Miller v. Syracuse University

• Court: District Court, N.D. New York
• Decided: March 20, 2023
• Docket: 5:21-cv-01073
• Status: Unknown

Opinion

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF NEW YORK

TREVOR MILLER, individually and on behalf of all others similarly situated,

Plaintiff,

-against- 5:21-CV-1073 (LEK/TWD)

SYRACUSE UNIVERSITY,

Defendant.

MEMORANDUM-DECISION AND ORDER I. INTRODUCTION Plaintiff Trevor Miller, on behalf of himself and others similarly situated, commenced this class action against Defendant Syracuse University, on September 2, 2021, in the New York Supreme Court, County of Onondaga. Dkt. No. 2 (“Complaint”). On September 29, 2021, Defendant removed this action to federal court, asserting federal jurisdiction under the Class Action Fairness Act of 2005 (“CAFA”), codified in pertinent part at 28 U.S.C. § 1332(d). Dkt. No. 1 (“Notice of Removal”) ¶ 1. To date, Plaintiff has not moved the Court to remand this action back to state court, and has not contested federal jurisdiction under the CAFA. See generally Dkt. No. 16 (“Stipulation and Order to Extend Defendant’s Responsive Pleading Deadline”); Dkt. No. 25 (“Plaintiff’s Response to Defendant’s Motion”); Dkt. No. 32 (“Plaintiff’s Supplemental Memorandum”). Now before the Court is Defendant’s Motion to Dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). Dkt. No. 22 (“Motion”). For the reasons that follow, the Court finds that it has subject matter jurisdiction over the action, and grants, in part, and denies, in part, Defendant’s Motion. II. BACKGROUND A. Plaintiff’s Complaint According to the Complaint, “Plaintiff is a student at [Defendant] Syracuse University.” Compl. ¶ 2. “As a condition of [his] attendance, Plaintiff was required to and did supply

Sensitive Information to Defendant, including, but not limited[] to[,] his Social Security Number, date of birth, financial information, and other personal private data,” all of which “can be used to perpetrate identify theft . . . .” Id. ¶¶ 1–2. Plaintiff provided this Sensitive Information while relying on “Defendant’s representations that Defendant would protect [it].” Id. ¶ 32. For instance, Plaintiff highlights “Defendant’s Privacy Policy” as one of these representations, which “explicitly states that outside of [certain] enumerated circumstances: ‘we will treat your personal data as private and will not disclose it to third parties without your knowledge.’” Id. ¶ 35 (quoting Defendant’s Privacy Policy). “Unbeknownst to Plaintiff,” and contrary to Defendant’s representations, “Defendant did not have sufficient cyber-security procedures and policies in place to safeguard the Sensitive

Information it possessed.” Id. ¶ 3. “As a result, cybercriminals were able to gain access to at least one of Defendant’s employee email accounts between approximately September 24, 2020[,] and September 28, 2020, following a successful ‘phishing’ attempt that Defendant’s employees failed to identify or adequately safeguard against . . . .” Id. Because of this Data Breach, cybercriminals were able to “gain[] access to approximately 9,800 Class Members’ Sensitive Information, including Plaintiff’s, stored in that [employee] email account (the ‘Data Breach’).” Id. Plaintiff defines the “Class” as: “All persons whose Sensitive Information, provided to Defendant as part of their application to or enrollment at Syracuse University, was exposed to unauthorized access by way of the [D]ata [B]reach of Defendant’s computer system on or about September 24, 2020.” Id. ¶ 43. “Despite becoming aware of the Data Breach on or about September 28, 2020, Defendant only notified Plaintiff and members of the Class that its systems had been breached and that their

Sensitive Information was compromised in February 2021—more than four months after Defendant learned that the Data Breach occurred.” Id. ¶ 28. In February 2021, “Defendant [then] sent letters to Plaintiff and other Class members advising them that their Sensitive Information had been subject to unauthorized access and had been compromised or on about September 24, 2020 . . . .” Id. ¶ 29. In the letter, Defendant “offered only a single year of credit monitoring through Experian IdentityWorks, and only for individuals who signed up for such monitoring by April 4, 2021.” Id. According to Plaintiff, this “window of opportunity to claim these services” was “unreasonably short . . . .” Id. ¶ 41. Moreover, the letter did not contain “any offer of compensation for out-of-pocket losses which the Class has and foreseeably will sustain— including, but not limited to, time spent to rectify any and all harms that resulted from the Data

Breach.” Id. ¶ 42. Several months later, “on or about July 13, 2021,” “Plaintiff learned of an unauthorized charge on his Chase Bank checking account . . . .” Id. ¶ 4. This incident “required Plaintiff to suspend and cancel his debit card and to take the time to personally go to a Chase Bank branch location to have a replacement card issued.” Id. As a result, “[f]or over a week, Plaintiff did not have access to a functional debit card . . . .” Id. In order “to redress Defendant’s unlawful disclosure of the Sensitive Information of all persons affected by this Data Breach,” id. ¶ 6, Plaintiff initiated a class action lawsuit against Defendant in the New York Supreme Court, County of Onondaga, on September 2, 2021. See Compl. In his Complaint, Plaintiff raised several causes of action grounded in New York state law. Compl. ¶¶ 59–119. Plaintiff’s first cause of action is for “negligence in the handling of Plaintiff’s and the Class’ sensitive information.” Id. ¶¶ 59–75. Plaintiff alleges that: [A]s a direct and proximate result of [this] negligence . . . Plaintiff and members of the Class have been injured by, among other things; (1) the loss of the opportunity to control how their Sensitive Information is used; (2) diminution of value and the use of their Sensitive Information; (3) compromise, publication and/or theft of [their] Sensitive Information; (4) out-of-pocket costs associated with the prevention, detection and recovery from identity theft and/or unauthorized use of financial and medical accounts; (5) lost opportunity costs associated with their efforts expended and the loss of productivity from addressing as well as attempting to mitigate the actual and future consequences of the breach including, but not limited to, efforts spent researching how to prevent, detect, and recover from identity data misuse; (6) costs associated with the ability to use credit and assets frozen or flagged due to credit misuse, including complete credit denial and/or increased cost of . . . the use of credit, credit scores, credit reports, and assets; (7) unauthorized use of compromised Sensitive Information to open new financial and/or healthcare and/or medical accounts; (8) tax fraud and/or other unauthorized charges to financial, healthcare or medical accounts and associated lack of access to funds while proper information is confirmed and corrected and/or imminent risk of the foregoing; (9) continued risks to their Sensitive Information, which remains in the Defendant’s possession and may be subject to further breaches so long as Defendant fails to undertake appropriate and adequate measures to protect the Sensitive Information in its possession; and (10) future costs in terms of time, effort and money that will be spent trying to prevent, detect, contest and repair the effects of the Sensitive Information compromised as a result of the Data Breach as a remainder of the Plaintiff’s and Class Members’ lives.

Id. ¶ 74. Plaintiff’s second cause of action is for “breach of express contract.” Id. ¶¶ 76–80. Plaintiff asserts that “Defendant’s failure to protect Class Members’ Sensitive Information constitutes a material breach of the terms of the agreement by Defendant as reflected . . . in its Privacy Policy,” id. ¶ 78, and “other written agreements with Defendant as part of, and as a precondition to, application to and enrollment at Syracuse University,” id. ¶ 77. Because of these breaches, “Plaintiff and Class Members have been irreparably harmed.” Id. ¶ 79. Plaintiff’s third cause of action is for “breach of implied contract.” Id. ¶¶ 81–91. Plaintiff states that “Plaintiff and the Class would not have provided and entrusted their Sensitive

Information to Defendant [in exchange for Defendant’s services] in the absence of the implied contract between them and Defendant to keep the information secure.” Id. ¶ 87. “Defendant breached its implied contracts with Plaintiff and the Class by failing to safeguard and protect their Sensitive Information and by failing to provide timely and accurate notice that their personal information was compromised as a result of the Data Breach.” Id. ¶ 89. Because of these breaches, “Plaintiff and the Class sustained actual losses and damages as described [throughout the Complaint].” Id. ¶ 90. Plaintiff’s fourth cause of action is for “violation of New York General Business Law § 899-AA,” id. ¶¶ 92–97, which provides that: Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the integrity of the system.

N.Y. Gen. Bus. Law (“GBL”) § 899-aa(2). Plaintiff alleges that “Defendant, in delaying four months to notify the Plaintiff and members of the Class of the Data Breach, violated” this state law, Compl. ¶ 96, and that this “delay in providing notification” resulted in compensable damages, id. ¶ 97. Plaintiff’s fifth cause of action is for “violation of New York General Business Law § 349,” id. ¶¶ 98–105, which prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state . . . .” GBL § 349(a). In addition to the negligent practices described above, Plaintiff also claims that “Defendant

knowingly and deceptively misrepresented that it would maintain adequate data privacy and security practices and procedures to safeguard the Sensitive Information from unauthorized disclosure, release, data breaches, and theft . . . .” Compl. ¶ 99(c). Plaintiff adds that “Defendant knowingly and deceptively misrepresented that it would comply with the requirements of relevant federal and state laws pertaining to the privacy and security of Sensitive Information . . . .” Id. ¶ 99(d). As a result, “Plaintiff and other Class Members suffered injury and/or damages, including, but not limited to, time and expenses related to monitoring their financial accounts for fraudulent activity, an increased, imminent risk of fraud and identity theft, and loss of value of their Sensitive Information.” Id. ¶ 100. Plaintiff’s sixth cause of action for intrusion upon seclusion has since been withdrawn,1

and he frames his seventh and final “cause of action” as an “injunction under CPLR Article 63,” which constitutes New York’s rules on the granting of preliminary injunctions. See N.Y. C.P.L.R. § 6301. Specifically, “Plaintiff seeks an injunction from this Court compelling Defendant to implement cyber-security policies and procedures equal to or better than industry standards.” Compl. ¶ 116. With respect to his earlier “First, Second, Third, Fourth, [and] Fifth . . . Causes of Action,” Plaintiff demands, among other things, “actual damages, compensatory damages, and punitive damages . . . .” Id. at 26.

