UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT
JAMES MT MURRAY, individually and on behalf of all others similarly situated, Plaintiff, No. 3:24-cv-01099-MPS v. CONNECTICUT COLLEGE, Defendant.
RULING ON DEFENDANT’S MOTION TO DISMISS In this data breach case, James MT Murray brings a putative class action against Connecticut College (“CTC”), asserting claims of negligence, implied breach of contract, and unjust enrichment, and seeking damages and injunctive relief. Murray alleges that, after CTC suffered a data-security breach, cybercriminals gained access to his personal identifying information (“PII”) and personal health information (“PHI”), along with the PII and PHI of similarly situated individuals. He further alleges that the breach resulted from CTC’s failure to adopt reasonable security measures, and that, because of the breach, he and other members of the putative class suffered and continue to suffer economic and non-economic harm. CTC has moved to dismiss the complaint for lack of Article III standing and for failure to state a claim under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). ECF No. 20. For the reasons set forth below, I GRANT in part CTC’s motion. Murray’s negligence claim is DISMISSED. He may proceed on the remainder of his claims. I. BACKGROUND The factual allegations below are taken from Murray’s complaint, ECF No. 1, and I accept them as true for the purposes of this ruling. A. Factual Background CTC is a private liberal arts college located in New London, Connecticut. Id. ¶ 18. Murray and the putative class are “members of the [CTC] community,” id. ¶ 67, and CTC required them “to submit [their] non-public PII and PHI to receive [CTC]’s services.” Id. ¶ 136. CTC stored this information on its computer systems. Id. ¶ 19. When CTC “collects this sensitive information, it promises to use reasonable measures to safeguard the PII and PHI from theft and misuse.” Id. ¶
22. It also “represented in written contracts, marketing materials, and otherwise that it would properly protect all PII and PHI it obtained.” Id. ¶ 25. On February 7, 2024, CTC sent notice letters “to [Murray] and other Class Members,” informing them “that a security incident had resulted in the exfiltration of their PII and PHI.” Id. ¶¶ 20, 40. Specifically, CTC informed recipients that “an unauthorized party [had] accessed and acquired certain files maintained on [its] computer systems,” and that “one or more of the files accessed by the unauthorized party contained [the recipient’s] full name, Social Security number, and potentially one or more of the following elements of [the recipient’s] information: student identification number, education records information, financial aid information, taxpayer
identification number, driver’s license number, government-issued identification numbers(s), financial account information and/or access code, health benefits/enrollment information, and medical record number and/or treatment information provided by [the recipient] to [its] Student Health Services.” Id. ¶ 40. CTC “advised impacted individuals to remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring [their] credit report[s] for unauthorized activity.” Id. ¶ 46. It also recommended that impacted individuals do the following: (1) enroll in Experian Identity Works; (2) place a fraud alert on their credit files; (3) place a security freeze on their credit files; (4) obtain a free credit report; and (5) protect their medical information. Id. CTC also “offered complimentary access to Experian Identity Works (SM) Credit 3B service for 24 months.” Id. ¶ 41 (internal quotations omitted). “Although [this] Data Breach began prior to March, 2023, and was detected on or about March 3, 2023, it was not until February 2024 that [CTC] notified [Murray] and Class Members
