IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF VIRGINIA Richmond Division ALI MGARESH, et al., on behalf ) of themselves and all others ) similarly situated, ) Plaintiffs, Vv. Civil Action No. 3:24-cv-337-HEH VIRGINIA UNION UNIVERSITY, Defendant. MEMORANDUM OPINION (Resolving Motions to Dismiss) THIS MATTER is before the Court on Defendant Virginia Union University’s (“Defendant” or “VUU”) Motion to Dismiss under Rule 12(b)(6) (“Rule 12(b)(6) Motion,” ECF No. 18) and Motion to Dismiss for Lack of Subject Matter Jurisdiction Under Rule 12(b)(1) (“Jurisdiction Motion,” ECF No. 20). The parties filed memoranda supporting their respective positions, and the Court heard oral argument on October 29, 2024. For the following reasons, the Jurisdiction Motion will be denied, and the Rule 12(b)(6) Motion will be granted in part and denied in part. I. BACKGROUND Defendant is a university located in Richmond that enrolls over 1,600 students and has a revenue of approximately $51 million. (Am. Compl. ff 2-5, 18-19, ECF No. 17.) According to the Amended Complaint, Defendant receives and maintains personally identifying information (“PII”) for its current, former, and prospective students. (Am.
Compl. § 20-22.) One way Defendant obtains this information is online applications by prospective students who pay a fee to apply. (/d. J 20-25.) The PII students provide in
these applications may include full names, Social Security numbers, dates of birth, and driver’s license numbers or State ID information. (/d. 95.) Defendant maintains this PII for years, including after the students’ official relationship with Defendant is terminated. (Id. FJ 20-21.) Plaintiffs, former student applicants to VUU, allege that Defendant “agreed it would safeguard the data [PII] in accordance with its internal policies, state law, and federal law.” (Am. Compl. § 26.) Defendant’s Privacy Policy advises its students and applicants that “we care about providing you with information to manage and protect your online privacy.” (Jd. 27.) Further, Defendant promises its students and applicants that “Virginia Union University’s Information Technology Services Department incorporates many security features for such as (sic) encryption, and secure logon for any page that a faculty, staff, student, or friend of the University logs into... .” (Ud. { 28.) According to Plaintiffs, a Russian computer-hacking gang called “LockBit” infiltrated Defendant’s computer systems on or before February 13, 2023. (Am. Compl. 36, 52, 56-57.) Plaintiffs refer to this computer system infiltration as the “Data Breach.” (/d. f] 4-5.) The Data Breach allegedly resulted in the theft of the Social Security numbers, dates of birth, and other PII of at least 1,768 VUU students, including prospective students and former students. (/d. 4-5, 39.) Although Defendant detected the Data Breach on February 13, 2023, for fourteen (14) months Defendant delayed notifying the students that hackers had gained access to their information. (/d. {J 6-7,
yy
36, 43.) Plaintiffs allege that the hackers were able to breach Defendant’s computer systems because Defendant failed to adequately train its employees on cybersecurity and failed to maintain reasonable security safeguards or protocols to protect Plaintiffs’ PII. FF 9, 31, 48.) Plaintiffs allege that their injuries include “lost time, unauthorized purchases, □ unauthorized credit inquiries, increases in spam and scam text messages, anxiety, sleep disruption, stress, fear, and frustration.” (Mem. in Opp’n Rule 12(b)(6) Mot. at 4, ECF No. 24 (citing Am. Compl. § 71-77, 90-105).) Plaintiffs also allege that they bear “increased risks of future harms such as loss of opportunity to control how their PII is . used, diminution of value of their PII, out-of-pocket costs from trying to prevent, detect and recover from identity theft and fraud, and lost opportunity costs and wages from spending time trying to mitigate the fallout of the Data Breach, to name a few.” (d.) The Amended Complaint further alleges examples such as an unauthorized person’s purchase of an Audi vehicle in one of the Plaintiff's name; the delivery of unknown packages delivered to a Plaintiff's house; the unauthorized registration of a Geico insurance policy under a Plaintiff's name, and the fact that one of the Plaintiffs “suffered from a dramatic spike in spam and scam text messages, calls, and emails, some related to payday loans” and others related to student loans. (Jd. {{] 71, 91-97.) On July 24, 2024, Plaintiffs filed an Amended Complaint seeking damages and seeking declaratory, equitable, injunctive, and other relief. (Am. Compl. at 42.) Plaintiffs raised six (6) claims based on their alleged injuries: Negligence (Count I); Negligence per se (Count II); Breach of Implied Contract (Count III); Breach of
