IN THE UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF TEXAS DALLAS DIVISION
RONNYE HAWKINS, et al., § § Plaintiffs, § § v. § Civil Action No. 3:24-CV-01545-N § SCOUT ENERGY MANAGEMENT, § LLC, § § Defendant. §
MEMORANDUM OPINION AND ORDER
This Order addresses Defendant Scout Energy Management, LLC’s (“Scout”) motion to dismiss [29]. First, the Court holds that Plaintiffs have standing to bring all their claims except the declaratory and injunctive relief claim. Then, for the reasons below, the Court grants the motion to dismiss as to the unjust enrichment claim and denies the motion to dismiss as to the breach of implied contract and negligence claims. The Court defers ruling on the negligence per se and California Consumer Privacy Act claims until a ruling on class certification. I. ORIGINS OF THE MOTION Scout is an investment company in the energy industry.1 Pls.’ Am. Compl. ¶ 20 [24]. On January 10, 2024, Scout was the target of a cybersecurity attack. Id. ¶ 26. In that attack, an unauthorized actor gained access to Scout’s security systems and accessed
1 For the purposes of this motion, the Court accepts the truth of all well-pleaded facts in the complaint. Scout’s investment customers’ personal identifying information (“PII”), including their names and Social Security numbers. Id. ¶¶ 26–27, 91; see also Def.’s Mot. Dismiss, Ex. A [29-1]. The hacker retained access to Scout’s systems until April 2, 2024. Pls.’ Am.
Compl. ¶ 26. After Scout became aware of the data breach, Scout took steps to secure the network and investigate the nature and scope of the breach and discovered that approximately 51,031 of its customers were victims of the breach. Id. ¶ 28. Scout notified its customers of the data breach on June 14, 2024. Id. ¶ 30. Plaintiffs are a putative class of Scout customers whose PII was accessed during the
data breach. Id. ¶¶ 3, 8–15, 90–106. They allege that the hacker likely stole their PII during the data breach and then sold their PII on the dark web.2 Id. ¶¶ 29, 54, 69, 86. Plaintiffs allege that they have already experienced phishing attempts by telephone and through email. Id. ¶ 98. Named Plaintiffs include Ronnye Hawkins, Doyle McGraw, Teresa Williams, and
Stephen Vaught. Id. ¶¶ 8–15. All Named Plaintiffs allege that they received notices that their PII, including their names and Social Security numbers, had been improperly accessed or obtained by unauthorized third parties. Id. ¶¶ 109, 116, 128, 136. Additionally, Hawkins alleges that he received an alert in June 2024 that an unauthorized person attempted to open a bank account in his name. Id. ¶ 109. Moreover, all Named Plaintiffs plead that that they
2 “The dark web is an area of the internet accessible only by using an encryption tool. It provides anonymity and privacy online, and perhaps consequently, frequently attracts those with criminal intentions.” United States v. Schultz, 88 F.4th 1141, 1142 n.1 (5th Cir. 2023) (citing Gareth Owen & Nick Savage, The Tor Dark Net, Global Commission on Internet Governance, Paper Series No. 20, 1 (2015)). have spent multiple hours, and anticipate spending additional time, on efforts to react to and protect themselves from harm resulting from the data breach. Id. ¶¶ 110–11, 114, 119, 123, 125, 129–30, 133, 137–38, 141.
Named Plaintiffs bring this action on behalf of themselves and on behalf of all other persons similarly situated in a proposed Nationwide Class and California Subclass. Id. ¶¶ 142–43. The claims on behalf of Named Plaintiffs and the Nationwide Class include (1) negligence, (2) negligence per se, (3) breach of implied contract, (4) unjust enrichment, and (5) declaratory and injunctive relief. Id. ¶¶ 155–214, 224–33. Moreover, Vaught and
the California Subclass bring a claim for violation of the California Consumer Privacy Act, CAL. CIV. CODE § 1798.150(a) (“CCPA”). Id. ¶¶ 215–23. Scout brings this motion to dismiss, arguing first that Plaintiffs lack standing to bring the claims and second that the Court should dismiss all the claims because Plaintiffs fail to state any claim upon which relief can be granted. See generally Def.’s Mot.
