UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK
---------------------------------------------------------- X : NANCY BOHNAK and JANET LEA SMITH, : : ORDER AND OPINION on behalf of themselves and all others similarly : DENYING IN PART AND situated, : GRANTING IN PART MOTION : T O D I S M I S S F O R L A CK OF Plaintiffs, : SUBJECT-MATTER -against- : JURISDICTION AND FAILURE : TO STATE A CLAIM MARSH & MCLENNAN COS., INC and : MARSH & MCLENNAN AGENCY LLC, : 21 Civ. 6096 (AKH) : Defendants. : ---------------------------------------------------------- X
ALVIN K. HELLERSTEIN, U.S.D.J.: Plaintiffs Nancy Bohnak (“Bohnak”) and Janet Lea Smith (“Smith”), (collectively “Plaintiffs”) bring a nationwide class action complaint against Defendants Marsh & McLennan Companies, Inc. and Marsh & McLennan Agency, LLC (“Defendant MMA”), (collectively “Defendants”), for alleged injuries arising from a data breach compromising Plaintiffs’ personally-identifiable information (“PII”) in Defendants’ possession. Complaint (“Compl.), ECF No. 1. Plaintiffs bring state-law claims for (1) negligence, (2) breach of implied contract, and (3) breach of confidence. They allege jurisdiction pursuant to 28 U.S.C. 1332(d) (class action alleging damages in excess of $5 million exclusive of interest and costs, more than 100 members in the proposed class, and diverse citizenship between at least one Class Member and Defendants). Defendants move to dismiss for lack of subject-matter jurisdiction (R. 12(b)(1)) and for failure to state a claim upon which relief may be granted (R. 12(b)(6)). (ECF No. 23). For the reasons discussed below, Defendants’ motion to dismiss for lack of subject matter jurisdiction is denied, and their motion to dismiss for failure to state a claim is granted. BACKGROUND The following facts are taken from the Complaint, which I must “accept[] as true” for the purpose of this motion. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Plaintiffs are Florida residents and former employees of Defendant MMA, Compl. ¶¶ 58, 67, providing
professional services in the areas of risk, strategy, and people,” Id. ¶ 26, and serving the risk prevention and insurance needs of middle market companies in the United States. Id. ¶ 4. Defendants are New York corporations that stored the PII of at least 7,000 individuals—data which included “Social Security or other federal tax identification numbers, driver’s license or other government issued identification, and passport information”— including, but not limited to, Plaintiffs’ Social Security or other federal tax id number, which Defendants acquired directly from Plaintiffs, or through Defendants’ purchase of or merger with Plaintiffs’ former employers. Id. ¶ 7–8, 58, 67. The PII of individuals is of “high value to criminals,” and evidenced by the prices they will pay through the dark web. Id. ¶ 44. Social security numbers are among the most useful kind of personal information to have stolen because they may be put to a variety of
fraudulent uses and are difficult for an individual to change, particularly because an individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. Id. ¶¶ 45–46. Notwithstanding the sensitivity of the information in Defendants’ possession, none of the data was encrypted. Id. ¶ 8. In contrast, Plaintiffs Bohnak and Smith were very careful about sharing their PII and have never knowingly transmitted their unencrypted sensitive PII over the internet or any other unsecured source. Id. ¶¶ 61, 70. They store any documents containing their PII in a safe and secure location or destroy the documents. Id. ¶¶ 62, 71. Further they diligently choose unique usernames and passwords for their various online accounts. Id. On June 30, 2021, Plaintiffs received the following Notice of Data Breach from Defendants: WHAT HAPPENED. On April 26, 2021, we discovered that an unauthorized actor had leveraged a vulnerability in a third party’s software since at least April 22, to gain access to a limited set of data in our environment. As soon as we became aware of the issue, we launched an investigation and took measures to restrict any further unauthorized activity or access to data; that access ended on April 30.
WHAT INFORMATION WAS INVOLVED. We have determined that the personal information involved in this incident included your name and the following: Social Security or other federal tax id number.
