UNITED STATES DISTRICT COURT
FOR THE WESTERN DISTRICT OF NEW YORK

JACOB BAGGETT, on behalf of himself and all others similarly situated, Plaintiff,

v.

STATE UNIVERSITY OF NEW YORK AT NIAGARA, NIAGARA COUNTY COMMUNITY COLLEGE, Defendant.

Case No. 1:24-cv-635

ORDER ON MOTION TO DISMISS (Doc. 15)

Plaintiff Jacob Baggett brings this putative class action against defendant State University of New York at Niagara, Niagara County Community College (“NCCC”), where he was a student from 2010 to 2013. (Doc. 11 ¶ 38.) Plaintiff alleges that Defendant failed to “properly secure and safeguard personally identifiable information,” and that, following a data breach on January 17, 2024, Defendant failed to provide adequate notice to Plaintiff and other Class Members “that their information had been subject to unauthorized access by an unknown third party,” and also failed to provide them with adequate notice as to “precisely what type of information was accessed.” (Id. ¶¶ 1, 3.) The First Amended Class Action Complaint (“Amended Complaint”) lists four causes of action: negligence (including an assertion of negligence per se) (Count I), breach of implied contract (Count II), unjust enrichment (Count III), and “declaratory and injunctive relief” (Count IV). The Amended Complaint also seeks damages. (Id. at 43.)
Currently pending is Defendant’s Motion to Dismiss under Fed. R. Civ. P. 12(b)(1) and 12(b)(6). (Doc. 15.) Plaintiff opposes the motion (Doc. 16), and Defendant has filed a reply (Doc. 17). The court heard argument on November 3, 2025.

Background

Mr. Baggett is “very careful about sharing his sensitive Private Information.” (Doc. 11.) At all relevant times, he and the putative class members “have taken reasonable steps to maintain the confidentiality of their Private Information.” (See id. ¶ 30.) Mr. Baggett was a student at NCCC from 2010 to 2013. (Doc. 11 ¶ 38.) He paid NCCC for its services. (Id. ¶ 182.) He alleges on information and belief that NCCC “funds its data security measures entirely from its general revenue” and that, “[a]s such, a portion of the payments made by or on behalf of Plaintiff and the Class Members is to be used to provide a reasonable level of data security.” (Id. ¶¶ 183-184.)

In the “ordinary course” of its business as an educational institution, NCCC collected the “Private Information” or “Personally Identifying Information” (“PII”), of its employees and students; the information collected included Social Security numbers (“SSNs”). (Id. ¶¶ 1, 2, 23, 29.) Mr. Baggett provided his own Private Information to NCCC. (Id. ¶ 40.) In a “Privacy Policy,” NCCC represented that it would not disclose the Private Information to unauthorized third parties. (Id. ¶ 175.)

NCCC stored the Private Information on its computer network. (Id. ¶¶ 23, 73.) According to the Amended Complaint, the Private Information stored on NCCC’s computer network “was likely not encrypted because if properly encrypted then cybercriminals would not have acquired and accessed Plaintiff’s and Class Members’ Private Information.” (Id. ¶ 26; see also id. 9, 33-35, 66 (asserting that the stored Private Information was unencrypted).) In
addition to failing to encrypt the Private Information, NCCC used “antivirus and malware protection software [that was] in need of security updating,” and maintained “inadequate procedures for handling phishing emails or emails containing viruses or other malignant computer code.” (Id. ¶ 90.)

On January 17, 2024—after Mr. Baggett had concluded his studies there—NCCC became aware that an unauthorized party accessed NCCC’s computer network (the “Data Breach” or “Data Incident”). (Id. ¶¶ 3, 24.) NCCC immediately launched an investigation, which confirmed that an “unauthorized actor” accessed NCCC’s systems on January 17, 2024, and that during this intrusion the unauthorized actor “had access to files that included the names and Social Security numbers of Plaintiff and those similarly situated.” (Id. ¶¶ 4, 25.) The Amended Complaint does not directly characterize the type of cyberattack perpetrated against NCCC but suggests in several instances that it was a “ransomware” attack. (See id. ¶¶ 50 & n.1, 54 n.3, 61 n.8, 70-71, 72 n.12.)

Mr. Baggett first received notice of the Data Breach by letter on or about May 17, 2024. (See id. ¶¶ 5, 41.) The letter stated:

    On January 17, 2024, we detected an incident that impacted the availability and functionality of our computer network. Upon learning of the incident, we immediately took measures to help secure our network, began an investigation, and reported the incident to law enforcement. Through our investigation, we determined that, on January 17, 2024, an unauthorized actor accessed and acquired certain files contained on our network. We received the files and, on April 16, 2024, determined that they contained your name and Social Security number.

(Id. 46.) NCCC directed Mr. Baggett to “take certain steps to protect his Private Information and otherwise mitigate his damages.” (Id. ¶ 44.) NCCC also offered Mr. Baggett 12 months of identity monitoring services but did not automatically enroll him for those services. (Id. ¶¶ 106-107.)
Mr. Baggett asserts that NCCC “waited two months” before reporting the Data Breach to government agencies and did not send the notice of the Data Breach until four months after the breach occurred. (See id. ¶¶ 5, 12.) Plaintiff claims that, “[a]s a result of this delayed response, Plaintiff and Class Members had no idea their Private Information had been compromised.” (Id. ¶ 13.) Plaintiff further claims that he and the putative class members “were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm.” (Id.; see also id. ¶ 109.) “[A]scertainable losses,” according to the Amended Complaint, include “loss of the benefit of their bargain, out-of-pocket expenses, and the value of their time reasonably incurred to remedy or mitigate the effects of the attack and the substantial and imminent risk of identity theft.” (Id. ¶ 8; see also id. ¶¶ 15, 45-46, 94, 116.)

