Keown v. International Association of Sheet Metal Air Rail Transportation Workers

• Court: District Court, District of Columbia
• Decided: September 19, 2024
• Docket: Civil Action No. 2023-3570
• Status: Published

Opinion

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

DAVID KEOWN, et al.,

Plaintiffs,

v. Case No. 23-cv-3570 (CRC)

INTERNATIONAL ASSOCIATION OF SHEET METAL AIR RAIL TRANSPORTATION WORKERS,

Defendant.

MEMORANDUM OPINION AND ORDER

Plaintiffs David Keown and Diana Angus are former members of the International

Association of Sheet Metal Air Rail Transportation Workers (“SMART”), a national union based

in Washington, D.C., with over 200,000 members. In September 2023, SMART fell victim to a

cyberattack that compromised personally identifying information (“PII”) it had collected from its

current and past members. After learning that their PII was implicated in the breach, Mr.

Keown, a resident of Georgia, and Ms. Angus, a resident of California, each brought a putative

class action against SMART in this district, seeking damages and injunctive relief on behalf of

themselves and all other affected union members. At the Court’s urging, Plaintiffs consolidated

their claims into a single amended complaint. Together, Plaintiffs now assert four state

common-law counts: negligence, negligence per se, breach of implied contract, and unjust

enrichment. Angus, on behalf of herself and a putative subclass of California plaintiffs, also

raises claims under the California Unfair Competition Law and California Consumer Privacy

Act. SMART moves to dismiss all claims against it, contending that Plaintiffs lack standing to

sue and that they fail to state a claim. The Court determines that both Plaintiffs have standing to bring suit, Keown has

presented a plausible claim of negligence, and both Plaintiffs have plausibly alleged breach of an

implied contract. But the amended complaint fails to state a claim of negligence for Angus, a

claim of unjust enrichment for either Plaintiff, or a cause of action for the California statutory

claims. The Court will therefore grant the motion to dismiss in part and deny it in part.

I. Background

In ruling on the motion to dismiss, the Court must take as true the following factual

background from the allegations in the amended complaint.

Plaintiffs David Keown and Diana Angus are both former members of SMART, a labor

union with 203,000 members spread across North America. See Am. Compl. ¶¶ 25, 132, 145.

Keown is a resident of Georgia, Angus of California, and SMART of the District of Columbia.

Id. ¶¶ 19–21. When Plaintiffs joined SMART, they were required to provide it with their

sensitive PII.

On September 9, 2023, SMART suffered a cyberattack that exposed the records of

roughly 62,000 individuals. Id. ¶¶ 3, 7, 37. Two months later, the union notified Keown and

Angus that their PII, potentially including their names and social security numbers, “may have

been involved.” Id. ¶¶ 37, 136, 148. Though by that point Plaintiffs were no longer SMART

members, the union still retained their PII unencrypted on its servers. See id. ¶ 40. Spurred by

notification of the breach, both Plaintiffs say they have since spent time and energy mitigating

any potential impacts, including by monitoring their bank accounts and contacting their financial

institutions. Id. ¶¶ 137, 151. Keown further alleges that his PII was “disseminated on the dark

web, according to Discover.” Id. ¶ 139. He purportedly experienced a corresponding increase in

spam calls, texts, and emails and claims to suffer “fear, anxiety, and stress” stemming from the

2 breach and subsequent publication of his PII. Id. ¶¶ 140–41. Though Angus does not allege that

her PII made it to the dark web, she also claims to have experienced an increased risk of identity

theft, along with other potential harms. Id. ¶¶ 149–54. Plaintiffs insist that SMART is

responsible for these alleged harms because it “did not use reasonable security procedures and

practices appropriate to the nature of the sensitive information it was maintaining” despite its

representations that it would do so. Id. ¶¶ 43, 52. Plaintiffs also complain that the notice of the

breach failed to inform them of the breach’s “root cause” or whether SMART undertook any

remedial measures to better secure Plaintiffs’ PII. Id. ¶ 38.

Keown sued SMART in November 2023; Angus followed in December 2023.1 After an

initial status conference covering both cases, Plaintiffs filed a joint amended complaint in

January 2024. The amended complaint includes counts for negligence, negligence per se, breach

of implied contract, unjust enrichment, and violations of California’s Unfair Competition Law

and Consumer Privacy Act. Id. ¶¶ 170–276. Plaintiffs seek damages on behalf of all individuals

who were sent a notice of the data breach, as well as injunctive relief requiring SMART to

undertake several data security measures to prevent future harm to Plaintiffs. Id. ¶¶ 158, 202,

204. In its motion to dismiss, SMART contends first that Plaintiffs have not alleged an Article

III injury traceable to its conduct and second that each cause of action is either preempted by

federal labor law or fails to state a claim for relief. See Mot. Dismiss at 1–2.

II. Legal Standards

SMART moves to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and

12(b)(6). A motion to dismiss under “Rule 12(b)(1) presents a threshold challenge to the court’s

1 Angus has since voluntarily dismissed her related case, originally docketed as Angus v. Int’l Ass’n of Sheet Metal Air Rail Transp. Workers, No. 23-cv-3692 (D.D.C. Dec. 12, 2023).

3 jurisdiction, whereas 12(b)(6) presents a ruling on the merits with res judicata effect.” Haase v.

Sessions, 835 F.2d 902, 906 (D.C. Cir. 1987). Under Rule 12(b)(1), the plaintiff “bears the

burden of invoking the court’s subject matter jurisdiction, including establishing the elements of

standing.” Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015). And because the Court has “an

affirmative obligation to ensure that it is acting within the scope of its jurisdictional authority,”

“‘the [p]laintiff’s factual allegations in the complaint . . . will bear closer scrutiny in resolving a

12(b)(1) motion’ than in resolving a 12(b)(6) motion for failure to state a claim.” Grand Lodge

of Fraternal Ord. of Police v. Ashcroft, 185 F. Supp. 2d 9, 13 (D.D.C. 2001) (alterations in

original) (citation omitted). By contrast, to survive a motion to dismiss under Rule 12(b)(6), a

complaint need only “contain sufficient factual matter, accepted as true, to ‘state a claim to relief

that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl.

Corp. v. Twombly, 550 U.S. 544, 570 (2007)). The Court “must take all the factual allegations

in the complaint as true,” though it is “not bound to accept as true a legal conclusion couched as

a factual allegation.” Papasan v. Allain, 478 U.S. 265, 286 (1986). Under either the 12(b)(1) or

12(b)(6) standard, “the allegations of the complaint should be construed favorably to the

pleader.” Walker v. Jones, 733 F.2d 923, 926 (D.C. Cir. 1984).

III. Analysis

The Court will take up SMART’s challenge to the Court’s subject matter jurisdiction

over Plaintiffs’ claims. Concluding that it has jurisdiction, the Court will then analyze Plaintiffs’

common-law claims under the law of the District of Columbia. Finally, the Court will consider

Angus’s California statutory claims. While the Court determines that Plaintiffs have adequately

pled two of the common-law claims (negligence and breach of implied contract), it will grant

SMART’s motion to dismiss the remaining claims.

4 A. Subject-Matter Jurisdiction

1. Diversity Jurisdiction

Though SMART does not challenge Plaintiffs’ assertion that the Court has diversity

jurisdiction over their state-law claims, it bears clarifying that the Court’s jurisdiction stems from

the Class Action Fairness Act (“CAFA”). CAFA “gives federal courts jurisdiction over certain

class actions . . . if the class has more than 100 members, the parties are minimally diverse, and

the amount in controversy exceeds $5 million.” Dart Cherokee Basin Operating Co., LLC v.

Owens, 574 U.S. 81, 84–85 (2014) (citing 28 U.S.C. §§ 1332(d)(2), (5)(B)). Parties are

considered minimally diverse if “any member of a class of plaintiffs is a citizen of a [s]tate

different from any defendant.” 28 U.S.C. § 1332(d)(2)(A). Here, Plaintiffs allege that

approximately 62,000 people were affected by the data breach, there is minimal diversity

because they are from different states than SMART, and the amount in controversy exceeds $5

million. See Am. Compl. ¶¶ 7, 22. The Court accepts these undisputed allegations as true for

the purposes of asserting jurisdiction. See, e.g., Dart Cherokee, 574 U.S. at 553 (“When a

plaintiff invokes federal-court jurisdiction, the plaintiff’s amount-in-controversy allegation is

accepted if made in good faith.”).

2. Standing

SMART does, however, contest Plaintiffs’ standing to bring suit. Mot. Dismiss at 5–8.

