Griffey v. Magellan Health Incorporated

• Court: District Court, D. Arizona
• Decided: September 27, 2021
• Docket: 2:20-cv-01282
• Status: Unknown

Opinion

1 WO 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE DISTRICT OF ARIZONA

9 Chris Griffey, individually and on behalf of No. CV-20-01282-PHX-MTL all others similarly situated; et al., 10 ORDER Plaintiffs, 11 v. 12 Magellan Health Incorporated, 13 Defendant. 14

15 Magellan Health, Inc. (“Magellan”) was the subject of a ransomware cyber-attack 16 and data breach. A hacker stole the personally identifiable information (“PII”) and 17 protected health information (“PHI”) of Magellan employees, contractors, and participants 18 in health care benefit plans that Magellan administers. Plaintiffs here represent these 19 categories of individuals. They assert numerous claims against Magellan relating to the 20 data breach. Magellan has moved to dismiss. (Doc. 33, the “Motion”.) The Parties fully 21 briefed the Motion and the Court held oral argument. The Court resolves the Motion as 22 follows. 23 I. FACTUAL BACKGROUND 24 The following facts are taken from the First Amended Consolidated Class Action 25 Complaint (“Amended Complaint”). (Doc. 30.) Magellan is a health care company 26 headquartered in Phoenix, Arizona. It administers health and pharmaceutical benefits to 27 plan members in exchange for fees. (Doc. 30 ¶¶ 30–31.) As part of the administration 28 process, Magellan obtains and stores plan members’ PII and PHI on its servers. (Id. ¶¶ 31– 1 33.) Similarly, Magellan collects PII from its employees as a condition of employment. 2 (Id. ¶¶ 63–64.) Plaintiffs further allege that Magellan’s privacy policy contains express 3 statements whereby Magellan committed to protecting the PII and PHI it collects. 4 (Id. ¶¶ 50–53.) 5 In April 2020, a hacker sent a “spear phishing” email to Magellan employees. 6 (Id. ¶¶ 32, 38.) An employee unwittingly responded to the email, and, in doing so, provided 7 the hacker with access to the Magellan email system. (Id.) A ransomware attack followed. 8 (Id. ¶¶ 32, 38, 82.) The hacker accessed and extracted PII and PHI from Magellan servers. 9 (Id. ¶ 33.) Magellan detected the attack when system files became encrypted. (Id. ¶ 38.) 10 This is a common feature of a successful spear phishing attack. (Id. ¶ 37.) It was Magellan’s 11 second data breach that year. (Id. ¶¶ 32, 38, 82.) 12 Plaintiffs are residents of different states and have different relationships with 13 Magellan, but their claims fall into three categories based on the injury they allegedly 14 suffered. Plaintiffs Chris Griffey, Michael Domingo, Joseph Rivera, and Teresa Culberson 15 received notice of the data breach. (Id. ¶¶ 1, 4, 12–13.) They allege potential risks of future 16 harm, including harm to their PII or PHI. (Id.) Plaintiffs Bharath Rayam and Clara Williams 17 allegedly experienced attempted fraud but suffered no out-of-pocket losses. (Id. ¶¶ 2–3, 6– 18 7.) Finally, Plaintiffs Laura Leather, Daniel Ranson, Mitchell Flanders, and Keith Lewis 19 allege they incurred out-of-pocket expenses in response to the data breach to protect or 20 monitor their PII and PHI. (Id. ¶¶ 5, 8–11, 14–15.) 21 Plaintiffs lay out the nature of their alleged current and future injuries in their 22 Amended Complaint: (1) the compromise, publication, theft, damage to, diminution in 23 value, or unauthorized use of their PII or PHI; (2) out-of-pocket costs associated with the 24 prevention, detection, recovery, and remediation from identity theft or fraud; (3) lost 25 opportunity costs and lost wages associated with efforts expended and the loss of 26 productivity from addressing and attempting to mitigate the actual and future consequences 27 of the data breach; (4) the continued risk to their PII and PHI while in Magellan’s 28 possession if Magellan does not take appropriate measures to protect Plaintiffs’ 1 information; (5) current and future costs in terms of time, effort, and money that will be 2 expended to prevent, detect, contest, remediate, and repair the impact of the data breach 3 for Plaintiffs’ lives; (6) imminent and impending injury arising from the increased risk of 4 fraud and identity theft; (7) injury in ways yet to be discovered and proven at trial; and (8) 5 a heightened risk for financial fraud, medical fraud, identity theft, and attendant damages 6 for the foreseeable future. (Id. ¶¶ 85–86, 91; see id. ¶ 98.) 7 Plaintiffs allege Magellan’s data security infrastructure was inadequate to prevent 8 the cyber-attack. (Id. ¶¶ 85–91.) As a result, all Plaintiffs and the prospective class 9 members allege claims of negligence, negligence per se, breach of implied contract, unjust 10 enrichment, and violations of the Arizona Consumer Fraud Act (“AzCFA”). (Id. ¶ 28.) In 11 addition, Plaintiffs domiciled outside of Arizona allege violations of their state’s consumer 12 protection laws. (Id.) 13 Magellan moves to dismiss the Amended Complaint asserting various arguments: 14 (1) Plaintiffs lack Article III standing; (2) none of Plaintiffs’ claims for relief are properly 15 pleaded; and (3) many of the claims asserted under state consumer protection statutes do 16 not apply to Magellan. 17 II. STANDARD OF REVIEW 18 A complaint must contain “a short and plain statement of the claim showing that the 19 pleader is entitled to relief” such that the defendant is given “fair notice of what 20 the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 21 545, 555 (2007) (quoting Fed. R. Civ. P. 8(a)(2); Conley v. Gibson, 355 U.S. 41, 47 (1957)). 22 A complaint does not suffice “if it tenders ‘naked assertion[s]’ devoid of ‘further factual 23 enhancement.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. 24 at 556). Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal 25 theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri 26 v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988). A complaint, however, should 27 not be dismissed “unless it appears beyond doubt that the plaintiff can prove no set of facts 28 in support of the claim that would entitle it to relief.” Williamson v. Gen. Dynamics Corp., 1 208 F.3d 1144, 1149 (9th Cir. 2000). 2 The Court must accept material allegations in a complaint as true and construe them 3 in the light most favorable to Plaintiffs. North Star Int’l v. Arizona Corp. Comm’n, 720 4 F.2d 578, 580 (9th Cir. 1983). “Indeed, factual challenges to a plaintiff’s complaint have 5 no bearing on the legal sufficiency of the allegations under Rule 12(b)(6).” See Lee v. City 6 of Los Angeles, 250 F.3d 668, 688 (9th Cir. 2001). Review of a Rule 12(b)(6) motion is 7 “limited to the content of the complaint.” North Star Int’l, 720 F.2d at 581. 8 III. DISCUSSION 9 The Court addresses whether Plaintiffs have standing and then addresses whether 10 Plaintiffs have stated a claim in each cause of action. 11 A. Standing 12 The standing doctrine is rooted in Article III of the United States Constitution. To 13 proceed with an action in federal court, a plaintiff must show “(i) that he suffered an injury 14 in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely 15 caused by the defendant; and (iii) that the injury would likely be redressed by judicial 16 relief.” TransUnion LLC v. Ramirez, --- U.S. ---, 141 S. Ct. 2190, 2203 (2021) (citing Lujan 17 v. Defenders of Wildlife, 504 U.S. 555, 560–561 (1992)). Here, redressability and causation 18 are not at issue. The critical inquiry is whether each Plaintiff suffered an actual, concrete 19 injury. Magellan argues that Plaintiffs have not. The Court disagrees. 20 Setting aside the issue of whether Plaintiffs have stated cognizable injuries for the 21 purposes of their substantive claims against Magellan, it is axiomatic that a plaintiff can 22 satisfy the Article III injury-in-fact requirement but, ultimately, fall short of satisfying the 23 cognizable injury requirement for, say, a negligence claim. See Krottner v. Starbucks 24 Corp., 406 F. App’x 129, 131 (9th Cir. 2010). To qualify under this standard, conduct, like 25 Magellan’s here, must create a risk of future injury that is “certainly impending.” Clapper 26 v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013). This Court has previously reasoned that 27 injuries in data breach cases like the ones Plaintiffs allege here satisfy the injury-in-fact 28 requirement. See, e.g., In re Banner Health Data Breach Litig., No. CV-16-02696-PHX- 1 SRB, 2017 WL 6763548, at *2 (D. Ariz. Dec. 20, 2017) (concluding that all of the Plaintiffs 2 in a data breach case involving the theft of individuals’ personal information stored by a 3 health care services provider had alleged an injury-in-fact). 4 For example, in In re Banner Health, the court held that allegations claiming 5 personal information was stolen and then sold for financial gain satisfied Article III 6 standing. Id. at *2. What is more, the court in In re Banner Health also observed that even 7 without allegations such as “who stole [Plaintiffs’] information and what their motives 8 might have been,” Article III standing would still exist in similar data breach cases. See id. 9 (deducing this conclusion through the holding in Krottner v. Starbucks Corp., 628 F.3d 10 1139, 1140 (9th Cir. 2010)). Indeed, the United States Supreme Court has recently 11 recognized that “disclosure of private information” is one of many “[v]arious intangible 12 harms” that satisfy Article III standing. TransUnion LLC, 141 S. Ct. at 2204. Thus, the 13 Court finds these allegations sufficient for the purposes of the standing inquiry. 