Rule 12(b) Standards

Rule 12(b)(1). “A district court properly dismisses an action under Fed. R. Civ. P. 12(b)(1) for lack of subject matter jurisdiction if the court ‘lacks the statutory or constitutional power to adjudicate it. . . .’” Cortlandt St. Recovery Corp. v. Hellas Telecomms., S.à.r.l., 790 F.3d 411, 417 (2d Cir. 2015) (quoting Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000)). Such jurisdiction is lacking where constitutional (Article III) standing is absent. Carter v. HealthPort Techs., LLC, 822 F.3d 47, 54 (2d Cir. 2016).

“[S]tanding must be assessed as to each plaintiff. . . .” Seife v. U.S. Dep’t of Health & Human Servs., 440 F. Supp. 3d 254, 272 (S.D.N.Y. 2020). This is also true in class actions: “[E]ven named plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.’” Lewis v. Casey, 518 U.S. 343, 357 (1996) (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 40 n.20 (1976)); see also TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021) (“Every class member must have Article III standing in order to recover individual damages.”).

Here, NCCC’s Rule 12(b)(1) motion is “based solely on the allegations of the complaint.” Carter, 822 F.3d at 56. Plaintiff has “no evidentiary burden” in opposing such a “facial” motion. In resolving the Rule 12(b)(1) motion, the court’s task is to determine whether the Amended Complaint “allege[s] facts that affirmatively and plausibly suggest that [the plaintiff] has standing to sue.” Id. (alterations in original; quoting Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 145 (2d Cir. 2011) (per curiam)).

Rule 12(b)(6). To survive a Rule 12(b)(6) motion to dismiss for failure to state a claim, the Amended Complaint “must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Eastman Kodak Co. v. Henry Bath LLC, 936 F.3d 86, 93 (2d Cir. 2019) (internal quotation marks omitted) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). In evaluating Defendant’s Rule 12(b)(6) motion, the court must “draw[] all reasonable inferences in favor of the plaintiff[s].” Biocad JSC v. F. Hoffman-La Roche, 942 F.3d 88, 93 (2d Cir. 2019). “Dismissal is appropriate when ‘it is clear from the face of the complaint . . . that the plaintiff’s claims are barred as a matter of law.’” Id. (alteration in original) (quoting Parkcentral Glob. Hub Ltd. v. Porsche Auto Holdings SE, 763 F.3d 198, 208-09 (2d Cir. 2014)). “The moving party has the burden of demonstrating its entitlement to relief under Rule 12(b)(6).” Bradstreet v. City of Rochester, No. 23-CV-06147, 2024 WL 1178338, at *16 (W.D.N.Y. Mar. 19, 2024) (cleaned up; quoting Stephens Inc. v. Flexiti Fin. Inc., No. 18-CV-8185, 2019 WL 2725627, at *7 (S.D.N.Y. July 1, 2019)).
Analysis

I. Jurisdiction Under Rule 12(b)(1)

The court begins with the question of jurisdiction under Rule 12(b)(1). See Daly v. Citigroup Inc., 939 F.3d 415, 426 (2d Cir. 2019) (“We consider the Rule 12(b)(1) challenge first since if we must dismiss the complaint for lack of subject matter jurisdiction, the defendants’ defenses and objections become moot and do not need to be determined.” (cleaned up)). “To establish Article III standing under the U.S. Constitution, a plaintiff must show (1) an injury in fact (2) caused by the defendant, (3) that would likely be redressable by the court.” Bohnak v. Marsh & McLennan Cos., 79 F.4th 276, 279-80 (2d Cir. 2023) (quoting Thole v. U.S. Bank N.A., 590 U.S. 538, 540 (2020)). “‘Injury in fact,’ in turn, embodies three components: it must be ‘concrete, particularized, and actual or imminent.’” Id. at 280 (quoting Thole, 590 U.S. at 540). “[W]ith respect to the question whether an injury arising from risk of future harm is sufficiently ‘concrete’ to constitute an injury in fact, TransUnion controls; with respect to the question whether the asserted injury is ‘actual or imminent,’ the McMorris framework continues to apply in data breach cases.” Id. (referring to TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), and McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021)).

NCCC asserts that Mr. Baggett lacks standing because (A) the loss or diminished value of his Private Information is not a cognizable injury and because (B) his alleged risk of future identity theft and potential mitigation efforts are also insufficient to confer standing. (Doc. 15-1 at 12.) In support of both points, NCCC cites In re: Practicefirst Data Breach Litigation, No. 21-CV-00790, 2022 WL 354544 (W.D.N.Y. Feb. 2, 2022), report and recommendation adopted, 2022 WL 3045319 (W.D.N.Y. Aug. 1, 2022). The Practicefirst court discussed both
TransUnion and McMorris, but did not have the benefit of the Second Circuit’s decision in Bohnak analyzing those two cases.