“[S]tanding is an essential and unchanging part of the case-or-controversy requirement of Article

III.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). Its “irreducible constitutional

minimum” consists of “three elements: ‘(1) injury-in-fact, (2) causation, and (3) redressability.’”

Am. Freedom L. Ctr. v. Obama, 821 F.3d 44, 48 (D.C. Cir. 2016) (quoting Lujan, 504 U.S. at

560). “As the party invoking the court’s subject matter jurisdiction, the plaintiff bears the burden

5 of establishing the elements of standing.” Parents v. Garland, 88 F.4th 298, 304 (D.C. Cir.

2023). And “a plaintiff must ‘demonstrate standing separately for each form of relief sought.’”

TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021) (quoting Friends of the Earth, Inc. v.

Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 185 (2000)). Plaintiffs have met their burden of

proving standing here.

SMART first challenges Plaintiffs’ standing to seek damages on the grounds of injury-in-

fact and traceability. In terms of injury-in-fact, SMART contends that the amended complaint is

deficient because Plaintiffs have not yet incurred “out-of-pocket expenditures” or experienced

“financial fraud or identity theft or misuse of [their] information.” Mot. Dismiss at 5–6. But the

D.C. Circuit has squarely ruled that such injuries are not required to support standing in data

breach cases. See Attias v. Carefirst, Inc. (“Attias II”), 865 F.3d 620, 628 (D.C. Cir. 2017).

Rather, a complaint may survive a Rule 12(b)(1) motion where it “plausibly alleges that the

plaintiffs now face a substantial risk of identity theft as a result of [the defendant’s] alleged

negligence in the data breach.” Id. Like the plaintiffs in Attias II, Plaintiffs here have alleged

that SMART collected and stored their PII, including their social security numbers; this sensitive

information was stolen in the breach; and breach of the data “place[s] plaintiffs at a high risk of

financial fraud” and an “increased risk of identity theft.” Id. at 628; see also Am. Compl. ¶¶ 133,

136, 139, 143, 145, 148–50. Keown further alleges that his PII is now “being disseminated on

the dark web, according to Discover.” Am. Compl. ¶ 139. Where, as here, “an unauthorized

party has already accessed personally identifying data on [the defendant’s] servers . . . it is

plausible . . . to infer that this party has both the intent and the ability to use that data for ill.”

Attias II, 865 F.3d at 628.

6 The Supreme Court’s intervening decision in TransUnion does not defeat Plaintiffs’

alleged injury. Though TransUnion requires that plaintiffs show a separate concrete harm in

addition to the risk of future harm to support a claim of damages, 594 U.S. at 436–37, “the

expenditure of time or money on mitigation measures in response to a data breach, such as

purchasing credit monitoring services or taking other steps to prevent fraud, may create a

concrete Article III injury when paired with a risk of future identity theft.” Attias v. CareFirst,

Inc., 344 F.R.D. 38, 47 (D.D.C. 2023) (Cooper, J.). As Keown and Angus have both alleged that

they have pursued such mitigation measures, they have met that standard here. See Am. Compl.

¶¶ 137, 151.

SMART also asserts that plaintiffs have not established that their alleged injuries are

traceable to this data breach because the amended complaint does not plead that this particular

data breach is the only one that implicated plaintiffs’ PII. See Mot. Dismiss at 7–8. But, at the

motion-to-dismiss stage, it is sufficient for the complaint to show that the injuries claimed—

substantial risk of identity theft and Plaintiffs’ corresponding mitigation measures—are “fairly

traceable” to the data breach. Attias II, 865 F.3d at 629 (quoting Lexmark Int’l, Inc. v. Static

Control Components, Inc., 572 U.S. 118, 134 n.6 (2014)); see also In re Unite Here Data Sec.

Incident Litig., No. 24-cv-1565 (JSR), 2024 WL 3413942, at *4 (S.D.N.Y. July 15, 2024)

(rejecting the same argument because “[t]he fact that there have been other large data breaches,

and the speculative possibility that plaintiffs were subjected to them, are matters well beyond the

allegations in the complaint and cannot be used to support defendant’s motion to dismiss”).

Assuming, as the Court must, that Plaintiffs will prevail on the merits of their claim that

SMART’s negligent handling of their data resulted in unauthorized access to that data, the

7 corresponding risk of financial fraud and identity theft is fairly traceable to SMART’s conduct.

See Attias II, 865 F.3d at 629 (quoting Lexmark Int’l, Inc., 572 U.S. at 134 n.6).

Next, SMART contends that Plaintiffs have not alleged standing to pursue injunctive

relief because, in its view, the data breach was an isolated event that is unlikely to recur. Mot.

Dismiss at 8. But Plaintiffs need not allege a “credible threat” that SMART “will again be

attacked by cybercriminals” to survive a 12(b)(1) motion to dismiss. Id. Plaintiffs allege that

their PII “remains unencrypted” and “backed up in Defendant’s possession” such that it “is

subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate

and adequate measures to protect [it].” Am. Compl. ¶ 92. “[G]iven [the] Plaintiffs’ allegations

regarding [Defendant’s] continued failure to adequately secure its databases, it is reasonable to

infer that there remains a ‘substantial risk’ that their personal information will be stolen from

[SMART] again in the future.” See In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928

F.3d 42, 54–55 (D.C. Cir. 2019). This “substantial risk” is sufficient to support standing for

injunctive relief. Id. at 59; see also TransUnion, 594 U.S. at 415 (“[M]aterial risk of future harm

can satisfy the concrete-harm requirement in the context of a claim for injunctive relief to

prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and

substantial.”).

Satisfied that it has jurisdiction, the Court now turns to Plaintiffs’ asserted claims.

B. Common Law Claims

Plaintiffs assert four common-law counts against SMART: (1) negligence; (2) negligence

per se; (3) breach of implied contract; and (4) unjust enrichment. As SMART points out, the

amended complaint does not specify under which state’s common law Plaintiffs seek relief. See

Mot. Dismiss at 9. SMART’s motion to dismiss assumes that the law of either the District of

8 Columbia or Plaintiffs’ home forums will apply. See, e.g., id. at 18–19 (discussing negligence

per se under D.C., Georgia, and California common law). Keown and Angus respond that

discovery is necessary to determine which state has the most significant relationship to the

dispute, as well as the citizenship of all putative class members. Opp’n at 14–16. The Court first

addresses the threshold choice-of-law issue before analyzing each of the claims.

1. Choice of Law

When exercising diversity jurisdiction, federal courts apply the substantive law of the

forum state, including its choice-of-law rules. Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S.

487, 496 (1941); Shaw v. Marriott Int’l, Inc., 605 F.3d 1039, 1045 (D.C. Cir. 2010). Under the

District of Columbia’s choice-of-law rules, courts apply “a modified ‘governmental interests

analysis[,]’ which seeks to identify the jurisdiction with the ‘most significant relationship’ to the

dispute.” Washkoviak v. Student Loan Mktg. Ass’n, 900 A.2d 168, 180 (D.C. 2006) (quoting

Moore v. Ronald Hsu Constr. Co., 576 A.2d 734, 737 (D.C. 1990)). “Under this approach, the

first step is to determine whether a ‘true conflict’ exists—that is, whether more than one

jurisdiction has a potential interest in having its law applied and, if so, whether the law of the

competing jurisdictions is different.” GEICO v. Fetisoff, 958 F.2d 1137, 1141 (D.C. Cir. 1992)

(citations omitted). If there is a conflict, courts then “evaluate the governmental policies

underlying the applicable laws and determine which jurisdiction’s policy would be more

advanced by the application of its law to the facts of the case,” considering “the four factors

enumerated in the Restatement (Second) of Conflict of Laws § 145.” Washkoviak, 900 A.2d at

180 (quoting District of Columbia v. Coleman, 667 A.2d 811, 816 (D.C. 1995)). Where no

conflict exists between the interested states’ laws, D.C. law applies by default. See Beach TV

9 Props., Inc. v. Solomon, 306 F. Supp. 3d 70, 92 (D.D.C. 2018) (citing GEICO, 958 F.2d at

1141).

a. True Conflict

Both Plaintiffs’ home states and the District of Columbia have an interest in having their

laws applied. The amended complaint states that Keown is a Georgia resident, Angus is a

California resident, and SMART is “governed under the laws of the District of Columbia” with a

principal place of business in the District of Columbia. Am. Compl. ¶¶ 19–21. Plaintiffs’ home

forums have an interest in protecting their residents from injury, while the District of Columbia

has an interest in preventing entities within its borders from engaging in tortious conduct. Cf.