WHY DO WE HAVE YOUR DATA. We held this information because you are a current or former colleague, spouse or dependent of a colleague, employee or former employee of a client, contractor, applicant, investor, or because we or one of our businesses purchased or merged with a business with whom you had such a relationship.
WHAT WE ARE DOING. We notified law enforcement and took immediate actions to terminate the unauthorized actor’s access and prevent future access. These measures included resetting IT administrator access rights, and imposing additional restrictions on access to various systems on our network.
Id. ¶¶ 59, 68, 30, Ex. 1. Plaintiffs allege that Defendants failed to: “(i) adequately protect the PII of Plaintiffs and Class Members; (ii) warn Plaintiffs and Class Members of Defendants’ inadequate information security practices; and (iii) effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities and incidents.” Id. ¶ 14. As a result, Plaintiffs allege that they have suffered injuries which include: “(i) lost or diminished value of PII; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to lost time, and (iv) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) may remain backed up in Defendants’ possession and is subject to further
unauthorized disclosures so long as Defendants fails to undertake appropriate and adequate measures to protect the PII.” Id. ¶ 15. Plaintiffs bring state law claims of negligence, breach of implied contract, and breach of confidence. Defendants move to dismiss the Complaint for lack of subject-matter jurisdiction and failure to state a claim upon which relief may be granted. DISCUSSION I. Legal Standard “A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court ‘lacks the statutory or constitutional power to adjudicate it.’” Mastafa v. Chevron Corp., 770 F.3d 170, 177 (2d Cir. 2014) (quoting Makarova v. United
States, 201 F.3d 110, 113 (2d Cir. 2000)). The plaintiff has the burden of proving by “a preponderance of the evidence that it exists.” Id. “[T]he court must take all facts alleged in the complaint as true and draw all reasonable inferences in favor of plaintiff, but jurisdiction must be shown affirmatively, and that showing is not made by drawing from the pleadings inferences favorable to the party asserting it.” Morrison v. Nat'l Austl. Bank Ltd., 547 F.3d 167, 170 (2d Cir. 2008) (citations and internal quotation marks omitted), aff'd, 561 U.S. 247 (2010).
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK
---------------------------------------------------------- X : NANCY BOHNAK and JANET LEA SMITH, : : ORDER AND OPINION on behalf of themselves and all others similarly : DENYING IN PART AND situated, : GRANTING IN PART MOTION : T O D I S M I S S F O R L A CK OF Plaintiffs, : SUBJECT-MATTER -against- : JURISDICTION AND FAILURE : TO STATE A CLAIM MARSH & MCLENNAN COS., INC and : MARSH & MCLENNAN AGENCY LLC, : 21 Civ. 6096 (AKH) : Defendants. : ---------------------------------------------------------- X
ALVIN K. HELLERSTEIN, U.S.D.J.: Plaintiffs Nancy Bohnak (“Bohnak”) and Janet Lea Smith (“Smith”), (collectively “Plaintiffs”) bring a nationwide class action complaint against Defendants Marsh & McLennan Companies, Inc. and Marsh & McLennan Agency, LLC (“Defendant MMA”), (collectively “Defendants”), for alleged injuries arising from a data breach compromising Plaintiffs’ personally-identifiable information (“PII”) in Defendants’ possession. Complaint (“Compl.), ECF No. 1. Plaintiffs bring state-law claims for (1) negligence, (2) breach of implied contract, and (3) breach of confidence. They allege jurisdiction pursuant to 28 U.S.C. 1332(d) (class action alleging damages in excess of $5 million exclusive of interest and costs, more than 100 members in the proposed class, and diverse citizenship between at least one Class Member and Defendants). Defendants move to dismiss for lack of subject-matter jurisdiction (R. 12(b)(1)) and for failure to state a claim upon which relief may be granted (R. 12(b)(6)). (ECF No. 23). For the reasons discussed below, Defendants’ motion to dismiss for lack of subject matter jurisdiction is denied, and their motion to dismiss for failure to state a claim is granted. BACKGROUND The following facts are taken from the Complaint, which I must “accept[] as true” for the purpose of this motion. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Plaintiffs are Florida residents and former employees of Defendant MMA, Compl. ¶¶ 58, 67, providing
