UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF VERMONT

FILED: FEB -6 (remainder of date stamp illegible)

MARGARET MALATERRE, on behalf of herself and all others similarly situated,
Plaintiff,

v.

NATIONAL BATH SYSTEMS LLC,
Defendant.

Case No. 2:25-cv-00543

OPINION AND ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO DISMISS
(Doc. 14)

I. Procedural Background.

Plaintiff Margaret Malaterre (“Plaintiff”) brings this class action against Defendant National Bath Systems LLC (“Defendant”), arising out of a data breach of Defendant’s computer systems that compromised the personally identifiable information (“PII”)¹ of Defendant’s current and former employees and other individuals. In her Complaint, Plaintiff alleges claims for Negligence (Count I), Breach of Implied Contract (Count II), Unjust Enrichment (Count III), and Declaratory Judgment (Count IV) on behalf of herself and all others similarly situated. On July 21, 2025, Defendant moved to dismiss Plaintiff’s claims. (Doc. 14.) Plaintiff opposed the motion on August 20, 2025, (Doc. 21), and Defendant filed a reply
¹ PII incorporates “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information[.]” 2 C.F.R. § 200.79. The Federal Trade Commission describes “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including, among other things, “[n]ame, [SSN], date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.” 17 C.F.R. § 248.201 (2013).
on September 3, 2025. (Doc. 22.) The court held a hearing on October 23, 2025, at which time it took the pending motion under advisement.

Plaintiff is represented by Patrick A. Barthle, Esq., Ryan D. Maxey, Esq., and Adam P. Bergeron, Esq. Defendant is represented by Elizabeth Ferrick, Esq., Matthew S. Borick, Esq., Ron R. Courtney, Esq., and Todd D. Daubert, Esq.

II. Allegations in the Complaint.

Defendant is a Vermont limited liability company engaged in remodeling bathrooms with a principal place of business in South Burlington, Vermont. In the course of its business, Defendant acquired, collected, and stored PII of current and former employees “including, but not limited to, names, passport numbers, driver’s licenses, Social Security numbers [(“SSNs”)], birth dates, financial account numbers . . . , health and safety[-]related information, direct pay authorizations, compensation-related information[,] as well as onboarding information such as applications, resumes, and background checks.” (Doc. 1 at 1, ¶ 1.)

Plaintiff is a resident of Omaha, Nebraska, and was employed by Defendant for approximately six months in or around 2019. As a condition of employment, “Defendant required Plaintiff . . . to provide and entrust [her] PII” to Defendant, and Plaintiff did so. Id. at 29, ¶ 127. Effective June 2019 and through December 4, 2024, Defendant had a Privacy Policy that “represented that Defendant had ‘put in place appropriate security measures to prevent . . . personal data from being accidentally lost, used[,] or accessed in an unauthori[z]ed way, altered[,] or disclosed.’” Id. at 2, ¶ 4.

Between December 4 and December 5, 2024, an unauthorized actor, impersonating an information technology support technician, “gained access to [Defendant’s] network[] and deployed ransomware which . . . potentially exfiltrated [PII] data[]” (the “Data Breach”). Id. at 7, ¶ 32.
Defendant discovered the Data Breach on December 5, 2024, and “promptly isolated the affected local area network to prevent the potential threat from spreading and initiated an investigation of the incident.” Id.
On or about December 18, 2024, there were reports that it was the BlackBasta ransomware group that had hacked Defendant. Around the same time, BlackBasta “published some of the exfiltrated PII on the [D]ark [W]eb,² including passports, Social Security cards, driver’s licenses, employment eligibility verifications, and spreadsheets containing information about numerous individuals.” Id. at 2, ¶ 9.

On December 26, 2024, Defendant informed current employees of the Data Breach and offered credit monitoring services. On March 7, 2025, Defendant completed its investigation of the Data Breach and “learned that some former employees may also have been impacted by the incident.” (Doc. 1 at 7, ¶ 32.) On or about April 23, 2025, Defendant sent Plaintiff a notice of the Data Breach (the “Notice”), explaining how the breach occurred and identifying Plaintiff’s PII as “potentially exfiltrated[.]” Id. The Notice did not disclose that the BlackBasta group had published some of the exfiltrated PII on the Dark Web. Pursuant to the Notice, Plaintiff was informed that her “name, passport number, driver’s license, [SSN], birth date[], financial account numbers . . . , health and safety[-]related information, direct pay authorizations, compensation-related information[,] as well as onboarding information such as applications, resumes, and/or background checks were impacted[]” in the Data Breach. Id. at 17, ¶ 72.

Because “Defendant waited more than three months” to report the Data Breach “to the states[’] Attorneys General and affected individuals[,]” Plaintiff “had no idea [her] PII had been compromised[] and that [she was], and continue[s] to be, at significant risk of identity theft and various other forms of personal, social, and financial harm[.]” Id. at 3-4, ¶¶ 16-17. The Notice states that, following the Data Breach, Defendant disabled its VPN services and remote access to its network and “built a new, separate network with limited
² “The Dark Web is a general term that describes hidden Internet sites that users cannot access without using special software.” McMorris v. Carlos Lopez & Assocs., 995 F.3d 295, 302 n.4 (2d Cir. 2021) (internal quotation marks omitted) (quoting Kristin Finklea, Cong. Rsch. Serv., 7-5700, Dark Web 2 (2017)).
access to [its] systems.” Id. at 8, ¶ 35. Defendant articulated its commitment “to further enhancing [its] security measures as necessary to reduce the chances of future incidents.” Id. Plaintiff claims, “[h]owever, [that] the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure a breach does not occur again have not been shared with regulators or Plaintiff[.]”³ Id. at 36. Defendant offered Plaintiff one year of credit monitoring and identity protection through Experian.⁴ (Doc. 1 at 17, ¶ 70.) Plaintiff does not allege whether she accepted this offer.