of the Data Breach.” Id. ¶ 44. As a consequence of the breach, “[Murray] and Class Members are now subject to the present and continuing risk of fraud, identity theft, and misuse [of their PII and PHI],” id. ¶ 45, as that information “may end up for sale on the dark web, or simply fall into the hands of companies that will use the detailed PII and PHI for targeted marketing without the approval of [Murray] and/or Class Members.” Id. ¶ 55. Murray alleges that he and the class “suffered and will continue to suffer . . . monetary losses, lost time, anxiety, and emotional distress.” Id. ¶ 87. He also alleges that “they have suffered or are at an increased risk of suffering” the following injuries: [1.] The loss of the opportunity to control how their PII and PHI is used; [2.] The diminution in value of their PII and PHI; [3.] The compromise and continuing publication of their PII and PHI; [4.] Out-of-pocket costs associated with the prevention, detection, recovery, and remediation from identity theft or fraud; [5.] Lost opportunity costs and lost wages associated with the time and effort expended addressing and attempting to mitigate the actual and future consequences of the Data Breach, including, but not limited to, efforts spent researching how to prevent, detect, contest, and recover from identity theft and fraud; [6.] Delay in receipt of tax refund monies; [7.] Unauthorized use of stolen PII and PHI; and [8.] The continued risk to their PII and PHI, which remains in the possession of [CTC] and is subject to further breaches so long as [CTC] fails to undertake the appropriate measures to protect the PII and PHI in [its] possession. Id. B. Procedural Background Invoking this Court’s jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2), ECF No. 1 ¶ 15, Murray seeks class certification, damages, and injunctive relief— including “directing [CTC] to adequately safeguard the PII and PHI of [Murray] and the Class . . . by implementing improved security procedures and measures.” Id. at 38-41. CTC filed a motion to dismiss the complaint for lack of standing and failure to state a claim under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). ECF No. 20. While Murray’s complaint initially asserted claims of negligence, breach of contract, breach of implied contract, and unjust
enrichment, id. ¶¶ 135-187, in his brief in opposition to CTC’s motion, Murray informed the Court that he would “no longer pursue his claim in express contract.” ECF No. 26 at 23. I therefore DISMISS Count Two. II. LEGAL STANDARD “A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it.” Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000). “A plaintiff asserting subject matter jurisdiction has the burden of proving by a preponderance of the evidence that it exists.” Id. In adjudicating a motion to dismiss under Rule 12(b)(1) on the pleadings, the court “must accept as true all material facts alleged in the complaint and draw all reasonable inferences in the plaintiff’s favor” except for “argumentative inferences favorable to the party asserting jurisdiction.” Buday v. New York
Yankees P’ship, 486 F. App’x 894, 895 (2d Cir. 2012). To avoid dismissal under Rule 12(b)(6), a plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). I accept as true all of the complaint’s factual allegations when evaluating a motion to dismiss, id., and must “draw all reasonable inferences in favor of the non- moving party,” Vietnam Ass’n for Victims of Agent Orange v. Dow Chem. Co., 517 F.3d 104, 115 (2d Cir. 2008). However, “threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice” to survive a motion to dismiss. Mastafa v. Chevron Corp., 770 F.3d 170, 177 (2d Cir. 2014) (citation omitted). III. DISCUSSION Prior to class certification, “the jurisdiction of the district court depends upon its having jurisdiction over the claim[s] of the named plaintiffs . . . because until certification there is no class action . . . the only action is the suit by the named plaintiffs.” Police and Fire Retirement Sys. of
City of Detroit v. IndyMac MBS, Inc., 721 F.3d 95, 112 n.22 (2d Cir. 2013) (quoting and citing with approval Morlan v. Universal Guar. Life Ins. Co., 298 F.3d 609, 616 (7th Cir. 2002)). In evaluating the sufficiency of Murray’s complaint, I therefore address the complaint’s allegations only as they relate to Murray—the named plaintiff. A. Standing “Article III of the Constitution confines the judicial power of federal courts to deciding actual ‘cases’ or ‘controversies.’ One essential aspect of this requirement is that any person invoking the power of a federal court must demonstrate standing to do so.” Hollingsworth v. Perry, 570 U.S. 693, 704 (2013) (internal citations omitted). “[F]ederal courts lack jurisdiction [over class actions] if no named plaintiff has standing.” Frank v. Gaos, 586 U.S. 485, 492 (2019). “To establish standing under Article III . . . a plaintiff must demonstrate (1) that he or she suffered an
injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.” Thole v. U.S. Bank N.A., 590 U.S. 538, 540 (2020). At the motion to dismiss stage, a plaintiff need only plausibly allege the existence of each element. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992) (“[E]ach element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.”). Here, only the first element is in dispute. CTC argues that Murray “has entirely failed to allege an injury-in-fact that is connected to conduct by CTC sufficient to establish Article III standing.” ECF No. 20-1 at 4. I disagree. Because Murray alleges that CTC caused the disclosure of his private information to third parties—a concrete injury with a common-law analogue—and because Murray alleges future harms that appear sufficiently
imminent, Murray has alleged an injury-in-fact that gives him standing. Murray does not allege that, after the breach, criminals misused his PII and PHI to his detriment. Instead, Murray alleges a litany of potential harms arising from “the present and continuing risk of fraud, identity theft, and misuse” of his PII and PHI. See ECF No. 1 ¶¶ 45, 87 (emphasis added). These potential harms include: (1) the compromise and continuing publication of his PII and PHI; (2) out-of-pocket costs associated with the prevention, detection, recovery, and remediation of identity theft or fraud; (3) lost opportunity costs and lost wages associated with the time and effort expended addressing and attempting to mitigate the actual and future consequences of the data breach; (4) delay in receipt of tax refund monies1; and (5) unauthorized use of stolen PII and PHI.2 Id. ¶ 87. CTC argues that Murray “cannot establish standing based on a risk of future
theft,” ECF No. 20 at 7-10, but CTC is mistaken.
1 Murray does not allege that his tax refund has been delayed, and he states no facts describing how or why any tax refund would be delayed. Nonetheless, because the complaint alleges that criminals “armed with PII and PHI stolen in the Data Breach can commit a litany of crimes,” including “fil[ing] fraudulent tax returns,” ECF No. 1 ¶ 8, I will draw a reasonable inference that such a “delay in receipt of tax refund monies” could occur due to fraudulent criminal activity. Whether Murray has plausibly alleged that this and other speculative harms are sufficiently “imminent” as to confer standing is a separate question, which I address further below. 2 Murray also alleges that he has already suffered “damage to and diminution in the value of [his] PII and PHI,” id. ¶ 72, but this injury is insufficiently pled. The complaint has not stated any facts to suggest that the market value of Murray’s PII and PHI has been diminished by the breach. Even if it were the case, as Murray argues, that “the value of consumer personal information is not derived solely . . . by its worth in some imagined market place . . . but rather in the economic benefits the consumer derives from being able to purchase goods and services remotely and without the need to pay in cash or a check,” id. at 8 (quoting In re Marriot Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 462 (D. Md. 2020)), Murray has not alleged that he has lost the ability to access some good or service remotely as a result of the breach. In McMorris v. Carlos Lopez & Assocs., LLC, the Second Circuit held that a plaintiff “may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of [his or her] data.” 995 F.3d 295, 301 (2d Cir. 2021). The McMorris court identified three factors that bore on whether such an increased risk supported standing: (1) “whether the data