professional services in the areas of risk, strategy, and people,” Id. ¶ 26, and serving the risk prevention and insurance needs of middle market companies in the United States. Id. ¶ 4. Defendants are New York corporations that stored the PII of at least 7,000 individuals—data which included “Social Security or other federal tax identification numbers, driver’s license or other government issued identification, and passport information”— including, but not limited to, Plaintiffs’ Social Security or other federal tax id number, which Defendants acquired directly from Plaintiffs, or through Defendants’ purchase of or merger with Plaintiffs’ former employers. Id. ¶ 7–8, 58, 67. The PII of individuals is of “high value to criminals,” and evidenced by the prices they will pay through the dark web. Id. ¶ 44. Social security numbers are among the most useful kind of personal information to have stolen because they may be put to a variety of
fraudulent uses and are difficult for an individual to change, particularly because an individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. Id. ¶¶ 45–46. Notwithstanding the sensitivity of the information in Defendants’ possession, none of the data was encrypted. Id. ¶ 8. In contrast, Plaintiffs Bohnak and Smith were very careful about sharing their PII and have never knowingly transmitted their unencrypted sensitive PII over the internet or any other unsecured source. Id. ¶¶ 61, 70. They store any documents containing their PII in a safe and secure location or destroy the documents. Id. ¶¶ 62, 71. Further they diligently choose unique usernames and passwords for their various online accounts. Id. On June 30, 2021, Plaintiffs received the following Notice of Data Breach from Defendants: WHAT HAPPENED. On April 26, 2021, we discovered that an unauthorized actor had leveraged a vulnerability in a third party’s software since at least April 22, to gain access to a limited set of data in our environment. As soon as we became aware of the issue, we launched an investigation and took measures to restrict any further unauthorized activity or access to data; that access ended on April 30.
WHAT INFORMATION WAS INVOLVED. We have determined that the personal information involved in this incident included your name and the following: Social Security or other federal tax id number.
WHY DO WE HAVE YOUR DATA. We held this information because you are a current or former colleague, spouse or dependent of a colleague, employee or former employee of a client, contractor, applicant, investor, or because we or one of our businesses purchased or merged with a business with whom you had such a relationship.
WHAT WE ARE DOING. We notified law enforcement and took immediate actions to terminate the unauthorized actor’s access and prevent future access. These measures included resetting IT administrator access rights, and imposing additional restrictions on access to various systems on our network.
Id. ¶¶ 59, 68, 30, Ex. 1. Plaintiffs allege that Defendants failed to: “(i) adequately protect the PII of Plaintiffs and Class Members; (ii) warn Plaintiffs and Class Members of Defendants’ inadequate information security practices; and (iii) effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities and incidents.” Id. ¶ 14. As a result, Plaintiffs allege that they have suffered injuries which include: “(i) lost or diminished value of PII; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to lost time, and (iv) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) may remain backed up in Defendants’ possession and is subject to further
unauthorized disclosures so long as Defendants fails to undertake appropriate and adequate measures to protect the PII.” Id. ¶ 15. Plaintiffs bring state law claims of negligence, breach of implied contract, and breach of confidence. Defendants move to dismiss the Complaint for lack of subject-matter jurisdiction and failure to state a claim upon which relief may be granted. DISCUSSION I. Legal Standard “A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court ‘lacks the statutory or constitutional power to adjudicate it.’” Mastafa v. Chevron Corp., 770 F.3d 170, 177 (2d Cir. 2014) (quoting Makarova v. United
States, 201 F.3d 110, 113 (2d Cir. 2000)). The plaintiff has the burden of proving by “a preponderance of the evidence that it exists.” Id. “[T]he court must take all facts alleged in the complaint as true and draw all reasonable inferences in favor of plaintiff, but jurisdiction must be shown affirmatively, and that showing is not made by drawing from the pleadings inferences favorable to the party asserting it.” Morrison v. Nat'l Austl. Bank Ltd., 547 F.3d 167, 170 (2d Cir. 2008) (citations and internal quotation marks omitted), aff'd, 561 U.S. 247 (2010). To survive a Rule 12(b)(6) motion to dismiss, Plaintiffs must allege “sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Iqbal, 556 U.S. at 678. A claim is facially plausible when it pleads “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. “Where a complaint pleads facts that are merely consistent with a defendant's liability, it stops short of the line between possibility and plausibility of entitlement to relief.” Id. When considering a motion to dismiss a complaint under Rule 12, the Court must
