IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF MISSOURI CENTRAL DIVISION
MILDRED BALDWIN and DOUGLAS ) DYRSSEN SR., on behalf of themselves ) and others similarly situated, ) ) ) Plaintiffs, ) ) v. ) No. 2:21-CV-04066-WJE ) NATIONAL WESTERN LIFE ) INSURANCE COMPANY, ) ) Defendant. )
ORDER Pending before the Court is Defendant National Western Life Insurance Company’s (“NWL”) Motion to Dismiss (Doc. 36), and suggestions in support thereof (Doc. 37) (“Motion to Dismiss”). Plaintiffs Mildred Baldwin and Douglas Dyrssen, Sr. filed suggestions in opposition (Doc. 46), to which NWL timely replied (Doc. 49). The issues are now ripe and ready to be ruled upon. For the reasons that follow, the Court grants in part and denies in part the Motion to Dismiss. I. BACKGROUND Ms. Baldwin and Mr. Dyrssen filed this putative class action on behalf of themselves and three classes of NWL policy holders and former employees: a nationwide class, statewide Missouri class, and statewide California class. (Doc. 31 at ¶¶ 21, 86-89). Plaintiffs claim NWL failed to properly protect their personally identifying information (“PII”), and that NWL’s poor response to a subsequent data breach compromised that PII. (Id. at ¶¶ 21-56, 69-72). Ms. Baldwin, a Missouri resident, purchased a life insurance policy from NWL in 1994, and provided her PII to NWL to enroll in the policy. (Id. at ¶¶ 73-75). Mr. Dyrssen, a California resident, worked as an independent insurance agent selling NWL insurance policies from 1993 to 1994, and provided his PII to NWL to work as an independent agent on behalf of the company. (Id. at ¶¶ 79-81). Beginning on August 7, 2020, or earlier, digital intruders gained unauthorized access to NWL’s computer systems and acquired policyholders’ and employees’ PII. (Id. at ¶¶ 31-
32). On August 15, 2020, NWL discovered that unauthorized persons had accessed its computer systems when malicious software caused its systems to malfunction. (Id. at ¶¶ 31-35). On August 18, 2020, an independent data security research team informed NWL that PII was extracted from its system, including customer Social Security numbers, dates of birth, full names, dates of death, states of residence, policy numbers, and policy termination dates. (Id. at ¶¶ 36-40). The independent data security research team identified an online post wherein perpetrators of the data breach claimed responsibility for the attack. (Id. at ¶ 36). In the online post made on August 18, 2020, REvil, a ransomware operator, disclosed that it was responsible for the attack. (Id.). In the post, REvil claimed that it stole 656 gigabytes of confidential data from NWL during the breach, consisting of 25,110 folders that contained 453,695
files. (Id.). Days later, REvil made another post detailing the information gained during its attack. (Id. at ¶ 38). Specifically, on August 23, 2020, REvil made an online post that included NWL policyholders’ and employees’ PII. (Id. at ¶¶ 38-40). REvil claimed that it targeted NWL and NWL’s customers specifically, and solicited ransom payments directly from NWL policyholders whose PII was stolen. (Id. at ¶¶ 43-44). On or about September 29, 2020, NWL enlisted a third-party firm to assess the scope of the data breach. (Id. at ¶ 46). The third-party firm was tasked with identifying all the individuals potentially impacted by the data breach and the stolen information associated with each individual. (Id.). On or about December 21, 2020, NWL publicly acknowledged the data breach. (Id. at ¶ 47). Beginning on or about January 14, 2021, NWL began notifying impacted individuals about the data breach by mail. (Id. at ¶¶ 48-49). In doing so, NWL disclosed that the recipients’ personal information was stolen in a data breach, but did not outline specifically the types of PII stolen. (Id. at ¶¶ 49, 51). The letters likewise advised recipients of a high likelihood that their personal
information would be misused, and that recipients should contact credit-reporting bureaus to place security freezes or fraud alerts on their credit reports. (Id. at ¶¶ 53-54). Ms. Baldwin received a notice of data breach letter from NWL on or about January 25, 2021. (Id. at ¶ 76). Mr. Dyrssen also received a notice of data breach letter from NWL in late January 2021. (Id. at ¶ 82). The notice letters informed Ms. Baldwin and Mr. Dyrssen of the data breach and that there was a risk that their PII would be misused. (Id. at ¶¶ 76, 82). However, the letters did not inform them that customers’ and employees’ PII was posted online in August 2020. (Id. at ¶¶ 77, 83). Ms. Baldwin originally filed her Class Action Petition in the Circuit Court of Pettis County, Missouri. (Doc. 1 at ¶¶ 1-2). NWL removed the case to this Court on April 1, 2021. (Doc. 1).
