LINDQUIST v. NCB MANAGEMENT SERVICES, INC.

• Court: District Court, E.D. Pennsylvania
• Decided: September 11, 2024
• Docket: 2:23-cv-01236
• Status: Unknown

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA

IN RE NCB MANAGEMENT SERVICES, : CIVIL NO. 23-1236 INC. DATA BREACH LITIGATION : : This Document Applies To: : : ALL ACTIONS :

MEMORANDUM OPINION

Scott, J. September 11, 2024 In this putative class action arising out of a data breach of the computer systems of defendant NCB Management Services (“NCB”), a debt collection and accounts receivable management company, the plaintiffs allege that NCB failed to adequately safeguard their personal data, which was compromised as a result of the data breach. The plaintiffs are former banking and credit services customers of defendants Bank of America Corporation (“BOA”) and/or Pathward, N.A. (“Pathward”) (collectively, the “Bank Defendants”),1 which were financial institution customers of NCB, and NCB acquired plaintiffs’ personally identifiable information (“PII”) from the Bank Defendants when they hired it to service, manage and collect outstanding balances on their customers’ accounts. The named plaintiffs assert claims on their own behalf and on behalf of a proposed nationwide class against NCB for negligence, as well as statutory, contractual and other common law causes of action, contending that NCB failed to properly secure and safeguard the plaintiffs’ PII against unauthorized access, disclosure and exfiltration. They claim that as a

1 While the motions to dismiss were pending, the plaintiffs voluntarily dismissed the bank defendants from the case. See Not. of Dismissal With Prejudice (ECF No. 103). Because there are numerous allegations in the complaint about the bank defendants, this opinion will refer to BOA and Pathward as defendants to keep the references to those parties consistent. result of the data breach, they suffered a variety of unauthorized activity on their accounts and other damages. NCB moves to dismiss eight of the sixteen named plaintiffs for lack of standing because they failed to allege a concrete injury. It also moves to dismiss fifteen of the seventeen claims that

plaintiffs have asserted against it pursuant to Rule 12(b)(6) for failure to state a claim for which relief can be granted. For the reasons that follow, the Court will grant NCB’s motion in its entirety. BACKGROUND NCB is a debt collection and accounts receivable management company based in Trevose, Pennsylvania, that provides account services to financial institutions and lenders, such as BOA and Pathward. See Plaintiffs’ Consolidated Class Action Complaint (“Compl.”) (ECF No. 24) ¶ 1. Plaintiffs allege that NCB developed its policies and made its decisions regarding its data security systems and management in Pennsylvania, where its principal business operations are located. Id. ¶ 28. BOA, which is based in North Carolina, and Pathward, which is based in South Dakota, provide banking and credit products to consumers. Id. ¶¶ 47-48. BOA and Pathward

hired NCB to service, manage, and collect outstanding and overdue balances on their customer accounts, which included accounts of the sixteen named plaintiffs and other similarly situated putative class members.2 As part of that contract, the Bank Defendants provided NCB with their customers’ personally identifiable information (“PII”), which included first and last names, addresses, phone numbers, email addresses, dates of birth, employment positions, pay amounts, driver’s license numbers, Social Security numbers, account numbers, credit card numbers, routing numbers, account balances, and/or account statuses. Id. ¶¶ 2, 70–71.

2 For ease of reference, when the court refers to the “plaintiffs,” it is assumed that it is referring to the putative class members as well. The plaintiffs allege that on February 4, 2023, NCB discovered that an unauthorized third party had gained access to its systems on February 1, 2023, where NCB stored plaintiffs’ PII (the “Data Breach”). NCB first publicly announced the Data Breach on or around March 24, 2023. Id. ¶ 7. It turns out that the Data Breach was much larger than NCB initially disclosed and was a part

of a companywide ransomware attack affecting NCB’s systems and servers. On or around May 23, 2023, NCB issued an additional public announcement that the number of people affected by the Data Breach was approximately 1,087,842 – more than double the initial estimate. Id. ¶ 8. The plaintiffs allege that as a result of the Data Breach, substantial amounts of their PII were compromised, exfiltrated and stolen. Id. ¶¶ 14-15. The crux of the plaintiffs’ claims is that NCB failed to properly secure and safeguard the plaintiffs’ PII against unauthorized access, disclosure and exfiltration, despite its legal duties, obligations and promises to do so. Id. ¶¶ 3-5. They allege that NCB is responsible for allowing the Data Breach to occur because of multiple acts of negligence, including in the design and implementation of reasonable data security systems and safeguards; in the hiring, supervision and

training of its employees and vendors; and in its failure to comply with industry-standard data security practices and federal and state laws and regulations that govern data security and privacy practices. Had NCB not committed these negligent acts, they claim that it would have prevented the Data Breach, and/or detected that its systems had been accessed by an unauthorized third party sooner. Id. ¶¶ 12-14. They claim that NCB acquired, collected, stored, utilized, and derived a benefit from their PII, and assumed statutory, regulatory, contractual, and common law duties and obligations to keep it confidential, safe, secure, and protected from the type of reasonably foreseeable unauthorized access, disclosure, and theft that occurred in this case. The plaintiffs assert claims on their own behalf and on behalf of a nationwide class against NCB3 for negligence; negligence per se based on violations of the Federal Trade Commission Act and the Driver’s Privacy Protection Act (“DPPA”); willful and negligent violations of the Fair Credit Reporting Act; breach of implied contract; breach of a contract to which plaintiffs were

intended third-party beneficiaries; invasion of privacy; unjust enrichment; violation of the DPPA; and for relief under the Declaratory Judgment Act. A subset of the named plaintiffs assert claims on behalf of proposed sub-classes for violations of various state consumer protection laws: the California-based plaintiffs assert state law statutory claims under the California Customer Records Act; the California Unfair Competition Law, the California Consumers Legal Remedies Act; and the California Consumer Privacy Act on behalf of themselves and on behalf of a proposed state sub-class. The New York-based plaintiff, on behalf of a proposed sub-class, brings a claim under the New York General Business Law. The Florida-based plaintiff asserts a claim under the Florida Deceptive and Unfair Trade Practices Act on behalf of a proposed sub-class. Finally, two Massachusetts-based plaintiffs assert a claim on behalf of a proposed sub-class under the

Massachusetts Consumer Protection Act. NCB’s motion seeks the dismissal of fifteen of the seventeen claims plaintiffs have asserted against it,4 and to dismiss eight of the named plaintiffs for lack of standing for failure to plead actual injury. BOA and Pathward moved to dismiss all of the claims asserted against them.

3 Specifically, the plaintiffs bring this case as a class action pursuant to Fed. R. Civ. P. 23(a), 23(b)(2), and (b)(3) on behalf of the following Nationwide Class: “All persons in the United States whose PII was compromised in the Data Breach first made public by NCB in March 2023, and as supplemented by NCB in May 2023.” Compl. ¶ 283. 4 The claims that it does not seek to dismiss are for negligence and for declaratory and injunctive relief. While the motions to dismiss were pending, the plaintiffs voluntarily dismissed the Bank Defendants from the case.5 Consequently, those motions have been denied as moot.6 In response to NCB’s motion, the plaintiffs withdrew their claims for violations of the Fair Credit Reporting Act, the California Customer Records Act, and for invasion of privacy. Consequently, these claims

will not be addressed in this opinion and will be dismissed. Because eight plaintiffs failed to allege a concrete injury, they will be dismissed from this action. Because the plaintiffs failed to state a claim for which relief can be granted on the remaining causes of action, these claims will be dismissed pursuant to Rule 12(b)(6). DISCUSSION Standing NCB moves to dismiss eight of the sixteen named plaintiffs for lack of standing.7 In the absence of Article III standing, a plaintiff has no “case” or “controversy” empowering the federal court to exercise jurisdiction. U.S. Const. art. III, § 2. Thus, a motion to dismiss predicated on a lack of standing presents a jurisdictional question and is “properly brought pursuant to Rule 12(b)(1).” Ballentine v. United States, 486 F.3d 806, 810 (3d Cir. 2007).8

A movant may assert a Rule 12(b)(1) challenge to subject matter jurisdiction as a facial or factual attack. Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016). A facial attack does not dispute the facts alleged in the complaint, and therefore the court applies essentially the same

5 See Not. of Dismissal With Prejudice (ECF No. 103). 6 See Orders dated Aug. 29, 2024 (ECF Nos. 104 and 105). 7 Specifically, NCB moves to dismiss plaintiffs Joseph Lindquist, Ernesto Medina, Benedict Lozada, Edward Del Hierro, Michael Teixeira, Jacqueline O’Brien, Kelly Matts, and Micael Martin. 8 For this reason, NCB should have moved to dismiss the eight plaintiffs for lack of standing pursuant to Rule 12(b)(1), not Rule 12(b)(6). Therefore, the Court will treat the portion of NCB’s motion to dismiss for lack of standing as having been brought under Rule 12(b)(1). standard as that in a motion to dismiss under Rule 12(b)(6). Const. Party of Pa. v. Aichele, 757 F.3d 347, 358 (3d Cir. 2014). The court reviewing a facial attack considers only “the allegations of the complaint and documents referenced therein and attached thereto, in the light most favorable to the plaintiff.” Id. (internal quotations omitted). Here, NCB’s motion presents a facial attack

because it argues that the eight plaintiffs lack Article III standing based solely on the allegations in the complaint. To establish Article III standing, the plaintiff must demonstrate “(1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.” Clemens v. ExecuPharm Inc., 48 F.4th 146, 152 (3d Cir. 2022) (quoting Thole v. U.S. Bank N.A., 590 U.S. 538, 540 (2020)). NCB challenges only the “concreteness” prong of the standing inquiry, contending that the eight plaintiffs have failed to adequately allege that they suffered concrete harms caused by the data breach. A concrete injury means it is real, not abstract. TransUnion LLC v. Ramirez, 594 U.S. 413,

424 (2021) (citation omitted). Intangible injuries, as well as harms that are difficult to prove or measure, can be concrete. Spokeo, Inc. v. Robins, 578 U.S. 330, 340–341 (2016). As the Third Circuit held in Clemens, in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.