14 B. Negligence 15 A negligence claim under Arizona law requires proof of four elements: duty, breach, 16 causation, and damages. Quiroz v. ALCOA Inc., 243 Ariz. 560, 563 (2018). Generally 17 speaking, Plaintiffs claim that Magellan owed them a “duty of care to use reasonable means 18 to secure and safeguard its computer property—and Class Members’ PII and PHI held 19 within it—to prevent disclosure of the information, and to safeguard the information from 20 theft.” (Doc. 30 ¶ 119.) They further claim that Magellan breached this duty by employing 21 vulnerable data systems. (Id. ¶ 130.) Magellan’s Motion does not take issue with these 22 allegations. Instead, it argues that Plaintiffs’ Amended Complaint fails to properly allege 23 causation and damages. (Doc. 33 at 4–7.) 24 1. Causation 25 Causation is generally a question of fact for the jury. Cramer v. Starr, 240 Ariz. 4, 26 11 (2016). At the motion to dismiss stage, however, the Court may review the complaint 27 to determine if causation is adequately pleaded. Lexmark Int’l, Inc. v. Static Control 28 Components, Inc., 572 U.S. 118, 134 (2014) (“But like any other element of a cause of 1 action, [proximate causation] must be adequately alleged at the pleading stage in order for 2 the case to proceed.”). A causal or logical relationship between events creates proximate 3 cause; a purely temporal connection may not. Stollenwerk v. Tri-W. Health Care All., 254 4 F. App’x 664, 668 (9th Cir. 2007). 5 Plaintiffs allege that Magellan’s failure to “properly monitor the computer network 6 and systems” containing Plaintiffs’ PII and PHI caused their injuries. (Doc. 30 ¶ 23.) This 7 failure, they claim, caused the data breach and constituted “reckless and negligent 8 conduct.” (Id. ¶ 24.) As a result of Magellan’s negligent behavior, Plaintiffs allege their 9 PII and PHI fell into “the hands of data thieves and [is] available on the dark web.” (Id.) 10 This directly and proximately caused their injuries to occur. (Id. ¶¶ 25–26.) 11 Magellan argues that Plaintiffs cannot draw a sufficiently strong causal link between 12 the data breach and the alleged injuries. (Doc. 33 at 7.) Magellan believes Plaintiffs Griffey, 13 Domingo, Rivera, and Culberson cannot show proximate cause because they only allege 14 the potential for future injuries which cannot be casually linked to the data breach. 15 (Doc. 33 at 7.) Plaintiffs do not contest this argument. (See Doc. 34 at 6–7.) Next, Magellan 16 asserts that Plaintiffs Rayam, Leather, Williams, Ranson, Flanders, and Lewis have not 17 shown a causal link between the data breach and their alleged injuries. (Id.) Instead of 18 showing a logical connection between the data breach and the injuries, Magellan argues 19 that Plaintiffs are relying on a purely temporal argument: the data breach occurred and then 20 these injuries happened. Magellan maintains that this sequence of events does not indicate 21 causality. 22 Focusing on the injuries suffered by the other six plaintiffs, Plaintiffs argue that the 23 connection between the data breach and injuries is not purely temporal. (Id.) They claim 24 the data breach and the events immediately after—increased spam calls, PII and PHI on 25 the “dark web,” fraudulent applications for unemployment benefits, fraudulent accounts 26 being opened, and “other suspicious activities”—are logically connected and sufficient to 27 support allegations of proximate cause. 28 The Court finds the analysis in Stollenwerk instructive in this case. In Stollenwerk, 1 the Ninth Circuit held the theft of a computer hard drive proximately caused the release of 2 personal information held on that hard drive. Stollenwerk, 254 F. App’x at 668. The court 3 reasoned that it was plausible that the thief could have extracted information and then 4 released it. Id. In addition, the plaintiff alleged that he normally refused to transmit his 5 personal information over the internet, habitually shredded mail containing personal 6 information, and had a nearly nonexistent record of personal information being stolen prior 7 to the hard drive theft. Id. And so, the court denied the motion to dismiss for lack of 8 proximate cause. Id. 9 Like in Stollenwerk, Plaintiffs plausibly allege proximate causation because this 10 case has fewer links in the chain of causation. In Stollenwerk the computer hardware was 11 stolen and the court had to assume that the personal information on the hardware could be 12 and was extracted. Here, the personal information in this case was stolen directly. This 13 means that the first link in the chain of causation the court in Stollenwerk deemed plausible 14 is a certainty in this case. Furthermore, like the plaintiffs in Stollenwerk, Plaintiffs here 15 allege that they took reasonable steps to maintain the confidentiality of their PII and PHI. 16 (Doc. 30 ¶ 66.) But, unlike the complaint in Stollenwerk, the Amended Complaint here 17 does not elaborate on the measures taken by Plaintiffs in this case. If it is true that Plaintiffs’ 18 steps to protect their PII or PHI were reasonable, then the allegation that the data breach 19 proximately caused the misappropriation and misuse of Plaintiffs Rayam, Williams, Lewis, 20 Flanders, Ranson, and Leather’s PII and PHI is more plausible than the causation 21 allegations in Stollenwerk. Thus, Plaintiffs Rayam, Williams, Lewis, Flanders, Ranson, and 22 Leathers sufficiently allege causation for the purposes of Rule 12(b)(6). Plaintiffs Griffey, 23 Domingo, Rivera, and Culberson do not because they allege only future injuries. 24 2. Damages 25 Magellan also seeks the dismissal of Plaintiffs’ negligence claim on the separate 26 basis that the Amended Complaint does not allege cognizable injuries. Negligence 27 “damage[s] must be actual and appreciable, non-speculative, and more than merely the 28 threat of future harm.” CDT, Inc. v. Addison, Roberts & Ludwig, C.P.A., P.C., 198 Ariz. 1 173, 176–77 (App. 2000) (quotation omitted). The majority view is that “general 2 allegations of lost time,” “continued risk to [plaintiff’s] personal data,” and “the danger of 3 future harm” are not cognizable injuries. Pruchnicki v. Envision Healthcare Corp., 439 F. 4 Supp. 3d 1226, 1232–33 (D. Nev. 2020), aff’d 845 F. App’x 613 (9th Cir. 2021); accord 5 Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010). Similarly, general 6 allegations that a plaintiff’s personal information has diminished in value are not enough. 7 “In order to survive a motion to dismiss on this theory of damages, a plaintiff ‘must 8 establish both the existence of a market for her personal information and an impairment of 9 her ability to participate in that market.’” Pruchnicki, 439 F. Supp. 3d at 1234 (quoting 10 Svenson v. Google Inc., No. 13-CV-04080-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 11 21, 2016)). Even with out-of-pocket expenses, paying for additional credit monitoring 12 services requires “a plaintiff to plead that the monitoring costs were both reasonable and 13 necessary.” In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. 14 Supp. 2d 942, 970 (S.D. Cal. 2014), order corrected, (MDD), No. 11MD2258 AJB (MDD), 15 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014). 16 Magellan argues that the Plaintiffs do not allege sufficiently cognizable injuries to 17 support a negligence claim. (Doc. 33 at 4–7.) Plaintiffs Griffey, Domingo, Rivera, and 18 Culberson allege a threat of future injury which is not cognizable under CDT because such 19 allegations qualify as speculative and as threats of future harm. (Id. at 4.) Magellan next 20 observes that Plaintiffs Williams and Rayam do not allege out-of-pocket expenses. 21 (Id. at 5.) Citing cases like Pruchnicki, Magellan concludes Williams and Rayam’s claims 22 are not cognizable. (Id.) After that, Magellan notes that Plaintiffs’ claims that they suffered 23 damages to and diminution in the value of their PII or PHI are not cognizable because they 24 fail to establish a market for their personal information and an impairment on their ability 25 to participate in that market. (Id. at 6.) Finally, while some Plaintiffs incurred out-of-pocket 26 expenses, Magellan argues they fail to allege that their expenditures to mitigate damages 27 were reasonable and necessary. (Id. at 6–7.) 28 Plaintiffs disagree. They initially argue that attempted or actual identity fraud 1 constitutes sufficient damages to support a negligence claim. (Doc. 34 at 3–4.) Then, 2 Plaintiffs rely on out-of-circuit caselaw to challenge Magellan’s arguments about lost time 3 allegations. (See Id. at 4–51.) Finally, Plaintiffs argue that when compromised PII or PHI 4 loses value it is a cognizable injury. (Id. at 6.) 5 Plaintiffs’ allegations of lost time addressing the data breach, continued risk to their 6 PII and PHI, and the danger of future harm are not cognizable injuries for negligence 7 claims. Krottner, 406 F. App’x at 131; Pruchnicki, 439 F. Supp. 3d at 1232–33. The cases 8 Plaintiffs cite are either consistent with this principle or not binding on this court. 