Both parties acknowledged this Court’s proper personal jurisdiction and venue in Plaintiffs’ Motion for Leave to File Amended Complaint and to Set a Briefing Schedule, which effectively mooted NWL’s initial Motion to Dismiss. (Doc. 21 at 2-3). Plaintiffs then filed a nine-count Amended Complaint alleging negligence, negligence per se, invasion of privacy, breach of express/implied contractual duty, unjust enrichment, violation of the Unfair Competition Law of California (“UCL”), violation of the California Consumer Privacy Act, violation of California’s Consumer Legal Remedies Act (“CLRA”), and violation of the California Consumer Records Act. (Doc. 31 at ¶¶ 96-197). NWL subsequently filed the instant Motion to Dismiss which is now ripe for disposition. (Doc. 36). In its Motion to Dismiss, NWL argues that Plaintiffs fail to allege an actual or compensable injury resulting from NWL’s mishandling of PII. (Doc. 37 at 7). NWL further alleges that Ms. Baldwin cannot sustain claims for negligence per se, invasion of privacy, breach of
express/implied contractual duty, or unjust enrichment. (Id. at 20-26). Finally, NWL alleges that the California statutes on which Mr. Dyrssen relies are inapplicable to conduct outside the state of California and fail for a variety of other reasons. (Id. at 26-29). II. STANDARD OF REVIEW: RULE 12(b)(6) Under Federal Rule of Civil Procedure 12(b)(6), the Court may dismiss a complaint for “fail[ing] to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). A complaint survives a Rule 12(b)(6) motion if it contains “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is plausible on its face when “the plaintiff pleads factual content that allows the court to draw the reasonable inference that the
defendant is liable for the misconduct alleged.” Glick v. Western Power Sports, Inc., 944 F.3d 714, 717 (8th Cir. 2019) (quoting Iqbal, 556 U.S. at 678). “While legal conclusions can provide the framework of a complaint, they must be supported by factual allegations.” Iqbal, 556 U.S. at 679. The factual allegations “do not need to be ‘detailed,’ but they must be ‘more than labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action.’” In re SuperValu, Inc., 925 F.3d 955, 962 (8th Cir. 2019) (quoting Twombly, 550 U.S. at 555). Specifically, the standard requires “more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 556 U.S. at 678. “Determining whether a claim is plausible is a ‘context-specific task that requires the reviewing court to draw on its judicial experience and common sense.’” Hamilton v. Palm, 621 F.3d 816, 818 (8th Cir. 2010) (quoting Iqbal, 556 U.S. at 679). However, the Court must “accept the factual allegations in the complaint as true and draw all reasonable inferences in the nonmovant’s favor.” Cook v. George’s, Inc., 952 F.3d 935, 938 (8th Cir. 2020) (citing Blankenship v. USA Truck, Inc., 601 F.3d 852, 853 (8th Cir. 2010)).
III. ANALYSIS A. NWL’s challenge to standing in a 12(b)(6) motion fails. To challenge Plaintiffs’ claims generally, NWL argues that Plaintiffs failed to allege an injury sufficient to sustain any claim against it, describing Plaintiffs’ injuries as “vague and conclusory.” (Doc. 37 at 12). NWL relies on TransUnion LLC v. Ramirez, 141 S.Ct. 2190 (2021), to assert that Plaintiffs’ “entire case is premised on an alleged risk of future harm completely untethered from any actual, present injuries.” (Id.). NWL stresses that Plaintiffs’ injuries do not satisfy the constitutional requirements of standing. (Id.). First, any standing challenge must be brought under Federal Rule of Civil Procedure 12(b)(1). Standing is required for this Court to have subject-matter jurisdiction. See ABF Freight
Sys., Inc. v. Int’l Bhd. of Teamsters, 645 F.3d 954, 958 (8th Cir. 2011) (internal citations omitted). A Rule 12(b)(1) motion allows for a party to explicitly challenge this Court’s subject-matter jurisdiction. See Fed. R. Civ. P. 12(b)(1). However, the instant Motion to Dismiss was filed pursuant to Rule 12(b)(6). (Doc. 37 at 7). Thus, this Court finds that NWL’s standing challenge is not proper pursuant to Rule 12(b)(6) and could have been pursued via a Rule 12(b)(1) motion. Furthermore, NWL muddles the constitutional injury-in-fact analysis for standing with the injury analysis in the context of a Rule 12(b)(6) motion, which, of course, explores whether Plaintiffs can maintain their substantive claims. (See Doc. 37 at 12-20). This meshing of legal avenues renders inapplicable much of NWL’s cited case law. The Eighth Circuit clearly holds that “[i]t is crucial . . . not to conflate Article III’s requirement of injury in fact with a plaintiff’s potential causes of action, for the concepts are not coextensive.” Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (8th Cir. 2016) (internal citations omitted). NWL’s reliance on cases, including TransUnion, which it cites to support its proposition that Plaintiffs’ injuries are too speculative,