“accept[] all of the complaint's factual allegations as true and draw[] all reasonable inferences in the plaintiff's favor.” See Katz v. Donna Karan Co. Store, L.L.C., 872 F.3d 114, 118 (2d Cir. 2017). However, the Court is “not bound to accept conclusory allegations or legal conclusions masquerading as factual conclusions.” Id. The Court is limited to a “narrow universe of materials.” Goel v. Bunge, Ltd., 820 F.3d 554, 559 (2d Cir. 2016). “Generally, [courts] do not look beyond ‘facts stated on the face of the complaint, . . . documents appended to the complaint or incorporated in the complaint by reference, and . . . matters of which judicial notice may be taken.’" Id. (quoting Concord Assocs., L.P. v. Entm't Props. Tr., 817 F.3d 46, 51 n. 2 (2d Cir. 2016)) (alterations in original). II. Analysis
A. Subject Matter Jurisdiction Defendants argue that I lack subject-matter jurisdiction because Plaintiffs fail to plausibly allege a concrete injury-in-fact, and thus, lack Article III standing. MTD, at 6–12. “Article III [of the Constitution] confines the federal judicial power to the resolution of ‘Cases or Controversies.’” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2203 (2021). A case or controversy requires the plaintiff to “have a ‘personal stake’ in the case—in other words, standing.” Id. (quoting Raines v. Byrd, 521 U.S. 811, 819 (1997)). To demonstrate standing, “a plaintiff must show (i) that [s]he has suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion, 141 S. Ct. at 2203 (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992)); Clapper v. Amnesty Int’l, USA, 568 U.S. 398, 409 (2013); Lacewell v. Office of the Comptroller of the Currency, 999 F.3d 130, 141 (2d Cir. 2021).
Concreteness The Complaint alleges that Plaintiffs will suffer a future, indefinite risk of identity theft, and that they have lost time and money responding to this risk. I hold that, under the Supreme Court’s latest pronouncement in TransUnion, Plaintiffs cannot allege a concrete injury relying solely upon a future risk of harm; however, Plaintiffs may, and do, plausibly allege that the exposure to the risk of identify theft causes concrete injury, and thus, have Article III standing. A concrete injury is “real, and not abstract.” TransUnion, 141 S. Ct. at 2204 (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016)). As to the types of harms that are concrete, certain harms readily qualify as concrete. These include traditional tangible harms,
such as physical and monetary injuries. Id. But intangible harms can also be concrete, and can give rise to Article III standing. Id. “[H]istory and tradition offer a meaningful guide to the types of cases [and alleged injuries] that Article III empowers federal courts to consider.” Id. (citing Sprint Communications Co. v. APCC Servs., Inc., 554 U.S. 269, 274 (2008)). The Supreme Court has instructed that “courts should assess whether the alleged injury to the plaintiff has a ‘close relationship’ to a harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” Id. (quoting Spokeo, 578 U.S. at 341). The inquiry asks “whether plaintiffs have identified a close historical or common-law analogue for their asserted injury . . . but does not require an exact duplicate in American history or tradition.” Id. In addition, where a legislature supplies a cause of action, courts may look to legislative intent, as the views of Congress or a state legislature may be “instructive,” and both Congress and state legislative bodies may “elevate to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Id. at 2204–05; Maddox v. N.Y. Mellon Trust Co., N.A., 997
F.3d 436, 443–44 (2d Cir. 2021) (holding that state legislatures have the power “to recognize or create legally protectible interests whose invasion gives rise to Article III standing, subject to the same general limitations that the Supreme Court has alluded to with respect to Congress’s ability to do so”). Although the Supreme Court has never addressed the question of whether an increased risk of identify theft caused by a data breach causes concrete or “certainly impending” injury-in-fact, the Second Circuit recently decided the question in McMorris v. Carlos Lopez & Associates, LLC. It held that plaintiffs alleging a risk of future harm arising out of a data breach may have standing. 995 F.3d 295, 301 (2d Cir. 2021). The McMorris court provided a three- factor test for analyzing whether an alleged “risk of identity theft or fraud is sufficiently
