IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION
LAMONT BRACY, on behalf of himself
and all others similarly situated,
Plaintiff,
v. CIVIL ACTION FILE
NO. 1:23-CV-5743-TWT AMERICOLD LOGISTICS LLC,
Defendant.
OPINION AND ORDER This is a data breach case. It is before the Court on the Defendant’s Motion to Dismiss [Doc. 32]. As explained below, the Defendant’s Motion to Dismiss [Doc. 32] is GRANTED in part and DENIED in part. I. Background1 This case involves the allegedly improper handling of the putative class’s personal data. Defendant Americold Logistics LLC is a limited liability company and a “global leader in temperature-controlled warehousing and logistics.” (Am. Consol. Class Action Compl. ¶¶ 28, 34). Six of the seven named Plaintiffs are individuals who either have been employed by the Defendant or applied for employment with the Defendant. ( ¶¶ 178, 192, 207, 220, 222, 232, 244, 255). One of the named Plaintiffs receives employee benefits through her father’s employment with the Defendant. ( ¶ 206).
1 The Court accepts the facts as alleged in the Amended Consolidated Class Action Complaint as true for purposes of the present Motion to Dismiss. , 941 F.3d 1116, 1122 (11th Cir. 2019). On or around April 26, 2023, the Defendant discovered that cybercriminals had infiltrated its network servers and exfiltrated private information of over 129,600 individuals. ( ¶ 4). The Cactus cybercriminal
ransomware gang (“Cactus Gang”) claimed responsibility for the cyberattack. ( ¶ 5). The Cactus Gang’s modus operandi is to sell unencrypted private information on the dark web. ( ¶ 71). All of the Plaintiffs provided their private information to the Defendant and subsequently received a notice letter stating that an unauthorized party accessed and removed data from the Defendant’s network. ( ¶¶ 178, 180, 192, 194, 196, 207, 209-10, 220, 224,
232, 235-36, 244, 247, 256-57, 259). The Cactus Gang has posted on the internet that information from the Defendant’s networks would be coming soon. ( ¶ 71). It has already leaked a 6-gigabyte archive of accounting and financial documents—including sensitive private information—that it allegedly stole from the Defendant’s network. ( ¶ 6). Based on these facts, the Plaintiffs have filed this putative class action against the Defendant for allegedly failing to properly secure and safeguard
their private information. ( ¶ 1). The Defendant now moves to dismiss the Amended Consolidated Class Action Complaint in its entirety. II. Legal Standard A complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a “plausible” claim for relief.
2 , 556 U.S. 662, 678 (2009); Fed. R. Civ. P. 12(b)(6). A complaint may survive a motion to dismiss for failure to state a claim, however, even if it is “improbable” that a plaintiff would be able to prove those facts; even if the
possibility of recovery is extremely “remote and unlikely.” , 550 U.S. 544, 556 (2007). In ruling on a motion to dismiss, the court must accept the facts pleaded in the complaint as true and construe them in the light most favorable to the plaintiff. , 711 F.2d 989, 994-95 (11th Cir. 1983); , 40 F.3d
247, 251 (7th Cir. 1994) (noting that at the pleading stage, the plaintiff “receives the benefit of imagination”). Generally, notice pleading is all that is required for a valid complaint. , 753 F.2d 974, 975 (11th Cir. 1985). Under notice pleading, the plaintiff need only give the defendant fair notice of the plaintiff’s claim and the grounds upon which it rests. , 551 U.S. 89, 93 (2007) (citing , 550 U.S. at 555).
III. Discussion The Defendant argues that the Plaintiffs lack standing to bring their claims and—even if they had standing—that they fail to state any of their claims. The Court considers each argument in turn.
3 A. Standing For a plaintiff to have Article III standing, they “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the
defendant, and (3) that is likely to be redressed by a favorable judicial decision.” , 578 U.S. 330, 338 (2016) (citations omitted). “The party invoking federal jurisdiction bears the burden of establishing these elements.” , 504 U.S. 555, 561 (1992) (citations omitted). Furthermore, “standing is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of
relief that they seek (for example, injunctive relief and damages).” , 594 U.S. 413, 431 (2021) (citations omitted). The Defendant argues that five of the seven Plaintiffs have failed to plausibly allege an injury-in-fact and that the other two have failed to plausibly allege that their injuries are fairly traceable to the Defendant. The Court finds that all of the Plaintiffs have standing at this stage of the litigation. “At the pleading stage, general factual allegations of injury resulting
from the defendant’s conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim.” , 504 U.S. at 561 (quotation marks and citation omitted). “But this does not mean that allegations of injury can push a plaintiff across the standing threshold. Rather, a plaintiff must set forth
4 general factual allegations that plausibly and clearly allege a concrete injury, and that injury must be actual or imminent, not conjectural or hypothetical.” , 986 F.3d 1332, 1337-38 (11th Cir.
