IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF OKLAHOMA
KATHLEEN CARR, individually and on ) Behalf of all similarly situated persons, ) ) Plaintiff, ) ) v. ) No. CIV-23-99-R ) OKLAHOMA STUDENT LOAN ) AUTHORITY; and ) NELNET SERVICING, LLC, ) ) Defendants. )
ORDER Before the Court is Defendant Oklahoma Student Loan Authority’s Motion to Dismiss [Doc. 29] Plaintiffs’ Amended Class Action Complaint [Doc. 22] pursuant to Fed. R. Civ. P. 12(b)(6). Plaintiffs filed a Response [Doc. 43], and Defendants thereafter filed a Reply [Doc. 45]. The motion is now ripe for adjudication. This Court GRANTS Defendant’s Motion to Dismiss in part and DENIES the Motion in part for the reasons below. I. Background Plaintiffs Carr, Killory, and Powell bring this case individually and on behalf of others similarly situated regarding a data breach related to student loan services they received from Defendants Oklahoma Student Loan Authority (“OSLA”) and Nelnet Servicing, LLC. Doc. 22 at 2, ¶ 2-3.1 Plaintiffs allege their personally identifiable information (“PII”) was obtained by malicious actors in 2022 via a data breach of Nelnet’s technology platform. Id. at 3, ¶ 5. Plaintiffs’ exposed PII included their names, addresses,
email addresses, phone numbers, and Social Security numbers. Id. at 13-14, ¶ 41. Plaintiffs claim both Defendants, Nelnet and OSLA, acted negligently in protecting the PII they had been provided. Id. at 3, ¶ 8. Specifically, Plaintiffs claim OSLA committed torts of negligence, negligence per se, and negligent training, hiring, and supervision of Nelnet. Id. at 71-74, 78-80. Plaintiffs bring additional claims against OSLA for an invasion of their
privacy. Id. at 80-83. Defendant OSLA moves to dismiss Plaintiffs’ suit for failure to state a claim. Doc. 29 at 7-8. II. Legal Standard “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal,
556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Fed. R. Civ. P. 8(a)(2) (“A pleading that states a claim for relief must contain . . . a short and plain statement of the claim showing that the pleader is entitled to relief . . . .”). While a complaint “need only give the defendant fair notice of what the claim is and the grounds upon which it rests,” Khalik v. United Air Lines, 671 F.3d 1188, 1191–92 (10th
Cir. 2012) (ellipsis, internal quotation marks, and citations omitted), “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not
1 References to specific paragraphs of the Complaint [Doc. 22] will include a page number and a paragraph number, as some paragraph numbers were inadvertently duplicated. suffice.” Iqbal, 556 U.S. at 678. “Thus, the mere metaphysical possibility that some plaintiff could prove some set of facts in support of the pleaded claims is insufficient; the complainant must give the court reason to believe that this plaintiff has a reasonable
likelihood of mustering factual support for these claims.” Ridge at Red Hawk, L.L.C. v. Schneider, 493 F.3d 1174, 1177 (10th Cir. 2007). The court must draw on its “experience and common sense” when evaluating whether a claim is plausible in a specific context. Iqbal, 556 U.S. at 663-64. III. Discussion
Plaintiffs bring five claims against OSLA. Three sound in negligence. Of these, the Court grants only OSLA’s motion to dismiss the negligence per se claim. Two other claims are based in the general tort of invasion of privacy. The Court grants OSLA’s motion to dismiss these claims. A. Negligence
Plaintiffs adequately allege the elements of a plausible negligence claim against OSLA. In Oklahoma, negligence requires (1) a duty of care owed by the defendant to the plaintiff; (2) the failure of the defendant to meet that duty; and (3) an injury proximately caused by that breach of duty. Franklin v. Toal, 19 P.3d 834, 837 (Okla. 2000). Defendant OSLA argues Plaintiffs fail to plausibly allege this claim because (1) OSLA owed no duty