Fiduciary Duty (Count IV); Unjust Enrichment (Count VI); and Declaratory Judgment | (Count VII).! Ud. ff 148-204, 219-37.) II. LEGAL STANDARD A motion made pursuant to Fed. R. Civ. P. 12(b)(1) challenges the Court’s jurisdiction over the subject matter of the case. A plaintiff bears the burden to establish such jurisdiction throughout the proceeding. Kerns v. United States, 585 F.3d 187, 194 (4th Cir. 2009); see also Richmond, Fredericksburg & Potomac R.R. Co. v. United States, 945 F.2d 765, 768 (4th Cir. 1991). “If the court determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the action.” Fed. R. Civ. P. 12(h)(3). A critical element of federal subject matter jurisdiction is standing. To establish standing, a plaintiff must demonstrate three irreducible constitutional components: an injury-in-fact that is concrete and particularized, and actual or imminent, not conjectural or hypothetical; an injury that is fairly traceable to the challenged action of the defendant; and an injury that it is likely, as opposed to merely speculative, to be redressed by a favorable decision. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992). To prevail on a 12(b)(1) motion, a defendant must show that the facts recited in the complaint do not create subject matter jurisdiction, or that the jurisdictional allegations are not true. Kerns, 585 F.3d at 192. Where, as here, a defendant makes a challenge to the face of the complaint, the question is whether “the complaint fails to allege facts upon which the court can base jurisdiction.” Kuntze v. Josh Enterprises, Inc.,
! In their Memorandum in Opposition to the Rule 12(b)(6) Motion, Plaintiffs agreed to voluntarily withdraw their claim for Invasion of Privacy (Count V).
365 F. Supp. 3d 630, 635-36 (E.D. Va. 2019). Under that standard, a court is “required to accept all of the complaint’s factual allegations as true, ‘and the plaintiff, in effect, is afforded the same procedural protection as he would receive under a 12(b)(6) consideration.’” Jd. (quoting Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982)). “A motion to dismiss under Rule 12(b)(6) tests the sufficiency of a complaint; importantly, it does not resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses.” Megaro v. McCollum, 66 F.4th 151, 157 (4th Cir. 2023) (internal quotation marks omitted). For a complaint to be sufficient under Rule 12(b)(6), a plaintiff must assert “[flactual allegations” that are “enough to raise a right to relief above the speculative level” to one that is “plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 570 (2007). The facts alleged must be sufficient to “state all the elements of [any] claim[s].” Bass v. EJ. Dupont de Nemours & Co., 324 F.3d 761, 765 (4th Cir. 2003). When considering a Rule 12(b)(6) motion to dismiss, a court
must accept as true all well-pleaded allegations. Vitol, S.A. v. Primerose Shipping Co., 708 F.3d 527, 539 (4th Cir. 2013). Legal conclusions enjoy no such deference. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). IY. ANALYSIS A. Motion to Dismiss for Lack of Subject Matter Jurisdiction Defendant argues that Plaintiffs do not have standing because they have not alleged any concrete harms that they can trace to the VUU Data Breach. (Mem. in Supp. Jurisdiction Mot. at 4, ECF No. 21.) The United States Court of Appeals for the Fourth Circuit has concluded, Defendant contends, that neither being the victim of a data breach
nor facing the risk of future identity theft are concrete injuries that create standing. (/d. at 5-6 (first citing Beck v. McDonald, 848 F.3d 262, 273-75 (4th Cir. 2017), then citing Hutton v. Nat’! Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 621 (4th Cir. 2018)).) Defendant acknowledges Plaintiffs’ allegations that they received more spam text -
messages and phone calls after the Data Breach occurred. (/d. at 6-7.) But even if the. Court considers this harm to be a concrete injury, Defendant argues, Plaintiffs have failed
to allege facts that show the VUU Data Breach caused this uptick in spam messages. (Id.) Plaintiffs argue that they suffered a number of concrete injuries that would each
