UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
CRYSTAL MALVITZ AND CHRISTOPHER FREDRICKSON,
Plaintiffs,
v.
FINCANTIERI MARINE GROUP, LLC,
Defendant.
Civil Action No. 24-cv-238 (TSC)
MEMORANDUM OPINION
Plaintiffs Crystal Malvitz and Christopher Fredrickson bring this class action, as
individuals and on behalf of all others similarly situated, against Defendant Fincantieri Marine
Group, LLC (“Defendant”), a company that builds and repairs maritime vessels. Plaintiffs assert
claims for negligence, breach of implied contract, and unjust enrichment. Am. Compl., ECF No.
8. Defendant moves to dismiss for lack of subject matter jurisdiction under Federal Rule of Civil
Procedure 12(b)(1) and failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).
Def.’s Mot. to Dismiss Am. Compl., ECF No. 9-1 (“MTD”). For the reasons set forth below, the
court will GRANT in part and DENY in part Defendant’s motion.
I. BACKGROUND
A. Defendant’s Cybersecurity Practices and Data Breach
Plaintiffs are Defendant’s former employees or benefit recipients. Am. Compl. ¶ 25. They
provided personally identifiable information (“PII”) to Defendant as a condition of employment
and/or employment-related benefits. Id. ¶ 2. Defendant allegedly made “promises and
representations” that PII would be “kept safe, confidential, and that the privacy of that information
would be maintained, and that Defendant would delete any sensitive information after it was no
longer required to maintain it.” Id. ¶ 28. Defendant’s website stated that it stored PII “behind
secured networks,” only provided access to “a limited number of persons,” and “encrypted” PII
“via Secure Socket Layer (‘SSL’) technology.” Id. ¶ 29. Defendant also represented that it “use[d]
regular Malware Scanning” to identify “security holes and known vulnerabilities.” Id.
On or about April 12, 2023, however, Defendant became “aware of a cyberattack” on its
computer systems. Id. ¶ 36. It determined that “there was unauthorized access to certain systems
. . . between April 6, 2023, and April 12, 2023,” resulting in “unauthorized acquisition” of more
than sixteen thousand individuals’ PII. Id. ¶¶ 36, 46. The data stolen during the attack included
Plaintiffs’ “name[s] . . . date[s] of birth, Social Security number[s], date[s] of service, [insurance]
participant ID[s], and member number[s].” Id. ¶ 36. Defendant sent a “Notice of Security Incident
letter” (the “Notice Letter”) to Plaintiffs on January 5, 2024, which offered “24 months of identity
monitoring services.” Id. ¶¶ 36–37, 63, 139, 149.
Plaintiffs allege that, despite Defendant’s “promises and representations,” id. ¶ 28, it failed
to implement “reasonable security procedures and practices” to prevent or promptly detect the
cyberattack and stored data in unencrypted files, id. ¶¶ 37–40, 67. Plaintiffs contend that
Defendant’s practices did not comply with the Federal Trade Commission’s (“FTC”) guidelines
for protecting personal information, such as using “an intrusion detection system” to promptly
identify a breach, monitoring suspicious activity or large data transmissions, developing a data-
breach response plan, “properly dispos[ing] of [PII] that is no longer needed,” limiting “access to
sensitive data[,]” using “industry-tested methods for security[,]” and verifying the security
measures used by third-party service providers. Id. ¶¶ 81–83, 86. Plaintiffs also allege that
Defendant “failed to follow [] industry best practices,” such as “strong passwords;” “firewalls,
antivirus, and anti-malware software; encryption, making data unreadable without a key;
multifactor authentication; backup data and limiting which employees can access sensitive data.”
Id. ¶ 90. According to Plaintiffs, Defendant knew or should have known that their PII “would be
targeted by cybercriminals” because data breaches are “widespread” and a dark web marketplace
exists for PII, particularly social security numbers. Id. ¶¶ 41, 56–60, 69–73. Plaintiffs also
challenge Defendant’s response to the cyberattack because the Notice Letter failed to disclose the
“root cause” of the breach or “the remedial measures” taken to prevent another breach. Id. ¶¶ 37–
39.
B. Plaintiffs’ Alleged Injuries
Plaintiffs claim that, as a result of Defendant’s insufficient cybersecurity practices and the
data breach, they suffered “actual injuries and damages.” Id. ¶ 94. Specifically, “(i) invasion of
privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity
costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) lost
opportunity costs associated with attempting to mitigate the actual consequences of the Data
Breach; (vi) statutory damages; [and] (vii) nominal damages.” Id.
Malvitz and Fredrickson each identify their own harms. Malvitz receives benefits from
Defendant because her spouse is a current employee. Id. ¶ 135. In general, she is “very careful
about sharing her sensitive” information and “never knowingly” provides her unencrypted PII over
the internet. Id. ¶ 137. Defendant obtained and retained her PII in connection with “employment-
related benefits.” Id. ¶ 135. After receiving the Notice Letter, she experienced “an increase in
spam calls, texts, and/or emails.” Id. ¶¶ 139, 142. She took steps to mitigate the harms from the
data breach, such as monitoring her accounts and purchasing mitigation tools. Id. ¶¶ 139–40. She
claims she has suffered “fear, anxiety, and stress . . .” from the increased exposure of her PII. Id.
¶¶ 142–44.
Fredrickson worked for Defendant intermittently from 2016 to 2023. Id. ¶ 147. He was
very “cautious” and “careful about sharing his PII.” Id. ¶ 153. After he received the Notice Letter,
he “suffered actual fraudulent misuse of his PII.” Id. ¶¶ 149–51. On or around April 18, 2024,
“third party criminal actors” used his credit card for a “fraudulent purchase of $1,145.13 . . .” Id.