2021) (quotation marks and citations omitted). The Plaintiffs first argue that they alleged an injury-in-fact because “their Private Information was posted to the dark web by cybercriminals.” (Pls.’ Br. in Opp’n to Mot. to Dismiss, at 4). However, only two of the seven Plaintiffs allege that they were notified that their information is on the dark web. Setting aside the dispute as to the traceability of those notices to the Defendant’s
conduct, that leaves five Plaintiffs who have not received such a notification. Those Plaintiffs rely on allegations that the Cactus Gang claimed that it accessed and exfiltrated their private information and that they leaked six gigabytes of documents that they allegedly stole from Americold. (Am. Consol. Class Action Compl. ¶¶ 5-6). The documents leaked allegedly included sensitive private information. ( ¶ 6). However, there are no allegations that plausibly establish that these Plaintiffs’ private information is on the dark
web. The best they can say is that their “unencrypted Private Information will logically end up for sale on the dark web.” ( ¶ 71). That is not enough to say that “all Plaintiffs plausibly allege their information was exposed on the dark web after the Data Breach.” (Pls.’ Br. in Opp’n to Mot. to Dismiss, at 5).
5 However, “evidence of actual misuse is not necessary for a plaintiff to establish standing following a data breach.” , 986 F.3d at 1343 (citations omitted). “When there is no actual injury, an imminent injury must be
‘certainly impending,’ as allegations of possible future injury are not sufficient. It need not be ‘literally certain’ that the injury will come about, but there must be a ‘substantial’ risk.” , 999 F.3d 1247, 1262 (11th Cir. 2021) (quotation marks and citations omitted). In , the Eleventh Circuit held that the plaintiffs had standing for the risk of future harm. It based that holding on both “the colossal amount of
sensitive data stolen” as well as the type of data solen “including Social Security numbers, names, and dates of birth.” Moreover, “[t]he actual identity theft already suffered by some Plaintiffs further demonstrates the risk of identity theft all Plaintiffs face—though actual identity theft is by no means required when there is a sufficient risk of identity theft.” Here, the Plaintiffs allege that at least 129,600 individuals were impacted by the data breach. (Am. Consol. Class Action Compl. ¶ 50). While
this is a far cry from the over 145 million names, dates of birth, and social security numbers, , that were hacked in the Equifax breach, , 999 F.3d at 1262, it is still a large number of individuals. The type of private information accessed in this data breach “includes full names, Social Security numbers, addresses, driver's license numbers, state identification
6 numbers, passport numbers, financial account information, health insurance information, and medical information.” (Am. Consol. Class Action Compl. ¶ 56). This allegation undermines the Defendant’s reliance on , 986 F.3d
1332. There, the Eleventh Circuit held that there was not a substantial risk of future harm because “Tsao ha[d] not alleged that social security numbers, birth dates, or driver's license numbers were compromised in the PDQ breach, and the card information allegedly accessed by the PDQ hackers generally [could not] be used alone to open unauthorized new accounts.” at 1343 (quotation marks and citation omitted). By contrast and similar to , 999 F.3d
at 1262, it is “unequivocal” the amount of “damage that can be done with th[e] type of data” accessed and exfiltrated in this case. Moreover, the Plaintiffs allege that the data was exfiltrated by a cybercriminal ransomware gang whose modus operandi is selling private information on the dark web. (Am. Consol. Class Action Compl. ¶ 71). That gang has said the Americold information would be coming and has already allegedly leaked six gigabytes of data that included private information. (
