IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF OHIO EASTERN DIVISION ) ) CASE NO.: 1:24 CV 1722 IN RE CBIZ DATA BREACH ) LITIGATION, ) ) JUDGE DONALD C. NUGENT ) ) MEMORANDUM OPINION ) AND ORDER )
This matter is before the Court on Defendant, CBIZ Benefits & Insurance Services, Inc.’s Motion to Dismiss. (ECF #17). Plaintiff filed an Opposition to the motion, and Defendant, filed a Reply. (ECF # 18, 19). After careful consideration, the Court has determined that Defendant’s Motion to Dismiss should be GRANTED in part and DENIED in part.
FACTUAL AND PROCEDURAL OVERVIEW! Plaintiffs Amended Complaint is filed as Consolidated Class Action Complaint alleging that Defendant CBIZ Benefits & Insurance Services, Inc. (“CBIZ”) negligently failed to use The facts as stated in this Memorandum and Order are taken from the Amended Complaint and should not be construed as findings of this Court. In a motion to dismiss, the Court is generally obligated, for the purposes of that motion, to accept as true the facts set forth by the non-moving party, in this case, the Plaintiff. To the extent that Defendant is allowed to make a factual challenge under a 12(b)(1) motion, the Court has addressed any contradictory evidence provided below.
reasonable means to secure and prevent disclosure of the Plaintiffs’ sensitive personal identifying information (“PII”). Plaintiffs also claim that the disclosure of their PII constituted an invasion of privacy and that CBIZ was unjustly enriched by “saving the costs it reasonably should have expended on data security measures to secure Plaintiffs’ and Class members’ PII.” (ECF #16, PageID 165-167). According to the Consolidated Complaint, CBIZ provides financial, benefits, and insurance services to organizations that currently or formerly employed the Plaintiffs and purported class members (collectively “Plaintiffs”). In order to receive these benefits from their employer, the Plaintiffs were required to provide “sensitive, “no-public PII” to their employer, who the provided the information to CBIZ, the third-party administrator of the plans. CBIZ is alleged to have collected this information, and in some cases retained the information even after the employee no longer received benefits or services from their employer. CBIZ did not encrypt or redact the sensitive data, and was aware that there was a risk that this information was vulnerable to cyberattacks. In June of 2024, CBIZ notified Plaintiffs that an unauthorized party had acquired their PII from CBIZ databases. Plaintiffs claim that this information was obtained by a known “cybergang,” known by the name of “Meow Leaks,” who posted the PII on the dark web. Once posted on the dark web, the information can be accessed by other bad actors for the purpose of exploiting or stealing the Plaintiffs’ identities. CBIZ claims that different types of information was obtained on different employees. For example, in some cases social security numbers were accessed, where for others only names and birth dates were acquired. CBIZ states, and Plaintiffs do not dispute, that for those employees whose social security numbers may have been impacted
-2-
CBIZ offered two years of free credit monitoring, fraud consultation, and identity theft restoration, if required. (ECF #17-1, Attach 1-3). Plaintiffs seek compensatory damages, declaratory judgment and injunctive relief requiring CBIZ to “ (a) disclose, expeditiously, the full nature of the Data Breach and the types of PII exposed; (b) implement improved data security practices to reasonably guard against future breaches of PII in Defendant’s possession; and (c) provide, at Defendant’s expense, all impacted Data Breach victims with lifetime identity theft protection services.” (ECF #16, PageID 109).
STANDARD OF REVIEW Defendant seeks dismissal of all claims asserted against it in the amended Consolidated Class Action Complaint, pursuant to Fed. R. Civ. P. 12(b)(1) and 12 (b)(6).
A. Fed. R. Civ. P. 12(b)(1) Defendants argue that Plaintiff(s) have no standing to bring this suit because they have suffered no loss. Consequently, they seek dismissal of the complaint pursuant to Fed. R. Civ. P. 12(b)(1), asserting that this Court lacks subject matter jurisdiction to hear the claims. When evaluating a motion brought under Fed. R. Civ. P. 12(b)(1), this Court’s inquiry is not necessarily limited to the content of the complaint. If the motion raises a factual challenge to the Court’s subject matter jurisdiction, the Court is “not to presume that the factual allegations asserted in the Complaint are true.” Ohio Nat'l Life Ins. Co. v. Unites States, 922 F.2d 320, 325 (6" Cir. 1990). Rather the Court may consider “affidavits, documents, and even a limited evidentiary hearing to resolve disputed jurisdictional facts,” and “will weigh the conflicting evidence to determine
-3-
whether proper jurisdiction exists.” Busacca v. Excavating Bldg. Material & Const. Drivers Union Local 436 Welfare Fund Bd. Of Trs., 953 F.Supp. 867, 870-71 (N.D. Ohio 1996). However, where Defendant’s challenge is to the legal sufficiency of the allegations in the complaint, rather than to the veracity of the factual allegations, this Court is required to, “consider the pleadings and affidavits in a light most favorable to the [non-moving party].” Jones v. City of Carlisle, Ky., 3 F.3d. 945, 947 (6th Cir. 1993) (quoting Welsh v. Gibbs, 631 F.2d 436, 439 (6th Cir. 1980)). Ifthe Court finds that any Plaintiff has standing, it need not consider the issue any further at this stage of the litigation. See Horne v. Flores, 557 U.S. 433, 446 (2009)(citing Vill. of Arlington Heights v. Metro. Hous. Dev. Corp., 429 U.S. 252, 264 n.9 (1977).