‘concrete, particularized, and . . . imminent.’” Id. (quoting Thole v. U.S. Bank N.A., 140 S. Ct. 1615, 1618 (2020)). These factors include, but are not limited to: (i) whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data; (ii) whether the plaintiffs can show that at least some part of the compromised dataset has been misused—even if plaintiffs’ particular data has not yet been affected; and (iii) whether the type of data is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud, such as Social Security numbers and date of birth, particularly when accompanied by victims’ names. Id. at 301–03. McMorris ruled also that expenses reasonably incurred to mitigate a substantial risk of future identity theft or fraud may also qualify as injury-in-fact, but only where a substantial risk exists in the first instance, not when plaintiffs incur expenses protecting themselves against a “speculative threat.” Id. at 303 (quoting Clapper, 568 U.S. at 416) (“[P]laintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’”).
After the Second Circuit decided McMorris, but before Plaintiffs brought this action, the Supreme Court decided TransUnion, which also presented a question about whether a future risk of harm is sufficiently concrete to support Article III standing. There, the plaintiffs brought a class-action against a defendant credit-reporting company under the federal Fair Credit Reporting Act, alleging harm stemming from erroneous alerts in the plaintiffs’ credit reports, which flagged them as potential terrorists. See TransUnion, 141 S. Ct. at 2211. However, the defendant had disseminated the credit reports of some of the class members to third parties, and it challenged the standing of those members whose reports had not been disseminated, arguing that those members had not alleged a concrete injury. Id. The class members argued that even absent dissemination, they suffered concrete harm and proffered two theories of standing—that
the presence of the erroneous alert in their credit profiles itself caused concrete harm akin to that caused by defamation, or in the alternative, that they suffered a risk of future harm when and if their reports were disseminated. See id. The Court rejected both theories. First, it found that the mere presence of the erroneous alert did not cause concrete injury because the harm did not closely resemble that associated with common-law defamation. See id. at 2209–10. Because libel and slander per se require evidence of publication, which is traditionally “presumed to cause a harm, albeit not a readily quantifiable harm,” the plaintiffs’ failure to allege dissemination was fatal to the first theory. Id. at 2210. As to the plaintiffs’ second theory (the risk of future harm), the Court found it too speculative to support standing because there was no evidence in the record establishing “a serious likelihood of disclosure,” and in its absence, courts “cannot simply presume a material risk of concrete harm.” Id. at 2212 (citation omitted). In addition, the Court held that plaintiffs cannot maintain a suit for retrospective damages based upon “the mere risk of future harm—at
least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210. The TransUnion Court’s rejection of the mere risk of future harm calls into question the continuing validity of McMorris and Plaintiffs’ primary theory of standing in this case. Moreover, even assuming that a risk of harm can still give rise to Article III standing, Plaintiffs’ allegations do not establish that “the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.’” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Clapper, 568 U.S. at 409). The Complaint explains why PII is valuable and how, and for how much, it can be sold on the “dark web.” It cites Social Security numbers, at issue here, as among the worst kind of personal information to have stolen because
they may be put to a variety of fraudulent uses. It notes that they are difficult for an individual to change because to do so, an individual must show evidence of actual, ongoing fraud activity to obtain a new number. At best, these allegations establish the severity of harm that could result. The Complaint is bereft, however, of allegations suggesting Plaintiffs will suffer this harm, or do so imminently. In fact, Plaintiffs’ allegation that “fraudulent activity . . . may not come to light for years” suggests just the opposite. Given that Plaintiffs do not allege any misuse of their—or any other class members’—data, I find the Complaint’s allegations of future risk of harm too speculative to support Article III standing. Although TransUnion foreclosed Plaintiffs’ reliance on the mere future risk of harm, it did not foreclose Plaintiffs’ second theory. Plaintiffs may have Article III standing, so long as they plausibly allege that the exposure to identity theft itself “causes a separate concrete harm.” Id. I hold that they do.