¶¶ 6, 71). Based on all of this, the Court has “no hesitation in holding that Plaintiffs adequately alleged that they face a ‘material’ and ‘substantial’ risk of identity theft that satisfies the concreteness and actual-or-imminent elements.” , 999 F.3d at 1262 (citations omitted).2
2 Inside its arguments about injury-in-fact, the Defendant slips in what 7 Given this holding, the mitigation efforts are also injuries-in-fact for purposes of Article III. , 979 F.3d 917, 931 (11th Cir. 2020) (“[A]ny assertion of wasted time and effort necessarily
rises or falls along with this Court's determination of whether the risk posed . . . is itself a concrete harm”). Altogether, the Court finds that these allegations are sufficient for the Plaintiffs to meet their burden at this stage as to all claims and all forms of relief. Accordingly, it need not consider other possible theories of standing. , 396 F. Supp. 3d 1044, 1050 (N.D. Ala. 2019) (“Because the court finds standing based on
Plaintiffs’ claimed representational injuries, it need not consider whether the loss of federal and private funds or the disruption of Representative Brooks’ congressional district would confer standing.”). Similarly, the Defendant’s argument about traceability is in reference to another theory of standing. Specifically, the Defendant argues that two of the Plaintiffs do not have standing on the basis of receiving notice that their private information is on the dark web. Because the Court finds that all
is really a redressability argument: that an injunction requiring the Defendant to adopt better security measures would do nothing about the data that the Cactus Gang has already exfiltrated. (Def.’s Br. in Supp. of Mot. to Dismiss, at 6-7). However, unlike the Defendant’s cited authority— , 72 F.4th 365, 378 (1st Cir. 2023)—the Plaintiffs here allege risk of future breaches by the Defendant’s continued possession of their data. (Am. Consol. Class Action Compl. ¶¶ 176, 189, 204, 217, 230, 242, 253, 265, 388-90). That is enough at this stage. 8 Plaintiffs have standing by virtue of the risk of future harm and mitigation efforts, the Court need not assess this argument. The Court holds that at this stage of the litigation all of the Plaintiffs have met their burden of establishing
standing. B. Negligence (Count I) The Defendant contends that the Plaintiffs’ negligence claim should be dismissed because they fail to allege any cognizable damages proximately caused by the cyber-attack. (Def.’s Br. in Supp. of Mot. to Dismiss, at 14-17). “[I]n , the Georgia Supreme Court
recognized a cognizable injury where a criminal theft of the plaintiffs’ personal data allegedly put them at an imminent and substantial risk of identity theft. 307 Ga. 555, 837 S.E.2d 310, 316-18 (2019).” , 69 F.4th 1213, 1218 (11th Cir. 2023). The Defendant attempts to distinguish this case from because in the plaintiffs alleged the cybercriminals had offered their personal data for sale to other criminals. (Reply Br. in Supp. of Mot. to Dismiss, at 8). But, as the Plaintiffs had already
pointed out in their Response, the Georgia Supreme Court expressly stated that its “conclusion also does not depend on the allegation that one named plaintiff already has experienced identity theft.” , 307 Ga. at 564 n. 8. To the contrary, “the allegation that the data was in the hands of criminals seemed to weigh most heavily in the Georgia Supreme Court’s analysis.”
9 , 667 F. Supp. 3d 1276, 1282 (N.D. Ga. 2023). Put more broadly, this Court interprets as holding that an injury exists where, at the very least, criminals have hacked into a data system and exfiltrated personally identifiable information and protected health information. That conclusion is consistent both with and common sense. Once criminals have stolen personal data, they can offer it for sale, hold it for ransom, or use it for any other criminal purpose they desire. There is no meaningful difference at the motion to dismiss stage between data that is in the hands of criminals and data that plaintiffs know exists on the dark web; both present an imminent and substantial risk of harm as the data is capable of being used by criminals for illicit purposes.