B.. Fed. R. Civ. P. 12(b)(6) On a motion brought under Fed. R. Civ. P. 12(b)(6), this Court’s inquiry is limited to the content of the complaint, although matters of public record, orders, items appearing in the record of the case, and exhibits attached to the complaint may also be taken into account. See Chester County Intermediate Unit v. Pennsylvania Blue Shield, 896 F.2d 808 (3rd Cir. 1990). “A plaintiff's obligation to provide the ‘grounds’ of his ‘entitle[ment] to relief? requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl’ Corp. v. Twombly, 550 U.S. 544, 555 (2007)(quoting Papasan v. Allain, 478 U.S. 265, 286, 106 S. Ct. 2932, 92 L. Ed. 2d 209 (1986)). “Factual allegations must be enough to raise a right to relief above the speculative level,” and to “state a claim that is plausible on its face.” Twombly at 555,570. A claim is plausible “when the plaintiff pleads factual conduct that
-4-
allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. In deciding a Rule 12(b)(6) motion, this Court must determine not whether the complaining party will prevail in the matter but whether it is entitled to offer evidence to support the claims made in its complaint. See Scheuer v. Rhodes, 416 U.S. 232, 236 (1974). In evaluating a motion for dismissal under Rule 12(b)(6), the district court must “consider the pleadings and affidavits in a light most favorable to the [non-moving party].” Jones v. City of Carlisle, Ky., 3 F.3d. 945, 947 (6th Cir. 1993) (quoting Welsh v. Gibbs, 631 F.2d 436, 439 (6th Cir. 1980)). However, though construing the complaint in favor of the non-moving party, a trial court will not accept conclusions of law or unwarranted inferences cast in the form of factual allegations. See City of Heath, Ohio v. Ashland Oil, Inc., 834 F.Supp. 971, 975 (S.D. Ohio 1993).
ANALYSIS A. Standing/Jurisdiction Article III, §2 of the United States Constitution gives federal courts the authority to preside over cases or controversies between citizens of different states. The United States Supreme Court has long held that, in order to invoke the court’s power, a litigant must establish standing to sue by proving that they have a genuine personal stake in outcome of the case. See,e.g., Warth v. Seldin, 422 U.S. 490, 498 (1975); TransUnion LLC v. Ramirez, 594 US. 413, 423 (2021). “[S]tanding imports justiciability: whether the plaintiff has made a ‘case or controversy’ between himself and the defendant within the meaning of Article II. Warth, 422
-5-
U.S. at 498-99. To establish standing the plaintiffs bear the burden of showing that they “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). An ‘injury in fact” is a “concrete and particularized” invasion or violation of a protected interest that is “actual, or imminent, not conjectural hypothetical.” Spokeo, 578 U.S. at 339 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992)); see also, TransUnion LIC v. Ramirez, 594 U.S. 413, 423 (2021). An injury in fact does not have to be economic in nature. Village of Arlington Heights v. Metropolitan Housing Dev. Corp., 429 U.S. 252, 262-263 (1977). (“It has long been clear that economic injury is not the only kind of injury that can support a plaintiff's standing.”). While the injury may be intangible, in order to qualify as a concrete injury under Article III courts may look to history and tradition to see if it bears “a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Dickson v. Direct Energy, LP, 69 F.4th 338, 343 (6™ Cir. 2023). A future injury is not an “actual injury” unless it is “certainly impending.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 n.5 (2013).” In a putative class action, each individual Plaintiff must still satisfy the injury requirement in order to participate in the action. See, Soehnlen v. Fleet Owners Ins. Fund, 844 F.3d 576, 582
O.R.C. §2323.56 defines “future damages,” for purposes of assessing damages in a tort action, as “any damages that result from an injury to person that is a subject of a tort action and that will accrue after the verdict or determination of liability by the trier of fact is rendered in that tort action. The case law establishes the standard by which “future damages” must be established. The plaintiff must prove that they are “certainly impending” in order to recover. -6-
(6" cir. 2016). However, individual standing for each putative plaintiff need not be established to defeat a motion to dismiss on jurisdictional grounds. The individual determinations are more suited to decisions on class certification or on a motion for summary judgment. As long there is one individual plaintiff who has demonstrated standing, the Court has jurisdiction to hear the case. See, Arlington Heights, 429 U.S. at 264, and n. 9. The Complaint alleges that the Plaintiffs’ personal identifying information was obtained from CBIZ by an “unknown and unauthorized third party.” (ECF #1, PageID 3). Asa result, they claim to have suffered the following injuries: (i) invasion of privacy; (11) theft of their PII; (iii) lost or diminished value of their PII (iv) lost time and opportunity costs associated with attempting to mitigate the consequences of the data breach; (v) loss of benefit of the bargain; (vi) actual misuse of the compromised data consisting of an increase in spam calls, texts, and/or emails; (vii) Plaintiff's PII being disseminated on the dark web; (viii) nominal damages; (ix) the continued and increased risk that their PII is available or left unprotected for unauthorized access and use (ECF #1, PageID 3, 23). The factual allegations underlying these injuries claim that the Plaintiffs’ PII, including names, dates of birth, and in some cases Social Security numbers, was not encrypted when it was