support standing, including: (1) receiving spam text messages, (2) facing a risk of future identity theft, (3) lost time and effort to mitigate identity theft, (4) emotional injury, (5) diminution in value of PII, and (6) the fact that Plaintiffs’ PII “has already been published (or will be published imminently) by LockBit on the Dark Web” (Am. Comp. {4 58, 68). (Mem. in Opp’n to Jurisdiction Mot. at 3-11, ECF No. 25.) At this early stage in the proceedings, the bar that Plaintiffs must hurdle to show standing is low, and Plaintiffs have met that standard here. See Kuntze, 365 F. Supp. 3d
at 636-37. The Amended Complaint alleges that, after the Data Breach occurred, Plaintiffs’ PII was fraudulently used by third parties to purchase an Audi automobile, register a Geico insurance policy, and order packages that were delivered to the home of
one of the Plaintiffs. (Am. Compl. { 71-77, 90-105.) Plaintiffs also allege that they experienced a substantial uptick in spam text messages about student loans due to the Data Breach. (/d.) Given the timing and nature of the alleged third-party misuse of
Plaintiffs’ PII, it is at least plausible that Plaintiffs’ alleged harms were caused by the Data Breach of Defendant’s computer systems—and that the Breach was, in turn, caused by Defendant’s failure to implement adequate cybersecurity measures. Collectively, Plaintiffs’ allegations are enough to clear the low bar to show standing at this early stage in the case. See Kuntze, 365 F. Supp. 3d at 636-37. Consequently, Defendant’s Motion
to Dismiss for Lack of Subject Matter Jurisdiction (ECF No. 20) will be denied with leave to refile at the close of discovery. B. Motion to Dismiss under Rule 12(b)(6) i. Negligence (Count I) In support of its Rule 12(b)(6) Motion, Defendant argues that Virginia negligence law does not recognize a general duty to protect confidential information. (Mem. in
Supp. Rule 12(b)(6) Mot. at 4, ECF No. 19 (citing Parker v. Carilion Clinic, 819 S.E.2d 809, 825 (Va. 2018)). Second, Defendant argues that it did not assume a duty to protect Plaintiffs’ PII by its conduct. (/d. at 4-5.) Plaintiffs disagree. They contend that Defendant, by its conduct, voluntarily assumed a duty to protect Plaintiffs’ PII. (Mem. in
Opp’n Rule 12(b)(6) Mot. at 5 (citing Jn re Capital One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 400 (E.D. Va. 2020)).) Specifically, Plaintiffs argue that Defendant’s actions of soliciting student information and using that information to benefit itself were sufficient to voluntarily assume a duty of care. (Jd. at 5-6.) Virginia has not recognized a common law duty for universities or businesses to
protect customer data. See Deutsche Bank Nat’l Tr. Co. as Tr. for Home Equity Mortg. Loan Asset-Backed Tr. Series INABS 2006-A v. Buck, No. 3:17-cv-833, 2019 WL
1440280, at *6 (E.D. Va. Mar. 29, 2019). However, a party can voluntarily assume a duty of care under certain circumstances. For example, in the context of cybersecurity, a
court in the Eastern District of Virginia has previously found that a defendant corporation, by its conduct, had assumed a duty of care to protect the PII of its customers. In re Capital One, 488 F. Supp. 3d at 399-408. The court came to this conclusion by applying Virginia’s voluntary assumption doctrine to the following facts: Here, Capital One solicited customers’ PII as a pre-condition for considering whether to provide credit card services to that customer; it then continued to possess and aggregate that PII with other customer’s PII for its own business purposes, beyond those pertaining to the particular customer whose PII was obtained. Am. Compl. ff 26-34. As a result, Capital One created a massive concentration of PII, a “data lake,” in which Capital One “mines [customers’] data for purposes of product development, targeted solicitation for new products, and target marketing of new partners—all in an effort to boost its profits.” Jd. 4 28. This undertaking was foreseeably vulnerable to a data attack, evidenced most clearly by Capital One’s and Amazon’s joint efforts to develop a security product (Cloud Custodian) whose purpose was to protect against these vulnerable flaws. Id. {| 44-59, 161. Indeed, Capital One acknowledged and anticipated attempts to gain unauthorized access and use of that PII, taking steps to protect against it, albeit inadequately. Jd. J 54-59.