9 (See Doc. 34 at 4.) Plaintiffs’ claims of future injury simply are not cognizable. Thus, even 10 if Plaintiffs Griffey, Domingo, Rivera, and Culberson sufficiently alleged causation, their 11 claims would still be dismissed for failure to state a claim. 12 Although Plaintiffs Williams and Rayam experienced attempted fraud, their claims 13 are not cognizable. Whether any fraud will actually occur in the future is speculative. As a 14 result, Plaintiffs only suffer a threat of future injuries. But Arizona law requires negligence 15 damages to be more than merely a threat of future harm. CDT, 198 Ariz. at 176–177. 16 Threats of future harm, on their own, are not cognizable negligence injuries. 17 Courts also recognize that merely alleging a diminution in value to somebody’s PII 18 or PHI is insufficient; the plaintiff must demonstrate a market exists for the personal 19 information at issue and an impairment in a plaintiff’s ability to participate in that market. 20 See Pruchnicki, 439 F. Supp. 3d at 1234 (citing the Svenson test). The Amended Complaint 21 demonstrates neither. Plaintiffs only identify an illegal market for their personal 22 information, the “dark web.” This Court declines to recognize the “dark web” as a 23 legitimate market by which individuals may sell their information. Furthermore, Plaintiffs 24 fail to allege that the availability of their information on the “dark web” lowers the value 25 of their information. What is more, in support of their negligence claims, Plaintiffs argue 26 1 Citing In re Facebook Litig., 572 F. App’x 494 (9th Cir. 2014), In re Marriott Int’l, Inc., 27 Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 461 (D. MD. 2020), In re Experian Data Breach Litig., No. SACV151592AGDFMX, 2016 WL 7973595, at *5 (C.D. Cal. 28 Dec. 29, 2016), and In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD- 02752-LHK, 2017 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017 1 that compromised PII inherently loses value. (Doc. 34 at 6.) Their argument reflects a 2 fundamental misunderstanding of the law. In re Facebook only applied to breach of 3 contract and fraud claims, not negligence claims; In re Experian applied In re Facebook 4 and thus cannot be used to show compromised PII inherently loses value in negligence 5 claims; and In re Yahoo discussed standing, not cognizable injury in negligence claims. 6 Moreover, Plaintiffs’ citation to In re Marriott that PII or PHI has value in our digital 7 economy actually supports the test articulated in Svenson. Svenson acknowledged that PII 8 and PHI have value in our economy and that a plaintiff must identify a market in which he 9 would like to sell his or her data. This, unlike the observation in In re Marriott, proposes a 10 means to measure the value of PII or PHI. Thus, without identifying a market in which they 11 can or could and intend or intended to sell their information, Plaintiffs here fail to 12 demonstrate a loss in value of their PII or PHI. 13 Finally, Plaintiffs Lewis, Flanders, Ranson, and Leathers allege damages due to out- 14 of-pocket expenses spent on credit monitoring services in addition to the identity 15 monitoring services provided by Magellan. (Doc. 30 ¶ 90.) Even when out-of-pocket 16 expenses are alleged, Plaintiffs must also allege that the monitoring costs were reasonable 17 and necessary. In re Sony, 996 F. Supp. 2d at 970. Plaintiffs fail to allege their out-of- 18 pocket expenses were necessary in the Amended Complaint. (See generally Doc. 30.) Even 19 if Plaintiffs had offered a conclusory allegation that their out-of-pocket expenses were 20 reasonable and necessary, they would still need to properly allege that the identity 21 monitoring services offered by Magellan were inadequate in some way to justify the out- 22 of-pocket expenses. Yet Plaintiffs allege no metric or measure indicating their risk 23 increased such that the identity monitoring services provided by Magellan were inadequate. 24 (Doc. 30 ¶ 90; see generally Doc. 30.) Without substantiating their claims that Magellan’s 25 services were inadequate, Plaintiffs have no argument that their out-of-pocket expenses 26 were reasonable or necessary. 27 Thus, Plaintiffs fail to state a claim alleging a cognizable tort injury. And so, all 28 negligence claims will be dismissed with leave to amend. 1 3. Negligence Per Se 2 Magellan moves to dismiss Plaintiffs’ separately pleaded claim for negligence per 3 se. “Negligence per se is not a cause of action separate from common law negligence. It is 4 a doctrine under which a plaintiff can establish the duty and breach elements of a 5 negligence claim based on a violation of a statute that supplies the relevant duty of care.” 6 Craten v. Foster Poultry Farms Inc., 305 F. Supp. 3d 1051, 1054 n.2 (D. Ariz. 2018). 7 Indeed, Plaintiffs at oral argument all but conceded that negligence per se is not a separate 8 cause of action. Plaintiffs’ negligence per se claim will be dismissed with prejudice to the 9 extent that it is a stand-alone claim for relief. If Plaintiffs choose to file a seconded amended 10 complaint, this does not preclude them from applying the theory of negligence per se to 11 their negligence claims. 12 4. Economic Loss Doctrine 13 Magellan argues that Plaintiffs’ negligence claims should be dismissed under the 14 economic loss doctrine. According to Magellan, Plaintiffs are limited to contract damages. 15 Plaintiffs respond that Arizona’s version of the economic loss doctrine does not extend 16 beyond product liability and construction defect cases. They also argue that Magellan’s 17 argument is self-contradictory because it denies the existence of any contract. 18 “The ‘economic loss doctrine’ bars plaintiffs, in certain circumstances, from 19 recovering economic damages in tort.” Flagstaff Affordable Housing Ltd. Partnership v. 20 Design Alliance, Inc., 223 Ariz. 320, 321 (2010). The doctrine advances “[t]he contract 21 law policy of upholding the expectations of the parties.” Id. at 325. The Arizona Supreme 22 Court has stated, “[o]ur adoption of the economic loss doctrine in construction defect cases 23 reflects our assessment of the relevant policy concerns in that context; it does not suggest 24 that the doctrine should be applied with a broad brush in other circumstances.” Id. at 329. 25 The parties have not cited any Arizona case where the economic loss doctrine was applied 26 outside the context of products liability or construction defect cases. Given the Arizona 27 Supreme Court’s direction that the economic loss doctrine should be applied only in limited 28 contexts, this Court will not expand the doctrine to apply in data breach cases without more 1 direct guidance from the Arizona courts that such doctrine is applicable in this category of 2 cases. 3 C. Unjust Enrichment 4 “Unjust enrichment occurs when one party has and retains money or benefits that in 5 justice and equity belong to another.” Trustmark Ins. Co. v. Bank One, Arizona, NA, 202 6 Ariz. 535, 541 (Ct. App. 2002), as corrected (June 19, 2002). Arizona courts require a 7 plaintiff to show five elements: “(1) an enrichment; (2) an impoverishment; (3) a 8 connection between the enrichment and the impoverishment; (4) the absence of 9 justification for the enrichment and the impoverishment; and (5) the absence of a legal 10 remedy.” Id. Plaintiffs who have “already received the benefit of [their] contractual 11 bargain” cannot recover under a theory of unjust enrichment. Adelman v. Christy, 90 F. 12 Supp. 2d 1034, 1045 (D. Ariz. 2000). Thus, if Plaintiffs recover under their implied 13 contracts theory, they cannot recover for unjust enrichment. But a plaintiff is permitted to 14 plead alternative claims of relief in the complaint; “the mere existence of a contract 15 governing the dispute does not automatically invalidate an unjust enrichment alternative 16 theory of recovery.” Id. And so, although recovery for breach of an implied contract would 17 preclude recovery for unjust enrichment, Plaintiffs may plead both breach of implied 18 contract and unjust enrichment in their Amended Complaint. 19 Some Plaintiffs were employees of Magellan, some were contractors, and others 20 were beneficiaries of health care plans administered by Magellan or one of its affiliates or 21 subsidiaries.2 (Doc. 30 ¶¶ 167–176.) Yet the allegations for unjust enrichment are 22 substantially the same for all Plaintiffs. (Id.) Plaintiffs allege that they provided money or 23 labor to Magellan affiliates and subsidiaries by which Magellan was enriched. (Id. ¶ 167.) 24 The money provided or the benefit conferred by Plaintiffs’ labor was intended, in part, to 25 be used by Magellan to fund “adequate security” for the PII and PHI it stored. (Id.) 26 Magellan enriched itself by spending less than it should have on data security and did not 27 2 The Amended Complaint does not clearly explain whether Plaintiffs Williams and Lewis 28 still receive health care services administered by Magellan or one of Magellan’s affiliates or subsidiaries. (Doc. 30 ¶¶ 5, 14.) 1 provide a reasonable amount of security to protect Plaintiffs’ PII or PHI. (Id. ¶ 168.) 2 Cutting corners on data security led to the data breach. (Id.) There is no justification for 3 Magellan’s decision. (Id. ¶ 169.) Plaintiffs further allege that Magellan’s data security was 4 inadequate because this was the second data breach for Magellan in a year and because 5 Magellan should have known about and implemented industry standards for data security. 