District of Columbia, Richard and Latanya Bailey of Virginia, and Curt and Connie Tringler
and Lisa Huber of Maryland. Id. ¶¶ 1–4. They each allege that CareFirst’s carelessness in
handling their personal information violated D.C. tort and contract laws, as well as the consumer
protection statutes of each plaintiff’s home state. All told, the complaint contains eleven claims:
breach of contract (Count I), negligence (Count II), violation of the District of Columbia
Consumer Protection Procedures Act (“CPPA”) (Count III), violation of the District of Columbia
Data Breach Notification Act (Count IV), violation of the Maryland Consumer Protection Act
(“MCPA”) (Count V), violation of the Virginia Consumer Protection Act (“VCPA”) (Count VI),
fraud (Count VII), negligence per se (Count VIII), unjust enrichment (Count IX), breach of the
duty of confidentiality (Count X), and constructive fraud (Count XI).
By way of damages, plaintiffs allege that the data breach heightened their risk of future
identity theft, resulting in “economic and non-economic loss in the form of mental and emotional
pain and suffering,” id. ¶ 38, as well as “years of constant surveillance of their financial and
personal records, monitoring, and loss of rights,” id. ¶ 56. Two plaintiffs, the Baileys of
Virginia, also allege that “they were not given the benefit of the services for which they
bargained[.]” Id. ¶ 114. Two more plaintiffs, the Tringlers of Maryland, allege that they
suffered “tax-refund fraud” because, at least at the time of the complaint, they had not received
an expected federal tax refund. Id. ¶ 57.
3 2. Dismissal for lack of jurisdiction
In September 2015, CareFirst moved to dismiss the complaint for lack of subject matter
jurisdiction under Rule 12(b)(1) and for failure to state a claim under Rule 12(b)(6). See Mot. to
Dismiss, ECF No. 13. The Court granted the Rule 12(b)(1) motion, finding that it lacked subject
matter jurisdiction because plaintiffs failed to satisfy the injury-in-fact requirement of Article III
standing. See Attias I, 199 F. Supp. 3d at 203. Five of the seven plaintiffs (all but the Tringlers)
failed to allege any actual misuse of their information. In accord with several other district court
decisions nationwide—including one dismissing a Maryland federal class action brought by
another group of CareFirst customers affected by the same breach—the Court concluded that
“merely having one’s personal information stolen in a data breach is insufficient to establish
standing to sue the entity from wh[ich] the information was taken.” Id. at 197. As to the
Tringlers, the Court found that they failed to plausibly allege either (i) that their social security
numbers were stolen as part of the breach, or (ii) that tax refund fraud could occur without the
perpetrators having access to such numbers. Id. at 201. The Court therefore concluded that the
Tringlers’ injury was not “fairly traceable” to the breach and that they, too, lacked standing. Id.
(citing Clapper v. Amnesty Int’l, 568 U.S. 398, 409 (2013)).
The D.C. Circuit reversed. See Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017).
The court reasoned that the complaint contained specific allegations that CareFirst “collected and
stored” personal information that could be combined to commit identity theft and fraud—even if
the compromised information did not include plaintiffs’ social security numbers. Id. at 628. The
resulting “risk of future injury” was alone “substantial enough to create Article III standing.” Id.
4 3. Dismissal for failure to state a claim
On remand, CareFirst filed a renewed Rule 12(b)(6) motion to dismiss for failure to state
a claim. See Mot. to Dismiss, ECF No. 44. The Court granted the motion in substantial part,
permitting only two claims brought by the Tringlers to proceed. See Attias II, 365 F. Supp. 3d 1
(D.D.C. 2019). As that opinion is the basis of the present motion for reconsideration, the Court
will describe it in some detail.
In resolving CareFirst’s renewed motion, the Court began by addressing the company’s
argument that plaintiffs failed to plead actual damages as required by nine of the eleven claims—
specifically, those for (1) breach of contract, (2) negligence, (3) negligence per se, (4) fraud, (5)
constructive fraud, (6) breach of duty of confidentiality, (7) violation of the MCPA, (8) violation
of the VCPA, and (9) violation of the D.C. Data Breach Notification Act. The Court addressed
each claim under the relevant governing law (for the most part, D.C. common law) and
concluded that each required an allegation of actual damages.
Turning to the operative complaint, the Court observed four potential theories of
damages: (1) actual misuse of personal information, (2) benefit of the bargain struck in the
underlying insurance contracts, (3) mitigation costs, and (4) emotional distress. Starting from the
top, the Court concluded that “actual misuse” of exposed information clearly qualified as “actual
damages.” Attias II, 365 F. Supp. 3d at 11–12. It stressed, however, that under the D.C. Court
of Appeals’ decision in Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708 (D.C.
