IN RE WAWA, INC. DATA SECURITY LITIGATION

• Court: District Court, E.D. Pennsylvania
• Decided: May 6, 2021
• Docket: 2:19-cv-06019
• Status: Unknown

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA : CIVIL ACTION

IN RE WAWA, INC. This document applies to the DATA SECURITY LITIGATION : Financial Institution Track.

No. 19-6019 : and all related cases. MEMORANDUM PRATTER, J. May 6, 2021 Wawa, Inc., which operates a chain of convenience stores and gas stations throughout the eastern United States, experienced a data security incident in March 2019, when hackers accessed Wawa’s point-of-sale systems and installed malware that targeted in-store payment terminals and gas station fuel dispensers. The hackers obtained customer payment card information over the next several months. This information was later made available for purchase on the “dark web.” Wawa disclosed the data breach in December 2019. Lawsuits followed. This Court’s case management plan created three distinct tracks for the litigation: the Consumer Track, the Employee Track, and the Financial Institution Track. This Memorandum addresses the Financial Institution Track. The Financial Institution Track Plaintiffs (“Institutions”) assert three causes of action, all of which arise from alleged losses from the data breach related to notifying customers of potential fraud, investigating claims of fraudulent activity on customer accounts, and canceling and reissuing customer payment cards. Wawa moves to dismiss all three causes of action. For the reasons that follow, the Court will grant in part and deny in part Wawa’s motion.

BACKGROUND In March 2019, hackers breached Wawa’s point-of-sale systems and installed malware on payment terminals and fuel dispensers, which enabled them to steal customer payment card data for the next nine months. Doc. No. 128 (Am. Compl.) 2. This data was later posted for sale on the “dark web.” Jd. 43. Wawa publicly acknowledged the data breach in late December 2019. Id. 45. The Institutions initially were Inspire Federal Credit Union, Insight Credit Union, and the Greater Cincinnati Credit Union. They filed a consolidated amended class action complaint pursuant to the Class Action Fairness Act of 2004, 28 U.S.C. § 1332(d), alleging that at least one class member is of diverse citizenship from Wawa, there are more than 100 potential class members, and the aggregate amount in controversy exceeds $5 million.| Am. Compl. § 14. In their Amended Complaint, the Institutions bring suit on behalf of financial institutions who allegedly sustained financial losses as a result of the Wawa data security breach, including reimbursing payment card account holders for fraudulent or unauthorized charges, canceling and reissuing cards, and investigating and monitoring the compromised accounts. Jd. J 6. The Institutions state that “financial institutions and credit card processing companies have issued rules and standards governing the basic measures and protections that merchants must take to ensure consumers’ valuable data is protected.” Jd. 425. Thus, they argue that Wawa had a duty to reasonably comply with these requirements and safeguard payment card data. Jd. J 27, 46. Moreover, the Institutions allege that Wawa was on notice regarding potential security vulnerabilities in its point-of-sale systems and the risk that payment card information could be

1 These credit unions are based in Pennsylvania, Florida, and Ohio, respectively. Am. Compl. {§ 7- Wid. Institutions allege that the estimated cost just to reissue compromised cards is over $10 million. Id.

improperly accessed because other stores across the United States had previously experienced high-profile data breaches, and Visa had alerted merchants about potential vulnerabilities. Id. 28-32. Consequently, the Institutions argue that Wawa’s deficient security measures and vulnerable point-of-sale systems led to a data breach that went undetected for almost nine months. Id. 35, 41. The Institutions bring claims for negligence (Count I), negligence per se (Count II), and declaratory and injunctive relief (Count III). Jd. 4 78-103. LEGAL STANDARD A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) tests the legal sufficiency of acomplaint. It requires a court to assess whether a complaint has “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is plausible when its factual allegations are “enough to raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555-56. “The Third Circuit instructs the reviewing court to conduct a two-part analysis. First, any legal conclusions are separated from the well-pleaded factual allegations and disregarded. Second, the court determines whether the facts alleged establish a plausible claim for relief.” Satterfield v. Gov't Ins. Employees Co., No. 20-cv-1400, 2020 WL 7229763, at *1 (E.D. Pa. Dec. 8, 2020) (citing Fowler v. UPMC Shadyside, 578 F.3d 203, 210-11 (3d Cir. 2009)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Jgbal, 556 U.S. at 678. DISCUSSION Wawa asks the Court to dismiss all three counts in the Institutions’ Amended Complaint for failure to state a claim upon which relief can be granted under Rule 12(b)(6). As to negligence,