Clemens, 48 F.4th at 155–56 (emphasis added). The court explained: For example, if the plaintiff’s knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury. Id. at 156. Other examples of additional, concrete harms include actual identity theft, tax fraud and an increase in receipt of spam calls. Rauhala v. Greater New York Mut. Ins., Inc., No. CV 22- 1788, 2022 WL 16553382, at *3 (E.D. Pa. Oct. 31, 2022) (plaintiff’s allegations of actual identity theft, out-of-pocket expenses to prevent, detect, and recover from identity theft and tax fraud, an increase in spam calls, and suffering anxiety and emotional distress from fear of public disclosure of her PII, constituted a concrete injury). NCB argues that plaintiffs Lindquist, Medina, Lozada, Del Hierro, Teixeira, O’Brien, Matts, and Martin have failed to adequately allege that their exposure to the risk of future harm has caused them a separate concrete harm to meet the “concreteness” requirement. According to

the complaint, the only damages these plaintiffs allege they have suffered was “spen[ding] time[, ranging from two to fifteen hours,] and effort researching the Data Breach and reviewing and monitoring [their] accounts for . . . suspicious activity and otherwise addressing the Data Breach.” See Compl. ¶¶ 208, 224, 228, 232, 256, 266, 270, 275. Noting that these eight plaintiffs allege only time spent monitoring their respective accounts for suspicious activity, with no associated out-of-pocket expenditures or impact on their health alone, NCB contends that this does not meet the standard of a “separate concrete harm” as required by Clemens. The plaintiffs acknowledge that when seeking damages, they must allege that “the exposure to the risk of future harm itself causes a separate concrete harm.” See Pls.’ Memo of Law in Opp’n

to Def. NCB’s Mot. to Dismiss (ECF No. 72) (“Pls.’ Br.”) at 5–6. They contend that they have met the “concreteness” requirement because the complaint alleges injuries of “invasion of privacy, out of pocket costs, loss of time, increased spam, [and] diminution of value of their PII.” Id. at 6 (citing Compl. ¶ 155). The eight plaintiffs at issue have failed to meet their burden of pleading that their exposure to the risk of future harm has caused them separate, concrete harms. While all of the alleged injuries listed in paragraph 155 of the complaint-- except for the loss of time spent-- constitute separate concrete harms, this paragraph lists all of the injuries claimed by all of the plaintiffs.

None of these eight plaintiffs have alleged that they specifically suffered any of these injuries. Only the other eight named plaintiffs allege these additional injuries.9 Thus, the eight plaintiffs that NCB contends lack standing fail to meet the “concreteness” requirement of the standing inquiry. Therefore, because the plaintiffs Lindquist, Medina, Lozada, Del Hierro, Teixeira, O’Brien, Matts, and Martin have not alleged a concrete injury, they lack standing to bring this action, and their claims will be dismissed pursuant to Federal Rule of Civil Procedure 12(b)(1).

Claims Raised in NCB’s Motion to Dismiss Pursuant to Rule 12(b)(6) Standard of Review

To survive a Rule 12(b)(6) motion, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556).

9 Specifically, the eight other plaintiffs allege that they spent money on credit monitoring (Mardikian); suffered actual fraud and/or identity theft (Suh, Meyer, Patterson, Bliss, and Ross); spent money to address fraud (Patterson); and received an increased number of spam calls (Palmer, Beeker). In considering a Rule 12(b)(6) motion to dismiss under Rule 12(b)(6), all well-pleaded allegations in the complaint are accepted as true and interpreted in the light most favorable to the plaintiff, and all inferences are drawn in the plaintiff’s favor. See McTernan v. City of York, 577 F.3d 521, 526 (3d Cir. 2009) (quoting Schrob v. Catterson, 948 F.2d 1402, 1408 (3d Cir. 1991)).

However, the plaintiff must allege facts necessary to make out each element of each claim he asserts. Mala v. Crown Bay Marina, Inc., 704 F.3d 239, 245 (3d Cir. 2013); Phillips v. County of Allegheny, 515 F.3d 224, 233 (3d Cir. 2008) (quoting Twombly, 550 U.S. at 563 n.8). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements,” are not sufficient. Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 556).

Breach of Implied Contract In Count VI, plaintiffs plead a breach of implied contract claim against NCB. In support of this claim, plaintiffs allege that they were required to provide NCB with their PII in exchange for use of NCB’s services. Compl. ¶ 366. When NCB accepted their PII, the parties mutually

assented to implied contracts with each other. Id. ¶ 367. As part of these contracts, plaintiffs reasonably understood that NCB implicitly agreed to adequately safeguard plaintiffs’ PII from foreseeable threats and to notify plaintiffs of a data breach within a reasonable amount of time. Id. Plaintiffs further allege that NCB made express and implied assurances that their PII would be safe in NCB’s custody by stating on its website that it applies “the highest in security standards,” and that plaintiffs reasonably expected NCB’s security practices to comply with government and industry standards. Id. ¶¶ 88-89, 368. Plaintiffs claim that NCB provided consideration by performing its services, while plaintiffs provided consideration by providing their valuable PII to NCB. Id. ¶ 369. NCB purportedly breached its implied contracts with plaintiffs by failing to implement reasonable data security measures, which caused them to sustain damages. Id. ¶¶ 372- 73. To plead a breach of contract, a plaintiff must plead “(1) the existence of a contract, including its essential terms, (2) a breach of a duty imposed by the contract and (3) resultant

damages.” Meyer, Darragh, Buckler, Bebenk & Eck, P.L.L.C. v. Law Firm of Malone Middleman, P.C., 137 A.3d 1247, 1258 (Pa. 2016). “A contract is formed when the parties to it 1) reach a mutual understanding, 2) exchange consideration, and 3) delineate the terms of their bargain with sufficient clarity.” Weavertown Transp. Leasing, Inc. v. Moran, 834 A.2d 1169, 1172 (Pa. Super. 2003). Mutual understanding, or a meeting of the minds, “requires the concurrence of both parties to the agreement.” Fabian v. Shenkan, 443 F. Supp. 3d 590, 595 (W.D. Pa. 2020). “Consideration consists of a benefit to the promisor or a detriment to the promisee.” Weavertown, 834 A.2d at 1172. An implied contract is formed in the same way as an express contract, except that courts infer the formation from the conduct of the parties:

A contract implied in fact is an actual contract which arises where the parties agree upon the obligations to be incurred, but their intention, instead of being expressed in words, is inferred from [their] acts in the light of the surrounding circumstances.

Liss & Marion, P.C. v. Recordex Acquisition Corp., 983 A.2d 652, 659 (Pa. 2009) (citation omitted). Intent to enter into an implied contract can be “gleaned from the parties’ ordinary course of dealing.” Longenecker-Wells v. Benecard Services Inc., 658 F. App’x 659, 662 (3d Cir. 2016) (quoting Liss & Marion, 983 A.2d at 659). However, unelaborated allegations do not support the elements of an implied breach of contract claim. Longenecker-Wells, 658 F. App’x at 662. NCB argues that plaintiffs have failed to allege that a contract existed between plaintiffs and NCB because the complaint lacks factual allegations supporting a meeting of the minds or an exchange of consideration. It contends there was no meeting of the minds because plaintiffs are customers of NCB’s clients - the Bank Defendants - not NCB. They provided their PII to either BOA or Pathward, and when plaintiffs developed overdue balances on their accounts, the banks provided that PII to NCB to collect on those outstanding balances. NCB notes that plaintiffs did

not plead any awareness of NCB’s existence or saw its website before they entered into their contracts with the banks. NCB contends that there was no exchange of consideration between the parties because plaintiffs provided their PII to the banks, not to NCB. Similarly, it provided its services to the banks, not the plaintiffs. The Court agrees with NCB that the complaint lacks factual allegations of a meeting of the minds or an exchange of consideration. The plaintiffs provided their PII to the Bank Defendants - not to NCB, and NCB provides debt collection services to the banks - not to plaintiffs. There was no direct interaction or communication between plaintiffs and NCB evidencing a meeting of the minds with the intent to enter into a contract for data security. As NCB points out, plaintiffs did not even know that NCB existed before they entered into their contracts with the banks.