PII is of “high value to criminals, as evidenced by the prices they will pay through the [D]ark [W]eb.” Id. at 15, ¶ 61. It sells for between $40 and $200, and the price of bank account details ranges from $50 to $200. Names and SSNs are particularly valuable PII because, unlike a credit card, they cannot be canceled or closed and are “difficult, if not impossible, to change.” Id. at ¶ 62. Identity thieves may use this type of PII to “obtain driver’s licenses, government benefits, medical services, and housing or even give false information to police[,]” and the resulting fraudulent activity may not come to light for years. Id. at 16, ¶ 64.

Plaintiff cites a number of articles published in the years preceding the Data Breach warning of cybercrime. Plaintiff contends that, based on these warnings, Defendant knew or should have known it was a target for attacks. Despite the alleged threat and the sensitivity of the data in Defendant’s possession, Plaintiff claims that Defendant did not secure PII from potential unauthorized actors through encryption, store the data in an internet-inaccessible environment, or destroy data
³ This factual allegation is inconsistent with the Notice explaining that the Data Breach was caused by an unauthorized actor impersonating an information technology support technician and that Defendant isolated and disabled the affected network and built a new, separate network with limited access to address the Data Breach. See Doc. 1 at 8, ¶ 35; Doc. 1-1 at 2.

⁴ This factual allegation is inconsistent with the free credit monitoring offer made in the “sample notice of Data Breach filed with Maine Attorney General[,]” (Doc. 1 at 7, ¶ 32, n.3), attached as Exhibit A to the Complaint, in which Defendant offers two years of free credit monitoring through CyEx. See Doc. 1-1 at 3.
it no longer needed. Plaintiff asserts that Defendant could and should have implemented industry-recommended measures to prevent and detect ransomware attacks.

According to Plaintiff, she has been “very careful about sharing her sensitive PII[]” and “has never knowingly transmitted unencrypted sensitive PII over the internet or any other unsecured source.” Id. at 18, ¶ 75. She “stores any documents containing [her] sensitive PII in a safe and secure location or destroys the documents[]” and “diligently chooses unique usernames and passwords for her various online accounts.” Id. at ¶ 76.

Plaintiff alleges Defendant failed to: “(i) adequately protect the PII of Plaintiff . . . ; (ii) warn Plaintiff . . . of Defendant’s inadequate information security practices; and (iii) effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities and incidents.” (Doc. 1 at 4, ¶ 18.) “As a result of the Data Breach, Plaintiff’s sensitive information was accessed and/or acquired by an unauthorized actor[]” and “[t]he confidentiality of Plaintiff’s sensitive information has been irreparably harmed.” Id. at 17, ¶ 73.

Plaintiff claims she has suffered lost time, annoyance, interference, and inconvenience due to the Data Breach, including spending time “verifying the legitimacy of the [Notice] and self-monitoring her accounts.” Id. at 18, ¶ 74. She has also experienced anxiety and increased concerns for the loss of her privacy. She alleges an “imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from her PII, especially her [SSN], being placed in the hands of unauthorized third parties and possibly criminals.” Id. at ¶ 78.
Plaintiff alleges that she has suffered the following injuries:

(i) lost or diminished value of PII; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of [her] PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to lost time, (iv) the disclosure of [her] private information, and (v) the continued and certainly increased risk to [her] PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) may remain backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII.

Id. at 4, ¶ 19.

Plaintiff asks the court to enjoin Defendant from the misuse or disclosure of her PII and to issue prompt, complete, and accurate disclosures to her. She further seeks injunctive relief regarding Defendant’s cybersecurity and data acquisition, collection, and storage practices. She seeks actual, consequential, and nominal damages; attorneys’ fees, costs, and litigation expenses; prejudgment interest on all amounts awarded; and other relief the court may deem just and proper, as well as certification of two proposed classes and appointment of herself and her counsel to represent those classes.

III. Conclusions of Law and Analysis.

A. Standard of Review.

In its motion to dismiss, Defendant asserts a two-pronged challenge to Plaintiff’s Complaint. First, Defendant contends that the court lacks subject matter jurisdiction because Plaintiff has failed to establish Article III standing. See Fed. R. Civ. P. 12(b)(1). Second, Defendant argues that Plaintiff fails to state a claim for which relief can be granted. See Fed. R. Civ. P. 12(b)(6).

“A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it.” Nike, Inc. v. Already, LLC, 663 F.3d 89, 94 (2d Cir. 2011) (internal quotation marks and citation omitted), aff’d, 568 U.S. 85 (2013). “‘The party invoking federal jurisdiction bears the burden of establishing’ that jurisdiction exists.” Sharkey v. Quarantillo, 541 F.3d 75, 82-83 (2d Cir. 2008) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992)). In resolving a motion to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), “the district court must take all uncontroverted facts in the complaint . . .
as true[] and draw all reasonable inferences in favor of the party asserting jurisdiction.” Fountain v. Karim, 838 F.3d 129, 134 (2d Cir. 2016) (internal quotation marks and citation omitted). “In a class action, ‘federal courts lack jurisdiction if no named plaintiff
has standing.’” McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 299 (2d Cir. 2021) (quoting Frank v. Gaos, 586 U.S. 485, 492 (2019)).

To survive a motion to dismiss filed pursuant to Fed. R. Civ. P. 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Parties must allege sufficient facts to “nudge[] their claims across the line from conceivable to plausible[.]” Twombly, 550 U.S. at 570. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678.