¶ 151. Fredrickson had to acquire “a new credit card” and “anticipates spending considerable time
and money” to monitor his accounts and address any future harms. Id. ¶¶ 151–152, 158.
Fredrickson alleges that, as a result of the data breach, he “suffered injury from a loss of privacy”
and “fear, anxiety, and stress.” Id. ¶¶ 155–159.
C. Procedural History
Malvitz filed the Complaint on January 26, 2024, and amended as of right on May 2, 2024.
ECF Nos. 2, 8. Fredrickson “voluntarily dismissed” a separate class action that he had filed against
Defendant and joined as a named Plaintiff in the Amended Complaint. MTD at 3 (citing
Fredrickson v. Fincantieri Marine Grp., LLC, Case No. 1:24-cv-0037-TSC (D.D.C. Feb. 7, 2024),
ECF No. 1). Plaintiffs sue on behalf of themselves and a nationwide class of individuals, pursuant
to Federal Rule of Civil Procedure 23. Am. Compl. ¶ 164. Plaintiffs’ proposed class definition is:
“All individuals in the United States whose PII was impacted as a result of the Data Breach
announced by Defendant in January 2024.” Id. Plaintiffs have not yet moved for class
certification. Their Amended Complaint asserts claims for negligence, breach of implied contract,
and unjust enrichment stemming from Defendant’s failure to protect Plaintiffs’ PII. Id. ¶¶ 176–
241. Defendant moves to dismiss under Federal Rule of Civil Procedure 12(b)(1) for lack of
subject matter jurisdiction and Rule 12(b)(6) for failure to state a claim. MTD at 1.
II. LEGAL STANDARD
Federal courts are courts of limited jurisdiction. See Gen. Motors Corp. v. EPA, 363 F.3d
442, 448 (D.C. Cir. 2004). The law presumes that “a cause lies outside [the court’s] limited
jurisdiction” unless the plaintiff establishes otherwise. Kokkonen v. Guardian Life Ins. Co. of Am.,
511 U.S. 375, 377 (1994) (citing Turner v. Bank of N. Am., 4 U.S. 8, 11 (1799)). When deciding
a Rule 12(b)(1) motion, the court must “assume the truth of all material factual allegations in the
complaint and ‘construe the complaint liberally, granting plaintiff the benefit of all inferences.’”
Am. Nat’l Ins. Co. v. FDIC, 642 F.3d 1137, 1139 (D.C. Cir. 2011) (quoting Thomas v. Principi,
394 F.3d 970, 972 (D.C. Cir. 2005)). Nevertheless, “the court need not accept factual inferences
drawn by plaintiffs if those inferences are not supported by facts alleged in the complaint, nor must
the Court accept plaintiff's legal conclusions.” Disner v. United States, 888 F. Supp. 2d 83, 87
(D.D.C. 2012) (quoting Speelman v. United States, 461 F. Supp. 2d 71, 73 (D.D.C. 2006)).
A motion under Rule 12(b)(6) “tests the legal sufficiency of a complaint.” Browning v.
Clinton, 292 F.3d 235, 242 (D.C. Cir. 2002). To survive, a “complaint must contain sufficient
factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft
v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
In other words, the plaintiff must plead “factual content that allows the court to draw the reasonable
inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S.
at 556). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory
statements” are insufficient. Id. (citing Twombly, 550 U.S. at 555). While the court must assume
that any “well-pleaded factual allegations” in a complaint are accurate, conclusory allegations “are
not entitled to the assumption of truth.” Id. at 679.
III. ANALYSIS
A. Standing
Article III of the Constitution confines federal judicial power to the resolution of “Cases”
and “Controversies.” TransUnion LLC v. Ramirez, 594 U.S. ---, ---, 141 S.Ct. 2190, 2203 (2021)
(citing Raines v. Byrd, 521 U.S. 811, 819–20 (1997)). For there to be a case or controversy under
Article III, the plaintiff must have a “personal stake” in the case—in other words, standing. Raines,
521 U.S. at 819. Standing is a necessary predicate to any exercise of federal jurisdiction and,
without standing, the court lacks jurisdiction. Ariz. Christian Sch. Tuition Org. v. Winn, 563 U.S.
125, 129 (2011); Dominguez v. UAL Corp., 666 F.3d 1359, 1361 (D.C. Cir. 2012). To demonstrate
standing at the motion to dismiss stage, a plaintiff must plausibly plead (1) an “injury in fact,” that
is (2) “fairly traceable to the challenged action of the defendant, and not the result of the
independent action of some third party not before the court,” and that is (3) “likely” to be
“redressed by a favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992); see
also Jeffries v. Volume Servs. Am., Inc., 982 F.3d 1059, 1063 (D.C. Cir. 2019).
Defendant argues that Plaintiffs’ alleged injuries—the diminution in PII value, loss of the
benefit of the bargain, increased spam, and future risks of harm—are “common injuries” that do
not qualify as concrete, particularized, and actual or imminent for standing purposes. MTD at
5–8, 10–13. And, even if the fraudulent purchase on Fredrickson’s credit card constitutes an injury
in fact, Defendant argues it is not “fairly traceable” to Defendant. Id. at 9.
1. Injury in Fact
An injury in fact is “‘an invasion of a legally protected interest’ that is ‘concrete and
particularized,’ and . . . ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, Inc., v.