at issue has been compromised as the result of a targeted attack intended to obtain the data”; (2) whether the plaintiffs “can show that at least some part of the compromised dataset has been misused”; and (3) “whether the type of data [at issue] is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” Id. at 301-02. The Court noted that “while none of these factors is alone necessary or sufficient to confer standing, they all bear on whether the risk of identity theft or fraud is sufficiently ‘concrete, particularized, and . . . imminent.’” Id. at 301. Two months after the Second Circuit ruled in McMorris, the Supreme Court decided TransUnion LLC v. Ramirez—a standing decision partially in tension with McMorris. The dispute in TransUnion centered on a U.S. Department of Treasury watchlist containing the names of
“terrorists, drug traffickers, [and] other serious criminals.” 594 U.S. 413, 419 (2021). When TransUnion, a credit reporting agency, found that a consumer’s name matched a name on the watchlist, it would flag that consumer’s credit report. Id. A class of consumer plaintiffs brought suit against TransUnion under the Fair Credit Reporting Act, alleging that TransUnion erroneously flagged their credit reports. Id. at 421. Though every member of the class had a flagged credit report, the reports of only some members had been “disseminated to third-party businesses.” Id. at 432. Addressing the “concrete harm” component of the injury-in-fact requirement, the Court held that “courts should assess whether the alleged injury to the plaintiff has a ‘close relationship’ to a harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” Id. at 424 (citing Spokeo, Inc. v. Robins, 578 U.S. 330, 341(2016)). Because the class members whose reports were disseminated to third parties “suffered a harm with a ‘close relationship’ to the harm associated with the tort of defamation,” the Court had “no trouble concluding that [those] members
suffered a concrete harm . . . .” Id. at 432. However, as to the other class members, the Court found that they had shown only a “mere risk of future harm,” id. at 436, and that that risk “was too speculative to support Article III standing.” Id. at 438. In Bohnak v. Marsh, the Second Circuit sought to reconcile McMorris and TransUnion in the context of a data breach. The Bohnak Court resolved the apparent tension between the two decisions by holding that TransUnion and McMorris each governed separate portions of the injury- in-fact analysis: We conclude that with respect to the question whether an injury arising from risk of future harm is sufficiently ‘concrete’ to constitute an injury in fact, TransUnion controls; with respect to the question whether the asserted injury is ‘actual or imminent,’ the McMorris framework continues to apply in data breach cases like this. Id. at 280. To have standing, Murray must plausibly allege that CTC’s inadvertent disclosure of his private information caused him an “actual or imminent” injury that is “concrete and particularized.” See Lujan, 504 U.S. at 560. CTC does not dispute that Murray has satisfied the particularity requirement. Instead, it argues that Murray’s allegations “fall short of establishing standing” under McMorris and TransUnion. ECF No. 20-1 at 6; see also id. at 8 (“[Murray] has failed to sufficiently allege a concrete, actual and imminent injury-in-fact . . . .”). I begin with the McMorris analysis. Actual or Imminent The first McMorris factor asks “whether the data at issue has been compromised as the result of a targeted attack intended to obtain the data.” McMorris, 995 F.3d at 301. “[W]here plaintiffs demonstrate that a malicious third party intentionally targeted a defendant’s system and
stole plaintiffs’ data stored on that system, courts have been more willing to find that those plaintiffs have established a likelihood of future identity theft or fraud sufficient to confer standing.” Id. CTC argues that Murray “does not make any allegations that an unauthorized third party purposefully obtained his . . . data.” ECF No. 27 at 6. But Murray plainly does, as his complaint alleges that “the unauthorized third-party cybercriminals gained access to [his] PII and PHI with the intent of engaging in misuse of the PII and PHI, including marketing and selling [his] PII and PHI.” ECF No. 1 ¶ 51. Accepting this fact as true, as I am required to do at the pleadings stage, I find that Murray satisfies the first McMorris factor. CTC makes much of the complaint’s reference to “ransomware.” See, e.g., id. ¶ 54 (“[Murray] remain[s], even today, in the dark regarding . . . the particular ransomware used . . . .”).