The sufficiency of a complaint under Rule 12(b)(6) is evaluated using a “two-pronged approach[.]” Hayden v. Paterson, 594 F.3d 150, 161 (2d Cir. 2010) (internal quotation marks omitted) (quoting Iqbal, 556 U.S. at 679). First, the court discounts legal conclusions and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements[.]” Iqbal, 556 U.S. at 678. The court is also “not bound to accept as true a legal conclusion couched as a factual allegation[.]” Id. (citation omitted). Second, the court considers whether the factual allegations, taken as true, “plausibly give rise to an entitlement to relief.” Id. at 679. This second step is fact-bound and context-specific, requiring the court “to draw on its judicial experience and common sense.” Id. The court does not “weigh the evidence” or “evaluate the likelihood” that a party will prevail. Christiansen v. Omnicom Grp., Inc., 852 F.3d 195, 201 (2d Cir. 2017).

B. Whether Plaintiff Has Standing.

“Standing is a federal jurisdictional question ‘determining the power of the court to entertain the suit.’” Carver v. City of New York, 621 F.3d 221, 225 (2d Cir. 2010) (quoting Warth v.
Seldin, 422 U.S. 490, 498 (1975)). “[T]he irreducible constitutional minimum of standing contains three elements.” Lujan, 504 U.S. at 560.

First, the plaintiff must have suffered an injury in fact—an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical[.] Second, there must be a causal connection between the injury and the conduct complained of—the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court. Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.

Id. at 560-61 (internal quotation marks, citations, alterations, and footnote omitted). “The party invoking federal jurisdiction bears the burden of establishing these elements.” Id. at (internal citation omitted). To satisfy the requirements of subject matter jurisdiction, Plaintiff “must clearly allege facts demonstrating each element[]” of Article III standing. Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (internal quotation marks, citations, alterations, and footnote omitted). “For each form of relief sought, a plaintiff must demonstrate standing separately[,]” and “[a] plaintiff seeking to represent a class must personally have standing.” Nicosia v. Amazon.com, Inc., 834 F.3d 220, 239 (2d Cir. 2016) (citations and internal quotation marks omitted). At the pleading stage, standing is not “‘an onerous standard[,]’” Carter v. HealthPort Techs., LLC, 822 F.3d 47, 55 (2d Cir. 2016), but rather a “relatively modest” burden. Bennett v. Spear, 520 U.S. 154, 171 (1997).

Defendant contends Plaintiff has not plausibly pled an injury in fact because her injuries are neither concrete nor imminent as she does not allege her own PII was exposed on the Dark Web. Plaintiff counters that the alleged targeted nature of the Data Breach, the placement of some of the exfiltrated data on the Dark Web for sale, and the nature of the data stolen create a substantial risk of future misuse of her PII that constitutes an injury in fact.

“A ‘concrete’ injury must be ‘de facto’; that is, it must actually exist.” Spokeo, 578 U.S. at 340; see also TransUnion LLC v. Ramirez, 594 U.S.
413, 424 (2021) (stating that an Article III injury must be “‘concrete’—that is, ‘real, and not abstract[]’”) (citation omitted). “‘[T]raditional tangible harms,’ such as physical harms and monetary harms, ‘readily qualify as concrete injuries under Article III.’” Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 284 (2d Cir. 2023) (quoting TransUnion, 594 U.S. at 425). Intangible harms can also support standing including those “with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.
Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion, 594 U.S. at 425 (internal citation omitted). This “inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury[,]” but “does not require an exact duplicate[.]” Id. at 424.

“[T]he Supreme Court has made clear that ‘allegations of possible future injury’ or even an ‘objectively reasonable likelihood’ of future injury are insufficient to confer standing.” McMorris, 995 F.3d at 300 (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409-10 (2013)). “Rather, a future injury constitutes an Article III injury in fact only ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’” Id. (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)). Consequently, “a material risk of future harm can satisfy the concrete-harm requirement” for injunctive relief “so long as the risk of harm is sufficiently imminent and substantial.” TransUnion, 594 U.S. at 435 (citing Clapper, 568 U.S. at 414 n.5). To have standing to pursue damages based on a risk of future harm, plaintiffs must demonstrate “a separate concrete harm[]” caused “by their exposure to the risk itself[.]” Id. at 437 (emphasis in original).

“‘[W]here plaintiffs have shown a substantial risk of future [harm], any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact.’” Bohnak, 79 F.4th at 286 (quoting McMorris, 995 F.3d at 303). Correspondingly, “where plaintiffs have not alleged a substantial risk of future [harm], the time they spent protecting themselves against this speculative threat cannot create an injury.” McMorris, 995 F.3d at 303 (internal quotation marks and citation omitted). This ensures compliance with “the Supreme Court’s guidance in Clapper . . .
that plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’” Id. (quoting 568 U.S. at 416).

In Bohnak, a class action alleging disclosure of the plaintiff’s name and SSN to an unauthorized third party after her former employer’s data systems were hacked, the Second Circuit observed that the release of a plaintiff’s PII to an unauthorized third party
“bears some relationship to a well-established common-law analog[ue]: public disclosure of private facts[]” and “falls squarely within the scope of an intangible harm the Supreme Court has recognized as ‘concrete[]’” for the purposes of standing. Bohnak, 79 F.4th at 285-86 (citations omitted). It further recognized that separate concrete harms arising from “the risk of future harm occasioned by the exposure of [a plaintiff’s] PII . . . independently support[s] standing.” Id. at 286. Such harms include “‘out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft,’ and ‘lost time’ and other ‘opportunity costs’ associated with attempting to mitigate the consequences of the data breach.” Id.⁵

The allegations in this case mirror those at issue in Bohnak. As in that case, Plaintiff alleges the disclosure of PII accompanied by separate harms including “lost time” and “lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach[.]” (Doc. 1 at 4, ¶ 19.) Plaintiff has therefore satisfied the requirement that her injuries are “concrete.”

