Keown v. International Association of Sheet Metal Air Rail Transportation Workers
This text of Keown v. International Association of Sheet Metal Air Rail Transportation Workers (Keown v. International Association of Sheet Metal Air Rail Transportation Workers) is published on Counsel Stack Legal Research, covering District Court, District of Columbia primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.
Opinion
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
DAVID KEOWN, et al.,
Plaintiffs,
v. Case No. 23-cv-3570 (CRC)
INTERNATIONAL ASSOCIATION OF SHEET METAL AIR RAIL TRANSPORTATION WORKERS,
Defendant.
MEMORANDUM OPINION AND ORDER
Plaintiffs David Keown and Diana Angus are former members of the International
Association of Sheet Metal Air Rail Transportation Workers (“SMART”), a national union based
in Washington, D.C., with over 200,000 members. In September 2023, SMART fell victim to a
cyberattack that compromised personally identifying information (“PII”) it had collected from its
current and past members. After learning that their PII was implicated in the breach, Mr.
Keown, a resident of Georgia, and Ms. Angus, a resident of California, each brought a putative
class action against SMART in this district, seeking damages and injunctive relief on behalf of
themselves and all other affected union members. At the Court’s urging, Plaintiffs consolidated
their claims into a single amended complaint. Together, Plaintiffs now assert four state
common-law counts: negligence, negligence per se, breach of implied contract, and unjust
enrichment. Angus, on behalf of herself and a putative subclass of California plaintiffs, also
raises claims under the California Unfair Competition Law and California Consumer Privacy
Act. SMART moves to dismiss all claims against it, contending that Plaintiffs lack standing to
sue and that they fail to state a claim. The Court determines that both Plaintiffs have standing to bring suit, Keown has
presented a plausible claim of negligence, and both Plaintiffs have plausibly alleged breach of an
implied contract. But the amended complaint fails to state a claim of negligence for Angus, a
claim of unjust enrichment for either Plaintiff, or a cause of action for the California statutory
claims. The Court will therefore grant the motion to dismiss in part and deny it in part.
I. Background
In ruling on the motion to dismiss, the Court must take as true the following factual
background from the allegations in the amended complaint.
Plaintiffs David Keown and Diana Angus are both former members of SMART, a labor
union with 203,000 members spread across North America. See Am. Compl. ¶¶ 25, 132, 145.
Keown is a resident of Georgia, Angus of California, and SMART of the District of Columbia.
Id. ¶¶ 19–21. When Plaintiffs joined SMART, they were required to provide it with their
sensitive PII.
On September 9, 2023, SMART suffered a cyberattack that exposed the records of
roughly 62,000 individuals. Id. ¶¶ 3, 7, 37. Two months later, the union notified Keown and
Angus that their PII, potentially including their names and social security numbers, “may have
been involved.” Id. ¶¶ 37, 136, 148. Though by that point Plaintiffs were no longer SMART
members, the union still retained their PII unencrypted on its servers. See id. ¶ 40. Spurred by
notification of the breach, both Plaintiffs say they have since spent time and energy mitigating
any potential impacts, including by monitoring their bank accounts and contacting their financial
institutions. Id. ¶¶ 137, 151. Keown further alleges that his PII was “disseminated on the dark
web, according to Discover.” Id. ¶ 139. He purportedly experienced a corresponding increase in
spam calls, texts, and emails and claims to suffer “fear, anxiety, and stress” stemming from the
2 breach and subsequent publication of his PII. Id. ¶¶ 140–41. Though Angus does not allege that
her PII made it to the dark web, she also claims to have experienced an increased risk of identity
theft, along with other potential harms. Id. ¶¶ 149–54. Plaintiffs insist that SMART is
responsible for these alleged harms because it “did not use reasonable security procedures and
practices appropriate to the nature of the sensitive information it was maintaining” despite its
representations that it would do so. Id. ¶¶ 43, 52. Plaintiffs also complain that the notice of the
breach failed to inform them of the breach’s “root cause” or whether SMART undertook any
remedial measures to better secure Plaintiffs’ PII. Id. ¶ 38.
Keown sued SMART in November 2023; Angus followed in December 2023.1 After an
initial status conference covering both cases, Plaintiffs filed a joint amended complaint in
January 2024. The amended complaint includes counts for negligence, negligence per se, breach
of implied contract, unjust enrichment, and violations of California’s Unfair Competition Law
and Consumer Privacy Act. Id. ¶¶ 170–276. Plaintiffs seek damages on behalf of all individuals
who were sent a notice of the data breach, as well as injunctive relief requiring SMART to
undertake several data security measures to prevent future harm to Plaintiffs. Id. ¶¶ 158, 202,
204. In its motion to dismiss, SMART contends first that Plaintiffs have not alleged an Article
III injury traceable to its conduct and second that each cause of action is either preempted by
federal labor law or fails to state a claim for relief. See Mot. Dismiss at 1–2.
II. Legal Standards
SMART moves to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and
12(b)(6). A motion to dismiss under “Rule 12(b)(1) presents a threshold challenge to the court’s
1 Angus has since voluntarily dismissed her related case, originally docketed as Angus v. Int’l Ass’n of Sheet Metal Air Rail Transp. Workers, No. 23-cv-3692 (D.D.C. Dec. 12, 2023).
3 jurisdiction, whereas 12(b)(6) presents a ruling on the merits with res judicata effect.” Haase v.
Sessions, 835 F.2d 902, 906 (D.C. Cir. 1987). Under Rule 12(b)(1), the plaintiff “bears the
burden of invoking the court’s subject matter jurisdiction, including establishing the elements of
standing.” Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015). And because the Court has “an
affirmative obligation to ensure that it is acting within the scope of its jurisdictional authority,”
“‘the [p]laintiff’s factual allegations in the complaint . . . will bear closer scrutiny in resolving a
12(b)(1) motion’ than in resolving a 12(b)(6) motion for failure to state a claim.” Grand Lodge
of Fraternal Ord. of Police v. Ashcroft, 185 F. Supp. 2d 9, 13 (D.D.C. 2001) (alterations in
original) (citation omitted). By contrast, to survive a motion to dismiss under Rule 12(b)(6), a
complaint need only “contain sufficient factual matter, accepted as true, to ‘state a claim to relief
that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl.
Corp. v. Twombly, 550 U.S. 544, 570 (2007)). The Court “must take all the factual allegations
in the complaint as true,” though it is “not bound to accept as true a legal conclusion couched as
a factual allegation.” Papasan v. Allain, 478 U.S. 265, 286 (1986). Under either the 12(b)(1) or
12(b)(6) standard, “the allegations of the complaint should be construed favorably to the
pleader.” Walker v.
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
DAVID KEOWN, et al.,
Plaintiffs,
v. Case No. 23-cv-3570 (CRC)
INTERNATIONAL ASSOCIATION OF SHEET METAL AIR RAIL TRANSPORTATION WORKERS,
Defendant.
MEMORANDUM OPINION AND ORDER
Plaintiffs David Keown and Diana Angus are former members of the International
Association of Sheet Metal Air Rail Transportation Workers (“SMART”), a national union based
in Washington, D.C., with over 200,000 members. In September 2023, SMART fell victim to a
cyberattack that compromised personally identifying information (“PII”) it had collected from its
current and past members. After learning that their PII was implicated in the breach, Mr.
Keown, a resident of Georgia, and Ms. Angus, a resident of California, each brought a putative
class action against SMART in this district, seeking damages and injunctive relief on behalf of
themselves and all other affected union members. At the Court’s urging, Plaintiffs consolidated
their claims into a single amended complaint. Together, Plaintiffs now assert four state
common-law counts: negligence, negligence per se, breach of implied contract, and unjust
enrichment. Angus, on behalf of herself and a putative subclass of California plaintiffs, also
raises claims under the California Unfair Competition Law and California Consumer Privacy
Act. SMART moves to dismiss all claims against it, contending that Plaintiffs lack standing to
sue and that they fail to state a claim. The Court determines that both Plaintiffs have standing to bring suit, Keown has
presented a plausible claim of negligence, and both Plaintiffs have plausibly alleged breach of an
implied contract. But the amended complaint fails to state a claim of negligence for Angus, a
claim of unjust enrichment for either Plaintiff, or a cause of action for the California statutory
claims. The Court will therefore grant the motion to dismiss in part and deny it in part.
I. Background
In ruling on the motion to dismiss, the Court must take as true the following factual
background from the allegations in the amended complaint.
Plaintiffs David Keown and Diana Angus are both former members of SMART, a labor
union with 203,000 members spread across North America. See Am. Compl. ¶¶ 25, 132, 145.
Keown is a resident of Georgia, Angus of California, and SMART of the District of Columbia.
Id. ¶¶ 19–21. When Plaintiffs joined SMART, they were required to provide it with their
sensitive PII.