to Plaintiffs it could have breached, (2) Plaintiffs do not show that any such breach proximately caused Plaintiffs’ injuries, and (3) Plaintiffs’ allegations of injuries are insufficient to sustain their claim. Additionally, OSLA points to the general rule in Oklahoma that an owner is not liable for the negligence of its independent contractor, except where the work is inherently dangerous or unlawful, or where the principal owed a contractual or defined legal duty to the injured party. Oklahoma City v. Caple, 105 P.2d 209, 212 (Okla. 1940). OSLA relies on this principle to argue it cannot be held liable for
negligent acts of Nelnet, its independent contractor. Each of OSLA’s arguments is flawed. OSLA owed a duty to Plaintiffs to act reasonably in safeguarding the Plaintiffs’ PII. In Oklahoma, a duty need not be created by statute. Wofford v. Eastern State Hosp., 795 P.2d 516, 519 (Okla. 1990). A duty arises when a party “is put in such a position with regard to another that it is obvious that if he did not use due care in his own conduct he will
cause injury to the other[.]” Id. It is evident and properly alleged that the exposure of a person’s social security number can cause foreseeable injury. Doc. 22 at 15-19, ¶¶ 44-61. Thus, once OSLA requested and collected the Plaintiffs’ sensitive information, OSLA placed upon itself a duty to safeguard that information. Other courts that have addressed sensitive data breaches have found a common law duty for the collector of the data to
safeguard it, even if the collector contracts with another entity to use the data. Charlie v. Rehoboth McKinley Christian Health Care Servs., 598 F. Supp. 3d 1145, 1154-55 (D.N.M. 2022); In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742 at *15 (D.N.J. Dec. 16, 2021) (“That duty did not vanish when Defendants chose to contract with [an independent contractor].”) Plaintiffs
adequately allege such a duty exists. Doc. 22 at 2-4, 71-72, ¶¶ 2, 9, 174-75. The Court agrees. OSLA’s reliance on Oklahoma’s independent contractor rule to disclaim its duty is misplaced. The rule protects against the theory of vicarious liability due to the inability of the principal to control the work of the contractor, not direct liability on behalf of the principal. See Bouziden v. Alfalfa Elec. Co-op., Inc., 16 P.3d 450, 455 (Okla. 2000). Plaintiffs allege that, independent of Nelnet’s own negligence, OSLA acted negligently by
not taking reasonable precautions in selecting and monitoring a vendor or not taking other reasonable steps that would safeguard Plaintiffs’ PII. Doc. 22 at 72, ¶ 175. Such allegations, accepted as true, present a plausible claim of negligence on the part of OSLA. Plaintiffs adequately plead that OSLA’s breach of duty proximately caused their injuries. “It is only where the evidence . . . is insufficient to show a causal connection
between the alleged wrong and the injury that the issue of proximate cause becomes a question of law.” Lockhart v. Loosen, 943 P.2d 1074, 1080 (Okla. 1997) (internal quotation marks omitted). The allegations in Plaintiffs’ Complaint [Doc.
Free access — add to your briefcase to read the full text and ask questions with AI
IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF OKLAHOMA
KATHLEEN CARR, individually and on ) Behalf of all similarly situated persons, ) ) Plaintiff, ) ) v. ) No. CIV-23-99-R ) OKLAHOMA STUDENT LOAN ) AUTHORITY; and ) NELNET SERVICING, LLC, ) ) Defendants. )
ORDER Before the Court is Defendant Oklahoma Student Loan Authority’s Motion to Dismiss [Doc. 29] Plaintiffs’ Amended Class Action Complaint [Doc. 22] pursuant to Fed. R. Civ. P. 12(b)(6). Plaintiffs filed a Response [Doc. 43], and Defendants thereafter filed a Reply [Doc. 45]. The motion is now ripe for adjudication. This Court GRANTS Defendant’s Motion to Dismiss in part and DENIES the Motion in part for the reasons below. I. Background Plaintiffs Carr, Killory, and Powell bring this case individually and on behalf of others similarly situated regarding a data breach related to student loan services they received from Defendants Oklahoma Student Loan Authority (“OSLA”) and Nelnet Servicing, LLC. Doc. 22 at 2, ¶ 2-3.1 Plaintiffs allege their personally identifiable information (“PII”) was obtained by malicious actors in 2022 via a data breach of Nelnet’s technology platform. Id. at 3, ¶ 5. Plaintiffs’ exposed PII included their names, addresses,