Dismiss [29]. II. LEGAL STANDARDS Rule 12(b)(1) Standard Under the United States Constitution, a federal court may decide only actual “cases” or “controversies.” U.S. CONST. art. III, § 2. A court properly dismisses a case where it
lacks the constitutional power to decide it. Home Builders Ass’n of Miss., Inc. v. City of Madison, 143 F.3d 1006, 1010 (5th Cir. 1998). “The justiciability doctrines of standing, mootness, political question, and ripeness all originate in Article III’s ‘case’ or ‘controversy’ language.” Choice Inc. of Tex. v. Greenstein, 691 F.3d 710, 715 (5th Cir. 2012) (internal quotation marks omitted) (quoting Daimler Chrysler Corp. v. Cuno, 547 U.S. 332, 352 (2006)). “Standing and ripeness are required elements of subject matter jurisdiction and are therefore properly challenged on a Federal Rule of Civil Procedure
12(b)(1) motion to dismiss.” Roman Cath. Diocese v. Sebelius, 927 F. Supp. 2d 406, 415– 16 (N.D. Tex. 2013) (citing Xerox Corp. v. Genmoora Corp., 888 F.2d 345, 350 (5th Cir. 1989) and Western Geco L.L.C. v. Ion Geophysical Corp., 776 F. Supp. 2d 342, 350 (S.D. Tex. 2011)). The standing requirement has three elements: (1) injury in fact, (2) causation, and
(3) redressability. See Bennett v. Spear, 520 U.S. 154, 167 (1997). The injury cannot be merely “conjectural or hypothetical.” Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009). Causation requires that the injury “fairly can be traced to the challenged action of the defendant” rather than to “the independent action of some third party not before the court.” Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 41–42 (1976). And redressability
requires that it is likely, “as opposed to merely ‘speculative,’ that the injury will be ‘redressed by a favorable decision.’” Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992) (quoting Simon, 426 U.S. at 38, 43). When “‘standing is challenged on the basis of the pleadings,’ [courts] must ‘accept as true all material allegations of the complaint and . . . construe the complaint in favor of the complaining party.’” Ass’n of Am. Physicians &
Surgeons, Inc. v. Tex. Med. Bd., 627 F.3d 547, 550 (5th Cir. 2010) (omission in original) (quoting Pennell v. City of San Jose, 485 U.S. 1, 7 (1988)). Rule 12(b)(6) Standard When deciding a Rule 12(b)(6) motion to dismiss, a court must determine whether the plaintiff has asserted a legally sufficient claim for relief. Blackburn v. City of Marshall,
42 F.3d 925, 931 (5th Cir. 1995). A viable complaint must include “enough facts to state a claim to relief that is plausible on its face.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). To meet this “facial plausibility” standard, a plaintiff must plead “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A court generally
accepts well-pleaded facts as true and construes the complaint in the light most favorable to the plaintiff. Gines v. D.R. Horton, Inc., 699 F.3d 812, 816 (5th Cir. 2012). But a plaintiff must provide “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555 (citations omitted). “Factual allegations must be enough to raise a right to relief above the speculative level . .
. on the assumption that all the allegations in the complaint are true (even if doubtful in fact).” Id. (citations omitted). In ruling on a Rule 12(b)(6) motion, a court generally limits its review to the face of the pleadings, accepting as true all well-pleaded facts and viewing them in the light most favorable to the plaintiff. See Spivey v. Robertson, 197 F.3d 772, 774 (5th Cir. 1999). However, a court may also consider documents outside of the pleadings if they fall within
certain limited categories. First, a “court is permitted . . . to rely on ‘documents incorporated into the complaint by reference, and matters of which a court may take judicial notice.’” Dorsey v. Portfolio Equities, Inc., 540 F.3d 333, 338 (5th Cir. 2008) (quoting Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322 (2007)). Second, a “written document that is attached to a complaint as an exhibit is considered part of the complaint and may be considered in a 12(b)(6) dismissal proceeding.” Ferrer v. Chevron Corp., 484
F.3d 776, 780 (5th Cir. 2007). Third, a “court may consider documents attached to a motion to dismiss that ‘are referred to in the plaintiff’s complaint and are central to the plaintiff’s claim.’” Sullivan v. Leor Energy, LLC, 600 F.3d 542, 546 (5th Cir. 2010) (quoting Scanlan v. Tex. A&M Univ., 343 F.3d 533, 536 (5th Cir. 2003)). Finally, in “deciding a 12(b)(6) motion to dismiss, a court may permissibly refer to matters of public
record.” Cinel v. Connick, 15 F.3d 1338, 1343 n.6 (5th Cir. 1994) (citation omitted); see also, e.g., Funk, 631 F.3d at 783 (stating, in upholding district court’s dismissal pursuant to Rule 12(b)(6), that the “district court took appropriate judicial notice of publicly-available documents and transcripts produced by the [Food and Drug Administration], which were matters of public record directly relevant to the issue at