-7-
stolen from CBIZ’s databases by an unauthorized party. (ECF #1, PageID 6-8). Plaintiffs also allege that, in some cases, the PII has been posted to the Dark Web, where it could be sold to other bad actors. (ECF #1, PageID 8). They assert that access to a stolen social security number gives thieves an increased ability to “access bank accounts, credit cards, driving records, tax and employment histories and other private information,” and to “impersonate you, obtain credit and open bank accounts, apply for jobs, steal your tax refunds, get medical treatment, and steal your government benefits.” (ECF #1, PageID 16-17). Plaintiffs do not allege that their information has yet been used in any way that has caused them actual monetary loss. They retain access to and use of their information. They have not alleged that the stolen PII included phone numbers or email addresses. CBIZ notified those affected that they should take measures to monitor their accounts and credit reports for a year, and should take other precautions such as placing fraud alerts on their accounts and contacting consumer reporting bureaus.” (ECF#1, PageID 26). The Complaint acknowledges that CBIZ offered 24 months of identity monitoring services, and asserts that this is insufficient to protect against future fraud or misuse of their information. (ECF #1, PageID14). Implementation of preventative measures has allegedly caused Plaintiffs lost time and other opportunity costs, and they allege it will continue to do so for years to come. Plaintiffs further assert that the stress of an on-going risk that their PII will be misused causes them emotional distress and mental stress or anguish. In order to establish standing, Plaintiffs need only allege some injury in fact that is traceable to the Defendant’s alleged conduct. Defendants may be correct that some of the injuries in the Complaint are not be supported by the factual allegations provided, or may not be
-8-
compensable under the causes of action asserted. They also correctly note that the potential for future injury is generally not treated as an injury in fact for purposes of standing unless it is “certainly impending.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 n.5 (2013). However, the question of whether is it is “certainly impending” may be a factual question that is not determinable at the motion to dismiss stage. Further, this general rule does not apply when the “exposure to the risk of harm itself causes a separate concrete harm,” or when Plaintiffs seek an injunction to prevent future harm. TransUnion, 594 U.S. at 436. TransUnion may preclude Plaintiffs from recovering damages for costs that may be, but have not yet been, incurred responding to a risk of uncertain future harm. However, it does not go so far as to prevent any possibility of recovery for costs that were actually incurred in a reasonable attempt to mitigate a risk caused by the Defendant. See generally, Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 388 (6" cir. 2016)(“allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish cognizable Article III injury at the pleading stage of litigation.”). At a minimum, Plaintiffs have alleged already realized injuries through invasion of privacy, loss of benefit of the bargain, emotional stress, and the expenditure of time and resources to monitor and take other preventative measures to protect themselves from a risk future harm. The Complaint alleges that, at least, their emotional stress and the need for preventative measures is fairly traceable to the CBIZ’s failure to protect their PII through encryption or other protective measures. There is no dispute that bad actors obtained Plaintiffs’ PII from CBIZ’s databases. There is also no dispute that Plaintiffs have been encouraged, by CBIZ, to take measures to mitigate the potential for future damage that could result from the bad
-9-
actor’s access to that data. Therefore, the Complaint alleges sufficient injury, traceable to the Defendant’s alleged conduct, to support standing in this case. In addition, Plaintiffs seek injunctive relief that is aimed at preventing or reducing the likelihood of future harm made possible by CBIZ’s alleged failures. When injunctive relief is sought, future injuries are cognizable as injuries in fact. Therefore, even if some, or all, of the alleged injuries fall away during the course of discovery and other pre-trial proceedings, the allegations are sufficient to establish standing at this point in the litigation.