Id. at 399. Somewhat similar to the facts in In re Capital One, here: Defendant required prospective students to submit their PII as a pre-condition to apply to the university (Am. Compl. □ 60, 64, 80, 85, 182); Defendant retained the PII of students who applied as far
back as 14 years ago (/d. □□□ 21, 59); Defendant used the students’ PII to provide students educational services (Jd. { 64); and finally, Defendant retained prospective student PII for
over a decade which left that data more vulnerable to cyberattack. (/d. J] 9, 21, 59). Granted, from the record in the case thus far, it does not appear that Defendant
Qo
aggregated student PII into a “data lake” as was done in Jn re Capital One. However, the
difference is simply one of degree, and that difference is not dispositive here. The Court
finds the similarities persuasive. The Court notes that in cases where the Supreme Court of Virginia has applied the
voluntary assumption doctrine physical harm has been present—such as injuries resulting from a car accident. See Fruiterman v. Granata, 668 S.E.2d 127, 136 (Va. 2008); Didato
v. Strehler, 554 S.E.2d 42, 48 (Va. 2001); Ring v. Poelman, 397 S.E.2d 824, 826 (1990). However, Defendant has not argued to the Court that lack of physical harm is a reason to
forgo applying the voluntary assumption doctrine here. Considering all the circumstances, the Court finds that Plaintiffs have sufficiently pled a claim for relief based on a breach of Defendant’s assumed duty of due care to the Plaintiffs. Consequently, the Court will deny Defendant’s Motion to Dismiss as to Plaintiffs’ negligence claim at this point in the case. ii. Negligence per se To prevail on a claim for negligence per se in Virginia, a plaintiff must show that (1) “the defendant violated a statute enacted for public safety,” (2) that the plaintiff “belong[s] to the class of persons for whose benefit the statute was enacted,” (3) “that the harm that occurred was of the type against which the statute was designed to protect,” and (4) that “the statutory violation [was] a proximate cause of” his injury. Collett v. Cordovana, 772 S.E.2d 584, 589 (Va. 2015); In re Capital One, 488 F. Supp. 3d at 408. A public safety statute is one that was enacted with the dominant purpose of protecting health, safety, and welfare. See Virginia Elec. & Power Co. v. Savoy Const. Co., 294
S.E.2d 811, 817 (Va. 1982); Gilstrap v. Huntington Ingalls Inc., No. 4:19-cv-68, 2019 WL 8890001, at *7 (E.D. Va. Dec. 9, 2019). Defendant argues that Plaintiffs’ negligence per se claim fails because the statute that Plaintiffs rely on, the Federal Trade Commission Act (“FTC Act”), was not enacted for public health or public safety reasons.” (Mem. in Supp. Rule 12(b)(6) Mot. at 6-7.) Defendant also emphasizes that Plaintiffs cited no Virginia law to support their claim that the FTC Act is a proper predicate statute for a negligence per se claim. (Reply Rule 12(b)(6) Mot., ECF No. 27 at 3-4; see In re Capital One, 488 F. Supp. 3d at 408.) In contrast, Plaintiffs argue that the FTC Act is a public safety statute because it “imposes a specific duty on businesses to avoid ‘unfair or deceptive acts or practices in commerce.’” (Mem. in Opp’n Rule 12(b)(6) Mot. at 8 (quoting 15 U.S.C. §45(a)(1)).) The students here were engaging in commerce, Plaintiffs argue, because they provided their PII and payment to Defendant in exchange for services. (/d.) The Court finds no sound basis to permit a plaintiff to bring a negligence per se claim in Virginia predicated on the FTC Act. Under Virginia law, a “statute enacted for public safety” is generally one that is “designed to afford protection to the public against careless or reckless acts which may result in bodily injury or property damage.” Tidewater Marina Holdings, LC v. Premier Bank, Inc., No. CL12-89, 2015 WL 13801664, at *2 (Va. Cir. Ct. Aug. 7, 2015). A statute is not considered a public safety
2 In the Amended Complaint, Plaintiffs cite “Section 5 of the FTCA, 15 U.S.C. § 45.” (Am. Compl. {J 124-29, 169-180). Plaintiffs also claimed that “Defendant Violated HIPAA,” but they later withdrew that allegation. (Mem. in Opp’n Rule 12(b)(6) Mot. at 7,n.3.)