While the plaintiffs argue that an implied contract “can be gleaned from the parties’ ordinary course of dealing” or “by looking to the surrounding facts of the parties’ dealings,” they fail to plead facts evidencing any such conduct or actions between the parties. Pleading just the disclosure of confidential information is not enough to create an implied contract to safeguard that data. See Barletti v. Connexin Software, Inc., No. 2:22-CV-04676-JDW, 2023 WL 6065884, at *2 (E.D. Pa. Aug. 17, 2023) (where defendant software provider of electronic medical records and other practice management services to pediatric physician practices suffered data breach of PII of plaintiff patients of the pediatric practices, and plaintiffs did not know they were giving their personal data to the defendant, and the only “surrounding circumstance” plead by plaintiffs evidencing an implied contract between them and defendant was the provision of their PII to the pediatric practices on the assumption that the data would be secure, court held there was no implied contract because they could not have had an agreement with the defendant when they did not know they were giving the data to it); Maude v. City of Philadelphia, Civ. A. No. 18-4080, 2018 WL

11306950, at *1 (E.D. Pa. Oct. 25, 2018) (dismissing breach of implied contract claim because it was based solely on the unsupported allegation that “the implied contract arose from the course of conduct between the Plaintiff and the Defendant.”); Longenecker-Wells, 658 F. App’x at 662 (affirming dismissal of breach of implied contract claim in case where employer required the plaintiffs to supply their PII as a prerequisite to employment because “naked assertions” that an agreement to safeguard the confidential data could be inferred from the parties’ “ordinary course of dealing” were not enough to state a claim). Nor do plaintiffs plead facts of any conduct or actions evidencing an exchange of consideration between the parties. The plaintiffs provided their PII to the banks, not to NCB, and NCB provided its services to the banks, not the plaintiffs. Consequently, there was no exchange

of consideration between the parties. Therefore, because the complaint lacks factual allegations supporting a meeting of the minds or an exchange of consideration, the claim for breach of implied contract against NCB will be dismissed.

Breach of Contracts to Which Plaintiffs Were Intended Third-Party Beneficiaries In Count XIX, the plaintiffs allege that NCB had valid contracts with the bank defendants, the “principal purpose” of which was to securely store, transmit, and safeguard the plaintiffs’ PII from the banks to NCB. Compl. ¶ 514. Plaintiffs argue that they were “clearly beneficiaries of those services,” as it was their PII being transmitted from the Bank Defendants to NCB, and they “had a reasonable expectation that NCB – who was entrusted with that information – would keep their PII safe and secure.” See Pls.’ Br. at 16. Plaintiffs also argue that they are third-party beneficiaries because the handling of their PII falls within the provisions of the contract between

NCB and BOA pertaining to the handling and collection of consumer information. Id. Had they known that the banks had retained a vendor who would not reasonably secure their PII, plaintiffs allege they would never have agreed to provide their PII to the banks. They claim that they suffered harm as a result of the conduct of the Bank Defendants and NCB. Compl. ¶¶ 515-516. Pennsylvania follows section 302 of the Restatement (Second) of Contracts to determine who can recover as a third-party beneficiary. Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 168 (3d Cir. 2008) (citing Scarpitti v. Weborg, 609 A.2d 147, 149 (1992)). Section 302 provides as follows: Intended and Incidental Beneficiaries

(1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intentions of the parties and either

(a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or

(b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.

(2) An incidental beneficiary is a beneficiary who is not an intended beneficiary.

Restatement (Second) of Contracts § 302 (emphasis added). To attain third-party beneficiary status under this test, both parties to the contract [must have] express[ed] an intention to benefit the third party in the contract itself, . . . unless the circumstances are so compelling that recognition of the beneficiary’s right is appropriate to effectuate the intention of the parties, and the performance satisfies an obligation of the promisee to pay money to the beneficiary or the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.

Scarpitti, 609 A.2d at 150-51 (emphasis in original). Numerous courts in the Third Circuit and across the nation have interpreted the “Unless otherwise agreed” language in the opening to Section 302 to mean that parties to a contract are permitted to expressly disclaim the existence of intended third-party beneficiaries. See, e.g., Pennsylvania State Employees Credit Union (“PSECU”) v. Fifth Third Bank, 398 F. Supp. 2d 317, 324 (M.D. Pa. 2005) (“While section 302 recognizes that a nonsignatory to a contract can be an intended beneficiary of the contract if certain conditions are met, it recognizes the right of the contracting parties to exclude third parties from invoking the benefits of their agreement.”); In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., No. CIV.A. H-10-171, 2011 WL 1232352, at *17 (S.D. Tex. Mar. 31, 2011) (collecting data breach cases where the contract included language that it was “for the benefit of, and may be enforced by, the parties . . . and not for the benefit of, and may not be enforced by, any third party,” and observing that courts interpreting § 302 of the Restatement have enforced these explicit statements to mean that no third- party rights are created); In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489, 499 (1st Cir. 2009) (affirming district court’s dismissal of third-party beneficiary claim because the parties to the contracts at issue “otherwise agreed,” where their agreement provided “for the benefit of, and may be enforced only by, [the parties to the contract] . . . and is not for the benefit of, and may not be enforced by any third party.”). NCB argues that the plaintiffs should not be permitted to assert third-party beneficiary status. First, it contends that plaintiffs have not plausibly alleged that NCB and the Bank Defendants expressly intended the plaintiffs to be beneficiaries of the contracts between them. It notes that plaintiffs’ allegation in paragraph 514 of the complaint that the “principal purpose” of NCB’s contracts with the Bank Defendants was to securely store, transmit, and safeguard plaintiffs’ PII from the banks to NCB is contradicted by the allegation in paragraph 71 that BOA

and Pathward hired NCB to “service, manage, and collect outstanding and overdue balances on their customer accounts.” Compl. ¶¶ 71, 514. On that basis, NCB argues that plaintiffs have failed to plead any facts supporting the contention that the “principal purpose” of its contracts with the bank defendants was to securely store, transmit, and safeguard plaintiffs’ PII from the banks to NCB. See Brief in Support of the Motion of Def. NCB to Dismiss Pls.’ Consolidated Class Action Complaint (ECF No. 48) (“NCB’s Br.”) at 44. Second, NCB argues that contracts between NCB and the Bank Defendants expressly disclaim any intent to bestow third-party beneficiary status on any third party, which includes plaintiffs. Because the parties to the contract have “otherwise agreed” for purposes of Section 302, it contends that their intent should be given effect. NCB’s Br. at 44–45.

The Court agrees with NCB that the contract language clearly disclaims any party from attaining third-party beneficiary status. Thus, under section 302 of the Restatement, the contracting parties have “otherwise agreed” that there are no third-party beneficiaries to the contract, and this court will enforce the express statements in the contract that no third-party rights are created. Plaintiffs’ argument that they were beneficiaries of the services NCB contracted to perform for the banks because they had a reasonable expectation that NCB would keep their PII safe and secure in rendering those services is not the proper focus. Section 302 requires the court to examine the intent of the contracting parties, not the intent or expectation of the third party seeking to claim beneficiary status. See Scarpitti, 609 A.2d at 150-51 (citing Restatement (Second) of Contracts § 302). Nor does plaintiffs’ argument that they are entitled to third-party beneficiary status because the handling of their PII falls within the scope of the contract between NCB and BOA hold water.

In PSECU, the plaintiffs made a similar claim, pointing to provisions in contracts between the defendant merchant and the bank issuing credit cards to the merchant’s customers (plaintiffs) that required the defendant to follow the bank’s rules and standards governing the handling of the plaintiffs’ financial information. PSECU, 398 F. Supp. 2d at 324–25. The plaintiffs in that case argued that it was important to the bank that the defendant merchant follow the procedures set forth in the contract because the merchant’s careless handling of the bank’s customers’ financial information put at risk the disclosure of their financial information, and as a result, they were third- party beneficiaries to the contract. However, because the contracting parties had agreed that third parties would have no rights under the contract, the court stated that “the exclusion ma[de] the difference.” Id. at 325. It held that it was required to enforce the expressed intent of the contracting

parties to deny a third party who may benefit from the contract any right to enforce the contract. Id. Therefore, because the contracting parties have “otherwise agreed” that there are no third- party beneficiaries to the contract, the Court will enforce the express statements in the contract that no third-party rights are created, and the claim for third-party beneficiary status against NCB will be dismissed. Unjust Enrichment In Count IX, the plaintiffs assert a claim for unjust enrichment, alleging that NCB was unjustly enriched by its receipt of and failure to secure plaintiffs’ PII. They contend that they conferred a monetary benefit on NCB by providing it with their valuable PII. NCB purportedly benefited from the receipt of plaintiffs’ PII by utilizing it to provide account services to the Bank Defendants. Plaintiffs claim that NCB unjustly enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiffs’ PII. Because NCB failed to

implement appropriate data management and security measures, plaintiffs claim that it would not be equitable to permit NCB to retain the monetary value of the benefit belonging to the plaintiffs. Compl. ¶¶ 399–402. To state a claim for unjust enrichment, a plaintiff must prove: (1) [the] benefits conferred on defendant by plaintiff; (2) appreciation of such benefits by defendant; and (3) acceptance and retention of such benefits under such circumstances that it would be inequitable for defendant to retain the benefit without payment of value.