Robins, 578 U.S. 330, 339 (2016) (quoting Lujan, 504 U.S. at 560). Tangible harm, such as a
physical or monetary injury, readily qualifies as concrete under Article III. TransUnion, 141 S.Ct.
at 2204. When evaluating intangible harm, courts “should assess whether the alleged injury to the
plaintiff has a ‘close relationship’ to a harm ‘traditionally’ recognized as providing a basis for a
lawsuit in American Courts,” such as “reputational harms, disclosure of private information, and
intrusion upon seclusion.” Id. (citing Spokeo, 578 U.S. at 341). Because Plaintiffs seek
prospective, injunctive relief, they must also establish “material risk of future harm” that is
“sufficiently imminent and substantial.” Id. at 2210 (citations omitted).
Defendant argues that Plaintiffs’ “mere increased risk of identity theft and mitigation
efforts are insufficient.” MTD at 10. The court disagrees. The D.C. Circuit has determined that
“identity theft . . . constitute[s] a concrete and particularized injury.” In re U.S. Off. of Pers. Mgmt.
Data Sec. Breach Litig., 928 F.3d 42, 55 (D.C. Cir. 2019) (quoting Attias v. Carefirst Inc., 865
F.3d 620, 627 (D.C. Cir. 2017) (“Attias I”)). Spending financial resources or time on mitigation
efforts in “response to a data breach . . . may create a concrete Article III injury when paired with
a risk of future identity theft.” Attias v. Carefirst Inc., 344 F.R.D. 38, 47 (D.D.C. 2023) (“Attias
III”). Both Plaintiffs adequately allege such mitigation measures. For instance, Malvitz spent time
“monitoring her financial accounts for any indication of fraudulent activity,” and Fredrickson
pursued similar “mitigation measures.” Am. Compl. ¶¶ 134–162; see Keown v. Int’l Ass’n of Sheet
Metal Air Rail Trans. Workers, No. 23-cv-3570 (CRC), 2024 WL 4239936, at *3 (D.D.C. Sept.
19, 2024).
The court further agrees that Plaintiffs have shown that “their harm has a close relationship
to the harm to privacy vindicated by the common-law tort of intrusion upon seclusion.” All. for
Retired Ams. v. Bessent, --- F. Supp. 3d ----, 2025 WL 740401, at *15–16 (D.D.C. Mar. 7, 2025).
Intrusion upon seclusion at common law requires that the “defendant intentionally intruded ‘upon
the solitude or seclusion of another or [their] private affairs or concerns,’” and that the intrusion
would be “highly offensive” to a reasonable person. Id. at *16 (quoting Restatement (Second) of
Torts § 652B). Publicity is not required. Pileggi v. Washington Newspaper Publ'g Co., LLC, No.
CV 23-345 (BAH), 2024 WL 324121, at *6 (D.D.C. Jan. 29, 2024); see Restatement (Second) of
Torts § 652B. The harm need not perfectly align with the common law action. Courts “look for a
close relationship” to a traditional harm, “not an exact duplicate.” All. for Retired Ams., 2025 WL
740401, at *17 (internal quotation marks and citations omitted). At the pleading stage, Plaintiffs
have set forth sufficient facts for the court to infer that a reasonable person would find it offensive
that a third party obtained Plaintiffs’ “private and personal details,” such as social security
numbers. Pileggi, 2024 WL 324121, at *8 (internal quotation marks and citation omitted).
Therefore, Plaintiffs satisfy the injury in fact requirement for standing.
2. Causation
Causation or traceability requires that Defendant is responsible for Plaintiffs’ injury. See
Lujan, 504 U.S. at 560–61. The injury must be fairly traceable “to the challenged action of the
defendant, and not . . . th[e] result [of] the independent action of some third party not before the
court.” Citizens for Resp. and Ethics in Wash. v. U.S. Dep’t of Treasury, 21 F.Supp.3d 25, 34
(D.D.C. 2014) (quoting Lujan, 504 U.S. at 560). Defendant argues that Plaintiffs’ injuries “are
not plausibly connected” to the data breach, MTD at 4, and any injuries suffered by Plaintiffs stem
from “unknown cybercriminal[s],” which breaks the causal chain, Def.’s Reply in Support of MTD
at 2, ECF No. 11 (“Def.’s Reply”). This argument is unavailing.
At the motion to dismiss stage, Plaintiffs need only “show that injuries claimed—
substantial risk of identity theft and Plaintiff’s [] mitigation measures—are ‘fairly traceable’ to the
data breach.” Keown, 2024 WL 4239936, at *3 (citing Attias I, 865 F.3d at 629). Plaintiffs allege
that Defendant failed to “implement adequate and reasonable security procedures and protocols.”
Am. Compl. ¶ 7. They claim that because Defendant lacked sufficient cybersecurity protections,
third parties accessed Defendant’s systems, accessing Plaintiffs’ PII, during the data breach. Id.
¶ 36. As a result of the data breach, Plaintiffs spent time and money on mitigation efforts and face
increased risks of financial fraud or identity theft. Id. ¶¶ 139–44, 149–59. The allegations
sufficiently establish that Plaintiffs’ harms are fairly traceable to Defendant’s inadequate security
measures. See Keown, 2024 WL 4239936, at *3.
3. Redressability
To satisfy redressability, Plaintiffs must allege that it is “substantially likely” they will
“obtain relief that directly redresses the injury suffered.” Reed v. Goertz, 598 U.S. ---, ---, 143 S.