statute merely because it targets wrongdoing and has an impact on public life. For example, courts in this District have rejected the view that statutes aimed at protecting society from fraud and other dishonest conduct, while having a facial impact on the public, qualify as the type of regulation that can support a negligence per se claim. Zuberi v. Hirezi, No. 116-cv-1077, 2017 WL 436278, at *6 (E.D. Va. Jan. 30, 2017) (“Therefore, plaintiffs’ negligence per se claim based on the real estate licensing laws is also deficient.”); see also Evans v. Evans, 695 §.E.2d 173, 177 (Va. 2010) (finding a claim of negligence per se based on a violation of a state statute requiring child restraint devices in automobiles to be impermissible.); cf Schlimmer v. Poverty Hunt Club, 597 S.E.2d 43, 46 (2004) (finding that firearm regulations qualify as public safety laws). Most notably, on similar facts to those presented here, the court in Jn re Capital One found that the FTC Act did not support a negligence per se claim for stolen PII. 488 F. Supp. 3d at 408. That court explained that “no Virginia court has held that a state negligence per se claim can be based on. . . the FTC [Act]... ., and based on current Virginia law, the Court concludes that the Supreme Court of Virginia would not recognize such a claim.” Jd. This Court agrees and concludes that Plaintiffs have failed
to state a claim for negligence per se under Virginia law. iii. Breach of Fiduciary Duty The Supreme Court of Virginia has stated that a fiduciary relationship arises “when special confidence has been reposed in one who in equity and good conscience is bound to act in good faith and with due regard for the interests of the one reposing the confidence.” H-B Ltd. P’ship v. Wimmer, 257 S.E.2d 770, 773 (Va. 1979). However,
not all agreements contain the special confidence necessary to establish fiduciary duties.
Virginia courts recognize fiduciary relationships between an attorney and client, an agent and principal, a trustee and cestui que trust, parent and child, siblings, and caretaker and
invalid. Clemens v. Home Savers, LLC, No. 2:07-cv-244, 2007 WL 2815213, at *2 (E.D. Va. Sept. 21, 2007). Plaintiffs do not contend that the circumstances here qualify as one of those specific relationships that Virginia caselaw typically recognizes as giving rise to a fiduciary duty. Plaintiffs argue, however, that the relationship between the students and VUU here involved the sort of special confidence that defines a fiduciary relationship. (Mem. in Opp’n Rule 12(b)(6) Mot. at 11-12.) Specifically, Plaintiffs argue that Defendant assumed a fiduciary duty because it required Plaintiffs to provide PII in exchange for the Defendant’s services. (/d.) Although this exchange might supply consideration for a contract, the Court finds it falls short of establishing a fiduciary relationship. Other courts have found there is no fiduciary duty present in situations where one party provides PII to the other as part of a standard arms-length arrangement. Brooks v. Peoples Bank, 732 F. Supp. 3d 765, 781-82 (S.D. Ohio 2024) (finding that no fiduciary duty was created by a bank accepting and maintaining a customer’s PII); Jn re Waste Memt. Data Breach Litig., No. 21-6147, 2022 WL 561734 at *6 (S.D.N.Y. Feb. 24, 2022) (finding no fiduciary duty where an employer required its employees to share their personal information); Clemens vy. ExecuPharm, Inc., CV No. 20-3383, 2024 WL 199554, at *3 (E.D. Pa. Jan. 18, 2024) (same). In this District, courts have held that