Washkoviak, 900 A.2d at 180–81 (“Wisconsin has a powerful interest in protecting its residents

from fraud and misrepresentation, while the District of Columbia has an equally strong interest

in ensuring that its corporate citizens refrain from fraudulent activities.”). Plaintiffs also assert

that the putative class members’ states of residency may have interests at stake, Opp’n at 29, but

the Court need not consider putative class member residencies prior to certification. See

Washkoviak, 900 A.2d at 176 n.11; Margolis v. U-Haul Int’l, Inc., 818 F. Supp. 2d 91, 105

(D.D.C. 2011) (“The plaintiff has not moved for class certification and no class has been

certified. Therefore, the residency of the putative class is irrelevant here.”). With the relevant

jurisdictions identified, the Court will next consider whether a “true conflict” exists between the

laws of the three jurisdictions.

There does not appear to be a conflict in how the relevant jurisdictions assess breach-of-

contract or unjust enrichment claims in the data-breach context. In considering breach-of-

contract claims arising from data breaches, all three jurisdictions have applied substantially

similar tests to reach the same outcome. See Attias v. CareFirst, Inc. (“Attias VII”), No. 15-CV-

10 882 (CRC), 2023 WL 5952052, at *6 (D.D.C. Sept. 13, 2023); Tracy v. Elekta, Inc., 667 F.

Supp. 3d 1276, 1287 (N.D. Ga. 2023); In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d

1130, 1144 (C.D. Cal. 2021). Likewise, though D.C.’s federal and state courts have yet to fully

adjudicate unjust enrichment claims in the data-breach context, the elements of the claim are

similar across the three jurisdictions. See Peart v. D.C. Hous. Auth., 972 A.2d 810, 813–14

(D.C. 2009); St. Paul Mercury Ins. Co. v. Meeks, 508 S.E.2d 646, 648 (Ga. 1998); Peterson v.

Cellco P’ship, 80 Cal. Rptr. 3d 316, 324 (Cal. Ct. App. 2008). Therefore, by default, the Court

will apply D.C. law to these claims. See Beach TV Props., Inc., 306 F. Supp. 3d at 92.

There may, however, be a conflict with respect to the law of negligence in these

jurisdictions. Though Georgia, California, and D.C. all set forth a similar formulation of the

standard elements of duty, breach, causation, and damages, see Hedgepeth v. Whitman Walker

Clinic, 22 A.3d 789, 793 (D.C. 2011) (en banc); John B. v. Superior Ct., 137 P.3d 153, 159 (Cal.

2006); Weller v. Blake, 726 S.E.2d 698, 702 (Ga. 2012), they have applied those elements

differently in such data-breach cases. For example, when assessing the damages element,

Georgia recognizes the risk of harm presented by “data in the hands of criminals,” Tracy, 667 F.

Supp. 3d at 1283 (citing Collins v. Athens Orthopedic Clinic, P.A., 837 S.E.2d 310 (Ga. 2019)),

California recognizes increased time spent on credit monitoring, see, e.g., In re Solara Med.

Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284, 1295–96 (S.D. Cal.

2020), but D.C. recognizes neither, see Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702,

708 (D.C. 2009). As a result, the Court must proceed to determine which jurisdiction’s policy

would be better advanced by application of its law to the facts of the case under the Restatement

factors. The Court determines that the factors moderately favor application of D.C. law, see

infra Part II.B.i.b, so it will apply D.C. law to the negligence counts as well. While this analysis

11 is close, D.C. law would have applied even if it was inconclusive. See Wu v. Stomber, 750 F.3d

944, 949 (D.C. Cir. 2014).

b. Governmental Interests Test

To determine which state has the greater interest in a dispute, D.C. courts look to four

factors: “a) the place where the injury occurred; b) the place where the conduct causing the

injury occurred; c) the domicile, residence, nationality, place of incorporation and place of

business of the parties; and d) the place where the relationship is centered.” See Washkoviak,

900 A.2d at 180 (quoting Coleman, 667 A.2d at 816).

The first factor, the location of the injury, is indeterminate. Plaintiffs have experienced

some of their alleged injuries in their home forums, including their emotional distress and time

spent responding to the data breach. See Am. Compl. ¶¶ 199–200. But other alleged injuries,

like Plaintiffs’ loss of privacy and the devaluation of their PII, logically stem from the place

where cybercriminals accessed the data. See id. ¶ 199. And still other purported injuries, like

Plaintiffs’ loss of the benefit of the bargain and the risk of misuse of PII, cannot be said to stem

from one location. See id. Therefore, this factor does not clearly favor any one jurisdiction.

As for the second factor—the conduct causing injury—the complaint allegations favor

application of D.C. law. As Plaintiffs note, “to determine the place where the conduct causing

injury occurred in data breach case, courts generally focus on the location of the servers from

where the data was hacked” or, in the absence of such a location, “have applied the law of the

forum state” or “look[ed] to defendants’ headquarters or possibly where cybersecurity decisions

were made.” Opp’n at 15 (citing In re Blackbaud, Inc., Customer Data Breach Litig., 567 F.

Supp. 3d 667, 675 (D.S.C. 2021); In re Mednax Servs., Inc., Customer Data Sec. Breach Litig.,

603 F. Supp. 3d 1183, 1199 (S.D. Fla. 2022)). Each of these alternatives points to the District of

12 Columbia. Plaintiffs allege that SMART’s place of business is in the District of Columbia, that

SMART “maintains Class Members’ PII in this District,” and that “decisions made by

Defendant’s governance and management personnel or inaction by those individuals that led to

the Data Breach” occurred in the District of Columbia. See Am. Compl. ¶ 24. At the motion-to-

dismiss stage, the Court must take these allegations as true, even though discovery may later

reveal that Plaintiffs’ data was housed or SMART’s decision-making actually took place

elsewhere. Therefore, with no pled connections to Plaintiffs’ home forums, this factor favors the

District of Columbia. See In re APA Assessment Fee Litig., 766 F.3d 39, 54 (D.C. Cir. 2014).

Next, “the domicil[e], residence, nationality, place of incorporation[,] and place of

business of the parties” is “split evenly” among the three states, as each party hails from a

different one. Id. (quoting Washkoviak, 900 A.2d at 181). While Plaintiffs point out that this

case is a “putative nationwide class” and “the state citizenship of all putative Class Members is

not yet known,” Opp’n at 29, as the Court noted above, “[a] class action, when filed, includes

only the claims of the named plaintiff or plaintiffs.” Molock v. Whole Foods Mkt. Grp., Inc.,

952 F.3d 293, 298 (D.C. Cir. 2020) (quoting Gibson v. Chrysler Corp., 261 F.3d 927, 940 (9th

Cir. 2001)).

The final factor, the place where the relationship is centered, is neutral. Where, as here,

“the parties cite no case law directly addressing where the relationship between a national

nonprofit organization and its members is ‘centered[,’] . . . the fourth factor does not weigh

strongly in favor of either party.” In re APA Assessment Fee Litig., 766 F.3d at 54.

Taken together, the factors somewhat favor application of D.C. law. Given that D.C.

courts apply D.C. law even “where the [Restatement] factors do not point to a clear answer,” the

Court finds this outcome all the more appropriate here. Wu, 750 F.3d at 949 (citing

13 Washkoviak, 900 A.2d at 176). Moreover, applying D.C. law “works no unfairness to plaintiffs,

because they chose to pursue their claim in the District of Columbia.” In re APA Assessment

Fee Litig., 766 F.3d at 55 (citation omitted). Though the Court will apply D.C. law to each claim

in ruling on the motion to dismiss, the Court “leave[s] open the possibility that, after both parties

have been afforded the opportunity to conduct discovery and present evidence, [the Court] may

conclude . . . that [a foreign jurisdiction] has a greater interest than the District of Columbia in

the resolution of this controversy[.]” Washkoviak, 900 A.2d at 183.

The Court now turns to each of Plaintiffs’ asserted common-law claims: (1) negligence;

(2) negligence per se; (3) breach of implied contract; and (4) unjust enrichment.

2. Negligence & Negligence Per Se

Plaintiffs contend that SMART’s mishandling of their sensitive PII was negligent (Count

1) and negligent per se under Section 5 of the Federal Trade Commission Act (“FTC Act”)

(Count 2). See Am. Compl. ¶¶ 170–224 (citing 15 U.S.C. § 45).