1 Plaintiff initially brought a cause of action for “Intrusion Upon Seclusion,” but Plaintiff “mislabeled [the claim] as Injunctive Relief” in his Complaint. Pl.’s Resp. to Def.’s Mot. at 1 n.2. Plaintiff has since indicated to the Court that he “is withdrawing” that claim. Id. B. Procedural History After Plaintiff initiated suit in state court, Defendant removed the action to this Court, and then moved to dismiss the Complaint for failure to state a claim upon which relief may be granted under Rule 12(b)(6). See Mot. In its opening memorandum of law in support of the

Motion, Defendant claimed it was “not challenging Plaintiff’s Article III standing[,]” and that “it [was only] challenging whether Plaintiff has sufficiently alleged cognizable injury as an element of his causes of action.” Dkt. No. 22-1 (“Defendant’s Memorandum”) at 7. But in its Reply, Defendant appeared to suggest that Plaintiff’s claims should be dismissed for lack of standing. See Dkt. No. 26 (“Defendant’s Reply”) at 2–3. For instance, in its Reply, Defendant relied extensively on Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 367–68 (M.D. Pa. 2015), to advocate for dismissal of Plaintiff’s claims. In that case, various plaintiffs brought suit against their employers’ payroll provider and sought “to recover damages allegedly sustained after [the] provider was subjected to a cyber-attack in which [their] confidential information was allegedly accessed by a third-party.” Id. at 359. The district court in Storm found that the plaintiffs lacked

Article III standing and dismissed their suit. Id. at 367–69. After excerpting more than 250 words from the court’s opinion in Storm that explained why plaintiffs’ claims in that case must be dismissed for lack of standing, Defendant asserted: “This Court should reach the same conclusion and similarly dismiss Plaintiff’s claims here.” Def.’s Reply at 3. Defendant also filed a Notice of Supplemental Authority that raised doubts about Plaintiff’s standing. Dkt. No. 27. In this supplemental filing, Defendant “inform[ed] the Court of a recent decision by the U.S. District Court for the Southern District of New York, Aponte v. Northeast Radiology, P.C., No. 21-CV-5883, 2022 WL 1556043 (S.D.N.Y. May 16, 2022).” Notice of Suppl. Authority at 1. Defendant represented that the court in Aponte “dismissed the action in its entirety” “‘because plaintiffs d[id] not allege that they ha[d] suffered, or w[ould] imminently suffer, an injury-in-fact[.]’” Id. at 2 (quoting Aponte, 2022 WL 1556043, at *5). Defendant then argued that “[b]ecause Plaintiff . . . makes substantially similar arguments and [Defendant] has stated substantially similar defenses in this case as plaintiffs and defendants in

Aponte,” this Court should “consider [Aponte as] supplemental authority in further support of [Defendant’s] Motion to Dismiss.” Notice of Suppl. Authority at 3. Defendant’s arguments presented a problem for the Court, because “[a] party seeking removal bears the burden of showing that federal jurisdiction is proper.” Montefiore Med. Ctr. v. Teamsters Local 272, 642 F.3d 321, 327 (2d Cir. 2011). Here, by “cast[ing] doubt on Plaintiff’s standing in its papers,” Dkt. No. 28 (“October 2022 Order”) at 6, Defendant necessarily suggested that this Court did not have subject matter jurisdiction over the action that Defendant removed to this Court. See generally Lujan v. Defs. of Wildlife, 504 U.S. 555, 559–60 (1992) (noting that standing “is an essential and unchanging part of the case-or-controversy requirement of Article III”).

Given the above, the Court “reserve[d] judgment on the Motion until further notice, and order[ed] Defendant to file a memorandum of law . . . addressing whether Plaintiff has standing for each claim he seeks to press in federal court . . . .” October 2022 Order at 1–2; see also id. at 5–6 (observing that “there is little guidance from the Second Circuit on how to address a removing defendant who merely casts doubt on a court’s jurisdiction without expressly challenging it through a Rule 12(b)(1) motion to dismiss”). The Court also requested Defendant to “address whether dismissal or partial remand [would be] warranted if this Court [were] ultimately [to] find[] that Plaintiff has standing to pursue some of his claims, but not others, in federal court.” Id. at 2. The Court added: “If Defendant does not wish to take a definitive position on Plaintiff’s standing [and thus the Court’s jurisdiction] in this memorandum, then Defendant should brief the Court on whether this burden failure, alone, warrants remand under 28 U.S.C. § 1447(c).” Id.; cf. Zhirovetskiy v. Zayo Group, LLC, No. 17-CV-5876, 2018 WL 11195494, at *2 (N.D. Ill. Mar. 7, 2018) (remanding an action after the removing defendant

“undermine[d] standing” in its Rule 12(b)(6) papers); Dixon v. Washington & Jane Smith Cmty.- Beverly, No. 17-CV-8033, 2018 WL 2445292, *7–10 (N.D. Ill. May 31, 2018) (declining to adopt Zhirovetskiy’s burden-failure approach in response to a similar set of procedural facts, then proceeding to find that the plaintiff had Article III standing sufficient to confer jurisdiction). Defendant filed its Supplemental Memorandum of Law on November 10, 2022. In the filing, Defendant has clarified that “Plaintiff . . . has standing to assert his claims,” but adds that Plaintiff’s “allegations that are sufficient to confer Article III standing do not meet the higher threshold necessary to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6).” Def.’s Suppl. Mem. at 1 (emphasis in original). In the same filing, Defendant also states that “[i]t was not [Defendant’s] intention to conflate the two standards when relying on Article III standing

cases as persuasive authority in support of its arguments to dismiss for failure to state damages . . . .” Def.’s Suppl. Mem. at 1. To support Plaintiff’s standing, and in turn, this Court’s jurisdiction over the matter, Defendant primarily points to the Second Circuit’s decision in McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021), which, according to Defendant, “created a ‘non- exhaustive’ three-part test to determine whether a plaintiff has alleged an injury-in-fact sufficient for standing in a data breach case.” Def.’s Suppl. Mem. at 3. According to Defendant, Plaintiff’s “allegations in the Complaint satisfy the Second Circuit’s McMorris factors.” Id. at 4. In the supplemental filing, Defendant also asserts that “[i]f . . . the Court is certain Plaintiff’s allegations do not suffice to meet the standing requirements for some or all of his claims, remand of the entire action is warranted under 28 U.S.C. § 1447(c).” Def.’s Suppl. Mem. at 12 (citing Zanotti v. Invention Submission Corp., No. 18-CV-5893, 2020 WL 2857304, at *9

(S.D.N.Y. June 2, 2020)). Defendant argues that partial remand is only appropriate “where standing is lacking as to claims asserted by some parties but not others, or when a separate, independent claim (such as a claim evoking federal question jurisdiction) provides the Court with another basis for subject matter jurisdiction,” Def.’s Suppl. Mem. at 12 (citations omitted), and that “[n]one of those unique situations is presented here,” id. at 13. “Accordingly, partial remand in this instance is unwarranted and could result in piecemeal, parallel litigation which could lead to conflicting judgments and a ‘further waste of judicial resources.’” Id. (citing Zanotti, 2020 WL 2857304, at *12–13). The rest of Defendant’s Supplemental Memorandum of Law further argues in support of its initial Motion to Dismiss for failure to state a claim under Rule 12(b)(6). See Def.’s Suppl. Mem. at 6–11.

In his Supplemental Response, Plaintiff agrees with Defendant that Plaintiff has adequately “allege[d] an injury-in-fact sufficient to confer Article III standing,” Pl.’s Suppl. Resp. at 1, and does not address “whether dismissal or partial remand [would be] warranted if this Court ultimately finds that Plaintiff has standing to pursue some of his claims, but not others, in federal court.” October 2022 Order at 2. Instead, Plaintiff devotes nearly all of his Supplemental Response opposing the arguments Defendant has advanced in further support of its Motion to Dismiss for failure to state a claim under Rule 12(b)(6). See generally Pl.’s Suppl. Resp. In its Supplemental Reply, Defendant asserts that Plaintiff in Reply plainly “ignore[d] the Court’s specific questions for supplemental briefing,” and “[i]nstead . . . merely reargues his opposition to [Defendant’s] Motion to Dismiss on the merits.” Def.’s Suppl. Reply at 1. Here, now that Defendant has clarified its position on the jurisdictional issue of standing, and both parties have been given the opportunity to “ma[k]e known [their] position[s] on

whether partial remand or dismissal is appropriate in the event that this Court ultimately finds that Plaintiff lacks standing to pursue some, but not all, of his claims in federal court,” October 2022 Order at 10, the Court proceeds to the threshold question of Plaintiff’s standing, and whether the Court has subject matter jurisdiction over the action. See In re World Trade Ctr. Lower Manhattan Disaster Site Litig., 892 F.3d 108, 111 (2d Cir. 2018) (finding that an issue was ripe for decision only after supplemental briefing); Robinson v. Wentzell, No. 18-CV-0274, 2019 WL 1207858, at *3 (D. Conn. Mar. 14, 2019) (recounting how the court previously “requested supplemental briefing” on standing). III. SUBJECT MATTER JURISDICTION A. Standing

1. Legal Standard “Article III, Section 2 of the [United States] Constitution limits the subject-matter jurisdiction of the federal courts to ‘Cases’ and ‘Controversies.’” SM Kids, LLC v. Google LLC, 963 F.3d 206, 211 (2d Cir. 2020) (citing Dhinsa v. Krueger, 917 F.3d 70, 77 (2d Cir. 2019)). “The standing doctrine, which emerges from Article III, is designed ‘to ensure that federal courts do not exceed their authority as it has been traditionally understood.’” SM Kids, 963 F.3d at 211 (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)). Given that standing is an essential element of federal subject matter jurisdiction, see Lujan, 504 U.S. at 559–60, it follows that if “a plaintiff lacks standing to bring suit, a court has no subject matter jurisdiction over the case.” In re U.S. Catholic Conf., 885 F.2d 1020, 1023 (2d Cir. 1989). “Demonstrating that the defendant’s allegedly unlawful conduct caused injury to the plaintiff herself is . . . generally an essential component of Article III standing.” Mahon v. Ticor Title Ins. Co., 683 F.3d 59, 62 (2d Cir. 2012).2 Furthermore, “a plaintiff must demonstrate

standing for each claim he seeks to press.” DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 335 (2006). “Thus, with respect to each asserted claim, ‘[a] plaintiff must always have suffered a distinct and palpable injury to [her]self.’” Mahon, 683 F.3d at 64 (alterations and emphasis in original) (quoting Gladstone Realtors v. Vill. of Bellwood, 441 U.S. 91, 100 (1979)). “That a suit may be a class action . . . adds nothing to the [threshold] question of standing, for even named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.”