On September 9, 2023, SMART suffered a cyberattack that exposed the records of
roughly 62,000 individuals. Id. ¶¶ 3, 7, 37. Two months later, the union notified Keown and
Angus that their PII, potentially including their names and social security numbers, “may have
been involved.” Id. ¶¶ 37, 136, 148. Though by that point Plaintiffs were no longer SMART
members, the union still retained their PII unencrypted on its servers. See id. ¶ 40. Spurred by
notification of the breach, both Plaintiffs say they have since spent time and energy mitigating
any potential impacts, including by monitoring their bank accounts and contacting their financial
institutions. Id. ¶¶ 137, 151. Keown further alleges that his PII was “disseminated on the dark
web, according to Discover.” Id. ¶ 139. He purportedly experienced a corresponding increase in
spam calls, texts, and emails and claims to suffer “fear, anxiety, and stress” stemming from the
2 breach and subsequent publication of his PII. Id. ¶¶ 140–41. Though Angus does not allege that
her PII made it to the dark web, she also claims to have experienced an increased risk of identity
theft, along with other potential harms. Id. ¶¶ 149–54. Plaintiffs insist that SMART is
responsible for these alleged harms because it “did not use reasonable security procedures and
practices appropriate to the nature of the sensitive information it was maintaining” despite its
representations that it would do so. Id. ¶¶ 43, 52. Plaintiffs also complain that the notice of the
breach failed to inform them of the breach’s “root cause” or whether SMART undertook any
remedial measures to better secure Plaintiffs’ PII. Id. ¶ 38.
Keown sued SMART in November 2023; Angus followed in December 2023.1 After an
initial status conference covering both cases, Plaintiffs filed a joint amended complaint in
January 2024. The amended complaint includes counts for negligence, negligence per se, breach
of implied contract, unjust enrichment, and violations of California’s Unfair Competition Law
and Consumer Privacy Act. Id. ¶¶ 170–276. Plaintiffs seek damages on behalf of all individuals
who were sent a notice of the data breach, as well as injunctive relief requiring SMART to
undertake several data security measures to prevent future harm to Plaintiffs. Id. ¶¶ 158, 202,
204. In its motion to dismiss, SMART contends first that Plaintiffs have not alleged an Article
III injury traceable to its conduct and second that each cause of action is either preempted by
federal labor law or fails to state a claim for relief. See Mot. Dismiss at 1–2.
II. Legal Standards
SMART moves to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and
12(b)(6). A motion to dismiss under “Rule 12(b)(1) presents a threshold challenge to the court’s
1 Angus has since voluntarily dismissed her related case, originally docketed as Angus v. Int’l Ass’n of Sheet Metal Air Rail Transp. Workers, No. 23-cv-3692 (D.D.C. Dec. 12, 2023).
3 jurisdiction, whereas 12(b)(6) presents a ruling on the merits with res judicata effect.” Haase v.
Sessions, 835 F.2d 902, 906 (D.C. Cir. 1987). Under Rule 12(b)(1), the plaintiff “bears the
burden of invoking the court’s subject matter jurisdiction, including establishing the elements of
standing.” Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015). And because the Court has “an
affirmative obligation to ensure that it is acting within the scope of its jurisdictional authority,”
“‘the [p]laintiff’s factual allegations in the complaint . . . will bear closer scrutiny in resolving a
12(b)(1) motion’ than in resolving a 12(b)(6) motion for failure to state a claim.” Grand Lodge
of Fraternal Ord. of Police v. Ashcroft, 185 F. Supp. 2d 9, 13 (D.D.C. 2001) (alterations in
original) (citation omitted). By contrast, to survive a motion to dismiss under Rule 12(b)(6), a
complaint need only “contain sufficient factual matter, accepted as true, to ‘state a claim to relief
that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl.
Corp. v. Twombly, 550 U.S. 544, 570 (2007)). The Court “must take all the factual allegations
in the complaint as true,” though it is “not bound to accept as true a legal conclusion couched as
a factual allegation.” Papasan v. Allain, 478 U.S. 265, 286 (1986). Under either the 12(b)(1) or
12(b)(6) standard, “the allegations of the complaint should be construed favorably to the
pleader.” Walker v. Jones, 733 F.2d 923, 926 (D.C. Cir. 1984).
III. Analysis
The Court will take up SMART’s challenge to the Court’s subject matter jurisdiction
over Plaintiffs’ claims. Concluding that it has jurisdiction, the Court will then analyze Plaintiffs’
common-law claims under the law of the District of Columbia. Finally, the Court will consider
Angus’s California statutory claims. While the Court determines that Plaintiffs have adequately
pled two of the common-law claims (negligence and breach of implied contract), it will grant
SMART’s motion to dismiss the remaining claims.
4 A. Subject-Matter Jurisdiction
1. Diversity Jurisdiction
Though SMART does not challenge Plaintiffs’ assertion that the Court has diversity
jurisdiction over their state-law claims, it bears clarifying that the Court’s jurisdiction stems from
the Class Action Fairness Act (“CAFA”). CAFA “gives federal courts jurisdiction over certain
class actions . . . if the class has more than 100 members, the parties are minimally diverse, and
the amount in controversy exceeds $5 million.” Dart Cherokee Basin Operating Co., LLC v.
Owens, 574 U.S. 81, 84–85 (2014) (citing 28 U.S.C. §§ 1332(d)(2), (5)(B)). Parties are
considered minimally diverse if “any member of a class of plaintiffs is a citizen of a [s]tate
different from any defendant.” 28 U.S.C. § 1332(d)(2)(A). Here, Plaintiffs allege that
approximately 62,000 people were affected by the data breach, there is minimal diversity
because they are from different states than SMART, and the amount in controversy exceeds $5
million. See Am. Compl. ¶¶ 7, 22. The Court accepts these undisputed allegations as true for
the purposes of asserting jurisdiction. See, e.g., Dart Cherokee, 574 U.S. at 553 (“When a
plaintiff invokes federal-court jurisdiction, the plaintiff’s amount-in-controversy allegation is
accepted if made in good faith.”).
2. Standing
SMART does, however, contest Plaintiffs’ standing to bring suit. Mot. Dismiss at 5–8.
“[S]tanding is an essential and unchanging part of the case-or-controversy requirement of Article
III.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). Its “irreducible constitutional
minimum” consists of “three elements: ‘(1) injury-in-fact, (2) causation, and (3) redressability.’”
Am. Freedom L. Ctr. v. Obama, 821 F.3d 44, 48 (D.C. Cir. 2016) (quoting Lujan, 504 U.S. at
560). “As the party invoking the court’s subject matter jurisdiction, the plaintiff bears the burden
5 of establishing the elements of standing.” Parents v. Garland, 88 F.4th 298, 304 (D.C. Cir.
2023). And “a plaintiff must ‘demonstrate standing separately for each form of relief sought.’”
TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021) (quoting Friends of the Earth, Inc. v.
Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 185 (2000)). Plaintiffs have met their burden of
proving standing here.
SMART first challenges Plaintiffs’ standing to seek damages on the grounds of injury-in-
fact and traceability. In terms of injury-in-fact, SMART contends that the amended complaint is
deficient because Plaintiffs have not yet incurred “out-of-pocket expenditures” or experienced
“financial fraud or identity theft or misuse of [their] information.” Mot. Dismiss at 5–6. But the
D.C. Circuit has squarely ruled that such injuries are not required to support standing in data
breach cases. See Attias v. Carefirst, Inc. (“Attias II”), 865 F.3d 620, 628 (D.C. Cir. 2017).
Rather, a complaint may survive a Rule 12(b)(1) motion where it “plausibly alleges that the
plaintiffs now face a substantial risk of identity theft as a result of [the defendant’s] alleged
negligence in the data breach.” Id. Like the plaintiffs in Attias II, Plaintiffs here have alleged
that SMART collected and stored their PII, including their social security numbers; this sensitive
information was stolen in the breach; and breach of the data “place[s] plaintiffs at a high risk of
financial fraud” and an “increased risk of identity theft.” Id. at 628; see also Am. Compl. ¶¶ 133,
136, 139, 143, 145, 148–50. Keown further alleges that his PII is now “being disseminated on
the dark web, according to Discover.” Am. Compl. ¶ 139. Where, as here, “an unauthorized
party has already accessed personally identifying data on [the defendant’s] servers . . . it is
plausible . . . to infer that this party has both the intent and the ability to use that data for ill.”
Attias II, 865 F.3d at 628.
6 The Supreme Court’s intervening decision in TransUnion does not defeat Plaintiffs’
alleged injury. Though TransUnion requires that plaintiffs show a separate concrete harm in
addition to the risk of future harm to support a claim of damages, 594 U.S. at 436–37, “the
expenditure of time or money on mitigation measures in response to a data breach, such as
purchasing credit monitoring services or taking other steps to prevent fraud, may create a
concrete Article III injury when paired with a risk of future identity theft.” Attias v. CareFirst,
Inc., 344 F.R.D. 38, 47 (D.D.C. 2023) (Cooper, J.). As Keown and Angus have both alleged that
they have pursued such mitigation measures, they have met that standard here. See Am. Compl.
¶¶ 137, 151.
SMART also asserts that plaintiffs have not established that their alleged injuries are
traceable to this data breach because the amended complaint does not plead that this particular
data breach is the only one that implicated plaintiffs’ PII. See Mot. Dismiss at 7–8. But, at the
motion-to-dismiss stage, it is sufficient for the complaint to show that the injuries claimed—
substantial risk of identity theft and Plaintiffs’ corresponding mitigation measures—are “fairly
traceable” to the data breach. Attias II, 865 F.3d at 629 (quoting Lexmark Int’l, Inc. v. Static
Control Components, Inc., 572 U.S. 118, 134 n.6 (2014)); see also In re Unite Here Data Sec.