It cites In re Practicefirst Data Breach Litigation for the proposition that ransomware attacks are not the kind of “targeted attempt to expose or copy plaintiffs’ confidential data for purposes of identity theft or . . . fraud” contemplated by the first McMorris factor. ECF No. 27 at 5 (citing No. 1:21-cv-00790, 2022 WL 354544, at *5 (W.D.N.Y. Feb. 2, 2022)). Instead, “the primary purpose of a ransomware attack is the exchange of money for access to data . . . .” In re Practicefirst, 2022 WL 354544, at *5. First, unlike the complaint in In re Practicefirst—which specifically alleged and defined a ransomware attack, id. at *1—Murray’s complaint alleges only that Murray remains “in the dark regarding what particular data was stolen, the particular ransomware used, and what steps are being taken, if any, to secure [his] PII and PHI going forward. ECF No. 1 ¶ 54 (emphasis added). In the face of Murray’s express allegation that the cyber criminals “intended to misuse” his data, id. ¶ 51, I cannot draw a contrary inference, from this allegation of “ransomware,” that Murray has alleged a ransomware attack. The second McMorris factor asks whether the plaintiff “can show that at least some part of
the compromised dataset has been misused . . . .” McMorris, 995 F.3d at 301. Here, Murray loses. The complaint contains no allegations that Murray’s data, or the data of others affected by the breach, has been misused. See id. (clarifying that the plaintiffs can satisfy the second factor “even if plaintiffs’ particular data subject to the [ ] disclosure incident has not yet been affected”) (emphasis in original). Nor does Murray argue otherwise. The third McMorris factor asks “whether the type of data [at issue] is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” Id. at 302. “Naturally, the dissemination of high-risk information such as Social Security numbers and dates of birth – especially when accompanied by victim’s names – makes it more likely that those victims will be subject to future identity theft or fraud.” Id. Murray satisfies this factor. He alleges
that “on or about March 3, 2023,” a breach occurred that caused his “personal information . . . to be exfiltrated . . . by cybercriminals.” ECF No. 1 ¶ 1. In response to the breach, he alleges, CTC “notified the public . . . that data in its possession had been compromised in a Data Breach.” Id. ¶ 39. He also alleges that CTC sent him a notice letter stating that the “information involved” included his “full name [and] Social Security number.” Id. ¶ 40. Further, Murray’s other allegations likewise suggest that the cybercriminals stole additional “high-risk information” of the type contemplated by McMorris’s third factor—i.e., information susceptible to misuse that cannot be easily rendered useless. See McMorris, 995 F.3d at 302. He alleges that the breach involved “financial aid information, taxpayer identification number[s], driver’s license number[s], government-issued identification number[s], financial account information . . . health benefits/enrollment information[,] and medical record number[s].” Id. ¶ 2. Moreover, he alleges that “armed with the PII and PHI stolen in the Data Breach, criminals can . . . open new financial accounts in Class Members’ names, take out loans using Class
Members’ identities, use Class Members’ identities to obtain government benefits, [and] file fraudulent tax returns using Class Members’ names . . . .” Id. ¶ 8. Fraudulent schemes like these can only be carried out with the most sensitive of personal information. These allegations are easily sufficient to satisfy the third factor. Because Murray satisfies two of the three McMorris factors, I find that he has plausibly alleged an imminent injury. This result accords with the result in Bohnak, where the Court also found that the plaintiff satisfied two of the three factors and therefore “sufficiently alleged that she faces an imminent risk of injury . . . .” Bohnak, 79 F.4th at 288. Bohnak is instructive not only because Bohnak and Murray share the same McMorris score, but also because the two cases share relevant facts. Like Murray, Bohnak alleged “that her PII was exposed as a result of a targeted
attempt by a third party to access the data set,” id. at 288, and “that the PII taken by the hackers include[d] her name and SSN.” Id. at 289. Bohnak likewise did not allege “any known misuse of the information in the dataset accessed in the hack.” Id. Taking these factual allegations into account, the Bohnak court concluded that: [While] Bohnak has not pulled off a hat trick with respect to the factors identified in McMorris . . . the allegations of a targeted hack that exposed Bohnak’s name and SSN to an unauthorized actor are sufficient to suggest a substantial likelihood of future harm, satisfying the ‘actual or imminent harm’ component of an injury in fact. Id. Bohnak’s authority is binding, and so the same result follows here. Concrete Injuries are concrete if they have “a close relationship to harm traditionally recognized as providing a basis for a lawsuit in American courts.” TransUnion, 594 U.S. at 424. Murray alleges that CTC “disclosed [Murray’s] PII and PHI . . . for criminals to use in the conduct of criminal