Wawa argues that the parties are bound by contract and that the economic loss doctrine bars recovery in tort because no duty independent of contract exists. As to negligence per se, Wawa asserts that Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a), which these plaintiffs invoke for their Count II, does not provide for a private cause of action, and the Institutions do not qualify as consumers, the group of people that the FTC Act was designed to protect. Lastly, regarding declaratory and injunctive relief, Wawa contends that this claim should be dismissed because it duplicates the Institutions’ negligence claims. The Court addresses each claim in turn. I. Negligence Wawa argues that the Institutions’ negligence claim is barred by the economic loss doctrine. This doctrine holds that, in most circumstances, tort liability is not available for purely economic losses suffered by a business when it has already ordered its affairs with other entities by contract. Wawa states that so-called “Payment Card Rules” set forth the rights and responsibilities of payment card network participants, including card issuers, like the Institutions, and merchants, like Wawa. Accordingly, Wawa claims all members of these financial networks agree to be bound by these rules, thus thwarting a negligence suit. A. Admissibility of the Payment Card Rules The parties dispute whether the Court can consider these rules. Wawa refers to them in its motion and also attaches several exhibits from Visa and Mastercard. In general, “a district court ruling on a motion to dismiss may not consider matters extraneous to the pleadings.” Jn re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1426 Gd Cir. 1997). But an exception to this general rule exists for documents that are integral to, or directly mentioned in, a plaintiff's complaint. The Third Circuit Court of Appeals has explained that this “integral documents

exception” exists because it is “not unfair to hold a plaintiff accountable for the contents of documents it must have used in framing its complaint, nor should a plaintiff be able to evade accountability for such documents simply by not attaching them to his complaint.” Schmidt v. Skolas, 770 F.3d 241, 250 (3d Cir. 2014). The Institutions argue that, at most, they make only a “cursory” reference to the existence of these Rules in their Amended Complaint and this is not enough to consider them incorporated by reference. Although the Amended Complaint does not refer to specific rules by name, it does mention (1) the requirement that card issuers reimburse cardholders for unauthorized charges and (2) “the rules and standards [issued by financial institutions and credit card processing companies] governing the basic measures and protections that merchants must take to ensure consumers’ valuable data is protected.” Am Compl. 6, 25, 46-50, 86-87. The Institutions do not allege a breach of contract in their Amended Complaint, nor do they mention the purported contracts that Wawa argues control the issues. But the Institutions do note that the Payment Card Industry Data Security Standard (PCI DSS), which is “the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data,” must be met. Jd. J] 46-50. The Court finds that the Institutions’ Amended Complaint makes more than a mere cursory reference to these Rules. Thus, the Court can consider the function these Rules serve.” Although the Court is cognizant of Wawa’s argument regarding the potential dispositive effect of these Payment Card Rules, now is not the time to address that full-blown argument. Rather, the Court finds that the Institutions have set forth a plausible negligence claim based on the argument that

2 The Third Circuit Court of Appeals has previously explained that rules, such as Visa’s Operating Regulations, “address virtually every aspect of the Visa payment system, and impose both general and specific requirements on participants in the network.” Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 165 (Gd Cir. 2008).

Wawa owed them an independent duty in light of recent Pennsylvania case law as described below, given that, as these plaintiffs correctly argue, “[a]t best, Wawa’s reference to such ‘contracts,’ even if properly considered at this procedural stage, raise fact issues which cannot be resolved” at this stage. B. The Economic Loss Doctrine Wawa argues that any losses resulting from the data breach raise a contractual issue. Therefore, Wawa claims that it cannot be held liable in tort for any alleged negligence arising from the breach because, under Pennsylvania law, the Institutions’ negligence claim is barred by the economic loss doctrine. Wawa emphasizes that the Payment Card Rules address a card issuer’s rights to recover costs following a data security breach. Wawa relies on the Seventh Circuit Court of Appeals’ decision in. Community Bank of Trenton v. Schnuck Markets, Inc. where that court explained that the contracts governing card networks “provide a cost recovery process that allows issuing banks to seek reimbursement for at least some . . . losses” sustained from a data breach. 887 F.3d 803, 809 (7th Cir. 2018). Wawa also highlights that that court declined to recognize any other supplemental liability besides what was provided for by contract in that case. Jd. at 814-15. The Institutions maintain that separate from any contract, Wawa owed them a common law duty to exercise reasonable care and that it breached that duty by failing to utilize proper security protocols that would have adequately protected sensitive payment card information. Am. Compl. { 79-81. They argue that by affirmatively choosing to accept payment cards, Wawa assumed a common law duty to safeguard any data gleaned from those transactions from the foreseeable harm that would result in the event of a breach. Because such a “duty arises by operation of law and independently of” any contract, the Institutions contend that the economic loss doctrine does not apply and their negligence claim should be allowed to proceed. The Institutions also assert that