hand”). III. THE COURT DETERMINES PLAINTIFFS HAVE STANDING Scout argues that Plaintiffs lack standing because they failed to plead facts sufficient to allege that they suffered a legally cognizable injury in fact. Def.’s Mot. Dismiss 4–13. In response, Plaintiffs assert that they have alleged concrete and particularized harms
through (1) a post-breach increase in phishing communications; (2) misuse of Hawkins’s PII in the form of an unauthorized person attempting to open a bank account in his name; (3) diminution in PII value; (4) the likely theft of their PII; (5) opportunity costs associated with mitigating exposure of PII; (6) emotional distress; (7) violations of their privacy rights; (8) loss of the benefit of the bargain; and (9) imminent risk of future harm. Pls.’ Resp. 4–13 [32]. Standard for Standing in Data Breach Cases
In Cabezas v. Mr. Cooper Group, Inc., 2025 WL 2053287, at *6 (N.D. Tex. 2025) (Godbey, C.J.), this Court adopted the factor test established by the Second Circuit in McMorris v. Carlos Lopez & Associates, 995 F.3d 295 (2d Cir. 2021) to determine whether an injury in the data breach context is sufficiently imminent for purposes of standing. The test looks at three non-exhaustive factors:
(1) Whether the data at issue was compromised “as the result of a targeted attack intended to obtain the plaintiffs’ data”; (2) Whether “at least some part of the compromised dataset has been misused — even if plaintiffs’ particular data . . . has not yet been affected”; and (3) Whether the data at issue “is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” McMorris, 995 F.3d at 301–02. The test does not require fulfillment of each factor, but rather uses these, along with other relevant factors, as guidance to show whether the plaintiff has shown an injury in fact sufficient for standing. Id. at 302 (“These factors are by no means the only ones relevant . . . [a]fter all, determining standing is an inherently fact-specific inquiry.”); see also Clemens v. ExecuPharm Inc., 48 F.4th 146, 154 (3d Cir. 2022) (“Of note, misuse is not necessarily required.”). The Second Circuit, building on the cases following McMorris, has also determined that exposure of PII “as a result of a targeted attempt by a third party to access the data set” is sufficient to show a concrete and imminent injury for the purposes of standing. Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 288–89 (2d Cir. 2023). The court in that case compared an exposure of PII by data breach to the Supreme Court’s ruling in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), where the Supreme Court “recognized that ‘disclosure of private information’ was an intangible harm ‘traditionally recognized as
providing a basis for lawsuits in American courts.’” Bohnak, 79 F.4th at 286 (quoting TransUnion, 594 U.S. at 425). “The Eleventh Circuit also relies on TransUnion to add the caveat that ‘mere risk of future harm, without more, does not give rise to Article III standing for recovery of damages, even if it might give rise to Article III standing for purposes of injunctive relief.’” Cabezas, 2025 WL 2053287, at *4 (quoting Green-
Cooper v. Brinker Int’l, Inc., 73 F.4th 883, 889 (11th Cir. 2023)). However, the Green- Cooper court did determine standing existed where plaintiffs’ pleading extended beyond mere risk of harm and alleged that their credit card and personal information was “exposed for theft and sale on the dark web.” Green-Cooper, 73 F.4th at 889. The Court Holds Plaintiffs Have Sufficiently Alleged an Injury in Fact
Phishing communications do not constitute an injury in fact. — First, Plaintiffs have alleged an increase in phishing attempts by telephone and through email. Pls.’ Am. Compl. ¶ 98. Courts have held that an allegation of an increase in spam phone calls or phishing communications is insufficient to establish an injury in fact. See, e.g., Cabezas, 2025 WL 2053287, at *5 (collecting cases); see also Legg v. Leaders Life Ins. Co., 574 F. Supp. 3d 985, 993 (W.D. Okla. 2021) (“But the receipt of phishing emails, while perhaps
‘consistent with’ data misuse, does not ‘plausibly suggest’ that any actual misuse of [PII] has occurred.”). The Court agrees with these rulings that spam and phishing communications alone are not enough to establish injury in fact. Plaintiffs have not established standing under theories of diminution of value or loss of benefit of the bargain. — The Court decides that the Plaintiffs’ claims of injury in fact based on a diminution in value of their PII and a lack of benefit of the bargain are
not persuasive. “Courts are divided on whether diminution of value of personal information constitutes a concrete harm.” Hulse v. Acadian Ambulance Serv. Inc., 2025 WL 1453847, at *8 (W.D. La. 2025). But “district courts in Texas have been more skeptical” than many other courts as to a diminution of value for PII claim. In re ESO Sols., Inc. Breach Litig., 2024 WL 4456703, at *7 (W.D. Tex. 2024).