Establishing a concrete injury, however, “does not fully resolve the standing question because it addresses only one component of injury in fact.” Bohnak, 79 F.4th at 287. Plaintiff must also establish that the injury is actual or imminent. To determine when the risk of future misuse of PII is actual or imminent, the Second Circuit analyzes three non-exhaustive factors:

(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has

⁵ See also Clemens v. ExecuPharm Inc., 48 F.4th 146, 155-56 (3d Cir. 2022) (“Following TransUnion [v. Ramirez, 594 U.S. 413 (2021)]’s guidance, we hold that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as [the plaintiff] alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.”); In re U.S. OPM Data Sec. Breach Litig., 928 F.3d 42, 59 (D.C. Cir. 2019) (noting that the Supreme Court has recognized standing to sue “on the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm actually exists”) (quoting discussion of Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) in Hutton v. Nat’l Bd. of Exam’rs in Optometry, 892 F.3d 613, 622 (4th Cir. 2018)).
been exposed is sensitive such that there is a high risk of identity theft or fraud.

McMorris, 995 F.3d at 303. “[N]one of these factors is alone necessary or sufficient to confer standing[;] they all bear on whether the risk of identity theft or fraud is sufficiently ‘concrete, particularized, and . . . imminent.’” Id. at 301 (quoting Thole v. U.S. Bank N.A., 590 U.S. 538, 540 (2020) (third alteration in original)). The first factor is, however, “the most important factor in determining whether a plaintiff whose PII has been exposed has alleged an injury in fact[.]” Bohnak, 79 F.4th at 288 (citing McMorris, 995 F.3d at 301).

In Bohnak, the Second Circuit applied the McMorris factors and determined that the first factor was satisfied by the plaintiff’s allegation, based on the defendant’s data breach notice, “that an unauthorized actor . . . leveraged a vulnerability in a third party’s software and gained access to her PII.” Id. at 289 (internal quotation marks and citation omitted). The court found that the third factor was satisfied by plaintiff’s allegation, again derived from the defendant’s notice, that the PII involved in the hack included her name and SSN. Although the plaintiff had not alleged any known misuse of information of the data involved in the attack, and thus failed to satisfy the second McMorris factor, the Second Circuit found that “such an allegation is not necessary to establish that an injury is sufficiently imminent to constitute an injury in fact.” Id. (citing McMorris, 995 F.3d at 301).

In applying the McMorris factors, some courts have drawn a distinction between cyberattacks seeking access to data for identity theft or fraud and ransomware attacks.
For example, the Western District of New York found that a plaintiff failed to establish standing based on the risk of identity theft when the data was compromised by a ransomware attack because “the primary purpose of a ransomware attack is the exchange of money for access to data, not identity theft.” In re Practicefirst Data Breach Litig., 2022 WL 354544, at *5 (W.D.N.Y. Feb. 2, 2022), report and recommendation adopted, 2022 WL 3045319 (W.D.N.Y. Aug. 1, 2022); see also Aponte v. Ne. Radiology, P.C., 2022 WL 1556043, at *4 (S.D.N.Y. May 16, 2022) (finding plaintiffs lacked standing when they failed to allege “facts to support the notion that the breach was a targeted attempt[]
to perpetuate identity theft, and plaintiffs have not alleged their or any class members’ data has been misused”).

In this case, Plaintiff alleges that Defendant was the victim of a ransomware attack but that the perpetrator of that attack, “the BlackBasta ransomware group[,] published some of the exfiltrated PII on the [D]ark [W]eb[.]” (Doc. 1 at 2, ¶ 9.) Defendant’s notice acknowledges that the unauthorized actor not only encrypted files, but also “potentially exfiltrated data.” (Doc. 1-1 at 2.) That acknowledgment, coupled with Plaintiff’s allegations regarding data posted to the Dark Web, plausibly asserts that the purpose of this attack was threefold: to negotiate a ransom, to extract PII, and to expose the PII to others who may seek to use it for criminal and fraudulent purposes. As the Second Circuit has observed: “‘Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.’” McMorris, 995 F.3d at 301 (quoting Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015)). The first McMorris factor thus weighs in Plaintiff’s favor.

The second and third McMorris factors also weigh in Plaintiff’s favor. While in Bohnak the second factor was not satisfied because the plaintiff “ha[d] not alleged any known misuse of information in the dataset accessed in the hack,” in this case, Plaintiff has alleged that the BlackBasta group posted some of the hacked PII data on the Dark Web. Bohnak, 79 F.4th at 289. The Second Circuit has recognized that allegations that “PII is available for sale on the Dark Web[] can support a finding that a plaintiff is at a substantial risk of identity theft or fraud.” Id. at 288 (citation omitted).
Plaintiff has alleged, based on Defendant’s Notice, that the affected PII includes names and SSNs, the type of data both Bohnak and McMorris noted is “exactly the kind of information that gives rise to a high risk of identity theft.” Id. at 289 (citing McMorris, 995 F.3d at 302). Although Defendant attempts to distinguish Bohnak by noting that the plaintiff there alleged that her PII was actually compromised, while in this case Plaintiff alleges
only that her PII was potentially compromised,⁶ this distinction is not dispositive. This court has found standing at the pleading stage even where a plaintiff alleges, among other things, only a potential exposure of PII. See, e.g., Gaboriault v. Primmer, Piper, Eggleston, & Cramer, P.C., 2024 WL 4476639, at *2 (D. Vt. Oct. 11, 2024) (finding plaintiff’s alleged injury of risk of future misuse of her PII after a targeted cyberattack was imminent and conferred standing despite defendant’s notice stating that plaintiff’s PII was only potentially exposed and that defendant was “not aware of any access to the data”).