at 1283; , 2024 WL 519722, at *9 (N.D. Ga. Feb. 9, 2024) (upholding “Plaintiff’s arguments and citation of authority on damages based on substantially increased risk of identity theft” even without allegations of actual misuse.).3 The Court agrees with this reading of . There is no doubt that the Plaintiffs have plausibly alleged that their private information is in the hands of criminals. (Am. Consol. Class Action Compl. ¶¶ 4-6, 50, 54-56, 71). That constitutes a cognizable harm under . Because the Defendant issued notice letters to the Plaintiffs stating there had been a data breach that may have affected their personal information and because the Cactus Gang took
3 The Defendant’s only case to the contrary is , 2022 WL 3699967 (N.D. Ga. July 22, 2022). That case relied on standing cases to conclude that the plaintiffs did not allege a cognizable injury. at *3-4. The Court has already analyzed those cases and concluded that the Plaintiffs here meet their burden. 10 credit for the Americold breach and announced that it would be posting the information from it soon, the Court finds that the allegations sufficiently assert that Plaintiffs’ information is in the hands of criminals because of this data
breach. ( ). Thus, the Court will not dismiss the Plaintiffs’ negligence claim for lack of causation or cognizable damages. C. Negligence Per Se (Count II) The Plaintiffs base their negligence per se claim on an alleged violation of Section 5 of the FTC Act. (Am. Consol. Class Action Compl. ¶ 319). “In determining whether the violation of a statute or ordinance is negligence per
se as to a particular person,” a court must “decide (1) whether the injured person falls within the class of persons it was intended to protect and (2) whether the harm complained of was the harm it was intended to guard against.” , 165 Ga. App. 546, 546 (1983) (citations omitted). The Defendant asserts that this claim fails because the “Plaintiffs do not—and cannot—allege that they fall within the class of persons Section 5 was intended to protect.” (Def.’s Br. in Supp. of Mot. to
Dismiss, at 17).4 The Court agrees.
4 The Defendant also argues that the negligence per se claim should be dismissed for failure to allege causation of a cognizable injury. (Def.’s Br. in Supp. of Mot. to Dismiss, at 14). That argument fails for the same reasons stated in the previous section. 11 Section 5 of the FTC Act states, “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45(a)(1). It further
specifies that the FTC “shall have no authority . . . to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). “Congress, through [Section] 5, charged the FTC with protecting consumers as
well as competitors.” , 405 U.S. 233, 244 (1972); , 283 U.S. 643, 647-48 (1931) (“The paramount aim of the act is the protection of the public from the evils likely to result from the destruction of competition or the restriction of it in a substantial degree.”). The Plaintiffs are neither consumers nor competitors. They are current and former employees as well as one beneficiary of an employee. Courts have
largely held that plaintiffs who are not consumers or competitors are not within the class of persons protected by Section 5 of the FTC Act. , , 267 F. Supp. 3d 1288, 1297 n. 4 (D. Colo. 2017) (“Plaintiffs have alleged no harm from ‘the destruction of competition,’ and they are neither Noodles & Company’s consumers nor its
12 competitors, so they cannot recover under a theory of negligence per se based on alleged violations of the FTC Act.”); , 353 F. Supp. 3d 1070, 1086 (D. Colo. 2018)
(dismissing negligence per se claim when “Plaintiffs here are financial institutions who are neither consumers nor competitors of Chipotle. Nor have Plaintiffs alleged that they were otherwise harmed by destruction of competition resulting from Chipotle’s acts.”); , 2023 WL 3057428, at *3 (W.D. Wash. Mar. 27, 2023) 2023 WL 4131746 (W.D. Wash. June 22, 2023) (rejecting argument based on duty
arising from Section 5 when “Plaintiffs allege no harm from ‘the destruction of competition,’ and Plaintiffs do not sufficiently allege they are customers nor competitors of MCG Health.”). The cases that have found otherwise have relied heavily on the FTC’s interpretation of the FTC Act. , 2023 WL 5167366, at *9 (N.D. Ga. July 19, 2023); , 650 F. Supp. 3d 743, 755 (D. Minn. 2023). These decisions are of dubious