email addresses, phone numbers, and Social Security numbers. Id. at 13-14, ¶ 41. Plaintiffs claim both Defendants, Nelnet and OSLA, acted negligently in protecting the PII they had been provided. Id. at 3, ¶ 8. Specifically, Plaintiffs claim OSLA committed torts of negligence, negligence per se, and negligent training, hiring, and supervision of Nelnet. Id. at 71-74, 78-80. Plaintiffs bring additional claims against OSLA for an invasion of their
privacy. Id. at 80-83. Defendant OSLA moves to dismiss Plaintiffs’ suit for failure to state a claim. Doc. 29 at 7-8. II. Legal Standard “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal,
556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Fed. R. Civ. P. 8(a)(2) (“A pleading that states a claim for relief must contain . . . a short and plain statement of the claim showing that the pleader is entitled to relief . . . .”). While a complaint “need only give the defendant fair notice of what the claim is and the grounds upon which it rests,” Khalik v. United Air Lines, 671 F.3d 1188, 1191–92 (10th
Cir. 2012) (ellipsis, internal quotation marks, and citations omitted), “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not
1 References to specific paragraphs of the Complaint [Doc. 22] will include a page number and a paragraph number, as some paragraph numbers were inadvertently duplicated. suffice.” Iqbal, 556 U.S. at 678. “Thus, the mere metaphysical possibility that some plaintiff could prove some set of facts in support of the pleaded claims is insufficient; the complainant must give the court reason to believe that this plaintiff has a reasonable
likelihood of mustering factual support for these claims.” Ridge at Red Hawk, L.L.C. v. Schneider, 493 F.3d 1174, 1177 (10th Cir. 2007). The court must draw on its “experience and common sense” when evaluating whether a claim is plausible in a specific context. Iqbal, 556 U.S. at 663-64. III. Discussion
Plaintiffs bring five claims against OSLA. Three sound in negligence. Of these, the Court grants only OSLA’s motion to dismiss the negligence per se claim. Two other claims are based in the general tort of invasion of privacy. The Court grants OSLA’s motion to dismiss these claims. A. Negligence
Plaintiffs adequately allege the elements of a plausible negligence claim against OSLA. In Oklahoma, negligence requires (1) a duty of care owed by the defendant to the plaintiff; (2) the failure of the defendant to meet that duty; and (3) an injury proximately caused by that breach of duty. Franklin v. Toal, 19 P.3d 834, 837 (Okla. 2000). Defendant OSLA argues Plaintiffs fail to plausibly allege this claim because (1) OSLA owed no duty
to Plaintiffs it could have breached, (2) Plaintiffs do not show that any such breach proximately caused Plaintiffs’ injuries, and (3) Plaintiffs’ allegations of injuries are insufficient to sustain their claim. Additionally, OSLA points to the general rule in Oklahoma that an owner is not liable for the negligence of its independent contractor, except where the work is inherently dangerous or unlawful, or where the principal owed a contractual or defined legal duty to the injured party. Oklahoma City v. Caple, 105 P.2d 209, 212 (Okla. 1940). OSLA relies on this principle to argue it cannot be held liable for
negligent acts of Nelnet, its independent contractor. Each of OSLA’s arguments is flawed. OSLA owed a duty to Plaintiffs to act reasonably in safeguarding the Plaintiffs’ PII. In Oklahoma, a duty need not be created by statute. Wofford v. Eastern State Hosp., 795 P.2d 516, 519 (Okla. 1990). A duty arises when a party “is put in such a position with regard to another that it is obvious that if he did not use due care in his own conduct he will
cause injury to the other[.]” Id. It is evident and properly alleged that the exposure of a person’s social security number can cause foreseeable injury. Doc. 22 at 15-19, ¶¶ 44-61. Thus, once OSLA requested and collected the Plaintiffs’ sensitive information, OSLA placed upon itself a duty to safeguard that information. Other courts that have addressed sensitive data breaches have found a common law duty for the collector of the data to