“[A] claim alleging the tort of negligence must show: (1) that the defendant owed a duty

to the plaintiff, (2) breach of that duty, and (3) injury to the plaintiff that was proximately caused

by the breach.” Hedgepeth, 22 A.3d at 793. “The same is true of negligence-per-se,” Tolson v.

The Hartford Fin. Servs. Grp., Inc., 278 F. Supp. 3d 27, 36 (D.D.C. 2017), because “negligence

per se is not in and of itself a separate legal claim—rather, it permits a plaintiff under ‘certain

circumstances and under specified conditions,’ to ‘rely on a statute or regulation as proof of the

applicable standard of care,’” Hunter ex rel. A.H. v. District of Columbia, 64 F. Supp. 3d 158,

188–89 (D.D.C. 2014) (quoting McNeil Pharm. v. Hawkins, 686 A.2d 567, 578 (D.C. 1996)).

SMART moves to dismiss both counts, asserting that (1) the federal-law duty of fair

representation preempts any common law negligence claim against the union; (2) the FTC Act

14 cannot serve as the statutory basis for negligence per se; and (3) Plaintiffs fail to allege any

actual damages. Because negligence per se “is not in and of itself a separate legal claim,” id., the

Court will consider Plaintiffs’ negligence per se “claim” as one possible theory of proving

SMART’s duty and breach. Ultimately, the Court concludes that Plaintiffs’ negligence claims

are not preempted but that only Keown has plausibly alleged the elements of such a claim.

a. Preemption

The National Labor Relations Act (“the NLRA”) imposes a duty on unions “as the

exclusive bargaining representative of the employees . . . fairly to represent all of those

employees.” United Steelworkers of Am. v. Rawson, 495 U.S. 362, 372 (1990) (quoting Vaca v.

Sipes, 386 U.S. 171, 177 (1967)). This “duty of fair representation” applies to both the union’s

“collective bargaining . . . and . . . its enforcement of the resulting collective bargaining

agreement.” Id. (quoting Vaca, 386 U.S. at 177). Under the duty of fair representation, “the

exclusive agent’s statutory authority to represent all members of a designated unit includes a

statutory obligation to serve the interests of all members without hostility or discrimination

toward any, to exercise its discretion with complete good faith and honesty, and to avoid

arbitrary conduct.” Vaca, 386 U.S. at 177. Breach of this duty occurs “only when a union’s

conduct toward a member of the collective bargaining unit is arbitrary, discriminatory, or in bad

faith.” Id. (quoting Vaca, 386 U.S. at 190). As SMART would have it, this duty preempts any

state-law negligence claim. Mot. Dismiss at 10–14. The Court disagrees.

The D.C. Circuit has held that the duty of fair representation preempts “identical” state

law claims. See May v. Shuttle, Inc., 129 F.3d 165, 179 (D.C. Cir. 1997) (citing Nellis v. Air

Line Pilots Ass’n, 15 F.3d 50, 51 (4th Cir. 1994)). In May, for example, the Circuit determined

that the plaintiffs’ state-law fraud claim was preempted because the plaintiffs’ counsel

15 effectively conceded that it arose from the “collective bargaining agreement,” under which

“lying . . . [was not] condoned.” Id. In reaching this conclusion, the Circuit relied on the Fourth

Circuit’s decision in Nellis, which held that the duty of fair representation preempted state-law

contract claims arising from duties “were ‘mere refinements’ of the federal duty of fair

representation.” 15 F.3d at 51.

Here, Plaintiffs’ claims challenging negligent data storage are not “identical” to a duty of

fair representation claim. Rather, their negligence counts are premised on alleged duties

separate from the duty of fair representation, including duties of care imposed by the FTC Act

and SMART’s promises to Plaintiffs regarding its data security. Opp’n at 16. Moreover, unlike

in May, where the alleged duty arose from the parties’ collective bargaining agreement and

thereby fell within the scope of its duty of fair representation, neither party here suggests that

their collective bargaining agreement imposed on SMART a duty to protect its members’ PII.

The union characterizes Plaintiffs’ negligence claim as a challenge to its “administration of its

dues collection system,” Mot. Dismiss at 14, to which the duty of fair representation applies. But

SMART’s use of Plaintiffs’ PII for dues collection does not transform its allegedly improper

storage of that information into representational activity.2 Plaintiffs’ claims are therefore not

preempted.

2 Because Plaintiffs’ claims “involve[] union activity that [is] peripheral to the concern of the applicable federal statutes and present[s] only a tangential or remote potential conflict with the federal regulatory scheme,” Condon v. Loc. 2944, 683 F.2d 590, 595 (1st Cir. 1982), the Court need not address whether, as SMART contends, the duty of fair representation preempts the “field” of “all forms of representational conduct,” Mot. Dismiss at 13. The circuits are split on whether they consider the duty of fair representation as a species of field or conflict preemption. See Figueroa v. Foster, 864 F.3d 222, 228–32 (2d Cir. 2017) (explaining that the First, Fifth, and Tenth Circuits understand the duty to preempt all state-law causes of action in the regulated field, while the Second, Fourth, Eighth, and Ninth Circuits have adopted a narrower, conflict-preemption approach). The D.C. Circuit has not weighed in on this split but, for the reasons discussed, SMART’s argument is unavailing under either theory.

16 b. Duty & Breach

“As a general rule, the plaintiff in a negligence action bears the burden of proving ‘the

applicable standard of care[] [and] a deviation from that standard by the defendant[.]’” McNeil

Pharm., 686 A.2d at 577 (quoting Toy v. District of Columbia, 549 A.2d 1, 6 (D.C. 1988)). In

their opposition brief, Plaintiffs seek to locate SMART’s duty of care in three sources: (1) the

FTC Act (as the basis of their negligence per se theory), (2) “the standard duties of care in

Defendant’s industry,” and (3) “Defendant’s own promises and representations that were made

to Plaintiffs, regarding its data security.” Opp’n at 16. None of these sources impose a duty on

SMART that plausibly gives rise to a negligence claim. However, the Court finds that Plaintiffs

have adequately alleged that SMART had (and deviated from) a common-law duty of care to

protect their PII from foreseeable risk of theft. See Am. Compl. ¶¶ 188–92.

The FTC Act cannot serve as the basis of Plaintiffs’ negligence per se theory under D.C.

law, which permits “[v]iolation of a statute or regulation [to] constitute negligence per se only ‘if

the statute is meant to promote safety, if the plaintiff is a member of the class to be protected by

the statute, and if the defendant is a person upon whom the statute imposes specific duties.’”

Night & Day Mgmt., LLC v. Butler, 101 A.3d 1033, 1039 (D.C. 2014) (quoting Ginsberg v.

Granados, 963 A.2d 1134, 1140 (D.C. 2009)). The FTC Act, which declares unlawful “[u]nfair

methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or

affecting commerce,” 15 U.S.C. § 45, is not “meant to promote safety.” Night & Day Mgmt.,

LLC, 101 A.3d at 1039; cf. In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d

374, 407–08 (E.D. Va. 2020) (concluding that the FTC Act could underpin a negligence per se

theory under New York but not Virginia law because, like D.C., negligence per se under Virginia

law requires a public safety purpose, and “Section 5 of the FTC was intended to prevent unfair

17 and deceptive trade practices”). Therefore, it is not a viable source of an alleged negligence

claim against SMART.

Nor are “the standard duties of care in [SMART’s] industry” or “[SMART’s] own

promises and representations that were made to Plaintiffs, regarding its data security.” Plaintiffs

do not identify the source of any “standard duties of care” for the labor union industry apart from

the duty of fair representation, see Am. Compl. ¶¶ 87–91 (listing several alleged “best practices”

for “labor unions dealing with sensitive PII” without alleging the source of these practices or any

duty to follow them), on which Plaintiffs expressly disavow reliance, Opp’n at 19 (“Here, there

is no ‘fair representation’ claim[.]”). As to SMART’s alleged promises of data security, the

amended complaint points only to the union’s website privacy policy, which, by its own terms,

applies just to “information collected from visitors to the web site.” Am. Compl. ¶ 30. Plaintiffs

do not allege that they gave their PII to SMART as visitors to its website and do not respond to

SMART’s observation that the website policy does not apply to them as a result. Consequently,

these sources also cannot support Plaintiffs’ claimed duty of care.

But Plaintiffs adequately pled that SMART violated a common-law duty of care when it

failed to protect their PII from foreseeable risks. See id. ¶¶ 188–92. As this Court has

recognized in the past, “there are some circumstances under District of Columbia law where

even a failure to act will give rise to a legal duty.” Attias v. CareFirst, Inc. (“Attias III”), 365 F.