fiduciary duties did not arise from arms-length professional relationships between two parties. See Clemens v. Home Savers, LLC, No. 2:07-cv-244, 2007 WL 2815213, at *2 (E.D. Va. Sept. 21, 2007) (finding plaintiff failed to establish that a special relationship existed between a home refinancer and its client); Johnson v. D & D Home Loans Corp., No. 2:07-cv-204, 2008 WL 850870, at *9 (E.D. Va. Jan. 23, 2008), aff'd sub nom. □□
Johnson v. Washington, 559 F.3d 238 (4th Cir. 2009) (finding that no fiduciary duty arose from a sale of real property); see also In re Capital One, 488 F. Supp. 3d at 409 (Furthermore, there is no common law cause of action for such a breach of confidentiality under Virginia law.” (quoting M-CAM v. Richard D’Agostino, No. 3:05- cv-6, 2005 WL 2123400, *2 (W.D. Va. Sep. I, 2005)).) In accord with these cases, this Court finds that no fiduciary relationship was created here. Plaintiffs have not shown that their relationship with Defendant resembled those that Virginia has recognized as creating fiduciary duties, and the Court does not anticipate that the Supreme Court of Virginia would extend the doctrine to fit the facts alleged. Defendant’s acceptance of PII, in the manner alleged here, did not generate a
new fiduciary duty. For all these reasons, the Court concludes that Plaintiffs have failed
to state a plausible claim for breach of a fiduciary duty. iv. Breach of Implied Contract and Unjust Enrichment Two types of implied contracts are recognized in Virginia: implied-in-fact contracts and implied-in-law contracts. Spectra-4, LLP v. Uniwest Com. Realty, Inc., 772 S.E.2d 290, 293 (Va. 2015) (citing City of Norfolk v. Norfolk Cnty., 91 S.E. 820, 822 (Va. 1917)). “Implied-in-fact contracts are no different from express contracts except that,
instead of ‘all of the terms and conditions being expressed between the parties, some of the terms and conditions are implied in law from the conduct of the parties.”” Jd.
(cleaned up) (quoting Hendrickson v. Meredith, 170 S.E. 602, 605 (Va. 1933)). “Like an
express contract, an implied-in-fact contract is created only when the typical requirements to form a contract are present, such as consideration and mutuality of assent.” Id. at 295 (citing City of Norfolk, 91 S.E. at 821-22). Consequently, a plaintiff claiming breach of an implied-in-fact contract must establish “(1) a legally enforceable obligation of a defendant to a plaintiff; (2) the defendant’s violation or breach of that obligation; and (3) injury or damage to the plaintiff caused by the breach of obligation.” See Ramos v. Wells Fargo Bank, NA, 770 S.E.2d 491, 493 (Va. 2015); Ulloa
v. OSP, Inc., 624 S.E.2d 43, 48 (Va. 2006). In contrast, “an implied-in-law contract, also known as a ‘quasi-contract,’ is not a
contract at all in the ordinary sense of the word; it is ‘a remedy imposed by the court.”” Doe v. Washington & Lee Univ., 439 F. Supp. 3d 784, 791 (W.D. Va. 2020) (quoting Jn
re Virginia Block, 16 B.R. 771, 774 (W.D. Va. Bankr. 1982)). This implied-in-law contract is used to rectify an instance of unjust enrichment. James G. Davis Constr. Corp. v. FTJ, Inc., 841 S.E.2d 642, 647 (Va. 2020); T. Musgrove Constr. Co., Ine. v. Young, 840 S.E.2d 337, 341 n.3 (Va. 2020). As Virgina courts have explained, “‘Unjust enrichment is an implied contract action based upon the principle that one person . . .