B. Causes of Action A “federal court sitting in diversity ordinarily must follow the choice-of-law rules of the State in which it sits.” Atl. Marine Const. Co. v. U.S. Dist. Ct. For W. Dist. Of Texas, 571 U.S. 49, 65 (2013). When looking at tort claims, Ohio choice of law rules focus on which state possesses the most significant relationship to the tort injury. The parties agree, for purposes of this motion only, that Ohio tort law applies. (ECF #17-1, PageID 196; ECF # 18, PageID 249). 1. Negligence To properly state a claim for negligence under Ohio law, a plaintiff must allege three elements: (1) the existence of a legal duty, (2) the defendant’s breach of that duty; and, (3) injury that is proximately caused the plaintiff's injury. See, e.g., Mussivand v. David, 45 Ohio St. 3d 314, 318, 544 N.E. 2d 265 (1989). a. Existence of a Legal Duty In Counts One and Two, Plaintiffs assert claims for negligence and negligence per se. The claim for negligence per se relies on their assertion that Defendant violation Section 5 of the
-10-
FTC Act, 15 U.S.C. §45, by failing to use “reasonable measures to protect PII.” The Complaint also makes bare allegations that Defendant violated “[v]arious FTC publications and orders,” but fails to identify any such publications or orders. Although Plaintiffs appear to have abandoned the negligence per se claim in Count Two by failing to counter Defendant’s argument seeking its dismissal, the Court will address the claim briefly below. i. Stautory Duty/Negligence Per Se When a statute does not expressly provide for civil liability, the court must determine whether its violation supports a finding of negligence per se. “Where there exists a legislative enactment commanding or prohibiting for the safety of others the doing of a specific act and there is a violation of such enactment solely by one whose duty it is to obey it, such violation constitutes negligence per se; but where there exists a legislation enactment expressing for the safety of others, in general or abstract terms, a rule of conduct, negligence per se has no application and liability must be determined by the application of the test of due care as exercised by a reasonably prudent person under the circumstances of the case.” Mussivand at 319-320 (quoting Eisenhuth v. Moneyham, 161 Ohio St. 367, 119 N.E. 2d 440, ¥ 3 syllabus (1954)). Plaintiffs have not identified any legislative enactment requiring a specific act or omission on the part of companies who collect or store other individual’s PII. The only legislation they cite in the Complaint is an FTC order that prohibits “unfair . . . practices in or affecting commerce.” Plaintiffs acknowledge that “there is no express statutory duty under Ohio law to protect personal information in this context.” (ECF #18, PageID 251). This language, at best, expresses a generalized rule of conduct in the most abstract of terms. Therefore, it creates no specific duty and its violation does not equate to negligence per se. Count Two, must,
-11-
therefore, be dismissed. The Ohio legislature has addressed the issue of PII security and has created a safe harbor for businesses who follow the data security industry protocols as set forth in the Act. O.R.C. §1354.02. However, they explicitly refrained from creating a private cause of action against companies that failed to meet any minimum security standards. Ohio Senate Bill 220, □□□□ Gen. Assmb. (2018), §3B; but see, Mulkey v. RoundPoint Mortg. Servicing Corp., No. 1:21 CV 1058, 2021 WL 5804575, at *3 (N.D. Ohio Dec. 7, 2021). Just because the statute did not explicitly create a new private cause of action, does not mean Plaintiffs have no redress for negligence related to the safekeeping of PII. The fact that a statute provides an affirmative statutory defense against breach of data claims implies that the law recognizes a potential cause of action for such claims. See, Mulkey v. Roundpoint Mortg. Serv. Grp., 2021 U.S. Dist. LEXIS 234110 (N.D. Ohio, 2021). Therefore, there is no basis upon which to impose a specific statutory duty, or to find negligence per se, but neither is there a statutory bar to a finding of common law negligence if an entity acts unreasonably with regard to safeguarding other people’s PII.