Wawa owed them an independent duty to use reasonable care in safeguarding payment card data. Id. They argue that this independent duty was recognized by the Pennsylvania Supreme Court in Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), a case addressed in greater detail below, even though there was contractual privity between the parties in that case vis-a-vis their employment relationship. Wawa disagrees. It points to the Third Circuit Court of Appeals’ decision in Sovereign Bank, in which the appellate court affirmed the dismissal of a financial institution’s negligence claim against a retailer, for failure to protect cardholder data, because “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damages.” 533 F.3d at 175 (quoting Adams v. Copper Beach Townhome Communities, L.P., 816 A.2d 301, 305 (Pa. Super. 2003)). The court held that the economic loss doctrine barred the financial institution’s tort claim. Jd. at 175-77. The economic loss doctrine provides “that tort law is not intended to compensate parties for losses suffered as a result of a breach of duties assumed only by agreement. To recover in negligence there must be a showing of harm above and beyond disappointed expectations evolving solely from a prior agreement.” Chand v. Merck & Co., No. 19-cv-0286, 2019 WL 3387056, at *5 (E.D. Pa. July 26, 2019) (quoting Gongloff Contracting, L.L.C. v. L. Robert Kimball & Assocs., Architects & Engineers, Inc., 119 A.3d 1070, 1074 (Pa. Super. 2015)). In Dittman, employees alleged that their employer had failed to implement adequate security measures on its computer systems which led to their personal information being improperly accessed. 196 A.3d at 1046-48. The employees alleged that this failure was a violation of their employer’s common law duty to exercise reasonable care to protect their information from disclosure. Jd. at 1039. The Pennsylvania Supreme Court agreed, holding that the employer had

breached its common law duty to act with reasonable care in collecting and storing its employees’ personal and financial information. Jd. at 1056. It noted that “under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.” Jd. at 1038. The duty to maintain and protect sensitive data with reasonable care “exists independently from any contractual obligations between the parties.” Jd. at 1056. The Institutions have the stronger argument here on this point. First, Sovereign Bank (the case Wawa invokes) predated Dittman by a decade. In Sovereign Bank, the Court of Appeals explained that the Pennsylvania Supreme Court “never suggested that it intended to severely weaken or undermine the economic loss doctrine .... It simply carved out a narrow exception when losses result from the reliance on the advice of professionals.” 533 F.3d at 178 (citing Bilt- Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 286 (Pa. 2005)). However, later in Dittman, the Pennsylvania Supreme Court stated that it found “unpersuasive” the argument that Bilt-Rite “merely created a narrow exception to the otherwise broad economic loss doctrine,” instead explaining that “Pennsylvania permits recovery of purely economic losses in a variety of tort actions.” 196 A.3d at 1054. Furthermore, the Pennsylvania Supreme Court has recently explained that although Dittman may have been its “first opportunity to recognize” the duty to protect sensitive personal information “in the context of computer systems security,” “there is longstanding jurisprudence holding that ‘[i]n scenarios involving an actor’s affirmative conduct, he is generally “under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.”’”” Feleccia v. Lackawanna Coll., 215 A.3d 3, 14 (Pa. 2019)