2009), actual misuse of personal data under D.C law requires more than a mere threat of future
misuse. Rather, to sufficiently plead actual damages under that theory, D.C. common law
requires the plaintiff to allege an instance of present (or actual) misuse of her personal data. See
id. Only the Tringlers, who alleged that they suffered tax refund fraud as a result of the breach,
5 plausibly alleged such misuse. See SAC ¶ 57. The Court thus concluded that the first theory of
damages had been inadequately alleged by the other plaintiffs. Attias II, 365 F. Supp. 3d at 12.
Plaintiffs’ alternative theories of damages were less convincing. As to the second
theory—benefit of the bargain—plaintiffs “broadly allege[d] that some indeterminate amount of
their health insurance premiums went towards providing data security” that they did not receive.
Id. at 13. Observing that the D.C. Court of Appeals had not spoken on the issue, the Court ruled
in accord with fellow courts in this District that found the theory too amorphous to plausibly
allege injury-in-fact. Id. (citing In re Sci. Applications Int’l Corp. Backup Tape Data Theft
Litig., 45 F. Supp. 3d 14 (D.D.C. 2014) and Austin-Spearman v. AARP & AARP Servs. Inc.,
119 F. Supp. 3d 1, 13–14 (D.D.C. 2015)). As to the third theory—mitigation damages—the
Court looked again to Randolph, where the D.C. Court of Appeals squarely held that costs
associated with “credit monitoring or other security measures to guard against possible misuse of
[plaintiffs’] data” was “not the result of any present injury, but rather the result of the
anticipation of future injury that has not materialized.” 973 A.2d at 708 (cleaned up). See Attias
II, 365 F. Supp. 3d at 14.
The Court then turned to plaintiffs’ fourth and final theory: emotional distress. By this
stage in the analysis, the Court had rejected the economic theories of damages (as explained
above) for all but the Tringlers. Save for the Tringlers, then, plaintiffs were left with claims for
purely emotional distress. Id. at 16–17. This outcome was fatal for plaintiffs’ fraud and MCPA
claims, which permit recovery of emotional distress only where there is an accompanying
allegation of pecuniary (for the fraud claims) or physical (for the MCPA claims) injury. See id.
As to the negligence claims, D.C. law requires plaintiffs pleading purely emotional distress to
satisfy either the “zone of physical danger rule,” Williams v. Baker, 572 A.2d 1062 (D.C. 1990)
6 (en banc), or the “special relationship and undertaking rule,” Hedgepeth v. Whitman Walker
Clinic, 22 A.3d 789, 795 (D.C. 2011). Plaintiffs, who pleaded emotional distress as ancillary
damages, satisfied neither. See Attias II, 365 F. Supp. 3d at 17. The Court thus concluded that
the alleged emotional distress did not sustain plaintiffs’ burden to plead actual damages. 1 Id.
Accordingly, the Court dismissed the claims for breach of contract, negligence,
negligence per se, fraud, constructive fraud, violation of the D.C. Data Breach Notification Act,
violation of the MCPA, violation of the VCPA, and breach of the duty of confidentiality, for all
but the Tringlers. Id. In sum, the Court’s analysis of damages left the Tringlers with all their
claims and the D.C. plaintiffs with only their D.C. CPPA claims. 2 Id.
The Court then addressed CareFirst’s alternative argument that plaintiffs’ tort claims
should be dismissed as duplicative of their contract claims. This argument was premised on the
“independent duty rule,” which requires tort claimants to allege that defendants owed them a
common-law duty of care independent of any contractual relationship. See id. at 18. The Court
determined that plaintiffs ran afoul of this rule because they alleged “no facts separable from the
terms of the contract upon which the tort may independently rest.” Id. (cleaned up). The Court
thus dismissed the tort claims advanced by all plaintiffs (including the Tringlers) based on the
independent duty rule. Id. at 25. It then dismissed the D.C. plaintiffs’ claims under the D.C.
1 Plaintiffs did not seek emotional distress damages for their VCPA, D.C. Data Breach Notification Act, breach of duty of confidentiality, or breach of contract claims. 2 The Court also granted CareFirst’s motion to dismiss plaintiffs’ unjust enrichment claims as precluded by the existence of a valid, enforceable contract. See Attias II, 365 F. Supp. at 25. Plaintiffs have not requested reconsideration of that decision, and the Court finds no reason to disturb it here.
7 CPPA for largely the same reason. Id. at 25–26 (dismissing plaintiffs’ D.C. CPPA claims as
“entirely duplicative of their breach of contract claim”).
All said and done, the Court dismissed all but the Tringlers’ claims for breach of contract
and violations of the MCPA. The Court then sought the parties’ views as to whether it should
enter an order under Federal Rule of Civil Rule 54(b)—which permits certain orders that resolve
some, but not all, claims for relief to be certified as “final”—or, alternatively, under 28 U.S.C.