Even if the Court decided that diminution of value is a concrete harm, because Plaintiffs fail to allege that they intended or attempted to sell their data and were forced to do so at a diminished price, the Court determines that they have not plausibly pled diminution of value. See In re ESO, 2024 WL 4456703, at *7 (rejecting diminution of value claim because even “if diminished PII was cognizable in the Fifth Circuit, Plaintiffs
do not plausibly show their PII has diminished in value. Plaintiffs fail to allege that they attempted to or would have ever sold their PII.”); Williams v. Bienville Orthopaedic Specialist, LLC, 737 F. Supp. 3d 411, 422 (S.D. Miss. 2024) (rejecting the same because there “is no allegation that any of the plaintiffs . . . intend to sell their private information.”). Likewise, Plaintiffs fail to plead a loss of benefit of the bargain because they do not
allege that they bargained for and paid for the protection of their PII. See id. (“There is no allegation that any of the plaintiffs paid a certain amount of money to [the company] in exchange for protection of their private information.”). At most, Plaintiffs have alleged that Scout promises to comply with industry standards related to data security and PII and comply with federal and state laws protecting consumer PII. Pls.’ Am. Compl. ¶¶ 22, 37– 49. “Benefit of the bargain theories for standing are disfavored in the data breach context.” Cabezas, 2025 WL 2053287, at *6 (collecting cases). “And even courts willing to entertain
this theory of standing consistently reject this theory in data breach cases where plaintiffs have not alleged that the value of the goods or services they purchased was diminished as a result of the data breach.” Podroykin v. Am. Armed Forces Mut. Aid Ass’n, 634 F. Supp. 3d 265, 272 (E.D. Va. 2022) (cleaned up). The Court determines that Plaintiffs have not sufficiently alleged either that data protection was part of the bargain for services with
Scout, or that they have lost any of services they bargained for under their contract with Scout. Therefore, both these theories are unavailing. Plaintiffs have sufficiently alleged an increased risk of future harm. — Next, the Court uses the McMorris test to analyze risk of imminent future harm for standing in
the data breach context. First, the Court determines that the PII at issue was compromised “as the result of a targeted attack intended to obtain the plaintiffs’ data.” McMorris, 995 F.3d at 301. Plaintiffs allege that the data breach was a “targeted cyberattack” in which the hacker gained access to “certain of Scout’s computer systems on which the [PII] was stored unencrypted in an internet accessible environment.” Pls.’ Am. Compl. ¶¶ 1, 26. Moreover,
each of the Named Plaintiffs allege that they received notices that their PII had been improperly accessed by the hacker. Id. ¶¶ 109, 116, 128, 136. Next, Plaintiffs have sufficiently alleged that “at least some part of the compromised dataset has been misused.” McMorris, 995 F.3d at 301. Hawkins alleges that due to the exposure of his data to third parties, “an unauthorized person attempted to open a bank account at Chase Bank in [his] name in June 2024.” Pls.’ Am. Compl. ¶ 94. Moreover, Plaintiffs allege that their PII was sold on the dark web following the data breach. Id. ¶ 29.