Because Plaintiff’s allegations of a targeted attack by an unauthorized party that has misused some of the compromised data are “sufficient to suggest a substantial likelihood of future harm, satisfying the ‘actual or imminent harm’ component of an injury in fact[,]” Bohnak, 79 F.4th at 289, “any expenses [she has] reasonably incurred to mitigate that risk likewise qualify as injury in fact.” McMorris, 995 F.3d at 303. Plaintiff therefore has standing to pursue both her injunctive relief and damages for her mitigation costs.

To the extent Plaintiff alleges that she was injured by the “lost or diminished value of [her] PII[,]” Doc. 1 at 4, ¶ 19, “courts have consistently rejected allegations that the diminution in value of [PII] can support standing, . . . particularly where[, as here,] the plaintiffs have not alleged that they attempted to sell their [PII] or that, if they have, the data breach forced them to accept a decreased price for that information[.]” Cooper v. Bonobos, Inc., 2022 WL 170622, at *5 (S.D.N.Y. Jan. 19, 2022) (internal quotation marks and citations omitted); see also Chambliss v. Carefirst, Inc., 189 F. Supp. 3d 564,
⁶ Defendant’s Notice states: “As a result of our investigation of the incident, which we recently completed, we learned that some former employees may also have been impacted by the incident.” (Doc. 1 at 7, ¶ 33) (emphasis supplied). Plaintiff has not alleged that any of her PII has appeared on the Dark Web. Because Plaintiff has only pled that her PII may have been exposed, Plaintiff has not established that the claimed injury from disclosure of her private information is “actual.” See In re Christie’s Data Breach Litig., 767 F. Supp. 3d 12, 14 (S.D.N.Y. 2025) (“An injury is actual if it has actually happened . . . while an imminent injury is a future injury that is nonetheless certainly impending, with a substantial risk of occurrence[.]”) (alterations adopted) (internal quotation marks and citations omitted).
572 (D. Md. 2016) (finding plaintiffs lacked standing for injury from decreased value of PII because plaintiffs did not allege they attempted to sell the data or had to accept a lower price for data); Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 755 (W.D.N.Y. 2017) (collecting cases). Accordingly, this aspect of Plaintiff’s Complaint does not establish standing.

Because Plaintiff has Article III standing to pursue her injunctive relief and damages for mitigation costs, Defendant’s motion to dismiss for lack of subject matter jurisdiction is GRANTED IN PART AND DENIED IN PART.

C. Whether Plaintiff Plausibly Alleges a Claim for Negligence (Count I).

Under Vermont law, “[c]ommon law negligence has four elements: a legal duty owed by defendant to plaintiff, a breach of that duty, actual injury to the plaintiff, and a causal link between the breach and the injury.” Demag v. Better Power Equip., Inc., 2014 VT 78, ¶ 6, 197 Vt. 176, 179, 102 A.3d 1101, 1105 (citation and internal quotation marks omitted). “In determining whether a duty exists, [Vermont courts] consider a variety of public policy considerations and relevant factors. It is a question of fairness that depends on, among other factors, the relationship of the parties, the nature of the risk, the public interest at stake, and the foreseeability of the harm.” Sutton v. Vt. Reg’l Ctr., 2019 VT 71A, ¶ 26, 212 Vt. 612, 238 A.3d 608, 620 (citation and internal quotation marks omitted).

Defendant moves to dismiss Plaintiff’s negligence claim, arguing that it owed her no legal duty and that, if it did, it caused Plaintiff no injuries. Courts within the Second Circuit have held that when an entity such as an employer takes possession of PII, that entity owes a duty of reasonable care to safeguard the information. See, e.g., In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *8 (S.D.N.Y. Aug.
4, 2021) (concluding that employer owed employees “a duty to exercise reasonable care in safeguarding their PII’’); Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 748 (S.D.N.Y. 2017) (“[E]mployers have a duty to take reasonable precautions to protect the PII that they require from employees.”); Joretto v. Donnelley Fin. Sols., Inc., 583 F. Supp.
3d 570, 593 (S.D.N.Y. 2022) (concluding that company owed customers “a duty to exercise reasonable care safeguarding their [PII]”). In light of the nature of PII, courts have further found a duty on behalf of the party possessing PII to take reasonable precautions to prevent its wrongful disclosure. See, e.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 966 (S.D. Cal. 2014) (“[T]he [c]ourt finds the legal duty [to protect commercial consumer information] well supported by both common sense and California and Massachusetts law.”); Purvis v. Aveanna Healthcare, LLC, 563 F. Supp. 3d 1360, 1370 (N.D. Ga. 2021) (“It also follows as a matter of common sense that, when patients and employees are required to turn over PII. . . as a condition of medical care and employment, the entity receiving that information has some baseline obligation to adopt reasonable precautions to guard against known or reasonably foreseeable threats to the security of that information.”). The District of Vermont recently held that, “[iJn the data breach context, ‘affirmative conduct associated with an increased risk of harm can yield a special relationship for tort purposes.’” Gaboriault, 2024 WL 4476639, at *6 (citing Jn re Rutter ’s Inc. Data Sec. Breach Litig., 511 F. Supp. 3d 514, 529 (M.D. Pa. 2021); Jay P. Kesan & Carol M. Hayes, Liability for Data Injuries, 2019 U. Ul. L. Rev. 295, 321 (2019) (“A defendant who assumes custody or assumes responsibility of something may be held to have a special relationship with the plaintiff.”)). The Vermont Supreme Court has not recognized a special relationship in the circumstances of this case and recently noted that it has done so in only one case. See PeakCM, LLC v. Mountainview Metal Sys., LLC, 2025 VT 50, § 36, 346 A.3d 444, 457 (“Sutton v. Vermont Regional Center is the sole case where this Court has held that a special relationship existed[.]”). 
There, the Vermont Supreme Court found a “special relationship” when the defendants “personally solicited” and then “initiated a close relationship with [the] plaintiffs by recruiting them to invest their life savings” in a series of development projects and “promis[ed] exceptional oversight and management of the investment.” Sutton, 2019 VT 71A, ¶ 33, 212 Vt. 612, 238 A.3d at 622-23. “A special relationship requires a close relationship of trust, confidence, or reliance between the parties.” Veljovic v. TD Bank, N.A., 2025 VT 38, ¶ 13, 342 A.3d 941, 946. An employer-employee relationship generally will not suffice; however, at the pleading stage, Plaintiff claims that Defendant affirmatively requested PII from her and thus alleges a relationship of trust and confidence at least with regard to her PII.⁷ “That relationship gave rise to a duty to reasonably protect Plaintiff’s information from harm.” Gaboriault, 2024 WL 4476639, at *6.