6 (Id. ¶¶ 80–82.) Plaintiffs did not allege what actions Magellan took that were inadequate 7 or which features of its data security system were below industry standards. (Id.) But, 8 according to Plaintiffs, they have stated a claim for unjust enrichment. (Id.) 9 Magellan argues that Plaintiffs’ claims fail because Plaintiffs admit that Magellan 10 was not paid directly by Plaintiffs, indicating there was no enrichment. Also, Plaintiffs 11 received the health care services to which they were entitled, so they were not 12 impoverished. (Doc. 33 at 11; Doc. 35 at 7–8.) Plaintiffs counter that the enrichment does 13 not have to come from direct payment or services to Magellan because unjust enrichment 14 is an equitable doctrine. (Doc. 34 at 11–12.) Additionally, Plaintiffs argue their 15 impoverishment stems from Magellan’s lack of adequate data security. (Id.) Plaintiffs’ data 16 were entitled to more security than provided. (Id.) 17 On this issue, the parties cited three cases with conflicting holdings. Compare In re 18 Banner Health, 2017 WL 6763548 at *6 (holding that plaintiffs in a similar data breach 19 adequately pleaded unjust enrichment), with Irwin v. Jimmy John’s Franchise, LLC, 175 20 F. Supp. 3d 1064, 1071–1072 (C.D. Ill. 2016) (applying Arizona law and dismissing unjust 21 enrichment claims even though Jimmy John’s did not have data security for customer credit 22 card information) and In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft 23 Litig., 45 F. Supp. 3d 14, 30 (D.D.C. 2014) (holding a similar claim did not meet Article 24 III standing). 25 Irwin concerned customers who paid for sandwiches at Jimmy John’s restaurants. 26 Customers who paid with their credit cards claimed Jimmy John’s was unjustly enriched 27 because the company did not provide reasonable data security for customer credit card 28 information. Irwin, 175 F. Supp. 3d at 1071. In Irwin, Jimmy John’s had a group of separate 1 cash-only customers who paid the same price as those who purchased food with a credit 2 card. Id. at 1071–1072. Thus, the entire price paid by credit card users accounted for the 3 sandwiches they purchased. See id. This was the same amount paid by cash customers. And 4 so, Irwin held the credit-paying plaintiffs did not experience an impoverishment because 5 they “did not pay for a side order of data security and protection” with their sandwiches. 6 Id. at 1072. None of the money paid could be reasonably attributed to credit card security. 7 Here, unlike Irwin, the Amended Complaint does not specify whether Plaintiffs all 8 paid by the same means and at the same price for health care services.3 Likewise, all 9 employees or contractors turned over the same PII as a condition of working for or with 10 Magellan. The Amended Complaint identifies no group that paid the same price for 11 services and required no data security. And the Amended Complaint identifies no group or 12 groups that provided services without turning over their PII. On balance, Irwin’s logic and 13 conclusion that Plaintiffs could not expect to receive data security does not apply in this 14 case. 15 In re Banner Health and In re Science Applications came to opposite conclusions 16 with similar facts. In re Science Applications involved a government data breach which 17 resulted in the increased risk of identity theft for approximately 4.7 million people. 45 F. 18 Supp. 3d at 19–22. The court required Plaintiffs to allege a market difference between the 19 value of services received and the price paid to establish Article III standing. In re Science 20 Applications, 45 F. Supp. 3d at 30. As explained elsewhere in this order, however, this 21 Court concludes that the Plaintiffs have standing. In re Banner Health concerned a data 22 breach during which hackers accessed the PII and PHI of “nearly 4 million patients, 23 insurance plan members, plan beneficiaries, payment card users, and healthcare providers.” 24 In re Banner Health, 2017 WL 6763548 at *1. The plaintiffs alleged that Banner Health 25 “failed to provide adequate data security.” Id. at *6. Specifically, the plaintiffs in In re 26 Banner Health pointed to the lack of a “multi-factor authentication for remote access to 27 3 The Amended Complaint only states that Magellan received the fees that Plaintiffs paid 28 to Magellan’s affiliates and subsidiaries and the states in which they operate. (Doc. 30 ¶ 31.) 1 computer networks that contain sensitive information.” Plaintiffs’ Consolidated Amended 2 Class Action Complaint at 34, In re Banner Health Data Breach Litig., 2017 WL 6763548 3 (D. Ariz. Dec. 20, 2017) (No. 16-02696). The Court concluded that the plaintiffs had 4 adequately pleaded unjust enrichment. In re Banner Health, 2017 WL 6763548 at *6. But 5 this Court does not follow In re Banner Health’s conclusion because Plaintiffs here allege 6 no specific reasons explaining why Magellan’s data security was inadequate. 7 Plaintiffs offer two post hoc explanations when alleging that Magellan’s data 8 security services were “inadequate.” First, they allege that two data breaches in a year 9 necessarily implies that Magellan’s data security was inadequate. That is not enough. As a 10 matter of logic, however, the existence of an adequate data security infrastructure and two 11 data breaches in a year are not mutually exclusive. 12 Second, they allege that Magellan should have known about industry standards and 13 did not meet those standards. Plaintiffs allege that Magellan did not implement a series of 14 policies, procedures, and “best practices” outlined by private cyber-security firms and the 15 Department of Health and Human Services’ Office for Civil Rights (“HHS”). (See Id ¶ 80– 16 82.) But the Amended Complaint does not explain with which of the many standards listed 17 Magellan failed to comply. (Id.) Plaintiffs’ Amended Complaint also does not specify of 18 which standards Magellan should have been or was aware. (Id.) In addition, Plaintiffs’ 19 allegations do not explain whether Magellan’s data security systems were better or worse 20 than the standards articulated in the Amended Complaint. As written, the Amended 21 Complaint could be read to assert that Magellan’s data security systems did not follow the 22 standards outlined by private cyber-security firms or HHS because Magellan’s data 23 security systems were better. Thus, it is unclear what standard determines a security system 24 is inadequate and which parts, if any, of Magellan’s data security systems were below 25 industry standards. 26 Even if everything Plaintiffs allege is true, there are plausible explanations beyond 27 the existence of an inadequate data security system that account for Magellan’s second data 28 breach in a year. Alleging that a system was inadequate because a negative result occurred 1 is conclusory, and Plaintiffs’ claim that Magellan’s system fell below an ill-defined 2 standard is conclusory. The Court is permitted to disregard conclusory allegations. And so, 3 the Court finds that Plaintiffs fail to properly allege that Magellan’s data security was 4 inadequate. 5 Without Plaintiffs properly alleging that Magellan’s systems were inadequate, there 6 is no way to establish on the pleadings that Magellan was enriched, that Plaintiffs were 7 impoverished, or that there was a connection between the enrichment and impoverishment. 8 Thus, Plaintiffs fail to state a claim for unjust enrichment and will be granted leave to 9 amend. 10 D. Implied Contract 11 Contracts consist of an offer, acceptance, consideration, and intent by the parties to 12 be bound by the contract. Day v. LSI Corp., 174 F. Supp. 3d 1130, 1153 (D. Ariz. 2016), 13 aff’d, 705 F. App’x 539 (9th Cir. 2017). Contracts can be implied in law and in fact. Barmat 14 v. John & Jane Doe Partners A-D, 155 Ariz. 519, 521–522 (1987). Implied in fact contracts 15 are enforceable contracts, but, unlike express contracts, implied in fact contracts are created 16 by “conduct rather than words [to convey] the necessary assent and undertakings.” Barmat, 17 155 Ariz. at 521 (quoting 1 A. Corbin, Corbin on Contracts § 18, at 39 (1963)). Plaintiffs 18 allege that Magellan has violated the terms of the parties’ implied contracts established by 19 Magellan’s privacy policy. (Doc. 30 ¶¶ 52–53.) In addition to the express statements in the 20 privacy policy, Plaintiffs allege that the implied contracts also incorporated Magellan’s 21 HIPAA obligations. (Id. ¶¶ 51–53.) At bottom, Plaintiffs and Magellan disagree over two 22 issues: (1) Did Plaintiffs sufficiently allege the terms of the implied in fact contracts? (2) 23 Did Plaintiffs adequately allege consideration in the implied in fact contracts? 24 1. Terms of the Implied Contracts 25 In a breach of contract claim, the plaintiff must demonstrate that the breach caused 26 an injury. Thomas v. Montelucia Villas, LLC, 232 Ariz. 92, 96 (2013). A calculation of 27 damages cannot be speculative. See Cole v. Atkins, 69 Ariz. 81, 86 (1949) (holding a party 28 cannot recover “for speculative or remote damages”); e.g. Lindsey v. Univ. of Arizona, 157 1 Ariz. 48, 54 (App. 1987) (holding employee social reputation damages are too speculative). 