The Court concludes that these allegations are sufficient to allege that at least some portion of the data was misused. Finally, the Court decides that the particular data at issue, including Plaintiffs’ names and Social Security numbers, id. ¶ 27, is the type of data that is “likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” McMorris,
995 F.3d at 302. This is precisely the type of data contemplated by the court in McMorris. See id. (“Naturally, the dissemination of high-risk information such as Social Security numbers and dates of birth — especially when accompanied by victims’ names — makes it more likely that those victims will be subject to future identity theft or fraud.”). Because the Court concludes that all three McMorris factors weigh toward a
determination that Plaintiffs have shown an imminent risk of future harm, the Court holds that all Plaintiffs have standing based on the risk of future harm. Exposure of Plaintiffs’ data to a third-party and on the dark web does sufficiently constitute an injury in fact. — Additionally, Plaintiffs have established a present injury in their allegations of the sale or exposure of their PII to the dark web. All
Named Plaintiffs allege that their PII was improperly accessed or obtained by unauthorized third parties during the data breach. Pls.’ Am. Compl. ¶¶ 109, 116, 128, 136. Plaintiffs also allege that their PII was “stolen in the Data Breach, and subsequently sold on the dark web following the Data Breach, as that is the modus operandi of all cybercriminals performing this type of activity.” Id. ¶ 29. The Court decides Plaintiffs have sufficiently alleged that their PII was exposed to a third party and placed on the dark web. Therefore, following the theory of the Second Circuit in Bohnok, based on the Supreme Court’s ruling
in TransUnion, the Court holds that Plaintiffs also have standing based on the exposure of data to an unauthorized third party, similar to a claim for public disclosure of private facts. Plaintiffs have standing for mitigation costs and emotional distress. — As other courts have held, mitigation costs cannot themselves create standing. See Logan v. Marker
Grp., Inc., 2024 WL 3489208, at *6 (S.D. Tex. 2024) (holding that because the court determined “that the risk of future identity theft based on the data breach is not a concrete injury sufficient to confer standing, Plaintiffs’ . . . harms based on fear of that hypothetical future harm is also insufficient to establish standing.”); Perlaki v. J.B. Poindexter & Co., Inc., 2025 WL 754503, at *4 (S.D. Tex. 2025) (“To establish standing, [plaintiff’s] lost
time claim must bear a close relationship to some cognizable harm.”). However, where courts have already established a risk of future harm, emotional distress and mitigation costs, “when coupled with the risk of harm . . . is a concrete injury sufficient to confer standing.” Hulse, 2025 WL 1453847, at *8. The Court denies standing for the declaratory and injunctive relief sought by Plaintiffs because it is based on a speculative future harm not sufficiently imminent or substantial to be a concrete harm. — Finally, for the declaratory and injunctive relief
claim, Plaintiffs plead that “Scout’s existing security measures do not comply with its . . . contractual obligations and duties of care to provide reasonable security procedures and practices” and ask the Court to enjoin Scout to remedy the deficient security measures in order to protect its customers’ data from a future attack. Pls.’ Am. Compl. ¶¶ 225–30. While Plaintiffs have pled that Scout retains their data and have identified security
measures that could be improved, this claim for declaratory and injunctive relief is based entirely on the speculative risk of a second data breach. Courts have held that the future harm of a second cyberattack is too speculative and not sufficiently imminent to support an injury in fact. See Williams, 737 F. Supp. 3d at 426
(“Plaintiffs do not have standing to seek declaratory or injunctive relief because they have failed to allege facts ‘tending to show that a second data breach is currently impending or there is a substantial risk that one will occur.’” (quoting Hummel v. Teijin Auto. Techs., Inc., 2023 WL 6149050, at *14 (E.D. Mich. 2023))); Hulse, 2025 WL 1453847, at *9 (discussing the Third Circuit’s holding of the same and concluding that “Plaintiffs lack standing to seek injunctive relief based on the prospect of future cyberattacks”). The Court
therefore holds that Plaintiffs lack standing to seek declaratory and injunctive relief for the speculative future harm of a second cyberattack. Plaintiffs Sufficiently Allege Causation and Redressability Because Plaintiffs have sufficiently alleged an injury in fact, the Court turns to whether Plaintiffs have pled sufficient facts to establish that the injury is fairly traceable to
the data breach and whether the alleged injury would be redressed by a favorable decision. Scout argues that there is no correlation between Plaintiffs’ alleged injuries and the data breach. Def.’s Mot. Dismiss 6–7. The Court disagrees. Plaintiffs have sufficiently alleged that Scout failed to adequately prepare for a cyberattack and secure their PII. Pls.’ Am. Compl. ¶¶ 37–49. They further plead that Scout was subject to a cyberattack where
Plaintiffs’ PII was seized. Id. ¶¶ 26–27. This PII included their names and Social Security numbers. Id. ¶¶ 27, 91. Plaintiffs also allege this is exactly the information that identity thieves use for crimes including credit card, bank, and finance fraud. Id. ¶ 63. Courts have determined that “the plaintiff’s burden is relatively modest at the pleading stage of the litigation.” Williams, 737 F. Supp. 3d at 423 (citation and internal
quotation marks omitted). In data breach cases, the pleading standard for causation can be met where a plaintiff has pled “(1) the defendant failed to secure his private information, (2) its network was subsequently hacked, (3) the plaintiff’s private information was stolen by hackers, and (4) the plaintiff became the victim of [the pled injury in fact].” Id.; see also Merrell v. 1st Lake Props., Inc., 2023 WL 6316257, at *4 (E.D. La. 2023) (“Plaintiff has alleged that he does not recall receiving any other notices of data breach, and that his
PII was compromised because defendant failed to implement minimum safeguards. . . . At this stage, nothing further is required to establish traceability for constitutional purposes.”). The Court thus holds that Plaintiffs have adequately pled causation. Defendants do not argue that Plaintiffs have not established redressability. The Court determines that the alleged injury would be redressable via money damages.