In opposition to NCCC’s arguments on standing, Mr. Baggett asserts that the facts in this case are “functionally identical to those at issue in Bohnak.” (Doc. 16 at 7.) NCCC urges the court to distinguish Bohnak because, in NCCC’s view, the McMorris factors in this case weigh against Mr. Baggett’s standing. (Doc. 17 at 6.) The court considers the parties’ arguments in the context of the two components of the injury-in-fact analysis that are at issue here: concreteness and imminence.¹

A. “Concrete” Harms

As discussed in In re Christie’s Data Breach Litigation, the Bohnak court recognized two categories of harm that both qualified as “concrete”: (1) the exposure of the plaintiff’s private information “to an unauthorized malevolent actor”; and (2) expenses “associated with the prevention, detection, and recovery from identity theft” resulting from the risk of future harm stemming from the exposure of the plaintiff’s private information. 767 F. Supp. 3d 12, 15 (S.D.N.Y. 2025) (quoting Bohnak, 79 F.4th at 286). The former category of harm was an “intangible harm” that courts have “traditionally recognized as providing a basis for lawsuits in American courts.” Bohnak, 79 F.4th at 286 (quoting TransUnion, 594 U.S. at 417). Whether the latter category constitutes an “imminent” harm is evaluated under McMorris, but Bohnak expressly indicates that such harm meets the “concreteness” inquiry.

NCCC’s reliance on Practicefirst and on Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735 (W.D.N.Y. 2017), is misplaced. In both of those cases, this court rejected assertions that
¹ As in Bohnak, 79 F.4th at 289 n.7, neither party has suggested that the “particularity” requirement might not be met in this case.
standing could be established because data breaches diminished the value of the plaintiffs’ PII. See Practicefirst, 2022 WL 354544, at *7 (“[P]laintiffs have failed to allege a concrete or actual injury based on a diminution in value of their . . . PII as a result of the data breach.”); Fero, 236 F. Supp. 3d at 755 (complaint lacked “factual allegations to support the proposition that their personal information was made less valuable to them as a result of the breach, or that the data breach negatively impacted the value of their data such that Plaintiffs could not use or sell it”).

Like the plaintiffs in those cases, Mr. Baggett has asserted that the Data Breach resulted in “lost or diminished value of Private Information.” (Doc. 11 ¶ 15(); see also id. ¶ 47.) But Mr. Baggett does not rely solely on that alleged harm. As in Bohnak, Mr. Baggett also alleges “expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of [his] Private Information.” (Doc. 11 ¶ 15(ii).) And, like the lead named plaintiff in Bohnak, Mr. Baggett has not asserted “a common law claim for public disclosure of private facts,” 79 F.4th at 286, but he does allege exposure of PII to “an unknown and unauthorized third party”—i.e., a hacker (Doc. 11 ¶¶ 11, 17)—just like the alleged exposure of PII to the “unauthorized malevolent actor” in Bohnak, 79 F.4th at 286. Bohnak teaches that both of those categories of alleged harm are “concrete.”

B. Actual or Imminent Harms

As in Bohnak, the conclusion above that Mr. Baggett has plausibly alleged at least two “concrete” harms does not resolve the jurisdictional question because the standing inquiry also requires that the alleged harm be “actual or imminent.” Bohnak, 79 F.4th at 287. As to the “intangible” harm of exposure of Mr. Baggett’s Private Information to an unauthorized bad actor, that harm “has actually happened,” so it is unnecessary to evaluate “imminence” under the McMorris factors.
In re Christie’s Data Breach Litig., 767 F. Supp. 3d at 15 (quoting Soule v. Conn. Ass’n of Schs., Inc., 90 F.4th 34, 46 (2d Cir. 2023) (en banc)). That conclusion might be sufficient to conclude that the court has jurisdiction. As other courts have suggested, Bohnak arguably abrogated Practicefirst insofar as Practicefirst held that the exposure of sensitive private data is not itself a “concrete” injury analogous to the tort of public disclosure of private information. See Miller v. Syracuse Univ., 662 F. Supp. 3d 338, 354 (N.D.N.Y. 2023).
The court nevertheless proceeds to consider the “imminence” question as to the claim of future harm for “expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of [Plaintiff’s] Private Information.” (Doc. 11 ¶ 15(i).) The McMorris factors apply to that inquiry. The first and “most important” factor “is whether the data was compromised as the result of a targeted attack intended to get PII.” Bohnak, 79 F.4th at 288 (citing McMorris, 995 F.3d at 301). The second factor recognizes that imminence is more likely “where some part of the compromised dataset has been misused—even if a plaintiff’s own data has not.” Id. (citing McMorris, 995 F.3d at 301). Finally, courts may consider “whether the exposed PII is of the type ‘more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.’” (quoting McMorris, 995 F.3d at 302). The court considers each factor in turn.

1. Targeted Attack to Obtain PII

NCCC asserts that this factor weighs in its favor because, in NCCC’s view, the Amended Complaint lacks “any allegation that Plaintiff’s name and Social Security number (or that of any other putative plaintiff) were specifically targeted in the Data Incident.” (Doc. 15-1 at 14.) Mr. Baggett maintains that the analysis on this factor should be the same as in Bohnak because the incident “was not an inadvertent, intra-company disclosure” but was instead “a targeted attack” perpetrated by an unauthorized bad actor. Bohnak, 79 F.4th at 289. In reply, NCCC does not
dispute that the Data Breach was a targeted attack. But NCCC asserts that the Amended Complaint lacks allegations that the attack was “designed to subsequently commit identity theft.” (Doc. 17 at 7.) NCCC concedes that “subsequent identity theft as the objective of a surreptitious hack is a reasonable inference.” (Id.) But, according to NCCC, this is true only “in the absence of facts suggesting an alternative objective.” (Id.) And, according to NCCC, the attack in this case was a “ransomware” attack—“designed to extort a ransom payment”—not to obtain PII for use in subsequent identity theft. (Id.)