§ 1292(b). See Feb. 14, 2019, Min. Order. The parties “conferred and agree[d] that the Court
should enter an order under Federal Rule of Civil Procedure 54(b) directing a final appealable
judgment.” Response at 1, ECF No. 59; see also Response at 1, ECF No. 58. Finding no just
reason to delay entry of final judgment on the dismissed claims, the Court entered the requested
order on February 26, 2019. See Order, ECF No. 60. Plaintiffs appealed.
4. Subsequent proceedings
On appeal, the D.C. Circuit considered sua sponte whether the Court properly issued a
final appealable order under Rule 54(b). See Dec. 6, 2019 Per Curiam Order, Attias v. CareFirst,
969 F.3d 412 (2020) (No. 19-7020). The presiding panel requested supplemental briefing on the
issue; both sides responded that Rule 54(b) was satisfied and that the appeal was thus properly
before the Circuit. The panel disagreed. For an otherwise interlocutory order to be certified as a
final judgment under Rule 54(b), it explained, “the order must resolve a distinct claim for relief.”
Attias, 969 F.3d at 417 (cleaned up). The panel reasoned that the Court’s Rule 54(b)
certification failed to satisfy that requirement because the dismissed claims “appear[ed] highly
intertwined” with the Tringlers’ two remaining claims. Id. at 418 (cleaned up). And “if a
disposition is not ‘final’ under Rule 54(b),” the panel continued, “then it likewise cannot qualify
8 as a ‘final decision’ under [28 U.S.C. §] 1291.” Id. at 417. The Circuit thus dismissed the
appeal for lack of jurisdiction. Id. at 418.
So, the case is once again before this Court. Plaintiffs, for their part, request
reconsideration of the Court’s decision to dismiss the bulk of their complaint for failure to plead
actual damages and failure to distinguish their contract claims from their D.C. CPPA claims.
CareFirst opposes reconsideration, and requests that the case be permitted to proceed to
discovery to resolve the narrow question of whether the Tringlers have by now received their tax
refund. The Court held a hearing on plaintiffs’ reconsideration motion on October 21, 2020.
II. Legal Standard
The Court begins with a procedural point. Although plaintiffs filed their motion to
reconsider “pursuant to Federal Rules of Civil Procedure 59(e) and 60,” Pls. Memo. at 1, ECF
No. 65, neither rule permits reconsideration in these circumstances.
For starters, motions for reconsideration under Rule 59(e) “must be filed no later than 28
days after the entry of the judgment.” Plaintiffs missed that deadline by nearly two years.
Typically, courts elect to consider motions filed after the Rule 59(e) deadline under Rule 60(b),
which permits reconsideration of a court’s “final judgment” in certain circumstances. Fed. R.
Civ. P. 60(b); see, e.g., Owen-Williams v. BB & T Inv. Servs., Inc., 797 F. Supp. 2d 118, 121–22
(D.D.C. 2011). Save for the more permissive deadline, however, “in most cases, the bar stands
even higher for a party to prevail on a Rule 60(b) motion[.]” Uberoi v. EEOC, 271 F. Supp. 2d
1, 2 (D.D.C. 2002). That’s because Rule 60(b) motions are granted in very limited
circumstances, requiring a showing of “fraud, mistake, extraordinary circumstances, or other
enumerated situations.” Id. at 3.
9 Though plaintiffs neglect to specify which portion of Rule 60(b) they believe permits
reconsideration, only the “catchall provision,” Rule 60(b)(6), is arguably applicable. Resort to
Rule 60(b)(6) is “appropriate only in extraordinary circumstances,” however. Kramer v. Gates,
481 F.3d 788, 790 (D.C. Cir. 2007) (cleaned up). Here, plaintiffs’ motion is based partly on
previously available authority that plaintiffs seemingly overlooked and partly on intervening case
law. Typically, neither scenario is considered extraordinary circumstances warranting
reconsideration under Rule 60(b)(6). See Walsh v. Hagee, 10 F. Supp. 3d 15, 19 (D.D.C. 2013)
(extraordinary circumstances not presented by “theories or arguments that could have been raised
previously”) (cleaned up); Kramer v. Gates, 481 F.3d 788, 791–92 (D.C. Cir. 2007)
(extraordinary circumstances not presented by “an intervening change in case law”) (cleaned up).
Regardless, reconsideration under Rule 60(b)(6) is barred by a more glaring obstacle—
the rule explicitly applies to only final orders. See Fed. R. Civ. P. 60(b) (providing that “the
court may relieve a party or its legal representative from a final judgment, order, or proceeding”)
(emphasis added). And plaintiffs seek reconsideration of an order that the D.C. Circuit has
declared to be non-final and interlocutory. See Attias, 969 F.3d at 417–18.