Lewis v. Casey, 518 U.S. 343, 357 (1979) (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 40 n.20 (1976)). To satisfy standing, “[t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 578 U.S at 338. An injury-in-fact is “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Id. at 339. This is “a low threshold which helps to ensure that the plaintiff has a personal stake in the outcome of the controversy.” John v. Whole Foods Mkt. Grp., Inc., 858 F.3d 732, 736 (2d Cir. 2017).

2 As the Mahon court noted, “[t]here are various exceptions to this general principle,” 683 F.3d at 62 (citing Powers v. Ohio, 499 U.S. 400, 410–11 (1991) (discussing third-party standing)), but such exceptions are not directly relevant to this case. To be concrete, an injury “must actually exist.” Spokeo, 578 U.S. at 340. Further, an injury-in-fact must bear a “close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts—such as physical harm, monetary harm, or various intangible harms.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2200 (2021). “Regarding

statutory harms, it is not enough to allege a defendant violated the statute; ‘[o]nly those plaintiffs who have been concretely harmed by a defendant’s statutory violation’ will have standing.” Rand v. Travelers Indemnity Co., No. 21-CV-10744, 2022 WL 15523722, at *3 (S.D.N.Y. Oct. 27, 2022) (emphasis in original) (quoting TransUnion, 141 S. Ct. at 2205). “Any monetary loss suffered by the plaintiff satisfies [the injury-in-fact] element; even a small financial loss suffices.” Carter v. HealthPort Techs., LLC, 822 F.3d 47, 55 (2d Cir. 2016). “In the data breach context, the time and money spent to respond to a data breach may satisfy the injury-in-fact requirement.” Rand, 2022 WL 15523722, at *3 (citing Rudolph v. Hudson’s Bay Co., No. 18-CV-8472, 2019 WL 2023713, at *6–7 (S.D.N.Y. May 7, 2019)). Some courts have even held that the very “exposure to the risk of identity theft causes concrete injury,” because “a

data breach exposing and disclosing [personal] information to third parties without authorization or consent could plausibly be offensive to a reasonable person,” which is “analogous to [the harm] with the common-law tort of public disclosure of private information.” Bohnak v. Marsh & McLennan Cos., Inc., 580 F. Supp. 3d 21, 29–30 (S.D.N.Y. 2022); see also Rand, 2022 WL 15523722, at *4 (citing positively to Bohank on this point but adding that that the exposure must be “sufficiently ‘public’” and “offensive” (citing TransUnion LLC, 141 S. Ct. at 2209)); but see In re Practicefirst Data Breach Litigation, No. 21-CV-0790, 2022 WL 354544 (W.D.N.Y. Feb. 2, 2022), at *7 n.10 (declining to follow Bohnak on this point, in part because the common-law tort typically requires willful disclosure and publication of a plaintiff’s confidential information). In addition, the “expenses ‘reasonably incurred to mitigate [the] risk’ of identity theft in the future may also qualify as an injury-in-fact, but only if the plaintiff plausible alleges a substantial risk of the future identify theft.” Rand, 2022 WL 15523722, at *3 (alterations and emphasis in original) (quoting McMorris, 995 F.3d at 303). To determine whether a plaintiff

plausibly alleges a substantial risk of future identity theft, the Second Circuit has endorsed several factors to consider: (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

McMorris, 995 F.3d at 303. “Conversely, when plaintiffs ‘[do] not allege[] a substantial risk of future identity theft,’ based on the factors discussed above, ‘the time they spent protecting themselves against this speculative threat cannot create an injury.’” Rand, 2022 WL 15523722, at *3 (alterations in original) (quoting McMorris, 995 F.3d at 303). The Rand court observed that “McMorris, decided before TransUnion, suggested that a sufficiently imminent risk of identity theft, standing alone, could constitute injury-in-fact, even in a suit for damages.” Rand, 2022 WL 15523722, at *4 n.2 (citation omitted). But “TransUnion appears to have ‘abrogated this holding in suits for damages by requiring both an imminent risk of future harm and a concrete injury related to the risk.’” Rand, 2022 WL 15523722, at *4 n.2 (citation omitted). “Nevertheless,” the Rand court still found that “McMorris’s three-factor test is still instructive for determining whether the risk of injury is imminent, which remains part of the requirement for standing in suits for both damages and injunctive relief, pursuant to TransUnion.” Rand, 2022 WL 15523722, at *4 n.2. As for the traceability prong, standing requires “a causal connection between the injury and the conduct complained of.” Lujan, 504 U.S. at 560. While a plaintiff’s injury must be “fairly traceable” to a defendant’s actions, the causal connection element of standing “does not create an onerous standard. For example, it is a standard lower than that of proximate causation.”

Carter, 822 F.3d at 55 (citing Rothstein v. UBS AG, 708 F.3d 82, 91–92 (2d Cir. 2013)). “A defendant’s conduct that injures a plaintiff but does so only indirectly, after intervening conduct by another person, may suffice for Article III standing.” Carter, 822 F.3d at 55–56 (citing Rothstein, 708 F.3d at 91). The third prong of redressability refers to a “non-speculative likelihood that the injury can be remedied by the requested relief.” Guan v. Mayorkas, 530 F. Supp. 3d 237, 262–63 (E.D.N.Y. 2021) (quoting W.R. Huff Asset Mgmt. Co., LLC v. Deloitte & Touche LLP, 549 F.3d 100, 106–07 (2d Cir. 2008)). “Plaintiffs’ injuries are redressable if their requested relief can compensate them for their losses or eliminate any effects caused by the defendants’ challenged conduct.” Guan, 530 F. Supp. 3d at 263 (cleaned up).

Given that the redressability analysis hinges on a plaintiff’s requested relief, it follows that “a plaintiff must demonstrate standing . . . for each form of relief that is sought.” Town of Chester, N.Y. v. Laroe Estates, Inc., 581 U.S. 433, 439 (2017) (quoting Davis v. Federal Election Comm’n, 554 U.S. 724, 734 (2008)). In the context of a data breach that occurred in the past, a plaintiff seeking injunctive relief to prevent future harm from that breach may plausibly allege an injury-in-fact for standing purposes if she demonstrates “the risk of [future] harm is sufficiently imminent and substantial.” TransUnion, 141 S. Ct. at 2210 (citations omitted). However, “in a suit for [monetary relief], the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210–11 (emphasis in original). 2. Application The Court begins its standing analysis with Plaintiff’s first, second, third, fourth, and fifth

causes of action to the extent they seek relief in the form of monetary damages. Plaintiff claims that Defendant’s unlawful conduct giving rise to these claims caused injury to Plaintiff in several different forms, for which Plaintiff demands “actual damages, compensatory damages, and punitive damages . . . .” Id. at 26. For instance, Plaintiff alleges that because of Defendant’s “inadequate security against unauthorized intrusions . . . cybercriminals breached Defendant’s computer systems . . . [which] resulted in the criminals unlawfully obtaining access to [his] Sensitive Information, including [his] identity and Social Security Number[].” Compl. ¶ 19. As a result, Plaintiff’s Sensitive Information has been “compromise[d],” and Plaintiff has “los[t] . . . the opportunity to control how [his] Sensitive Information is used . . . .” Id. ¶ 74. Given these allegations, the Court finds that for the purposes of Article III standing,

Plaintiff has sufficiently “alleged an intangible concrete injury, analogous to that associated with the common-law tort of public disclosure of private information . . . .” Bohnak, 580 F. Supp. 3d at 30. As the Supreme Court recognized in TransUnion, “[v]arious intangible harms can . . . be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” 141 S. Ct. at 2204 (citations omitted). Such injuries “include . . . disclosure of private information . . . .” Id. (citations omitted). At the same time, the “close historical or common-law analogue for the[] asserted injury[]” need not be “an exact duplicate . . . .” Id. Plaintiff’s allegation that Defendant’s conduct resulted in the exposure of Sensitive Information, including his Social Security Number, to cybercriminals is “plausibly . . . offensive to a reasonable person,” which is a key element of the common-law tort of public disclosure of private information. Bohnak, 580 F. Supp. 3d at 29–30. And while one might dispute whether the

disclosure of Plaintiff’s Sensitive Information to cybercriminals is “sufficiently ‘public’ under the tort . . . the common-law analogue need not be an ‘exact duplicate.’” Rand, 2022 WL 15523722, at *4 (quoting Restatement 2d of Torts § 652D and TransUnion, 141 S. Ct. at 2204). According to the Second Restatement of Torts, “publicity” under the common-law tort means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge. The difference is not one of the means of communication, which may be oral, written or by any other means.