are not on point. (See Doc. 37 at 12). NWL correctly asserts that “[t]he existence of a legally cognizable injury is a ‘threshold issue’ that must be decided at the outset of the case.” (Doc. 49 at 3) (citing City of Clarkson Valley v. Mineta, 495 F.3d 567, 569 (8th Cir. 2007)). However, NWL fails to cite to any authority of a court performing an injury-in-fact analysis to establish standing pursuant to a Rule 12(b)(6) motion. Thus, at this stage in the legal proceedings, and absent relevant support in the case law, this Court will not engage in an injury-in-fact analysis to determine whether the Plaintiffs maintain standing to pursue their claims. B. Plaintiffs sufficiently pleaded their injuries to support their substantive claims, except for their claims for damages for emotional distress. NWL maintains that Plaintiffs’ injuries are too vague, speculative, and conclusory to
support their substantive claims under a Rule 12(b)(6) motion. (Doc. 37 at 12-20). Specifically, NWL challenges whether Plaintiffs’ injuries, including time and effort monitoring accounts, emotional distress, and “spam” phone calls and emails are sufficient to sustain Plaintiffs’ tort claims, breach of contract claims, unjust enrichment claim, and California statutory claims. (Id. at 12-13). NWL relies on cases that analyze injury within the context of standing. (See id. at 13-17). First, this Court finds that purported time and effort monitoring accounts can qualify as an injury to support Plaintiffs’ claims. NWL argues that “a hypothetical harm which may (or may not) come to plaintiff in the future” is too speculative to support recovery in torts. (Id. at 13) (quoting Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1054-55 (E.D. Mo. 2009)). While NWL attempts to analogize this case with Amburgy, the cases are distinguishable. In Amburgy, plaintiffs’ names, dates of birth, Social Security numbers, and prescription information were allegedly stolen during a data breach that resulted from defendant’s inadequate security measures. 671 F. Supp. 2d at 1049. However, the unauthorized persons who committed the data
breach in Amburgy only threatened to make the information public. Id. Crucially, in this instant case Plaintiffs allege that their PII was made public in an online post by REvil. (Doc. 31 at ¶¶ 8, 59-60). Unlike Amburgy, the actual online post goes beyond mere speculation of a future injury. Here, Plaintiffs allege that their PII was publicly disclosed online, which requires them to monitor their accounts. (Id. at ¶¶ 8, 59-60, 78, 84). NWL cites to cases that analyze injury in the context of standing to further challenge the nature of Plaintiffs’ injury, but for reasons previously discussed this Court finds the cases unpersuasive. (See Doc. 37 at 14-15). Second, this Court will dismiss Plaintiffs’ claims for damages for emotional distress. NWL argues that Ms. Baldwin’s allegations of emotional distress are insufficient because Ms. Baldwin fails to plead a medically diagnosable injury. (Id. at 15-16). Under Missouri law, “[w]here the
plaintiff is a direct victim of defendant’s negligence and seeks damages for emotional distress, the plaintiff is required to prove two additional elements: (1) the defendant should have realized that his conduct involved an unreasonable risk of causing the distress and (2) the emotional distress or mental injury must be medically diagnosable and must be of sufficient severity so as to be medically significant.” Biersmith v. Curry Ass’n Mgmt., Inc., 359 S.W.3d 84, 88 (Mo. Ct. App. 2011) (internal citation omitted); see, e.g., Couzens v. Donohue, 854 F.3d 508, 518 (8th Cir. 2017) (citing Thornburg v. Fed. Express Corp., 62 S.W.3d 421, 427 (Mo. Ct. App. 2001)). This Court finds that Plaintiffs only allege that they suffered emotional distress, but there is no indication in their Amended Complaint of the severity of that distress or that it was medically diagnosable. (See Doc. 31 at ¶¶ 62, 105). Moreover, in their Suggestions in Opposition, Plaintiffs do not refute NWL’s argument regarding the additional elements they must allege to claim emotional distress. For these reasons, the Court will dismiss Plaintiffs’ claims for damages for emotional distress. Third, this Court finds that the allegations of spam phone calls and emails can qualify as