All is not lost for plaintiffs, however. Because they seek reconsideration of an
interlocutory order, the Court may consider it within its discretion under Rule 54(b). See, e.g.,
Pinson v. DOJ, 321 F.R.D. 1, 3–4 (D.D.C. 2017) (reconsidering motion filed under Rules 59(e)
and 60 under Rule 54(b)). Rule 54(b) provides:
When an action presents more than one claim for relief . . . the court may direct entry of a final judgment as to one or more, but fewer than all, claims . . . . Otherwise, any order or other decision . . . does not end the action as to any of the claims or parties and may be revised at any time before the entry of a judgment adjudicating all the claims and all the parties’ rights and liabilities.
10 Fed. R. Civ. P. 54(b) (emphasis added). The distinction between the various rules is a
meaningful one, as the standard for review of interlocutory decisions is more permissive than
that applied to motions for reconsideration under Federal Rules of Civil Procedure 59(e) or
60(b). See, e.g., Williams v. Savage, 569 F. Supp. 2d 99, 108 (D.D.C. 2008). As the D.C.
Circuit has explained, “Rule 54(b)’s approach to the interlocutory presentation of new arguments
as the case evolves can be more flexible” than under Rule 59(e), “reflecting the inherent power
of the rendering district court to afford such relief from interlocutory judgments as justice
requires.” Cobell v. Jewell, 802 F.3d 12, 25 (D.C. Cir. 2015) (cleaned up).
The “as justice requires” standard “leave[s] a great deal of room for the court’s
discretion” and, at times, “amounts to determining whether relief upon reconsideration is
necessary under the relevant circumstances.” Lewis v. Dist. of Columbia, 736 F. Supp. 2d 98,
102 (D.D.C. 2010) (cleaned up). That being said, the court’s discretion under Rule 54(b) is not
boundless, but rather is “limited by the law of the case doctrine and subject to the caveat that
where litigants have once battled for the court’s decision, they should neither be required, nor
without good reason permitted, to battle for it again.” Id. (cleaned up).
III. Analysis
Plaintiffs seek reconsideration of the Court’s prior opinion for three reasons. First,
plaintiffs contend that, contrary to the Court’s initial conclusion, actual damages are not required
to state a claim for breach of contract under D.C. common law. Second, plaintiffs argue that
intervening D.C. Circuit caselaw treats data-breach mitigation expenses as “actual damages” and
thereby eliminates the Court’s basis for dismissing nine of their eleven claims. And third,
plaintiffs maintain that the Court clearly erred in concluding that CareFirst’s alleged breach of
contract is not actionable under the D.C. CPPA. The Court will address each contention in turn.
11 A. Whether Plaintiffs’ Contract Claims Require an Allegation of Actual Damages.
The Court begins with plaintiffs’ request for reconsideration of their contract claims. As
explained, the Court previously dismissed all but the Tringlers’ contract claims on the grounds
that none of the other plaintiffs pleaded actual damages. See Attias II, 969 F. Supp. 3d at 9–10,
17. For the premise that plaintiffs must allege actual damages to support a breach of contract
claim under D.C. law, the Court pointed to Cahn v. Antioch Univ., 482 A.2d 120, 130 (D.C.
1984), where the D.C. Court of Appeals observed that a “[i]t is clear in contract law that a
plaintiff is not required to prove the amount of his damages precisely; however, the fact of
damage and a reasonable estimate must be established.” (cleaned up).
In hindsight, the Courts’ reliance on Cahn may have been misplaced. As a fellow judge
on this Court recently observed, “there is a conflict within the caselaw” as to whether “proof of
actual damages is an element of a [D.C.] contract claim.” Moini v. LeBlanc, 456 F. Supp. 3d 34,
51 (D.D.C. 2020). On the one hand, the D.C. Court of Appeals has clearly indicated that
damages are required for a prima facie contract claim. See Cahn, 482 A.2d at 130; see also
Osbourne v. Capital City Mortg. Corp., 727 A.2d 322, 324–25 (D.C. 1999) (observing that a
“prima facie case for breach of contract . . . required some proof of damages”). On the other
hand, the D.C. Court of Appeals has since stated, in Wright v. Allen, that “the absence of
specific monetary injury does not prevent the accrual of a cause of action for breach of
contract[.]” 60 A.3d 749, 753 (D.C. 2013) (cleaned up). Wright explained that “[e]ven where
monetary damages cannot be proved” the prevailing party may be entitled to nominal damages,
specific performance, or declaratory relief. Id. at 206 & n.3; see also Francis v. Rehman, 110
A.3d 615, 620 (D.C. 2015) (“to state a claim for breach of contract so as to survive a Rule
12(b)(6) motion to dismiss, it is enough for the plaintiff to describe the terms of the alleged
contract and the nature of the defendant’s breach”).