activity.” ECF No. 1 ¶ 107. Bohnak makes clear that such an injury is concrete. In Bohnak, the Court found that “the core injury” in that case—“exposure of Bohnak’s private PII to unauthorized third parties”—bore “some relationship to a well-established common-law analog: public disclosure of private facts.” Bohnak, 79 F.4th at 285. The Court noted that “[i]n TransUnion itself, the Supreme Court specifically recognized that ‘disclosure of private information’ was an intangible harm ‘traditionally recognized as providing a basis for lawsuits in American courts.’” Id. at 286. Furthermore, as the Court in Bohnak recognized, TransUnion leaves open the possibility that “a risk of future harm could itself cause a separate and concrete harm, in which case the plaintiff would have standing to pursue damages premised on that separate concrete harm.” Id. at
285 (internal quotations and alterations omitted); see also TransUnion, 594 U.S. at 437 (finding persuasive the argument that “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm”) (emphasis in original). Like Murray, Bohnak alleged “out-of- pocket expenses associated with the prevention, detection, and recovery from identity theft and lost time and other opportunity costs associated with attempting to mitigate the consequences of the breach.” Bohnak, 79 F.4th at 285 (internal quotations omitted); ECF No. 1 ¶ 185 (“As a direct and proximate result of [CTC]’s conduct, [Murray] ha[s] suffered . . . out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and/or unauthorized use of [his] PII . . . [and] lost opportunity costs associated with effort expended . . . addressing and attempting to mitigate the actual and future consequences of the Data Breach . . . .”). The Bohnak Court concluded that such injuries constitute “separate concrete harm[s]” that “independently support standing.” Bohnak, 79 F.4th at 286.
CTC argues that Murray “cannot create standing merely by inflicting harm on himself based on fears of hypothetical future harm that is not certainly impending – especially when the self-inflicted mitigation costs were offered by CTC at no cost.” ECF No. 27 at 6. But Murray has alleged costs beyond the 24 months of credit monitoring services CTC offered, including the “lost wages associated with the time and effort expended addressing and attempting to mitigate the actual and future consequences of the Data Breach . . . .” Id. ¶ 87. Furthermore, these alleged injuries do not arise from a risk that is “speculative” or de minimis but rather a risk I found to be “substantial” and “imminent” under McMorris. See Bohnak, 79 F.4th at 286 (“Our conclusion on this point is consistent with McMorris, in which we explained . . . that where plaintiffs have shown a substantial risk of future identity theft or fraud, any expenses they have reasonably incurred to
mitigate that risk likewise qualify as injury in fact.”) (internal quotations omitted). Perhaps aware that Bohnak compels the result here, CTC attacks the Bohnak decision itself—arguing that the decision was “misguided.” ECF No. 20-1 at 7-8. Even if it is, however, it is binding on me. And CTC’s argument on this point is not persuasive. CTC argues that the Bohnak Court, in finding a common-law analogue to Bohnak’s injury in the tort of public disclosure of private facts, “disregard[ed] a fundamental element of the common law tort of public disclosure of private facts: publicity.” ECF No. 20-1 at 7. CTC contends that “[n]either the defendant in Bohnak nor CTC in this case were alleged to have communicated private information to the public at large.” Id. But CTC overlooks that both TransUnion and Bohnak expressly caveat that a common-law analogue need not be “an exact duplicate in American history and tradition.” TransUnion, 594 U.S. at 424; Bohnak, 79 F.4th at 286 (“For the purposes of the ‘concreteness’ analysis under TransUnion, what matters is that the intangible harm arising from the disclosure of one’s PII bears a relationship to an injury with a ‘close historical or common-law analogue.’ And