IV. THE COURT GRANTS IN PART AND DENIES IN PART THE MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM Next, Scout moves to dismiss Plaintiffs’ remaining claims for failure to state a claim upon which relief can be granted. Def.’s Mot. Dismiss 13–24. The Court addresses each of the remaining claims in turn. The Court Denies the Motion as to the Breach of Implied Contract Claim Under Texas law, to state a claim for breach of contract, Plaintiffs must allege “(1) the existence of a valid contract; (2) performance or tendered performance by the plaintiff; (3) breach of the contract by the defendant; and (4) damages sustained by the
plaintiff as a result of the breach.” Smith Int’l, Inc. v. Egle Grp., LLC, 490 F.3d 380, 387 (5th Cir. 2007) (quoting Valero Mktg. & Supply Co. v. Kalama Int’l, L.L.C., 51 S.W.3d 345, 351 (Tex. App. — Houston [1st Dist.] 2001, no pet.)). The existence of a valid contract, whether express or implied, requires: “(1) an offer, (2) an acceptance, (3) a meeting of the minds, (4) each party’s consent to the terms, and (5) execution and delivery
of the contract with the intent that it be mutual and binding.” DeClaire v. G & B McIntosh Fam. Ltd. P’ship, 260 S.W.3d 34, 44 (Tex. App. — Houston [1st Dist.] 2008, no pet.); see Univ. Nat’l Bank v. Ernst & Whinney, 773 S.W.2d 707, 710 (Tex. App. — San Antonio 1989, no writ) (“The elements of a contract, express or implied, are identical.”). In an express contract, the parties usually state and agree to specific terms. Haws & Garrett
Gen. Contractors, Inc. v. Gorbett Bros. Welding Co., 480 S.W.2d 607, 609 (Tex. 1972). However, an implied contract arises when the parties’ conduct creates an inference of mutual intention to contract. Id. Plaintiffs assert that they “entered into implied contracts with [Scout] under which
[Scout] agreed to safeguard and protect such information and to timely and accurately notify Plaintiffs . . . that their information had been breached and compromised.” Pls.’ Am. Compl. ¶ 186. Specifically, Plaintiffs claim that in accepting Plaintiffs’ payment for services and accepting possession of their PII, Scout implicitly agreed to protect their PII. Id. ¶¶ 190–92. Plaintiffs plead that the implied promises include
(i) taking steps to ensure that any agents who are granted access to [PII] also protect the confidentiality of that data; (ii) restricting access to qualified and trained agents; (iii) designing and implementing appropriate retention policies to protect the information against criminal data breaches; (iv) applying or requiring proper encryption; (v) multifactor authentication for access; and (vi) other steps to protect against foreseeable data breaches.