safeguard it, even if the collector contracts with another entity to use the data. Charlie v. Rehoboth McKinley Christian Health Care Servs., 598 F. Supp. 3d 1145, 1154-55 (D.N.M. 2022); In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742 at *15 (D.N.J. Dec. 16, 2021) (“That duty did not vanish when Defendants chose to contract with [an independent contractor].”) Plaintiffs
adequately allege such a duty exists. Doc. 22 at 2-4, 71-72, ¶¶ 2, 9, 174-75. The Court agrees. OSLA’s reliance on Oklahoma’s independent contractor rule to disclaim its duty is misplaced. The rule protects against the theory of vicarious liability due to the inability of the principal to control the work of the contractor, not direct liability on behalf of the principal. See Bouziden v. Alfalfa Elec. Co-op., Inc., 16 P.3d 450, 455 (Okla. 2000). Plaintiffs allege that, independent of Nelnet’s own negligence, OSLA acted negligently by
not taking reasonable precautions in selecting and monitoring a vendor or not taking other reasonable steps that would safeguard Plaintiffs’ PII. Doc. 22 at 72, ¶ 175. Such allegations, accepted as true, present a plausible claim of negligence on the part of OSLA. Plaintiffs adequately plead that OSLA’s breach of duty proximately caused their injuries. “It is only where the evidence . . . is insufficient to show a causal connection
between the alleged wrong and the injury that the issue of proximate cause becomes a question of law.” Lockhart v. Loosen, 943 P.2d 1074, 1080 (Okla. 1997) (internal quotation marks omitted). The allegations in Plaintiffs’ Complaint [Doc. 22 at 39, 71-72, ¶¶ 122, 174-78] are sufficient, at this stage of litigation, for the claim to proceed. Plaintiffs satisfactorily plead they suffered a variety of injuries because of OSLA’s
negligence. OSLA methodically argues that each of Plaintiffs’ alleged harms is either too speculative, not concrete enough, or not plausibly connected to OSLA’s negligence.2 The Court need only address one type of alleged harm to sustain the claim. Plaintiffs allege they have each spent considerable time and effort to mitigate the fallout of the data breach by monitoring their financial accounts, setting up fraud alerts,
2 OSLA uses caselaw examining whether alleged injuries are sufficient for Article III’s standing requirement of injury-in-fact, D.L. v. Unified School Dist. No. 497, 596 F.3d 768, 774 (10th Cir. 2010), but does not expressly make an argument that Plaintiffs lack Constitutional standing. To the extent OSLA does argue Plaintiffs lack standing, this court rejects it because adequately pled damages are sufficient to show injury-in-fact. See Meier v. Chesapeake Operating L.L.C., 324 F.Supp.3d 1207, 1212-13 (W.D. Okla. 2018). and otherwise being hypervigilant for the consequences of their PII being exposed.3 Other courts that have addressed similar cases have found these types of mitigating efforts “easily qualif[y] as a concrete injury.” Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 694
(7th Cir. 2015); e.g. Hall v. Centerspace, LP, No. 22-CV-2028, 2023 WL 3435100 at *7- 8 (D. Minn. May 12, 2023) (collecting cases where courts have found cognizable damages in similar circumstances at the motion-to-dismiss stage). These alleged damages are neither speculative, uncertain, nor hypothetical future harms. Rather, they represent a concrete opportunity cost of time incurred by Plaintiffs at the recommendation of Defendant. See
Doc. 22-1 (“We [OSLA] encourage you to remain vigilant against incidents of identity theft and fraud over the next 24 months, by reviewing your account statements and monitoring . . . for suspicious activity[.]”). The alleged damages due to mitigation efforts are sufficiently pled to allow the negligence action to proceed; the Court need not address other categories of damages alleged or the respective arguments in response.
Plaintiffs adequately allege a plausible claim of negligence against OSLA by identifying a duty OSLA held to Plaintiffs, alleging facts making a breach of that duty plausible, and pleading concrete damages stemming from that breach. Therefore, Defendant OSLA’s motion to dismiss Plaintiffs’ Third Cause of Action [Doc. 22 at 71] is DENIED.