. ii. Common law duty In the absence of a particularized statutory duty, the Court must determine whether CBIZ owed the Plaintiffs a common law duty of ordinary care upon receiving their PII. “A person’s failure to exercise ordinary care in doing or failing to do something will not amount to actionable negligence unless such person owed to someone injured by such failure a duty to exercise such ordinary care.” United States Fire Ins. Co. v. Paramount Fur Service, Inc., 168 Ohio St. 431, 156 N.E. 2d 121 (1959). A common-law duty of care is generally imposed requiring every person or other legal entity to exercise the level of care of an ordinarily reasonable and prudent
-12-
person would show under the same or similar circumstances. In other words, a person should exercise the care necessary to avoid injuring another person. Mussivand at 318-19 (citing Gedeon vy. East Ohio Gas Co., 128 Oho St. 335, 338, 190 N. E. 924, 925 (1934) and 70 Ohio Jurisprudence 3d (1986) 62, Negligence, Section 19. The standard changes when the alleged injury stems from a failure to prevent harm by another. “There is no duty to prevent a third
person from causing harm to another absent a special relationship between the parties.” Simpson v. Big Bear Stores Co., 652 N.E. 2d 702, 705 (Ohio 1995). All but three of Plaintiffs’ claims of injury rest on the theory that CBIZ failed to effectively prevent other third party actors from causing harm to the Plaintiffs through misuse of their PII. The facts alleged in the Complaint make clear that invasion of privacy,’ theft of PII, lost or diminished value of PII, misuse of the data, dissemination on the dark web, and other nominal damages are all harms that were, or are at risk of being imposed due to the bad acts of the third party, known as MeowLeaks. Under Ohio law, there is no duty to prevent other third
party actors from causing Plaintiffs’ harm unless the defendant had a special relationship with the plaintiffs. Plaintiffs do not allege any special relationship. (ECF #18, PageID 251). Therefore, these alleged injuries do not support a claim for negligence against CBIZ because they do not identify a legally recognizable duty to protect Plaintiffs from the bad acts of third parties. It follows then, that CBIZ could only be liable under a negligence theory based on a The facts allege invasion of privacy not only by MeowLeaks’ illegal theft of Plaintiffs’ PII, but also by CBIZ’s alleged “publication” of their information in a manner that makes it accessible to the public. To the extent that the invasion of privacy claim stems from CBIZ’ alleged “publication,” it would be its own claim, separate from any injury under a negligence theory. It will be addressed as such below. -13-
breach of the general duty to act as a reasonable and prudent person would to prevent the injuries associated with Plaintiffs mitigation efforts to prevent future harm, and the emotional strain of knowing that their PII remains accessible by bad actors and has the potential to cause future harm.* Defendant asks this Court to find that no common law duty exists to safeguard other people’s personal information. However, they do not cite any Ohio or Sixth Circuit law that clearly supports this request. Absent some direct guidance from the Ohio courts, or the Sixth Circuit applying Ohio law, this Court sees no reason to exempt businesses who collect PII from the general duty of reasonable care under common law negligence standards. b. Breach of Duty Plaintiffs have sufficiently alleged a breach of the duty of reasonable care with their claim that CBIZ failed to reasonably protect their PII, which was entrusted to them as part of their agreement with Plaintiffs’ employers. Plaintiffs claim that CBIZ retained PI in their databases even after they had no legitimate need for it. They also claim that the PII was stored without encryption, and that CBIZ did not utilize reasonable and prudent methods to keep the information secure. These allegations, if true, could be sufficient to establish the breach of duty element of Plaintiffs’ negligence claim. c. Injury Plaintiffs assert they have suffered direct harm due to CBIZ’s failure to adequately protect their PII. The injuries that are directly linked to Defendants’ conduct, and do not rely on
—_ The other remaining alleged injury, “loss of the benefit of the bargain,” is not an injury recognizable under a common law negligence theory. Rather, it would arise under the theory of unjust enrichment, and will be addressed accordingly below. -14-
additional bad acts by a third party are: (1) “lost time and opportunity costs associated with attempting to mitigate the consequences of the data breach;” and, (2) “the continued and increased risk that their PII is available or left unprotected for unauthorized access and use.” The second description of injury is further clarified in the Complaint as alleging an injury of emotional distress and mental stress or anguish. The question becomes whether these are cognizable injuries under a cause of action for common law negligence. The first alleged injury addresses harm that has already occurred, as well costs that will continue to occur over time. The second alleges an injury based on the fear of future harm. i. Future Damages Ohio law does not bar recovery for future damages in all instances. As discussed above in relation to standing, a plaintiff generally cannot recover for a future loss, unless it is “certainly impending,” Clapper, 568 U.S. 398, 409 n. 5. The Sixth Circuit, applying Ohio law, has held that “certainly impending” does not mean that Plaintiffs must make a showing that the harm is “literally certain” in order to recover. Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 388 (6" Cir. 2016). Ohio Revised Code §2323.56 recognizes the potential for recovery of “future damages” in a tort action,. Further, the United States Supreme Court has acknowledged that future harms can be considered when assessing damages when “exposure to the risk of harm itself causes a separate concrete harm.” Potential future injuries can support injunctive relief, and in this context can also be a basis for recovery. TransUnion, 594 U.S. at 436. A motion to dismiss is not the appropriate time to determine whether any alleged future injuries are “certainly impending.” ii. Past Damages