Id. ¶ 193. Scout moves to dismiss the implied contract claim, arguing first that the pleadings do not support that a bargained-for agreement exists, and second that Plaintiffs’ allegations are vague and conclusory as to how Scout failed to perform. Def.’s Mot. Dismiss 16–18. Other courts that have addressed similar fact patterns have held that an implied contract is sufficiently alleged where the plaintiffs plead that an implied contract was created in the implied promise to protect PII when customers are required to provide PII as a condition of receiving defendant’s services. See, e.g., Hulse, 2025 WL 1453847, at *13 (“It is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other [PII] would not imply the recipient’s assent to protect the information sufficiently.” (quoting McFarlane v. Altice, USA, Inc., 524 F. Supp. 3d 264, 282 (S.D.N.Y. 2021))); In re Arby’s Rest. Grp. Inc. Litig., 2018 WL 2128441, at *16 (N.D. Ga. 2018) (denying motion to dismiss implied-in-fact contract claim because
“data security is at the core of the modern commercial transaction, as understood by both the consumers and retailers”). The Court thus holds Plaintiffs’ pleadings are sufficient to allege the existence of an implied contract to safeguard the PII. Moreover, the Court determines that Plaintiffs adequately identify which reasonable measures Scout should have taken to protect the PII. Plaintiffs point to several statutory
and industry standards setting forth the security measures that they allege Scout should have taken to protect the PII and prevent the data breach. Pls.’ Am. Compl. ¶¶ 37–49. Therefore, the Court denies Scout’s motion to dismiss the claim for breach of implied contract. The Court Denies the Motion as to the Negligence Claim
Under Texas law, a negligence claim requires (1) the existence of a duty; (2) a breach of that duty; and (3) damages proximately caused by the breach. W. Invs., Inc. v. Urena, 162 S.W.3d 547, 550 (Tex. 2005). Scout asserts that Plaintiffs did not adequately plead the duty or damages elements. Def.’s Mot. Dismiss 13–16. Plaintiffs plausibly allege a duty of care. — Scout first argues that Plaintiffs do
not sufficiently allege that Scout owes Plaintiffs a duty of care because there is no special relationship between a business and its customers to safeguard collected customer PII from criminal theft. Def.’s Mot. Dismiss 14. Plaintiffs have alleged that Scout has a duty to safeguard PII entrusted to it because improperly safeguarding data poses a foreseeable risk that could be avoided by the exercise of ordinary care. See Mendez v. Caterpillar, Inc., 2011 WL 6999659, at *10 (W.D. Tex. 2011) (“A duty arises when a person’s conduct poses a foreseeable risk to another that could be avoided by the exercise of ordinary care.”).
“In determining whether there is a duty, the court considers several factors, including the risk, foreseeability, and the likelihood of injury,” weighed against the social utility and cost to the defendant. Washington v. U.S. Dep’t of Hous. & Urban Dev., 953 F. Supp. 762, 773 (N.D. Tex. 1996). Plaintiffs allege that Scout “knew or should have
known” about the risk of a data breach as it “was put on notice of the substantial and foreseeable risk of harm from a data breach.” Pls.’ Am. Compl. ¶ 87; see also id. ¶¶ 33– 36. They also allege that Scout “failed to properly prepare for that risk” by failing “to properly implement basic security practices.” Id. ¶¶ 87, 42. For example, Plaintiffs allege that Scout failed to encrypt sensitive data, failed to monitor its system adequately, and
failed to train employees properly on handing PII. Id. ¶¶ 4, 50. Under Texas common law principles, the Court determines that Scout has a duty to safeguard PII it chooses to retain. In re ESO, 2024 WL 4456703, at *9–10; see In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 397 (E.D. Va. 2020) (analyzing Texas law and determining that where defendants implemented harmful storage of PII “without adequate safeguards to protect against hacking . . . the Texas Supreme Court would recognize a duty separate
and apart from the parties’ contractual relationship”). Plaintiffs plausibly allege damages, and the economic loss rule does not bar Plaintiffs’ negligence claim. — Finally, Scout argues that (1) Plaintiffs plead they suffered damages in a vague and conclusory fashion, and (2) the economic loss rule bars Plaintiffs’
negligence claim to the extent that they allege a loss arising from breach of express or implied contract. Def.’s Mot. Dismiss 14–16. First, the Court determines that Plaintiffs have sufficiently alleged that they suffered damages. They assert that as a result of the data breach, their PII has been sold or exposed
on the dark web, and they have suffered an increased risk of future harm. Pls.’ Am. Compl. ¶¶ 26, 29, 94, 109, 116, 128, 136. Next, the economic loss rule does not bar tort claims “when the duty allegedly breached is independent of the contractual undertaking and the harm suffered is not merely the economic loss of a contractual benefit.” Chapman Custom Homes, Inc. v. Dall.