an injury to support Plaintiffs’ claims. NWL argues that “there are no facts tying the Security Incident to such phone calls and emails.” (Doc. 37 at 17). However, tellingly, NWL does not cite to any case law to support the proposition that there must be a closer link between the data breach and alleged spam phone calls and emails. (See id.). It is true that to bring a claim of negligence in Missouri, the plaintiff must allege, among other factors, “a proximate cause between the conduct and the resulting injury.” Amburgy, 671 F. Supp. 2d at 1054 (quoting Hoover’s Dairy, Inc. v. Mid– America Dairymen, Inc./Special Prods., Inc., 700 S.W.2d 426, 431 (Mo. banc 1985)). However, in the Amended Complaint, Mr. Dyrssen alleges that “[h]e receives 2-3 spam calls per day in addition to a few scam emails per week, all of which he attributes to the NWL data breach (because he was not receiving anywhere near the same amount of spam phone calls and emails until after
the Data Breach occurred).” (Doc. 31 at ¶ 84). Thus, Mr. Dyrssen sufficiently pleads that the data breach is the proximate cause of the spam phone calls and emails. This Court will not address NWL’s argument regarding the extent to which these spam calls and emails are attributable to the data breach because that is a fact-intensive inquiry that is inappropriate for purposes of this Motion to Dismiss. See Cook, 952 F.3d at 938. Fourth, Plaintiffs’ claims regarding other Class Members’ injuries will not be dismissed. NWL argues that the injuries Plaintiffs allege, including injury to PII, prophylactic measures undertaken by Class Members, delays in receipt of tax refunds, and risks of a future NWL security incident, are too vague, speculative, and generic. (See Doc. 37 at 17-20). To make these arguments, NWL cites case law focused on injury in the context of standing, which this Court again finds unpersuasive.1 (Id.). Not only that, but this Court finds that Plaintiffs do allege they suffered actual injuries. (See Doc. 31 at ¶¶ 60-69, 121-22). NWL does not directly challenge the existence of these injuries but only attempts to argue that the Amended Complaint does not state
them in enough detail. (See Doc. 37 at 17-20). Where the Court must draw all reasonable inferences in favor of the nonmovant, the injuries alleged are sufficient to sustain Plaintiffs’ substantive claims for purposes of this Motion to Dismiss. See Cook, 952 F.3d at 938. C. Count II, the negligence per se claim, is properly pleaded and will not be dismissed. NWL challenges Ms. Baldwin’s negligence per se claim. (Doc. 37 at 20-21). First, NWL argues that Ms. Baldwin failed to plead any of the elements of negligence per se. (Id. at 20). Second, NWL contends that Ms. Baldwin failed to show causation and injury. (Id.). Third, NWL states that Section V of the Federal Trade Commission Act (“Section 5”) cannot form the basis of a negligence per se claim because it does not outline a “definite standard of care.” (Id.) (quoting Lowdermilk v. Vescovo Bldg. & Realty Co., Inc., 91 S.W.3d 617, 629 (Mo. Ct. App. 2002)). NWL
also argues that the injuries Ms. Baldwin alleges are not the type of injuries that Section 5 was designed to prevent. (Doc. 37 at 21).
1 NWL cites Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017), In re SuperValu, Inc., No. 14-MD-2586 ADM/TNL, 2016 WL 81792 (D. Minn. Jan. 7, 2016), Darnell v. Wyndham Capital Mortgage, Inc., No. 3:20-CV- 00690-FDW-DSC, 2021 WL 1124792 (W.D.N.C. Mar. 24, 2021), Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524 (D. Md. 2016), Kimbriel v. ABB, Inc., No. 5:19-CV-BO, 2019 WL 4861168 (E.D.N.C. Oct. 1, 2019), and Attias v. CareFirst, Inc., 365 F. Supp. 3d 1 (D.D.C. 2019). Kuhns is the one case NWL cites that addresses injury outside of the standing context. 868 F.3d 711. Kuhns addresses what damages are sufficient to allege breach of contract. Id. at 717-18. This Court will address Kuhns to the extent necessary when it addresses the breach of contract claims in Section III.E. Regarding the tax refund delay, NWL cites Attias. 365 F. Supp. 3d at 11. NWL argues that Attias supports its proposition that Plaintiffs’ delayed tax refund claim should be dismissed. (Doc. 37 at 19). However, even assuming that the “tax-refund fraud” in Attias is synonymous with the delay in receipt of tax refunds here, the court in Attias concluded that plaintiffs who pleaded actual tax-refund fraud could survive a Rule 12(b)(6) motion, but that claims by plaintiffs who may experience tax-refund fraud should be dismissed. See Attias, 365 F. Supp. 3d at 11-12. Since Plaintiffs’ claim an actual delay in the receipt of their tax refunds, their claims on behalf of a class who suffered that injury would survive a motion to dismiss. (Doc. 31 at ¶ 62). This Court finds that Ms. Baldwin sufficiently pleads the elements of negligence per se. There are four elements to a claim of negligence per se under Missouri law: (1) the defendant violated a statute or regulation; (2) the injured plaintiff was a member of the class of persons intended to be protected by the statute or regulation; (3) the injury complained of was the kind the statute or regulation was designed to prevent; and (4) the violation of the statute or regulation was the proximate cause of the injury.