12 The D.C. Court of Appeals appears not to have addressed this apparent conflict, and this
Court is not poised to resolve it on the present motion. The Court notes, however, that Wright
and Francis both post-date Cahn and Osbourne, and in order “[t]o properly discern the content of
state law,” it is this Court’s duty to “defer to the most recent decisions of the state’s highest
court.” Easaw v. Newport, 253 F. Supp. 3d 22, 34 (D.D.C. 2017) (emphasis added) (cleaned up).
The more recent cases thus favor permitting plaintiffs’ contract claims to proceed. The Court
will, therefore, grant plaintiffs’ motion to reconsider this issue and reinstate their contract claims
(Count I). 3
B. Whether Plaintiffs Alleged Actual Damages in Light of Intervening Precedent.
Plaintiffs next request reconsideration of whether they did, in fact, plead actual damages
in light the D.C. Circuit’s intervening decision in In re: U.S. Office of Pers. Mgmt. Data Sec.
Breach Lit., 928 F.3d 42 (D.C. Cir. 2019) (“OPM”). To address this argument, the Court will
first briefly recount the Circuit’s ruling in OPM before turning to whether it warrants
reconsideration of the Court’s dismissals.
1. The OPM decision
In OPM, plaintiffs filed suit against the Office of Personnel Management (“OPM”)
following a series of cyberattacks that exposed multiple OPM databases, including ones
containing information drawn from federal employment background investigations. Id. at 50.
The attacks allegedly compromised plaintiffs’ social security numbers, home addresses, and
fingerprints. Id. at 50. The claims included violations of the Privacy Act of 1974, 5 U.S.C.
§ 552a, a federal statute governing the handling of confidential records by Executive Branch
3 The Court reaches this conclusion despite the fact that plaintiffs failed to cite either Wright or Francis in their briefing on the motion to dismiss.
13 agencies. The Privacy Act permits recovery for certain violations of its terms where, among
other things, plaintiffs have suffered “actual damages” due to an agency’s willful violation. Id.
at 64 (cleaned up).
OPM sought dismissal of plaintiffs’ Privacy Act claims on the grounds that they failed to
plead the requisite damages. The district court granted the motion for all but two plaintiffs who
allegedly had incurred out-of-pocket expenses as a result of actual identity theft. In re OPM
Security Breach Lit., 266 F. Supp. 3d 1, 40 (D.D.C. 2017) aff’d in part, rev’d in part and
remanded, 928 F.3d 42 (D.C. Cir. 2019). In the district court’s view, “actual damages” excluded
allegations of identity theft, lost time, or emotional distress unaccompanied by any attendant out-
of-pocket expenses. Id. at 39–40. The court further concluded that the cost of credit monitoring
services did not suffice “because expenditures undertaken voluntarily to prevent possible future
harm [did] not constitute actual damages attributable to OPM.” Id. at 40.
The D.C. Circuit reversed in relevant part. Specifically, the court found that even those
plaintiffs who had not incurred any pecuniary losses because of a past instance of identity theft
had adequately alleged actual damages within the meaning of Privacy Act. OPM, 928 F.3d at
64–66. Such plaintiffs included those who “purchased credit protection and/or credit repair
services after learning of the breach.” Id. at 65. The court construed these types of prophylactic
expenses, despite (in some cases) having accrued wholly apart from any alleged misuse of
plaintiffs’ personal data, as the “paradigmatic example of ‘actual damages’ resulting from the
violation of privacy protections.” Id. at 65.
2. Application of OPM to plaintiffs’ claims
Plaintiffs argue that OPM requires broad reconsideration of the nine claims previously
dismissed for failure to plead actual damages. Plaintiffs home in on the Court’s rejection of their
14 mitigation theory of damages, which in their view closely resembles the theory of damages
alleged in OPM. 4 They argue that OPM’s acceptance of out-of-pocket expenses resulting from
“credit protection and/or credit repair services” as “actual damages” under the Privacy Act,
OPM, 928 F.3d at 65, undermines this Court’s prior finding that mitigation costs “cannot be
recovered as consequential damages because there is not an actual injury, only an anticipated
one,” Attias II, 365 F. Supp. 3d at 15.
The Court begins with a preliminary point: plaintiffs are mistaken that OPM is
“controlling on the issue of damages[.]” Pls. Memo. at 4; see also Reply Mot. at 4, ECF No. 71
(claiming that “OPM is controlling authority”). As this Court sits in diversity, plaintiffs’ claims
are governed by the substantive laws of D.C., Virginia, and Maryland. By contrast, OPM
construed actual damages in the context of a federal statute that is not at issue in this litigation.