3 Plaintiff Carr alleges she has spent twenty hours on these efforts. Doc. 22 at 43, ¶ 114. Plaintiffs Killory and Powell allege they have each spent one hundred hours on these efforts. Id. at 46, 49, ¶¶ 127, 141. B. Negligence Per Se Plaintiffs do not adequately allege a claim of negligence per se against OSLA for violating the Oklahoma Office of Management and Enterprise Services’ Information
Security Policies, Procedures, and Guidelines (“InfoSecPPG”).4 The InfoSecPPG was created by statutory directive. 62 O.S. § 34.12(A). It establishes mandatory baseline standards for state agencies to protect the information assets of the state. See InfoSecPPG [Doc. 43-1] at 7-9. Plaintiffs allege OSLA, a state agency, failed to comply with InfoSecPPG, and, by not complying, negligently allowed their PII to be stolen. OSLA
argues (1) InfoSecPPG is preempted by federal law in relation to OSLA; (2) Plaintiffs are not within the proper class of persons to bring a negligence per se claim using InfoSecPPG; and (3) if applicable, any violation of InfoSecPPG is not the proximate cause of Plaintiffs’ injuries. InfoSecPPG is not preempted by federal law, and it remains applicable to OSLA.
OSLA does not argue InfoSecPPG has no applicability to OSLA; rather, OSLA argues InfoSecPPG’s standards are preempted by similar requirements promulgated by the Department of Education’s Office of Federal Student Aid (“FSA”). OSLA points to the three familiar methods of preemption to claim FSA requirements preempt InfoSecPPG: express, field, and conflict preemption. See English v. Gen. Elec. Co., 496 U.S. 72, 78-79
(1990). However, none of these theories of preemption invalidate InfoSecPPG’s
4 State of Oklahoma Office of Management and Enterprise Services, Information Security Policy, Procedures, Guidelines, Version 1.5, accesshttps://oklahoma.gov/omes/divisions/information- services/about-information-services/policy-and-standards.html. background applicability to OSLA. OSLA points to, and the Court finds, no authority within FSA requirements that expressly preempts applicable state standards. While the FSA requirements are robust, the scheme of federal regulation is not “so pervasive as to
make reasonable the inference that Congress left no room for the States to supplement it[.]” Id. at 79 (quotinq Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947)). Finally, OSLA is correct that some FSA standards supersede InfoSecPPG requirements. However, that does not mean they conflict to the extent OSLA would be unable to comply with both state and federal requirements. Id. In fact, the statute establishing InfoSecPPG expressly
contemplates that applicable federal standards may supersede the minimum standards set by Oklahoma. 62 O.S. § 34.12(A)(3) (“Where standards required . . . by agencies of the federal government are more strict than state minimum standards, such federal requirements shall be applicable[.]”) In effect, InfoSecPPG establishes baseline and gap- filling standards that remain applicable to OSLA. FSA requirements supplement and
supersede, but do not invalidate, InfoSecPPG’s applicability to OSLA. Plaintiffs adequately allege OSLA did not comply with the state’s baseline standards. Doc. 22 at 72- 74, ¶¶ 181-91. The fatal flaw for Plaintiffs’ negligence per se claim, however, is that InfoSecPPG was enacted to protect the State of Oklahoma, not the Plaintiffs. In Oklahoma, a negligence
per se claim requires three elements be shown: “(1) the injury must have been caused by the violation; (2) the injury must be of a type intended to be prevented by the statute; and (3) the injured party must be a member of the class intended to be protected by the statute.” McGee v. El Patio, LLC, 524 P.3d 1283, 1286 (Okla. 2023). InfoSecPPG’s purpose is repeatedly stated as “protection of the information assets of the State of Oklahoma” and as applying to “State information.” Doc. 43-1 at 7-9. Neither the policies themselves nor InfoSecPPG’s originating statute refer to the protection of individuals’ information for the
sake of the individuals; rather, the statute and policies concern the design of systems protecting “information of the State.” See 62 O.S. § 34.12; Doc. 43-1 at 10. While it could be argued that one of the “information assets” InfoSecPPG protects is PII of people like Plaintiffs, the text of InfoSecPPG indicates only that its data security policies are for the benefit of the State.
Additionally, Plaintiffs point to no case using InfoSecPPG (or other similar state regulations)5 for the purposes of demonstrating InfoSecPPG is a sound basis for their negligence per se claim. Plaintiffs provide only that they “were within the class of persons that these regulatory requirements and [statute] were intended to protect” without further explanation in their Complaint. Doc. 22 at 74, ¶ 188. This conclusory statement cannot be
credited as true. Iqbal, 556 U.S. at 678. Plaintiffs are not able to sustain their claim of negligence per se because they are not within the class of persons InfoSecPPG sought to protect. Although InfoSecPPG is not preempted by federal law with relation to OSLA, it is not a proper basis for Plaintiffs’ claim. Accordingly, the Court need not address OSLA’s causation argument. Defendant
OSLA’s motion to dismiss Plaintiffs’ Fourth Cause of Action [Doc. 22 at 72] is GRANTED.