Certain types of intangible harms have long been judicially cognizable, and are therefore, concrete. These include reputational harm and privacy-related harms that form the basis for the common-law torts of defamation, public disclosure of private information (“PDPF”), and intrusion upon seclusion. Id. at 2204 (citing Meese v. Keene, 481 U.S. 465, 473 (1987), Davis v. Federal Election Commission, 554 U.S. 724, 733 (2008), and Gadelhak v. AT&T Services, Inc., 950 F.3d 458, 462 (7th Cir. 2020)). Although not recognized under New York law, see Farrow v. Allstate Ins. Co., 53 A.D.3d 563, 862 (App. Div. 2008), the privacy tort of PDPF applies where the defendant “gives publicity to a matter concerning the private life of another” where the matter involves facts that “(a) would be highly offensive to a reasonable person, and (b) [are] not of legitimate concern to the public.” Rest. (2d) of Torts § 652D. I find
that the data breach’s exposure of Plaintiffs’ PII causes a separate concrete harm, analogous to that associated with the common-law tort of public disclosure of private information. The Complaint alleges: Both Bohnak and Smith were careful about sharing their PII and have never knowingly transmitted their unencrypted sensitive PII over the internet or any other unsecured source. They store any documents containing their PII in a safe and secure location or destroy the documents and diligently choose unique usernames and passwords for their various online accounts. PII is, by nature and definition, “private” information and of no legitimate concern to the public. Plaintiffs’ efforts were directed at keeping their PII confidential and guarding against disclosure. Therefore, a data breach exposing and disclosing this information to third parties without authorization or consent could plausibly be offensive to a reasonable person, and allegedly caused similar harm to Plaintiffs. As to Defendants’ conduct, the Complaint alleges that Defendants failed to safeguard Plaintiffs’ PII, and this inaction facilitated the data breach and theft of Plaintiffs’ PII.