-15-
Trans Union does not prevent Plaintiffs from recovering losses that have already been incurred in a reasonable attempt to mitigate a risk of future harm. See generally, Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 388 (6" cir. 2016)(“allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish cognizable Article III injury at the pleading stage of litigation.”). Courts applying Ohio law have also held specifically that “an increased risk of identity theft is cognizable” as a injury under a theory of negligence. Allen v. Wenco Mgmt., LLC, 696 F.Supp. 3d 432 (N.D. Ohio 2023). An allegation of a data breach involving PII, by its very nature, establishes that “there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable. Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiff to wait for actual misuse — a fraudulent charge on a credit card, for example — before taking steps to ensure their own personal and financial security.” Jd. This is especially true when, as in this case, the Defendant from whom the information was obtained, recommended taking preventative measures. Jd. at 388-89. Thus, it is possible that a plaintiff could prove a present injury in the form of mitigation costs. In addition, courts have recognized that the emotional distress or increased anxiety suffered by plaintiffs, based on the knowledge that their PII has been obtained by a bad is a recoverable injury. See, Mulkey, 2021 U.S. Dist. LEXIS 234110. A plaintiff's allegations of emotional distress are “sufficient to confer standing at the motion to dismiss stage.” Thompson v. Equifax Info. Services, LLC, 441 F. Supp. 3d 533, 542-43 (E.D. Mich. 2020); see also, Huff v. Telecheck Services, Inc., 923 F.3d 458, 463 (6th Cir. 2019) (noting that plaintiff could not establish an actual injury because he did "not suggest that he wasted time or suffered emotional
-16-
distress"); Foster v. Health Recovery Servs., 493 F. Supp. 3d 622, 634. Therefore, there is a path to potential recovery for injuries based on lost time and opportunity costs associated with attempts to avoid or mitigate future harm, as well as injuries based on emotional or mental distress. iii. Economic Loss Doctrine Defendant argues that even if Plaintiffs have alleged an actual harm, recovery is barred by the economic loss doctrine. The Ohio Supreme Court has held that the economic loss doctrine generally bars a litigant from recovering damages in tort for injuries of a purely economic nature. See Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc., 106 Ohio St. 3d 412 (2005)(citing Chemtrol Adhesives, Inc. v. Am. Mfrs. Mut. Ins. Co. 42 Ohio St. 3d 40, 45, 537 N.E.2d 154 (1989)). Many courts, along with the Defendants in this case, have cited Corporex in support of a blanket prohibition on the recovery of any “economic losses” under Ohio tort law. This approach overstates the holding of Corporex, and ignores other sources that recognize the potential for recovery of economic damages under Ohio tort law. Ohio Revised Code 2323.56 defines “economic loss” and “noneconomic loss” in the context of calculating damages in a tort action. “Economic loss” is defined as pecuniary harm in the form of: wages, salaries, lost compensation; expenditures for medical care or treatment; and, “any other expenditure incurred as a result of an injury to a person that is a subject of a tort action.” Noneconomic loss is defined as “nonpecuniary harm, that results from an injury to a
person that is a subject of a tort action including, but not limited to, pain and suffering, loss of society, consortium, companionship, care, assistance, attention, protection, advice, guidance, counsel, instruction, training or education, mental anguish, and any other intangible loss.”
-17-
Plaintiffs’ claims for damages resulting from alleged emotional distress and mental stress and anguish qualify as noneconomic harm under Ohio law. Therefore, they are not barred by the economic loss doctrine. Fear is also a cognizable injury that is classified as noneconomic loss. The economic loss doctrine does not preclude recovery for “fear and anxiety” because the alleged fear is based on an “allegation that Plaintiff fear[s] ... some quantifiable physical loss.” Foster v. Health Recovery Servs., Inc., 493 F.Supp. 3d 622, 638 (S.D. Ohio 2020). To the extent that Plaintiffs are seeking to recover damages for economic loss, the Court must examine not only the general rule barring recovery in tort for purely economic losses, but also the exceptions to that general pronouncement. As noted by the Ohio Supreme Court in Corporex, the economic loss doctrine was established to prevent commercial litigants from imposing liability on a party they have a contractual relationship with, for breaching responsibilities or duties that are not addressed within the contract. Corporex at 704; see also, Chemtrol Adhesives, Inc. v. Am. Mfrs. Mut. Ins. Co., 42 Ohio St.3d 40, 45, 537 N.E. 2d 624 (1990). “This rule stems from the recognition of a balance between tort law, designed to redress losses suffered by breach of a duty imposed by law to protect societal interests, and contract law, which holds that ‘parties to a commercial transaction should remain free to govern their own affairs.’” Corporex at | 6, quoting Chemtrol, 42 Ohio St.3d at 42. When a duty arises by agreement, a party’s failure to perform in accordance with the agreement is “‘a creature of contract’ “and can only be enforced by a party to that contract.” Corporex at 705, quoting Floor Craft Floor Covering, Inc. v. Parma Cmty. Gen. Hosp. Ass’n, 54 Ohio St. 3d 1, 4 (1990)(citations omitted). On the other hand, the duty breached in a negligence claim is one imposed by common law, and is meant to establish basic standards of care to protect general