Rest. 2d § 652D. While it may not be “substantially certain” that Plaintiff’s Sensitive Information will “become . . . public knowledge” because of the Data Breach, it is certainly possible. Moreover, it is clear that Plaintiff’s Sensitive Information “is not of legitimate concern to the public”—another element of the common-law tort. Rest. 2d § 652D; see also Bohnak, 580 F. Supp. 3d at 30 (finding that personal identifying information, including Social Security Numbers, are “of not legitimate concern to the public”). To the extent that other courts have criticized analogizing a sensitive data breach with the public disclosure of private information because the tort historically required the showing of a willful disclosure, see, e.g., Practicefirst, 2022 WL 354544, at *7 n.10, this Court also finds that Plaintiff’s allegation that Defendant willfully misrepresented the sufficiency of its data privacy and security practices, despite the well-known risks of cybersecurity threats, is sufficiently analogous to willful disclosure required to state the common-law tort. For instance, Plaintiff alleges that “Defendant clearly knew or should have known of the risks of data breaches and thus should have ensure[d] that adequate protections were in place.” Compl. ¶ 17. Plaintiff adds: “Defendant knowingly and deceptively misrepresented that it would maintain adequate data privacy and security practices and procedures to safeguard the Sensitive Information from

unauthorized disclosure, release, data breaches, and theft . . . .” Compl. ¶ 99(c). The Court recognizes that the above approach—also embraced by the courts in Bohnak and Rand—is a stark departure from the approach of other courts, including the Practicefirst court, which found similar allegations of sensitive data exposure insufficient to establish an injury-in-fact without “demonstrat[ing] any [additional] concrete or particularized injury” arising from the exposure itself. 2022 WL 354544, at *8 (citing Khan v. Children’s National Health System, 188 F. Supp. 3d 524, 533 (D. Md. 2016)). However, the Practicefirst court does not point to any authority within the Second Circuit embracing its narrower view of standing in the context of a mass data breach where cybercriminals access highly sensitive personal identifying information, including Social Security Numbers. See 2022 WL 354544, at *8 (collecting cases

outside the Second Circuit). The Practicefirst court also plainly ignores the Supreme Court’s admonition in TransUnion that the “close historical or common-law analogue for the[] asserted injury[]” need not be “an exact duplicate . . . .” 141 S. Ct. at 2204; see Practicefirst, 2022 WL 354544, at *7–8 (strictly analyzing whether “plaintiffs could plead facts sufficient to allege the tort of public disclosure of private information”). The courts in Bohnak and Rand, on the other hand, expressly account for the Supreme Court’s directive in TransUnion that the “close historical or common-law analogue for the[] asserted injury[]” need not be “an exact duplicate . . . .” 141 S. Ct. at 2204. And while the Supreme Court cautioned in TransUnion that this “is not an open-ended invitation for federal courts to loosen Article III based on contemporary, evolving beliefs about what kinds of suits should be heard in federal courts,” id., the Court here has found sufficiently close similarities between Plaintiff’s injuries and the traditional elements of the common-law tort of public disclosure of private information. It has not abandoned the elements of the common-law analogue in an attempt “to loosen” the strictures of Article III.

While Plaintiff alleges several other injuries-in-fact traceable to Defendant’s conduct giving rise to Plaintiff’s first five causes of action, see, e.g., Compl ¶¶ 4, 74, the Court need not analyze the sufficiency of those allegations since Plaintiff has already shown a distinct injury-in- fact fairly traceable to the conduct of Defendant. Since the accompanying request for monetary relief may “compensate [Plaintiff] for [his] losses or eliminate any effects caused by . . . [Defendant’s] challenged conduct,” Guan, 530 F. Supp. 3d at 263 (cleaned up), Plaintiff has Article III standing to pursue his first five causes of action in federal court. The Court now proceeds to examine whether Plaintiff has standing to pursue his claim for injunctive relief in federal court. To begin, the Court notes that this is not an independent “cause of action,” as Plaintiff suggests in his Complaint, but rather a specific prayer for relief that seeks

to remedy injuries related to the first five causes of action in the Complaint. See Budhani v. Monster Energy Co., 527 F. Supp. 3d 667, 688 (S.D.N.Y. 2021). Specifically, Plaintiff urges this Court to issue an “injunction under CPLR Article 63 . . . compelling Defendant to implement cyber-security policies and procedures equal to or better than industry standards.” Compl. ¶ 116.3

3 While this Court does not have the specific power to issue an injunction pursuant CPLR Article 63, which governs preliminary injunctions issued by New York State courts, it does have the general “power to issue injunctions in suits over which [it] has jurisdiction.” Califano v. Yamasaki, 442 U.S. 682, 705 (1979). This Court also has the specific power to issue preliminary injunctive relief under Federal Rule of Civil Procedure 65(a). So far in this litigation, Plaintiff has not formally moved this Court for the issuance of a preliminary injunction in accordance with the Federal Rules of Civil Procedure or the Local Rules of Practice for the United States District Court for the Northern District of New York. See Docket. Given that “[P]laintiff must demonstrate standing . . . for each form of relief that is sought,” Town of Chester, 581 U.S. at 439 (2017) (quoting Davis, 554 U.S. at 734), Plaintiff must show that he has standing to pursue his requested injunctive relief. Therefore, Plaintiff must show that “the risk of [future] harm” absent the requested injunctive relief “is sufficiently

imminent and substantial.” TransUnion, 141 S. Ct. at 2210. In its original Memorandum of Law in Support of the Motion to Dismiss, Defendant implicitly argued that Plaintiff lacked standing to pursue his requested injunctive relief because “Plaintiff’s allegations do not demonstrate any realistic danger of further ‘disclosure’ of information.” Def.’s Mem. at 25 (citing Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-CV-0014, 2016 WL 6523428, at *8 (S.D. Cal. Nov. 3, 2016)). Defendant pointed out that the Dugas court dismissed a plaintiff’s “claim for injunctive relief” because the plaintiff failed to allege “that he is realistically threatened by a repetition of the” cyber-attack. 2016 WL 6523428, at *8. The plaintiff in Dugas also failed to show how “an order requiring [the] [d]efendants to enhance their cybersecurity in the future . . . [would] provide any relief for past injuries or

injuries incurred in the future because of a data breach that has already occurred.” Id. Notably, the Dugas court dismissed the plaintiff’s request for injunctive relief for lack of redressability, and therefore, lack of Article III standing. See id. at *9. In its Supplemental Memorandum, Defendant withdraws its earlier argument that Plaintiff lacks standing to pursue injunctive relief by pointing to Bohnak. Def.’s Suppl. Mem. at 8. Defendant newly argues that, in Bohnak, the court dismissed the plaintiffs’ “request for injunctive relief” on Rule 12(b)(6) grounds for “their failure to plausibly allege irreparable injury,” id. (quoting Bohnak, 580 F. Supp. 3d at 30), and not on Rule 12(b)(1) standing grounds, see Def.’s Mem. at 8. The implication of Defendant’s argument is that this Court should do the same here—i.e., find that Plaintiff (1) has standing to pursue injunctive relief but (2) fails on the merits for securing such relief. Defendant, however, fails to mention that the court in Bohnak, when analyzing the plaintiff’s theory of future harm, concluded the following: “Given that Plaintiffs do not allege

any misuse of their—or any other class members’—data, I find the [c]omplaint’s allegations of future risk of harm [concerning future fraudulent activity] too speculative to support Article III standing.” 580 F. Supp. 3d at 29. The only reason the Bohank court did not dismiss the suit for lack of Article III standing is because the court held that “exposure to identity theft itself ‘causes a separate concrete harm,’” cognizable as a compensable injury-in-fact for standing purposes under Article III, even if the speculative risk of future harm was not. Id. (emphasis in original) (quoting TransUnion, 141 S. Ct. at 2210). Contrary to Defendant’s assertions, much of the analysis in Bohnak weighs against finding standing when a plaintiff alleges injury-in-fact based on the speculative risk of future harm—which is central to the question of whether Plaintiff has standing to pursue forward-looking relief such as an injunction. As stated above, Plaintiff must

show that “the risk of [future] harm” absent the requested injunctive relief “is sufficiently imminent and substantial.” TransUnion, 141 S. Ct. at 2210. Here, Plaintiff’s case is distinguishable from Bohnak insofar as Plaintiff has alleged at least one potential misuse of his data—the attempted bank fraud. The plaintiffs in Bohnak failed to allege any such misuse. 580 F. Supp. 3d at 29. Assuming that “McMorris’s three-factor test is still instructive for determining whether the risk of injury is imminent, which remains part of the requirement for standing in suits for . . . injunctive relief,” Rand, 2022 WL 15523722, at *4 n.2, the attempted bank fraud is relevant to the first two factors, in that the attempted fraud suggests that (1) Plaintiff’s “data has been exposed,” (2) a “portion of the dataset has already been misused . . . .” McMorris, 995 F.3d at 303. But even if the McMorris factors weigh in favor of establishing an injury-in-fact by showing that further injury stemming from the initial Data Breach is imminent, Plaintiff would

still face a hurdle at the redressability prong. By the very terms of the injunction Plaintiff seeks, Plaintiff urges this Court to “compel[] Defendant to implement cyber-security policies and procedures equal to or better than industry standards,” Compl. ¶ 116, to prevent “another data breach,” id. ¶ 118. The requested injunction, by its terms, seeks to prevent future data breaches, but does nothing to assure that Defendant take steps to prevent future harm stemming from the Data Breach that already occurred. Accordingly, the standing analysis for Plaintiff’s requested injunction—which seeks to prevent future data breaches—depends on whether Plaintiff has sufficiently alleged that he is “realistically threatened by a repetition of” another data breach of Defendant’s systems. City of Los Angeles v. Lyons, 461 U.S. 95, 109 (1983). In Plaintiff’s telling, his Sensitive Information

“remains in the Defendant’s possession and may be subject to further breaches so long as Defendant fails to undertake appropriate and adequate measures to protect the Sensitive Information in its possession . . . .” Compl. ¶ 74. Plaintiff’s allegations concerning Defendant’s misrepresentations further suggest that although Defendant claims to have taken steps to prevent future data breaches, Plaintiff cannot trust Defendant’s representations regarding its security systems. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752, 2017 WL 3727318, at *31 (N.D. Cal. Aug. 30, 2017) (“find[ing] that [p]laintiffs . . . adequately alleged a ‘real and immediate threat of repeated injury’ from [d]efendants[]” partly because “[p]laintiffs cannot trust [d]efendants’ representations regarding their security systems” and “[d]efendants have continued to dispute the scope of their responsibility[]” in preventing future harm); see also Rudolph, 2019 WL 2023713, at *5 (finding that Yahoo’s conclusion regarding “a substantial risk of future harm[]” is “[c]onsistent” with Whalen v. Michaels Stores, Inc., 689 Fed. App’x 89, 90 (2d Cir. 2017) (summary order)). Given these allegations, the Court finds that Plaintiff has

sufficiently alleged that he is realistically threatened by another data breach of Defendant’s systems, and thus has standing to pursue his requested injunctive relief. Accordingly, Plaintiff has satisfied Article III standing for all the claims (and accompanying forms of relief) he seeks to pursue in federal court. B. CAFA Jurisdiction In the October 2022 Order, this Court found that Defendant, as the removing party, bears the “burden of showing that federal jurisdiction is proper.” Oct. 2022 Order at 5 (quoting Montefiore Med. Ctr., 642 F.3d at 327). Now that the Court has ruled that Plaintiff has Article III standing to pursue his claims and requested relief in federal court, see supra Section III.A.2, the Court proceeds to examine (1) whether Defendant has carried its burden of showing that CAFA

jurisdiction exists over Plaintiff’s action, see Blockbuster, Inc. v. Galeno, 472 F.3d 53, 58 (2d Cir. 2006) (holding that “CAFA did not change the traditional rule . . . that defendant bears the burden of establishing federal subject matter jurisdiction” after removal), and (2) whether the Court has a “sua sponte” “obligation” to remand the action under “the so-called ‘mandatory exception’ [to CAFA jurisdiction] . . . outlined in 28 U.S.C. § 1332(d)(4).” Lucker v. Bayside Cemetery, 262 F.R.D. 185, 187–88 (E.D.N.Y. 2009) (emphasis in original).4