Williams v. Bayer Corp., 541 S.W.3d 594, 605 (Mo. App. W.D. 2017) (internal quotations omitted). Ms. Baldwin pleads that NWL violated Section 5, which prohibits “unfair… practices in or affecting commerce.” (Doc. 31 at ¶ 109) (quoting 15 U.S.C. § 45). Moreover, she pleads that Section 5 prohibits “the unfair act or practice by businesses, such as Defendant, of failing to use reasonable measures to protect customers or, in this case, policyholders’ PII.” (Doc. 31 at ¶ 109). This sufficiently pleads that Section 5 meant to protect individuals like Ms. Baldwin. Additionally, this statement adequately alleges that Section 5 meant to prevent the type of harm she claims. She pleads that “[b]ut for Defendant’s wrongful and negligent breach of its duties owed to Plaintiff Baldwin and the Missouri Class, Plaintiff Baldwin and the members of the Missouri Class would not have been injured.” (Id. at ¶ 115). Taken together, Ms. Baldwin sufficiently pleads all the elements of negligence per se for the purposes of this Motion to Dismiss. In addition, Ms. Baldwin sufficiently alleges causation and injury. NWL merely cites its earlier arguments that Plaintiffs have not shown injury-in-fact. (Doc. 37 at 20). However, and as earlier outlined, Plaintiffs adequately pleaded injuries to survive a motion to dismiss. Plaintiffs claim that NWL mishandled their PII and failed to inform parties impacted by the data breach in violation of Section 5, which caused them injuries including, but not limited to, loss of time and money, lost control over the value of their PII, losses relating to exceeding credit and debit card limits, damaged credit scores, and unauthorized use of stolen personal information. (Doc. 31 at ¶¶ 30, 116-18). NWL’s unsupported argument that “as discussed above, Baldwin fails to [show causation and injury]” does not refute the causal connection between NWL’s failures and the alleged injuries. (Doc. 37 at 20). Accordingly, the Court finds this argument unpersuasive. This Court finds that Ms. Baldwin sufficiently pleads, for purposes of this Motion to
Dismiss, that Section 5 can support a claim for negligence per se. Several courts have held, looking at applicable state law schemes, that Section 5 can serve as a negligence per se claim’s statutory basis.2 Other courts have not.3 Because several courts have recognized Section 5 as adequate support for a negligence per se claim, and absent binding authority as to whether Section 5 can support a negligence per se claim, this Court declines to find that Ms. Baldwin’s claim merits dismissal at this stage. D. Ms. Baldwin states a claim for invasion of privacy, so Count III will not be dismissed. NWL challenges Ms. Baldwin’s invasion of privacy claim. (Doc. 37 at 21-22). Specifically, NWL contends that Ms. Baldwin fails to state a claim for “unreasonable publicity given to the other’s private life” because she fails to show that there was public disclosure of
embarrassing private facts. (Id.) (citing Sullivan v. Pulitzer Broad. Co., 709 S.W.2d 475, 477 (Mo. 1986)).
2 See, e.g., In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 481-82 (D. Md. 2020) (holding plaintiffs have adequately pleaded negligence per se under Georgia Law using Section 5); Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 760-61 (C.D. Ill. 2020) (“[T]he FTC Act can serve as the basis of a negligence per se claim.”); In re Capital One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 406-08 (E.D. Va. 2020) (holding that a negligence per se claim under New York law could be premised on the FTC Act). 3 See, e.g., In re Brinker Data Incident Litig., No. 18-CV-686-J-32MCR, 2020 WL 691848, at *9 (M.D. Fla. Jan. 27, 2020) (holding that FTC Act cannot be the basis of negligence per se claim under Florida law, which squarely forecloses negligence per se claims that rely on a federal statute without a private right of action); In re Sonic Corp. Customer Data Sec. Breach Litig. (Fin. Institutions), No. 17-MD-2807, 2020 WL 3577341, at *6 (N.D. Ohio July 1, 2020) (“While the FTC and other courts have interpreted Section 5’s terms to apply to data security requirements, the statute’s actual terms do not lay out positive, objective standards that, if violated, could give the standard for a negligence per se claim under Oklahoma law.” (footnotes omitted)). The Court finds that the invasion of privacy claim should stand. First, NWL assumes that Ms. Baldwin asserts a claim for “unreasonable publicity given to the other’s private life.” (Doc. 37 at 21-22). However, “unreasonable publicity given to the other’s private life” is just one of four overlapping invasion of privacy claims. Sofka v. Thal, 662 S.W.2d 502, 509-10 (Mo. 1983).
The Missouri Supreme Court has held that “‘invasion of privacy’ is a general term used to describe four different torts, each with distinct elements and each describing a separate interest that can be invaded, although the separate interests may, and often do, overlap.” Id. Plaintiffs’ Amended Complaint does not specify which invasion of privacy tort they will advance at trial. (See Doc. 31 at ¶¶ 120-25). Even if Ms. Baldwin is asserting “unreasonable publicity given to the other’s private life,” she alleged facts sufficient to support this claim. NWL argues that to assert this claim, Ms. Baldwin must demonstrate public disclosure of embarrassing private facts. (Doc. 37 at 21-22) (citing Sullivan, 709 S.W.2d at 477). In the Amended Complaint, it is alleged that REvil publicized Plaintiffs’ PII online to extort ransom from NWL. (Doc. 31 at ¶ 122). These facts allege public
disclosure. Moreover, in their Amended Complaint, Plaintiffs assert that “the disclosure of PII is certain to embarrass them and offend their dignity… [and] the original disclosure is devastating to Plaintiff Baldwin and the Missouri Class members….” (Id. at ¶ 124). NWL attempts to argue that the PII posted online does not amount to “embarrassing private information.” (Doc. 37 at 22). However, the extent of the embarrassment caused by the disclosure of Ms. Baldwin’s PII is a fact inquiry that this Court will not entertain in the instant Motion to Dismiss. See e.g., Cooper v. Hutcheson, 472 F. Supp. 3d 509, 516 (E.D. Mo. 2020). This Court may accept that there was public disclosure of Ms. Baldwin’s embarrassing private facts because the Court must assume all factual allegations in the Amended Complaint are true. See Cook, 952 F.3d at 938. Therefore, Ms. Baldwin’s invasion of privacy claim will not be dismissed. E. The breach of contract claim, Count IV, is pleaded sufficiently and will not be dismissed.