Plumbing Co., 445 S.W.3d 716, 718 (Tex. 2014). When determining whether an action sounds in tort or contract such that the economic loss doctrine may preclude a particular tort claim, Texas courts “look to the source of the duty allegedly violated and the nature of the claimed loss.” El Paso Mktg., LP v. Wolf Hollow I, L.P., 383 S.W.3d 138, 143 (Tex. 2012). Here, the Court has determined that the duty to safeguard data does not arise
solely out of the implied contract, and the claimed loss extends beyond the economic losses of the benefits under the contract. Therefore, the Court holds that the economic loss rule does not bar the negligence claim at this stage. The Court Grants the Motion as to the Unjust Enrichment Claim Plaintiffs assert a claim for unjust enrichment. See Pls.’ Am. Compl. ¶¶ 200–14. First, Scout argues that Texas courts do not recognize unjust enrichment as an independent
cause of action. Def.’s Mot. Dismiss 19–20. Federal district courts have been inconsistent in their treatment of the issue of unjust enrichment. Compare Taylor v. Trevino, 569 F. Supp. 3d 414, 435 (N.D. Tex. 2021) (stating that unjust enrichment is not an independent cause of action), with Banion v. Geovera Specialty Ins. Co., 2016 WL 7242536, at *3 (S.D. Tex. 2016) (“Texas courts recognize unjust enrichment as an independent cause of
action.”). Further, some Texas Supreme Court caselaw suggests that plaintiffs may bring claims for unjust enrichment. See Elledge v. Friberg-Cooper Water Supply Corp., 240 S.W.3d 869, 870–71 (Tex. 2007) (“Unjust enrichment claims are governed by the two-year statute of limitations.”). Because Scout does not conclusively establish that Texas does not permit unjust enrichment, it has not demonstrated that Plaintiffs have failed to state a claim
on this basis. Next, Scout argues that Plaintiffs fail to allege that Scout “obtained a benefit from Plaintiffs by fraud, duress, or the taking of an undue advantage,” as necessary to state a claim for unjust enrichment. Def.’s Mot. Dismiss 20; Sullivan v. Leor Energy, LLC, 600 F.3d 542, 550 (5th Cir. 2010) (“A plaintiff may recover under an unjust enrichment theory ‘when one person has obtained a benefit from another by fraud, duress, or the taking of an
undue advantage.’” (quoting Heldenfels Bros. v. City of Corpus Christi, 832 S.W.2d 39, 41 (Tex. 1992))). Plaintiffs plead that Scout “funds its data security measures entirely from its general revenue,” and that Scout should have used a portion of Plaintiffs’ payments to Scout “for data security measures to secure” their PII. Pls.’ Am. Compl. ¶¶ 202–06. Moreover,
Plaintiffs allege that Scout “enriched itself by saving the costs it reasonably should have expended on data security measures” and avoided “its data security obligations at the expense of Plaintiffs . . . by utilizing cheaper, ineffective security measures.” Id. ¶ 207. However, these pleadings fail to connect how such a purported benefit was obtained by fraud, duress, or taking of an undue advantage. These pleadings do not support that
Plaintiffs ever paid Scout for the specific purpose of data security, and because no money was paid for the particular purpose, there is no reasonable interpretation of the facts that plausibly supports that money was obtained fraudulently as though for data security and then used instead for some advantage to Scout. See Cabezas, 2025 WL 2053287, at *12. Because the Court determines that the elements of unjust enrichment are not met,
the Court dismisses this claim. V. THE COURT DEFERS JUDGMENT ON THE NEGLIGENCE PER SE AND CCPA CLAIMS Scout also seeks dismissal of Plaintiffs’ negligence per se and CCPA claims. See Def.’s Mot. Dismiss 15–16, 22–24. The Court defers judgment on both claims. First, unlike Plaintiffs’ other common law claims, the law governing negligence per se varies significantly between states. See, e.g., Cabezas, 2025 WL 2053287, at *12. Accordingly, because a law other than Texas law may apply, and because the law
governing negligence per se varies between states, the Court defers judgment on the negligence per se claim until choice-of-law analysis is completed at the class certification stage. Second, Vaught and the California Subclass bring a CCPA claim against Scout. Pls.” Am. Compl. {| 215—23. Class certification is a logical antecedent to the analysis of the CCPA claim, which derives from the subclass within the larger class. Accordingly, the Court also defers judgment on the CCPA claim until the class certification stage. CONCLUSION
As an initial matter, the Court determines that Plaintiffs have standing to bring all the claims except the declaratory and injunctive relief claim and thus grants the motion to dismiss as to that claim. Then, the Court holds that Plaintiffs have alleged sufficient facts to state a claim for their breach of implied contract and negligence claims and denies the motion to dismiss as to those claims. Next, the Court decides that Plaintiffs have not alleged facts sufficient to state a claim for unjust enrichment and grants the motion as to that claim. Because Plaintiffs did not seek leave to amend their complaint, and amendment would be futile, the Court dismisses the declaratory and injunctive relief and unjust enrichment claims with prejudice. Finally, the Court defers judgment on the negligence per se and state law claims until the class certification stage. Signed August 5, 2025. / ;
Chief United States District Judg
MEMORANDUM OPINION AND ORDER — PAGE 22