Shafer Elec. & Const. v. Mantia, 96 A.3d 989, 993 (Pa. 2014) (quoting Durst v. Milroy General Contracting, Inc., 52 A.3d 357, 360 (Pa. Super. 2012)). Whether the doctrine of unjust enrichment applies “depends on the particular factual circumstances of the case at issue.” Id. The court’s “focus is not on the intention of the parties, but rather on whether the defendant has been unjustly enriched.” Id. Courts have found PII valuable to a business that commoditizes it or receives an independent pecuniary benefit from holding the PII. See, e.g., In re Am. Fin. Res., Inc. Data Breach Litig., No. 222CV01757MCAJSA, 2023 WL 3963804, at *8 (D.N.J. Mar. 29, 2023) (where plaintiffs alleged that defendant had a policy that it would use their PII for “the marketing of [its] other financial products” to them, this was an “indicat[ion of] enrichment specific to the PII,” which was sufficient to support an allegation that the plaintiffs’ personal information was valuable to the defendant and that it profited from the plaintiffs’ PII); In re Yahoo! Inc. Customer Sec. Data Breach Litig., No. 16-2752, 2017 WL 3727318, at *14 (N.D. Cal. Aug. 30, 2017) (holding that the plaintiffs’ PII was valuable to the defendant where it allegedly used the information for targeted advertising); In re Marriott Int’l, Inc. Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020) (where plaintiffs alleged that the defendant collected plaintiffs’ PII in order to better

target customers and increase profits, court held that the plaintiffs’ personal information was valuable to the defendant). In contrast, where the complaint lacks factual allegations showing how a defendant “reaped monetary benefits or otherwise profited” from holding plaintiffs’ PII, “vague allegations that [the defendant] collected information for ‘commercial gain’” are not sufficient to state a claim for unjust enrichment. In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742, at *18 (D.N.J. Dec. 16, 2021) (where defendant labs that provided diagnostic services to plaintiffs gave plaintiffs’ PII to defendant collections vendor to ensure payment for diagnostic services rendered, the court held that the defendants did not receive an independent benefit from holding their PII because the plaintiffs were required to make these

payments as a result of the services rendered by the defendants). NCB argues that the plaintiffs have failed to state a claim for unjust enrichment on two grounds. First, because plaintiffs were not NCB’s customers, and did not supply their PII directly to it, NCB contends that they failed to plead that they conferred a benefit directly on NCB. It further argues that even if an indirectly conferred benefit is permitted, the plaintiffs have failed to plead how they conferred an indirect benefit that is traceable from the plaintiffs to NCB. Second, it argues that plaintiffs have not shown that their PII was valuable to NCB in a way that it actually benefitted from possessing their personal information. Because the complaint lacks allegations that NCB commoditized their PII or otherwise received an independent pecuniary benefit from holding it, it contends that plaintiffs have failed to plead that their PII was valuable to NCB. In response, the plaintiffs contend that they are not required to directly confer a benefit on a defendant in order to state a claim for unjust enrichment. They argue that they have adequately

plead an indirect conferral of a benefit on NCB that is traceable to them by directly providing the Bank Defendants with their PII in exchange for credit services, and the Bank Defendants having given their PII directly to NCB. The plaintiffs are correct they are not required to plead that they directly conferred a benefit on NCB. Additionally, they have adequately plead an indirect conferral of their PII on NCB that is traceable to them. However, the plaintiffs have failed to plead how NCB actually benefitted from possessing their PII. They have not plead that NCB became enriched “specific to the PII” such that it “reaped monetary benefits or otherwise profited” from holding plaintiffs’ PII. See In re Am. Fin. Res., Inc. Data Breach Litig., 2023 WL 3963804, at *8. Because “vague allegations that [the defendant] collected information for ‘commercial gain’” are not sufficient to state a claim

for unjust enrichment, see In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *18, plaintiffs’ unjust enrichment claim against NCB will be dismissed. Driver’s Privacy Protection Act In Count XIV, the plaintiffs assert a claim against NCB for violating the Driver’s Privacy Protection Act (“DPPA”), 18 U.S.C. § 2721, et seq. The DPPA prohibits the knowing disclosure of certain personal information from state motor vehicle records for an impermissible use, and creates civil liability for any individual, entity or business who “knowingly obtains, discloses, or uses [such] personal information. . . .” 18 U.S.C. §§ 2722(a), 2724(a). The plaintiffs allege that NCB violated this statute by “intentionally configuring and designing its servers and systems” in a way “that allowed it to be susceptible to cyber-attack,” “install[ing] no protections or security measures to protect this exposed information,” and thereby “willfully disclosed” plaintiffs’ PII, including their driver’s license numbers, to cyber criminals. Id. ¶¶ 15, 74, 152, 328, 468–70. In

the alternative, they plead that “NCB was willfully ignorant” or “should have been aware” that its servers and systems “were configured without any protections to store” plaintiffs’ PII and would cause its disclosure to cyber criminals. Compl. ¶¶ 329–330, 470–472. They claim that the data breach was caused by “NCB’s flawed configuration and design of its servers and systems and its failure to implement and follow even basic security procedures.” Id. ¶ 153. A prerequisite to liability under the DPPA is the defendant’s “knowing disclosure” of a person’s personal information. Enslin v. The Coca-Cola Co., 136 F. Supp. 3d 654, 670 (E.D. Pa. 2015) (quoting 18 U.S.C. § 2724(a)). A “knowing disclosure” requires some “voluntary action” by the defendant to disclose the information. Enslin, 136 F. Supp. 3d at 670 (citing Senne v. Vill. of Palatine, Ill., 695 F.3d 597, 603 (7th Cir. 2012)). However, a plaintiff is not required to show

that the disclosing party knew that the disclosure of the private information was unlawful. Id. (citing Pichler v. UNITE, 542 F.3d 380, 396–97 (3d Cir. 2008)) (“This double-knowledge requirement simply does not fit into the DPPA’s statutory scheme.”). In Enslin, the court held that where a defendant stored a plaintiff’s PII on its private servers, “even in an unsecured manner, [this did] not constitute a ‘voluntary disclosure’ under the DPPA.” Id. at 671. It also held that the “theft of [a] plaintiff’s PII cannot be characterized as a ‘voluntary action’ taken by [a defendant] to disclose that information.” Id. (stating that “no coherent understanding of the word ‘disclose’ or ‘voluntary action’ would include theft.”). NCB argues that the plaintiffs have failed to plead a “knowing” or “voluntary disclosure” under the DPPA. Noting that the complaint alleges that “an unauthorized third party gained access” to NCB’s servers and systems that stored plaintiffs’ PII and launched a “companywide ransomware attack” involving “sophisticated and malicious criminal activity,” see Compl. ¶¶ 7–8,

15, it contends that the data breach occurred as a result of theft, not due to any voluntary action on NCB’s part. Additionally, plaintiffs’ allegations that NCB failed to configure its servers to securely hold plaintiffs’ PII does not amount to a voluntary disclosure under the DPPA. Plaintiffs contend that to meet the DPPA’s knowledge requirement, they need only allege that the conduct leading to the disclosure of the PII was done voluntarily. See Pls.’ Br. at 20–21. They argue that the complaint meets this pleading standard by alleging that NCB “intentionally configur[ed] and design[ed] its servers and systems” without adequate data security protections and making it susceptible to cyber-attack, and thereby “willfully disclosed” plaintiffs’ PII to cyber criminals. Id. at 21–22. In support of their position, they cite to cases finding “voluntary action” constituting “knowing disclosure” by the defendant, all of which are distinguishable from the case

at bar. See, e.g., Senne, 695 F.3d at 603 (defendant municipality’s police officer placed tickets containing non-permissible driver’s license information on drivers’ windshields “in plain view on a public way”); In re USAA, 621 F. Supp. 3d 454, 471 (S.D.N.Y. 2022) (defendant insurance company provided an online quote form prefilled with PII drawn from the plaintiffs’ state department of motor vehicles); Rand v. Travelers Indem. Co., 637 F. Supp. 3d 55, 62–63 (S.D.N.Y. 2022) (same); Dahlstrom v. Sunt-Times Media, LLC, 346 F. Supp. 3d. 1162, 1170 (N.D. Ill. 2018) (defendant newspaper published police officers’ PII as part of their coverage of a politically charged homicide investigation). The Court agrees with NCB that the plaintiffs have failed to plead a “knowing” or “voluntary disclosure” under the DPPA. The crux of plaintiffs’ allegations against NCB is that it failed to install adequate security measures to protect against theft of plaintiffs’ PII, leaving its servers vulnerable to cyber criminals stealing the PII and causing the data breach. There are no

allegations that NCB intentionally disclosed plaintiffs’ PII to the public, much less to cyber criminals. The claims against NCB sound in negligence, not intentional conduct. Therefore, plaintiffs’ DPPA claim against NCB will be dismissed.

Negligence Per Se In Count III, the plaintiffs assert a claim for negligence per se against NCB based on the violation of two statutes: the Federal Trade Commission Act, 15 U.S.C. § 45, et seq. (“FTC Act”), and the DPPA, 18 U.S.C. § 2721.10 The FTC Act prohibits individuals and companies from engaging in “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). Plaintiffs allege that NCB violated this provision of the FTC Act by “failing to use reasonable

measures to protect PII.” Compl. ¶ 318. They claim that NCB’s violation of this statute constitutes negligence per se. Id. ¶ 321. To state a claim for negligence, a plaintiff must demonstrate that: (1) the defendant owed a duty to the plaintiff; (2) the defendant breached that duty; (3) there is a causal relationship between the breach and the resulting injury suffered by the plaintiff; and (4) there is actual loss suffered by the plaintiff. Schemberg v. Smicherko, 85 A.3d 1071, 1073–74 (Pa. Super. 2014)

10 As addressed supra, the Court is dismissing plaintiffs’ DPPA claim in Count XIV of the Complaint. For the same reasons, plaintiffs’ claim for negligence per se against NCB based on a violation of the DPPA will be dismissed. (citation omitted). “The concept of negligence per se establishes the elements of duty and breach of duty where an individual violates an applicable statute, ordinance, or regulation designed to prevent a public harm.” Id. at 1074. Thus, negligence per se is conduct treated as negligent without requiring “any argument or proof as to the particular surrounding circumstances.” Id.