(alteration in original) (quoting Dittman, 196 A.3d at 1046). Since the Feleccia decision, the Third Circuit Court of Appeals has underscored Dittman’s holding that the economic loss doctrine does not apply where “the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.” Duhring Res. Co. v. United States, 775 F. App’x 742, 747 (3d Cir. 2019) (quoting Dittman, 196 A.3d at 1038). In Schnuck Markets, the Seventh Circuit Court of Appeals affirmed the decision of the district court, finding that “neither Illinois nor Missouri [law] would recognize any of the plaintiff banks’ theories to supplement their contractual remedies for losses they suffered as a result of the Schnucks data breach.” 887 F.3d at 826. But that case concerned the economic loss doctrine under Illinois and Missouri law, not Pennsylvania law. The appellate court noted that the broad economic loss doctrine in those states meant that there was no “paradigmatic or doctrinal reason why either Illinois or Missouri would recognize a tort by the issuing banks in this case, where the claimed conduct and losses are subject to these networks of contracts.” Jd at 816. This differs from Pennsylvania law, especially post-Dittman, which instead focuses on the source of the duty alleged.? Thus, Schnuck Markets is inapplicable here, given the Pennsylvania Supreme Court’s holding in Dittman. The parties also disagree about the scope of the duty recognized in Dittman. Wawa argues that the Pennsylvania Supreme Court only found that employers have a common law duty to safeguard sensitive information that they affirmatively collect from their employees. On the other hand, the Institutions contend that the Dittman court focused on the employer’s acts of collecting sensitive information and storing it in an insecure manner, which created a foreseeable risk of harm—but not that this duty was limited to the context of employers and their employees.

3 Moreover, the Seventh Circuit Court of Appeals found that Illinois law did not recognize a common law duty to protect sensitive information. Schnuck Markets, 887 F.3d at 816.

The Court is not convinced at this time that Dittman is strictly limited to the employer- employee context. In fact, the concurring and dissenting opinion in Dittman urges that the scope of the majority’s holding was most likely not limited solely to the employer-employee context. Chief Justice Saylor, concurring in the judgment, explained that because “an employer who collects confidential personal and financial information from employees stands in such a special relationship to those employees with respect to that information,” he had “no difficulty concluding that such a relationship should give rise to a duty of reasonable care to ensure the maintenance of appropriate confidentiality as against reasonably foreseeable criminal activity.” Dittman, 196 A.3d at 1057 (Saylor, C.J., concurring in the judgment). Had the Dittman majority shared Chief Justice Saylor’s view that the duty to safeguard sensitive information was only applicable to an employer-employee relationship, then one could reason that he would not have written separately to address that exact point.* Instead, this Court is persuaded by the Institutions’ contention that Pennsylvania law, post- Dittman, imparts on companies an independent duty to reasonably secure their payment systems. Wawa argues that the Institutions cannot claim that it owed them an independent duty because their Amended Complaint refers to a set of rules and industry standards that companies must comply with when processing payment card transactions. However, the Institutions seek economic damages via their negligence claim based on their allegations that Wawa violated a duty to protect sensitive payment card information that was independent of any potential contractual relationship

4 Wawa points to a Western District of Pennsylvania case which held that the plaintiff's negligence claim was barred because the parties had “entered into a contract which included an express provision regarding the security services” the defendant was required to provide and how confidential member information was to be protected. See Bessemer Sys. Fed. Credit Union v. Fiserv Sols., LLC, 472 F. Supp. 3d 142, 161 (WD. Pa. 2020). The plaintiff in Bessemer agreed to waive its right to recover tort damages and remedies. Jd. at 156. That court found Dittman distinguishable because it involved an employer-employee relationship. Jd. at 161.

that existed. The Institutions have not asserted any claim for breach of contract. As explained above, their reference to industry security standards, at the motion to dismiss stage, is not enough for the Court to immediately discard their negligence claim based on the purported contracts and Payment Card Rules that Wawa attaches to its motion to dismiss. The next question is whether, assuming that a duty to safeguard information exists, the Institutions’ Amended Complaint adequately asserts facts to support a claim of negligence. A claim for negligence under Pennsylvania law requires proof of four elements: (1) a duty or obligation recognized by the law, requiring the actor to conform to a certain standard of conduct for the protection of others against unreasonable risks; (2) a failure to conform to the standard required; (3) a causal connection between the conduct and the resulting injury; and (4) actual loss or damage resulting in harm to the interests of another. Nw. Mut. Life Ins. Co. v. Babayan, 430 F.3d 121, 139 (3d Cir. 2005). Here, the Institutions have alleged the following: (1) Wawa had a fundamental common law duty to protect sensitive cardholder information; (2) Wawa failed to secure its payment system terminals and created a risk of foreseeable harm to the Institutions; (3) the Institutions received an alert from Visa and Mastercard identifying specific payment cards that were compromised in the Wawa data breach; and (4) the Institutions were forced to incur significant costs associated with mitigating the impact of the breach. Am. Compl. ff 27, 37, 41, 79-81, 88. Wawa contends that the Institutions cannot prove causation because there were numerous breaches at stores such as Neiman Marcus, Michaels, and many others that could have exposed the payment card information.? But accepting the Institutions’ allegations as true, as the Court