Incident Litig., No. 24-cv-1565 (JSR), 2024 WL 3413942, at *4 (S.D.N.Y. July 15, 2024)
(rejecting the same argument because “[t]he fact that there have been other large data breaches,
and the speculative possibility that plaintiffs were subjected to them, are matters well beyond the
allegations in the complaint and cannot be used to support defendant’s motion to dismiss”).
Assuming, as the Court must, that Plaintiffs will prevail on the merits of their claim that
SMART’s negligent handling of their data resulted in unauthorized access to that data, the
7 corresponding risk of financial fraud and identity theft is fairly traceable to SMART’s conduct.
See Attias II, 865 F.3d at 629 (quoting Lexmark Int’l, Inc., 572 U.S. at 134 n.6).
Next, SMART contends that Plaintiffs have not alleged standing to pursue injunctive
relief because, in its view, the data breach was an isolated event that is unlikely to recur. Mot.
Dismiss at 8. But Plaintiffs need not allege a “credible threat” that SMART “will again be
attacked by cybercriminals” to survive a 12(b)(1) motion to dismiss. Id. Plaintiffs allege that
their PII “remains unencrypted” and “backed up in Defendant’s possession” such that it “is
subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate
and adequate measures to protect [it].” Am. Compl. ¶ 92. “[G]iven [the] Plaintiffs’ allegations
regarding [Defendant’s] continued failure to adequately secure its databases, it is reasonable to
infer that there remains a ‘substantial risk’ that their personal information will be stolen from
[SMART] again in the future.” See In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928
F.3d 42, 54–55 (D.C. Cir. 2019). This “substantial risk” is sufficient to support standing for
injunctive relief. Id. at 59; see also TransUnion, 594 U.S. at 415 (“[M]aterial risk of future harm
can satisfy the concrete-harm requirement in the context of a claim for injunctive relief to
prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and
substantial.”).
Satisfied that it has jurisdiction, the Court now turns to Plaintiffs’ asserted claims.
B. Common Law Claims
Plaintiffs assert four common-law counts against SMART: (1) negligence; (2) negligence
per se; (3) breach of implied contract; and (4) unjust enrichment. As SMART points out, the
amended complaint does not specify under which state’s common law Plaintiffs seek relief. See
Mot. Dismiss at 9. SMART’s motion to dismiss assumes that the law of either the District of
8 Columbia or Plaintiffs’ home forums will apply. See, e.g., id. at 18–19 (discussing negligence
per se under D.C., Georgia, and California common law). Keown and Angus respond that
discovery is necessary to determine which state has the most significant relationship to the
dispute, as well as the citizenship of all putative class members. Opp’n at 14–16. The Court first
addresses the threshold choice-of-law issue before analyzing each of the claims.
1. Choice of Law
When exercising diversity jurisdiction, federal courts apply the substantive law of the
forum state, including its choice-of-law rules. Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S.
487, 496 (1941); Shaw v. Marriott Int’l, Inc., 605 F.3d 1039, 1045 (D.C. Cir. 2010). Under the
District of Columbia’s choice-of-law rules, courts apply “a modified ‘governmental interests
analysis[,]’ which seeks to identify the jurisdiction with the ‘most significant relationship’ to the
dispute.” Washkoviak v. Student Loan Mktg. Ass’n, 900 A.2d 168, 180 (D.C. 2006) (quoting
Moore v. Ronald Hsu Constr. Co., 576 A.2d 734, 737 (D.C. 1990)). “Under this approach, the
first step is to determine whether a ‘true conflict’ exists—that is, whether more than one
jurisdiction has a potential interest in having its law applied and, if so, whether the law of the
competing jurisdictions is different.” GEICO v. Fetisoff, 958 F.2d 1137, 1141 (D.C. Cir. 1992)
(citations omitted). If there is a conflict, courts then “evaluate the governmental policies
underlying the applicable laws and determine which jurisdiction’s policy would be more
advanced by the application of its law to the facts of the case,” considering “the four factors
enumerated in the Restatement (Second) of Conflict of Laws § 145.” Washkoviak, 900 A.2d at
180 (quoting District of Columbia v. Coleman, 667 A.2d 811, 816 (D.C. 1995)). Where no
conflict exists between the interested states’ laws, D.C. law applies by default. See Beach TV
9 Props., Inc. v. Solomon, 306 F. Supp. 3d 70, 92 (D.D.C. 2018) (citing GEICO, 958 F.2d at
1141).
a. True Conflict
Both Plaintiffs’ home states and the District of Columbia have an interest in having their
laws applied. The amended complaint states that Keown is a Georgia resident, Angus is a
California resident, and SMART is “governed under the laws of the District of Columbia” with a
principal place of business in the District of Columbia. Am. Compl. ¶¶ 19–21. Plaintiffs’ home
forums have an interest in protecting their residents from injury, while the District of Columbia
has an interest in preventing entities within its borders from engaging in tortious conduct. Cf.
Washkoviak, 900 A.2d at 180–81 (“Wisconsin has a powerful interest in protecting its residents
from fraud and misrepresentation, while the District of Columbia has an equally strong interest
in ensuring that its corporate citizens refrain from fraudulent activities.”). Plaintiffs also assert
that the putative class members’ states of residency may have interests at stake, Opp’n at 29, but
the Court need not consider putative class member residencies prior to certification. See
Washkoviak, 900 A.2d at 176 n.11; Margolis v. U-Haul Int’l, Inc., 818 F. Supp. 2d 91, 105
(D.D.C. 2011) (“The plaintiff has not moved for class certification and no class has been
certified. Therefore, the residency of the putative class is irrelevant here.”). With the relevant
jurisdictions identified, the Court will next consider whether a “true conflict” exists between the
laws of the three jurisdictions.
There does not appear to be a conflict in how the relevant jurisdictions assess breach-of-
contract or unjust enrichment claims in the data-breach context. In considering breach-of-
contract claims arising from data breaches, all three jurisdictions have applied substantially
similar tests to reach the same outcome. See Attias v. CareFirst, Inc. (“Attias VII”), No. 15-CV-
10 882 (CRC), 2023 WL 5952052, at *6 (D.D.C. Sept. 13, 2023); Tracy v. Elekta, Inc., 667 F.
Supp. 3d 1276, 1287 (N.D. Ga. 2023); In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d
1130, 1144 (C.D. Cal. 2021). Likewise, though D.C.’s federal and state courts have yet to fully
adjudicate unjust enrichment claims in the data-breach context, the elements of the claim are
similar across the three jurisdictions. See Peart v. D.C. Hous. Auth., 972 A.2d 810, 813–14
(D.C. 2009); St. Paul Mercury Ins. Co. v. Meeks, 508 S.E.2d 646, 648 (Ga. 1998); Peterson v.
Cellco P’ship, 80 Cal. Rptr. 3d 316, 324 (Cal. Ct. App. 2008). Therefore, by default, the Court
will apply D.C. law to these claims. See Beach TV Props., Inc., 306 F. Supp. 3d at 92.
There may, however, be a conflict with respect to the law of negligence in these
jurisdictions. Though Georgia, California, and D.C. all set forth a similar formulation of the
standard elements of duty, breach, causation, and damages, see Hedgepeth v. Whitman Walker
Clinic, 22 A.3d 789, 793 (D.C. 2011) (en banc); John B. v. Superior Ct., 137 P.3d 153, 159 (Cal.
2006); Weller v. Blake, 726 S.E.2d 698, 702 (Ga. 2012), they have applied those elements
differently in such data-breach cases. For example, when assessing the damages element,
Georgia recognizes the risk of harm presented by “data in the hands of criminals,” Tracy, 667 F.
Supp. 3d at 1283 (citing Collins v. Athens Orthopedic Clinic, P.A., 837 S.E.2d 310 (Ga. 2019)),
California recognizes increased time spent on credit monitoring, see, e.g., In re Solara Med.
Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284, 1295–96 (S.D. Cal.
2020), but D.C. recognizes neither, see Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702,
708 (D.C. 2009). As a result, the Court must proceed to determine which jurisdiction’s policy
would be better advanced by application of its law to the facts of the case under the Restatement
factors. The Court determines that the factors moderately favor application of D.C. law, see
infra Part II.B.i.b, so it will apply D.C. law to the negligence counts as well. While this analysis
11 is close, D.C. law would have applied even if it was inconclusive. See Wu v. Stomber, 750 F.3d
944, 949 (D.C. Cir. 2014).
b. Governmental Interests Test
To determine which state has the greater interest in a dispute, D.C. courts look to four
factors: “a) the place where the injury occurred; b) the place where the conduct causing the
injury occurred; c) the domicile, residence, nationality, place of incorporation and place of
business of the parties; and d) the place where the relationship is centered.” See Washkoviak,
900 A.2d at 180 (quoting Coleman, 667 A.2d at 816).
The first factor, the location of the injury, is indeterminate. Plaintiffs have experienced
some of their alleged injuries in their home forums, including their emotional distress and time
spent responding to the data breach. See Am. Compl. ¶¶ 199–200. But other alleged injuries,
like Plaintiffs’ loss of privacy and the devaluation of their PII, logically stem from the place
where cybercriminals accessed the data. See id. ¶ 199. And still other purported injuries, like
Plaintiffs’ loss of the benefit of the bargain and the risk of misuse of PII, cannot be said to stem
from one location. See id. Therefore, this factor does not clearly favor any one jurisdiction.