A “ransomware” cyberattack “involves the denial of access to information until the subject of the attack pays a fee or ‘ransom’ to regain use of its data.” Practicefirst, 2022 WL 354544, at *5. “[T]he primary purpose of a ransomware attack is the exchange of money for access to data, not identity theft.” Id. The Practicefirst court noted that the plaintiffs in that case “seem to concede this fact.” Id. But the Practicefirst plaintiffs argued that “because their [private information] was exfiltrated or copied from defendants’ system as part of the ransomware attack, the hacker must intend to use the data, in the future, for identity theft or fraud.” Id. The court rejected that argument as “both speculative and belied by the complaint, which fails to allege that any of the over 1.2 million people affected by the data breach have experienced attempted or actual identity theft, or a similar type of fraud or attempted fraud, in over a year following the ransomware attack.” Id. The court concluded that the plaintiffs had failed to “plausibly allege that this data breach was the type of cyber-attack targeted to obtain confidential information for purposes of identity theft, as opposed to garden-variety ransomware attack.” Id.
Although Bohnak apparently did not involve a “ransomware” cyberattack, nothing in the court’s decision indicates that the type of cyberattack that exposes the PII necessarily alters the
analysis of the first McMorris factor. Instead, the court considered more generally “whether an individual whose personally identifying information (‘PII’) is exposed to unauthorized actors” has suffered an injury. See Bohnak, 79 F.4th at 279. Other courts have expressly identified a “ransomware” attack as sufficient to satisfy the first McMorris factor.² At this early stage of the case, it is plausible that the bad actor seeking to extort NCCC into paying a ransom to regain use of its data would also seek to obtain additional payouts by selling the PII that was accessed. The court respectfully declines to follow Practicefirst insofar as that case reasoned that such a dual motive or “double extortion” was speculative. No speculation is required to find this plausible.

2. Misuse of Any Part of the Compromised Dataset

As to the second factor, NCCC argues there is no allegation “that the relevant data has been misused.” (Doc. 15-1 at 14.) Mr. Baggett apparently does not dispute this assertion, but instead maintains that the other two McMorris factors are sufficient to weigh in favor of standing. (See Doc. 16 at 7.)

3. Type of PII and “Perpetual Risk”

NCCC concedes that the third McMorris factor weighs in Mr. Baggett’s favor because his SSN was exposed in the Data Breach. (Doc. 15-1 at 14.) The court agrees this factor favors jurisdiction. See Bohnak, 79 F.4th at 289 (hackers’ acquisition of name and SSN “is exactly the kind of information that gives rise to a high risk of identity theft”). Here, as in Bohnak, two of
² See, e.g., LaSalle v. Adoptions from the Heart, Inc., No. 25-974, 2025 WL 2214096, at *4 (E.D. Pa. Aug. 1, 2025) (articulating first factor as an inquiry into whether “the data breach was intentional” and whether “known hackers or ransomware can be identified” (emphasis added)); Cabezas v. Mr. Cooper Grp. Inc., No. 23-CV-2453, 2025 WL 2053287, at *6 (N.D. Tex. July 22, 2025) (ransom cyberattack was “a targeted attack intended to obtain the plaintiffs’ data”); In re Canon U.S.A. Data Breach Litig., No. 20-CV-6239, 2022 WL 22248656, at *5 Mar. 15, 2022) (ransomware attack was “a targeted attempt to obtain the plaintiffs’
the three McMorris factors weigh in favor of jurisdiction. See id. (unnecessary to establish all three factors for a finding of imminence).

In sum, the allegations plausibly support the conclusion that the exposure of Mr. Baggett’s Private Information is a “concrete” and “actual” injury and that the claimed injury as to costs associated with preventing and recovering from misuse of that information is a “concrete” and “imminent” injury.

II. Plausibility of Claims for Relief Under Rule 12(b)(6)

In addition to its jurisdictional arguments, NCCC contends that Mr. Baggett has failed to plausibly state any claim for relief. The court reviews each of NCCC’s points on this topic below. There is no dispute that New York law applies to each of these claims.

A. Injury (Counts I and II)

A plausible allegation of harm is essential for Mr. Baggett’s claims for negligence (Count I) and breach of implied contract (Count II). See Process Am., Inc. v. Cynergy Holdings, LLC, 839 F.3d 125, 141 (2d Cir. 2016) (“Proof of damages is an essential element of a claim for breach of contract under New York law.”); Curley v. AMR Corp., 153 F.3d 5, 13 (2d Cir. 1998) (damage is an essential element of negligence under New York law). NCCC argues that: (1) the
mere risk of future identity theft is insufficient; (2) absent a substantial risk of future identity theft, the time a plaintiff spends protecting himself against that threat is insufficient; (3) diminished value of PII following a data breach is not sufficient unless there is a market for the information and a showing of how the value of the information decreased due to its exposure; and (4) Mr. Baggett cannot recover on a benefit-of-the-bargain theory because he does not allege that he specifically paid NCCC for data security. (Doc. 15-1 at 18-20.)

In response, Mr. Baggett asserts that “Bohnak disposes of this argument.” (Doc. 16 at 8.) NCCC replies that “allegations of injury deemed sufficient to support Article III standing are not
ipso facto sufficient to plausibly plead actual damages to support negligence or implied contract claims in data breach cases.” (Doc. 17 at 9.) NCCC further asserts that Bohnak is not binding because the Second Circuit in that case did not specify which state’s law it was applying. (Id. at 10.)