4 Notably, Plaintiff has not moved to remand the action on the basis of one of the discretionary exceptions outlined in the CAFA. See Stipulation and Order to Extend Def.’s Resp. Pleading Deadline; Pl.’s Resp. to Def.’s Mot.; Pl.’s Suppl. Mem. See also 28 U.S.C. § 1332(d)(3)(A)–(F); Greenwich Fin. Servs. Distressed Mortg. Fund 3 LLC v. Countrywide Fin. Corp., 603 F.3d 23, 26 (2d Cir. 2010) (noting that “once the general requirements of CAFA jurisdiction are Courts “generally evaluate jurisdictional facts, such as the amount in controversy, on the basis of the pleadings, viewed at the time when defendant files the notice of removal.” Blockbuster, 472 F.3d at 56–57 (citing Vera v. Saks & Co., 335 F.3d 109, 116 n.2 (2d Cir. 2003) (per curiam)). “With this in mind, a court must assess the three prerequisites for CAFA

jurisdiction: no fewer than 100 members of the plaintiff class, minimal diversity, and $5 million in controversy.” Blockbuster, 472 F.3d at 57. “However, ‘the diversity jurisdiction authorized in [CAFA’s] provisions is not absolute,’ . . . .” Lucker, 262 F.R.D. at 187 (quoting 7A Wright, Miller & Kane, Federal Practice and Procedure § 1756.2 (2009)). “[A] district court must decline jurisdiction under CAFA” when the “so-called ‘mandatory exception’ . . . outlined in 28 U.S.C. § 1332(d)(4)[]” is met. Lucker, 262 F.R.D. at 187 (emphasis in original). Wright & Miller summarizes the “mandatory exception” as follows: [T]he court must decline jurisdiction over a class action when greater than two-thirds of the plaintiff class members are citizens of the state where the action was originally filed, when at least one defendant from whom significant relief is sought and whose conduct forms a significant basis for the class claims is a citizen of the filing state and the principal injuries or any related conduct of each defendant occurred in the original filing state, and when no other similar class action against any of the defendants has been filed during the 3-year period prior to the instant class action.

7A Wright, Miller & Kane, Fed. Prac. & Proc. § 1756.2. In its Notice of Removal, Defendant highlights allegations from Plaintiff’s Complaint showing that “the number of putative class members exceeds the statutorily-required minimum of 100 individuals.” Notice of Removal ¶¶ 12–14 (“Plaintiff alleges that ‘approximately 9,800 Class Members’ Sensitive Information, including Plaintiff’s,’ was potentially affected in the

established, plaintiffs [seeking remand] have the burden of demonstrating that remand is warranted on the basis of one of the enumerated exceptions” (collecting cases)). ‘Data Breach.’ . . . Indeed, [Defendant] has sent notifications to approximately 9,865 people that their information may have been potentially impacted in the phishing incident.”). Accordingly, the Court finds that the numerosity prong is satisfied. The Court also agrees with Defendant that at least one “member of [the] [C]lass . . . is a

citizen of a State different from . . . [D]efendant,” 28 U.S.C. § 1332(d)(2)(A), thereby satisfying the minimal diversity requirement. Plaintiff and Defendant are both citizens of New York, see Notice of Removal ¶¶ 16–17, but at least one purported class member is a citizen of a state other than New York, see id. ¶ 18 (stating that “[o]f the individuals notified [about the Data Breach], 53% of putative class members were mailed notifications in . . . states[]” other than New York, and thus “are likely residents . . . and . . . citizens of . . . states[]” other than New York). See Hart v. Rick’s NY Cabaret Int’l, Inc., 967 F. Supp. 2d 955, 960 (S.D.N.Y. 2014) (finding CAFA minimal diversity satisfied where defendant was a citizen of Texas and “at least some class members were and are citizens of New York”). The Court also agrees with Defendant that the mandatory exception to CAFA jurisdiction does not apply here, since only “47%[] of putative

class members had New York mailing addresses” and are presumably New York citizens, Notice of Removal ¶ 20, falling short of the “greater than two-thirds” required to trigger the exception. 7A Wright, Miller & Kane, Fed. Prac. & Proc. § 1756.2. As for the amount in controversy requirement, the removing defendant need only prove “by the preponderance of the evidence,” that the amount in controversy exceeds $5 million dollars. 28 U.S.C. § 1446(c)(2)(B). The Supreme Court has further clarified that “a defendant’s notice of removal need include only a plausible allegation that the amount in controversy exceeds the jurisdictional threshold. Evidence establishing the amount is required by § 1446(c)(2)(B) only when the plaintiff contests, or the court questions, the defendant’s allegation.” Dart Cherokee Basin Operating Co., LLC v. Owens, 574 U.S. 81, 89 (2014). In its Notice of Removal, Defendant explains in detail why the Complaint “make[s] it more likely than not that the amount in controversy under CAFA exceeds $5,000,000.” Notice of

Removal ¶ 22. Plaintiff does not contest Defendant’s explanation, and the Court sees no reason to depart from it after carefully reviewing it. See id. ¶¶ 23–32. The Court thus finds that the amount in controversy required by the CAFA is satisfied as well. In sum, the Court has subject matter jurisdiction over the entire action pursuant to Article III and the CAFA. Accordingly, the Court need not “address whether . . . partial remand is warranted,” October 2022 Order at 2, and proceeds to evaluate the merits of Defendant’s Motion to Dismiss. IV. MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM Defendant has moved to dismiss all of Plaintiff’s claims pursuant to Rule 12(b)(6) for failure to state a claim upon which relief may be granted. First, Defendant argues that Plaintiff

has failed to adequately plead the element of damages with respect to his first, second, third, and fifth causes of action—that is, his claims for negligence, breach of express contract, breach of implied contract, and violation of GBL § 349, respectively. Def.’s Mem. at 6–16. Second, Defendant asserts that Plaintiff’s negligence claim should be dismissed under New York’s economic loss doctrine. Id. at 16–19. Third, Defendant contends that Plaintiff has failed to adequately plead an actionable breach of contract, express or implied. Id. at 19–21. Fourth, Defendant argues that Plaintiff’s fourth cause of action, for violation of GBL § 899-aa, should be dismissed because there is no private right of action under the statute. Id. at 21–22. Fifth, Defendant argues that Plaintiff’s fifth cause of action, for violation of GBL § 349, should be dismissed because Plaintiff has failed to adequately plead any “deceptive or misleading” material act or practice. Id. at 22–23. Finally, Defendant posits that Plaintiff’s claim for injunctive relief should be dismissed because Plaintiff has failed to reasonably allege he is in danger of irreparable injury, and because Plaintiff already has an adequate remedy at law in the form of

monetary damages. Id. at 24–25. A. Legal Standard “[A] judgment of dismissal pursuant to Fed. R. Civ. P. 12(b)(6) can only be entered if a court determines that, as a matter of law, a plaintiff failed to state a claim upon which relief can be granted . . . .” Melendez v. City of New York, 16 F.4th 992, 1010 (2d Cir. 2021). “In determining if a claim is sufficiently ‘plausible’ to withstand dismissal,” id. (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)), a court “accept[s] all factual allegations as true and draw[s] all reasonable inferences in favor of the plaintiff,” Trs. of Upstate N.Y. Eng’rs Pension Fund v. Ivy Asset Mgmt., 843 F.3d 561, 566 (2d Cir. 2016) (citation omitted). A court, however, need not accept “conclusory allegations or legal conclusions couched as factual . . . allegations.” Nielsen

v. Rabin, 746 F.3d 58, 62 (2d Cir. 2014) (quoting Rothstein v. UBS AG, 708 F.3d 82, 94 (2d Cir. 2013)). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). “[W]here the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged—but it has not ‘show[n]’—‘that the pleader is entitled to relief.’” Iqbal, 556 U.S. at 679 (quoting Fed. R. Civ. P. 8(a)(2)). B. Application 1. Plaintiff’s Claim for Violation of GBL § 899-aa The Court begins by addressing Defendant’s argument that Plaintiff’s fourth cause of action, for violation of GBL § 899-aa, should be dismissed because there is no private right of

action under the statute. Id. at 21–22. In support of this argument, Defendant primarily relies on Abdale v. N. Shore Long Island Jewish Health Sys., Inc., where the New York State Supreme Court, Queens County, found that “no private right of action exists with respect to [GBL] § 899-aa . . . .” 19 N.Y.S.3d 850, 857–58 (N.Y. Sup. Ct. 2015). Def.’s Mem. at 21–22. The court in Abdale arrived at that conclusion after observing that (1) “there is no private right of action expressly authorized pursuant to the statute”; (2) subsection 6 of the “state expressly provides . . . that the attorney general may bring an action for a violation of said statute”; and (3) the same subsection “provides that in such an action [brought by the attorney general] the court may award damages for actual costs or losses incurred by a person entitled to notice” under the statute. Abdale, 19