Ct. 955, 960 (2023). Courts may award damages for mitigation costs incurred because of a
“substantial risk that a harm will occur.” Attias I, 865 F.3d at 629 (quoting Clapper v. Amnesty
Int’l, USA, 568 U.S. 398, 414 n.5 (2013)). Plaintiffs assert that they “anticipate[] spending
considerable time and money on an ongoing basis to try to mitigate and address harms caused by
the Data Breach.” Am. Compl. ¶¶ 144, 158. Engaging in such mitigation efforts was reasonable
following the data breach. See Attias I, 865 F.3d at 629. “The fact that plaintiffs have reasonably
spent money to protect themselves against a substantial risk creates the potential for them to be
made whole by monetary damages.” Id.
In addition to compensatory damages, Plaintiffs seek “injunctive relief, including
improvements to Defendant’s data security systems, future annual audits, and adequate credit
monitoring services funded by Defendant.” Am. Compl. ¶ 16. Defendant argues the court cannot
redress Plaintiffs’ “purported future risk of harm” because it “cannot control the actions of
unknown cybercriminals or compel [Defendant] to modify its cybersecurity defenses to address a
data breach that has already occurred.” Def.’s Reply at 1. But that is not the injunctive relief
Plaintiffs seek; rather, they ask for injunctive relief to prevent a future data breach and to address
ongoing harms from the past data breach. See Am. Compl. ¶¶ 16, 134. They allege that their PII
“remain[s] in Defendant’s possession” and “subject to further unauthorized disclosures so long as
Defendant fails to undertake appropriate and adequate measures to protect the PII.” Id. ¶ 208. The
court may redress the “‘substantial risk’ that their personal information will be stolen from
[Defendant] again in the future.” Keown, 2024 WL 4239936, at *4.
Courts also recognize that “nominal damages suffice for redressability purposes because
American courts always have recognized that plaintiffs may pursue constitutional or common-law
causes of action even when their only redress is the symbolic award of nominal relief.” Attias v.
CareFirst, Inc., 346 F.R.D. 1, 9–10 (D.D.C. 2024) (“Attias V”) (citing Uzuegbunam v. Preczewski,
592 U.S. ---, ---, 141 S.Ct. 792, 801 (2021)). Because Plaintiffs request nominal damages, and
other forms of relief, redressability is satisfied.
For the above reasons, Plaintiffs sufficiently allege an injury in fact caused by the
Defendant and redressable by the court, and therefore have standing.
B. Choice of Law
In addition to the constitutional limitations imposed by Article III, Congress further limits
the types of cases or controversies that district courts may hear. Federal district courts typically
derive jurisdiction from two statutory grants: federal question jurisdiction, 28 U.S.C. § 1331, and
diversity jurisdiction, id. § 1332. Here, Plaintiffs bring common-law claims based on diversity
jurisdiction over actions where the amount in controversy exceeds $5,000,000 and there is minimal
diversity between the named parties pursuant to the Class Action Fairness Act of 2005. Am.
Compl. ¶¶ 18–21; 28 U.S.C. § 1332(d). When exercising diversity jurisdiction, the court must
determine the law that applies to common-law claims. Klaxon Co. v. Stentor Elec. Mfg. Co., 313
U.S. 487, 496 (1941). Courts “must apply the choice-of-law rules of the jurisdiction in which [it]
sit[s]. . .” Wu v. Stomber, 750 F.3d 944, 949 (D.C. Cir. 2014). “D.C. choice-of-law rules require
that” the court applies “the tort law of the jurisdiction that has the ‘most significant relationship’
to the dispute.” Id. (citing Washkoviak v. Student Loan Mktg. Ass'n, 900 A.2d 168, 180 (D.C.
2006)). In determining which law applies, the court considers (1) “where the injury occurred,” (2)
“where the conduct causing the injury occurred,” (3) “the domicile . . . of the parties,” and (4) “the
place where the relationship is centered.” Id. (quoting Washkoviak, 900 A.2d at 180) (internal
quotation marks omitted). Federal courts in this district must “first determine whether a ‘true
conflict’ exists between the laws of the competing jurisdictions.” Jones v. Lattimer, 29 F. Supp.
3d 5, 10 (D.D.C. 2014) (quoting Margolis v. U-Haul Int’l, Inc., 818 F. Supp. 2d 91, 100 (D.D.C.
2011)). A “true conflict exists” when “more than one jurisdiction has a potential interest in having
its law applied” and “the law of the competing jurisdictions is different.” In re APA Assessment
Fee Litig., 766 F.3d 39, 51–52 (D.C. Cir. 2014) (citation omitted). In such a situation, D.C. law
applies “unless the foreign state has a greater interest in the controversy.” Jones, 29 F. Supp. 3d
at 10.
Because Plaintiffs are Wisconsin citizens and Defendant is a D.C. citizen, Am. Compl.
¶¶ 18–21, Wisconsin and D.C. may have an interest in the matter. “Wisconsin has a powerful
interest in protecting its residents from fraud and misrepresentation, while the District of Columbia
has an equally strong interest in ensuring that its corporate citizens refrain from fraudulent
activities.” Pls.’ Resp. to Def.’s MTD at 14, ECF No. 10 (“Opp’n”) (quoting Washkoviak, 900
A.2d at 180–81). The parties agree, however, that the court cannot conduct an adequate choice-
of-law analysis at the motion to dismiss stage, and neither party fully briefed the choice-of-law
issues. MTD at 13; Opp’n at 13–14. Defendant argues that Plaintiffs’ claims fail under either
jurisdiction’s standards, but urges the court to consider and “afford[] significant weight” to
Wisconsin law. Def.’s Reply at 5–9 & n.2.