The Complaint alleges Defendant breached its duties to Plaintiff by “failing to implement industry protocols and exercise reasonable care in protecting and safeguarding [her] PII[,]” “failing to have appropriate procedures in place to detect and prevent dissemination of [her] PII[,]” “failing to remove . . . PII it was no longer required to retain pursuant to regulations and which Defendant had no reasonable need to maintain[,]” and failing “to adequately and timely disclose to Plaintiff . . . the existence and scope of the Data Breach.”⁸ (Doc. 1 at 26-27, ¶¶ 113, 116-118.)

Defendant characterizes Plaintiff’s allegations as conclusory and speculative, noting that Plaintiff is not privy to Defendant’s information technology practices, does not identify the specific procedure or practice Defendant allegedly failed to employ, and cannot rely on the occurrence of a security incident as per se evidence that a duty was violated.

Plaintiff’s allegations that “[t]he occurrence of the Data Breach indicates that Defendant failed to adequately implement one or more of the [identified security] measures to prevent ransomware attacks, resulting in the Data Breach and the exposure of [Plaintiff’s] PII” and that “Defendant failed to take appropriate steps to protect [her] PII . . . from being compromised” are conclusory. Id. at 13-14, ¶¶ 55, 58; see, e.g., Hummel v. Teijin Auto. Techs., Inc., 2023 WL 6149059, at *7 (E.D. Mich. Sept. 20, 2023)
7 The existence of a special relationship creates an exception to the economic loss rule, which “prohibits recovery in tort for purely economic losses.” Long Trail House Condo. Ass’n v. Engelberth Constr., Inc., 2012 VT 80, ¶ 10, 192 Vt. 322, 327, 59 A.3d 752, 755 (internal quotation marks and citation omitted). Defendant, however, does not challenge Plaintiff's negligence claim on the basis of the economic loss rule.

8 Defendant argues that “any . . . duty to notify Plaintiff of the [Data Breach] seemingly would be governed by” Nebraska law, but neither party has briefed a conflict of law issue. (Doc. 14 at 26.)
(characterizing plaintiff’s assertion as conclusory when alleging that because a data breach occurred, defendant must have failed to adequately implement security standards). Although Plaintiff identifies security measures she claims Defendant could and should have implemented, she does not allege which of those measures Defendant failed to adequately implement.⁹ Some courts, perhaps recognizing the dearth of information available in data breach cases prior to discovery, have granted leeway at the pleading stage.¹⁰ See, e.g., In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 586 (N.D. Ill. 2022) (holding that plaintiff adequately pled breach of duty by alleging that defendant “failed to implement one or more of the above measures” recommended by the United States government “to prevent ransomware attacks”) (internal quotation marks and citation omitted); Wallace v. Health Quest Sys., Inc., 2021 WL 1109727, at *9 (S.D.N.Y. Mar. 23, 2021) (finding plaintiffs’ complaint sufficient after alleging defendant failed “to implement certain safeguards and computer security practices that would have prevented disclosure of their [PII]”). This court need not squarely adopt this approach because the Complaint contains at least two non-conclusory allegations regarding how Defendant allegedly failed to safeguard Plaintiff’s PII.
9 See, e.g., Razuki v. Caliber Home Loans, Inc., 2018 WL 6018361, at *1 (S.D. Cal. Nov. 15, 2018) (concluding that an allegation that defendant “knew of higher-quality security measures” unsupported by “any facts about [defendant’s] protocols or actions it took when choosing appropriate security measures[]” was conclusory); Springmeyer v. Marriott Int'l, Inc., 2021 WL 809894, at *3 (D. Md. Mar. 3, 2021) (holding that the allegation that defendant failed “to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’ PII[,]” absent any alleged facts about what measures defendant did or did not take to protect PII, was conclusory).

10 “[D]ata breach cases present unique challenges for plaintiffs at the pleading stage. A plaintiff may know only what the company has disclosed in its notice of a data breach. Even if some plaintiffs can find more information about a specific data breach, there are good reasons for a company to keep the details of its security procedures and vulnerabilities private from the public and other cybercriminal groups. We cannot expect a [party] in [plaintiff’s] position to plead with exacting detail every aspect of [the defendant’s] security history and procedures that might make a data breach foreseeable[.]” Ramirez v. Paradies Shops, LLC, 69 F.4th 1213, 1220 (11th Cir. 2023).
First, Plaintiff alleges that Defendant “should have encrypted the [SSNs] and other sensitive data elements within the PII to protect against their publication and misuse in the event of a cyberattack[]” given the “foreseeable risk that Plaintiff’s . . . PII could be accessed, exfiltrated, and published as the result of a cyberattack.” (Doc. 1 at 10, ¶¶ 46-47.) “Defendant’s misconduct . . . included its decisions not to comply with . . . basic encryption techniques freely available to Defendant.” Id. at 25-26, ¶ 107. And second, the Complaint alleges that Defendant breached its duty by “failing to remove from the Internet-accessible environment any PII it was no longer required to retain[.]” Id. at 27, ¶ 117. These allegations are sufficiently specific and plausible at the pleading stage to survive dismissal.