N.Y.S.3d at 857. Because the New York “Court of Appeals has declined to recognize a private right of action in instances where the Legislature specifically considered and expressly provided for enforcement mechanisms in the statute itself,” the Abdale court declined to imply one arising under GBL § 899-aa. Id. at 858. “[P]ermitting a private right of action for a violation of [GBL] § 899-aa would not be consistent with [the] [l]egislative scheme.” Id. To bolster the precedential force of Abdale, Defendant also points to Smahaj v. Retrieval- Masters Creditors Bureau, Inc., which found the same as the Abdale court with respect to GBL § 899-aa, 69 Misc.3d 597, 608 (N.Y. Sup. Ct. 2020), and several federal district court decisions applying Abdale’s conclusion, Def.’s Mem at 21–22 (citing Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 777 (W.D.N.Y. 2017), on reconsideration, 304 F. Supp. 3d 333 (W.D.N.Y. 2018), order clarified, 502 F. Supp. 3d 724 (W.D.N.Y. 2020)) (other citations omitted). In his Response to the Motion to Dismiss, Plaintiff offers examples of other statutes where New York state courts have implied a private right of action alongside a legislative

scheme of administrative enforcement. See Pl.’s Resp. to Def.’s Mot. at 21–22. But Plaintiff fails to respond to any of the authorities provided by Defendant finding that no implied cause of action exists under GBL § 899-aa. See id.; see also Def.’s Reply at 9 (“Plaintiff does not address this clear precedent that dictates the dismissal of Plaintiff’s GBL § 899-aa claim.”). Plaintiff also fails to provide any authorities finding the opposite with respect to GBL § 899-aa. See Pl.’s Resp. to Def.’s Mot. at 21 – 22. Accordingly, the Court agrees with Defendant that no private right of action exists under GBL § 899-aa, and grants the Motion to Dismiss with respect to Plaintiff’s fourth cause of action for violation of GBL § 899-aa. 2. Plaintiff’s Alleged Damages Defendant advocates for dismissal of Plaintiff’s claims for negligence, breach of express

contract, breach of implied contract, and violation of GBL § 349, because Plaintiff has failed to adequately plead cognizable damages. Def.’s Mem. at 6–16. Specifically, Defendant attacks the various theories of damages that Plaintiff advances, including his “(1) Increased-Risk-of-Future- Harm Theory; (2) Lost Time, Money, Opportunity Costs, and Unidentified Out-of-Pocket Losses Theory; (3) Diminished-Value-of-Personal-Information Theory; (4) Loss of Privacy Theory; (5) Benefit of the Bargain Theory; and (6) Unjustified Delay Theory.” Id. at 7. “As an initial matter,” Plaintiff responds that “the Court need not reach Defendant’s generalized challenges to Plaintiff’s damages theories, which are unmoored from the claims pled.” Pl.’s Resp. to Def.’s Mot. at 4. Plaintiff contends that Defendant’s Motion suffers from “the same fatal flaw as the defendant’s motion in Fero,” id., by “challeng[ing] Plaintiff[’s] damage theories wholesale, rather than challeng[ing] Plaintiff[’s] damages theories under each claim that Plaintiff[] ha[s] pleaded,” Fero, 236 F. Supp. at 785. In Fero, the defendants made “no attempt to identify whether [the] [p]laintiffs . . . sufficiently pleaded damages for purposes of

each of their claims.” Id. at 786. “Given that it is the movant’s burden to show why dismissal is warranted on a 12(b)(6) motion,” the Fero court “denie[d] the . . . [d]efendants’ motion, to the extent it [was] predicated on an alleged failure to plead any cognizable damages.” Id. (citations omitted). Plaintiff argues that the same should apply to Defendant’s Motion here. In Reply, Defendant makes no explicit attempt to rebut this threshold argument from Plaintiff. See Def.’s Reply at 1–7. The Court could interpret Defendant’s reliance on Bohnak, which analyzed the pleading sufficiency of “cognizable damages” in the aggregate, 580 F. Supp. 3d at 30–31, as an implicit rebuttal to Plaintiff’s argument, but the Court declines to do so given that Defendant, as the “movant[,] bears the burden of pro[ving no cognizable claim has been stated] on a motion to dismiss under Rule 12(b)(6).” Leon v. Rockland Psychiatric Ctr., 232 F.

Supp. 3d 420, 426–27 (S.D.N.Y. 2017). Defendant has provided the Court with no express reason to depart from the Fero court’s approach, which requires a movant to attack the sufficiency of a Plaintiff’s stated damages with respect to each claim asserted. 236 F. Supp. at 785–86. This approach is particularly appropriate in this context where one particular theory of damages—such as Plaintiff’s “Benefit of the Bargain” theory—may be cognizable under certain causes of action but not others. See Wallace v. Health Quest Sys., Inc., No. 20-CV-0545, 2021 WL 1109727, at *6 (S.D.N.Y. Mar. 23, 2021) (finding that a “benefit of the bargain” theory of injury was sufficient to plead cognizable damages under “claims sounding in contract, and also under New York’s consumer protection laws,” but notably excluding the claims sounding in tort from this finding). Accordingly, the Court denies the Motion “to the extent it is predicated on an alleged failure to plead any cognizable damages[]” in the aggregate. Fero, 236 F. Supp. 3d at 786 (citing In pre Premera Blue Cross Customer Data Sec. Breach Litig., 198 F. Supp. 3d 1183, 1205–06 (D. Or. 2016) (“Whether that particular damage theory is sound or whether that

particular damages theory is state-specific are not issues that need to be resolved at this [motion- to-dismiss] stage of the litigation.”)) (other citation omitted). 3. Plaintiff’s Claim for Negligence Defendant also asserts that Plaintiff’s negligence claim should be dismissed under New York’s economic loss doctrine since “any harm [Plaintiff] allegedly would have suffered is purely economic.” Id. at 16–19. In Reply, Defendant adds that the “negligence claim should . . . be dismissed for failure to allege a plausible breach of a duty of care,” Def.’s Reply at 7, but the Court will not consider that argument because Defendant “made [it] for the first time in a reply brief,” Knipe v. Skinner, 999 F.2d 708, 711 (2d Cir. 1993). Compare Def.’s Reply at 7–8, with Defs.’ Mem. at 16–19.

In products liability cases, “it is well settled that New York law holds that a negligence action seeking recovery for economic loss will not lie.” Colangelo v. Champion Petfoods USA, Inc., No. 18-CV-1228, 2020 WL 777462, at *15 (N.D.N.Y. Feb. 18, 2020) (Kahn, J.) (cleaned up); see also Sackin v. TransPerfect Global, Inc., 278 F. Supp. 3d 739, 749 (S.D.N.Y. 2017) (finding that “the rule is inapplicable” where a complaint “does not allege a products liability claim” (citing 532 Madison Ave. Gourmet Foods, Inc. v. Finlandia Center, Inc., 96 N.Y.2d 280, 288 n.1 (N.Y. 2001) (other citations omitted))). While it appears that the “New York Court of Appeals has not spoken [directly] on whether the economic loss doctrine is specifically applicable in the data breach context,” Def.’s Mem. at 17, several courts in the Second Circuit while applying New York law have found that it is not. See, e.g., Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 749 (S.D.N.Y. 2017) (finding that the economic loss rule does not apply to the data breach context); Rudolph, 2019 WL 2023713, at *9 (declining to apply the economic loss rule to a data breach negligence claim); Toretto v. Donnelley Financial Solutions,

Inc., 583 F. Supp. 3d 570, 590 (S.D.N.Y. 2022) (“similarly conclud[ing] that the economic loss doctrine does not bar . . . negligence claims” concerning a data breach); In re USAA Data Sec. Litig., No. 21-CV-5813, 2022 WL 3348527, at *9 n.6 (S.D.N.Y. Aug. 12, 2022) (same). Defendant submits that Sackin and its progeny are incorrect on this point, and are “not controlling” on this Court. Def.’s Mem. at 16–17. While the latter contention is certainly true, the Court cannot agree with the former contention. In reaching its conclusion that the economic loss rule does not apply in the data breach context, the Sackin court, 278 F. Supp. at 749, cited to the New York Court of Appeals’ admonition that the economic loss rule, as articulated in its earlier cases, barred “damages in tort for economic loss against a manufacturer . . . .” 532 Madison, 96 N.Y.2d at 288 n.1. Since Sackin, federal courts interpreting New York state law have further

cautioned that “the applicability of the economic loss rule outside the product-liability context from which it originated is doubtful.” Ambac Assurance Corp. v. U.S. Bank Nat’l Ass’n, 328 F. Supp. 3d 141, 159 (S.D.N.Y. 2018). Given that Defendant has failed to provide the Court with “a single data breach case under New York law that has applied the doctrine,” Pl.’s Resp. to Def.’s Mot. at 16, the Court sees no reason to depart from the consensus of its sister courts in Sackin, Rudolph, Toretto, and USAA, which found that the doctrine does not apply in the data breach context. Accordingly, the Court denies the Motion to Dismiss with respect to Plaintiff’s first cause of action for negligence. 4. Plaintiff’s Claim for Breach of an Express Contract Defendant moves to dismiss Plaintiff’s claim for breach of an express contract because “Plaintiff Fails to Identify Any Express Promise Ensuring Data Security.” Def.’s Mem. at 19. “Under New York law, a breach of contract claim [whether express or implied] requires

(1) the existence of an agreement, (2) adequate performance of the contract by the plaintiff, (3) breach of contract by the defendant, and (4) damages.” Sackin, 278 F. Supp. 3d at 750 (quoting Balk v. N.Y. Inst. of Tech., 683 Fed. App’x 89, 95 (2d Cir. 2017)). “In adjudicating express contract claims, ‘[a] court cannot supply a specific obligation the parties themselves did not spell out.’” Sackin, 278 F. Supp. 3d at 750 (quoting Wallert v. Atlan, 141 F. Supp. 3d 258, 286 (S.D.N.Y. 2015)). “The plaintiff must identify what provisions of the contract were breached as a result of the acts at issue.” Glob. Packaging Servs., LLC v. Glob. Printing & Packaging, 248 F. Supp. 3d 487, 492 (S.D.N.Y. 2017) (internal quotation marks omitted). Here, Plaintiff alleges that he “and Class Members all entered into written agreements with Defendant as part of, and as a precondition to, application and enrollment at Syracuse

University.” Compl. ¶ 32. “These agreements contained . . . representations that Defendant would protect Class Members’ Sensitive Information.” Id. “The agreements involved a mutual exchange of consideration whereby Defendant provided enrollment at [Defendant] for Class Members in exchange for payment from Class Members.” Id. Central to Plaintiff’s express contract claim is the Defendant’s Privacy Policy. Plaintiff points to at least two provisions that allegedly contain express promises that were ultimately breached by Defendant: [1] [Defendant] is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website or through other mechanisms, you can be assured that it will only be used in accordance with this [P]rivacy [P]olicy.