As for the second factor—the conduct causing injury—the complaint allegations favor
application of D.C. law. As Plaintiffs note, “to determine the place where the conduct causing
injury occurred in data breach case, courts generally focus on the location of the servers from
where the data was hacked” or, in the absence of such a location, “have applied the law of the
forum state” or “look[ed] to defendants’ headquarters or possibly where cybersecurity decisions
were made.” Opp’n at 15 (citing In re Blackbaud, Inc., Customer Data Breach Litig., 567 F.
Supp. 3d 667, 675 (D.S.C. 2021); In re Mednax Servs., Inc., Customer Data Sec. Breach Litig.,
603 F. Supp. 3d 1183, 1199 (S.D. Fla. 2022)). Each of these alternatives points to the District of
12 Columbia. Plaintiffs allege that SMART’s place of business is in the District of Columbia, that
SMART “maintains Class Members’ PII in this District,” and that “decisions made by
Defendant’s governance and management personnel or inaction by those individuals that led to
the Data Breach” occurred in the District of Columbia. See Am. Compl. ¶ 24. At the motion-to-
dismiss stage, the Court must take these allegations as true, even though discovery may later
reveal that Plaintiffs’ data was housed or SMART’s decision-making actually took place
elsewhere. Therefore, with no pled connections to Plaintiffs’ home forums, this factor favors the
District of Columbia. See In re APA Assessment Fee Litig., 766 F.3d 39, 54 (D.C. Cir. 2014).
Next, “the domicil[e], residence, nationality, place of incorporation[,] and place of
business of the parties” is “split evenly” among the three states, as each party hails from a
different one. Id. (quoting Washkoviak, 900 A.2d at 181). While Plaintiffs point out that this
case is a “putative nationwide class” and “the state citizenship of all putative Class Members is
not yet known,” Opp’n at 29, as the Court noted above, “[a] class action, when filed, includes
only the claims of the named plaintiff or plaintiffs.” Molock v. Whole Foods Mkt. Grp., Inc.,
952 F.3d 293, 298 (D.C. Cir. 2020) (quoting Gibson v. Chrysler Corp., 261 F.3d 927, 940 (9th
Cir. 2001)).
The final factor, the place where the relationship is centered, is neutral. Where, as here,
“the parties cite no case law directly addressing where the relationship between a national
nonprofit organization and its members is ‘centered[,’] . . . the fourth factor does not weigh
strongly in favor of either party.” In re APA Assessment Fee Litig., 766 F.3d at 54.
Taken together, the factors somewhat favor application of D.C. law. Given that D.C.
courts apply D.C. law even “where the [Restatement] factors do not point to a clear answer,” the
Court finds this outcome all the more appropriate here. Wu, 750 F.3d at 949 (citing
13 Washkoviak, 900 A.2d at 176). Moreover, applying D.C. law “works no unfairness to plaintiffs,
because they chose to pursue their claim in the District of Columbia.” In re APA Assessment
Fee Litig., 766 F.3d at 55 (citation omitted). Though the Court will apply D.C. law to each claim
in ruling on the motion to dismiss, the Court “leave[s] open the possibility that, after both parties
have been afforded the opportunity to conduct discovery and present evidence, [the Court] may
conclude . . . that [a foreign jurisdiction] has a greater interest than the District of Columbia in
the resolution of this controversy[.]” Washkoviak, 900 A.2d at 183.
The Court now turns to each of Plaintiffs’ asserted common-law claims: (1) negligence;
(2) negligence per se; (3) breach of implied contract; and (4) unjust enrichment.
2. Negligence & Negligence Per Se
Plaintiffs contend that SMART’s mishandling of their sensitive PII was negligent (Count
1) and negligent per se under Section 5 of the Federal Trade Commission Act (“FTC Act”)
(Count 2). See Am. Compl. ¶¶ 170–224 (citing 15 U.S.C. § 45).
“[A] claim alleging the tort of negligence must show: (1) that the defendant owed a duty
to the plaintiff, (2) breach of that duty, and (3) injury to the plaintiff that was proximately caused
by the breach.” Hedgepeth, 22 A.3d at 793. “The same is true of negligence-per-se,” Tolson v.
The Hartford Fin. Servs. Grp., Inc., 278 F. Supp. 3d 27, 36 (D.D.C. 2017), because “negligence
per se is not in and of itself a separate legal claim—rather, it permits a plaintiff under ‘certain
circumstances and under specified conditions,’ to ‘rely on a statute or regulation as proof of the
applicable standard of care,’” Hunter ex rel. A.H. v. District of Columbia, 64 F. Supp. 3d 158,
188–89 (D.D.C. 2014) (quoting McNeil Pharm. v. Hawkins, 686 A.2d 567, 578 (D.C. 1996)).
SMART moves to dismiss both counts, asserting that (1) the federal-law duty of fair
representation preempts any common law negligence claim against the union; (2) the FTC Act
14 cannot serve as the statutory basis for negligence per se; and (3) Plaintiffs fail to allege any
actual damages. Because negligence per se “is not in and of itself a separate legal claim,” id., the
Court will consider Plaintiffs’ negligence per se “claim” as one possible theory of proving
SMART’s duty and breach. Ultimately, the Court concludes that Plaintiffs’ negligence claims
are not preempted but that only Keown has plausibly alleged the elements of such a claim.
a. Preemption
The National Labor Relations Act (“the NLRA”) imposes a duty on unions “as the
exclusive bargaining representative of the employees . . . fairly to represent all of those
employees.” United Steelworkers of Am. v. Rawson, 495 U.S. 362, 372 (1990) (quoting Vaca v.
Sipes, 386 U.S. 171, 177 (1967)). This “duty of fair representation” applies to both the union’s
“collective bargaining . . . and . . . its enforcement of the resulting collective bargaining
agreement.” Id. (quoting Vaca, 386 U.S. at 177). Under the duty of fair representation, “the
exclusive agent’s statutory authority to represent all members of a designated unit includes a
statutory obligation to serve the interests of all members without hostility or discrimination
toward any, to exercise its discretion with complete good faith and honesty, and to avoid
arbitrary conduct.” Vaca, 386 U.S. at 177. Breach of this duty occurs “only when a union’s
conduct toward a member of the collective bargaining unit is arbitrary, discriminatory, or in bad
faith.” Id. (quoting Vaca, 386 U.S. at 190). As SMART would have it, this duty preempts any
state-law negligence claim. Mot. Dismiss at 10–14. The Court disagrees.
The D.C. Circuit has held that the duty of fair representation preempts “identical” state
law claims. See May v. Shuttle, Inc., 129 F.3d 165, 179 (D.C. Cir. 1997) (citing Nellis v. Air
Line Pilots Ass’n, 15 F.3d 50, 51 (4th Cir. 1994)). In May, for example, the Circuit determined
that the plaintiffs’ state-law fraud claim was preempted because the plaintiffs’ counsel
15 effectively conceded that it arose from the “collective bargaining agreement,” under which
“lying . . . [was not] condoned.” Id. In reaching this conclusion, the Circuit relied on the Fourth
Circuit’s decision in Nellis, which held that the duty of fair representation preempted state-law
contract claims arising from duties “were ‘mere refinements’ of the federal duty of fair
representation.” 15 F.3d at 51.
Here, Plaintiffs’ claims challenging negligent data storage are not “identical” to a duty of
fair representation claim. Rather, their negligence counts are premised on alleged duties
separate from the duty of fair representation, including duties of care imposed by the FTC Act
and SMART’s promises to Plaintiffs regarding its data security. Opp’n at 16. Moreover, unlike
in May, where the alleged duty arose from the parties’ collective bargaining agreement and
thereby fell within the scope of its duty of fair representation, neither party here suggests that
their collective bargaining agreement imposed on SMART a duty to protect its members’ PII.
The union characterizes Plaintiffs’ negligence claim as a challenge to its “administration of its
dues collection system,” Mot. Dismiss at 14, to which the duty of fair representation applies. But
SMART’s use of Plaintiffs’ PII for dues collection does not transform its allegedly improper
storage of that information into representational activity.2 Plaintiffs’ claims are therefore not
preempted.
2 Because Plaintiffs’ claims “involve[] union activity that [is] peripheral to the concern of the applicable federal statutes and present[s] only a tangential or remote potential conflict with the federal regulatory scheme,” Condon v. Loc. 2944, 683 F.2d 590, 595 (1st Cir. 1982), the Court need not address whether, as SMART contends, the duty of fair representation preempts the “field” of “all forms of representational conduct,” Mot. Dismiss at 13. The circuits are split on whether they consider the duty of fair representation as a species of field or conflict preemption. See Figueroa v. Foster, 864 F.3d 222, 228–32 (2d Cir. 2017) (explaining that the First, Fifth, and Tenth Circuits understand the duty to preempt all state-law causes of action in the regulated field, while the Second, Fourth, Eighth, and Ninth Circuits have adopted a narrower, conflict-preemption approach). The D.C. Circuit has not weighed in on this split but, for the reasons discussed, SMART’s argument is unavailing under either theory.