-18-
societal interests. See, Corporex at 704. Corporex held that in order to avoid the economic loss doctrine, the duty allegedly breached by the Defendant had to be a duty imposed by law and not a duty imposed as a part of a contractual or other relationship between the parties. ““When a duty in tort exists, a party may recover in tort.” Corporex at 705; see also Navistar v. Dutchmaid Logistics, Inc., 171 N.E.3d 851, 861 (Ohio Ct. App. 5" Dist. 2020)(holding economic loss doctrine does not apply to a “tort claim alleg[ing] a duty was breached independent of the contract.”); Campbell v. Krupp, 195 Ohio App.3d 573, 961 N.E.2d 205 416 (6" Dist. 2011); Eysoldt v. ProScan Imaging, 194 Ohio App.3d 630, 957 N.E.2d 780 421 (1* Dist 2011); Allen v. Wenco Mgmt., LLC, 696 F.Supp. at 439 (stating “even where a plaintiff does allege purely economic loss, the economic-loss rule serve to bar only those negligence claims ‘premised entirely upon the terms of a contract.’”(quoting Corporex at §10)). The duty of reasonable care is a duty imposed under common law negligence principles. CBIZ owed no duty to the Plaintiffs based on any contract or other type of agreement between the parties. In this case, the only duty CBIZ allegedly owed Plaintiffs was a duty arising under the common law to act reasonably in order to avoid injury to others. The Ohio Supreme Court has also recognized that the economic loss doctrine does not apply when a duty imposed under the common law extends to a plaintiff affected by conduct that might fall under a contract between the Defendant and a third party. In other words a plaintiff can bring a tort claim for economic loss against a defendant who should have foreseen that the plaintiff would be damaged by their tortious conduct, even if that conduct was addressed by a
-19-
contract between Defendant and a third party.” Haddon View, 70 Ohio St.2d 154, 436 N.E. 2d 212(1982). Although CBIZ and Plaintiffs were not in privity contractually, CBIZ, as part of its contract with Plaintiffs’ employers, obtained and retained Plaintiffs’ PI in order to manage their benefit programs. Plaintiffs could maintain a negligence claim against Plaintiffs if it was foreseeable that CBIZ’s alleged failure to properly secure the information would cause Plaintiffs to suffer economic harm. Under Hadden, CBIZ’s potential liability to the Plaintiffs does not rely on any contractual relationship and is cannot be barred based on any related contract that existed between CBIZ and the Plaintiffs’ employers. Corporex did not overturn Hadden, or restrict application of the exception acknowledged in Hadden. Rather, it distinguished Hadden noting that in order to become liable for economic losses under these circumstances, the Defendant must know that the plaintiff was relying on Defendant to act truthfully (or in this case, reasonably) to avoid foreseeable harm to the plaintiff. Corporex at 704-05. In this case, there is no dispute that CBIZ understood that they would be custodians of Plaintiffs PII, and, taking the allegations in the Complaint as true, it was foreseeable that Plaintiffs would have relied on CBIZ to secure the PII that had been entrusted to them. For these reasons, Plaintiffs have sufficiently alleged an injury that is legally compensable under Ohio negligence law. 2. Invasion of Privacy Plaintiffs claim that Defendants are liable for invasion of their privacy. The Ohio Supreme Court has recognized a claim for invasion of privacy if a Defendant has: publicized the private affairs of another, with which the public has no legitimate concern; or, has wrongfully There is no allegation in the Complaint that CBIZ’s management of the Plaintiffs’ PII was addressed in its contract with the Plaintiffs’ employers. -20-
intruded into the private activities of another in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities.” Housh v. Peth, 133 N.E.2d 340, syllabus J2 (Ohio 1956). To state a claim for an invasion of the right to privacy in Ohio, Plaintiffs must allege facts sufficient to show: (1) there was a clearly private fact; (2) there was public disclosure of the private fact; and (3) the matter made public is one which would be highly offensive and objectionable to a reasonable person.” Greenwood v. Taft Stettinius & Hollister, 663 N.E.2d 1030, 1035 (Ohio Ct. App. 1* Dist. 1995). The private fact at issue must concern the private life of the plaintiff, not his public life. Killilea v. Sears, Roebuck & Co.,27 Ohio App.3d 163, 499 N.E. 2d 1291 (1985). Plaintiffs’ PII does not clearly satisfy the definition of a “private fact” under the elements of a claim for invasion of privacy. The information at issue may be personal and protectable, in that it provides information to verify a person’s identity, but it is not private in the sense that its disclosure would cause offense, mental suffering, shame, humiliation to a person of ordinary sensibilities. Though there is a financial risk attendant to its unauthorized disclosure, it is typically disclosed by its owners in a multitude of financial and identification scenarios without fear, offense, or suffering, and it is required to be disclosed in order to obtain numerous necessary benefits from filing taxes to obtaining health care. The disclosure of this kind of information may be more akin to the unauthorized disclosure of medical information which Ohio has recognized as the separate tort of breach of confidence. The breach of confidence tort was created because the type of information disclosed did not squarely fit into traditional causes of action, such as invasion of privacy, defamation, implied breach of contract, negligent infliction of emotional distress, and others. See, Biddle v.