[2] We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

Id. ¶ 33 (excerpting Defendant’s Privacy Policy). Plaintiff adds that “[t]he Privacy Policy enumerates specific limited circumstances for which Defendant will disclose Sensitive Information . . . .” Id. These circumstances include for the “purposes of answering Class Members’ questions, internal record keeping, improving [Defendant’s] services, contacting Class Members via promotional emails, contacting Class Members in connection with market research, and as necessary in connection with legal proceedings or where legally required to provide such information to a court or regulator.” Id. (citing archived version of online Privacy Policy as of Sept. 22, 2020). “None of these enumerated circumstances apply to Defendant’s disclosure of Sensitive Information in the Data Breach.” Id. ¶ 34. In the Complaint, Plaintiff also highlights a provision in the Privacy Policy that “explicitly states that outside of these enumerated circumstances: ‘we will treat your personal data as private and will not disclose it to third parties without your knowledge.’” Id. ¶ 35 (quoting archived version of online Privacy Policy as of Sept. 22, 2020). In advocating for dismissal of this breach of express contract claim, Defendant argues that “such allegations do not constitute a specific promise to provide a specific level of data security . . . .” Def.’s Mem. at 20. Defendant relies, in part, on Wallace, 2021 WL 1109727, and Austin-Spearman v. AARP and AARP Servs., Inc., 119 F. Supp. 3d 1 (D.D.C. 2015). See Def.’s Mem. at 20. In Wallace, the court dismissed a breach of express contract claim based on a website’s notice of privacy practices partly because the “terms” were “neither sufficiently certain nor specific enough for the Court to ascertain what—if anything—[defendant] promised.” 2021 WL 1109727, at *10. The stated terms included that defendant was “committed to protecting medical information,” and “will notify you in writing if [it] discover[s] a breach of [plaintiffs’] unsecured health information, unless [it] determine[s], based on a risk assessment, that

notification is not required by applicable law.” Id. (alterations in original). With respect to other specific, express promises the plaintiffs alleged, the Wallace court noted that “the quoted language [from the website’s notice of privacy practices] appears nowhere in the document” cited by the plaintiffs. Id. In Austin-Spearman, the court dismissed a breach of express contract claim based on an online privacy policy because the Plaintiff’s conclusory allegations about what the policy promised were “not even close to what the actual [p]rivacy [p]olicy [provided by the plaintiff] says . . . .” 119 F. Supp. 3d at 10 (emphasis in original). Both, however, are distinguishable from the present case. Defendant does not contest the accuracy of Plaintiff’s excerpts from the relevant Privacy Policy. Cf. Austin-Spearman, 119 F. Supp. 3d at 10 (dismissing breach of express contract claim because the promises plaintiff

alleged appeared nowhere in the actual privacy policy provided by plaintiff). And in that Privacy Policy, Defendant “assured” Plaintiff that his Sensitive Information “will only be used in accordance with this [P]rivacy [P]olicy.” Compl. ¶ 33. Notably, Defendant phrased this alleged promise in the passive voice, plausibly suggesting that Plaintiff’s Sensitive Information would not be used by any person or entity if the use of that information did not fall under one of the enumerated circumstances in the Policy. In addition, Defendant represented to Plaintiff in this Privacy Policy that “[i]n order to prevent unauthorized access . . . we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we collect online.” Id. These terms are certainly more specific than those in Wallace, which merely stated that defendant was “committed to protecting medical information,” and “will notify you in writing if [it] discover[s] a breach of [plaintiffs’] unsecured health information, unless [it] determine[s], based on a risk assessment, that notification is not required by applicable law.” 2021 WL 1109727, at *10 (alterations in original). Neither Wallace nor Austin-Spearman

support dismissal here. It may ultimately be the case that the terms of the Privacy Policy are not sufficiently definite as to constitute a legally enforceable contract, see 166 Mamaroneck Ave. Corp. v. 151 E. Post Rd. Corp., 78 N.Y.2d 88, 91 (N.Y. 1991), but the Court need not answer that question now. In New York, “the definiteness doctrine is a doctrine of last resort,” Cappelli Enters., Inc. v. F & J Cont’l Food Corp., 792 N.Y.S.2d 553, 554 (N.Y. App. Div. 2005), and Defendant has failed to carry its burden to prove that the Court should opt for that “last resort” in resolving this Motion to Dismiss. See Def.’s Mem. at 20 (Defendant only relying on Wallace and Austin-Spearman in support of its argument that the terms of the Privacy Policy are not sufficiently certain or specific enough to be enforced by a court); see also Leon, 232 F. Supp. 3d at 426–27 (noting that the

“movant bears the burden of pro[ving no cognizable claim has been stated] on a motion to dismiss under Rule 12(b)(6)”). In the alternative, Defendant argues that even if the statements in the Privacy Policy “constitute a specific promise to provide a specific level of data security . . . [defendant] has not breached it based on one employee clicking on a phishing email.” Def.’s Mem. at 20 (citing Abdale, 19 N.Y.S.3d at 860, and Fero, 236 F. Supp. 3d at 783). In Abdale the court dismissed a breach of contract claim partly because the plaintiffs “fail[ed] to allege any specific provision in an agreement that the defendants allegedly breached.” 19 N.Y.S.3d at 860. Notably, the plaintiffs in that case failed to point to “any obligation or promise” in the relevant privacy statement “regarding the theft of personal information by third parties.” Id. However, that is clearly distinguishable from Plaintiff’s case here. Plaintiff has specifically highlighted a provision from the Privacy Policy where Defendant assured Plaintiff that “[i]n order to prevent unauthorized access . . . we have put in place suitable physical, electronic, and managerial procedures to

safeguard and secure the information we collect online.” Compl. ¶ 33 (emphasis added). This term suggests that Defendant was making an assurance regarding the theft of personal information by third parties, unlike the terms at issue in Abdale. As for Defendant’s reliance on Fero, it is unclear to the Court why Defendant has offered that case in support of its argument that Plaintiff has failed to allege a cognizable breach here. In Fero, the court—after reviewing a set of facts similar to Plaintiff’s allegations—found that the plaintiffs in that case “stated a breach of contract claim that is plausible on its face,” and “denie[d] the . . . [d]efendants’ motion to dismiss this claim for relief.” 236 F. Supp. 3d at 761. While Defendant may be relying on Fero for its narrower “finding [that] ‘disclosure’ of personal information require[s] ‘the information holder [to] commit some affirmative voluntary act,’” and

thus the mere theft of data by a third party does not suffice, Def.’s Mem. at 20 (quoting Fero, 236 F. Supp. 3d at 783), that finding was specifically in reference to the meaning of the statutory term “disclosure” under the New Jersey Insurance Information Practices Act and the North Carolina Consumer and Customer Information Privacy Act, Fero, 236 F. Supp. 3d at 782–85. That finding about the meaning of a statutory term does not support Defendant’s argument that its failure to prevent the Data Breach cannot constitute a breach of the express terms of the Privacy Policy. Even if that statutory finding were relevant to the meaning of the word “disclosure” as stated in the Privacy Policy, such a finding still would not preclude Plaintiff from plausibly alleging a breach here, because, as noted above, the Privacy Policy did not just commit Defendant to putting in place sufficient procedures to prevent “disclosure . . . .” Compl. ¶ 33. The terms of the Privacy Policy sought to prevent “unauthorized access” as well. Id. Accordingly, the Court denies the Motion to Dismiss with respect to Plaintiff’s second cause of action for breach of an express contract.

5. Plaintiff’s Claim for Breach of an Implied Contract Defendant moves to dismiss Plaintiff’s claim for breach of an implied contract because “Plaintiff fails to allege facts showing the claim’s essential elements of consideration, mutual assent, and cognizable damages.” Def.’s Mem. at 21 (citing Nadel v. Play-By-Play Toys & Novelties, Inc., 208 F.3d 368, 377 n.5 (2d Cir. 2000)). Under New York law, “[a] contract implied in fact may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the ‘presumed’ intention of the parties as indicated by their conduct.” Jemzura v. Jemzura, 36 N.Y.2d 496, 503–04 (N.Y. 1975) (internal citations omitted). “An implied contract, like an express contract, requires ‘consideration, mutual assent, legal capacity and legal subject matter.’”

Sackin, 278 F. Supp. 3d at 750 (quoting Leibowitz v. Cornell Univ., 584 F.3d 487, 507 (2d Cir. 2009), superseded by statute on other grounds as stated in Vogel v. CA, Inc., 662 Fed. App’x 72, 75 (2d Cir. 2016)). Defendant first advocates for dismissal of this claim for breach of an implied contract because “Plaintiff does not point to any specific conduct, policies, communications or documents to underpin his implied contract claim.” Def.’s Mem. at 21 (citing Lauria v. Donahue, 438 F. Supp. 2d 131, 144 (E.D.N.Y. 2006)). In his Response to the Motion to Dismiss, Plaintiff suggests that he has, primarily pointing to “the existence and content of Defendant’s Privacy Policy—which can only be read as a promise by Defendant that it intended to securely store and safeguard [his Sensitive Information],” Pl.’s Resp. to Def.’s Mot. at 21, while also arguing that “Plaintiff need not plead the exact terms of an implied contract to survive a motion to dismiss,” id. at 20 (citing Wallace, 2021 WL 1109727, at *10). Plaintiff’s argument in response that “the existence and content of Defendant’s Privacy

Policy” itself is the conduct that underpins his implied contract claim risks collapsing his two distinctly pled contract claims into one. See Murtha Constr., Inc. v. Town of Southampton Hous. Auth., 179 N.Y.S.3d 121, 123 (2022) (“dismissing [a] cause of action to recover damages for breach of an implied contract” on a summary judgment motion because “a valid [written] contract governed the subject matter at issue in this action”); Nadel, 208 F.3d at 377 n.5 (citing Watts v. Columbia Artists Mgmt. Inc., 591 N.Y.S.2d 234, 236 (N.Y. App. Div. 1992)) (“noting that express contract and implied-in-fact contract theories are mutually exclusive”). However, given that Plaintiff’s claim for breach of an express contract survives this Motion, see supra Section IV.B.4, there still remains a “bona fide dispute over the existence of [that] contract,” in this litigation, Flatscher v. Manhattan Sch. of Music, 551 F. Supp. 3d 273,