Wawa also takes issue with the Institutions’ allegation that Wawa owed them a duty of care “as a result of the special relationship that existed between Wawa and Plaintiffs and members of the class.” See Am. Compl. § 82. Pennsylvania courts have recognized that a plaintiff and defendant in a “special relationship” also represent an exception to the economic loss doctrine. Enslin v. The Coca-Cola Co., 136 F. Supp. 3d 654, 672 (E.D. Pa. 2015), aff'd, 739 F. App’x 91 (3d Cir. 2018). Such a relationship “generally involves a situation where by virtue of the respective strength and weakness of the parties, one has the

must at the motion to dismiss stage, they have sufficiently pled their claim for negligence. See In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1318 (N.D. Ga. 2019) (noting that plaintiffs need not demonstrate that “other breaches did not cause [their] injuries” because an allegation of harm “is sufficient at the pleading stage to establish that the Data Breach was the proximate cause of this harm”). Such factual disputes and potential causation issues are not properly resolved on a motion to dismiss. For the foregoing reasons, the Court finds that the Institutions have sufficiently pled a claim for negligence based on their allegations that Wawa’s affirmative conduct, in collecting payment card information and storing it in an insecure manner, created a risk of foreseeable harm from third parties and led to a data breach that proximately caused the Institutions’ alleged injuries. II. Negligence Per Se The Institutions also allege negligence per se, claiming that Wawa violated Section 5 of the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Am, Compl. fj 89-95. See 15 U.S.C. § 45(a)(1). In Pennsylvania, plaintiffs asserting a claim for negligence per se must demonstrate that: “‘1) the statute or regulation clearly applies to the conduct of the defendant; 2) the defendant violated the statute or regulation; 3) the violation of the statute proximately caused the plaintiff’s injuries; and 4) the statute’s purpose is, at least in part, to protect

power to take advantage of or exercise undue influence over the other.” Valley Forge Convention & Visitors Bureau v. Visitor’s Servs., Inc., 28 F. Supp. 2d 947, 952 (E.D. Pa. 1998). The relationship between Wawa and the Institutions does not fit these criteria. Such a relationship has typically only been found between an attorney and client, an elderly widow without a formal education and her sole business counselor, and a widow and her sons upon whom she relied to manage her property. Id. at 952-53. Suffice it to say, these relationships do not lead inexorably to contemplating Wawa and the Institutions as such.

the interest of the plaintiff individually, as opposed to the public.” Mest v. Cabot Corp., 449 F.3d 502, 518 (3d Cir. 2006). Here, the Institutions have alleged that (1) Section 5 of the FTC Act applies to Wawa’s conduct; (2) Wawa violated Section 5 by failing to secure sensitive card payment data; and (3) Wawa’s violations of Section 5, and its failure to secure this data, proximately caused the Institutions’ injuries. Am. Compl. {{ 55, 83, 90-95. They also alleged that the harm that occurred “is the type of harm the FTC Act was intended to guard against.” Jd. 4 94. But the Institutions’ negligence per se claim falters on the fourth factor—how Section 5’s purpose is to protect the Institutions individually as opposed to the general public. See Mest, 449 F.3d at 518 (noting that claim “must fail because the plaintiffs cannot demonstrate that the statute’s purpose is to protect the interest of the plaintiffs in particular as opposed to the general public”). However, the Institutions’ negligence per se claim is beset by a larger issue, namely that “under Pennsylvania law, ‘[n]egligence per se is not a separate cause of action, but is instead of theory of liability that supports a negligence claim.’” Sipp-Lipscomb y. Einstein Physicians Pennypack Pediatrics, No. 20-cv-1926, 2020 WL 7353105, at *3 (E.D. Pa. Dec. 9, 2020) (alteration in original) (quoting Simmons v. Simpson House, Inc., 224 F. Supp. 3d 406, 413 (E.D. Pa. 2016)). For this reason, “[w]here a plaintiff alleges negligence and negligence per se as separate causes of action, courts within the Third Circuit routinely dismiss the negligence per se claim as subsumed within the standard negligence claim.” Jn re Rutter’s Inc. Data Sec. Breach Litig., No. 20-cv-382, 2021 WL 29054, at *10 (M.D. Pa. Jan. 5, 2021) (listing cases). Typically, plaintiffs are granted leave to amend their complaint to incorporate their claim for negligence per se under a claim for general negligence. Jd Thus, because the Court finds that the Institutions