that analog need not be an ‘exact duplicate.’”) (internal citations omitted). Like the defendant in Bohnak, CTC is alleged to have caused the disclosure of Murray’s private information to strangers. I find its alleged conduct sufficiently analogous to the conduct of “one who gives publicity to a matter concerning the private life of another . . . .” See Publicity Given to Private Life, RESTATEMENT (SECOND) OF TORTS § 652D. The injury created by that conduct is therefore concrete. Because Murray seeks both damages and injunctive relief, he “must demonstrate standing separately for each form of relief sought.” TransUnion, 594 U.S. at 436. CTC appears to have limited its argument to Murray’s standing on his claims for damages. See, e.g., ECF No. 27 at 2 (“[Murray] cannot base his claim for damages on the fear of potential and speculative future
harm.”); id. at 3 (“Critically, in a suit for damages, the mere risk of future harm, without more, is insufficient to demonstrate Article III standing.”). Because I have found that Murray’s alleged injuries are imminent, I find that he also has standing to sue for injunctive relief. See TransUnion, 594 U.S. at 436 (“[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.”). As to both forms of relief, Murray has alleged an injury- in-fact that is concrete, particularized, actual or imminent. I therefore deny CTC’s motion under Rule 12(b)(1) and turn to whether Murray has stated a claim under Rule 12(b)(6). B. Negligence “A cause of action in negligence is comprised of four elements: duty; breach of that duty; causation; and actual injury.” Ruiz v. Victory Properties, LLC, 315 Conn. 320, 328 (2015). CTC argues that Murray has failed to adequately plead duty. ECF No. 20-1 at 13. I agree. “Duty is a legal conclusion about relationships between individuals, made after the fact, and imperative to a negligence cause of action.” Jaworski v. Kiernan, 241 Conn. 399, 404 (1997).
In Connecticut, duty is a function of two variables: foreseeability and public policy. Id. Harm is foreseeable if an “ordinary person in the defendant’s position, knowing what he knew or should have known, [would have] anticipate[d] that harm of the general nature of that suffered was likely to result” Id. (alterations omitted). But because many harms are foreseeable, Connecticut courts must also determine whether, as a matter of public policy, the defendant should be held liable for the foreseeable harm at issue. Id. (“The final step in the duty inquiry, then, is to make a determination of ‘the fundamental policy of the law, as to whether the defendant’s responsibility should extend to such results.’”). In determining whether a contemplated legal duty accords with public policy, courts consider four factors: “(1) the normal expectations of the participants in the
activity under review.; (2) the public policy of encouraging participation in the activity, while weighing the safety of the participants; (3) the avoidance of increased litigation; and (4) the decisions of other jurisdictions.” Murillo v. Seymour Ambulance Ass’n, Inc., 264 Conn. 474, 480 (2003). Murray argues that he has adequately pled duty, yet in the three pages of his brief devoted to the topic, he does not cite a single Connecticut case. See ECF No. 26 at 15-17. Instead, he cites out-of-circuit cases and two cases from federal district courts in New York, none of which apply Connecticut law. He has failed to provide any analysis of the duty question under the framework used by Connecticut courts. Moreover, I could find no Connecticut case recognizing the particular duty Murray posits here. In any event, “[i]t is not this Court’s role to recognize new or expanded causes of action under state law.” Kenneson v. Johnson & Johnson, Inc., No. 3:14-cv-01184, 2015 WL 1867768, at *6 (D. Conn. Apr. 23, 2015). Because Murray has failed to offer any relevant analysis and because the existence of a duty is a matter of judicial policy best left to Connecticut
courts to determine in the first instance, I DISMISS Murray’s negligence claim. C. Breach of Implied Contract The elements of a breach of contract are the formation of an agreement, performance by one party, breach of the agreement by the other party and damages.” Sullivan v. Thorndike, 104 Conn. App. 297, 303 (2007). “[T]o prove the formation of an [ ] agreement, a plaintiff must establish the existence of a mutual assent, or a meeting of the minds . . . .” Platt, Trustee of the Virginia D’Addario Spray Trusts v. Tilcon Connecticut, Inc., 196 Conn. App. 564, 577 (2020). An implied contract “is the same as an express contract, expect that assent is not expressed in words, but is implied from the conduct of the parties.” Auto Glass Exp., Inc. v. Hanover Ins. Co., 293 Conn. 218, 224 (2009). CTC denies the formation of any agreement: “Murray does not identify from where CTC’s alleged promises that form the basis of this purported implicit agreement arose.