NWL argues that Ms. Baldwin’s claim for breach of contract should be dismissed because she failed to plead the existence of a contract. (Doc. 37 at 22-24). Specifically, NWL argues that Ms. Baldwin cannot sustain her breach of contract cause of action because no contract existed between the parties. (Id. at 22-23). Since NWL’s Privacy Policy was not established until 2004, ten years after Ms. Baldwin did business with NWL, NWL argues that no contract existed that it could breach. (Id.). In addition, NWL states that NWL did not breach any contract because Ms. Baldwin failed to specify the obligations that NWL did not perform. (Id. at 23-24). Lastly, NWL contends that Ms. Baldwin does not sufficiently plead that an implied contract existed between NWL and Plaintiffs. (Id. at 24). Ms. Baldwin disagrees. (Doc. 46 at 25-27). This Court finds that Ms. Baldwin pleads facts to establish that a valid contract did exist
between the parties. Under Missouri law, “[t]he essential elements of any contract . . . are ‘offer, acceptance, and bargained for consideration.’” Baker v. Bristol Care, Inc., 450 S.W.3d 770, 774 (Mo. 2014) (internal quotations omitted). Ms. Baldwin alleges that a contract formed between the parties when NWL offered to provide her life insurance. (Doc. 31 at ¶ 127). She accepted by providing payment and her PII to NWL. (Id. at ¶¶128-30). Further, Ms. Baldwin pleads that she provided payment and her PII and NWL provided a life insurance policy, which amounts to bargained for consideration. (Id.). Thus, Ms. Baldwin put forth facts, which this Court must assume as true, that amount to offer, acceptance, and bargained for consideration. Ms. Baldwin sufficiently pleads that a valid contract existed between the parties under Missouri law for purposes of this Motion to Dismiss. Further, this Court finds that Ms. Baldwin sufficiently pleads that NWL breached that contract. To establish breach of contract under Missouri law, there are four elements: “(1) the
existence of an enforceable contract; (2) the presence of mutual obligations under the contract; (3) failure to perform an obligation specified in the contract; and (4) damages.” In re Luebbert, 987 F.3d 771, 785 n.4 (8th Cir. 2021) (quoting Sch. Dist. of Kansas City v. Bd. of Fund Comm’rs, 384 S.W.3d 238, 259 (Mo. Ct. App. 2012)). Ms. Baldwin pleads that in entering the contract with NWL, NWL “promised to maintain safeguards to protect customers’ PII,” but breached this contract by failing to maintain such safeguards. (Doc. 31 at ¶¶ 129-33). Ms. Baldwin pleads that she and purported Class Members “would not have entrusted their PII to Defendant in the absence of such an agreement” and that NWL’s “failure to ensure the confidentiality and integrity of electronic PII… [violated] 45 C.F.R. § 164.306(a)(1).”4 (Id. at ¶¶ 132-33). Finally, this Court finds that Ms. Baldwin sufficiently pleads that an implied contract
existed between the parties. She alleges that by providing PII to NWL, an implied contract was created that NWL would take “appropriate measures to safeguard their PII.” (Doc. 46 at 25-26) (citing Boatmen’s Bank of Mid-Missouri v. Crossroads W. Shopping Ctr., Ltd., 907 S.W.2d 800, 803 (Mo. App. 1995)) (“When the parties to a contract have not agreed with respect to a term which is essential to determination of their rights and duties, the term which is reasonable in the circumstances is supplied by the Court.”)). Indeed, some federal courts hold that the transfer of
4 These alleged facts distinguish this case from Kuhns, where in Kuhns the plaintiffs did not plead, in regards to their breach of contract claim, that the defendant violated a law or that defendant somehow misrepresented the conditions of the contract. 868 F.3d at 717. PII from one party to another in exchange for services creates an implied contract to secure it.5 Others have not.6 Yet, in light of the procedural standard at this early stage of litigation, the Court finds that in addition to breach of an express contract, Plaintiffs sufficiently allege that NWL breached its obligations of an implied contract by failing to secure Ms. Baldwin’s and purported
Class Members’ PII. F. The unjust enrichment claim, Count V, is properly pleaded and will not be dismissed. NWL next asserts that Ms. Baldwin does not state a claim for unjust enrichment because she does not plead that she provided any benefit to NWL or that she received anything less than what she bargained for from NWL. (Doc. 37 at 24-26). Moreover, NWL argues that since Ms. Baldwin is already arguing that there is an express contract governing the subject of the transaction, she cannot also claim unjust enrichment. (Id. at 24-25). Ms. Baldwin alleges that she conferred a benefit upon NWL when she paid for life insurance and that part of those payments were for data security. (Doc. 31 at ¶¶ 143-44; Doc. 45 at 21). She states that she was deprived the full benefit of these payments because NWL did not provide the data security for