Here PDPF does not provide a perfect analog because Defendants did not willfully disclose and publicize Plaintiffs’ PII. However, in light of the TransUnion Court’s admonition that common- law analogs need not provide “an exact duplicate,” as well as its explicit reference to PDPF as an example of traditionally judicially cognizable intangible harm, I find the fit sufficiently close. Accordingly, I hold that Plaintiffs have alleged an intangible concrete injury, analogous to that associated with the common-law tort of public disclosure of private information, and therefore have Article III standing. B. Failure to State a Claim for Relief Defendants argue that Plaintiffs fail to state claims for negligence or negligence per se, breach of implied contract, or breach of confidence because Plaintiffs do not allege
damages, the existence of an implied contract, or the existence of a confidential relationship. See MTD, at 14–22. I hold that Plaintiffs’ failure to plausibly allege damages is fatal to their request for monetary damages, and their failure to plausibly allege irreparable injury fatal to their request for injunctive relief. While the Complaint may satisfy the requirements of Article III, it ultimately falls short in establishing that Plaintiffs have suffered legally cognizable injury to support their substantive claims. It is unclear whether Florida or New York law applies to Plaintiffs’ tort or contract claims;1 however, the result is the same, as both require cognizable damages in order to state a claim for relief. To be cognizable under Florida or New York law, damages must be capable of proof with reasonable certainty and not merely speculative, and they must be proximately caused by the defendant. See, e.g., Casa Clara Condominium Ass’n v. Charley
Toppino & Sons, 620 So. 2d 1244, 1247 (Fla. 1993) (affirming that Florida contract law is subject to the economic loss rule, and that Florida tort law requires injury before a negligence action exists); Kenford Co. v. County of Erie, 67 N.Y.2d 257, 261 (N.Y. Ct. App. 1986) (stating that future losses in contract actions may only be recovered where the damages are capable of proof with reasonable certainty and not the result of other intervening causes); Zarin v. Reid & Priest, 184 A.D.2d 385 388 (1st App. Div. 1st Dept. 1992) (indicating that damages claimed in a negligence action must be “actual and ascertainable” and resulting from the proximate cause of a defendant’s breach of duty). Plaintiffs fail to plausibly allege cognizable damages. Plaintiffs can only speculate as to whether they will suffer harm at some unknown future date. They also can only
speculate about the extent of that harm, if and when it does materialize. These damages are neither certain nor capable of proof with reasonable certainty. As to Plaintiffs’ allegations that they have suffered loss of time and money responding to the increased risk of harm, these damages are not cognizable because they are not proximately caused by the harm of disclosure— the only harm for which I have found Plaintiffs have Article III standing, and the only “harm” that Defendants have caused.
1 Plaintiffs are Florida domiciliaries, while Defendants are New York domiciliaries. Although federal courts apply the choice of law rules of the forum State, here New York, see Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496–97 (1941), no such analysis is required because Plaintiffs’ claims fail under both States’ laws. Plaintiffs also pray for injunctive relief, including but not limited to, an order prohibiting Defendants from engaging in wrongful acts; requiring Defendants to protect all collected data with encryption; requiring Defendants to destroy Plaintiffs’ PII; requiring Defendants to implement a comprehensive Information Security Program; and, prohibiting
Defendants from storing Plaintiffs’ PII on a cloud-based database. A plaintiff seeking injunctive relief must show “(1) that it has suffered an irreparable injury; (2) that remedies available at law, such as monetary damages, are inadequate to compensate for that injury; (3) that considering the balance of hardships between the plaintiff and defendant, a remedy in equity is warranted; and (4) that the public interest would not be disserved by a permanent injunction.” eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 391, (2006). “[W]hen an injury is compensable through money damages[, however,] there is no irreparable harm.” Beautiful Home Textiles (USA), Inc. v. Burlington Coat Factory Warehouse Corp., No. 13-CV-1725, U.S. Dist. LEXIS 114010, at *31 (S.D.N.Y. Aug. 15, 2014) (quoting JSG Trading Corp. v. Tray-Wrap, Inc., 917 F.2d 75, 79 (2d Cir. 1992)). Plaintiffs’ claims for injunctive relief are based upon the same facts as their
claims for monetary relief, which indicates that their harms are compensable through money damages, and precludes a finding of irreparable harm. Thus, Plaintiffs cannot state a claim for injunctive relief. Because Plaintiffs fail to plausibly allege reasonably certain damages proximately caused by Defendants, and cannot show irreparable harm warranting injunctive relief, the motion to dismiss for failure to state a claim is granted. CONCLUSION For the reasons discussed, the motion to dismiss for lack of subject matter jurisdiction is denied, and the motion to dismiss for failure to state a claim is granted. The argument currently scheduled for January 27, 2022 is canceled. The Clerk of the Court shall terminate the motion (ECF No. 23) and grant judgment to Defendants. SO ORDERED. Dated: January 17, 2022 __ _/s/ Alvin K. Hellerstein_____ New York, New York ALVIN K. HELLERSTEIN United States District Judge