16 b. Duty & Breach
“As a general rule, the plaintiff in a negligence action bears the burden of proving ‘the
applicable standard of care[] [and] a deviation from that standard by the defendant[.]’” McNeil
Pharm., 686 A.2d at 577 (quoting Toy v. District of Columbia, 549 A.2d 1, 6 (D.C. 1988)). In
their opposition brief, Plaintiffs seek to locate SMART’s duty of care in three sources: (1) the
FTC Act (as the basis of their negligence per se theory), (2) “the standard duties of care in
Defendant’s industry,” and (3) “Defendant’s own promises and representations that were made
to Plaintiffs, regarding its data security.” Opp’n at 16. None of these sources impose a duty on
SMART that plausibly gives rise to a negligence claim. However, the Court finds that Plaintiffs
have adequately alleged that SMART had (and deviated from) a common-law duty of care to
protect their PII from foreseeable risk of theft. See Am. Compl. ¶¶ 188–92.
The FTC Act cannot serve as the basis of Plaintiffs’ negligence per se theory under D.C.
law, which permits “[v]iolation of a statute or regulation [to] constitute negligence per se only ‘if
the statute is meant to promote safety, if the plaintiff is a member of the class to be protected by
the statute, and if the defendant is a person upon whom the statute imposes specific duties.’”
Night & Day Mgmt., LLC v. Butler, 101 A.3d 1033, 1039 (D.C. 2014) (quoting Ginsberg v.
Granados, 963 A.2d 1134, 1140 (D.C. 2009)). The FTC Act, which declares unlawful “[u]nfair
methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or
affecting commerce,” 15 U.S.C. § 45, is not “meant to promote safety.” Night & Day Mgmt.,
LLC, 101 A.3d at 1039; cf. In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d
374, 407–08 (E.D. Va. 2020) (concluding that the FTC Act could underpin a negligence per se
theory under New York but not Virginia law because, like D.C., negligence per se under Virginia
law requires a public safety purpose, and “Section 5 of the FTC was intended to prevent unfair
17 and deceptive trade practices”). Therefore, it is not a viable source of an alleged negligence
claim against SMART.
Nor are “the standard duties of care in [SMART’s] industry” or “[SMART’s] own
promises and representations that were made to Plaintiffs, regarding its data security.” Plaintiffs
do not identify the source of any “standard duties of care” for the labor union industry apart from
the duty of fair representation, see Am. Compl. ¶¶ 87–91 (listing several alleged “best practices”
for “labor unions dealing with sensitive PII” without alleging the source of these practices or any
duty to follow them), on which Plaintiffs expressly disavow reliance, Opp’n at 19 (“Here, there
is no ‘fair representation’ claim[.]”). As to SMART’s alleged promises of data security, the
amended complaint points only to the union’s website privacy policy, which, by its own terms,
applies just to “information collected from visitors to the web site.” Am. Compl. ¶ 30. Plaintiffs
do not allege that they gave their PII to SMART as visitors to its website and do not respond to
SMART’s observation that the website policy does not apply to them as a result. Consequently,
these sources also cannot support Plaintiffs’ claimed duty of care.
But Plaintiffs adequately pled that SMART violated a common-law duty of care when it
failed to protect their PII from foreseeable risks. See id. ¶¶ 188–92. As this Court has
recognized in the past, “there are some circumstances under District of Columbia law where
even a failure to act will give rise to a legal duty.” Attias v. CareFirst, Inc. (“Attias III”), 365 F.
Supp. 3d 1, 20 (D.D.C. 2019). “[C]onsideration of whether a duty exists to protect another from
intervening criminal acts includes consideration of heightened foreseeability.” Bd. of Trs. of
Univ. of D.C. v. DiSalvo, 974 A.2d 868, 871–72 (D.C. 2009). Where “the injury that befell the
plaintiff was ‘reasonably foreseeable’ to the defendant, then courts will usually conclude that the
18 defendant owed the plaintiff a duty to avoid causing that injury[.]” Hedgepeth, 22 A.3d at 793.
This duty is also informed by the relationship between the parties. Id.
Here, Plaintiffs allege that SMART had a duty “to protect[] Plaintiffs and the Class from
the risk of foreseeable criminal conduct of third parties[.]” Am. Compl. ¶ 195. In support of this
legal conclusion, Plaintiffs allege that they were required to give their highly sensitive PII to
SMART as members of the organization. Id. ¶ 27. Risk of unauthorized access to this
information was foreseeable, they allege, because SMART held it unencrypted on its servers, an
“inadequate security practice[],” and there had been a “high known frequency of cyberattacks
and data breaches in the labor union industry.” Id. ¶¶ 28, 188–89. Though they do not delve into
specifics, Plaintiffs further allege that there were “repeated warnings and alerts directed to
protecting and securing sensitive data,” a “substantial increase in cyber-attacks and/or data
breaches targeting labor unions that collect and store PII, like Defendant, preceding the date of
the breach,” and a high “prevalence of public announcements of data breach and data security
compromise.” Id. ¶¶ 55, 56, 67. Plaintiffs further contend that SMART could have prevented
the disclosure of their PII merely “by properly securing and encrypting the files and file servers
containing the PII of Plaintiffs and Class Members.” Id. ¶ 54.
Taking these allegations as true and drawing all reasonable inferences from them, the
complaint plausibly alleges that SMART failed to take reasonable steps to protect Plaintiffs’ PII
despite the foreseeable risk of a cyberattack. Cf. Attias III, 365 F. Supp. 3d at 21 (finding no
duty of care where the plaintiffs had not alleged known issues with the organization’s data
security system or other recent highly publicized data breaches in that industry). Moreover, to
the extent SMART’s alleged failure to take these measures would violate the FTC Act, such
evidence also supports Plaintiffs’ claim of duty and breach. See Rong Yao Zhou v. Jennifer Mall
19 Rest., Inc., 534 A.2d 1268, 1274 (D.C. 1987) (“Where the court does not perceive a public safety
purpose in the legislative enactment, the statutory violation may be admitted as evidence of
negligence, although it does not constitute negligence per se.” (quoting Stevens v. Hall, 391 A.2d
792, 795–96 (D.C. 1978)); In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d at
407 (collecting cases finding that the FTC Act creates a “duty [that] is ascertainable as it relates
to data breach cases” and that inadequate security measures may violate this duty).
c. Causation & Injury
Moving to causation and injury, “[t]o maintain an action for negligence, a plaintiff must
allege more than speculative harm from defendant’s allegedly negligent conduct.” Randolph,
973 A.2d at 708. Plaintiffs here present six forms of actual harm allegedly caused by the data
breach: (1) heightened risk of misuse of personal information; (2) time, effort, and future costs to
mitigate the risk of harm; (3) lost benefit of the bargain; (4) diminution in value of their private
information; (5) loss of privacy; and (6) emotional distress. Opp’n at 24–28. Each of these
harms, Plaintiffs argue, is sufficient to establish causation and injury. To support that argument,
however, Plaintiffs cite only cases considering the injury-in-fact requirement for standing. See,
e.g., Opp’n at 24–27. That won’t do because “[p]laintiffs may satisfy the Article III injury-in-
fact requirement and yet fail to adequately plead damages for a particular cause of action.”
Attias III, 365 F. Supp. 3d at 9. Moreover, D.C. law, which holds that “speculative harm, or the
threat of future harm—not yet realized—does not suffice to create a cause of action for
negligence,” forecloses many of Plaintiffs’ alleged forms of damages. In re Estate of Curseen v.
Buchanan Ingersoll, P.C., 890 A.2d 191, 193 n.3 (D.C. 2006). After considering each of
Plaintiffs’ theories of actual harm under D.C. law, the Court concludes that Keown’s claim
survives, while Angus’s does not.
20 i) Heightened Risk of Misuse & Mitigation Efforts
The District of Columbia Court of Appeals has expressly declined to treat heightened risk
of misuse of personal information and lost time spent on mitigation measures as actual damages
for the purpose of a negligence claim in the data breach context. See Randolph, 973 A.2d at 708.
Randolph precludes recovery on this theory for Angus, who alleges solely that she “faces a
substantial risk” of “illegal schemes,” that she expended “time and effort” to mitigate any effect
of the data breach, and that she “may incur out-of-pocket costs for protective measures” in the
future. Am. Compl. ¶¶ 150–52; see also Randolph, 973 A.2d at 708 (“To the extent that
[plaintiffs] allege actual harm from expenses they have incurred to undertake credit monitoring
or other security measures to guard against possible misuse of their data, they have alleged an
injury that is ‘not the result of any present injury, but rather the [result of] the anticipation of
future injury that has not materialized.’” (quoting In re Estate of Curseen, 890 A.2d at 194)).
By contrast, Keown alleges that his PII was “disseminated on the dark web” because of
the data breach and that he has “experienc[ed] an increase in spam calls, texts, and/or emails.”
Am. Compl. ¶¶ 139–40. He further alleges that he has “spent significant time” dealing with
these effects that he “otherwise would have spent on other activities, including but not limited to
work and/or recreation.” Id. ¶ 137. This expenditure of time is much closer to the present injury
of scammers using Keown’s PII than to efforts to mitigate potential future harm. As a result,
Keown “has gone well beyond pleading the anticipation of future injury and has instead alleged
an actual injury resulting from [SMART’s] conduct” sufficient to support a negligence claim
under D.C. law. Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 37 (D.D.C. 2020)
(considering a plaintiff whose PII was posted on social media).