which she expected and paid. (Doc. 31 at ¶¶ 145-46). The result, she claims, was the Data Breach. (Id. at ¶¶ 30, 145-47) Under Missouri law, “[a] claim for unjust enrichment has three elements: a benefit conferred by a plaintiff on a defendant; the defendant’s appreciation of the fact of the benefit; and
5 See Mackey v. Belden, Inc., No. 21-CV-00149-JAR, 2021 WL 3363174 at *11 (E.D. Mo. Aug. 3, 2021) (“At this early stage of litigation, this Court finds that Mackey has sufficiently alleged that Belden abused its discretion under the supposed implied contract by failing to adequately secure PII.”) (citation omitted); Perdue, 455 F. Supp. 3d at 764; Irwin v. Jimmy John’s Franchise, 175 F. Supp. 3d 1064, 1070 (C.D. Ill. 2016); In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 531-32 (N.D. Ill. 2011); Hiscox Ins. Co. v. Warden Grier, LLP, 474 F. Supp. 3d 1004, 1009-10 (W.D. Mo. 2020). 6 See J.R. v. Walgreens Boots All., Inc., 470 F. Supp. 3d 534, 558-59 (D.S.C. 2020) (holding that no contract could be implied where customers did not know that their PII would be shared by a pharmacy operator, a term prohibiting such use of their PII could not be implied); see also Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 865 (N.D. Cal. 2011) (holding that the express provisions of defendant’s privacy policy, which waived liability for unauthorized access of personal information on secure servers, implied a contract to protect that data on unsecured servers). the acceptance and retention of the benefit by the defendant in circumstances that would render that retention inequitable.” Topchian v. JPMorgan Chase Bank, N.A., 760 F.3d 843, 854 (8th Cir. 2014) (quoting Hertz Corp. v. RAKS Hospitality, Inc., 196 S.W.3d 536, 543 (Mo. Ct. App. 2006)). Crucially, “[t]here can be no unjust enrichment claim, however, where an express contract exists.”
Id. (quoting Howard v. Turnbull, 316 S.W.3d 431, 436 (Mo. Ct. App. 2010)). The Court finds that Ms. Baldwin states a claim for unjust enrichment for the purposes of this Motion to Dismiss. First, she pleads that Plaintiffs conferred a benefit on NWL because they provided payment to NWL to receive their life insurance policies. (Doc. 31 at ¶¶ 143-44). In addition, Ms. Baldwin pleads that in exchange for payment, she and members of the purported Classes believed NWL would securely maintain their PII. (Id. at ¶ 145-46). However, Ms. Baldwin pleads that she and members of the purported Classes did not receive the benefit of securely maintained PII because their PII was disclosed in a data breach. (Id.). Courts within the Eighth Circuit have similarly allowed unjust enrichment claims for stolen PII when the plaintiff provided payment based on an understanding that their PII would be secure. See, e.g., In re Target Corp.
Data Sec. Breach Litigation, 66 F. Supp. 3d 1154, 1178 (D. Minn. 2014). Moreover, NWL is correct in asserting that Ms. Baldwin cannot prosecute both breach of an express contract and unjust enrichment. (Doc. 37 at 24-25) (citing Howard, 316 S.W.3d at 436). However, the Amended Complaint specifically asserts that the unjust enrichment claim is an alternative claim to the breach of contract claim. (Doc. 31 at ¶ 142). Therefore, at this stage, this Court will not dismiss Plaintiffs’ unjust enrichment claim. G. Claims alleging violation of the Unfair Competition Law of California (Count VI) and California’s Consumer Legal Remedies Act (Count VIII) will survive. NWL, a Colorado corporation with a principal place of business in Texas, argues California law is “inapplicable” to the claims of this case. (Doc. 37 at 26). Specifically, NWL argues that this case relates to conduct “occurring outside the state of California” and that the Dormant Commerce Clause requires that California law only apply within the state of California. (Id.). To
the contrary, Mr. Dyrssen contends that there will be no extraterritorial application of the California laws in violation of the Dormant Commerce Clause. (Doc. 46 at 29). Mr. Dyrssen “seeks to apply California law to California residents like himself for acts occurring in the State of California, for harm incurred in California.” (Id.). This Court finds that the Amended Complaint clearly states that the charges relate to conduct occurring “in the course of [NWL’s] business of marketing, offering for sale, and selling goods and services throughout the United States, including sales in the State of California.” (Doc. 31 at ¶ 150). Mr. Dyrssen pleads that he and the purported California Class were harmed in California. (Id. at ¶¶ 149-57). Whether the data breach happened in California or not is not relevant to the application of California law. Therefore, this Court will not dismiss and finds the UCL and CLRA are applicable to the claims of this case.