To establish negligence per se, a plaintiff must demonstrate that: “1) the statute or regulation clearly applies to the conduct of the defendant; 2) the defendant violated the statute or regulation; 3) the violation of the statute proximately caused the plaintiff’s injuries; and 4) the statute’s purpose is, at least in part, to protect the interest of the plaintiff individually, as opposed to the public.” Mest v. Cabot Corp., 449 F.3d 502, 518 (3d Cir. 2006) (citing Wagner v. Anzon, Inc., 684 A.2d 570, 574 (Pa. Super. 1996)). For a statute to serve as a proper basis for a negligence per se claim, it must “be so specific as to leave little question that a person or entity found in violation of it deviated from a reasonable standard of care.” Shamnoski v. PG Energy, 858 A.2d 589, 601 (Pa. 2004) (stating that it would be impracticable to base a finding of negligence per se upon section 3361 of the Pennsylvania Motor Vehicle Code, which requires motor vehicle

operators to drive at a “reasonable and prudent” speed, because “[w]hat constitutes a reasonable and prudent speed is unspecified” and the provision “sets forth a traditional reasonable man standard,” but finding that the next section of the Pennsylvania Motor Vehicle Code, which “sets forth the specific numeric limits on vehicle speed which every Pennsylvania driver must obey or be deemed at fault,” to be appropriate for finding negligence per se because that provision allows no room for the flexibility of the reasonable man standard, as “[e]xceeding the designated limit is, by statutory definition, unreasonable.”). Plaintiffs contend that the “FTC deems the failure to employ reasonable and appropriate measures to protect against unauthorized access to sensitive personal information an unfair act or practice prohibited by Section 5 of the FTC Act,” and claim that NCB’s failure to use reasonable measures to protect their PII constitutes such an unfair practice under the FTC Act. See Compl. ¶¶ 104–105, 317–18. Plaintiffs allege that NCB’s “conduct was particularly unreasonable given the nature and amount of PII it obtained and disclosed and the foreseeable consequences of a data

breach.” Id. ¶ 318. They contend that plaintiffs are within the class of consumers that Section 5 of the FTC Act is intended to protect, and the harm they have suffered is the type of harm that the FTC Act was intended to guard against. Id. ¶¶ 319–20. NCB provides two reasons that the plaintiffs may not bring a negligence per se claim against it under the FTC Act. First, it argues that the purpose of the FTC Act is to protect the public generally, not the plaintiffs individually, which is evidenced by the statute failing to provide for a private right of action. Second, it argues that the statute is insufficiently specific to describe conduct from which a violation can be ascertained. It points to the statute’s very broad language, which does not identify the specific acts that should or should not be done. Additionally, it contends that the alleged unfair practice at issue -- the failure to use reasonable measures to protect

plaintiffs’ PII -- is as vague as the “reasonableness” standard rejected in Shamnoski, making it more like a restatement of the general negligence duty to act reasonably, as opposed to a clear, specific standard like a numeric speed limit. Plaintiffs respond by stating that “[w]hat qualifies as unfair conduct under the FTC Act is intentionally ‘a flexible concept with evolving content.’” Pls.’ Br. at 9 (quoting F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 243 (3d Cir. 2015)). They note that Congress intentionally declined to codify a specific list of practices that were prohibited by the statute because of how numerous and variable the possible violations could be. Id. “Congress explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ . . . by enumerating the particular practices to which it was intended to apply.” Wyndham, 799 F.3d at 243 (quoting Fed. Trade Comm’n v. Bunte Bros., 312 U.S. 349, 353 (1941)). Plaintiffs then note that the court in Wyndham held that a hospitality company’s deficient cybersecurity could violate section 5 of the FTC Act. Id. at 247.

The Court agrees with NCB that this provision of the FTC Act, which prohibits parties from engaging in “unfair or deceptive acts or practices in or affecting commerce,” is insufficiently specific to describe conduct from which a violation can be ascertained. NCB was allegedly in violation of this provision of the FTC Act by “failing to use reasonable measures to protect PII.” But the statute fails to enumerate what measures NCB should have implemented to avoid a violation. NCB’s alleged conduct cannot be “declared and treated as negligence without any argument or proof as to the particular surrounding circumstances.” Schemberg, 85 A.3d at 1074. Because the FTC Act is simply too vague “as to leave little question that a person or entity found in violation of it deviated from a reasonable standard of care,” Shamnoski, 858 A.2d at 601, it cannot serve as a basis of a claim for negligence per se.

Plaintiffs’ reliance on Wyndham does not help their position. That case was an enforcement action brought by the FTC, not a private individual. Because it did not involve a negligence per se claim, the court did not address the specificity of the FTC Act and whether it met the requirements to serve as a basis for a negligence per se claim. Therefore, plaintiffs’ claim for negligence per se based on the violation of the FTC Act and the DPPA will be dismissed.11

11 In the alternative, plaintiffs request that the Court dismiss their negligence per se claim as subsumed within the negligence claim itself, and defer deciding the viability of the negligence per se claim until summary judgment. In that event, they request leave to amend their complaint to include their per se liability allegation in their negligence claim in Count I of the complaint. Pls.’ Br. at 7–8 & n.8. Because the Court’s ruling is based on a determination that the FTC Act is insufficiently specific to describe conduct California Unfair Competition Law In Count XI, plaintiffs Mardikian, Suh, Medina, Lozada, Del Hierro, Ross, O’Brien, Matts, and Martin (“California plaintiffs”) assert a claim on behalf of the California subclass against NCB under the California Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code §§17200, et seq.

The UCL is a consumer protection statute that prohibits, and provides civil remedies for, unfair competition, which it defines as ‘any unlawful, unfair or fraudulent business act or practice.’” Kwikset Corp. v. Superior Ct., 246 P.3d 877, 883 (Cal. 2011) (quoting Cal. Bus. & Prof. Code § 17200)). In support of this claim, the California plaintiffs allege that NCB: failed to implement and maintain reasonable data security practices; concealed those allegedly inadequate data security practices; and violated the FTC Act, the CCRA, and the common law. Compl. ¶¶ 426–29. NCB argues that plaintiffs’ claim under the UCL must be dismissed because no relevant conduct occurred in California, and California’s Supreme Court has “made clear that there is a strong presumption against the extra-territorial application of California Law.” NCB’s Br. at 29 (quoting Ehret v. Uber Techs., Inc., 68 F. Supp. 3d 1121, 1130 (N.D. Cal. 2014)).

Under California’s presumption against extraterritoriality, courts “presume the Legislature did not intend a statute to be operative, with respect to occurrences outside the state, . . . unless such intention is clearly expressed or reasonably to be inferred from the language of the act or from its purpose, subject matter or history.” Sullivan v. Oracle Corp., 254 P.3d 237, 248 (Cal. 2011) (alteration in original) (internal quotation marks omitted) (citation omitted). This presumption applies to the UCL. See id. (“Neither the language of the UCL nor its legislative

from which a violation can be ascertained, no discovery is necessary to rule on the viability of the negligence per se claim. Therefore, the Court declines to grant their alternative request. history provides any basis for concluding the Legislature intended the UCL to operate extraterritorially. Accordingly, the presumption against extraterritoriality applies to the UCL in full force.”). “[T]he determinative factor in California’s presumption against extraterritoriality is the

location of the conduct.” Thunder Studios, Inc. v. Kazal, 13 F. 4th 736, 743 (9th Cir. 2021) (citation omitted). “If the conduct that ‘creates liability” occurs in California, [then] California law properly governs that conduct.” Oman v. Delta Air Lines, Inc., 889 F.3d 1075, 1079 (9th Cir. 2018) (citing Sullivan, 254 P.3d at 248). But “if the liability-creating conduct occurs outside of California, California law generally should not govern that conduct.” Id. See also In Re Tobacco II Cases, 207 P.3d 20, 30 (2009) (the UCL’s focus is “on the defendant’s conduct, rather than the plaintiff’s damages, in service of the statute’s larger purpose of protecting the general public against unscrupulous business practices.”). In all data breach cases of which the Court is aware, application of the UCL has been allowed only when the liability-causing conduct emanated from California. See, e.g., Toretto v.

Donnelley Fin. Sols., Inc., 583 F. Supp. 3d 570, 605 (S.D.N.Y. 2022) (where California plaintiff alleged that a data breach of defendant’s email server -- which was located in New York -- occurred due to defendant’s poor network security, court rejected argument that plaintiff could bring a claim under the UCL based on the injury defendant’s conduct allegedly caused him in California, instead dismissing UCL claim because its “conduct giving rise to liability” occurred outside of California); In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 596 (N.D. Ill. 2022) (where plaintiffs alleged a data breach was caused by defendants’ failure to implement adequate security measures, which stemmed from a ransomware attack to their internal servers located at their headquarters in Illinois, court held that the “conduct allegedly creating liability in this case occurred wholly outside of California,” and dismissed UCL claim); Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 60 (D. Ariz. 2021) (in data breach case where California plaintiffs alleged defendant’s data security infrastructure, which was located in Arizona, was inadequate to prevent the cyber-attack, court dismissed UCL claim because plaintiffs failed to “plead any facts

describing liability-creating conduct that occurred in California.”). Here, the California plaintiffs allege that NCB engaged in liability-creating conduct when it failed to implement reasonable security and privacy measures to protect their PII, which caused the Data Breach. Compl. ¶¶ 494-96. All of this alleged conduct took place at NCB’s headquarters in Pennsylvania. Because the misconduct occurred outside of California, the UCL does not apply. Plaintiffs argue that even when the defendant’s wrongful conduct occurs outside California, the UCL applies if the defendant’s conduct caused plaintiff to suffer an injury while in California. See Pl.’s Br. at 23–24 (citing Speyer v. Avis Rent a Car Sys., Inc., 415 F. Supp. 2d 1090, 1099 (S.D. Cal. 2005); Norwest Mortgage, Inc. v. Superior Court, 72 Cal. App.4th 214, 224–25 (1999); and Yu v. Signet Bank/Virginia, 69 Cal. App. 4th 1377, 1391 (1999)). In the