may not enrich himself unjustly at the expense of another.” Tran v. Indus. Dev. Auth. of Town of Front Royal, No. 0277-23-4, 2024 WL 4439029, at *8 (Va. Ct. App. Oct. 8, 2024) (quoting CGI Fed. Inc. v. FCi Fed., Inc., 814 S.E.2d 183 (Va. 2018)). The
1A
elements of such a claim are “(1) ‘[plaintiff] conferred a benefit on [defendant]; (2) [defendant] knew of the benefit and should reasonably have expected to repay [plaintiff]; and (3) [defendant] accepted or retained the benefit without paying for its value.” T. Musgrove Constr. Co., 840 S.E.2d at 341 (alterations in original) (quoting Schmidt v. Household Fin. Corp., □□□ 661 8.E.2d 834 (Va. 2008)). Here, Plaintiffs have alleged the minimum facts necessary to support an implied- in-fact contract claim. According to the Amended Complaint, Defendant and Plaintiffs
came to an agreement that was supported by consideration. Plaintiffs provided application fees and their PII to VUU, and in exchange, VUU promised to (1) process the Plaintiffs’ applications, (2) protect their PII from unauthorized persons, and (3) provide Plaintiffs with prompt notice if their PII was compromised. (Am. Compl. {fj 181-201.) Plaintiffs allege Defendant breached this contract in two primary ways: first, by failing to provide Plaintiffs prompt notice of the Data Breach, (Jd. {| 193-97); and second, by failing to safeguard their PI]—or to even comply with industry standards and legal obligations that would help protect that information. (/d.) Finally, Plaintiffs allege facts showing Defendant’s breach of this agreement caused their PII to be published to third
parties—or that it will be so published in the imminent future. (Ud. {] 58, 193-97.) Therefore, taking their factual allegations as true, Plaintiffs have sufficiently stated a claim for breach of an implied-in-fact contract. Plaintiffs clarify that their unjust enrichment claim “is pleaded in the alternative to the breach of implied contract claim.” (Am. Compl. § 220.) Under Count VI, “Unjust Enrichment,” the Amended Complaint makes threadbare allegations that “Defendant
benefitted from using their PII to provide services.” (Jd. 221.) Defendant aptly points out, however, that these services (such as processing the prospective students’ applications) are exactly what Plaintiffs sought for themselves when they voluntarily provided their PII to VUU. (Mem. in Supp. Rule 12(b)(6) Mot. at 13-14.) In contrast, Plaintiffs do not explain how their PII allowed Defendant to provide greater or better services—beyond the bare services Plaintiffs themselves requested. See Brooks v. Peoples Bank, 732 F. Supp. 3d 765, 782 (S.D. Ohio 2024) (“Plaintiffs do not explain how Limestone benefited from Plaintiffs’ PII. For example, Plaintiffs do not allege that Limestone used or sold PII for a profit.”). Plaintiffs have also failed to allege what
amount of value their PII contributed to Defendant. See id. These allegations are insufficient to sustain a claim for unjust enrichment or breach of an implied-in-law contract. See e.g., City of Norfolk, 91 S.E. at 825 (“The fiction of an implied promise will
not be indulged in every case, but only where, in equity and good conscience, the duty to make such a promise exists.”). The Amended Complaint does, however, present an alternative theory for how Defendant unjustly benefited. Plaintiffs allege that a portion of the funds they paid Defendant were for adequate security measures for their PII. (/d. J] 25-35, 183.) In addition, the Amended Complaint states, “Defendant enriched itself by saving the costs
. they reasonably should have expended on data security measures.” (Am. Compl. { 224.) Defendant knew about this benefit because, as the Plaintiffs allege, “Defendant agreed to protect and not disclose the PII to unauthorized persons.” (/d. 4 186.) Plaintiffs further allege Defendant failed to repay this benefit because they failed to provide a reasonable
1K
level of security for their PII. (/d. 225.) Under these circumstances, the Court finds that Plaintiffs have pled an adequate claim for unjust enrichment as an alternative to their implied-in-fact contract claim.