287 (S.D.N.Y. 2021). Accordingly, at this stage in the litigation, Plaintiff’s claim for breach of an implied contract “is not yet duplicative” of his breach of express contract claim, and the Court will not dismiss it on that ground. Cf. Flatscher, 551 F. Supp. 3d at 287 (declining to dismiss an unjust enrichment claim on a motion to dismiss because the parties still disputed whether an implied contract governing the same conduct existed). Moreover, Plaintiff has alleged several facts, other than the Privacy Policy itself, that plausibly state a claim for breach of an implied contract. Just like the plaintiffs in Sackin, Plaintiff here has alleged that he “provided Sensitive Information to . . . Defendant in connection with their obtaining educational services from Defendant and were required to provide their Sensitive Information as a condition of receiving services therefrom.” Compl. ¶ 82; see Sackin, 278 F. Supp. 3d at 750 (“[The defendant] required and obtained the [personally identifiable information (‘PII’)] as part of the employment relationship, evincing an implicit promise by [the defendant] to act reasonably to keep its employees’ PII safe.”) Furthermore, while Defendant

“may not have explicitly promised to protect [Plaintiff’s Sensitive Information] from hackers in . . . [express] contracts, ‘it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.’” Sackin, 278 F. Supp. 3d at 751 (quoting Castillo v. Seagate Tech., LLC, No. 16-CV-1958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016)). Accordingly, the Court denies the Motion with respect to Plaintiff’s third cause of action for breach of an implied contract. 6. Plaintiff’s Claim for Violation of GBL § 349 Defendant argues that Plaintiff’s fifth cause of action, for violation of GBL § 349, should be dismissed because Plaintiff has failed to adequately plead any “deceptive or misleading”

material act or practice, and instead relies on a “conclusory[]” recitation of the elements under New York law. Id. at 22–23. A prima facie claim for violation of GBL § 349 requires a showing that “(1) the defendant’s conduct was consumer-oriented; (2) the defendant’s act or practice was deceptive or misleading in a material way; and (3) the plaintiff suffered an injury as a result of the deception.” Himmelstein, McConnell, Gribben, Donoghue & Joseph, LLP v. Matthew Bender & Co., Inc., 37 N.Y.3d 169, 176, reargument denied, 37 N.Y.3d 1020 (N.Y. 2021). “Under Section 349(a), the phrase ‘deceptive acts or practices’ is limited to actual misrepresentations (or omissions), made to consumers, in New York.” Lenard v. Design Studio, 889 F. Supp. 2d 518, 530 (S.D.N.Y. 2012) (citing Goshen v. Mut. Life Ins. Co., 98 N.Y.2d 314, 325 (N.Y. 2002)). Defendant’s argument for dismissal primarily rests on the assertion that Plaintiff “does not allege any specific knowing misrepresentations that [Defendant] made regarding data

security, nor does it identify any deceptive practice in which [Defendant] purportedly engaged.” Def.’s Mem. at 22 (emphasis in original); see also Def.’s Reply at 9–10. But Plaintiff points to several misrepresentations, including Defendant’s statement “that it had ‘put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information [it] collect[s.]’” Pl.’s Resp. to Def.’s Mot. at 23 (quoting Compl. ¶ 33). Defendant’s retort that it “did not provide an unlimited guarantee that information could not be stolen, hacked, or ‘phished,’” Def.’s Mem. at 23, is immaterial. Plaintiff does not allege that Defendant made such an “unlimited guarantee” in its Complaint, and does not rely on such a broad guarantee to support its claim for violation of GBL § 349. Defendant does not advance specific arguments attacking the other elements needed to

plausibly state a claim for violation of GBL § 349 in the Motion to Dismiss, see Def.’s Mem. at 22–23, and in his Response, Plaintiff has provided the Court with several factually-similar cases supporting the conclusion that Plaintiff has, at the very least, alleged sufficient facts to plead the required elements, see Pl.’s Resp. to Def.’s Mot. at 23–24 (citing Fero, 236 F. Supp. 3d at 776) (other citations omitted). Given that Defendant, as the “movant[,] bears the burden of pro[ving no cognizable claim has been stated] on a motion to dismiss under Rule 12(b)(6),” Leon, 232 F. Supp. 3d at 426–27, the Court denies the Motion with respect to Plaintiff’s fifth cause of action for violation of GBL § 349. 7. Plaintiff’s Claim for Injunctive Relief Finally, Defendant moves to dismiss Plaintiff’s claim for injunctive relief under CPLR Article 63 on the grounds that (1) “Plaintiff does not reasonably allege that he is in ‘danger of irreparable injury,’ a requisite element for injunctive relief under New York law,” Def.’s Mem.

at 24 (citation omitted), and (2) Plaintiff already “has an adequate remedy in the form of money damages,” id. (citation omitted). As noted earlier, a claim for injunctive relief is not an independent “cause of action,” as Plaintiff suggests in his Complaint, but rather a specific prayer for relief that seeks to remedy injuries related to the other causes of action in the Complaint. See Budhani, 527 F. Supp. 3d at 688. Moreover, this Court does not have the power to issue an injunction pursuant CPLR Article 63, which governs preliminary injunctions issued by New York State courts. See N.Y. C.P.L.R. § 6301. Accordingly, the Court grants the Motion to the extent Plaintiff has brought an independent cause of action for an injunction under CPLR Article 63. However, this Court does have the “power to issue injunctions in suits over which [it] has

jurisdiction,” Califano, 442 U.S. at 705, as well as the more specific power to issue preliminary injunctive relief under Federal Rule of Civil Procedure 65(a). So far in this litigation, Plaintiff has not formally moved this Court for the issuance of a preliminary injunction in accordance with the Federal Rules of Civil Procedure or the Local Rules of Practice for the United States District Court for the Northern District of New York. By seeking dismissal of Plaintiff’s prayer for injunctive relief through a Rule 12(b)(6) motion, Defendant is, in essence, asking this Court for an order that precludes Plaintiff from moving this Court for (1) preliminary injunctive relief as the litigation unfolds, and (2) a final injunction at the time of judgment. The Court is not convinced that this is procedurally proper, given that Rule 8 clearly distinguishes between “a short and plain statement of the claim showing that the pleader is entitled to relief,” Fed. R. Civ. P. 8(a)(2)—which is governed by the Supreme Court’s decision in Iqbal, 556 U.S. 662, 678 (interpreting Rule 8(a)(2))—and “a demand for the relief sought,” Fed. R. Civ. P. 8(a)(3), which the Supreme Court never discusses in that seminal

case. Cf. Farina v. Metropolitan Transp. Auth., 409 F. Supp. 3d 173, 220 (S.D.N.Y. 2019) (denying as premature a motion to dismiss a request for punitive damages because a “motion to dismiss is addressed to a claim—not a form of damages. There is no independent cause of action for punitive damages under New York law.” (cleaned up)). Therefore, the Court will not dismiss Plaintiff’s prayer for injunctive relief on this Rule 12(b)(6) motion. It is also worth reemphasizing that the Court has already found that Plaintiff has sufficiently alleged that he is “realistically threatened by a repetition of” another data breach of Defendant’s systems for the purposes of Article III standing. See supra Section III.A.2. This finding with respect to Article III standing necessarily distinguishes this case from Bohnak, which Defendant relies on in its Reply to advocate for dismissal of Plaintiff’s requested

injunctive relief on Rule 12(b)(6) grounds. Def.’s Reply at 10. In Bohnak, the court found that the only “harm” that the defendants caused that established Article III standing was “the harm of disclosure . . . .” 580 F. Supp. 3d at 31. “[T]he [c]omplaint’s allegations of future risk of harm [were] too speculative to support Article III standing.” Id. at 29. Accordingly, since the only harm that remained at issue in Bohnak was “the harm of disclosure,” the Court found that the plaintiffs already had an adequate remedy available at law “compensable through money damages,” thereby precluding injunctive relief. Id. at 31. That, of course, is not the case here, where Plaintiff has plausibly alleged that he is “realistically threatened by a repetition of” another data breach of Defendant’s systems. See supra Section III.A.2; see also Berni v. Barilla S.p.A., 964 F.3d 141, 146–47 (2d Cir. 2020) (“[I]njunctive relief is only proper when a plaintiff, lacking an adequate remedy at law, is likely to suffer from injury at the hands of the defendant if the court does not act in equity. The prospective-orientation of the analysis is critical: to maintain an action for injunctive relief, a plaintiff ‘cannot rely on past injury . . . but must show a

likelihood that he . . . will be injured in the future.’” (footnotes omitted) (alterations in original)). Accordingly, the Court denies the Motion to the extent that Defendant seeks to dismiss Plaintiff’s prayer for injunctive relief altogether. Nothing in this Memorandum-Decision and Order shall be construed to preclude Plaintiff from seeking injunctive relief during this litigation in accordance with the Federal and Local Rules. V. CONCLUSION Accordingly, it is hereby: ORDERED, that Defendant’s Motion to Dismiss (Dkt. No. 22) is GRANTED in part and DENIED in part; and it is further ORDERED, that Plaintiff’s fourth cause of action for violation of GBL § 899-aa is

DISMISSED; and it is further ORDERED, that Plaintiff’s seventh cause of action for an injunction under N.Y. C.P.L.R. § 6301 is DISMISSED; and it is further ORDERED, that nothing in this Memorandum-Decision and Order shall be construed to preclude Plaintiff from seeking injunctive relief during this litigation in accordance with the Federal Rules of Civil Procedure and the Local Rules of Practice for the United States District Court for the Northern District of New York; and it is further ORDERED, that the Clerk of the Court shall serve a copy of this Memorandum-Decision and Order on all parties in accordance with the Local Rules. IT IS SO ORDERED.

DATED: March 20, 2023 Albany, New York LAWRENCE E. KAHN United States District Judge