Court’s view, these cases are outliers and distinguishable. In Speyer, the plaintiffs claimed that they may have suffered injury while in California when the defendants gave them unfair concession fee quotes in California for out-of-state car rentals. The court relied exclusively on Norwest and Yu to hold that the “UCL applies to wrongful conduct that occurs out-of-state but results in injury in California.” Id. at 1099. In Norwest, the plaintiff borrowers alleged that the non-resident defendant mortgage broker’s practice of charging them fees for insurance was an unfair business practice under the UCL. Although the court held that California plaintiffs could bring UCL claims against the defendant no matter where the defendant’s conduct occurred, it offered no rationale for its holding. Norwest, 72 Cal. App.4th at 224 & n.12. Additionally, the defendant in Norwest was a company incorporated in California, and the relevant misconduct was directly related to California real estate. In Yu, the plaintiff alleged that he was targeted by a non-resident lender to be subjected to unfair debt collection practices in Virginia. The Yu court held that a California plaintiff could bring a UCL claim against

a non-resident defendant whose out-of-state conduct injured a California resident as long as the defendant was subject to personal jurisdiction in California. Id. at 1391. In contrast, personal jurisdiction has not been addressed in this case. The Court concludes that the California plaintiffs’ allegations that NCB’s conduct in Pennsylvania caused them to suffer an injury is not enough to overcome the presumption against the extraterritorial application of California law. None of the three cases cited by plaintiffs engage in any substantive analysis of the extraterritorial reach of the UCL, and none involve a data breach. All are distinguishable from the case at bar. Therefore, the California plaintiffs’ UCL claim against NCB will be dismissed. California Consumers Legal Remedies Act

In Count XII, the California plaintiffs assert a claim against NCB under the California Consumers Legal Remedies Act (“CLRA”), Cal. Civ. Code §§ 1750, et seq. The CLRA protects consumers against unfair and deceptive business practices “undertaken by any person in a transaction intended to result or that results in the sale or lease of goods or services to any consumer . . .” Id. §§ 1760, 1770. Plaintiffs allege that NCB engaged in unfair and deceptive business practices by misrepresenting the adequacy of its data security. Compl. ¶¶ 435, 438–40. Plaintiffs claim that NCB violated the following unlawful practices set forth in § 1770: Representing that goods or services have characteristics that they do not have; Representing that goods or services are of a particular standard, quality, or grade when they were not;

Advertising goods or services with intent not to sell them as advertised; and

Representing that the subject of a transaction has been supplied in accordance with a previous representation when it has not.

Compl. ¶ 438 (citing § 1770(a)(5), (7), (9) and (16)). NCB gives three reasons why the California plaintiffs’ CLRA claim should be dismissed. First, it argues that the presumption against extraterritoriality, discussed in the previous section with respect to the UCL claim, also applies to CLRA claims because no relevant conduct occurred in California. Second, it argues that because plaintiffs were not its customers, it did not engage in a transaction with them or sell or lease any goods or services to them. Third, it argues that the plaintiffs fail to plausibly plead reliance on any act or omission of NCB. The Court will address only NCB’s second argument -- that NCB did not sell or lease any goods or services to plaintiffs, making this provision of the CLRA inapplicable. NCB contends that the plaintiffs were not customers of NCB, and therefore did not engage in a transaction with it. It notes that the complaint lacks any allegations that NCB sold or leased any goods or services to plaintiffs. See Compl. at ¶ 71 (“Financial institutions and lenders, such as BOA and Pathward, hired NCB to service, manage, and collect outstanding and overdue balances on their customer accounts.”). Pointing to the plain text of the statute, NCB argues that this provision of the CLRA cannot apply to the relationship between plaintiffs and NCB. In response, the California plaintiffs argue that they are not required to have a direct relationship with NCB for it be held liable under the CLRA. They describe themselves as “indirect customers of NCB,” where they purchased banking services from the Bank Defendants “who, in turn, contracted their debt collection services with NCB for the purpose of seeking payment from the plaintiffs.” See Pl.’s Br. at 26. In support, they cite cases where the CLRA applied even when the plaintiff was not the direct customer of the defendant. The Court agrees with NCB that § 1770 of the CLRA is inapplicable to NCB. Under the CLRA, a “transaction” is an agreement between a consumer and a business or individual. Id. §

1770. As discussed supra in the context of the plaintiffs’ breach of implied contract claim, there was no agreement between NCB and the plaintiffs. Thus, there was no “transaction” entered into between NCB and the plaintiffs. Even if there were, NCB did not sell or lease any goods or services to plaintiffs, which is an essential element of § 1770. The five cases plaintiffs cite are distinguishable from the instant action. Three involved claims against the original seller of an allegedly defective product that was subsequently re-sold to the plaintiff by a different party. See Pls.’ Br. at 26 (citing Chamberlan v. Ford Motor Co., 2003 WL 25751413 (N.D. Cal. Aug. 6, 2003) (plaintiff purchasers could sue defendant auto manufacturer, even though the vehicles at issue were purchased used); McAdams v. Monier, Inc., 182 Ca. App. 4th 174, 179, 186 (Cal. Ct. App. 2010) (roof tile manufacturer could be responsible

for misrepresentations regarding products it sold, whether the plaintiff purchased tiles from the manufacturer directly or from a home builder or other third party); Keilholtz v. Superior Fireplace, 2009 WL 839076, *3-4 (N.D. Cal. March 30, 2009) (where defendants sold fireplaces to homebuilders, who then sold homes containing those fireplaces to plaintiffs, plaintiffs could sue defendants under the CLRA despite a lack of direct privity)). Those cases involved sales of a product to the plaintiff through an intermediary. Here, in contrast, NCB was not an intermediary in selling the product sold by the Bank Defendants – credit services. A fourth case, Newton v. Am. Debt Servs., Inc., No. C-11-3228 EMC, 2013 WL 5592620, at *8 (N.D. Cal. Oct. 10, 2013), did not involve an “indirect customer” relationship, as all four defendants in the case had a direct relationship with the plaintiff. Instead, it dealt with “indirect liability” of two defendants, where the court found that they could be held secondarily liable for the misrepresentations of the other defendants as co-conspirators or aiders-and-abettors. In this case, in contrast, there are no claims of a conspiracy between NCB and the Bank Defendants.

Finally, in the fifth case cited by plaintiffs, Makaeff v. Trump Univ., LLC, 145 F. Supp. 3d 962, 980 (S.D. Cal. 2015), the court allowed the plaintiffs to assert a CLRA claim against Donald Trump for alleged misrepresentations he made to promote Trump University, even though the plaintiffs signed enrollment contracts with Trump University and not Mr. Trump himself. However, that case is distinguishable from the case at bar because the plaintiffs alleged that Mr. Trump made misrepresentations that were intended to, and did, result in the sale of Trump University programs to consumers. In this case, in contrast, there are no allegations that NCB was acting “behind the scenes” to try to induce the Bank Defendants to sell their services to plaintiffs. In summary, the California plaintiffs have failed to plead that a consumer transaction between NCB and the California plaintiffs – whether direct or indirect -- that “intended to result”

or “result[ed] in the sale or lease of goods or services to any consumer” has taken place. Therefore, the claim brought under the CLRA will be dismissed. California Consumer Privacy Act In Count XIII, the California plaintiffs assert a claim against NCB under the California Consumer Privacy Act (“CCPA”), Cal. Civ. Code §§ 1798.150, et seq. The CCPA creates a private right of action for any consumer whose PII is disclosed as a result of a business’s violation of the duty to implement and maintain reasonable security procedures. Cal. Civ. Code § 1798.150(a)(1). Specifically, the CPPA provides that: [a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of [a] business’s violation of the duty to implement and maintain reasonable security procedures and practices . . . may institute a civil action . . . . for [injunctive relief, declaratory relief, and damages].

Cal. Civ. Code § 1798.150(a)(1) (emphasis added). NCB contends that it cannot be held liable under the CCPA because it is not a “business” as defined by the statute. Instead, it asserts that it is a “service provider.” It argues that a “business” under the CPPA collects consumers’ personal information from consumers, and a “service provider” receives personal information from the business. The CCPA defines a “business” as a: sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity . . . that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and [meets a revenue or customer base threshold].