v. Declaratory Judgment To state a claim for relief under the federal Declaratory Judgment Act, 28 U.S.C. § 2201, Plaintiffs must adequately allege a dispute that is: (1) “definite and concrete, touching the legal relations of parties having adverse legal interests;” (2) “real and substantial;” and (3) “admit[ting] of specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts.” MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 127 (2007) (quoting Aetna Life Ins. Co. of Hartford, Conn. v. Haworth, 300 U.S. 227, 239 (1937)). In that regard, “‘not .. . the brightest of lines’ separates cases that satisfy the statutory jurisdictional requirements and those that do not.” In re Capital One, 488 F. Supp. 3d at 414 (quoting Med/mmune, Inc., 549 U.S. at 127). The central question, however, is whether ““‘the facts alleged, under all the circumstances, show that there is a substantial controversy, between parties having adverse legal interests, of sufficient immediacy and reality to warrant the issuance of a declaratory judgment.’” MedImmune, Inc., 549 U.S. at 127 (quoting Md. Cas. Co. v. Pac. Coal & Oil Co., 312 U.S. 270, 273 (1941)). Here, Plaintiffs argue that, given the facts alleged, it is too early in the case to dismiss their declaratory judgment claim. Plaintiffs contend, first, that their PII was placed at risk due to Defendant’s inadequate cybersecurity measures, and second, that
they face continued and increased harm from misuse of their PII if Defendant does not increase its cybersecurity protections. (Am. Compl. {§ 107-116, 229-37.) To address this concern, Plaintiffs seek “[i]njunctive relief requiring Defendant to use adequate security consistent with industry standards.” (/d. | 233.) Defendant’s position is that all of Plaintiffs’ other claims must be dismissed, and thus, no viable dispute will remain to
support a claim for declaratory judgment. (Mem. in Supp. Rule 12(b)(6) Mot. at 15.) The Court finds that it would be premature to dismiss Plaintiffs’ request for declaratory judgment at this stage. Contrary to Defendant’s argument, some of Plaintiffs’ primary claims are sufficient to overcome the Rule 12(b)(6) Motion (as the Court discussed above). Plaintiffs have plausibly alleged that there remains a dispute over the security of Plaintiffs’ PII, a copy of which remains in Defendant’s possession. (/d. 166, 231, 234-37.) Furthermore, Plaintiffs have plausibly alleged that a continued inadequacy of Defendant’s security measures leaves Plaintiffs with a substantial risk of future harm if these alleged shortcomings are not rectified. (/d.) In short, the dispute between the parties is sufficiently real and immediate. See MedImmune, 549 U.S. at 127; In re Capital One, 488 F. Supp. 3d at 414-15. Therefore, the Court will deny Defendant’s Rule 12(b)(6) motion as to Plaintiffs’ claim for Declaratory Judgment. IV. CONCLUSION For the aforementioned reasons, Defendant’s Motion to Dismiss for Lack of Subject Matter Jurisdiction Under Rule 12(b)(1) (ECF No. 20) will be denied. Defendant’s Motion to Dismiss under Rule 12(b)(6) (ECF No. 18) will be granted in part and denied in part. The Court will dismiss Count II (Negligence per se), Count IV
1Q
(Breach of Fiduciary Duty), and the portion of Count VI (Unjust Enrichment) that relies
on the allegation that Defendant benefited merely from accepting, retaining, and processing Plaintiffs’ PII. The Court will deny the Rule 12(b)(6) Motion as to Count |
(Negligence), Count III (Breach of Implied Contract), Count VII (Declaratory Judgment), and the portion of Count VI that relies on the allegation that a portion of the application fees were paid to ensure reasonable cybersecurity measures for the Plaintiffs’ PI.
An appropriate Order will accompany this Memorandum Opinion.
M+ AHS Henry E. Hudson Senior United States District Judge Date: Febroary 272025 Richmond, Virginia