The court begins with the effect of the concrete and actual or imminent harms identified in Bohnak and alleged in this case. The threshold for pleading injury-in-fact (requiring a “colorable” claim of injury) is lower than that for sustaining a valid cause of action (requiring a “plausible” claim). Harry v. Total Gas & Power N. Am., Inc., 889 F.3d 104, 110 (2d Cir. 2018). Thus, as in Harry, it is possible that in some cases a plaintiff might plead “enough facts to make their claim of injury colorable but not enough to make it plausible.” Id.; see also Wallace v. Health Quest Sys., Inc., No. 20 CV 545, 2021 WL 1109727, at *5 (S.D.N.Y. Mar. 23, 2021) (“Pleading damages to support a cause of action is distinct from pleading injury-in-fact to support standing.” (citing Doe v. Chao, 540 U.S. 614, 624-25 (2004))); McLoughlin v. People’s United Bank, Inc., No. 08-cv-00944, 2009 WL 2843269, at *4, 9 (D. Conn. Aug. 31, 2009) (plaintiffs suing bank for compromised data sufficiently alleged injury in fact but failed to state a plausible claim); cf. In re Whole Foods Mkt. Grp., Inc. Overcharging Litig., 397 F. Supp. 3d 406, 429-30 (S.D.N.Y. 2019) (“[W]ere the standing and merits issues viewed as distinct and were standing held established, the Court would have entered summary judgment for Whole Foods based on John’s failure, as developed above, to establish the merits elements of injury and causation.”).

The court in In re Unite Here Data Security Incident Litigation discussed the Harry decision and recognized the distinct pleading thresholds for standing and for the merits of a claim. 740 F. Supp. 3d 364, 382 (S.D.N.Y. 2024). But the Unite Here court concluded that—in light of Bohnak and adequate allegations of an increased risk of identity theft, “coupled with time and money spent on mitigation”—the “substantive injury element” under New York law was also satisfied. Id. Mr. Baggett argues that the court should reach the same conclusion in this case. (Doc. 16 at 8.)

NCCC urges the court not to follow Unite Here for two reasons. NCCC argues that Unite Here is distinguishable because the plaintiffs in that case expressly alleged that they spent both time and money trying to mitigate the consequences of the data breach. (Doc. 17 at 10 n.5.) The court cannot distinguish Unite Here on that basis. Mr. Baggett similarly alleges that he “spent time dealing with the consequences of the Data Breach,” including by setting up a credit alert and “self-monitoring his accounts.” (Doc. 11 ¶ 45.) He also alleges “out-of-pocket expense” in mitigation efforts. (Id. ¶ 8; see also id. ¶¶ 15, 116, 165(iv), 178, 191(iv).)

NCCC also asserts that the relevant portion of the Unite Here decision does not cite New York cases which, in NCCC’s view, indicate “that New York law requires an actual injury to support a negligence claim.” (Doc. 17 at 10 n.5; see also Doc. 15-1 at 18 (citing cases).) NCCC correctly cites cases like Wallace for the proposition that, “[u]nder New York law, a ‘threat of harm is insufficient to impose liability against a defendant in a tort context.’” Wallace, 2021 WL 1109727, at *7 (quoting Caronia v. Philip Morris USA, Inc., 22 N.Y.3d 439, 446 (2013)). In New York, “a plaintiff may only recover damages for a risk of future harm if he or she alleges an expense is ‘reasonably certain to be incurred’ by virtue of that risk.” Id. (quoting Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273, 281 (S.D.N.Y. 2008)). Applying that law, the Wallace court held that the plaintiffs alleging claims arising out of a data breach had failed to plead cognizable damages based on the “speculative possibility” that they “might, at
some point in the future, be victims of fraud and thereby incur monetary or other damages.” Id. at *8.

Here, Mr. Baggett seeks to recover damages based in part on an alleged future risk of identity theft. (Doc. 11 ¶ 8.) As discussed in Wallace, that alleged future harm is not cognizable. However, Mr. Baggett also seeks to recover damages for other alleged harms, including lost time and money addressing the consequences of the exposure of his Private Information. (Id. ¶¶ 8, 15, 45, 116, 165(iv), 178, 191(iv).) While lost time alone might not be sufficient, “lost time and money” is. See Wallace, 2021 WL 1109727, at *7; see also Unite Here, 740 F. Supp. 3d at (concluding that “time and money spent on mitigation” was sufficient to allege plausible injury). Mr. Baggett also alleges a loss of the benefit of his bargain with NCCC. (Doc. 11 ¶ 8.) The court considers that issue below. Ultimately, the court finds Unite Here persuasive on this issue and concludes that NCCC has not met its burden to obtain dismissal under Rule 12(b)(6) for lack of plausible allegations of injury.

B. Negligence Per Se (Count I)

The negligence claim includes an allegation that NCCC violated § 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45, and that this violation “constitutes negligence per se.” (Doc. 11 ¶¶ 81, 162.) There is no dispute that the FTC Act does not contain a private right of action. See Alfred Dunhill Ltd. v. Interstate Cigar Co., 499 F.2d 232, 237 (2d Cir. 1974) (“[T]he provisions of the Federal Trade Commission Act may be enforced only by the Federal Trade Commission. Nowhere does the Act bestow upon either competitors or consumers standing to enforce its provisions.”). NCCC asserts that the lack of a private right of action in the FTC Act bars the negligence-per-se theory. (Doc. 15-1 at 21 n.2.)
Mr. Baggett maintains that his claim for negligence per se “may be founded on a federal statute without a private right of action.” (Doc. 16 at 9.) He concedes that district courts have reached differing conclusions as to “whether a victim of data breach can properly invoke the FTC Act in support of a claim for negligence per se,” but he contends that, absent binding authority on the question, the court should allow the negligence per se claim to proceed. (Id. at 10.) In reply, NCCC argues that the cases Mr. Baggett cites are “issued by courts in other jurisdictions and/or decided under different contexts.” (Doc. 17 at 11.)