5 Howard v. Zimmer, Inc. confirms only that “[f]ederal regulations may form the basis of a negligence per se claim under Oklahoma law.” 299 P.3d 463, 467 (Okla. 2013). C. Negligent Training, Hiring and Supervision Plaintiffs’ claim of negligent training, hiring, and supervision adequately states a claim, so OSLA’s motion to dismiss this cause of action is denied. This claim is founded
on Plaintiffs’ allegations of direct negligence by OSLA, not vicarious liability for the alleged negligence of Nelnet.6 In Oklahoma, “entities hiring an independent contractor may be liable . . . if the entity fails to exercise ‘due care in selecting a competent contractor for the necessary work.’” Le v. Total Quality Logistics, LLC, 431 P.3d 366, 375 (Okla.Civ.App. Div. 2, 2018) (quoting Hudgens v. Cook Indus., Inc., 521 P.2d 813, 816
(Okla. 1973)). “Competent contractor[] is defined as one who possesses the knowledge, skill, experience, personal characteristics, and available equipment which a reasonable man would realize that an independent contractor must have in order to do the work which he contracts to do without creating unreasonable risk of injury to others” Hudgens at 816. Plaintiffs adequately allege, at this stage, that OSLA did not use “due care” in selecting
and supervising Nelnet. Although InfoSecPPG is not a valid basis for Plaintiffs’ negligence per se cause of action, it still provides relevant guidance for what efforts OSLA should have undertaken in selecting and supervising Nelnet.7 Plaintiffs allege OSLA failed to evaluate Nelnet’s suitability for handling confidential information and “did no background investigation to
6 Section III A, supra at 3. 7 The Court emphasizes that InfoSecPPG’s standards are not dispositive, but remain illustrative at this stage of litigation, in determining what “due care” in selecting a contractor would look like. Plaintiffs must plead enough factual matter such that it is plausible OSLA breached their duty of due care in selecting and supervising Nelnet. Alleging OSLA did not comply with InfoSecPPG’s directives makes such a breach plausible. ensure Nelnet complied” with InfoSecPPG’s best practices. Doc. 22 at 24, ¶ 74. Plaintiffs also allege OSLA knew the security risk inherent in hiring a contractor and chose not to perform reasonable due diligence. Id. at 23-24, ¶ 73. Credited as true, these allegations lead
to a plausible conclusion that OSLA did not exercise due care in selecting a competent contractor. Contrary to Defendant’s arguments, Plaintiffs are not required to show more at this stage. Thus, OSLA’s motion to dismiss Plaintiffs’ Seventh Cause of Action [Doc. 22 at 78] is DENIED. D. Invasion of Privacy
The State of Oklahoma recognizes the tort of invasion of privacy in accord with the four categories defined in the Second Restatement of Torts.8 McCormack v. Oklahoma Pub. Co., 613 P.2d 737, 740 (Okla. 1980). Plaintiffs bring a cause of action under two of these categories: Intrusion upon Seclusion and Publicity Given to a Private Life. The Court finds Plaintiffs do not state a claim upon which relief can be granted. Accordingly,
Defendant’s motion to dismiss is GRANTED with respect to Plaintiffs’ Eighth Cause of Action [Doc. 22 at 80]. i. Intrusion upon Seclusion Plaintiffs’ claim cannot proceed because it is not plausible OSLA committed a nonconsensual intrusion upon Plaintiff’s seclusion. To prevail on this claim, Plaintiffs must
show (1) a nonconsensual intrusion occurred that (2) was highly offensive to the reasonable person. Gilmore v. Enogex, Inc., 878 P.2d 360, 366 (Okla. 1994); see also Munley v. ISC
8 RESTATEMENT (SECOND) OF TORTS §§ 652A – E (AM. LAW INST. 1977). Fin. House, Inc., 584 P.2d 1336, 1339-40 (Okla. 1978) (“One who intentionally intrudes, physically or otherwise . . . is subject to liability . . . .”). “[A]n intrusion occurs when an actor believes, or is substantially certain, that he lacks the necessary legal or personal