2 Contract terms cannot be vaguely pleaded. Even at the motion to dismiss stage, courts 3 cannot be left to “guess” how a party failed to perform their contractual obligations. Kuhns 4 v. Scottrade, Inc., 868 F.3d 711, 718 (8th Cir. 2017). 5 Plaintiffs allege that Magellan failed to uphold its bargain when it did not “properly 6 monitor the computer network and systems” containing Plaintiffs’ PII or PHI. (Id. ¶ 23.) 7 This failure to provide adequate data security violated the implied contracts and caused the 8 data breach. (Id. ¶¶ 24, 156–162.) Because Magellan violated the implied contracts, 9 Plaintiffs allege their PII and PHI fell into “the hands of data thieves and [is] available on 10 the dark web.” (Id.) And this caused their injuries and damages to occur. (Id. ¶ 25–26; 11 see Id. ¶ 163.) 12 Magellan argues Plaintiffs do not sufficiently allege the terms of the implied 13 contracts. (Doc. 33 at 9; Doc. 35 at 6–7.) Magellan believes the privacy policy does not 14 establish any implied contracts and only applies to the use of its website. (Doc. 35 at 7.) 15 Furthermore, even if implied contracts were formed, Magellan asserts Plaintiffs do not 16 sufficiently allege what Magellan specifically promised to do to protect against cyber- 17 attacks. (Doc. 33 at 9.) 18 Plaintiffs counter that they do allege implied contracts with specific terms. 19 (See generally, Doc. 34 at 9–11.) Plaintiffs believe that their health care services fees or 20 labor “were inextricably linked” with the surrender of PII or PHI. (Id. at 9.) Thus, “the 21 parties manifested a joint understanding that Plaintiffs’ PII and PHI would be reasonably 22 safeguarded by Defendant and only disclosed to authorized parties.” (Id.) 23 Plaintiffs allege that Magellan’s privacy policy posted on its website established 24 terms for a promise to protect their PII and PHI beyond the requirements of HIPPA. 25 (See Doc. 30 ¶¶ 52–53, 154–155.) But Plaintiffs allege no facts concerning the applicability 26 or scope of Magellan’s privacy policy beyond the allegations that it applies and that 27 Magellan implemented data security below industry standards in violation of it. On a 28 motion to dismiss, the Court must assume Plaintiffs’ factual allegations are true, but the 1 Court has no obligation to consider conclusory or nonexistent allegations. Plaintiffs fail to 2 allege specific terms of the implied contracts: when and to what extent did the contract 3 apply? Without more, Plaintiffs’ argument boils down to the same argument in their unjust 4 enrichment claims. Because there was a data breach, Magellan’s data security must have 5 been inadequate, which is a breach of the implied contracts. And, because Magellan did 6 not conform to an unclear standard of data security, Magellan must have breached the 7 implied contracts. As with their unjust enrichment claims, Plaintiffs’ allegations are 8 conclusory. Thus, Plaintiffs fail to state a claim. 9 2. Consideration 10 Normally, courts do not examine the adequacy of the parties’ consideration. Carroll 11 v. Lee, 148 Ariz. 10, 13–14 (1986). It is, however, well established that “a promise to 12 perform a pre-existing duty is insufficient consideration.” Hisel v. Upchurch, 797 F. Supp. 13 1509, 1521 (D. Ariz. 1992) (citing Restatement (Second) of Contracts § 73 (1981)). 14 See, e.g., In re Banner Health, 2017 WL 6763548, at *3. Thus, courts will examine the 15 existence, rather than the adequacy, of consideration. See, e.g., id. 16 Some courts maintain that the receipt of PII or PHI implies assent to protect that 17 information. E.g. Castillo v. Seagate Technology, LLC, No. 16-CV-01958-RS, 2016 WL 18 9280242 at *9 (N.D. Cal. Sept. 14, 2016). Other courts hold that privacy policies must 19 promise to do more than that which is legally mandated to establish consideration. For 20 example, In re Banner Health considered language in a privacy policy similar to the 21 language in Magellan’s privacy policy. See In re Banner Health, 2017 WL 6763548, at *4 22 (“Banner is committed to protecting the confidentiality of information about you, and is 23 required by law to do so . . . .”). The court held, “this language could arguably be read as a 24 promise to keep patient information confidential,” but “it cannot be read as a promise to do 25 anything above and beyond what is already required by law.” Id. The court ruled that the 26 defendant “was already under a preexisting legal duty to protect [p]laintiff’s information.” 27 Id. Thus, without a promise beyond that legal duty, the court found that no implied contract 28 was formed because there was no consideration. See id. (citing Hisel, 797 F. Supp. at 1521). 1 Plaintiffs allege Magellan’s privacy policy promised data security beyond the level 2 Magellan was legally required to supply as consideration for implied contracts with 3 Plaintiffs. (Doc. 30 ¶¶ 52–53, 157.) Specifically, they allege that Magellan “expressly 4 promised Plaintiffs . . . that it would only disclose PII or PHI under certain circumstances, 5 none of which,” applied to the data breach. (Id. ¶ 154.) They also allege Magellan 6 “promised to comply with industry standards and to make sure Plaintiffs’ . . . PII and PHI 7 would remain protected.” (Id. ¶ 155.) Finally, Plaintiffs allege that they had a reasonable 8 belief that Magellan’s “data security practices complied with relevant laws and regulations 9 and were consistent with industry standards.” (Id. ¶ 159.) 10 Magellan argues there was no consideration because Magellan’s only promise was 11 to do something which it was already legally obligated to do, and such promises do not 12 constitute consideration. (Doc. 33 at 10; Doc. 35 at 6–7.) Plaintiffs disagree. They believe 13 Magellan’s request for privacy information was an exchange of promises. (Doc. 34 at 10.) 14 They assert Plaintiffs who were members and paid for health care services exchanged fees 15 and data for health care services and data security. (Id.) Plaintiffs who were employed by 16 or contracted with Magellan exchanged labor and data for financial compensation and data 17 security. (Id.) Finally, they believe Magellan’s privacy policy established implied in fact 18 contracts that promised a level of data security beyond Magellan’s legal requirements. 19 (Id. at 10–11.) 20 Plaintiffs here fail to allege consideration because they did not allege that Magellan 21 promised to act beyond the existing HIPPA mandates. Magellan’s privacy policy 22 statements—“your personal privacy is important to us” and “Magellan uses physical, 23 technical, and administrative safeguards to protect any personally identifiable data stored 24 on its computers. Only authorized employees and third parties have access to the 25 information you provide to Magellan for providing service to you”—are like the statements 26 in In re Banner Health. They do not suggest any promise beyond Magellan’s legal 27 obligations. Thus, without more, there is no consideration between Plaintiffs and Magellan. 28 Plaintiffs therefore fail to state a claim for breach of implied contract. 1 E. Rule 9(b) 2 Plaintiffs allege that Magellan’s actions violated its privacy policy because 3 Magellan knew or should have known its data security was inadequate. (Doc. 30 ¶¶ 52–53, 4 183.) Plaintiffs also allege that Magellan committed active fraud, fraud-by-omission, or 5 both by concealing material facts about its data security. (Id. ¶¶ 52–53, 181, 183.) 6 Additionally, Plaintiffs allege the privacy policy applies to their PII or PHI because they 7 were required to surrender their information to either receive health care services or to 8 work for Magellan. (Id. ¶53.) Because Magellan violated its privacy policy, according to 9 Plaintiffs, they assert claims under the AzCFA and the consumer protection laws of the 10 states in which they live. (Id. ¶ 28.) 11 “It is established law, in this circuit and elsewhere, that Rule 9(b)’s particularity 12 requirement applies to state-law causes of action.” Vess v. Ciba-Geigy Corp. USA, 317 13 F.3d 1097, 1103 (9th Cir. 2003); e.g. Lorona v. Arizona Summit L. Sch., LLC, 188 F. Supp. 14 3d 927, 935 (D. Ariz. 2016) (applying Rule 9(b) to the AzCFA). When “alleging fraud or 15 mistake, Federal Rule of Civil Procedure 9(b) requires a party to state with particularity 16 the circumstances constituting fraud including the who, what, when, where and how of the 17 misconduct charged.” Loomis v. U.S. Bank Home Mortg., 912 F. Supp. 2d 848, 856 18 (D. Ariz. 2012) (internal quotation marks omitted). “In addition, the plaintiff must set forth 19 what is false or misleading about a statement.” Id. 20 Magellan argues that Rule 9(b) applies to these claims and that these allegations 21 lack the required specificity because Plaintiffs fail to articulate the “who, what, when, 22 where, and how” of the data breach. (Doc. 33 at 12–14; Doc. 35 at 8–9.) Magellan asserts 23 that Plaintiffs do not articulate where the misrepresentations took place, when these actions 24 happened, what statements were misrepresentations, and how the statements were a 25 misrepresentation. (Id.) Plaintiffs maintain Rule 9(b) does not apply to their consumer 26 protection claims, and, even if it did, they adequately articulated the who, Magellan; what, 27 misrepresentations about their data security system; where, in Magellan’s privacy policy; 28 when, during the class period; and how, failing to protect Plaintiffs’ sensitive information 1 as promised in the privacy policy. (Doc. 34 at 14.) 