And as the Court previously stated, the state law context is “all the more salient in a data breach
case” because “federal courts across the country have applied the relevant state law to claims
arising out of data breaches to very different effect.” Attias II, 365 F. Supp. 3d at 8. This
context is especially important when considering the meaning of “actual damages,” which is a
term of art that retains a “chameleon like quality” and resists any “all-purpose definition.”
Federal Aviation Admin. v. Cooper, 566 U.S. 284, 294 (2012).
4 Plaintiffs also assert that “applying the law of OPM supports that [p]laintiffs have pled damages in this case including both economic and non-economic damage.” Pls. Memo. at 3–4. Plaintiffs are incorrect. In fact, OPM reiterated that “[a]ctual damages’ within the meaning of the Privacy Act are limited to proven pecuniary or economic harm.” OPM, 928 F.3d at 64 (emphasis added).
15 Against this backdrop, the Court turns to plaintiffs’ contention that reconsideration of
“actual damages” is warranted in light of OPM. The Court will begin with the claims governed
by D.C. law before turning to those governed by Virginia and Maryland law.
a. D.C. claims
Seven claims previously dismissed for failure to plead actual damages are governed by
D.C. law—namely, plaintiffs’ claims for breach of contract (Count I), negligence (Count II),
negligence per se (Count VIII), fraud (Count VII), constructive fraud (Count XI), breach of duty
of confidentiality (Count X), and violation of the D.C. Data Breach Notification statute (Count
IV). 5
As previously explained, plaintiffs argue that the mitigation costs found to be “actual
damages” in OPM “share[] many similarities” to those rejected by this Court’s prior ruling. Pls.
Memo. at 6. That may be so. 6 Regardless, the D.C. Court of Appeals has squarely held that
“actual damages” exclude a data-breach plaintiff’s mitigation costs absent any actual misuse of
the plaintiff’s data. See Randolph, 973 A.2d at 708. Like plaintiffs here, the plaintiffs in
5 The parties agree (albeit for different reasons) that the Security Breach Protection Amendment Act of 2020, which amended provisions of the D.C. Data Breach Notification Act and CPPA, does not affect the analysis of plaintiffs’ claims under the respective statutes. See Pls. Supp. Memo., ECF No. 73; Defs. Supp. Memo., ECF No. 74. 6 While both complaints allege something akin to mitigation damages, the OPM complaint includes far more detailed allegations of misuse than the complaint presented to the Court here. See Consolidated Am. Compl., In re OPM Data Security Breach Lit., ECF No. 63. To take but a few examples, several of the OPM plaintiffs were informed that unknown individuals had either used or attempted to use their social security numbers, id. ¶¶ 14, 17, 41, 50, had falsely filed for their tax returns, id. ¶¶ 28, 29, 30, and had created fraudulent financial accounts in their names, id. ¶¶ 13, 28, 29, 30, 41, 45, 49. These claims were presented with extensive details, including when and how plaintiffs discovered the misuse and the steps plaintiffs took in response that caused them pecuniary harm. See id. The present complaint, by contrast, includes only one allegation of misuse with virtually no attendant detail.
16 Randolph sued their insurance company after their personal information was compromised due
to the company’s alleged carelessness. Id. at 705. There, too, plaintiffs claimed to have incurred
expenses on credit monitoring services and other mitigation measures taken to abate the
increased risk of future identity theft. Id. at 708. The Court of Appeals upheld the dismissal of
the complaint, finding that plaintiffs failed to state a claim. The court reasoned that while
damages caused by “present injury” suffice to state a claim, mitigation damages incurred by “the
anticipation of future injury that has not materialized” do not. Id. Drawing such a distinction,
the court noted, was in accord with “other courts that have dismissed similar negligence actions
for failure to state a claim, or have entered summary judgment for defendants, in the absence of
allegations of present injury to plaintiffs.” Id. at 708 n.9 (collecting cases). The court thus
concluded that mitigation damages failed to state a claim for actual harm under D.C. law.
There can be no argument that OPM somehow overturned Randolph. Thus, Randolph
remains binding D.C. law and continues to govern plaintiffs’ D.C. law claims. Cf. Guo Wengui
v. Clark Hill, PLC, 440 F. Supp. 3d 30, 37–38 (D.D.C. 2020) (concluding that plaintiff stated a
negligence claim under D.C. law following data breach because, unlike the plaintiffs in
Randolph, the plaintiff alleged that his information “ha[d] already been employed” by hackers)
(emphasis in original). And Randolph requires data-breach plaintiffs to plead more than
mitigation damages to state a claim under D.C. law. Accordingly, OPM provides no basis for the
Court to revisit its dismissal of plaintiffs’ D.C. claims.