value since the Supreme Court subsequently decided , 603 U.S. 369, 412 (2024), which requires courts to “exercise their independent judgment” rather than deferring to agency interpretations of their statutory authority. Because the Plaintiffs are neither consumers nor competitors of the Defendant, the Court concludes that they are not in the class
13 of persons protected by Section 5 of the FTC Act. The Court will therefore dismiss Count II of the Amended Consolidated Class Action Complaint. D. Breach of Implied Contract (Count III)
The Defendant argues that none of the Plaintiffs plausibly allege a meeting of the minds. (Def.’s Br. in Supp. of Mot. to Dismiss, at 18-20). Under Georgia law, “to enforce a specific contract provision, a party must demonstrate a ‘meeting of the minds’ as to the key contract provisions.” , 69 F.4th at 1221. This is true even when the party asserts a claim for breach of implied contract. ; , 175 Ga. App. 258, 259
(1985). The Plaintiffs assert that they have alleged a meeting of the minds by identifying a 2021 Privacy Notice published by the Defendant. (Pls.’ Br. in Opp’n to Mot. to Dismiss, at 18-19). They rely on v. , 2024 WL 470250, at *5 (N.D. Ga. Jan. 16, 2024), which permitted an implied contract claim to proceed on an Americold Privacy Notice. As Plaintiffs note, the court there stated, “[o]ther courts have found that plaintiffs state a
claim for breach of implied contract by pointing to a document such as a privacy policy that indicates a defendant’s intent to protect the personal information of employees or employment applicants.” (citations omitted). While that is true, this case is distinguishable because here there is no allegation that the Plaintiffs read, reviewed, relied on, or were in any way aware of the Privacy
14 Notice when they gave the Defendant their personal information. In and in , 631 F. Supp. 3d 573, 591 (N.D. Ill. 2022), there is no discussion about whether the
plaintiffs knew about the Privacy Notice at the time they provided their personal information.5 Meanwhile, in other cases that have declined to dismiss implied contract claims, the plaintiffs did allege some form of knowledge. , , 2023 WL 5417330, at *6 (E.D.N.Y. Aug. 22, 2023) (“Plaintiff alleges that when she provided her PII and PHI as a prerequisite to her employment, Defendant
agreed and promised (through its privacy policy) to safeguard that information from unauthorized disclosure. Without this implied contract to protect her data, Plaintiff asserts that she would not have entrusted Defendant with her PII or PHI.”); , 2021 WL 3406374, at *12 (S.D.N.Y. Aug. 4, 2021) (“Plaintiff alleges that based on these representations, GE's current and former employees reasonably believed that GE, and any third parties GE contracted with, would protect their Personal Financial
5 In , 2024 WL 470250, at *5, the defense argued that the date of the privacy notice was after the dates in which the plaintiffs applied for employment. However, because the date on the privacy notice was for the most recent update, the court found it plausible that prior versions existed at the time the plaintiffs applied. While this is in some sense a discussion about whether the plaintiffs could have plausibly known about the privacy notice at the time of applying, it is not the same as failing to allege that they read, relied on, or were aware about the privacy notice at the time of applying. 15 Information [“PFI”], including the PFI of their beneficiaries.” (alterations and quotation marks omitted)). This case is more similar to
, 362 F. Supp. 3d 1295, 1332 (N.D. Ga. 2019). Like here, the plaintiffs there did “not explicitly allege[] that they read the Privacy Policy, or otherwise relied upon or were aware of the representations and assurances made in the Privacy Policy when choosing to use the Defendants’ services.” This court held that “[w]ithout such a showing, the Plaintiffs have failed to establish the essential element of mutual assent.” (citation omitted). The
same is true here. Without a showing of mutual assent, all of the Plaintiffs fail to state a claim for breach of implied contract, and the Court will dismiss the Count as such.6 E. Unjust Enrichment (Count IV) The essential elements for an unjust enrichment claim under Georgia law are that “(1) a benefit has been conferred, (2) compensation has not been given for receipt of the benefit, and (3) the failure to so compensate would be
unjust.” , 914 F. Supp. 2d 1301, 1309 (N.D. Ga. 2012). The Defendant contends that the Plaintiffs fail to allege any benefit that they conferred on the Defendant. (Def.’s Br. in Supp. of Mot. to Dismiss, at 20-22).