Mr. Baggett has not cited, and the court has not found, any New York court decision or any federal court decision within the Second Circuit concluding that a negligence-per-se action under New York law can be sustained based on a violation of the FTC Act. As explained in Cohen v. Northeast Radiology, P.C., the absence of a private right of action in the FTC Act “weighs heavily against implying a private right of action necessary to sustain a negligence per se claim based upon . . . the FTC Act.” No. 20 CV 1202, 2021 WL 293123, at *7 (S.D.N.Y. 28, 2021). Absent any case within the Circuit recognizing such a cause of action, and in light of New York court decisions declining to do so, the Cohen court dismissed the negligence-per-se claim in that case. Id. (citing Smahaj v. Retrieval-Masters Creditors Bureau, Inc., 69 Misc. 3d 597, 608 (Sup. Ct. Westchester Cnty. 2020), and Abdale v. N. Shore Long Island Jewish Health Sys., Inc., 49 Misc. 3d 1027, 1038 (Sup. Ct. Queens Cnty. 2015)).

That reasoning is persuasive here. And the court agrees with NCCC that the cases Mr. Baggett cites are distinguishable or otherwise not persuasive. The court in Cohen v. Fairbank Reconstruction Corp. reasoned that the plaintiff properly alleged violation of the Federal Meat Inspection Act (“FMIA”), 21 U.S.C.
§ 601 et seq., and denied the defense motion for summary judgment on a negligence-per-se claim based on violation of that statute. 35 Misc. 3d 1205(A)
(Sup. Ct. Albany Cnty. 2012). But the FTC Act was not at issue in Fairbank Reconstruction, and it does not appear from the decision that any party raised the FMIA’s lack of a private cause of action. In contrast, New York cases like Smahaj and Abdale, cited above, specifically address the FTC Act and dismissed negligence-per-se claims based on alleged violations of that statute.

Mr. Baggett also cites a trio of federal cases from outside the Second Circuit: Tracy v. Elekta, Inc., 667 F. Supp. 3d 1276 (N.D. Ga. 2023), Perry v. Bay & Bay Transportation Services, Inc., 650 F. Supp. 3d 743 (D. Minn. 2023), and In re Capital One Consumer Data Security Breach Litigation, 488 F. Supp. 3d 374 (E.D. Va. 2020). Of those, only Capital One applies New York law. In that case, the court concluded that the plaintiffs plausibly alleged a claim for negligence per se “because New York law would permit the Plaintiffs to assert a negligence per se claim premised on a federal statute and because Plaintiffs have adequately done so here—importing the standard of care from the FTC Act.” Capital One, 488 F. Supp. 3d at 407-08 (citing cases).

But that analysis was unpersuasive in In re GE/CBPS Data Breach Litigation, No. 20 Civ. 2903, 2021 WL 3406374 (S.D.N.Y. Aug. 4, 2021). The court in that case cited Capital One as a single authority contrary to multiple other state and federal court holdings applying New York law in this context. GE/CBPS, 2021 WL 3406374, at *10. The court follows GE/CBPS and concludes that the weight of authority goes against a plausible negligence-per-se theory in this case.

C. Breach of Implied Contract (Count II)

NCCC argues that the breach-of-implied-contract claim in Count II should be dismissed for failure to allege “the existence and breach of any reasonably certain terms regarding data security.” (Doc. 15-1 at 21.) Citing Unite Here, Mr. Baggett maintains that NCCC “breached its
implied contracts by providing substandard data security.” (Doc. 16 at 10-12.) NCCC replies that “Plaintiff has not identified any specific actions that NCCC allegedly failed to take that would have protected against sophisticated criminals gaining access to and holding NCCC’s network hostage.” (Doc. 17 at 12.) Citing Troy v. American Bar Ass’n, No. 23-CV-03053, 2024 WL 1886753, NCCC further asserts that the Amended Complaint “fail[s] to allege how the defendant . . . breached the contract.” (Id. at 13.) The court considers NCCC’s arguments regarding contract formation and breach in turn.

1. Contract Formation

In Unite Here, the plaintiffs sued their labor union on multiple theories, including breach of implied contract, after a cyberattack on the union exposed personal information that the plaintiffs had supplied, including names, SSNs, dates of birth, and medical information. Unite Here, 740 F. Supp. 3d at 371-72. According to the complaint in Unite Here, the union “solicited, offered, and invited class members to provide their Private Information, an offer to which plaintiffs agreed, and that as part of this transaction it was understood and agreed that defendant was required to reasonably safeguard the Private Information from unauthorized access or disclosure.” Id. at 384 (cleaned up). The complaint also alleged on information and belief that the union “promised to comply with industry standards to protect plaintiffs’ data and at all relevant times Defendant promulgated, adopted, and implemented written privacy policies whereby it expressly promised Plaintiffs and Class Members that it would only disclose Private Information under certain circumstances, none of which relate to the Data Breach.” Id. (internal quotation marks omitted).
The court concluded that the breach-of-implied-contract claim survived the union’s Rule 12(b)(6) challenge, reasoning that “[t]he fact plaintiffs turned over their data, entrusting it to defendants, combined with the complaint’s other allegations gives rise
to a plausible inference that the parties mutually agreed defendant would safeguard that data.” Id. NCCC agrees that an implied contract may arise “as an inference from the facts and circumstances of the case, though not formally stated in words, and is derived from the presumed intention of the parties as indicated by their conduct.” Liebowitz v. Cornell Univ., 584 F.3d 487, 506-07 (2d Cir. 2009). But NCCC asks the court not to infer the existence of a contract because, in NCCC’s view, “Plaintiff has failed to allege any facts showing the claim’s essential elements” such as mutual assent and consideration. (Doc. 15-1 at 22.) The court is unpersuaded because at this stage of the case the court must draw all reasonable inferences in the plaintiff's favor. Here, it is reasonable to infer that Mr. Baggett paid NCCC for his course of instruction, thus satisfying the consideration requirement. And, as in Unite Here, the allegations support a plausible inference that the parties mutually agreed that NCCC would take reasonable steps to safeguard the Private Information.