21 ii) Lost Value
Plaintiffs next contend that they were harmed by “lost benefit of the bargain” and “lost or
diminished value of PII.” Am. Compl. ¶¶ 131, 198; Opp’n at 25–27. This argument fails. Even
under the more lenient standard for injury-in-fact, courts in this district have rejected the benefit-
of-the-bargain theory, including in the commercial context where plaintiffs have allegedly “paid
money that could have gone towards a better data-security policy.” In re Sci. Applications Int’l
Corp. Backup Tape Data Theft Litig. (“SAIC”), 45 F. Supp. 3d 14, 30 (D.D.C. 2014); see
Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1, 13–14 (D.D.C. 2015); Attias
III, 365 F. Supp. 3d at 12. Plaintiffs here would not have been able to satisfy even this rejected
theory given that they have not alleged that they paid any money that could have gone to data
security. Consequently, their unsupported allegations that their union memberships somehow
lost value because of a data breach that occurred years after they left the union certainly fails the
more stringent standard of actually pleading damages.
The Court similarly finds the alleged loss of value of Plaintiffs’ PII insufficient to state a
claim of actual damages. As two courts in this district have observed in rejecting this theory in
the injury-in-fact context, Plaintiffs “do not allege facts to support the inference of their
allegation that their personal information became less valuable as a result of the [data] breach or
that they attempted to sell their information and were rebuffed because of a lower price-point
attributable to the breach.” Welborn v. Internal Revenue Serv., 218 F. Supp. 3d 64, 78 (D.D.C.
2016). Though Plaintiffs allege that personal information “can be sold at a price ranging from
$40 to $200” and that theirs has now decreased in “rarity,” Am. Compl. ¶¶ 71, 153, the
“[p]laintiffs do not contend that they intended to sell [their] information on the cyber black
market in the first place, so it is uncertain how they were injured by this alleged loss,” SAIC, 45
22 F. Supp. 3d at 30. To the contrary, Keown and Angus both allege that they are “very careful
about sharing [their] Private Information.” Am. Compl. ¶¶ 135, 146. Because Plaintiffs do not
show how they were injured by any alleged loss in value of their PII, this theory does not support
their negligence claim.
iii) Privacy
Plaintiffs next contend that they have experienced a loss of privacy due to the data
breach. Id. ¶¶ 138, 156. Injury to a legally recognized intangible interest, such as a plaintiff’s
privacy, may constitute “damage to the interests of the plaintiff” sufficient to support a claim of
negligence if the defendant has a duty to prevent such damage. District of Columbia v. Cooper,
483 A.2d 317, 321 (D.C. 1984); see also Tyson v. District of Columbia, No. 20-CV-1450 (RC),
2021 WL 860263, at *3 (D.D.C. Mar. 8, 2021) (sustaining a negligence claim where the injury
was “restriction[] on [the plaintiff’s] liberty” resulting from failure to timely release him from
prison); cf. SAIC, 45 F. Supp. 3d at 29 (holding that plaintiffs whose stolen data was used had
claimed an “injury to their privacy” sufficient for standing purposes). However, “[f]or a person’s
privacy to be invaded, their personal information must, at a minimum, be disclosed to a third
party.” SAIC, 45 F. Supp. 3d at 28.
Mr. Keown has plausibly alleged that public disclosure on the dark web of his social
security number and name, as well as possibly other information, constitutes an actual harm to
his interest in privacy that is both judicially cognizable and recognized at common law. See
Randolph, 973 A.2d at 710 (“In this age of identity theft and other wrongful conduct through the
unauthorized use of electronically-stored data, . . . conduct giving rise to unauthorized viewing of
personal information such as a plaintiff’s Social Security number and other identifying
information can constitute an intrusion that is highly offensive to any reasonable person, and
23 may support an action for invasion of privacy[.]”); Magruder v. Cap. One, Nat’l Ass’n, 540 F.
Supp. 3d 1, 11 (D.D.C. 2021) (“[T]here is ‘a significant history, including at common law, of
lawsuits based on [] the unauthorized disclosure of a person’s private information[.]’” (quoting
Gambles v. Sterling Infosystems, Inc., 234 F. Supp. 3d 510, 522 (S.D.N.Y. 2017)). Though
“invasion of privacy” is an intentional tort, Randolph, 973 A.2d at 711, “one incident may give
rise to claims of intentional tort or negligence,” if “presented individually and founded on
appropriate evidence.” Sabir v. District of Columbia, 755 A.2d 449, 452 (D.C. 2000). In this
case, Keown has plausibly alleged “that the defendant, in the process of engaging in the conduct
that included the intentional tort, was also breaching another recognized duty owed the plaintiff.”
McCracken v. David Walls–Kaufman, 717 A.2d 346, 351 (D.C. 1998). He has therefore
plausibly alleged a negligence claim separate from the elements of an intentional tort.
Ms. Angus, on the other hand, does not allege that her PII “has been viewed nor that [her]
information has been exposed in a way that would facilitate easy, imminent access.” SAIC, 45
F. Supp. 3d at 29. The hackers may have accessed the records of 62,000 individuals, but they
did not necessarily “read, cop[y], or underst[an]d [every individual’s] data.” Id. (citing Reilly v.
Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011)). Unlike Keown, Angus does not allege any
present effects of the data breach demonstrating that her PII was publicly disclosed or even
actually compromised. See Am. Compl. ¶ 37 (noting that recipients of the notice of breach only
“may have [had data] involved”). Accordingly, Keown has stated a claim under this theory, but
Angus has not.
24 iv) Emotional Distress
Finally, both Keown and Angus allege they have suffered emotional distress in
connection with the data breach.3 Keown claims he experiences “fear, anxiety, and stress” as a
result of the publication of his PII on the dark web following the breach. Id. ¶ 141. Because this
emotional distress stems from the invasion of another legally protected interest—one in
privacy—Keown may seek so-called “parasitic” damages. Hedgepeth, 22 A.3d at 809
(“Damages for emotional distress also are awarded as part of compensation for violation of
statutory and common law rights that result in foreseeable emotional distress.”). Angus,
however, does not tie her claimed emotional distress to any other theory of injury. And in the
District of Columbia, “[t]o state a claim where emotional distress is the only injury suffered, the
plaintiff must satisfy either the ‘zone of physical danger’ rule . . . or the special relationship and
undertaking rule[.]” Attias III, 365 F. Supp. 3d at 16 (first quoting Williams v. Baker, 572 A.2d
1062 (D.C. 1990) (en banc); then citing Hedgepeth, 22 A.3d at 810). Angus does not allege that
the data breach placed her in physical danger, and Plaintiffs have disclaimed reliance on a special
relationship theory. See Opp’n at 18 (“It is not the ‘special relationship’ between the Parties here
that forms the duty.”). Therefore, Angus cannot rest her negligence action on emotional-distress
damages alone.
In sum, Keown has plausibly alleged that the data breach resulted in time spent
responding to scammers, an invasion of his privacy, and emotional distress. Because his injuries
are neither purely economic nor purely emotional, Keown need not allege a special relationship
3 While the amended complaint does not directly state that Angus has experienced emotional distress, it generally alleges that the “Plaintiffs and the Class have suffered . . . emotional distress.” Am. Compl. ¶ 200. The Court will evaluate this claim as if directly alleged by Angus.
25 to recover. See Gutrejman v. United States, 527 F. Supp. 3d 1, 8 (D.D.C. 2021) (noting that the
“economic loss doctrine” “bars recovery ‘of purely economic losses in negligence, subject to
only one limited exception where a special relationship exists’” (quoting Aguilar v. RP MRP
Wash. Harbour LLC, 98 A.3d 979, 985–86 (D.C. 2014)). On the other hand, Angus fails to
plausibly allege any present injury sufficient to support a claim of negligence because she has
not alleged that her PII was viewed, published, or used in any way. The Court will therefore
deny SMART’s motion to dismiss Count 1 as to Keown but grant the motion as to Angus.
3. Breach of Implied Contract
Count 3 of the amended complaint alleges that when Plaintiffs entrusted SMART with
their PII, the parties entered into an implied contract for SMART to
(a) use such PII for business purposes only, (b) take reasonable steps to safeguard that PII, (c) prevent unauthorized disclosures of the PII, (d) provide Plaintiffs and Class Members with prompt and sufficient notice of any and all unauthorized access and/or theft of their PII, (e) reasonably safeguard and protect the PII of Plaintiffs and Class Members from unauthorized disclosure or uses, [and] (f) retain the PII only under conditions that kept such information secure and confidential.
Am. Compl. ¶¶ 223–29. They further allege that SMART “promulgated, adopted, and
implemented written privacy policies whereby it expressly promised Plaintiffs and Class
Members that it would only disclose PII under certain circumstances, none of which relate to the
Data Breach” and “promised to comply with industry standards and to make sure that Plaintiffs’
and Class Members’ PII would remain protected.”4 Id. ¶¶ 233–34. Plaintiffs also claim to have
had the “reasonable belief and expectation that Defendant would use part of its earnings to obtain
adequate data security.” Id. ¶ 235. Yet SMART purportedly “breached the implied contracts it
4 The Court understands Plaintiff’s reference to “written privacy policies” that include “express[] promise[s]” solely as evidence supporting the existence of an implied contract, rather than as the basis for an express contract. See Am. Compl. ¶ 233.
26 made with Plaintiffs and the Class by failing to safeguard and protect their personal information,
by failing to delete the information of Plaintiffs and the Class once the relationship ended, and by
failing to provide accurate notice to them that personal information was compromised as a result
of the Data Breach,” causing damages to Plaintiffs. Id. ¶¶ 239–40.