For the reasons stated above, the court DENIES Defendant’s motion to dismiss Count I.

D. Whether Plaintiff Plausibly Alleges a Claim for Breach of Implied Contract (Count II).

In Count II of the Complaint, Plaintiff contends that Defendant required her to provide her PII as a condition of employment with Defendant, creating an implied agreement that Defendant would protect and secure that PII. Defendant argues that Plaintiff failed to plead any facts that demonstrate the requisite mutual intent for an implied-in-fact contract and that Plaintiff’s claims of deficient security measures do not plausibly allege a breach.

Under Vermont law,

There are two kinds of implied contracts, as the term is ordinarily used in the books: (1) Where the minds of the parties meet and their meeting results in an unexpressed agreement; (2) where there is no meeting of minds. The former class embraces true contracts which are implied in the sense that the fact of the meeting of minds is inferred. Such contracts are more accurately defined as resting upon an implied promise in fact. The latter class embraces contractual obligations implied by the law where none in fact exist.

Morse v. Kenney, 89 A. 865, 866 (Vt. 1914) (citations omitted). An implied-in-fact contract thus requires “a mutual intent to contract.” Id. at 867; see also Mount Snow Ltd. v. ALLI, the All. of Action Sports, 2013 WL 4498816, at *8 (D. Vt. Aug. 21, 2013) (determining that to prevail on an implied-in-fact contract claim under Vermont law, “a plaintiff must demonstrate mutual intent to contract and acceptance of the offer[]”). The Vermont Supreme Court has observed that “[a] contract implied in law, or a quasi-contract, is based on an implied promise to pay when a party receives a benefit and the retention of the benefit would be inequitable. Liability in such cases arises from the doctrine of unjust enrichment.” Sweet v. St. Pierre, 2018 VT 122, ¶ 18, 209 Vt. 1, 10, 201 A.3d 978, 985 (internal quotation marks and citations omitted).

The Vermont Supreme Court has not addressed the question of implied contracts in the data breach context, but this court recently found a plaintiff plausibly alleged an implied contract to safeguard her PII upon the defendant taking possession of it. See Gaboriault, 2024 WL 4476639, at *9. The court noted that the concept of an implied promise in the context of a data breach has been recognized by at least one other court in the Second Circuit:

Plaintiffs allege that when they provided their private information to Freestyle (as required to purchase from ShopRuger), Freestyle made the implied promise that the information would be protected and kept secure from further disclosure. With the data breach, Freestyle allegedly broke this promise. With these allegations, the [c]ourt concludes that Plaintiffs have plausibly alleged an implied contract with Freestyle as well as a breach of that implied contract.

Id. at *8 (quoting Jones v. Sturm, Ruger & Co., Inc., 2024 WL 1307148, at *9 (D. Conn. Mar. 27, 2024)). Indeed, “‘it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of [SSNs] or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.’” Id. (quoting Attias v. CareFirst, Inc., 2023 WL 5952052, at *6 (D.D.C. Sept. 13, 2023)).
In this case, as in Gaboriault, Plaintiff has alleged that a promise to safeguard her PII was implied upon Defendant taking possession of it. See Doc. 1 at 29, ¶ 128 (“As a condition of [her] employment with Defendant, Plaintiff . . . provided and entrusted [her] PII. In so doing, Plaintiff . . . entered into [an] implied contract[] with Defendant by which Defendant agreed to safeguard and protect such PII and to keep such PII secure and confidential.”). These facts, accepted as true at the pleading stage, state a plausible claim of offer and acceptance and the formation of an implied contract. See, e.g., Keown v. Int'l Ass’n of Sheet Metal Air Rail Transp. Workers, 2024 WL 4239936, at *13 (D.D.C. Sept. 19, 2024) (“The [c]ourt then joins numerous other courts in concluding that an obligation to reasonably safeguard the plaintiffs’ PII from unauthorized access or disclosure is sufficiently definite to support an implied contract.”) (alterations adopted) (internal quotations and citation omitted).

Plaintiff also argues that Defendant breached an implied contract based on the Privacy Policy posted on its website. However, these allegations are not reflected in the Complaint. Because Plaintiff’s Complaint cannot be amended by her briefing, the court does not consider this allegation. See Palm Beach Mar. Museum, Inc. v. Hapoalim Sec. USA, Inc., 810 F. App’x 17, 20 (2d Cir. 2020) (“[A] complaint may not be amended by . . . an opposition brief wholly unsupported by factual allegations in the complaint.”) (citing Wright v. Ernst & Young LLP, 152 F.3d 169, 178 (2d Cir. 1998)); In re Bemis Co. Sec. Litig., 512 F. Supp. 3d 518, 541 (S.D.N.Y. 2021) (“[A] plaintiff may not raise new facts in opposing dismissal and ask the [c]ourt to rely on those facts in determining whether he or she has stated a claim.”) (citing Wright, 152 F.3d at 178).

Defendant argues that even if an implied contract existed, Plaintiff has failed to plausibly allege that Defendant breached the contract. Plaintiff, however, has claimed that Defendant failed to encrypt PII and remove PII it no longer needed to retain and that, as a result, Plaintiff’s PII is at risk of being exposed on the Dark Web and used for fraudulent purposes. Plaintiff also alleges that Defendant failed to adequately and timely inform her of the Data Breach. These allegations, accepted as true, state a plausible claim of breach. See, e.g., Cahill v. Mem’l Heart Inst., LLC, 2024 WL 4311648, at *12 (E.D. Tenn. Sept. 26, 2024) (“Additionally, viewing the facts in the light most favorable to [p]laintiffs, the [c]ourt finds they plead facts to support the element of nonperformance of the contract by failing to take specific action such as encrypting data to adequately safeguard information.”). The court therefore DENIES Defendant’s motion to dismiss Count II.
E. Whether Plaintiff Plausibly Alleges a Claim for Unjust Enrichment (Count III).