Supp. 3d 1, 20 (D.D.C. 2019). “[C]onsideration of whether a duty exists to protect another from

intervening criminal acts includes consideration of heightened foreseeability.” Bd. of Trs. of

Univ. of D.C. v. DiSalvo, 974 A.2d 868, 871–72 (D.C. 2009). Where “the injury that befell the

plaintiff was ‘reasonably foreseeable’ to the defendant, then courts will usually conclude that the

18 defendant owed the plaintiff a duty to avoid causing that injury[.]” Hedgepeth, 22 A.3d at 793.

This duty is also informed by the relationship between the parties. Id.

Here, Plaintiffs allege that SMART had a duty “to protect[] Plaintiffs and the Class from

the risk of foreseeable criminal conduct of third parties[.]” Am. Compl. ¶ 195. In support of this

legal conclusion, Plaintiffs allege that they were required to give their highly sensitive PII to

SMART as members of the organization. Id. ¶ 27. Risk of unauthorized access to this

information was foreseeable, they allege, because SMART held it unencrypted on its servers, an

“inadequate security practice[],” and there had been a “high known frequency of cyberattacks

and data breaches in the labor union industry.” Id. ¶¶ 28, 188–89. Though they do not delve into

specifics, Plaintiffs further allege that there were “repeated warnings and alerts directed to

protecting and securing sensitive data,” a “substantial increase in cyber-attacks and/or data

breaches targeting labor unions that collect and store PII, like Defendant, preceding the date of

the breach,” and a high “prevalence of public announcements of data breach and data security

compromise.” Id. ¶¶ 55, 56, 67. Plaintiffs further contend that SMART could have prevented

the disclosure of their PII merely “by properly securing and encrypting the files and file servers

containing the PII of Plaintiffs and Class Members.” Id. ¶ 54.

Taking these allegations as true and drawing all reasonable inferences from them, the

complaint plausibly alleges that SMART failed to take reasonable steps to protect Plaintiffs’ PII

despite the foreseeable risk of a cyberattack. Cf. Attias III, 365 F. Supp. 3d at 21 (finding no

duty of care where the plaintiffs had not alleged known issues with the organization’s data

security system or other recent highly publicized data breaches in that industry). Moreover, to

the extent SMART’s alleged failure to take these measures would violate the FTC Act, such

evidence also supports Plaintiffs’ claim of duty and breach. See Rong Yao Zhou v. Jennifer Mall

19 Rest., Inc., 534 A.2d 1268, 1274 (D.C. 1987) (“Where the court does not perceive a public safety

purpose in the legislative enactment, the statutory violation may be admitted as evidence of

negligence, although it does not constitute negligence per se.” (quoting Stevens v. Hall, 391 A.2d

792, 795–96 (D.C. 1978)); In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d at

407 (collecting cases finding that the FTC Act creates a “duty [that] is ascertainable as it relates

to data breach cases” and that inadequate security measures may violate this duty).

c. Causation & Injury

Moving to causation and injury, “[t]o maintain an action for negligence, a plaintiff must

allege more than speculative harm from defendant’s allegedly negligent conduct.” Randolph,

973 A.2d at 708. Plaintiffs here present six forms of actual harm allegedly caused by the data

breach: (1) heightened risk of misuse of personal information; (2) time, effort, and future costs to

mitigate the risk of harm; (3) lost benefit of the bargain; (4) diminution in value of their private

information; (5) loss of privacy; and (6) emotional distress. Opp’n at 24–28. Each of these

harms, Plaintiffs argue, is sufficient to establish causation and injury. To support that argument,

however, Plaintiffs cite only cases considering the injury-in-fact requirement for standing. See,

e.g., Opp’n at 24–27. That won’t do because “[p]laintiffs may satisfy the Article III injury-in-

fact requirement and yet fail to adequately plead damages for a particular cause of action.”

Attias III, 365 F. Supp. 3d at 9. Moreover, D.C. law, which holds that “speculative harm, or the

threat of future harm—not yet realized—does not suffice to create a cause of action for

negligence,” forecloses many of Plaintiffs’ alleged forms of damages. In re Estate of Curseen v.

Buchanan Ingersoll, P.C., 890 A.2d 191, 193 n.3 (D.C. 2006). After considering each of

Plaintiffs’ theories of actual harm under D.C. law, the Court concludes that Keown’s claim

survives, while Angus’s does not.

20 i) Heightened Risk of Misuse & Mitigation Efforts

The District of Columbia Court of Appeals has expressly declined to treat heightened risk

of misuse of personal information and lost time spent on mitigation measures as actual damages

for the purpose of a negligence claim in the data breach context. See Randolph, 973 A.2d at 708.

Randolph precludes recovery on this theory for Angus, who alleges solely that she “faces a

substantial risk” of “illegal schemes,” that she expended “time and effort” to mitigate any effect

of the data breach, and that she “may incur out-of-pocket costs for protective measures” in the

future. Am. Compl. ¶¶ 150–52; see also Randolph, 973 A.2d at 708 (“To the extent that

[plaintiffs] allege actual harm from expenses they have incurred to undertake credit monitoring

or other security measures to guard against possible misuse of their data, they have alleged an

injury that is ‘not the result of any present injury, but rather the [result of] the anticipation of

future injury that has not materialized.’” (quoting In re Estate of Curseen, 890 A.2d at 194)).

By contrast, Keown alleges that his PII was “disseminated on the dark web” because of

the data breach and that he has “experienc[ed] an increase in spam calls, texts, and/or emails.”

Am. Compl. ¶¶ 139–40. He further alleges that he has “spent significant time” dealing with

these effects that he “otherwise would have spent on other activities, including but not limited to

work and/or recreation.” Id. ¶ 137. This expenditure of time is much closer to the present injury

of scammers using Keown’s PII than to efforts to mitigate potential future harm. As a result,

Keown “has gone well beyond pleading the anticipation of future injury and has instead alleged

an actual injury resulting from [SMART’s] conduct” sufficient to support a negligence claim

under D.C. law. Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 37 (D.D.C. 2020)

(considering a plaintiff whose PII was posted on social media).

21 ii) Lost Value

Plaintiffs next contend that they were harmed by “lost benefit of the bargain” and “lost or

diminished value of PII.” Am. Compl. ¶¶ 131, 198; Opp’n at 25–27. This argument fails. Even

under the more lenient standard for injury-in-fact, courts in this district have rejected the benefit-

of-the-bargain theory, including in the commercial context where plaintiffs have allegedly “paid

money that could have gone towards a better data-security policy.” In re Sci. Applications Int’l

Corp. Backup Tape Data Theft Litig. (“SAIC”), 45 F. Supp. 3d 14, 30 (D.D.C. 2014); see

Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1, 13–14 (D.D.C. 2015); Attias

III, 365 F. Supp. 3d at 12. Plaintiffs here would not have been able to satisfy even this rejected

theory given that they have not alleged that they paid any money that could have gone to data

security. Consequently, their unsupported allegations that their union memberships somehow

lost value because of a data breach that occurred years after they left the union certainly fails the

more stringent standard of actually pleading damages.

The Court similarly finds the alleged loss of value of Plaintiffs’ PII insufficient to state a

claim of actual damages. As two courts in this district have observed in rejecting this theory in

the injury-in-fact context, Plaintiffs “do not allege facts to support the inference of their

allegation that their personal information became less valuable as a result of the [data] breach or

that they attempted to sell their information and were rebuffed because of a lower price-point

attributable to the breach.” Welborn v. Internal Revenue Serv., 218 F. Supp. 3d 64, 78 (D.D.C.

2016). Though Plaintiffs allege that personal information “can be sold at a price ranging from

$40 to $200” and that theirs has now decreased in “rarity,” Am. Compl. ¶¶ 71, 153, the

“[p]laintiffs do not contend that they intended to sell [their] information on the cyber black

market in the first place, so it is uncertain how they were injured by this alleged loss,” SAIC, 45

22 F. Supp. 3d at 30. To the contrary, Keown and Angus both allege that they are “very careful

about sharing [their] Private Information.” Am. Compl. ¶¶ 135, 146. Because Plaintiffs do not

show how they were injured by any alleged loss in value of their PII, this theory does not support

their negligence claim.

iii) Privacy

Plaintiffs next contend that they have experienced a loss of privacy due to the data

breach. Id. ¶¶ 138, 156. Injury to a legally recognized intangible interest, such as a plaintiff’s

privacy, may constitute “damage to the interests of the plaintiff” sufficient to support a claim of

negligence if the defendant has a duty to prevent such damage. District of Columbia v. Cooper,

483 A.2d 317, 321 (D.C. 1984); see also Tyson v. District of Columbia, No. 20-CV-1450 (RC),

2021 WL 860263, at *3 (D.D.C. Mar. 8, 2021) (sustaining a negligence claim where the injury

was “restriction[] on [the plaintiff’s] liberty” resulting from failure to timely release him from

prison); cf. SAIC, 45 F. Supp. 3d at 29 (holding that plaintiffs whose stolen data was used had

claimed an “injury to their privacy” sufficient for standing purposes). However, “[f]or a person’s

privacy to be invaded, their personal information must, at a minimum, be disclosed to a third

party.” SAIC, 45 F. Supp. 3d at 28.