As with Plaintiffs’ negligence claims, SMART first contends that this claim is preempted
by federal law and then asserts that Plaintiffs fail to state a claim.
SMART posits that Plaintiffs’ breach-of-implied-contract claim is preempted by section
301(a) of the Labor Management Relations Act (“LMRA”). Mot. Dismiss at 23–25. Section
301 preempts application of state law “only if such application requires the interpretation of a
collective-bargaining agreement.” Lingle v. Norge Div. of Magic Chef, Inc., 486 U.S. 399, 413
(1988)). “[Section] 301 pre-emption merely ensures that federal law will be the basis for
interpreting collective-bargaining agreements, and says nothing about the substantive rights a
[s]tate may provide to workers when adjudication of those rights does not depend upon the
interpretation of such agreements.” Id. at 409.
The parties here are governed by a union constitution, which “is a ‘contract’ within the
plain meaning of § 301(a).” United Ass’n of Journeymen & Apprentices v. Loc. 334, 452 U.S.
615, 622 (1981). So, if the breach-of-implied-contract claim relied on the SMART Constitution,
the claim would be preempted. See Mot. Dismiss at 24 (citing Saunders v. Hankerson, 312 F.
Supp. 2d 46, 72 (D.D.C. 2004)). But Plaintiffs’ claim is neither predicated on nor requires
interpretation of the SMART Constitution. Indeed, the Constitution, which is attached as an
exhibit to the union’s motion to dismiss, nowhere references SMART’s data security obligations.
27 Accordingly, the Court need not look to or interpret the Constitution in evaluating Plaintiffs’
claims, and Plaintiffs’ breach-of-implied-contract claims are not preempted by LMRA § 301.
b. Validity of the Claim
Plaintiffs rest their breach-of-implied-contract claim largely on SMART’s receipt of
highly sensitive PII and alleged representations concerning data security. Opp’n at 33–34.
“Under D.C. law, an implied-in-fact contract contains ‘all necessary elements of a binding
agreement,’ differing from other contracts ‘only in that it has not been committed to writing’ and
is instead ‘inferred from the conduct of the parties.’” Camara v. Mastro’s Rests. LLC, 952 F.3d
372, 375 (D.C. Cir. 2020). To prevail on a breach-of-implied-contract claim, then, a party must
establish “(1) a valid contract between the parties; (2) an obligation or duty arising out of the
contract; (3) a breach of that duty; and (4) damages caused by breach.” Shaffer v. Geo. Wash.
Univ., 27 F.4th 754, 762 (D.C. Cir. 2022). “[A]ll the necessary elements of an express
contract—including offer, acceptance, and consideration—must be shown in order to establish
the existence of an implied-in-fact contract.” Paul v. Howard Univ., 754 A.2d 297, 311 (D.C.
2000). SMART contends that the amended complaint flunks these requirements because it fails
to show (1) consideration, (2) agreement as to material terms, and (3) intent to be bound. Mot.
Dismiss at 25–27. Plaintiffs respond that providing their PII so that SMART could fulfill its
union duties was consideration, and that SMART’s acceptance of the information manifested
assent and an intent to reasonably protect it from unlawful access. Opp’n at 33–36. The Court
agrees with Plaintiffs.
“[I]t is difficult to imagine how, in our day and age of data and identity theft, the
mandatory receipt of Social Security numbers or other sensitive personal information would not
imply the recipient’s assent to protect the information sufficiently.” Attias VII, 2023 WL
28 5952052, at *6 (quoting Castillo v. Seagate Tech., LLC, No. 16-CV-01958 (RS), 2016 WL
9280242, at *9 (N.D. Cal. Sept. 14, 2016)). The Court then joins numerous other courts in
concluding that an obligation to “reasonably safeguard the [plaintiffs’] PII from unauthorized
access or disclosure” is sufficiently definite to support an implied contract. Am. Compl. ¶ 232;
see also, e.g., Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011). Moreover,
SMART’s affirmative representation on its website that it “has security measures in place to
protect against the loss, misuse[,] or alteration of information collected from visitors to the web
site” supports an inference that the organization implicitly promised “its union members,
including Plaintiffs and Class Members, that the PII collected from them as a condition of being
a union member at SMART would be kept safe, confidential, [and] that the privacy of that
information would be maintained,” even if Plaintiffs did not submit their PII through SMART’s
website. Am. Compl. ¶¶ 29–30. While discovery may show that SMART did provide
reasonable safeguards for the data, this potential evidence goes to the question of breach, not
whether an implied contract was formed.
SMART does not dispute that, to the extent Plaintiffs have plausibly pled an implied
contract, they have also plausibly pled its breach. See id. ¶ 239 (alleging SMART’s breach).
And because “it is enough for the plaintiff to describe the terms of the alleged contract and the
nature of the defendant’s breach” to “state a claim for breach of contract [sufficient] to survive a
Rule 12(b)(6) motion to dismiss,” the Court denies SMART’s motion to dismiss Count 3.
Francis v. Rehman, 110 A.3d 615, 620 (D.C. 2015) (quoting Nattah v. Bush, 605 F.3d 1052,
1058 (D.C. Cir. 2010)); see also Wright v. Allen, 60 A.3d 749, 753 & n.3 (D.C. 2013).5
5 As the Court has observed in the past, Wright and Francis are in some tension with the D.C. Court of Appeals’ earlier decisions in Cahn v. Antioch University, 482 A.2d 120 (D.C. 1984), and Osbourne v. Capital City Mortgage Corp., 727 A.2d 322 (D.C. 1999), which appeared
29 4. Unjust Enrichment
Count 4 of the amended complaint alleges that SMART was unjustly enriched by
Plaintiffs’ submission of their PII. Am. Compl. ¶¶ 243–54. To state a claim for unjust
enrichment, Plaintiffs must show “(1) [they] conferred a benefit on the defendant; (2) the
defendant retains the benefit; and (3) under the circumstances, the defendant’s retention of the
benefit is unjust.” Peart, 972 A.2d at 813–14. This “quasi-contract” is “not really a contract, but
a legal obligation closely akin to a duty to make restitution.” Bloomgarden v. Coyer, 479 F.2d
201, 210 (D.C. Cir. 1973). “In general, a plaintiff cannot maintain an unjust enrichment claim
concerning an aspect of the parties’ relationship that was governed by a contract.” Smith v.
Rubicon Advisors, LLC, 254 F. Supp. 3d 245, 249–50 (D.D.C. 2017) (citing In re APA
Assessment Fee Litig., 766 F.3d at 46); see also Bloomgarden, 479 F.2d at 210 (noting that this
principle extends to implied contracts). Here, the Court need not consider whether Plaintiffs may
plead unjust enrichment in the alternative to their breach-of-implied-contract claim because they
have failed to plead unjust enrichment as a matter of law.
Plaintiffs assert that they conferred a benefit on SMART in the form of valuable PII and
that the union’s retention of benefits derived from the information is unjust given its failure to
secure that information against breach. Opp’n at 37–38. This argument suffers from three
defects.
First, even assuming Plaintiffs’ data has some intrinsic value, the amended complaint
does not explain how SMART “derived a substantial economic benefit” from receiving or
to require proof of actual damages to state a claim for breach of contract. See Attias v. CareFirst, Inc. (“Attias V”), 518 F. Supp. 3d 43, 52 (D.D.C. 2021). However, as in Attias V, the Court will “defer to the most recent decisions of the state’s highest court” and allow Plaintiffs’ breach-of- contract claims to proceed. Id. (quoting Easaw v. Newport, 253 F. Supp. 3d 22, 34 (D.D.C. 2017)).
30 retaining it beyond “perform[ing] the services it provides.” Am. Compl. ¶ 35. Nor does it say
how performing those services benefitted SMART rather than Plaintiffs as its members. Second,
though Plaintiffs allege that the data breach somehow shows they were “not fully
compensate[d]” for their PII, id. ¶ 247, they do not allege that they provided the union their PII
with an understanding that they would be paid for it. Where, as here, a “plaintiff did not
contemplate a personal fee, or the defendant could not have reasonably supposed that he did,”
restitution is an inappropriate remedy. See Bloomgarden, 479 F.2d at 211–12. And third, under
D.C. law, “unjust enrichment should be limited or denied if ‘the proper measure of recovery
poses insurmountable difficulties of calculation.’” Salem Media Grp., Inc. v. Awan, 301 A.3d
633, 660 (D.C. 2023) (deciding that a defamation plaintiff could not seek disgorgement of profits
from a defamatory book because it would be impossible to determine how much profit came
from the defamatory statements alone). It is unclear from the amended complaint what funds
Plaintiffs request when they ask for “refunds, restitution, and/or damages . . . and/or an order
proportionally disgorging all profits, benefits, and other compensation obtained by Defendant
from its wrongful conduct.” Am. Compl. ¶ 253. Though Plaintiffs restate several harms they
allegedly experienced as a result of the breach, id. ¶ 252, “[w]here there has been an unjust
enrichment, the plaintiff’s remedy is restitution, which is typically measured by reference to the
defendant’s gain rather than the plaintiff’s loss.” Peart, 972 A.2d at 820. Plaintiffs’ failure to
state what exactly SMART gained is therefore fatal to their unjust enrichment claim.