6 Because the Court will dismiss all Plaintiffs on this ground, it does not analyze the parties’ arguments about consideration. 16 The Plaintiffs counter that the conferral of their private information and the savings the Defendant enjoyed by not implementing adequate data security are each cognizable benefits. (Pls.’ Br. in Opp’n to Mot. to Dismiss, 20-21). The
Court disagrees with the Plaintiffs and will dismiss this claim. i. Direct Benefit of Private Information For starters, the only case that the Plaintiffs provide for the proposition that they conferred a benefit to the Defendant by providing their private information is . (Pls.’ Br. in Opp’n to Mot. to Dismiss, at 20). However, that case involved a claim for breach of
implied contract rather than unjust enrichment. Even assuming the Court would agree that an applicant for employment “provide[s] consideration by providing valuable property, his PI,” , 650 F. Supp. 3d at 757, consideration may be furnished without conferring a benefit to the other party. RESTATEMENT (SECOND) OF CONTRACTS § 71 (1981); RESTATEMENT (FIRST) OF CONTRACTS § 75 (1932). By contrast, courts that have faced similar arguments in the context of
unjust enrichment have regularly rejected them. , , 732 F. Supp. 3d 765, 782 (S.D. Ohio 2024) (“Plaintiffs cannot recover the ‘value’ of their PII because they fail to allege Limestone benefited in that amount, for example by selling or profiting off of their PII in any way, or, frankly, that Plaintiffs were deprived of the value of their PII when they gave
17 it to Limestone.”); , 2023 WL 7410641, at *6 (N.D. Ill. Nov. 9, 2023) (“Defendant’s alleged retention of Plaintiffs’ [sensitive personal information] does not confer a benefit on
Defendant’s [sic] as that term is understood for purposes of unjust enrichment.”); , 2023 WL 8540911, at *5 (D.N.J. May 5, 2023). Similar to the plaintiffs in those cases, the Plaintiffs here do not explain how the Defendant benefitted by having the Plaintiffs’ private information. The closest they get is by alleging that the Defendant “derives value from this
information because it allows Defendant to operate its business and generate revenue.” (Am. Consol. Class Action Compl. ¶ 353). Without any factual allegations as to how the Defendant profited from Plaintiffs’ private information, this is too conclusory to plausibly state that the Plaintiffs conferred a benefit. , 736 F. Supp. 3d 639, 652 (S.D. Ind. June 5, 2024) (“Plaintiffs have not alleged that Defendants benefited from the PII information other than as incidental to benefitting from
Plaintiffs’ compensated labor. The PII is better understood as necessary to conduct business operations, not a good whose inherent value was extracted by Defendants.”). ii. Cost-Savings Benefit The Plaintiffs also contend that the “Defendant was enriched by the
18 savings it enjoyed from not implementing and maintaining adequate data security.” (Pls.’ Br. in Opp’n to Mot. to Dismiss, at 20). There is a split of authority as to whether this theory is sufficient to state a claim. Some courts
have permitted unjust enrichment claims to proceed on a cost-savings theory. , , 278 F. Supp. 3d 739, 751 (S.D.N.Y. 2017) (“TransPerfect was enriched at Plaintiffs’ expense when it chose to cut costs by not implementing security measures to protect Plaintiffs’ PII which Defendant required or obtained in the course of Plaintiffs’ employment.”); , 2024 WL 2965642, at *7 (W.D. Ky.
June 12, 2024) (“[Plaintiffs] . . . allege that PharMerica enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiffs’ and Class Members’ Personal Information. Accordingly, Plaintiffs have stated a claim for unjust enrichment.” (quotation marks omitted)). Other courts have dismissed such claims. , , 2022 WL 22894854, at *12 (D.N.J. Mar. 16, 2022) (“As an
initial matter, Plaintiffs’ ‘cost-saving’ theory falls flat. Any financial benefit that Long & Foster enjoyed due to alleged ‘cost-saving’ on data security measures was not a benefit conferred for which Plaintiffs could reasonably expect remuneration.” (citation omitted)); , 2023 WL 3057428, at *6 (“Plaintiff provides conclusory
19 allegations that MCG Health saved costs it should have reasonably expended on data security. These conclusory allegations are insufficient to show unjust enrichment.” (citations omitted)).
The Court agrees with the latter cases. The decisions regarding what cybersecurity measures to implement and how much to spend on them were decisions made by the Defendant. Those decisions may give rise to a cognizable negligence claim, but it cannot be plausibly maintained that any decision to save money on cybersecurity measures was a benefit conferred (directly or indirectly) by the Plaintiffs to the Defendant. Since the Plaintiffs fail to
plausibly allege that they conferred a benefit to the Defendant, the Court will dismiss their unjust enrichment claim. F. Litigation Expenses (Count V) A plaintiff may recover litigation expenses where the plaintiff has specially pleaded it and “where the defendant has acted in bad faith, has been stubbornly litigious, or has caused the plaintiff unnecessary trouble and expense.” O.C.G.A. § 13-6-11. The Defendant raises two arguments as to the
Plaintiffs’ claim for litigation expenses. First, it contends that the count should be dismissed because all of the underlying claims should be dismissed. (Def.’s Br. in Supp. of Mot. to Dismiss, at 22). Because at least one of the Plaintiffs substantive claims survives this Motion to Dismiss, this argument is without merit.