2 The Court addresses whether Plaintiffs’ AzCFA, California Unfair Competition 3 Law (“UCL”), Florida Unfair and Deceptive Trade Practices Act (“DUTPA”), Missouri 4 Merchandising Practices Act (“MoMPA”), Pennsylvania Unfair Trade Practices and 5 Consumer Protection Law (“CPL”), and Wisconsin Deceptive Trade Practices Act 6 (“DTPA”) claims satisfy Rule 9(b) in turn. 7 1. AzCFA 8 All Plaintiffs assert an AzCFA claim. When filing an AzCFA claim, “a plaintiff in 9 a fraud-by-omission suit faces a slightly more relaxed burden, due to the fraud-by-omission 10 plaintiff’s inherent inability to specify the time, place, and specific content of an omission 11 in quite as precise a manner.” In re Arizona Theranos, Inc., Litig., 256 F. Supp. 3d 1009, 12 1023 (D. Ariz. 2017), on reconsideration in part, No. 2:16-CV-2138-HRH, 2017 WL 13 4337340 (D. Ariz. Sept. 29, 2017). Thus, courts still apply Rule 9(b) to AzCFA claims, but 14 relax the burden by not requiring Plaintiffs to articulate the time, place, and specific content 15 of an omission precisely. E.g. Lorona, 188 F. Supp. 3d at 935. 16 Regardless of the type of fraud alleged, Plaintiffs’ AzCFA claims fail because even 17 when applying the lower standard articulated in Theranos, they fail to adequately articulate 18 the “how” of the data breach. Plaintiffs’ argument that Magellan’s data security was 19 inadequate simply because there was a data breach is the same argument they made for 20 unjust enrichment. And, as with Plaintiffs’ unjust enrichment claims, this Court holds the 21 argument that a system was inadequate because a negative result occurred is conclusory. 22 Plaintiffs fail to specify how Magellan’s security was inadequate. Thus, Plaintiffs fail to 23 state an AzCFA claim and shall be given leave to amend. 24 2. Californica UCL 25 Rule 9(b) apples to claims asserted under the California UCL. See, e.g., In re Google 26 Android Consumer Priv. Litig., No. 11-MD-02264 JSW, 2013 WL 1283236 at *9 (N.D. 27 Cal. Mar. 26, 2013). As with his AzCFA claim, Ranson’s UCL claim fails because he has 28 not explained with any specificity how Magellan’s data security was inadequate beyond 1 pointing to the fact that a security breach happened. That is a conclusory allegation. And 2 so, Ranson fails to state a California UCL claim and shall be given leave to amend. 3 3. Florida DUTPA 4 There is a district split about whether Rule 9(b) applies to the Florida DUTPA. But, 5 generally, “where the gravamen of the claim sounds in fraud . . . Rule 9(b) applies.” 6 See State Farm Mut. Auto. Ins. Co. v. Performance Orthopaedics & Neurosurgery, LLC, 7 278 F. Supp. 3d 1307, 1328 (S.D. Fla. 2017); see, e.g., In re Monat Hair Care Prod. Mktg., 8 Sales Pracs., & Prod. Liab. Litig., No. 18-MD-02841, 2019 WL 5423457, at *7 n.11 (S.D. 9 Fla. Oct. 23, 2019) (applying Rule 9(b) “where such claims sound in fraud”). Here, the 10 Court finds this case “sounds in fraud” because Plaintiffs’ argument is that Magellan 11 portended it would furnish a level of data security far greater than it actually did. Thus, the 12 Court applies Rule 9(b). As with his AzCFA claim, Lewis’ Florida claim fails because he 13 has not explained with any specificity how Magellan’s data security was inadequate 14 beyond pointing to the fact that a security breach happened. That is a conclusory allegation. 15 Thus, Lewis fails to state a Florida DUTPA claim and shall be given leave to amend. 16 4. MoMPA 17 Griffey’s MoMPA claims are subject to Rule 9(b) because this case sounds in fraud. 18 See Kuhns v. Scottrade, Inc., 868 F.3d 711, 719 (8th Cir. 2017) (applying Rule 9(b) to 19 MoMPA claims that sound in fraud). Griffey’s MoMPA claim fails because he has not 20 explained with any specificity how Magellan’s data security was inadequate beyond 21 pointing to the fact that a security breach happened. That is a conclusory allegation. And 22 so, Griffey fails to state an MoMPA claim and shall be given leave to amend. 23 5. Pennsylvania CPL 24 Plaintiff Domingo’s Pennsylvania CPL claim is subject to Rule 9(b). See Schmidt v. 25 Ford Motor Co., 972 F. Supp. 2d 712, 720 (E.D. Pa. 2013). As with his AzCFA claim, 26 Domingo’s Pennsylvania claim fails because he has not explained with any specificity how 27 Magellan’s data security was inadequate beyond pointing to the fact that a security breach 28 happened. That is a conclusory allegation. Thus, Domingo fails to state a Pennsylvania 1 CPL claim and shall be given leave to amend. 2 6. Wisconsin DTPA 3 Rule 9(b) applies to the Wisconsin DTPA. See Murillo v. Kohl’s Corp., 197 F. Supp. 4 3d 1119, 1129–1130 (E.D. Wis. 2016). As with his AzCFA claim, Rivera’s Wisconsin 5 claim fails because he has not explained with any specificity how Magellan’s data security 6 was inadequate beyond pointing to the fact that a security breach happened. That is a 7 conclusory allegation. Rivera fails to state a Wisconsin DTPA claim and shall be given 8 leave to amend. 9 F. NYGBL § 349 Material Misrepresentation or Omission 10 Under New York law, “[d]eceptive acts or practices in the conduct of any business, 11 trade or commerce or in the furnishing of any service” are unlawful. N.Y. Gen. Bus. Law 12 § 349. A cause of action under § 349 has three elements: “(1) defendant’s deceptive acts 13 were directed at consumers, (2) the acts are misleading in a material way, and (3) the 14 plaintiff has been injured as a result.” Dixon v. Ford Motor Co., No. 14-CV-6135 JMA 15 ARL, 2015 WL 6437612, at *7 (E.D.N.Y. Sept. 30, 2015) (citing Maurizio v. Goldsmith, 16 230 F.3d 518, 521 (2d Cir. 2000) (per curiam)). “Whether a representation or an omission, 17 the deceptive practice must be ‘likely to mislead a reasonable consumer acting reasonably 18 under the circumstances.’” Id. (citing Stutman v. Chem. Bank, 95 N.Y.2d 24, 29 (2000)). 19 Plaintiff Leather alleges that Magellan misrepresented material facts about its data 20 security practices in its privacy policy, leading to the disclosure of her personal 21 information. (Doc. 30 ¶¶ 221–229.) Specifically, Leather alleges the privacy policy listed 22 several promises that Magellan did not keep when protecting her personal information. 23 (Id. ¶¶ 221–225.) She also alleges this conduct was unconscionable, unfair, and was the 24 direct and proximate cause of her data being stolen. (Id. ¶¶ 226–227.) Thus, she seeks relief 25 under NYGBL § 349. (Id. ¶¶ 228–229.) 26 New York courts apply different standards based on the language in a privacy 27 policy. One court granted a motion to dismiss based on whether a claim was adequately 28 alleged under § 349. Abdale v. N. Shore Long Island Jewish Health Sys., Inc., 19 N.Y.S.3d 1 850, 859 (N.Y. Sup. Ct. 2015). In Abdale, the privacy policy “guarantee[d]” that 2 unauthorized third parties would not have access to the plaintiffs’ personal information. Id. 3 By contrast, Magellan’s privacy policy does not explicitly “guarantee” protection from 4 third parties. (Doc. 30 ¶ 52.) Despite “guaranteeing” protection, the Abdale court held that 5 the privacy policy statements “[did] not constitute an unlimited guaranty that patient 6 information could not be stolen or . . . hacked.” Abdale, 19 N.Y.S.3d at 859. Thus, the 7 “[d]efendants’ alleged failure to safeguard [the] plaintiffs’ [PHI] and [PII] from theft did 8 not [mislead] the plaintiffs in any material way and [did] not constitute a deceptive practice 9 within the meaning of the statute.” Id. at 859–860. 10 The court in Fero did not apply the same standard as Abdale on a similar motion to 11 dismiss. Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 776 (W.D.N.Y. 2017), 12 on reconsideration, 304 F. Supp. 3d 333 (W.D.N.Y. 2018), order clarified, 502 F. Supp. 13 3d 724 (W.D.N.Y. 2020), and order clarified, 502 F. Supp. 3d 724 (W.D.N.Y. 2020). The 14 privacy policy in Fero stated that defendants would comply with the requirements of 15 relevant federal and state laws pertaining to the privacy and security of New York class 16 members’ personal information. Id. at 776–777. Because at least one other district court 17 had previously stated nearly identical language was sufficient to support an NYGBL § 349 18 allegation, Fero declined to dismiss the claims. Id. at 777. The court did so because it 19 believed applying Abdale when a company’s privacy policy had stronger language resulted 20 in “thinly-reasoned” and unpersuasive judicial opinions. Id. The court reached this 21 conclusion, in part, because “whether a particular act or practice is deceptive is usually a 22 question of fact” as the privacy policy becomes stronger. Id. at 777 (citing Quinn v. 23 Walgreen Co., 958 F. Supp. 2d 533, 543 (S.D.N.Y. 2013)). 24 Magellan argues Leather’s allegations are conclusory because she fails to identify 25 the specific misrepresentations Magellan made and the additional disclosures Magellan 26 should have made. (Doc. 33 at 14; Doc. 35 at 9.) Magellan also argues that, even if Leather 27 properly alleged her claim, it still fails under the standard articulated in Abdale. 