NWL further asserts that the Court should dismiss the UCL claim because Mr. Dyrssen does not maintain “any consumer relationship” with NWL and, “[c]onsequently, the UCL offers him no remedy.” (Doc. 37 at 27). Mr. Dyrssen states that there is simply no requirement that he be a “consumer” for the UCL to apply, and that he is clearly not a “relatively sophisticated” corporate plaintiff operating pursuant to a detailed commercial contract. (Doc. 46 at 30). This Court finds that the purpose of the UCL is to “protect both consumers and competitors by promoting fair competition in commercial markets for goods and services . . . [and the California Legislature] intended this ‘sweeping language’ to include ‘anything that can properly be called a business practice and that at the same time is forbidden by law.” Kwikset Corp. v. Super. Ct., 246 P.3d 877, 883 (Cal. 2011) (internal citations omitted). There appears to be no requirement for Mr. Dyrssen or the California Class to be consumers. They are clearly protected by the UCL’s “broad, sweeping language.” Id. (internal citations omitted). Therefore, the Court will not dismiss and finds that the UCL offers a remedy.
Alternatively, NWL asserts that Mr. Dyrssen cannot sustain a UCL claim because he fails to show a qualifying injury. (Doc. 37 at 27). Mr. Dryssen argues he has amply demonstrated both injury and damages. (Doc. 46 at 30-31). This Court finds Mr. Dyrssen properly pleads in the Amended Complaint his injuries resulting from NWL’s alleged UCL violation. (See Doc. 31 at ¶¶ 148-60). NWL’s arguments do nothing to refute those claims and the Court will not dismiss. Next, NWL argues that Mr. Dyrssen is bootstrapping violations of the California Consumer Protection Act and the Federal Trade Commission Act onto his UCL claim. (Doc. 37 at 28). Specifically, NWL asserts that neither the California Consumer Protection Act nor the Federal Trade Commission Act provide a private right to action. (Id.). Mr. Dyrssen argues that the UCL claim is not a bootstrap of either statute, and that the UCL claim is for fraudulent omission,
unlawful acts, and unfair acts. (Doc. 46 at 31). The Court finds the citation to the California Consumer Protection Act and the Federal Trade Commission Act only set out the standards of care that Mr. Dyrssen alleges that NWL violated. Thus, this Court will not dismiss the UCL claim. Lastly, NWL also challenges Mr. Dyrssen’s claim pursuant to the CLRA, arguing he was not a consumer. (Doc. 37 at 29). Moreover, NWL suggests that life insurance does not qualify as a “good or service,” which is required under the CLRA. (Id.). Finally, NWL challenges the CLRA claim because it alleges that Mr. Dyrssen did not comply with the pre-suit notice requirement. (Id.). Mr. Dyrssen contends he is a “consumer” within the meaning of the CLRA and sought the services of NWL (the service of providing life insurance to policy holders) for his personal financial benefit. (Doc. 46 at 31). He does not allege that life insurance is a “service.” Rather, the “good or service” he purchased from NWL was “being able to sell NWL policies as an independent agent.” (Doc. 31 at ¶ 81). He contends pre-suit notice is not required where only injunctive relief is sought under the CLRA. (Doc. 46 at 31). For the purposes of this Motion to Dismiss, Plaintiffs
sufficiently pleaded that Mr. Dyrssen was a consumer for the purposes of CLRA. Moreover, pre- suit notice is not required when only injunctive relief is sought. Rosales v. FitFlop USA, LLC, 882 F. Supp. 2d 1168, 1177 (S.D. Cal. 2012) (“1782(d) allows a plaintiff to bring a CLRA action for injunctive relief without compliance with the notice provisions of subdivision (a).”). Plaintiffs indeed seek injunctive relief in this case. (Doc. 31 at ¶ 182). This CLRA claim survives. H. Claims alleging violation of the California Consumer Privacy Act (Count VII) and California Consumer Records Act (Count IX) will not be dismissed. While NWL suggests generally that all of Mr. Dyrssen’s statutory claims should be dismissed, it does not directly or specifically challenge the claims alleging violation of the California Consumer Privacy Act or California Consumer Records Act. Therefore, Counts VII
and IX survive this Motion to Dismiss. IV. CONCLUSION Accordingly, it is hereby ORDERED that NWL’s Motion to Dismiss (Doc. 36) is GRANTED in part and DENIED in part. The claims for damages for emotional distress are dismissed. All other claims survive. Dated this 15th day of September, 2021, at Jefferson City, Missouri.
Willie J. Epps, Jr. United States Magistrate Judge