Moreover, plaintiffs’ motion for reconsideration ignores the Court’s alternative basis for
dismissing their five tort claims: the independent duty rule. See Attias II, 365 F. Supp. 3d at 18–
19. As noted above, the Court concluded that plaintiffs’ tort claims ran afoul of that rule because
plaintiffs had “failed to allege a duty to reasonably safeguard insureds’ data separate from
17 CareFirst’s contractual duties.” Id. Plaintiffs do not argue that OPM altered the application of
the independent duty rule (nor could they, as the rule was not at issue in OPM). As such, the
Court further concludes that plaintiffs’ tort claims were properly dismissed on this independent
basis.
In sum, the Court will deny plaintiffs’ motion to reconsider its dismissal of plaintiffs’
claims for negligence (Count II), negligence per se (Count VIII), fraud (Count VII), constructive
fraud (Count XI), breach of duty of confidentiality (Count X), and violation of the D.C. Data
Breach Notification statute (Count IV). 7
b. Virginia and Maryland claims
Plaintiffs also seek reconsideration of their claims under the consumer protection laws of
Virginia and Maryland. See Va. Code Ann. § 59.1-204; Md. Code Ann., Com. Law § 14-308.
As previously stated, both statutes require allegations of actual damages to state a claim. See Va.
Code Ann. § 59.1-204(a); Md. Code Ann., Com. Law § 13-408(a). To the Court’s knowledge,
however, no court in either state has addressed whether expenses incurred to mitigate the risk of
future identity theft qualify as “actual damages” absent any actual misuse of the plaintiff’s
exposed data. The Court will thus briefly survey each state’s consumer protection code in
assessing whether reconsideration is warranted.
The Court begins with the claims alleged under the VCPA. Va. Code § 59.1-204(A)
states, “Any person who suffers loss as the result of a violation of this chapter shall be entitled to
initiate an action to recover actual damages, or $500, whichever is greater.” While it is clear that
7 Plaintiffs’ contract claims—which were initially dismissed for failure to plead actual damages under D.C. law—have been reinstated on other grounds, see section III.A supra.
18 the VCPA requires “loss” in order for a plaintiff to recover, “Virginia courts have provided little
guidance with respect to the meaning of ‘loss’ under the Virginia CPA.” In re Gen. Motors LLC
Ignition Switch Litig., 339 F. Supp. 3d 262, 332 (S.D.N.Y. 2018) (“General Motors”). The
General Motors court observed that the VCPA’s text permits recovery of either actual damages
or $500. Id. And while Virginia’s courts appear not to have said so expressly, other courts
interpreting analogous provisions have construed the alternative statutory remedy to be “a civil
penalty” available “where the consumer’s actual damages may otherwise be de minimis,
speculative, or too difficult to prove, but where the consumer can show that a loss has been
suffered[.]” Andreason v. Felsted, 137 P.3d 1, 5 (Utah Ct. App. 2006); see also General Motors,
339 F. Supp. 3d at 332 (construing Virginia and Utah consumer protection codes consistently
“[i]n light of the similarities in language between [their] consumer protection statutes”). The
court in General Motors thus characterized the VCPA’s “loss” requirement as “expansive”
relative to the “vast majority” of other states’ codes. Id. at 327, 332 (concluding that Virginia
was one of only six states that permits recovery for “lost free or personal time” stemming from
consumer protection violations).
This expansive interpretation of recoverable damages under the VCPA is bolstered by
Supreme Court of Virginia’s broad view of “actual damages” in other contexts. See News
Leader Co. v. Kocen, 3 S.E.2d 385, 391 (Va. 1939). In Kocen, for example, the court defined
“actual damages” as “cover[ing] all loss recoverable as a matter of right and includ[ing] all
damages other than punitive or exemplary damages.” Id. A number of Virginia circuit courts
have applied Kocen to conclude that the VCPA permits plaintiffs to recover for noneconomic
damages, see, e.g., Wingate v. Insight Health Corp., 87 Va. Cir. 227, 2013 WL 9564175 at *8
(Va. Cir. Ct. 2013), although that conclusion is not unanimous, see Humphrey v. Leewood
19 Healthcare Ctr., 73 Va. Cir. 346, 2007 WL 6013573 at *2–3 (Va. Cir. Crt. 2007) (summarizing
the dispute).
As for plaintiffs’ Maryland claims, the MCPA appears to be more restrictive than its
Virginia counterpart with respect to proving actual loss and damages. For instance, there is no
statutory award for plaintiffs to recover in lieu of actual damages. To the contrary, the Maryland
Court of Appeals has emphasized that the MCPA requires plaintiffs to have suffered an
“objectively identifiable” loss, as “measured by the amount the consumer spent or lost as a result
of his or her reliance on the sellers’ misrepresentation.” Lloyd v. Gen. Motors Corp., 916 A.2d
257, 277 (Md. 2007); see also Citaramanis v. Hallowell, 613 A.2d 964, 969–71 (Md. 1992).