28 (Doc. 33 at 14; Doc. 35 at 9.) Although Leather believes the Court should apply Fero, 1 Magellan maintains that this Court should apply the standard in Abdale because the facts 2 in this case more closely align with the facts in Abdale. (Doc. 35 at 9.) Leather disagrees 3 and insists that the Court should follow Fero because it is plausible that the representations 4 made on Magellan’s website could be interpreted as more akin to the statements in Fero. 5 Thus, Magellan’s privacy policy could have led her to believe that Magellan provided more 6 data security than it did. 7 Even if the privacy policy applies to Magellan’s data security measures for its health 8 care plans, Abdale is more closely aligned with the facts in this case. Here, Leather did not 9 allege that Magellan’s privacy policy made statements as strong as the statements in Fero. 10 (See Doc. 30 ¶ 52.) Indeed, Leather never alleges that Magellan “guaranteed” anything. Id. 11 Like in Abdale, Magellan’s privacy policy does not amount to an unlimited guaranty 12 protecting PII and PHI from data breaches. Leather alleges that the policy was inadequate 13 and did not comply with New York state law. (Doc. 30 ¶ 221.) But Leather fails to offer 14 an explanation as to how or why Magellan’s policy was misleading, noncompliant, or 15 inadequate; such accusations are conclusory. Thus, Leather fails to state an NYGBL § 349 16 claim and shall be given leave to amend. 17 G. Virginia Code § 18.2-186.6 Unreasonable Delay 18 Data breaches involving personal information must be disclosed to the Virginia 19 Attorney General and any affected Virginia Resident without unreasonable delay. Va. Code 20 Ann. § 18.2-186.6. Whether a delay was reasonable requires courts to look beyond the 21 length of the delay and consider the facts alleged. See Razuki v. Caliber Home Loans, Inc., 22 No. 17CV1718-LAB (WVG), 2018 WL 6018361, at *2 (S.D. Cal. Nov. 15, 2018) 23 (applying a California law with similar language and holding notice delayed by five months 24 was reasonable). 25 Plaintiff Flanders alleges Magellan’s disclosure of the data breach was untimely, 26 thus establishing a claim under Va. Code § 18.2-186.6. (Doc. 30 ¶¶ 245–253.) Flanders 27 seeks actual damages, injunctive relief, and attorneys fees. (Doc. 30 ¶ 253.) Magellan 28 argues the delay between the breach and notice was less than a month which is not an 1 unreasonable delay. (Doc. 33 at 16; Doc. 34 at 11.) There is no case law directly on point, 2 but Magellan points to Razuki where the court examined a similar statute and held that a 3 five-month delay was reasonable. (Doc. 33 at 16; Doc. 34 at 11.) It stands to reason that a 4 one-month delay would be reasonable under Razuki. Plaintiff counters that whether the 5 delay was reasonable is a question of fact not suited for a motion to dismiss and that 6 anything beyond immediate notice may be unreasonable. (Doc. 34 at 16.) 7 Flanders presents no facts to indicate there was an unreasonable delay. Flanders was 8 given notice within a month of the data breach. After a similar data breach and interpreting 9 a similar California law, the court in Razuki firmly held that a five-month delay was 10 reasonable. The Court does not adopt Razuiki’s five-month rule. But the Court does 11 conclude that written notice delayed less than a month in data breach cases the size and 12 scope of Magellan’s data breach here is reasonable. Because Magellan’s notice was 13 reasonable, Plaintiff Flanders fails to state a claim, and it is unlikely that this claim can be 14 cured by amendment. Nonetheless, because the Court is giving Plaintiff leave to amend 15 other counts, and because of this Circuit’s liberal amendment policy, the Court will permit 16 Plaintiff Flanders leave to amend this claim. 17 H. California Consumer Protection Act 18 California law establishes a cause of action for consumers whose personal 19 information is stolen in a data breach “as a result of the business’s violation of the duty to 20 implement and maintain reasonable security procedures and practices appropriate to the 21 nature of the information to protect the personal information.” Cal. Civ. Code 22 § 1798.150(a)(1). Consumers can recover “actual pecuniary damages” or statutory 23 damages. Cal. Civ. Code § 1798.150(a)–(b). 24 Plaintiff Ranson alleges that Magellan violated its duty under California law to 25 protect his information and that Magellan’s violation caused his personal information to be 26 stolen. (Doc. 30 ¶¶ 198–208.) Specifically, he alleges that Magellan failed to prevent the 27 data breach and should have known their data security system was inadequate. (Id. ¶ 203.) 28 As a result, he alleges lost money or property and seeks actual pecuniary and statutory 1 damages. (Id. ¶ 205–208.) 2 Magellan argues Ranson’s allegations fail to establish damages. (Doc. 33 at 17; 3 Doc. 35 at 11.) Ranson’s allegations are not “actual pecuniary damages” because Ranson 4 never alleges that he ever paid any out-of-pocket expenses. (Doc. 35 at 11.) Ranson 5 counters that, even if Magellan is right, he need not show he suffered actual loss because 6 statutory damages are available. (Doc. 34 at 17.) Magellan responds that Ranson has not 7 complied with the California Consumer Protection Act notice requirement and thus is not 8 entitled to statutory damages. (Doc. 35 at 11.) 9 Ranson did not allege sufficient facts to establish how or why Magellan’s systems 10 were inadequate or unreasonable or how or why Magellan knew or should have known its 11 systems were inadequate or unreasonable. Instead, Ranson relies on the same conclusory 12 allegations found elsewhere in the Amended Complaint. That is, because there was a 13 breach, Magellan’s data security was inadequate. This argument is insufficient to survive 14 Magellan’s motion to dismiss. Thus, Ranson fails to state a claim and shall be given leave 15 to amend. 16 Even if Ranson adequately alleged Magellan had a deficient data security system, 17 he insufficiently alleges damages. First, Ranson alleges no out-of-pocket expenses. Thus, 18 his case does not present any “actual pecuniary damages.” Indeed, by his own admission, 19 Ranson’s claims only qualify for statutory damages. (See Doc. 34 at 17.) Second, although 20 Ranson argues his claim can survive Magellan’s motion to dismiss because he is eligible 21 for statutory damages, the Amended Complaint clearly states Ranson has not sought 22 statutory damages at this time. (Doc. 30 ¶ 207.) And so, Ranson fails to state a claim and 23 shall be given leave to amend. 24 I. Alternative Reasons to Dismiss 25 In the alternative to these arguments, the Court finds a number of claims should be 26 dismissed for failure to state a claim with leave to amend for the following reasons: 27 1. “Sale” of “Merchandise” under the AzCFA or the MoMPA 28 Arizona and Missouri law create a private right of action when there is a fraudulent 1 sale of merchandise or services. See Davis v. Bank of Am. Corp., No. CV 12-01059-PHX- 2 NVW, 2012 WL 3637903, at *4–5 (D. Ariz. Aug. 23, 2012) (citing the AzCFA); Kuhns, 3 868 F.3d at 718–719 (citing the MoMPA). Both states’ statutory schemes define a “sale” 4 as a sale for consideration. A.R.S. § 44-1521(7); Mo. Ann. Stat. § 407.010(6). Both state 5 codes maintain “objects, wares, goods, commodities, intangibles, real estate or services” 6 are “merchandise.” A.R.S. § 44-1521(5); Mo. Ann. Stat. § 407.010(4). 7 Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders worked for, but did not 8 receive health care services from, Magellan or one of Magellan’s affiliates or subsidiaries 9 as employees or contractors. (Doc. 30 ¶¶ 1–4, 8–11.) These Plaintiffs were required to 10 disclose personal information when working for Magellan or one of Magellan’s affiliates 11 or subsidiaries. (Doc. 30 ¶¶ 63–64.) Plaintiffs Griffey, Rayam, Domingo, Ranson, and 12 Flanders allege the exchange of information and labor for financial compensation and data 13 security constituted a “sale” of “merchandise” under the AzCFA and MoMPA. 14 (Doc. 30 ¶¶ 177–186, 209–219.) Plaintiff Williams also asserts an AzCFA claim as a 15 former employee or contractor, but unlike Griffey, Rayam, Domingo, Ranson, and 16 Flanders, she received health care services from Magellan or one of Magellan’s affiliates 17 or subsidiaries. (Doc. 30 ¶¶ 6–7; Doc. 34 at 16.) 18 Magellan argues that employees and contractors do not qualify under either the 19 AzCFA or MoMPA because neither relationship constitutes “merchandise.” 20 (Doc. 33 at 16; Doc. 35 at 10.) Additionally, Magellan argues that the AzCFA and MoMPA 21 are intended to be applied in merchant-consumer transactions and that Plaintiffs Griffey, 22 Rayam, Domingo, Ranson, and Flanders transactions with Magellan were not merchant- 23 consumer transactions. (Doc. 33 at 16; Doc. 35 at 10.) Plaintiffs do not contest these 24 assertions in their response. (Doc. 34 at 16.) 25 Magellan also argues that Williams’ health care services were merely incidental to 26 the work she did for Magellan. (Doc. 35 at 10.) Magellan claims that Williams’ services 27 were not provided “in the connection with the sale . . . of any merchandise.” (Id.) As a 28 result, it believes the AzCFA does not apply to her claims. (Id.) Williams argues this 1 distinction is immaterial; she was “a member of a health care plan serviced by Magellan” 2 and the AzCFA applies. 