2. Breach

The court in Troy ruled that an implied contract existed between the American Bar Association (“ABA”) and the plaintiff ABA members, who had provided the ABA with their names, email addresses, and credit card information. Troy, 2024 WL 1886753, at *4. But the court held that the plaintiffs had failed to allege “how ABA has breached said contract.” Id. More particularly, the court reasoned that “Plaintiffs fail to identify which ‘commercially reasonable security measure’ ABA did not implement to protect their data.” Id. In Troy, the only allegation concerning the ABA’s security measures was its use of “hashed” and “salted” passwords, which was allegedly inadequate security. Id. at *4–5.
The court concludes that Troy is distinguishable on the issue of breach. The court assumes that the Troy court correctly determined as a matter of law that using “hashed” and “salted” passwords is insufficient to plausibly support a failure to follow industry practices that the contracting parties would have expected. But the Amended Complaint in this case does not allege that NCCC used hashed or salted passwords. Instead, the Amended Complaint identifies multiple alleged failures on NCCC’s part, including:

• Failing to maintain an adequate data security system to reduce the risk of data breaches;
• Failing to adequately protect the Personal Information of Plaintiff and the Class;
• Failing to properly monitor their own data security systems for existing intrusions;
• Failing to train employees in the proper handling of emails containing the means by which the cyberattacks were able to first access Defendant’s networks, and to and maintain adequate email security practices;
• Failing to put into place proper procedures, software settings, and data security software protections to adequately protect against a blunt force intrusion;
• Failing to ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);
• Failing to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 C.F.R. § 164.308(a)(1)(i);
• Failing to implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D);
• Failing to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI in violation of 45 C.F.R. § 164.306(a)(2);
• Failing to comply with FTC guidelines for cybersecurity, in violation of Section 5 of the FTC Act; and
• Failing to adhere to industry standards for cybersecurity.

(Doc. 11 ¶ 89 (bullet points substituted for index letters).) The Unite Here court found that a similar list of alleged failures supported plausible claims of breach of the standard of care for purposes of a negligence claim. Unite Here, 740 F.3d at 384. And failure “to exercise due care in performing the services required by the contract” can support a claim for breach of that
contract. Lenard v. Design Studio, 889 F. Supp. 2d 518, 528 n.6 (S.D.N.Y. 2012) (quoting Santulli v. Englert, Reilly & McHugh, P.C., 78 N.Y.2d 700, 705, 579 N.Y.S.2d 324, 586 N.E.2d 1014 (1992)). The court therefore concludes that the Amended Complaint plausibly alleges breach of an implied contract.

D. Unjust Enrichment (Count III)

“The basic elements of an unjust enrichment claim in New York require proof that (1) defendant was enriched, (2) at plaintiff’s expense, and (3) equity and good conscience militate against permitting defendant to retain what plaintiff is seeking to recover.” Pauwels v. Deloitte LLP, 83 F.4th 171, 186 (2d Cir. 2023) (quoting Briarpatch Ltd., L.P. v. Phoenix Pictures, Inc., 373 F.3d 296, 306 (2d Cir. 2004)). NCCC argues that the Amended Complaint lacks any allegations to support the first element—that NCCC was enriched. (Doc. 15-1 at 23.) NCCC also asserts that the unjust-enrichment claim should be dismissed as duplicative of the tort and contract claims. (Id. at 24-25.) The court considers those arguments in turn.