Cal. Civ. Code § 1798.140(d). In other words, to be deemed a “business” under the CCPA, it must: (1) collect PII and (2) determine why and how the PII should be processed. In re Accellion, Inc. Data Breach Litig., , ––– F.Supp.3d ––––, No. 5:21-CV-01155-EJD, 2024 WL 333893, at *10 (N.D. Cal. Jan. 29, 2024). Noting that the Bank Defendants -- not the plaintiffs -- provided NCB with the plaintiffs’ PII, NCB contends that it did not “collect” the PII. Without performing that function, it claims that it cannot be deemed a “business” for purposes of bringing a CCPA claim. Instead of a business, NCB asserts that it is a “service provider.” The CCPA defines a “service provider” as an individual or entity that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the [entity] from: . . [s]elling or sharing the personal information. . . [, r]etaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, . . . [or r]etaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business. . . .” Cal. Civ. Code § 1798.140(ag)(1). NCB argues that the distinction between a “business” and a “service provider” is important because consumers are permitted to sue only a “business” for failing to implement and maintain reasonable security procedures, while only the California Attorney General and the California Privacy Protection Agency are authorized to bring an action against “service providers.” NCB’s Br. at 34–35 (citing Karter v. Epiq Sys., Inc., No. SACV2001385CJCKESX, 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021); Cal. Civ. Code § 1798.155)). The California plaintiffs claim that NCB qualifies as a “business” under the CPPA. First, they argue that an entity can qualify as both a “business” and a “service provider” under the CCPA. Pls.’ Br. at 28 (citing Blackbaud, Inc., Customer Data Breach Litig. (“Blackbaud”), No. 3:20-MN- 02972-JMC, 2021 WL 3568394, at *5 (D.S.C. Aug. 12, 2021) (finding that the defendant was not “insulated from liability under the CCPA” when it qualified as both a “service provider” and a “business” under the CCPA). Thus, even assuming NCB is a “service provider,” they contend that this does not preclude a finding that it is also a “business” under the CPPA. Second, they argue that NCB meets both requirements of “collecting” PII and determining why and how the PII should be processed to qualify as a “business” under the CPPA. They claim that the “indirect collection of consumers’ PII by way of a third party falls within the definition of ‘collects’ under the CCPA.” Pls.’ Br. at 28. They also contend that NCB, “jointly with” the Bank Defendants, “determined the purposes and means of the processing of consumers’ personal information” because NCB uses the PII to provide its debt collection services to the Bank Defendants. Id. The Court finds that NCB is a “service provider” under the CPPA. However, the Court agrees with the plaintiffs that a defendant can qualify as both a “business” and a “service provider”

under the CCPA. Therefore, NCB is not insulated from liability even though it qualifies as a “service provider.” The Court also agrees with the plaintiffs that they have adequately plead that NCB meets the first requirement to be deemed a “business” under the CCPA -- that it “collected” plaintiffs’ PII. The CCPA defines “collects” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Cal. Civ. Code § 1798.140(f). The complaint alleges that NCB “obtained” and “received” the plaintiffs’ PII from the Bank Defendants. Compl. ¶¶ 70–71. Because the statute defines the “collection” of PII to include the defendant’s “obtaining” or “receipt” of the PII “by any means,” the plaintiffs have adequately alleged that NCB “collected” their personal information.

However, the California plaintiffs have not adequately plead that NCB meets the second requirement to be deemed a “business” -- that NCB determined why and how their PII should be processed. The CPPA defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information . . . .” Cal. Civ. Code § 1798.140(y). The complaint lacks any allegations about “determinations” that NCB made regarding why and how the plaintiffs’ PII was to be processed. The allegation that NCB used their PII to provide its debt collection services to the Bank Defendants is a far cry from alleging it played any role in determining how to process the plaintiffs’ PII. The two cases that the plaintiffs cite -- Blackbaud and Karter -- are distinguishable from the case at bar. In Blackbaud, the defendant allegedly “collect[ed] and stor[ed]” the PII that its customers collected from their clients, who were donors, patients, students, and congregants; “use[d] consumers’ personal data to provide services at customers’ requests, as well as to develop,

improve, and test [its] services;” “develop[ed] software solutions to process its customers’ patrons’ personal information;” and “offer[ed] professional and managed services in which its expert consultants provide[d] data conversion, implementation, and customization services for each of its software solutions.” Blackbaud, 2021 WL 3568394, at *5. Thus, the defendant was alleged to have actively interacted with and analyzed the PII data at issue. In Karter, the plaintiffs alleged that the defendant, a class action settlement administrator, worked with its clients to determine how it would use the consumers’ PII to provide class notice and manage claims and opt-outs. Karter, 2021 WL 4353274, at *2. There, the defendant directly participated in determining how the consumers’ PII would be used. The complaint here, in contrast, lacks any allegations about “determinations” that NCB

made regarding why and how the plaintiffs’ PII was to be processed. Therefore, the plaintiffs have not sufficiently alleged that NCB was a “business” under the CCPA, and this claim will be dismissed. New York General Business Law In Count XV, plaintiff Meyer asserts a claim on behalf of the New York subclass under the New York General Business Law, N.Y. Gen. Bus. Law § 349 (“GBL” or “Section 349”). This statute prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state [of New York],” and provides a cause of action to “any person who has been injured” by a violation of the section. Id. § 349(a), (h) (emphasis added). New York plaintiff Meyer alleges that NCB engaged in deceptive acts or practices in the conduct of its business, trade, and commerce or furnishing of services, in violation of this statute by: “[o]mitting, suppressing, and concealing the material fact[s] that they did not comply with common law and statutory duties pertaining to the security and privacy of Plaintiff Meyer’s and

New York Subclass Members’ PII; and . . . that they did not reasonably or adequately secure Plaintiff Meyer’s and New York Subclass Members’ PII by implementing and maintaining reasonable security measures.” Compl. ¶ 476. To state a Section 349 claim, a plaintiff must plead facts capable of establishing that “(1) the defendant’s deceptive acts were directed at consumers, (2) the acts are misleading in a material way, and (3) the plaintiff has been injured as a result.” Lenard v. Design Studio, 889 F. Supp. 2d 518, 530 (S.D.N.Y. 2012) (quoting Maurizio v. Goldsmith, 230 F.3d 518, 521 (2d Cir. 2000)). This statute also contains a territoriality element, requiring that “the transaction in which the consumer is deceived must occur in New York.” MacNaughton v. Young Living Essential Oils, LC, 67 F.4th 89, 99 n.10 (2d Cir. 2023) (quoting Goshen v. Mut. Life Ins. Co., 774 N.E.2d 1190,

1195 (N.Y. Ct. App. 2002)). NCB contends that the GBL requires the plaintiff to allege that the deceptive acts complained of took place within the state of New York. It argues that Meyer’s Section 349 claim is “geographically insufficient” because NCB’s alleged deceptive acts took place at its headquarters in Pennsylvania, not in New York. Plaintiff Meyer argues that her GBL claim is adequately plead because she felt the effects of NCB’s deception while she was within the boundaries of the State of New York. Section 349 “unambiguously evinces a legislative intent to address commercial misconduct occurring within New York[,]” and thus, “to qualify as a prohibited act under the statute, the deception of a consumer must occur in New York.” Goshen, 774 N.E.2d at 1195. The focus of the inquiry under Section 349 is “on the location of the transaction, and in particular the strength of New York’s connection to the allegedly deceptive transaction, rather than on the residency of the parties.” Cruz v. FXDirectDealer, LLC, 720 F.3d 115, 122 (2d Cir. 2013) (citing Goshen, 774

N.E.2d at 1195). “All that matters is where the alleged deceptive conduct occurred.” In re GE/CBPS Data Breach Litig., No. 20 CIV. 2903 (KPF), 2021 WL 3406374, at *13 (S.D.N.Y. Aug. 4, 2021) (citing Cruz, 720 F.3d at 122). A claim “falls within the territorial reach” of the GBL when the plaintiff alleges “a sufficient nexus between [the plaintiff’s] transactions with [the defendant] and New York.” MacNaughton, 67 F.4th at 99 (quoting Cruz, 720 F.3d at 122). In MacNaughton, the plaintiff, a New York resident, alleged that the defendant falsely advertised the benefits of its products, which she purchased online. Because she alleged that she saw the defendant’s deceptive statements about the products before purchasing them, this satisfied the requirement that “the transaction in which the consumer is deceived must occur in New York.” MacNaughton, 67 F.4th at 99 (quoting

Goshen, 774 N.E.2d at 1195). Here, New York plaintiff Meyer fails to allege a sufficient nexus between her transactions with NCB and New York. First, no “transaction” between her and NCB took place. She does not allege that she had any direct interaction with NCB, or was even aware of NCB’s existence before the data breach. She fails to allege that she engaged in any transactions with NCB while she was in New York. For instance, she did not open an account, view any documents, or receive any documents in New York. The only allegation of a connection with New York is that Meyer currently lives there. Compl. ¶ 35. Second, Meyer’s Section 349 claim is premised on NCB’s alleged failure to take adequate actions or implement proper policies and practices to secure plaintiffs’ PII, and for concealing these omissions from the plaintiffs. But Meyer fails to plead any facts showing how these alleged omissions were connected to New York. As plaintiffs allege, NCB developed its policies and

made its decisions regarding its data security systems and management in Pennsylvania. Id. ¶ 28. Thus, it is hard to see how any failure to make known the purported inadequacies in its policies that were developed in Pennsylvania is connected in any way to New York. Meyer’s allegation that she lives in New York is insufficient to establish a New York connection to satisfy the GBL’s territoriality requirement. Therefore, the claim brought under Section 349 will be dismissed.

Florida Deceptive and Unfair Trade Practices Act In Count XVI, plaintiff Lindquist asserts a claim against NCB on behalf of the Florida subclass under the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”), Fla. Stat. §§

501.201, et seq. As a threshold matter, NCB is challenging plaintiff Lindquist’s standing to bring any claim in this matter due to his failure to allege a concrete injury. NCB argues that if the Court dismisses Lindquist for lack of standing, the FDUTPA claim must be dismissed as well for lack of a plaintiff to prosecute it. Because the Court is dismissing Lindquist as a plaintiff for lack of standing, see supra, his claim asserted on behalf of the Florida subclass will be dismissed. Massachusetts Consumer Protection Act Claim In Count XVII, plaintiffs Bliss and Teixeira (“Massachusetts plaintiffs”) assert, on behalf of the Massachusetts subclass, a violation of the Massachusetts Consumer Protection Act, Mass. Gen. Laws Ann. ch. 93A, §§ 2(a), 11 (“Chapter 93A”). This statute prohibits “[u]nfair methods

of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.” Id. § 2(a). It provides a private cause of action for damages and equitable relief for a plaintiff who engages in . . . trade or commerce and who suffers any loss of money or property, real or personal, as a result of the use or employment by another person who engages in any trade or commerce of an unfair method of competition, or an unfair or deceptive act or practice.