3 Arizona and Missouri require a consumer-merchant relationship to apply the 4 AzCFA or the MoMPA. See A.R.S. § 44-1522 (AzCFA applies when acts are taken “in 5 connection with the sale or advertisement of any merchandise.”); Mo. Ann. Stat. § 407.020 6 (MoMPA applies when acts are taken “in connection with the sale or advertisement of any 7 merchandise in trade or commerce.”); Powers v. Guar. RV, Inc., 229 Ariz. 555, 561 8 (Ct. App. 2012) (“The [A]CFA is designed to root out and eliminate unlawful practices in 9 merchant-consumer transactions.” (alterations omitted)); Berry v. Volkswagen Grp. of Am., 10 Inc., 397 S.W.3d 425, 439 (Mo. 2013) (“[T]he fundamental purpose of the [MoMPA] . . . is 11 the protection of consumers from false, fraudulent and deceptive merchandising practices.” 12 (quotations omitted)). 13 Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders did not have a 14 consumer-merchant relationship with Magellan or Magellan’s affiliates or subsidiaries 15 because they were not the target of a sale or advertisement of health care services or data 16 security. Any data security Magellan provided was incidental to their employment. 17 Similarly, Williams’ health care services were incidental to her employment and do not 18 implicate the merchant-consumer relationship contemplated by the AzCFA. And so, the 19 AzCFA and MoMPA do not apply to Plaintiffs Griffey, Rayam, Domingo, Ranson, 20 Flanders, and Williams. Thus, they fail to state a claim, however, because the Court is 21 giving Plaintiffs leave to amend other counts, and because of this Circuit’s liberal 22 amendment policy, the Court will permit Plaintiffs Griffey, Rayam, Domingo, Ranson, 23 Flanders, and Williams leave to amend this claim. 24 2. Extraterritoriality 25 Many of the non-Arizona consumer protection causes of action Plaintiffs allege rely 26 on laws that do not apply extraterritorially. That is, these laws require that liability-creating 27 conduct occurs within the state. See, e.g., Terpin v. AT&T Mobility, LLC, 399 F. Supp. 3d 28 1035, 1047 (C.D. Cal. 2019) (maintaining the UCL only applies when liability-creating 1 conduct occurs in California); Eli Lilly & Co. v. Tyco Integrated Sec., LLC., No. 13-80371- 2 CIV, 2015 WL 11251732, at *4 (S.D. Fla. Feb. 10, 2015) (holding the Florida DUTPA 3 only applies to actions that occur within Florida, but the actions need not occur exclusively 4 in Florida); State ex rel. Nixon v. Estes, 108 S.W.3d 795, 800–01 (Mo. Ct. App. 2003) 5 (“[T]he trade or commerce [must] originate or occur in or from the state of Missouri.” 6 (citations omitted)); Goshen v. Mut. Life Ins. Co. of New York, 98 N.Y.2d 314, 325 (2002) 7 (“[T]o qualify as a prohibited act under the statute, the deception of a consumer must occur 8 in New York.”); T&M Farms v. CNH Indus. Am., LLC, 488 F. Supp. 3d 756, 763 (E.D. 9 Wis. 2020) (“[T]he Wisconsin DTPA does not apply unless a person makes a deceptive 10 representation that is likely to reach and induce action by a purchaser in Wisconsin.”). 11 Plaintiffs Ranson, Lewis, Griffey, Leather, and Rivera live in California, Florida, 12 Missouri, New York, and Wisconsin respectively. (Doc. 30 ¶¶ 1, 5, 8–10, 12, 14.) Each 13 brings a consumer protection claim based on the law of their state. (See Id. ¶¶ 187, 209, 14 220, 254, 275.) They allege Magellan’s computer systems are likely based in Arizona. 15 (Doc. 30 ¶ 18.) Aside from suffering their alleged injuries in their domicile state, they do 16 not allege that any other conduct occurred outside of Arizona. (See generally id.) 17 Magellan contends that the determinative issue is where the liability-creating 18 conduct occurs. (Doc. 35 at 9.) Magellan then highlights that Plaintiffs allege all relevant 19 conduct likely occurred in Arizona. (Doc. 33 at 15.) Thus, Magellan reasons, because each 20 of these statutes only apply when liability-creating conduct occurs inside the respective 21 state, all five claims should be dismissed. (Id.) Magellan also asserts that discovery is not 22 necessary because Plaintiffs fail to allege that any liability-creating conduct occurred 23 outside of Arizona. (Doc. 35 at 10.) 24 Plaintiffs argue that the determinative issue is whether a plaintiff suffers in-state 25 harm. (Doc. 34 at 15.) Because Plaintiffs allege they live in California, Florida, Missouri, 26 New York, and Wisconsin and suffered injuries while living in those states, they believe 27 they have stated a claim. (Id.) In the alternative, Plaintiffs argue that no discovery has taken 28 place to determine where the wrongful conduct occurred. 1 The Court must assume that all nonconclusory allegations made by the Plaintiffs are 2 true at the motion to dismiss stage, but the Court cannot assume facts that are not alleged. 3 Alleging that some liability-creating conduct likely occurred in Arizona is not the same as 4 alleging that conduct occurred or likely occurred in California, Florida, Missouri, New 5 York, or Wisconsin. Aside from the fact that they are residents of these five states, Plaintiffs 6 allege no facts in the Amended Complaint as to whether any liability-creating conduct 7 occurred outside of Arizona. For example, Plaintiff Ranson may have a California claim 8 that applies extraterritorially. But Plaintiffs did not plead any facts describing liability 9 creating conduct that occurred in California. For California UCL, Florida DUTPA, 10 Missouri MPA, NYGBL § 349, and Wisconsin DTPA claims, alleging that any injury 11 occurred in a state is not sufficient to state a claim. Thus, Plaintiffs Ranson, Lewis, Griffey, 12 Leather, and Rivera fail to state a claim under their respective state’s consumer protection 13 laws and shall be given leave to amend. 14 J. Leave to Amend 15 Federal Rule of Civil Procedure 15(a) provides that leave to amend should be freely 16 granted “when justice so requires.” Fed. R. Civ. P. 15(a)(2). “The power to grant leave to 17 amend . . . is entrusted to the discretion of the district court, which ‘determines the 18 propriety of a motion to amend by ascertaining the presence of any of four factors: bad 19 faith, undue delay, prejudice to the opposing party, and/or futility.’” Serra v. Lappin, 600 20 F.3d 1191, 1200 (9th Cir. 2010) (quotation omitted). District courts properly deny leave to 21 amend if the proposed amendment would be futile or the amended complaint would be 22 subject to dismissal. Saul v. United States, 928 F.2d 829, 843 (9th Cir. 1991). “[A] 23 proposed amendment is futile only if no set of facts can be proved under the amendment 24 to the pleadings that would constitute a valid and sufficient claim.” Miller v. Rykoff-Sexton, 25 Inc., 845 F.2d 209, 214 (9th Cir. 1988). 26 Plaintiffs’ negligence per se claim is dismissed with prejudice because negligence 27 per se is not an individual claim which Plaintiffs may assert. The negligence per se 28 arguments should be subsumed in Plaintiffs’ generalized negligence claims. Thus, 1 Plaintiffs are still permitted to argue negligence per se as a legal theory should they choose 2 to refile a negligence claim. 3 Plaintiffs’ negligence, unjust enrichment, implied contract, and consumer protection 4 causes of action suffer from a similar, non-futile flaw: they have not pleaded necessary 5 facts to establish a cause of action. The negligence claim sufficiently alleges causation but 6 fails to articulate a cognizable injury upon which relief can be granted. The unjust 7 enrichment, implied contract, and consumer protection claims do not articulate enough 8 facts to establish how Magellan’s data security measures were inadequate or below 9 industry standards. Simply arguing that because there were two data breaches in a year, the 10 system must have been inadequate is not enough. Admittedly, how a second amended 11 complaint could remedy Plaintiff Flanders’ Va. Code Ann. § 18.2-186.6 claim and 12 Plaintiffs Griffey, Rayam, Domingo, Ranson, and Flanders’ AzCFA and MoMPA claims 13 is unclear. But, the Court grants leave to amend those claims. And so, because each of these 14 claims could, presumably, be remedied in an amended complaint, it would be inappropriate 15 to simply dismiss with prejudice at this time. Thus, leave to amend shall be granted on the 16 negligence, unjust enrichment, implied contract, and consumer protection claims. That 17 being said, Plaintiffs and their attorneys are reminded of their obligations under Rule 11, 18 Fed. R. Civ. P., and elsewhere that claims asserted in a second amended complaint must 19 be “warranted by existing law or by a nonfrivolous argument for extending, modifying, or 20 reversing existing law or for establishing new law.” Rule 11(b)(2). 21 V. CONCLUSION 22 Accordingly, 23 IT IS ORDERED granting Magellan’s Motion to Dismiss (Doc. 33). Magellan’s 24 Motion as to all claims is granted for failure to state a claim, with leave to amend, with the 25 exception of Plaintiffs’ negligence per se claims which are dismissed with prejudice. 26 IT IS FURTHER ORDERED that Plaintiffs shall file a Second Amended 27 Complaint, if they so choose, no later than 14 days after this Order is filed. 28 1 IT IS FURTHER ORDERED that, if Plaintiffs fail to file an amended complaint 2|| within 14 days of the date of this Order, the Clerk of the Court shall enter judgment || dismissing this entire case with prejudice. 4 Dated this 27th day of September, 2021. 5 ° Wichal T. Hburde Michael T. Liburdi 8 United States District Judge 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

- 33 -