have sufficiently pled a claim for negligence, it will dismiss Count II of the Institutions’ Amended Complaint without prejudice. It is not lost on the Court that dismissal without prejudice of the Institutions’ negligence per se claim does not resolve the issue of whether they can in fact utilize Section 5 of the FTC Act as the basis for a negligence per se theory. Wawa argues that the Institutions’ negligence per se claim must be dismissed because the FTC Act does not provide a private right of action. Wawa contends that under Pennsylvania law, “if a statute does not provide for a private cause of action, a negligence per se claim based on that statute will not lie.” But the Court agrees with the approach taken by the court in Rutter’s. There, after dismissing the plaintiffs’ negligence per se claim while finding that their negligence claim could proceed, that court declined to “reach a decision on the viability” of an alternative theory of negligence at the motion to dismiss stage. Rutter’s, 2021 WL 29054, at *11. Instead, it noted that a motion for summary judgment or pre-trial motion practice would be a more appropriate vehicle “to analyze the applicability of the FTC Act as a predicate for a Pennsylvania negligence per se claim.” Jd. II. Declaratory and Injunctive Relief Lastly, the Institutions request both declaratory and injunctive relief. They allege that the Declaratory Judgment Act, 28 U.S.C. § 2201, authorizes the Court to enter a judgment declaring the rights and legal relations of the parties. Am. Compl. J] 96-99. They also seek injunctive relief requiring Wawa to employ adequate security protocols for its payment systems moving forward. Id. J§ 100-03. Wawa argues that the Institutions’ claim for a declaratory judgment must fail because it is duplicative of their negligence claims. “Courts generally decline granting declaratory relief when the claim for declaratory judgment is entirely duplicative of another claim in the cause of action.”

Butta v. GEICO Cas. Co., 400 F. Supp. 3d 225, 233 (E.D. Pa. 2019). In Smithkline Beecham Corporation v. Continental Insurance Company, the court dismissed the plaintiff's claims for declaratory judgment because they were duplicative of its claims for breach of contract. No. 04- ev-2252, 2004 WL 1773713, at *1 (E.D. Pa. Aug. 4, 2004) (“This raises the exact same issue to be decided in a declaratory judgment action, the purpose of which is to determine the respective rights and duties of the parties involved.”). The court noted that the plaintiff could be afforded full relief on its breach of contract claims and, thus, would suffer no prejudice from the dismissal of its declaratory judgment claims. /d. at *2. The Institutions respond by framing their claim for declaratory and injunctive relief as forward-looking because the relief they seek is to ensure that Wawa utilizes proper security measures in the future. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113, 1139 (N.D. Cal. 2018) (denying dismissal of “forward-looking” declaratory relief claim because it served a “distinct purpose” from the plaintiffs’ contract claims which sought retrospective relief for security breach). A dismissal of the Institutions’ claim for declaratory and injunctive relief at this stage would “curtail [the Court’s] broad equity powers to fashion the most complete relief possible,” and even though the Court “may ultimately agree [] that claims for injunctive relief are inappropriate, dismissal at this stage of the proceedings would be premature.” Jn re K-Dur Antitrust Litig., 338 F. Supp. 2d 517, 550 (D.N.J. 2004). Accordingly, the Court will deny Wawa’s motion to dismiss the Institutions’ claim for declaratory and injunctive relief.

CONCLUSION For the reasons set forth in this Memorandum, the Court grants in part and denies in part Wawa’s motion to dismiss. An appropriate order follows.

BY THE CQURT: a LJ () y Vb, GENE E.K PRATTER UNITED STATES DISTRICT JUDGE