Nonetheless, the Court concludes that both the VCPA and the MCPA claims warrant
reconsideration following OPM. While this result is more clearly warranted in light of
Virginia’s more expansive consumer protection code, 8 the MCPA’s somewhat more stringent
requirements present a closer question. At bottom, however, absent any biding authority to the
contrary from either state, the Court concludes that the D.C. Circuit, consistent with its reasoning
in OPM, would be more likely than not to treat mitigation expenses as actual damages under
8 The Court notes that there is some disagreement as to whether the class action device is available to plaintiffs alleging consumer protection claims under Virginia law in federal court. Compare Allen v. ConAgra Foods, Inc., 331 F.R.D. 641, 667–68 (N.D. Cal. 2019) (declining to certify class of plaintiffs bringing VCPA claims because “class actions are not generally allowed in Virginia”) (cleaned up) with Chisolm v. TranSouth Fin. Corp., 194 F.R.D. 538, 561 (E.D. Va. 2000) (certifying class of plaintiffs bringing VCPA claims). However, “[t]he question of whether a class action may be maintained with respect to the [VCPA] is proper to consider at the class certification stage rather than in considering a motion to dismiss[.]” Mouzon v. Radiancy, Inc., 200 F. Supp. 3d 83, 90 (D.D.C. 2016). This is particularly true where, as here, “[d]efendants are not arguing (on this basis) that the [complaint] fails to state a claim as to the named Virginia plaintiffs.” Id.
20 both statutes. The Court will thus grant reconsideration of plaintiffs’ claims under the VCPA
and MCPA and will reinstate Count V and Count VI. 9
C. Whether Reconsideration of Plaintiffs’ D.C. CPPA Claims is Warranted.
Finally, the Court turns to plaintiffs’ request for reconsideration of their D.C. CPPA
claims based on Velcoff v. Medstar Health, Inc., 186 A.3d 823, 827 (D.C. 2018). 10 The Court
dismissed plaintiffs’ D.C. CPPA claims because they were either (i) duplicative of the contract
claims, see Jacobson v. Hofgard, 168 F. Supp. 3d 187, 199–200, 206–07 (D.D.C. 2016); or (ii)
based on an allegation of intentional breach of contract, see Slinski v. Bank of Am., N.A., 981 F.
Supp. 2d 19, 36 (D.D.C. 2013). Attias II, 365 F. Supp. 3d at 26. Plaintiffs argue that Velcoff
undermines the Court’s reasoning. Not so. In Velcoff, the trial court dismissed the plaintiff’s
CPPA claims for failure to specify which provisions of the CPPA were violated by defendant’s
illegal trade practices. 186 A.3d at 827. The D.C. Court of Appeals rejected that reasoning,
explaining that “matching allegations of the complaint to the corresponding subsections of the
9 In reaching this conclusion, the Court notes that neither party presented briefing on whether mitigation expenses are recoverable under the VCPA or MCPA. The research reflected above is the Court’s own. As a result, the Court could revisit this issue—including defendants’ prior argument that plaintiffs lack a remedy under the VCPA because CareFirst is an insurance company—at summary judgment with the benefit of more comprehensive submissions from the parties.
Additionally, the Court notes that this conclusion does not affect its prior treatment of plaintiffs’ claims for emotional damages under the MCPA, which were dismissed for failure to allege any “consequential physical injury.” See Attias II, 365 F. Supp. 3d at 17 (quoting Sager v. Hous. Comm’n of Anne Arundel Cty., 855 F. Supp. 3d 524, 548–49 (D. Md. 2012)) (cleaned up). 10 Plaintiffs erroneously construe Velcoff as intervening authority. See Pls. Memo. at 9 (claiming that the Court’s prior decision warrants reconsideration due to “newly available controlling authority” including Velcoff). In fact, the ruling was issued prior to plaintiffs filing their reply brief. Plaintiffs thus had the opportunity to raise the case prior to the Court’s ruling.
21 CPPA is a straightforward task.” Id. Plainly, that decision does not purport to implicate whether
a breach of contract, intentional or otherwise, is actionable under the CPPA. The Court therefore
declines to reconsider its dismissal of plaintiffs’ claims under the CPPA (Count III).
IV. Conclusion
For the foregoing reasons, the Court will grant in part and deny in part plaintiffs’ Motion
for Reconsideration. A separate Order shall accompany this memorandum opinion.
CHRISTOPHER R. COOPER United States District Judge
Date: January 29, 2021