Mr. Keown has plausibly alleged that public disclosure on the dark web of his social

security number and name, as well as possibly other information, constitutes an actual harm to

his interest in privacy that is both judicially cognizable and recognized at common law. See

Randolph, 973 A.2d at 710 (“In this age of identity theft and other wrongful conduct through the

unauthorized use of electronically-stored data, . . . conduct giving rise to unauthorized viewing of

personal information such as a plaintiff’s Social Security number and other identifying

information can constitute an intrusion that is highly offensive to any reasonable person, and

23 may support an action for invasion of privacy[.]”); Magruder v. Cap. One, Nat’l Ass’n, 540 F.

Supp. 3d 1, 11 (D.D.C. 2021) (“[T]here is ‘a significant history, including at common law, of

lawsuits based on [] the unauthorized disclosure of a person’s private information[.]’” (quoting

Gambles v. Sterling Infosystems, Inc., 234 F. Supp. 3d 510, 522 (S.D.N.Y. 2017)). Though

“invasion of privacy” is an intentional tort, Randolph, 973 A.2d at 711, “one incident may give

rise to claims of intentional tort or negligence,” if “presented individually and founded on

appropriate evidence.” Sabir v. District of Columbia, 755 A.2d 449, 452 (D.C. 2000). In this

case, Keown has plausibly alleged “that the defendant, in the process of engaging in the conduct

that included the intentional tort, was also breaching another recognized duty owed the plaintiff.”

McCracken v. David Walls–Kaufman, 717 A.2d 346, 351 (D.C. 1998). He has therefore

plausibly alleged a negligence claim separate from the elements of an intentional tort.

Ms. Angus, on the other hand, does not allege that her PII “has been viewed nor that [her]

information has been exposed in a way that would facilitate easy, imminent access.” SAIC, 45

F. Supp. 3d at 29. The hackers may have accessed the records of 62,000 individuals, but they

did not necessarily “read, cop[y], or underst[an]d [every individual’s] data.” Id. (citing Reilly v.

Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011)). Unlike Keown, Angus does not allege any

present effects of the data breach demonstrating that her PII was publicly disclosed or even

actually compromised. See Am. Compl. ¶ 37 (noting that recipients of the notice of breach only

“may have [had data] involved”). Accordingly, Keown has stated a claim under this theory, but

Angus has not.

24 iv) Emotional Distress

Finally, both Keown and Angus allege they have suffered emotional distress in

connection with the data breach.3 Keown claims he experiences “fear, anxiety, and stress” as a

result of the publication of his PII on the dark web following the breach. Id. ¶ 141. Because this

emotional distress stems from the invasion of another legally protected interest—one in

privacy—Keown may seek so-called “parasitic” damages. Hedgepeth, 22 A.3d at 809

(“Damages for emotional distress also are awarded as part of compensation for violation of

statutory and common law rights that result in foreseeable emotional distress.”). Angus,

however, does not tie her claimed emotional distress to any other theory of injury. And in the

District of Columbia, “[t]o state a claim where emotional distress is the only injury suffered, the

plaintiff must satisfy either the ‘zone of physical danger’ rule . . . or the special relationship and

undertaking rule[.]” Attias III, 365 F. Supp. 3d at 16 (first quoting Williams v. Baker, 572 A.2d

1062 (D.C. 1990) (en banc); then citing Hedgepeth, 22 A.3d at 810). Angus does not allege that

the data breach placed her in physical danger, and Plaintiffs have disclaimed reliance on a special

relationship theory. See Opp’n at 18 (“It is not the ‘special relationship’ between the Parties here

that forms the duty.”). Therefore, Angus cannot rest her negligence action on emotional-distress

damages alone.

In sum, Keown has plausibly alleged that the data breach resulted in time spent

responding to scammers, an invasion of his privacy, and emotional distress. Because his injuries

are neither purely economic nor purely emotional, Keown need not allege a special relationship

3 While the amended complaint does not directly state that Angus has experienced emotional distress, it generally alleges that the “Plaintiffs and the Class have suffered . . . emotional distress.” Am. Compl. ¶ 200. The Court will evaluate this claim as if directly alleged by Angus.

25 to recover. See Gutrejman v. United States, 527 F. Supp. 3d 1, 8 (D.D.C. 2021) (noting that the

“economic loss doctrine” “bars recovery ‘of purely economic losses in negligence, subject to

only one limited exception where a special relationship exists’” (quoting Aguilar v. RP MRP

Wash. Harbour LLC, 98 A.3d 979, 985–86 (D.C. 2014)). On the other hand, Angus fails to

plausibly allege any present injury sufficient to support a claim of negligence because she has

not alleged that her PII was viewed, published, or used in any way. The Court will therefore

deny SMART’s motion to dismiss Count 1 as to Keown but grant the motion as to Angus.

3. Breach of Implied Contract

Count 3 of the amended complaint alleges that when Plaintiffs entrusted SMART with

their PII, the parties entered into an implied contract for SMART to

(a) use such PII for business purposes only, (b) take reasonable steps to safeguard that PII, (c) prevent unauthorized disclosures of the PII, (d) provide Plaintiffs and Class Members with prompt and sufficient notice of any and all unauthorized access and/or theft of their PII, (e) reasonably safeguard and protect the PII of Plaintiffs and Class Members from unauthorized disclosure or uses, [and] (f) retain the PII only under conditions that kept such information secure and confidential.

Am. Compl. ¶¶ 223–29. They further allege that SMART “promulgated, adopted, and

implemented written privacy policies whereby it expressly promised Plaintiffs and Class

Members that it would only disclose PII under certain circumstances, none of which relate to the

Data Breach” and “promised to comply with industry standards and to make sure that Plaintiffs’

and Class Members’ PII would remain protected.”4 Id. ¶¶ 233–34. Plaintiffs also claim to have

had the “reasonable belief and expectation that Defendant would use part of its earnings to obtain

adequate data security.” Id. ¶ 235. Yet SMART purportedly “breached the implied contracts it

4 The Court understands Plaintiff’s reference to “written privacy policies” that include “express[] promise[s]” solely as evidence supporting the existence of an implied contract, rather than as the basis for an express contract. See Am. Compl. ¶ 233.

26 made with Plaintiffs and the Class by failing to safeguard and protect their personal information,

by failing to delete the information of Plaintiffs and the Class once the relationship ended, and by

failing to provide accurate notice to them that personal information was compromised as a result

of the Data Breach,” causing damages to Plaintiffs. Id. ¶¶ 239–40.

As with Plaintiffs’ negligence claims, SMART first contends that this claim is preempted

by federal law and then asserts that Plaintiffs fail to state a claim.

SMART posits that Plaintiffs’ breach-of-implied-contract claim is preempted by section

301(a) of the Labor Management Relations Act (“LMRA”). Mot. Dismiss at 23–25. Section

301 preempts application of state law “only if such application requires the interpretation of a

collective-bargaining agreement.” Lingle v. Norge Div. of Magic Chef, Inc., 486 U.S. 399, 413

(1988)). “[Section] 301 pre-emption merely ensures that federal law will be the basis for

interpreting collective-bargaining agreements, and says nothing about the substantive rights a

[s]tate may provide to workers when adjudication of those rights does not depend upon the

interpretation of such agreements.” Id. at 409.

The parties here are governed by a union constitution, which “is a ‘contract’ within the

plain meaning of § 301(a).” United Ass’n of Journeymen & Apprentices v. Loc. 334, 452 U.S.

615, 622 (1981). So, if the breach-of-implied-contract claim relied on the SMART Constitution,

the claim would be preempted. See Mot. Dismiss at 24 (citing Saunders v. Hankerson, 312 F.

Supp. 2d 46, 72 (D.D.C. 2004)). But Plaintiffs’ claim is neither predicated on nor requires

interpretation of the SMART Constitution. Indeed, the Constitution, which is attached as an

exhibit to the union’s motion to dismiss, nowhere references SMART’s data security obligations.