permission to commit the intrusive act.” Dubbs v. Head Start, Inc., 336 F.3d 1194, 1221 (10th Cir. 2003) (analyzing Oklahoma’s tort of Intrusion upon Seclusion) (internal quotation marks omitted). Plaintiffs conflate the consensual acts of OSLA with the intrusive acts of other third parties in pleading this claim against Defendant. The only intentional acts OSLA undertook with respect to Plaintiffs’ PII were
neither intrusive nor highly offensive to a reasonable person. Plaintiffs plead they “shared PII with Defendants[.]” Doc. 22 at 80, ¶ 220. Thus, Plaintiffs willingly provided OSLA with their PII. Therefore, OSLA could not plausibly have had the requisite intent to intrude upon Plaintiffs’ seclusion. Furthermore, the only intentional act OSLA undertook with the PII was sharing it with Nelnet so that OSLA could service Plaintiffs’ loans. OSLA’s
sharing of the data with a technology provider to further its service to Plaintiffs is hardly offensive. Plaintiffs attribute the intentional and highly offensive acts of hackers to OSLA. However, Plaintiffs do not plausibly plead that OSLA intended the harmful breach to occur. Accordingly, Plaintiffs’ remedy against OSLA only properly sounds in negligence, not an
intentional tort. ii. Publicity Given to a Private Life Plaintiffs’ claim for Publicity Given to a Private Life fails for similar reasons. OSLA did not give publicity to Plaintiffs’ PII; the unidentified hackers did. The tort has “three constituent elements: (1) publicity (2) which is unreasonable and (3) is given as a private fact.” Eddy v. Brown, 715 P.2d 74, 77 (Okla. 1986). “Publicity . . . means that the matter is made public, by communicating it to the public at large, or to so many persons that the
matter must be regarded as substantially certain to become one of public knowledge.” Id. at 78 (quoting RESTATEMENT (SECOND) OF TORTS § 652D). Once again, Plaintiffs conflate the inoffensive actions of OSLA with the malicious actions of the unidentified hackers. Plaintiffs only allege that OSLA shared Plaintiffs’ PII with Nelnet. Doc. 22 at ¶ 2. Thus, OSLA communicated Plaintiffs’ PII to only one party
for the purpose of servicing Plaintiffs’ loans. In doing so, OSLA was not “communicating the matter to the public at large” or sharing the data with substantial certainty it would become public knowledge. Parties dispute whether publication of matter on the dark web is sufficient to satisfy the publicity element of the tort; the Court need not decide whether it is. OSLA only
communicated Plaintiffs’ PII to Nelnet, not the dark web. Plaintiffs cite examples applying other states’ law wherein a reckless Defendant could be liable for this intentional tort. Bowen v. Paxton Media Grp., LLC, 21-CV-00143, 2022 WL 4110319 at *7-8 (W.D. Ky. Sept. 8, 2022). This Court is not persuaded. The Court finds an intervening illegal act over which OSLA had no control does not subject OSLA to liability on this tort. See Corcoran
v. Sw. Bell Tel. Co., 572 S.W.2d 212, 215 (Mo. App. 1978) (holding that when Defendant neither intended nor permitted publication of the private fact by illegal action of a third party, Defendant could not be liable for this tort). To the extent Plaintiffs argue OSLA permitted such an illegal act by not exercising due care, Plaintiffs’ claim sounds in negligence. IV. Conclusion Plaintiffs properly state claims against Defendant OSLA for negligence and negligent hiring, training, and supervision. Their claims for negligence per se, Intrusion upon Seclusion, and Publicity Given as a Private Fact fail for the reasons set forth above. Accordingly, the Court GRANTS Defendant’s Motion to Dismiss with respect to Plaintiffs’ Fourth and Eighth Causes of Action. The Court DENIES Defendant’s Motion with respect to Plaintiffs’ Third and Seventh Causes of Action. IT IS SO ORDERED this 19th day of October 2023.
UNITED STATES DISTRICT JUDGE