In general, choice-of-law issues are “‘better suited to resolution on motions for summary
judgment,’ after an opportunity for discovery.” Jones, 29 F. Supp. 3d at 10 n.3 (quoting La
Reunion Aerienne v. Socialist People's Libyan Arab Jamahiriya, 477 F. Supp. 2d 131, 137 (D.D.C.
2007)). The court will benefit from fulsome briefing before resolving whether Wisconsin or D.C.
law applies. See id.; In re McCormick & Co., 215 F. Supp. 3d 51, 62 (D.D.C. 2016). Because it
“cannot determine from the pleadings which jurisdiction has a greater interest in the
controversy”—as the parties concede—“in ruling on a motion to dismiss [the court] must apply
the law of the forum state, which in this case is the District of Columbia.” Washkoviak, 900 A.2d
at 182; see also Wu, 750 F.3d at 949; In re APA Assessment Fee Litig., 766 F.3d at 54–55.
Therefore, at this juncture, the court will assess Plaintiffs’ claims under D.C. law.
C. Negligence
Defendant moves to dismiss all counts in Plaintiffs’ Amended Complaint for failure to state
a claim under Federal Rule of Civil Procedure 12(b)(6). Starting with the negligence claim, to
survive a motion to dismiss, Plaintiffs must allege “(1) the existence of a duty owed by the
defendant to the plaintiff, (2) a negligent breach of that duty by the defendant, and (3) an injury to
the plaintiff (4) proximately caused by the defendant’s breach.” Hawkins v. Wash. Metro. Area
Transit Auth., 311 F. Supp. 3d 94, 105 (D.D.C. 2018) (quoting Powell v. District of Columbia, 602
A.2d 1123, 1133 (D.C. 1992)).
1. Duty and Breach
“The foundation of modern negligence law is the existence of a duty owed by the defendant
to the plaintiff.” N.O.L v. District of Columbia, 674 A.2d 498, 499 n.2 (D.C. 1995) (citing Palsgraf
v. Long Island R.R., 248 N.Y. 339 (N.Y. 1928)). Plaintiffs identify several potential duties that
Defendant owed them: (1) a common-law duty to use “reasonable care to secure and prevent
disclosure” of Plaintiffs’ PII; (2) a statutory duty under Section 5 of the Federal Trade
Commission Act, 15 U.S.C. § 45, to “employ reasonable security measures”; (3) a duty of care
arising from the “special relationship” between Plaintiffs, as employees or recipients of
employment-related benefits; and (4) a duty to follow “industry standards to protect [] PII.” Am.
Compl. ¶¶ 181–90. Plaintiffs allege sufficient facts for the court to infer that Defendant owed (and
breached) a common-law duty of care to secure and prevent disclosure of Plaintiffs’ PII. Plaintiffs’
alternative theories—statutory obligations, special relationship, and industry standards—support
their breach allegations, but do not impose an independent duty giving rise to a negligence claim.
In general, “one has a duty to guard against only foreseeable risks.” Novak v. Cap. Mgmt.
& Dev. Corp., 452 F.3d 902, 911–12 (D.C. Cir. 2006) (citation omitted). Under D.C. law, the
relationship between the parties determines “the foreseeability of the plaintiff’s injury and,
ultimately, the scope of the defendant’s duty.” Hedgepeth v. Whitman Walker Clinic, 22 A.3d 789,
794 (D.C. 2011). For “a party who is at arms’ length,” there is “only a minimal duty” of care. Id.
Once the parties enter into a relationship, however, a defendant must exercise the degree of care
corresponding to the relationship. Id. If the asserted injury results from intervening criminal acts
of a third party, a heightened showing of foreseeability is required. See Bd. of Trs. of Univ. of D.C.
v. DiSalvo, 974 A.2d 868, 871 (D.C. 2009). And in “some circumstances under District of
Columbia law [] even a failure to act will give rise to a legal duty.” Attias v. Carefirst, 365 F.
Supp. 3d 1, 20 (D.D.C. 2019) (“Attias II”), on reconsideration in part, 518 F. Supp. 3d 43 (D.D.C.
2021).
Plaintiffs sufficiently allege that Defendant owed and breached a common-law duty of care
owed to Plaintiffs. Defendant acquired Plaintiffs’ PII as a condition of employment and receiving
employment-related benefits. Am. Compl. ¶ 48. In doing so, Defendant assumed a duty to take
reasonable care with Plaintiffs’ PII. See Collier v. District of Columbia, 46 F. Supp. 3d 6, 15
(D.D.C. 2014) (referencing heightened duty for “employer and employee” relationship); Keown,
2024 WL 4239936, at *8. Defendant allegedly breached this duty by failing to implement
reasonable safeguards to “protect their [] PII from reasonably foreseeable threat of a cyberattack
and data breach.” Am. Compl. ¶ 182. Plaintiffs allege that Defendant knew or should have known
that “unprotected or exposed PII” is “valuable and highly sought after by nefarious third parties
seeking to illegally monetize” stolen PII. Id. ¶ 57. Based on the “known high frequency of [] data
breaches targeting employers in possession of PII,” a cyberattack was foreseeable. Id. ¶ 196.
Plaintiffs claim Defendant failed to guard against this reasonably foreseeable risk by not taking
adequate security measures, including following the “industry standards for an employer’s
obligations to its employees and their beneficiaries with respect to data privacy,” FTC guidelines
for data security practices, and Microsoft Protection Intelligence to prevent and detect data
breaches. Id. ¶¶ 42–45, 80, 93.
Accepting these allegations as true, the court finds that Plaintiffs have sufficiently
established that a cyberattack was foreseeable based on Defendant’s inadequate security practices,
the value of Plaintiffs’ PII, and the prominence of identity thefts and data breaches. See In re U.S.
Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d at 55–56 (citing Attias I, 865 F.3d at 622,
628–29). To the extent Defendant’s security measures would violate the FTC Act or fall short of
industry standards, such allegations support Plaintiffs’ claim of breach. Keown, 2024 WL 4239936,
at *9. Thus, Plaintiffs have plausibly alleged Defendant owed and breached a duty.
2. Causation and Injury
Plaintiffs must identify “more than speculative harm from defendant’s allegedly negligent
conduct.” Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708 (D.C. 2009) (quoting In
re Estate of Curseen v. Buchanan Ingersoll, P.C., 890 A.2d 191, 194 (D.C. 2006)). “Threat[s] of
future harm,” which have not materialized, “do[] not suffice to create a cause of action for
negligence.” Hillbroom v. PricewaterhouseCoopers LLP, 17 A.3d 566, 573 (D.C. 2011) (quoting
Knight v. Furlow, 553 A.2d 1232, 1235 (D.C. 1989)). In the data breach context, a plaintiff may
satisfy injury in fact for Article III standing but fail to meet the injury threshold to state a
negligence claim. See Attias II, 365 F. Supp. 3d at 9. Here, Plaintiffs allege several harms: (1)
mitigation costs and heightened risk of PII misuse, (2) lost or diminished value of PII, (3) invasion
of privacy, (4) emotional distress, and (5) statutory or nominal damages. Am. Compl. ¶¶ 6, 141,
206–07.
i. Mitigation Costs and Heightened Risk of Misuse
“The District of Columbia Court of Appeals has expressly declined to treat an increased
risk of future identity theft” and “time and money spent protecting against future identity theft” as
damages for negligence claims based on data breaches. See Attias II, 365 F. Supp. 3d at 11, 14
(quoting Randolph, 973 A.2d at 708–09); Keown, 2024 WL 4239936, at *9. Allegations of actual
misuse or economic injury, not speculations as to future misuse or economic harms, are sufficient,
however. Attias II, 365 F. Supp. 3d at 11, 14 (“Only the [plaintiffs]—who. . . have alleged actual
misuse in the form of tax-refund fraud—would be able to recover consequential damages like the
money spent monitoring their credit.”); Keown, 2024 WL 4239936, at *9.
Applying that rule here, the court finds that Fredrickson alleges “actual fraudulent misuse
of his PII.” Am. Compl. ¶ 151. He claims that after the data breach, “third party criminal actors
used [his] PII to initiate a fraudulent purchase of $1,145.13 [] on his credit card.” Id. As a result,
Fredrickson had to obtain a new credit card and spent “considerable time and money” to mitigate
the ensuing harms. Id. ¶¶ 152, 158. The fraudulent charge on his card and costs associated with
remedying the misuse of his PII qualify as damages. Attias II, 365 F. Supp. 3d at 11, 14. The
court may also plausibly infer a causal connection between Defendant’s negligence and
Fredrickson’s injury. Fredrickson alleges that he is “very careful about sharing his sensitive PII”
and “has never knowingly transmitted unencrypted sensitive PII over the internet or any other
unsecured source.” Am. Compl. ¶ 153. After his PII—including his social security number—was
stolen during the data breach, he received fraudulent credit card charges. Id. ¶¶ 152–58. At the
motion to dismiss stage, these facts permit a plausible inference that Defendant’s inadequate
security measures caused the data breach, which then caused Fredrickson’s injury. Attias II, 365
F. Supp. 3d at 11 n.4 (Even without “specific facts connecting the two events,” court “plausibly
inferred” causation “when considering a motion under Rule 12(b)(6).”).
Malvitz’s allegations present a closer question. She does not allege any specific fraudulent
charges, but claims she suffered “an increase in spam calls, texts, and/or emails” and spent
“valuable time” on mitigation activities. Am. Compl. ¶¶ 140–43. The question is whether “spam
calls, texts, and/or emails,” id. ¶ 142, constitute a “present injury,” rather than “anticipation of
future injury that has not materialized,” Randolph, 973 A.2d at 708. At least one court in this
district has answered yes. In Keown, the court concluded that “an increase in spam, calls, texts,
and/or emails” and time “dealing with these effects . . . is much closer to [a] present injury to
[Plaintiff’s] PII than to efforts to mitigate potential future harm.” 2024 WL 4239936, at *10.
Therefore, the plaintiff alleged an actual injury sufficient to support a negligence claim under D.C.
law. Id. (citing Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 37 (D.D.C. 2020)); see also
Attias II, 365 F. Supp. 3d at 11 (Allegations “listing what ‘identity thieves’ ‘can’ or ‘may’ do”
with PII are insufficient, but actual misuse permits recovery for mitigation efforts). Although it is
a close question, the court reaches the same conclusion at this stage. Because Malvitz alleges
actual misuse through “increased spam calls, texts, and/or emails,” Am. Compl. ¶ 142, she alleges
an actual injury sufficient to state a negligence claim.
ii. Lost or diminished value of PII
Plaintiffs’ allegations that they suffered damages for lost or diminished value of their PII
cannot sustain a negligence claim. When addressing injury in fact for Article III standing, courts
have “routinely rejected the proposition that an individual’s personal identifying information has
an independent monetary value.” See, e.g., Welborn v. IRS, 218 F. Supp. 3d 64, 78 (D.D.C. 2016)
(collecting cases). Plaintiffs allege that “an active and robust legitimate marketplace for PII
exists,” but fail to plead facts showing how the unauthorized access to their PII diminishes its
value. Am. Compl. ¶¶ 116–19, 120. To the contrary, Plaintiffs allege the information
compromised in the data breach remains particularly valuable. Id. ¶ 121. Moreover, they do not
assert that they intended to sell their PII or participate in the marketplace. Without allegations that
“their personal information became less valuable as a result of the [data] breach or that they
attempted to sell their information and were rebuffed because of a lower price-point attributable
to the breach,” Plaintiffs fail to allege damages based on a change in value. Welborn, 218 F. Supp.