This conclusion does not conflict with Plaintiffs’ cited authorities. In every cited case
upholding a claim of unjust enrichment in the data breach context, the defendant clearly
“profited from [the plaintiff’s] purchase” of goods or services. Rudolph v. Hudson’s Bay Co.,
No. 18-CV-8472 (PKC), 2019 WL 2023713, at *12 (S.D.N.Y. May 7, 2019); see also In re
31 Ambry Genetics Data Breach Litig., 567 F. Supp. 3d at 1145 (“Plaintiffs allege that they paid
Defendants money for Defendants’ services, and expected that a portion of their payments would
go toward ‘data management and security.’”); In re Unite Here, 2024 WL 3413941, at *13 (“If
plaintiffs’ payment of this union dues included a requirement that a portion of the dues would go
to data security . . . and defendant instead shirked that duty (resulting in the data’s theft),
defendant would have arguably been unjustly enriched to the extent of those improper savings.”).
It is unclear whether the D.C. Court of Appeals would allow unjust enrichment claims to proceed
on such a theory. But even if it did, the amended complaint does not identify any profit reaped
by SMART that is attributable to use of Plaintiffs’ data, nor does it allege that Plaintiffs gave
SMART any money that should have been used for data security. The Court will therefore grant
SMART’s motion to dismiss Count 4.
C. Statutory Claims
Finally, Angus brings claims under the California Unfair Competition Law (“UCL”) and
California Consumer Privacy Act (“CCPA”) on behalf of a putative California subclass. The
UCL prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive,
untrue or misleading advertising[.]” Cal. Bus. & Prof. Code § 17200. The CCPA requires
“business[es] that collect[] a consumer’s personal information [to] implement reasonable security
procedures and practices appropriate to the nature of the personal information to protect the
personal information from unauthorized or illegal access, destruction, use, modification, or
disclosure[.]” Cal. Civ. Code § 1798.100. SMART moves to dismiss both claims on the ground
that these statutes, largely created for consumer protection, do not apply to it as a labor union.
Mot. Dismiss at 31–32, 35–36. Angus responds that discovery is needed to determine whether
SMART is engaged in commercial business practices as alleged in the amended complaint.
32 Opp’n at 38–39, 41–42. Again, the Court must begin with a choice-of-law analysis. See In re
APA Assessment Fee Litig., 766 F.3d at 51 (applying choice-of-law analysis to statutory
consumer protection claim); Pietrangelo v. Wilmer Cutler Pickering Hale & Dorr, LLP, 68 A.3d
697, 713–14 (D.C. 2013) (same). It concludes that there is no true conflict, so D.C. law applies,
under which Angus does not have a cause of action.
The Court first finds that both California and the District of Columbia have an interest in
having their laws applied. California has an interest in applying the UCL, which “manifest[s]
California’s obvious interest in protecting its residents from fraud.” In re APA Assessment Fee
Litigation, 766 F.3d at 52 (internal quotation marks omitted). The District of Columbia has a
similar interest manifested in its Consumer Protection Procedures Act (“DCPPA”), D.C. Code
§§ 28–3901 et seq., which “prohibits a wide variety of deceptive trade practices perpetrated
against consumers,” In re APA Assessment Fee Litigation, 766 F.3d at 52 (quoting Busby v.
Capital One, N.A., 772 F. Supp. 2d 268, 279 (D.D.C. 2011)).
Both jurisdictions also have an interest in applying their data security laws—for
California, the CCPA, and for the District of Columbia, the Consumer Security Breach
Notification Act (“CSBA”), codified as amended at D.C. Code § 28–3851, et seq. As relevant
here, the CSBA requires entities that “possess personal information of an individual residing in
the District” to implement “reasonable security safeguards.” D.C. Code. §§ 28–3852.01. These
jurisdictions maintain these interests regardless of whether their substantive laws provide or
withhold liability in this particular situation. See In re APA Assessment Fee Litig., 766 F.3d at
52 (“A ‘rule which exempts the actor from liability for harmful conduct’ may embody an interest
in protecting ‘defendants against being harassed by such actions.’” (quoting Restatement
33 (Second) of Conflict of Laws § 145 cmt. c (1971)). As a result, because more than one
jurisdiction has an interest in the dispute, the next issue is whether their laws are in true conflict.
All the relevant statutes appear to foreclose Angus’s suit because SMART is a labor
union, not a commercial business. The DCPPA reads:
An action brought by a person under this subsection against a nonprofit organization shall not be based on membership in such organization, membership services, training or credentialing activities, sale of publications of the nonprofit organization, medical or legal malpractice, or any other transaction, interaction, or dispute not arising from the purchase or sale of consumer goods or services in the ordinary course of business.
D.C. Code § 28–3905(k)(5). This provision also applies to enforcement of the CSBA. See D.C.
Code § 28–3853 (providing that a violation of the CSBA is enforceable as an “unfair or
deceptive trade practice” pursuant to the DCPPA). The DCPPA defines a “nonprofit
organization” as an entity that “[i]s neither organized nor operating, in whole or in significant
part, for profit.” Id. § 28-3901(a)(14). Similarly, the CCPA applies only to “business[es],” Cal.
Civ. Code § 1798.150, and defines a business as “[a] sole proprietorship, partnership, limited
liability company, corporation, association, or other legal entity that is organized or operated for
the profit or financial benefit of its shareholders or other owners.” Cal. Civ. Code
§ 1798.140(d)(1). As for the UCL, both state and federal courts in California have found it
inapplicable to voluntary member associations unless the dispute arises from the sale of goods.
See That v. Alders Maint. Ass’n, 142 Cal. Rptr. 3d 458, 464 (Cal. Ct. App. 2012) (finding that a
homeowners’ association was not subject to the UCL because the association “d[id] not
participate as a business in the commercial market, much less compete in it”); Babb v. California
Tchrs. Ass’n, 378 F. Supp. 3d 857, 882 n.13 (C.D. Cal. 2019), aff’d sub nom. Martin v.
California Tchrs. Ass’n, No. 19-55761, 2022 WL 256360 (9th Cir. Jan. 26, 2022) (“[T]he UCL
claim fails because the Union Defendants are not a ‘business’ and collecting agency fees in
34 compliance with state law is not a ‘business act or practice.’”); Bermudez v. Serv. Emps. Int’l
Union, Loc. 521, No. 18-CV-04312 (VC), 2019 WL 1615414, at *1, n.1 (N.D. Cal. Apr. 16,
2019). Because SMART’s purported failures to “implement and maintain reasonable security
and privacy measures” is not alleged to have arisen from the sale of goods, Angus’s UCL claim
would similarly fail. See Am. Compl. ¶¶ 258, 261. Therefore, application of any of these laws
would “produce the identical result as D.C. law,” so there is no true conflict and D.C. law applies
by default. Pietrangelo, 68 A.3d at 714.
Angus’s primary response is that discovery is necessary to determine whether SMART is
“organized or operated for the profit or financial benefit of its owners,” Am. Compl. ¶ 269, as
she alleges in the complaint. See Opp’n at 38–39, 41–42. But the Court need not “accept as true
the complaint’s factual allegations insofar as they contradict exhibits to the complaint or matters
subject to judicial notice.” Kaempe v. Myers, 367 F.3d 958, 963 (D.C. Cir. 2004). SMART’s
public filings with the Internal Revenue Service, of which the Court may take judicial notice,
confirm that it is tax exempt organization pursuant to 26 U.S.C. § 501(c)(5). See International
Association of Sheet Metal Air Rail and Transportation Workers, Internal Revenue Serv.,
https://perma.cc/79L6-8AHB (EIN: XX-XXXXXXX); Arab v. Blinken, 600 F. Supp. 3d 59, 63 n.1
(D.D.C. 2022) (“The Court may take judicial notice of information posted on official public
websites of government agencies.” (citing Cannon v. District of Columbia, 717 F.3d 200, 205 n.2
(D.C. Cir. 2013))). And a 501(c)(5) organization must, by law, “[h]ave no net earnings inuring
to the benefit of any member.” 26 C.F.R. § 1.501(c)(5)–1(a). Because SMART is a nonprofit
and Angus’s claim does not “aris[e] from the purchase or sale of consumer goods or services,”
the DCCPA, like the CCPA and UCL, does not provide a cause of action. D.C. Code § 28–
3905(k)(5). Accordingly, the Court will dismiss Counts 5 and 6 of the amended complaint.
35 ***
In conclusion, Keown has plausibly alleged a common-law negligence claim (Count 1),
and both Plaintiffs have alleged a breach-of-implied-contract claim (Count 3) against SMART.
The Court will dismiss all other counts for failure to state a claim.
IV. Conclusion
For these reasons, it is hereby
ORDERED that [ECF No. 13] Defendant’s Motion to Dismiss is GRANTED in part and
DENIED in part. The Court hereby dismisses Counts 2, 4, 5, and 6 as they apply to both
plaintiffs and dismisses Count 1 as it applies to Plaintiff Angus. It is further
ORDERED that SMART shall file an Answer to the remaining claims by October 3,
2024.
SO ORDERED.
CHRISTOPHER R. COOPER United States District Judge
Date: September 19, 2024
Related
Cite This Page — Counsel Stack
Keown v. International Association of Sheet Metal Air Rail Transportation Workers, Counsel Stack Legal Research, https://law.counselstack.com/opinion/keown-v-international-association-of-sheet-metal-air-rail-transportation-dcd-2024.