27 Accordingly, the Court need not look to or interpret the Constitution in evaluating Plaintiffs’

claims, and Plaintiffs’ breach-of-implied-contract claims are not preempted by LMRA § 301.

b. Validity of the Claim

Plaintiffs rest their breach-of-implied-contract claim largely on SMART’s receipt of

highly sensitive PII and alleged representations concerning data security. Opp’n at 33–34.

“Under D.C. law, an implied-in-fact contract contains ‘all necessary elements of a binding

agreement,’ differing from other contracts ‘only in that it has not been committed to writing’ and

is instead ‘inferred from the conduct of the parties.’” Camara v. Mastro’s Rests. LLC, 952 F.3d

372, 375 (D.C. Cir. 2020). To prevail on a breach-of-implied-contract claim, then, a party must

establish “(1) a valid contract between the parties; (2) an obligation or duty arising out of the

contract; (3) a breach of that duty; and (4) damages caused by breach.” Shaffer v. Geo. Wash.

Univ., 27 F.4th 754, 762 (D.C. Cir. 2022). “[A]ll the necessary elements of an express

contract—including offer, acceptance, and consideration—must be shown in order to establish

the existence of an implied-in-fact contract.” Paul v. Howard Univ., 754 A.2d 297, 311 (D.C.

2000). SMART contends that the amended complaint flunks these requirements because it fails

to show (1) consideration, (2) agreement as to material terms, and (3) intent to be bound. Mot.

Dismiss at 25–27. Plaintiffs respond that providing their PII so that SMART could fulfill its

union duties was consideration, and that SMART’s acceptance of the information manifested

assent and an intent to reasonably protect it from unlawful access. Opp’n at 33–36. The Court

agrees with Plaintiffs.

“[I]t is difficult to imagine how, in our day and age of data and identity theft, the

mandatory receipt of Social Security numbers or other sensitive personal information would not

imply the recipient’s assent to protect the information sufficiently.” Attias VII, 2023 WL

28 5952052, at *6 (quoting Castillo v. Seagate Tech., LLC, No. 16-CV-01958 (RS), 2016 WL

9280242, at *9 (N.D. Cal. Sept. 14, 2016)). The Court then joins numerous other courts in

concluding that an obligation to “reasonably safeguard the [plaintiffs’] PII from unauthorized

access or disclosure” is sufficiently definite to support an implied contract. Am. Compl. ¶ 232;

see also, e.g., Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011). Moreover,

SMART’s affirmative representation on its website that it “has security measures in place to

protect against the loss, misuse[,] or alteration of information collected from visitors to the web

site” supports an inference that the organization implicitly promised “its union members,

including Plaintiffs and Class Members, that the PII collected from them as a condition of being

a union member at SMART would be kept safe, confidential, [and] that the privacy of that

information would be maintained,” even if Plaintiffs did not submit their PII through SMART’s

website. Am. Compl. ¶¶ 29–30. While discovery may show that SMART did provide

reasonable safeguards for the data, this potential evidence goes to the question of breach, not

whether an implied contract was formed.

SMART does not dispute that, to the extent Plaintiffs have plausibly pled an implied

contract, they have also plausibly pled its breach. See id. ¶ 239 (alleging SMART’s breach).

And because “it is enough for the plaintiff to describe the terms of the alleged contract and the

nature of the defendant’s breach” to “state a claim for breach of contract [sufficient] to survive a

Rule 12(b)(6) motion to dismiss,” the Court denies SMART’s motion to dismiss Count 3.

Francis v. Rehman, 110 A.3d 615, 620 (D.C. 2015) (quoting Nattah v. Bush, 605 F.3d 1052,

1058 (D.C. Cir. 2010)); see also Wright v. Allen, 60 A.3d 749, 753 & n.3 (D.C. 2013).5

5 As the Court has observed in the past, Wright and Francis are in some tension with the D.C. Court of Appeals’ earlier decisions in Cahn v. Antioch University, 482 A.2d 120 (D.C. 1984), and Osbourne v. Capital City Mortgage Corp., 727 A.2d 322 (D.C. 1999), which appeared

29 4. Unjust Enrichment

Count 4 of the amended complaint alleges that SMART was unjustly enriched by

Plaintiffs’ submission of their PII. Am. Compl. ¶¶ 243–54. To state a claim for unjust

enrichment, Plaintiffs must show “(1) [they] conferred a benefit on the defendant; (2) the

defendant retains the benefit; and (3) under the circumstances, the defendant’s retention of the

benefit is unjust.” Peart, 972 A.2d at 813–14. This “quasi-contract” is “not really a contract, but

a legal obligation closely akin to a duty to make restitution.” Bloomgarden v. Coyer, 479 F.2d

201, 210 (D.C. Cir. 1973). “In general, a plaintiff cannot maintain an unjust enrichment claim

concerning an aspect of the parties’ relationship that was governed by a contract.” Smith v.

Rubicon Advisors, LLC, 254 F. Supp. 3d 245, 249–50 (D.D.C. 2017) (citing In re APA

Assessment Fee Litig., 766 F.3d at 46); see also Bloomgarden, 479 F.2d at 210 (noting that this

principle extends to implied contracts). Here, the Court need not consider whether Plaintiffs may

plead unjust enrichment in the alternative to their breach-of-implied-contract claim because they

have failed to plead unjust enrichment as a matter of law.

Plaintiffs assert that they conferred a benefit on SMART in the form of valuable PII and

that the union’s retention of benefits derived from the information is unjust given its failure to

secure that information against breach. Opp’n at 37–38. This argument suffers from three

defects.

First, even assuming Plaintiffs’ data has some intrinsic value, the amended complaint

does not explain how SMART “derived a substantial economic benefit” from receiving or

to require proof of actual damages to state a claim for breach of contract. See Attias v. CareFirst, Inc. (“Attias V”), 518 F. Supp. 3d 43, 52 (D.D.C. 2021). However, as in Attias V, the Court will “defer to the most recent decisions of the state’s highest court” and allow Plaintiffs’ breach-of- contract claims to proceed. Id. (quoting Easaw v. Newport, 253 F. Supp. 3d 22, 34 (D.D.C. 2017)).

30 retaining it beyond “perform[ing] the services it provides.” Am. Compl. ¶ 35. Nor does it say

how performing those services benefitted SMART rather than Plaintiffs as its members. Second,

though Plaintiffs allege that the data breach somehow shows they were “not fully

compensate[d]” for their PII, id. ¶ 247, they do not allege that they provided the union their PII

with an understanding that they would be paid for it. Where, as here, a “plaintiff did not

contemplate a personal fee, or the defendant could not have reasonably supposed that he did,”

restitution is an inappropriate remedy. See Bloomgarden, 479 F.2d at 211–12. And third, under

D.C. law, “unjust enrichment should be limited or denied if ‘the proper measure of recovery

poses insurmountable difficulties of calculation.’” Salem Media Grp., Inc. v. Awan, 301 A.3d

633, 660 (D.C. 2023) (deciding that a defamation plaintiff could not seek disgorgement of profits

from a defamatory book because it would be impossible to determine how much profit came

from the defamatory statements alone). It is unclear from the amended complaint what funds

Plaintiffs request when they ask for “refunds, restitution, and/or damages . . . and/or an order

proportionally disgorging all profits, benefits, and other compensation obtained by Defendant

from its wrongful conduct.” Am. Compl. ¶ 253. Though Plaintiffs restate several harms they

allegedly experienced as a result of the breach, id. ¶ 252, “[w]here there has been an unjust

enrichment, the plaintiff’s remedy is restitution, which is typically measured by reference to the

defendant’s gain rather than the plaintiff’s loss.” Peart, 972 A.2d at 820. Plaintiffs’ failure to

state what exactly SMART gained is therefore fatal to their unjust enrichment claim.

This conclusion does not conflict with Plaintiffs’ cited authorities. In every cited case

upholding a claim of unjust enrichment in the data breach context, the defendant clearly

“profited from [the plaintiff’s] purchase” of goods or services. Rudolph v. Hudson’s Bay Co.,

No. 18-CV-8472 (PKC), 2019 WL 2023713, at *12 (S.D.N.Y. May 7, 2019); see also In re

31 Ambry Genetics Data Breach Litig., 567 F. Supp. 3d at 1145 (“Plaintiffs allege that they paid

Defendants money for Defendants’ services, and expected that a portion of their payments would

go toward ‘data management and security.’”); In re Unite Here, 2024 WL 3413941, at *13 (“If

plaintiffs’ payment of this union dues included a requirement that a portion of the dues would go

to data security . . . and defendant instead shirked that duty (resulting in the data’s theft),

defendant would have arguably been unjustly enriched to the extent of those improper savings.”).