3d at 78; see also Keown, 2024 WL 4239936, at *10 (Even though Plaintiff’s PII “decreased in
‘rarity,’” they did not claim that they intended to “sell [the] information on the black market in the
first place, so it is uncertain how they were injured by this alleged loss.”).
iii. Invasion of Privacy
Invasion of privacy is a distinct intentional tort, which Plaintiffs do not assert, but a loss of
privacy “may constitute ‘damage to the interests of the plaintiff’ sufficient to support a claim of
negligence if the defendant has a duty to prevent such damage.” Keown, 2024 WL 4239936, at
*10 (citing District of Columbia v. Cooper, 483 A.2d 317, 321 (D.C. 1984)). PII must be disclosed
to a third party to establish an invasion of privacy, however. In re Sci. Applications Int'l Corp.
(SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 29 (D.D.C. 2014). “[C]onduct giving
rise to the unauthorized viewing of [PII] such as plaintiff’s Social Security number . . . can
constitute an intrusion . . .” Randolph, 973 A.2d at 710; see also Vassiliades v. Garfinckel’s,
Brooks Bros., 492 A.2d 580, 587 (D.C. 1985) (“[I]nvasion of privacy ‘represents a vindication of
the right to private personality and emotional security.’” (citation omitted)). Here, Plaintiffs
plausibly allege that third parties obtained unauthorized access to their PII, which Defendant had
a duty to safeguard. See supra Section III.C.1. The third parties “accessed and obtained”
Plaintiffs’ PII, including their names, dates of birth, Social Security numbers, dates of service,
insurance participant IDs, and member numbers. Am. Compl. ¶¶ 4, 139, 149. Disclosure of such
information constitutes an “actual harm to [Plaintiffs’] interest in privacy . . . both judicially
cognizable and recognized at common law.” Keown, 2024 WL 4239936, at *11.
iv. Emotional Distress
Plaintiffs’ emotional distress allegations also support their negligence claim. Plaintiffs
may “recover for pain and suffering as ‘parasitic’ damages as a result of or incident to the ‘invasion
of another legally protected interest.’” Attias II, 365 F. Supp. 3d at 16 (quoting Hedgepeth, 22
A.3d at 809). If a plaintiff seeks only damages for mental pain and suffering, they must satisfy
either the zone of physical danger rule or “the special relationship and undertaking rule.” Id.
(citations omitted). Here, Plaintiffs allege an increase in “fear, anxiety, and stress” because of the
data breach. Am. Compl. ¶¶ 142, 157. Their distress “stems from the invasion of another legally
protected interest,” privacy, so they may seek “parasitic” damages. Keown, 2024 WL 4239936, at
*11 (citation omitted). Because Plaintiffs’ injuries are “neither purely economic nor purely
emotional,” they need not satisfy the alternative paths to recover emotional distress damages. Id.
v. Economic Loss Doctrine
Defendant argues that the economic loss doctrine bars Plaintiffs’ recovery in negligence.
MTD at 14–15. That doctrine precludes recovery for purely economic losses in tort, unless a
special relationship exists. Attias II, 365 F. Supp. 3d at 17; see also Aguilar v. RP MRP Wash.
Harbour, LLC, 98 A.3d 979, 985–86 (D.C. 2014) (“The economic loss doctrine in the District of
Columbia bars recovery of purely economic losses in negligence, subject to only one limited
exception where a special relationship exists.”). Plaintiffs do not seek purely economic losses. As
explained, Plaintiffs adequately allege harm to their privacy interests and emotional distress
damages, in addition to economic losses from mitigation efforts.
For the reasons stated above, Plaintiffs state a negligence claim and the court will deny
Defendant’s motion to dismiss Count I.
D. Breach of Implied Contract
Defendant contends that Plaintiffs’ claim fails because they “fail to plead the necessary
elements”—offer, acceptance, and consideration—for a valid contract governing Plaintiffs’ PII.
MTD at 17–19. The court disagrees. Under D.C. law, “an implied-in-fact contract contains ‘all
necessary elements of a binding agreement,’ differing from other contracts ‘only in that it has not
been committed to writing’ and is instead ‘inferred from the conduct of the parties.’” Shaffer v.
George Wash. Univ., 27 F.4th 754, 762 (D.C. Cir. 2022) (quoting Camara v. Mastro’s Rests. LLC,
952 F.3d 372, 375 (D.C. Cir. 2020)). “To prevail on a claim of breach of contract, a party must
establish (1) a valid contract between the parties; (2) an obligation or duty arising out of the
contract; (3) a breach of that duty; and (4) damages caused by breach.” Molock v. Whole Foods
Market, Inc., 297 F. Supp. 3d 114, 131 (D.D.C. 2018) (quoting Francis v. Rehman, 110 A.3d 615,
620 (D.C. 2015)); see also Paul v. Howard Univ., 754 A.2d 297, 311 (D.C. 2000) (citation
omitted). To survive a motion to dismiss, however, “it is enough for the plaintiff to describe the
terms of the alleged contract and the nature of the defendant’s breach.” Molock, 297 F. Supp. 3d
at 131 (quoting Francis, 110 A.3d at 620).