Id. § 11. The Massachusetts plaintiffs allege that NCB engaged in unfair methods of competition and unfair and deceptive acts and practices in violation of Chapter 93A when it failed to implement reasonable security and privacy measures to protect their PII, which caused the Data Breach. Compl. ¶¶ 494-96. NCB argues that the claim brought under Chapter 93A must be dismissed because NCB’s alleged unlawful conduct did not “occur[] primarily and substantially within [Massachusetts],” which is required under § 11 of the statute. It contends that other than residing in Massachusetts, the Massachusetts plaintiffs do not plead any facts connecting this case to Massachusetts. It notes that they do not identify any offending conduct by NCB or the Bank Defendants that occurred in or was targeted at Massachusetts. Section 11 of Chapter 93A provides, in pertinent part: No action shall be brought or maintained under this section unless the actions and transactions constituting the alleged unfair method of competition or the unfair or deceptive act or practice occurred primarily and substantially within the [C]ommonwealth [of Massachusetts]. Mass. Gen. Laws Ann. ch. 93A, § 11. As set forth by the Supreme Judicial Court of Massachusetts, this provision “suggests an approach in which a judge should, after making findings of fact, and after considering those findings in the context of the entire § 11 claim, determine whether the center of gravity of the circumstances that give rise to the claim is primarily and substantially

within the Commonwealth.” Kuwaiti Danish Computer Co. v. Digital Equip. Corp., 781 N.E.2d 787, 799 (Mass. 2003) (emphasis added). The court described this approach as “fact intensive” and cautioned that it cannot “be reduced to any precise formula.” Id. at 798. Additionally, emphasis should not be placed on any particular factor because “[s]ignificant factors that can be identified for one case may be nonexistent in another.” Id. Since the “center of gravity” test was announced in Kuwaiti Danish, courts have considered a number of factors in applying the test, including where the defendant committed the alleged deception, where the plaintiff was deceived and acted upon the deception, and where the plaintiff was harmed. See Arabian Support & Servs. Co., Ltd. v. Textron Sys. Corp., 943 F.3d 42, 47 (1st Cir. 2019) (citation omitted).

The Massachusetts plaintiffs argue that because the court must conduct a “fact-intensive” inquiry to apply the “center-of-gravity” test, it is not appropriate to dispose of a Chapter 93A claim on the “primarily and substantively” issue on a motion to dismiss. They contend that in the “rare circumstances” where a motion to dismiss is granted on this issue, the complaint in those cases failed to allege that any conduct transpired in Massachusetts. Applying those standards, the plaintiffs argue that in order to survive a motion to dismiss on a Chapter 93A claim, they “need only allege that the deceptive conduct impacted a plaintiff located in, and the injury can be tied to, Massachusetts.” Pls.’ Br. at 36 (citing Back Bay Farm, LLC. v. Collucio, 230 F. Supp. 2d 176, 188 (D. Mass. 2002); Auto Shine Car Wash Sys., Inc. v. Nice ‘N Clean Car Wash, Inc., 792 N.E.2d 682 (Mass. App. Ct. 2003)). They contend that they have met these requirements by alleging the following connections to Massachusetts: • They reside in Massachusetts and were there when NCB misrepresented the adequacy of its data security measures, which “conduct was targeted at Plaintiffs in Massachusetts.”

• They were in Massachusetts when they “acted on this deception and provided NCB with their personal identifying information.”

• They were directly impacted in Massachusetts when they were forced to take remedial steps to protect themselves within Massachusetts.

Pls’ Br. at 35, 37. The Court disagrees that it is inappropriate to dispose of a Chapter 93A claim on the “primarily and substantively” issue on a motion to dismiss. The court in Kuwaiti Danish noted that this provision in § 11 “suggests“ taking a fact-intensive approach. It did not say that this approach is required. Additionally, “[a]s fact-intensive as the issue may be, whether a defendant’s actions and transactions occurred primarily and substantially in Massachusetts for purposes of Chapter 93A jurisdiction is unquestionably a matter of law.” Evergreen Partnering Grp., Inc. v. Pactiv Corp., No. CIV.A. 11-10807-RGS, 2014 WL 304070, at *5 (D. Mass. Jan. 28, 2014) (citation omitted). In any event, this case is not so fact-intensive to require fact-finding to determine whether the center of gravity of the circumstances giving rise to the claim is in Massachusetts. With respect to whether the plaintiffs alleged sufficient conduct showing that the “center of gravity of the circumstances giving rise to the claim is primarily and substantially within” Massachusetts, the Court disagrees with their characterization of NCB’s alleged misconduct as being directed at Massachusetts. Plaintiffs provided their PII to BOA -- not NCB -- so they could not have been “acting on NCB’s deception” when they provided their PII. When NCB acquired their PII, it was dealing with the Bank Defendants, who were located in North Carolina and South Dakota. Similarly, the complaint does not allege that NCB’s misconduct was targeted at plaintiffs. Instead, it describes NCB as acting unlawfully by failing to implement reasonable security and privacy measures to protect the plaintiffs’ PII. At issue is the adequacy of NCB’s data security policies, allegedly developed in Pennsylvania, as well as a breach of NCB’s computer servers, also

in Pennsylvania. All of this conduct, or failure to act, would have occurred at its headquarters in Pennsylvania. Because the plaintiffs did not interact with NCB at the time it allegedly engaged in these unfair and deceptive acts, where the plaintiffs were deceived and acted upon the deception, is a “nonexistent factor.” See Kuwaiti Danish, 781 N.E.2d at 798 (cautioning that in applying center-of-gravity test, emphasis should not be placed on any particular factor because “[s]ignificant factors that can be identified for one case may be nonexistent in another.”). This case is similar to Evergreen, where the only connection to Massachusetts was that the plaintiff was a Massachusetts company and it suffered financial losses in Massachusetts where its corporate headquarters were located. Evergreen, 2014 WL 304070. There, the court granted the motion to dismiss because of the plaintiff’s failure “to identify a single deceptive act or practice or

‘dominant event’ that is alleged to have occurred in Massachusetts.” Id. at *4. The court stated that “[t]he alleged place of injury or loss does not necessarily determine the question . . . unless some deceptive or unfair conduct also occurred in Massachusetts.” Id. (quoting Welch Foods, Inc. v. Liberty Mut. Fire Ins. Co., 2005 WL 1131747, at *26 (Mass. Super. Apr.6, 2005) (emphasis added)). It went on to explain that “[w]hen ‘virtually all the conduct that can be said to be unfair or deceptive’ occurs outside the Commonwealth, there can be no Chapter 93A liability.” Evergreen, 2014 WL 304070, at *5 (quoting Kenda Corp., Inc. v. Pot O'Gold Money Leagues, Inc., 329 F.3d 216, 236 (1st Cir. 2003)). The only connection to Massachusetts that plaintiffs have plausibly plead is that they suffered harm while in Massachusetts as a result of NCB’s violation of the statute. However, this is not sufficient to show that the “center of gravity of the circumstances giving rise to the claim is primarily and substantially within” Massachusetts. See Zyla v. Wadsworth, Div. of Thomson

Corp., 360 F.3d 243, 255 (1st Cir. 2004) (Chapter 93A claim properly dismissed where plaintiff’s residence was sole connection to Massachusetts); Fishman Transducers, Inc. v. Paul, 684 F.3d 187, 197 (1st Cir. 2012) (“Where wrongdoing is not focused on Massachusetts but has relevant and substantial impact across the country, the ‘primarily’ requirement of section 11 cannot be satisfied.”). The Court concludes that the center of gravity of the circumstances giving rise to the Chapter 93A claim is not primarily and substantially within Massachusetts. Therefore, the Massachusetts plaintiffs’ claim brought under the Massachusetts Consumer Protection Act will be dismissed. CONCLUSION

NCB’s motion to dismiss will be granted in its entirety. Because plaintiffs Joseph Lindquist, Ernesto Medina, Benedict Lozada, Edward Del Hierro, Michael Teixeira, Jacqueline O’Brien, Kelly Matts, and Micael Martin failed to allege a concrete injury, they are dismissed from this action for lack of standing pursuant to Fed. R. Civ. P. 12(b)(1). Because the plaintiffs failed to state a claim for which relief can be granted on their claims for: breach of implied contract, breach of a contract to which plaintiffs were intended third party beneficiaries, unjust enrichment, violation of the DPPA, negligence per se based on violation of the FTC Act and the DPPA, the California Unfair Competition Law, California Consumers Legal Remedies Act, California Consumer Privacy Act, the New York General Business Law, and the Massachusetts Consumer Protection Act, these claims will be dismissed pursuant to Fed. R. Civ. P. 12(b)(6). Because there are no named Florida plaintiffs remaining in this action, the Florida Deceptive and Unfair Trade Practices Act claim will be dismissed. Finally, because the plaintiffs withdrew their claims for violations of the Fair Credit Reporting Act, the California Customer Records Act, and for invasion

of privacy, these claims will be dismissed as well.