20 Second, the Defendant argues that the Plaintiffs do not plead any facts that support this claim. The Plaintiffs have alleged that the Defendant was
previously breached and knew or should have known about the weakness of its cybersecurity, including because of a prior data breach. (Am. Consol. Class Action Compl. ¶¶ 74-88). Despite that, the Plaintiffs further allege that the Defendant failed to “use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information they were maintaining for Plaintiffs and Class Members, causing the exposure of
Plaintiffs’ and Class Members’ Private Information.” ( ¶ 73). This is sufficient to allege bad faith under O.C.G.A. § 13-6-11. , 362 F. Supp. 3d at 1345 (“In the Complaint, the Plaintiffs have alleged that the Defendants knew of severe deficiencies in their cybersecurity, and of serious threats, but nonetheless declined to act. Based upon Georgia caselaw, the Court concludes that these allegations are sufficient for a claim of bad faith under section 13-6-11.”); , 742 F. Supp. 3d
1304, 1318-19 (N.D. Ga. July 25, 2024); , 287 Ga. 445, 446 (2010) (“[I]t has long been held ... that in suits where the expenses of litigation might be recovered as part of the damages, it is error for the trial court to direct a verdict therefor. The matter of such expenses is left solely to the jury.”). The Court finds that the Plaintiffs
21 have plausibly alleged bad faith and will accordingly deny the Motion to Dismiss as to Count V. G. GUDTPA (Count VI)
The Defendant argues that the Plaintiffs have not alleged their GUDTPA claim in compliance with Rule 9(b). (Def.’s Br. in Supp. of Mot. to Dismiss, at 23). Rule 9(b) states, “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person's mind may be alleged generally.” Fed. R. Civ. P. 9(b). When Rule 9(b) applies, the plaintiff
must plead the “who, what, when, where, and how” of the alleged fraud. , 119 F. Supp. 2d 1348, 1353 (N.D. Ga. 2000) (citation omitted). A claim under the GUDTPA is subject to Rule 9(b). , 2017 WL 1836307, at *3 (N.D. Ga. Feb. 21, 2017) (“After review of Defendants’ citation of authority, the Court agrees that Count[] . . . X (violation of Georgia’ [sic] Uniform Deceptive Trade Practices Act) . . . of the Complaint [is] subject to Rule 9(b)’s heightened pleading
requirements.”). The Plaintiffs argue that they meet the heightened pleading standard by pointing to specific misrepresentations in the Defendant’s privacy policy. (Pls.’ Br. in Opp’n to Mot. to Dismiss, at 23). However, the allegations cited merely recite what the Privacy Notice stated. (Am. Consol. Class Action Compl.
22 ¶¶ 37-41, 333-335). They do not allege which of these statements are misrepresentations or in what way they are deceptive. That renders this argument deficient. , 509 F. Supp. 2d
1353, 1358 (N.D. Ga. 2007) (“[C]onclusory allegations that a defendant's conduct was fraudulent and deceptive are not sufficient to satisfy the rule.” (citation omitted)). The Plaintiffs also assert that the Defendant has engaged in deceptive omissions and cites to Paragraphs 388-390 of the Amended Consolidated Class Action Complaint. (Pls.’ Br. in Opp’n to Mot. to Dismiss, at 23). Those
Paragraphs involve the Defendant’s alleged failure to provide “sufficient details regarding the full scope of the Data Breach, or any details related to the remedial measures it has taken to improve its data security practices and more fully safeguard Plaintiffs’ and Class Members’ Private Information from future compromise” (Am. Consol. Class Action Compl. ¶ 388). In doing so, the Defendant has allegedly “continue[d] to represent and imply that its data security measures are adequate to protect Plaintiffs’ and Class Members’
Private Information.” ( ¶ 389). The Plaintiffs assert that the failure to disclose the scope of the breach and the remedial actions taken “place Plaintiffs and Class Members at a future risk of harm” and entitles them to injunctive relief. ( ¶¶ 389-90). Even if this satisfies the heightened pleading requirement, it runs into
23 a damages problem. To state a GUDTPA claim, “the plaintiffs must allege that they are likely to be damaged in the future by an unfair trade practice.” , 356 Ga. App. 776, 779 (2020) (citation omitted).