Courts have found that where there is no history, course of dealing, or series of statements
to support a contractual relationship, there can still be a “contractual duty to take reasonable
measures to secure customer PII.” Attias v. CareFirst, Inc., No. 15-CV-882 (CRC), 2023 WL
5952052, at *6 (D.D.C. Sept. 13, 2023) (“Attias IV”). In both Attias and Keown, courts found
implied contract claims where privacy notices or practices were provided or accessible to
plaintiffs. See Attias IV, 2023 WL 5952052, at *6–7; Keown, 2024 WL 4239936, at *13. Such
notices included assurances that the defendant took steps to protect PII. Attias IV, 2023 WL
5952052 at *6–7. Plaintiffs identify similar assurances by Defendant in this case, specifically,
Defendant’s “Privacy Policy” and website representations. Am. Compl. ¶¶ 29, 220; Opp’n at 21.
Defendant’s website stated that
Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. We use regular Malware Scanning. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all PII/information you supply is encrypted via Secure Socket Layer (SSL) technology. We implement a variety of security measures when a user submits, or accesses their information to maintain the safety of your personal information. All transactions are processed through a gateway provider and are not stored or processed on our servers.
Am. Compl. ¶ 29 (formatting modified).
Defendant’s website “speaks to an obligation to take affirmative steps to ‘protect’
[Plaintiffs’] PII.” Attias IV, 2023 WL 5952052, at *7. Further, Plaintiffs allege that Defendant
required them to provide their PII in order to obtain benefits. Am. Compl. ¶ 213. They claim that,
in doing so, Defendant implicitly “agreed” to “reasonably safeguard” the information from
“unauthorized access or disclosure.” Id. ¶ 219. Drawing all inferences in Plaintiffs’ favor, that
assumption is reasonable. See Keown, 2024 WL 4239936 at *13 (“[I]t is difficult to imagine how,
in our day and age of data and identity theft, the mandatory receipt of Social Security or other
sensitive personal information would not imply the recipients assent to protect the information
sufficiently.” (citing Attias IV, 2023 WL 5952052 at *6–7)). Therefore, Plaintiffs adequately state
the key contract terms.
Turning to the second requirement—breach—Plaintiffs need only identify the nature of the
alleged breach. Molock, 297 F. Supp. 3d at 131. They claim that Defendant breached by failing
to “take adequate cybersecurity measures” to safeguard their PII and storing the data in
unencrypted files. Am. Compl. ¶ 67. Accepting these allegations as true, the court finds that
Plaintiffs’ breach of implied contract claim survives, and it will deny Defendant’s motion to
dismiss Count II.
E. Unjust Enrichment
Finally, Defendant moves to dismiss Plaintiffs’ unjust enrichment claim, arguing that
Plaintiffs do not plausibly allege that they provided anything in exchange for data security or that
Defendant retained any benefit unjustly. MTD at 23–25. Unjust enrichment “rests on a contract
implied in law,” which permits recovery “in the absence of any contract, actual or implied in fact.”
United States ex rel. Modern Elec., Inc. v. Ideal Elec. Sec. Co., 81 F.3d 240, 247 (D.C. Cir. 1996),
(citing Bloomgarden v. Coyer, 479 F.2d 201, 210 (D.C. Cir. 1973)). It requires that “(1) the
plaintiff conferred a benefit on the defendant; (2) the defendant retains the benefit; and (3) under
the circumstances, the defendant’s retention of the benefit is unjust.” Butler v. Enter. Integration
Corp., 459 F. Supp. 3d 78, 101 (D.D.C. 2020) (quoting News World Commc’ns, Inc. v. Thompson,
878 A.2d 1218, 1222 (D.C. 2005)). Plaintiffs cannot recover under both unjust enrichment and
breach of contract theories, but appropriately plead this claim in the alternative. See Fed. R. Civ.
P. 8(a)(3); Shaffer, 27 F.4th at 768.
Plaintiffs fail to state a claim for unjust enrichment. They allege that they “conferred
monetary benefit on Defendant by providing [] their PII and [] labor” and that Defendant saved
money on security costs and unjustly enriched itself by profiting from Plaintiffs’ work. Am.
Compl. ¶¶ 232–235. This falls short of unjust enrichment. First, Plaintiffs fail to allege that
Defendant derived any benefit or value from Plaintiffs’ PII. There is no assertion that Defendant
ran analytics on Plaintiffs’ PII or used it for an independent business purpose. MTD at 14 n.4.
Rather, Defendant required Plaintiffs’ PII as a condition of employment and to provide
employment-related benefits. Am. Compl. ¶ 48. Second, Defendant did not unjustly benefit from
Plaintiffs’ labor. Malvitz was not Defendant’s employee but received benefits as an employee’s
spouse. Id. ¶ 135. Therefore, she did not provide Defendant with any labor. Although Fredrickson
worked for Defendant, id. ¶ 147, he received a salary, and therefore Defendant did not unjustly
retain the benefit of his labor. The Complaint “does not identify any profit reaped by [Defendant]
that is attributable to use of Plaintiff’s data, nor does it allege that Plaintiffs gave [Defendant] any
money that should have been used for data security.” See Keown, 2024 WL 4239936, at *14.
Therefore, the court will dismiss Plaintiffs’ unjust enrichment claim.
IV. CONCLUSION
For the foregoing reasons, the court will DENY Defendant’s motion to dismiss Plaintiffs’
negligence and breach of contract claims, but GRANT Defendant’s motion as to Plaintiffs’ unjust
enrichment claim. An Order shall accompany this Opinion.
Date: June 12, 2025
TANYA S. CHUTKAN
United States District Judge