It is unclear whether the D.C. Court of Appeals would allow unjust enrichment claims to proceed

on such a theory. But even if it did, the amended complaint does not identify any profit reaped

by SMART that is attributable to use of Plaintiffs’ data, nor does it allege that Plaintiffs gave

SMART any money that should have been used for data security. The Court will therefore grant

SMART’s motion to dismiss Count 4.

C. Statutory Claims

Finally, Angus brings claims under the California Unfair Competition Law (“UCL”) and

California Consumer Privacy Act (“CCPA”) on behalf of a putative California subclass. The

UCL prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive,

untrue or misleading advertising[.]” Cal. Bus. & Prof. Code § 17200. The CCPA requires

“business[es] that collect[] a consumer’s personal information [to] implement reasonable security

procedures and practices appropriate to the nature of the personal information to protect the

personal information from unauthorized or illegal access, destruction, use, modification, or

disclosure[.]” Cal. Civ. Code § 1798.100. SMART moves to dismiss both claims on the ground

that these statutes, largely created for consumer protection, do not apply to it as a labor union.

Mot. Dismiss at 31–32, 35–36. Angus responds that discovery is needed to determine whether

SMART is engaged in commercial business practices as alleged in the amended complaint.

32 Opp’n at 38–39, 41–42. Again, the Court must begin with a choice-of-law analysis. See In re

APA Assessment Fee Litig., 766 F.3d at 51 (applying choice-of-law analysis to statutory

consumer protection claim); Pietrangelo v. Wilmer Cutler Pickering Hale & Dorr, LLP, 68 A.3d

697, 713–14 (D.C. 2013) (same). It concludes that there is no true conflict, so D.C. law applies,

under which Angus does not have a cause of action.

The Court first finds that both California and the District of Columbia have an interest in

having their laws applied. California has an interest in applying the UCL, which “manifest[s]

California’s obvious interest in protecting its residents from fraud.” In re APA Assessment Fee

Litigation, 766 F.3d at 52 (internal quotation marks omitted). The District of Columbia has a

similar interest manifested in its Consumer Protection Procedures Act (“DCPPA”), D.C. Code

§§ 28–3901 et seq., which “prohibits a wide variety of deceptive trade practices perpetrated

against consumers,” In re APA Assessment Fee Litigation, 766 F.3d at 52 (quoting Busby v.

Capital One, N.A., 772 F. Supp. 2d 268, 279 (D.D.C. 2011)).

Both jurisdictions also have an interest in applying their data security laws—for

California, the CCPA, and for the District of Columbia, the Consumer Security Breach

Notification Act (“CSBA”), codified as amended at D.C. Code § 28–3851, et seq. As relevant

here, the CSBA requires entities that “possess personal information of an individual residing in

the District” to implement “reasonable security safeguards.” D.C. Code. §§ 28–3852.01. These

jurisdictions maintain these interests regardless of whether their substantive laws provide or

withhold liability in this particular situation. See In re APA Assessment Fee Litig., 766 F.3d at

52 (“A ‘rule which exempts the actor from liability for harmful conduct’ may embody an interest

in protecting ‘defendants against being harassed by such actions.’” (quoting Restatement

33 (Second) of Conflict of Laws § 145 cmt. c (1971)). As a result, because more than one

jurisdiction has an interest in the dispute, the next issue is whether their laws are in true conflict.

All the relevant statutes appear to foreclose Angus’s suit because SMART is a labor

union, not a commercial business. The DCPPA reads:

An action brought by a person under this subsection against a nonprofit organization shall not be based on membership in such organization, membership services, training or credentialing activities, sale of publications of the nonprofit organization, medical or legal malpractice, or any other transaction, interaction, or dispute not arising from the purchase or sale of consumer goods or services in the ordinary course of business.

D.C. Code § 28–3905(k)(5). This provision also applies to enforcement of the CSBA. See D.C.

Code § 28–3853 (providing that a violation of the CSBA is enforceable as an “unfair or

deceptive trade practice” pursuant to the DCPPA). The DCPPA defines a “nonprofit

organization” as an entity that “[i]s neither organized nor operating, in whole or in significant

part, for profit.” Id. § 28-3901(a)(14). Similarly, the CCPA applies only to “business[es],” Cal.

Civ. Code § 1798.150, and defines a business as “[a] sole proprietorship, partnership, limited

liability company, corporation, association, or other legal entity that is organized or operated for

the profit or financial benefit of its shareholders or other owners.” Cal. Civ. Code

§ 1798.140(d)(1). As for the UCL, both state and federal courts in California have found it

inapplicable to voluntary member associations unless the dispute arises from the sale of goods.

See That v. Alders Maint. Ass’n, 142 Cal. Rptr. 3d 458, 464 (Cal. Ct. App. 2012) (finding that a

homeowners’ association was not subject to the UCL because the association “d[id] not

participate as a business in the commercial market, much less compete in it”); Babb v. California

Tchrs. Ass’n, 378 F. Supp. 3d 857, 882 n.13 (C.D. Cal. 2019), aff’d sub nom. Martin v.

California Tchrs. Ass’n, No. 19-55761, 2022 WL 256360 (9th Cir. Jan. 26, 2022) (“[T]he UCL

claim fails because the Union Defendants are not a ‘business’ and collecting agency fees in

34 compliance with state law is not a ‘business act or practice.’”); Bermudez v. Serv. Emps. Int’l

Union, Loc. 521, No. 18-CV-04312 (VC), 2019 WL 1615414, at *1, n.1 (N.D. Cal. Apr. 16,

2019). Because SMART’s purported failures to “implement and maintain reasonable security

and privacy measures” is not alleged to have arisen from the sale of goods, Angus’s UCL claim

would similarly fail. See Am. Compl. ¶¶ 258, 261. Therefore, application of any of these laws

would “produce the identical result as D.C. law,” so there is no true conflict and D.C. law applies

by default. Pietrangelo, 68 A.3d at 714.

Angus’s primary response is that discovery is necessary to determine whether SMART is

“organized or operated for the profit or financial benefit of its owners,” Am. Compl. ¶ 269, as

she alleges in the complaint. See Opp’n at 38–39, 41–42. But the Court need not “accept as true

the complaint’s factual allegations insofar as they contradict exhibits to the complaint or matters

subject to judicial notice.” Kaempe v. Myers, 367 F.3d 958, 963 (D.C. Cir. 2004). SMART’s

public filings with the Internal Revenue Service, of which the Court may take judicial notice,

confirm that it is tax exempt organization pursuant to 26 U.S.C. § 501(c)(5). See International

Association of Sheet Metal Air Rail and Transportation Workers, Internal Revenue Serv.,

https://perma.cc/79L6-8AHB (EIN: XX-XXXXXXX); Arab v. Blinken, 600 F. Supp. 3d 59, 63 n.1

(D.D.C. 2022) (“The Court may take judicial notice of information posted on official public

websites of government agencies.” (citing Cannon v. District of Columbia, 717 F.3d 200, 205 n.2

(D.C. Cir. 2013))). And a 501(c)(5) organization must, by law, “[h]ave no net earnings inuring

to the benefit of any member.” 26 C.F.R. § 1.501(c)(5)–1(a). Because SMART is a nonprofit

and Angus’s claim does not “aris[e] from the purchase or sale of consumer goods or services,”

the DCCPA, like the CCPA and UCL, does not provide a cause of action. D.C. Code § 28–

3905(k)(5). Accordingly, the Court will dismiss Counts 5 and 6 of the amended complaint.

35 ***

In conclusion, Keown has plausibly alleged a common-law negligence claim (Count 1),

and both Plaintiffs have alleged a breach-of-implied-contract claim (Count 3) against SMART.

The Court will dismiss all other counts for failure to state a claim.

IV. Conclusion

For these reasons, it is hereby

ORDERED that [ECF No. 13] Defendant’s Motion to Dismiss is GRANTED in part and

DENIED in part. The Court hereby dismisses Counts 2, 4, 5, and 6 as they apply to both

plaintiffs and dismisses Count 1 as it applies to Plaintiff Angus. It is further

ORDERED that SMART shall file an Answer to the remaining claims by October 3,

2024.

SO ORDERED.

CHRISTOPHER R. COOPER United States District Judge

Date: September 19, 2024