Here, the Plaintiffs state they face a risk of future harm because they “are not fully informed as to whether Defendant’s data security measures have been improved since the Data Breach.” (Am. Consol. Class Action Compl. ¶ 389). The Plaintiffs cite to no cases supporting that as a cognizable form of damages. Nor do they provide any explanation as to how their risk of future harm is any different based on whether or not they know the scope of the data breach or
the subsequent remedial actions taken. Without doing so, the Court cannot find that they have plausibly alleged a likelihood of future damages stemming from the alleged unfair trade practice. Thus, the Court will dismiss Count VI of the Amended Consolidated Class Action Complaint. H. Declaratory Judgment (Count VII) The Defendant moves to dismiss the Plaintiffs’ request for declaratory judgment and injunctive relief on several grounds. The Court rejects all of
them. First, the Defendant argues that “the Declaratory Judgment Act does not provide an independent cause of action, and instead, functions as a procedural device for the district courts to provide remedies.” (Def.’s Br. in Supp. of Mot. to Dismiss, at 24-25) (quotation marks and citations omitted).
24 However, courts have rejected that exact argument. , , 2016 WL 2897520, at *4 (“[T]he Defendant argues that the Plaintiffs are pursuing an impermissible
standalone claim for injunctive relief and impermissibly requesting an injunction related to a negligence claim. Not so. Instead, the Plaintiffs ask for an injunction corresponding to their declaratory judgment claim. Such a claim is permissible under the Declaratory Judgment Act.” (citations omitted)); , 2022 WL 3704003, at *10 (N.D. Ga. Aug. 19, 2022). Meanwhile, neither of the cases that the Defendant cites provide
support for dismissal. The court in , 2023 WL 6542759, at *3 (M.D. Ga. Oct. 6, 2023), dismissed the declaratory judgment claim because it was “entirely unclear what declaration of rights Watson seeks.” The Plaintiffs here explicitly state which declarations they are seeking. (Am. Consol. Class Action Compl. ¶ 399). In , 547 F.3d 1292, 1294 (11th Cir. 2008), the Eleventh Circuit heard the case after the district court “awarded injunctive relief and over $22 million in restitution or
disgorgement pursuant to the Declaratory Judgment Act.” It vacated that ruling after finding that the award was not “necessary or proper” under the Declaratory Judgment Act because it “circumvented the express remedies provided by Congress in this context.” at 1299. By contrast, this case is still in the pleading stage, and the Defendant has not identified any way in which
25 an award would circumvent express remedies provided by Congress. The Court therefore finds both of these cases inapposite and declines to dismiss on this ground.
Second, the Defendant argues that Plaintiffs’ other claims for legal damages preclude this claim because declaratory and injunctive remedies are only proper when there is no adequate remedy at law. (Def.’s Br. in Supp. of Mot. to Dismiss, at 25). However, “[a] party may state as many separate claims or defenses as it has, regardless of consistency.” Fed. R. Civ. P. 8(d)(3). Moreover, “[t]he existence of another adequate remedy does not preclude a
declaratory judgment that is otherwise appropriate.” Fed. R. Civ. P. 57. The fact that the Plaintiffs allege other claims at law therefore does not preclude this claim from proceeding. Lastly, the Defendant asserts in a footnote that the claim should be dismissed because it is duplicative. (Def.’s Br. in Supp. of Mot. to Dismiss, at 25 n. 7). However, a pleading “may include relief in the alternative or different types of relief,” and as just stated, “[t]he existence of another adequate remedy
does not preclude a declaratory judgment that is otherwise appropriate.” Fed. R. Civ. P. 8(a)(3), 57. Moreover, “motions to dismiss test validity of claims, not redundancy.” , 2023 WL 3555006, at *4 (M.D. Fla. Mar. 3, 2023). The Court therefore will not dismiss this Count as duplicative at this time.
26 IV. Conclusion For the foregoing reasons, the Defendant’s Motion to Dismiss [Doc. 32] is GRANTED as to Counts IJ, IT], IV, & VI and DENIED as to Counts I, V, & VII. SO ORDERED, this 19th day of February, 2025.
Frterms. 21- Fairer g A hare. AY” Ae THOMAS W. THRASH, JR. United States District Judge