“A claim of unjust enrichment requires three showings: ‘(1) a benefit was conferred on the defendant; (2) the defendant accepted the benefit; and (3) the defendant retained the benefit under such circumstances that it would be inequitable for the defendant not to compensate the plaintiff for its value.’” Hirchak v. Hirchak, 2024 VT 81, ¶ 26, 331 A.3d 1051, 1064 (alterations adopted) (quoting Beldock v. VWSD, LLC, 2023 VT 35, ¶ 68, 218 Vt. 144, 176, 307 A.3d 209, 233).

Defendant moves to dismiss Plaintiff’s claim for unjust enrichment because Plaintiff failed to identify how Defendant benefited from her PII. Plaintiff merely alleges that she “conferred a benefit on Defendant in providing [her] PII to Defendant for the purposes of obtaining employment[,]” relying on Gaboriault, in which this court found a plaintiff had plausibly alleged unjust enrichment following a data breach. (Doc. 21 at 11.)

The facts alleged in Gaboriault are distinguishable from the instant case. In Gaboriault, the defendant was a law firm that obtained the plaintiff’s PII while representing a party adverse to the plaintiff in other litigation. In determining that the defendant, and not just the defendant’s client, had received a benefit from the plaintiff's PII, this court reasoned that “[i]n any civil litigation, the interests of the attorney and his or her client are necessarily intertwined to the extent that success is beneficial to both. Accordingly, information that may lead to such success offers a benefit not just to the client, but also to the firm.” Gaboriault, 2024 WL 4476639, at *9. In contrast, Plaintiff alleges no facts that Defendant benefited from her PII beyond the employment relationship for which she was presumably paid, rendering her allegation that she conferred a benefit on Defendant conclusory. See Apothecus Pharm. Corp. v. Hendrickson, 2017 WL 5495818, at *5 (E.D.N.Y. May 9, 2017) (dismissing unjust enrichment claim pursuant to Rule 12(b)(6) because “[p]laintiffs ha[d] not alleged what [d]efendants unjustly gained or how that gain was at their own expense”).

Finally, Plaintiff has failed to plead facts that indicate it would be inequitable for Defendant not to compensate her. Plaintiff alleges that she conferred a benefit on Defendant “for the purpose of obtaining employment.” (Doc. 1 at 30, ¶ 135.) Under Vermont law, “[t]he retention of a benefit is not unjust where defendants have paid for it.” Beldock, 2023 VT 35, ¶ 69, 218 Vt. at 176, 307 A.3d at 233 (quoting Morrisville Lumber Co. v. Okcuoglu, 531 A.2d 887, 889 (Vt. 1987)). Accepting Plaintiff's allegation as true, Defendant compensated Plaintiff for her PII by providing her with employment. The court thus GRANTS Defendant’s motion to dismiss Count III.

F. Whether Plaintiff Plausibly Alleges a Claim for Declaratory Judgment (Count IV).

Count IV of the Complaint states a claim under the Declaratory Judgment Act, 28 U.S.C. § 2201, et seq. (“DJA”). A request for a declaratory judgment is not a separate cause of action. See Nat’l Union Fire Ins. Co. of Pittsburgh v. Karp, 108 F.3d 17, 21 (2d Cir. 1997) (“The DJA is procedural in nature, and merely offers an additional remedy to litigants.”) (emphasis omitted) (citing Wilton v. Seven Falls Co., 515 U.S. 277, 287 (1995)). The court GRANTS Defendant’s motion to dismiss Count IV. This does not preclude Plaintiff from pursuing this remedy.

G. Whether Plaintiff May Amend Her Complaint.

Pursuant to Fed. R. Civ. P. 15(a)(2), courts “should freely give leave” to amend a complaint “when justice so requires.” “‘Where the possibility exists that the defect can be cured and there is no prejudice to the defendant, leave to amend at least once should normally be granted as a matter of course.’” Meyer v. Seidel, 89 F.4th 117, 140 (2d Cir. 2023) (quoting Oliver Schs., Inc. v. Foley, 930 F.2d 248, 253 (2d Cir. 1991)). However, “[l]eave may be denied ‘for good reason, including futility, bad faith, undue delay, or undue prejudice to the opposing party.’” TechnoMarine SA v. Giftports, Inc., 758 F.3d 493, 505 (2d Cir. 2014) (quoting McCarthy v. Dun & Bradstreet Corp., 482 F.3d 184, 200 (2d Cir. 2007)).
Defendant objects to granting Plaintiff leave to amend because Plaintiff has not offered, and cannot offer, “anything other than ‘naked assertions’ devoid of ‘further factual enhancement[]’” to establish injury in fact, making amendment futile. (Doc. 14 at 32.) Because Plaintiff has plausibly pled injury in fact, the court cannot find that the claims asserted by Plaintiff would be futile. The court further finds that there is no other ground on which to deny leave to amend.

CONCLUSION

For the reasons set forth above, Defendant’s motion to dismiss is GRANTED IN PART AND DENIED IN PART. (Doc. 14.) The court GRANTS IN PART AND DENIES IN PART Defendant’s motion to dismiss for lack of subject matter jurisdiction. The court GRANTS Defendant’s motion to dismiss Counts III and IV for failure to state a claim and DENIES Defendant’s motion to dismiss Counts I and II. The court GRANTS Plaintiff leave to amend her Complaint within twenty (20) days of the date of this Opinion and Order consistent with the Federal Rules of Civil Procedure and this court’s Local Rules.

SO ORDERED.

Dated at Burlington, in the District of Vermont, this ___ day of February, 2026.
United States District Court