-21-
Warren General Hospital, 86 Ohio St. 3d 395, 715 N.E.2d 518 (Ohio 1999). Similarly, the publication of non-medical PII, such as social security numbers, names, dates of birth, and contact information may be information that most people would expect to be protected from unauthorized disclosure, even though it does not generally implicate the type of harm that an invasion of privacy claim is meant to address. Neither party has presented any law that would support extending the tort of breach of confidence to non -medical PII, nor has the Court found any evidence that Ohio courts has recognized such a claim in the context of PII. In fact, Ohio courts have explicitly declined to extend the tort of breach of confidence, as established by Biddle, to protect non-medical information. See, e.g, Brickman v. Maximus, Inc., 2002 U.S. Dist. LEXIS 20567 (S.D. Ohio 2022); Valente v. Porter, Wright, Morris & Arthur, LLP, 2010 Ohio 6201, 2010 WL 5239186, at *2 (Ohio Ct. App. 2010). The fact that the breach of confidence tort does not apply outside of the protection of medical information does not, however, mean that courts should allow an invasion of privacy claim if to do so would “stretch the traditional theories beyond their reasonable bounds, or ignore or circumvent otherwise sound legal doctrinal limitations, in order to achieve justice” for PII disclosures. Jd. at 523. Even if the PII at issue did constitute the type of private information that the tort of invasion of privacy is meant to protect, Plaintiffs do not plausibly allege that the Defendant disclosed this information to the public. The publicity element of this tort requires that the Defendant communicate the information “to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Yoder v. Ingersoll-Rand Co., 172 F.3d 51 (6" Cir. 1998). In this case, Plaintiffs voluntarily provided the
-22-
PII to CBIZ, through their employers, for the purpose of obtaining benefits. CBIZ accepted, stored, and retained the data on a web-accessible database. Plaintiffs do not allege that this database was accessible to the public. Rather they argue that it this database had a vulnerability that failed to prevent unauthorized access by professional hackers. There is no allegation that CBIZ, itself, disclosed the information to any third party, nor is there any allegation that the information on the database was, or is, accessible to the general public. The fact that a database can be hacked does not mean that it is accessible to, let alone communicated to the general public. See, Marlin v. Associated Materials, LLC, No. 5:23 CV 1621, 2024 WL 2319115, at *3 (N.D. Ohio, May 22, 2024)(“access by a single unauthorized party” does not equate to widespread disclosure that would satisfy the publication requirement for invasion of privacy); Foster v. Health Recovery Servs., Inc., 493 F. Supp. 3d 622, 636 (S.D. Ohio 2020). For these reasons, Plaintiffs have failed to state a claim for invasion of privacy. 3. Unjust enrichment Ohio law provides that plaintiffs may recover for a claim of unjust enrichment if they can show all of the requisite elements, including: (1) a benefit conferred by a plaintiff upon a defendant; (2) knowledge by the defendant of the benefit; and, (3) retention of the benefit by the defendant under circumstances where it would be unjust to do so without payment. Johnson v. Microsoft Corp., 106 Ohio St.3d 278, 286 (2005). The Complaint contains no allegations that would plausibly support an unjust enrichment claim in this case. Plaintiffs claim that they provided their PII in order to obtain benefits from their employers. The employers, who are not a party to this action, contracted with the Defendant to provide those benefits to the employees. Plaintiffs were not in privity with CBIZ and there was
-23-
no implied agreement or reciprocal promise made by CBIZ to safeguard the information in exchange for Plaintiffs’ disclosure of the information. © The PII was necessary in order to process the benefits but provided no financial or other benefit to CBIZ. There are no allegations that CBIZ benefitted from the value of the PII, itself. The fact that PII was required to process benefits and to allow CBIZ to fulfill its contract with the third party employers does not mean that they benefitted in any concrete way from the information. Further, their collection of the PII did not diminish the Plaintiffs own access to or ability to access any inherent value in the PII. Finally, the benefit, if any, that the Plaintiffs were to receive by permitting their information to be stored by CBIZ was access to benefits through their employers. Plaintiffs do not claim that they contracted, bargained for, or relied on any other benefit from CBIZ, and there are no allegations that Plaintiffs failed to receive the benefits their employers obtained for them using CBIZ’s services. Therefore, Plaintiffs have failed to allege facts that could plausibly support a claim for unjust enrichment against the Defendant, CBIZ. If the duty to safeguard the information originated from an implied promise offered in exchange for the receipt of the PII, it is very possible that the economic loss doctrine may then apply to negate and negligence claims asserting economic loss. -24-
CONCLUSION For the reasons set forth above Defendant’s Motion to Dismiss the Amended (Consolidated) Class Action Complaint, (ECF #17), is GRANTED in part and DENIED in part. Plaintiffs have standing to assert this action and have stated a claim for Negligence in Count One of the Complaint. The Complaint does not adequately state a claim for Negligence Per Se, Invasion of Privacy, or Unjust Enrichment. Therefore, Counts Two through Four are dismissed with prejudice. The next status conference is set for June 10, 2025 at 9:30 a.m, by telephone. IT IS SO ORDERED.
DONALD C. Sick United States District Judge
DATED: 2 1015
-25-