1. Enrichment Element

NCCC contends that courts dismiss unjust-enrichment claims in data-breach cases “where the plaintiff fails to adequately plead that the defendant profited from the plaintiff's information, that the plaintiff intended to pay the defendant extra for data security and that the defendant did not use those funds accordingly, and/or that the defendant employed deficient security measures.” (Doc. 15-1 at 24.) The discussion above addresses the plausibility of the claim that NCCC employed deficient security measures. For the reasons below, NCCC’s remaining arguments for dismissal of the unjust-enrichment claim are not persuasive. The cases upon which NCCC relies do not support the proposition that the defendant in a data-breach case involving a claim of unjust enrichment must have been enriched from the
private information that the plaintiff supplied to the defendant. The plaintiffs in In re American Medical Collection Agency, Inc. Customer Data Security Breach Litigation were patients of the defendant healthcare providers that hired a collection agency to collect medical debts. No. 19-md-2904, 2021 WL 5937742, at *1 (D.N.J. Dec. 16, 2021). The plaintiffs’ personal information was exposed when the collection agency was hacked. The plaintiffs brought an unjust-enrichment claim against the healthcare providers, arguing that the providers were unjustly enriched “by their collection of and failure to secure Personal Information.” Id. at *18. The court dismissed that claim for lack of any allegation that the defendants “receive[d] any additional value from Plaintiffs’ Personal Information.” Id. The unjust-enrichment claim in this case is broader. The claim here alleges that Mr. Baggett conferred a benefit on NCCC by providing his “valuable Private Information.” (Doc. 11 ¶ 182.) But the claim also alleges that he conferred a benefit on NCCC “by paying for Defendant’s services.” (Id.) The American Medical Collection Agency decision does not discuss that basis for the “enrichment” element. Mr. Baggett’s payment for services also distinguishes this case from In re Waste Management Data Breach Litigation, No. 21cv6147, 2022 WL 561734 (S.D.N.Y. Feb. 24, 2022). The plaintiffs in that data-breach case were employees of the corporate defendant, not customers. There is no indication that they paid the defendant for any services. It remains to consider NCCC’s argument that the unjust-enrichment claim fails for lack of any allegation that “the plaintiff intended to pay the defendant extra for data security and that the defendant did not use those funds accordingly.” (Doc. 15-1 at 24; see also Doc. 17 at 13.) NCCC cites Brush v. Miami Beach Healthcare Group Ltd., 238 F. Supp. 3d 1359 (S.D. Fla.
2017), for the proposition that some additional payment specifically for data security is necessary
to support an unjust-enrichment claim. The Brush court analyzed claims under Florida law brought by a former patient of healthcare providers after a data breach exposed the plaintiff's personal information. The court dismissed the unjust-enrichment claim, reasoning: The factual allegations—viewed in their entirety and in the light most favorable to the Plaintiff—do not establish that: (1) she conferred payment—above and beyond the money owed for her medical treatment; (2) the Defendant knew Plaintiff paid additional remuneration for data security; and (3) Defendants accepted more money than was owed for their healthcare services. Id. at 1369. The Brush court was applying Florida law, not New York law. On the “enrichment” element for purposes of New York law, the court agrees with Plaintiff that Sackin v. TransPerfect Global, Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017), is more persuasive. The court in that data-breach case held that the plaintiffs adequately alleged all three elements of unjust enrichment under New York law: [F]irst, that TransPerfect received the benefits of Plaintiffs’ labor; second, that TransPerfect was enriched at Plaintiffs’ expense when it chose to cut costs by not implementing security measures to protect Plaintiffs’ PII which Defendant required or obtained in the course of Plaintiffs’ employment; and third, that it would be inequitable and unconscionable to allow TransPerfect to retain the money it saved by shirking data-security, while leaving Plaintiffs to suffer the consequences. Id. at 751. The Sackin court did not require that the benefit the plaintiffs conferred upon their employer with their labor needed to include some “extra” or specially designated amount specifically to ensure that the employer would protect the plaintiffs’ PII. The court declines to impose such a requirement in this case.
2. Duplicative of Tort and Contract Claims

NCCC’s second argument for dismissal of the unjust-enrichment claim is that the claim improperly seeks to duplicate a conventional contract or tort claim. (Doc. 15-1 at 24.) NCCC relies upon two federal cases in addition to Waste Management: Toretto v. Donnelley Financial
Solutions, Inc., 583 F. Supp. 3d 570 (S.D.N.Y. 2022), and Trainum v. Rockwell Collins, Inc., No. 16-cv-7005, 2017 WL 2377988 (S.D.N.Y. May 31, 2017). Each of those cases dismissed unjust-enrichment claims as duplicative of other claims,³ and in doing so each cited Corsello v. Verizon N.Y., Inc., 18 N.Y.3d 777, 944 N.Y.S.2d 732, 967 N.E.2d 1177 (2012). Corsello, in turn, stands for the proposition that “[a]n unjust enrichment claim is not available where it simply duplicates, or replaces, a conventional contract or tort claim.” 18 N.Y.3d at 790. As this court has recognized, however, “Fed. R. Civ. P. 8(d)(2) allows a party to set out two or more statements of a claim or defense alternatively or hypothetically.” Busre/ Inc. v. Datton, No. 20-cv-1767, 2021 WL 2980494, at *13 (W.D.N.Y. July 15, 2021) (cleaned up; quoting U.S. Bank Nat’l Ass’n v. BFPRU I, LLC, 230 F. Supp. 3d 253, 266 (S.D.N.Y. 2017)). Thus, “even though Plaintiffs may not ultimately recover under both the breach of contract and unjust enrichment claims, courts in this Circuit routinely allow plaintiffs to plead such claims in the alternative.” BFPRU I, 230 F. Supp. at 266. And, in this case, NCCC’s arguments against the existence of an implied-in-fact contract indicate that Plaintiff should be able to proceed (even if not ultimately recover) on the unjust-enrichment claim. See Wallace, 2021 WL 1109727, at *11 (“[B]ecause defendant disputes whether a contract exists, plaintiffs may proceed with their claims for both breach of implied contract and unjust enrichment.”); Sackin, 278 F. Supp. 3d at 751-52 (“Here, although the Complaint adequately pleads an implied-in-fact contract, Defendant's opposition suggests that it will dispute that Defendant agreed to be bound in an implied contract with Plaintiffs.”).

³ The Toretto court granted summary judgment to the defendants on the unjust-enrichment claim. 583 F. Supp. 3d at *20.
E. Declaratory and Injunctive Relief (Count IV)

NCCC’s final argument is that Count IV—entitled “Declaratory and Injunctive Relief”—cannot proceed as a “standalone” cause of action. (Doc. 15-1 at 25.) Mr. Baggett concedes that the Declaratory Judgment Act does not create an independent cause of action. He maintains that Count IV should remain in the case because the claims in Counts I-III are plausible. (See Doc. 16 at 13.) Because the court concludes that Counts I-III survive NCCC’s motion to dismiss (except the portion of Count I that consists of a negligence-per-se claim), the court also concludes that NCCC is not entitled to dismissal of Count IV.

Conclusion

Defendant’s Motion to Dismiss (Doc. 15) is GRANTED as to the negligence per se portion of Count I but is otherwise DENIED.

Dated this ___ day of December, 2025.
Geoffrey W. Crawford, Judge United States District Court