Neither does [Murray] identify what those promises were, nor does he describe what conduct on the part of CTC led him to believe they had come to any meeting of the minds.” ECF No. 20-1 at 17. I disagree. The complaint pleads sufficient facts to suggest the formation of a contract. The key ingredients of the exchange, as alleged, are as follows: CTC required Murray to pay money and relinquish his private information as a condition of his enrollment at CTC. ECF No. 1 ¶ 162 (“[Murray] paid money to [CTC] in exchange for goods and services . . . .”); id. ¶ 160 (“[CTC] required [Murray] to provide and entrust [his] PII/PHI as a condition of obtaining services from [CTC].”) In return, CTC promised to provide “educational and other services,” id. ¶ 149, to “protect [Murray]’s [ ] health information and other PII and PHI from unauthorized disclosure,” id. ¶ 161, and to “comply with HIPAA standards.” Id. ¶ 162. Under this mutual exchange of promises, both Murray and CTC enjoined the benefit of the bargain. See Sokaitis v. Bakaysa, 105 Conn. App. 663, 667 (2008) (“An exchange of promises is sufficient consideration to support a contract.”). Moreover, from the complaint’s allegation that Murray was “enrolled,” see id. ¶ 77, I
draw the reasonable inference that Murray was a student, and in Connecticut, “courts have recognized a contractual relationship between students and educational institutions.” McNeil v. Yale Univ., 436 F. Supp. 3d 489, 529 (D. Conn. 2020), vacated on other grounds, 2021 WL 5286647 (2d Cir. Nov. 15, 2021) (collecting cases). I acknowledge that it’s a close call as to whether some of these allegations are sufficiently detailed. While Murray alleges that CTC promised to protect his data, he does not allege who made these promises, when they made them, or what form they took (e.g., verbal, written, or otherwise). Nevertheless, even without allegations that CTC made express promises, Murray’s implied contract claim would survive. As discussed above, the factual circumstances, as alleged, are that Murray enrolled at CTC and, as a condition of that enrollment, CTC required Murray to pay tuition
and surrender his data. Such an arrangement is not unusual. Colleges and universities routinely acquire students’ information for purposes related to registration, health, safety, and financial aid. Murray’s claim that, in doing so, the schools implicitly promise that they will maintain that data in a responsible manner is plausible.3
3 CTC also argues that any promises related to safeguarding Murray’s data were unsupported by consideration as, under the Health Insurance Portability and Accountability Act (“HIPAA”), 42 U.S.C. §§ 1320d et seq., CTC already had a statutory obligation to protect Murray’s data. ECF No. 27 at 8 (“[The implied contract claim] of [Murray]’s complaint fails because CTC owed [Murray] a preexisting statutory duty under HIPAA to protect his personal information . . . CTC provided no consideration.”); see also Hadji v. Snow, 232 Conn. App. 829, 851 (2025) (“To be enforceable, a contract must be supported by consideration.”). But the complaint only alleges that HIPPA requires “business entities” like CTC to protect PHI—not PII, see ECF No. 1 ¶ 110, and CTC cites no provision of HIPAA suggesting that its mandate encompass all forms of sensitive data. Finally, CTC disputes the element of damages. See ECF No. 27 at 9 (“[Murray] fails to allege any cognizable damages for breach of contract.”). CTC makes the point that “speculative risk of future identity theft, is not cognizable injury under negligence, breach of contract, consumer fraud or other related theories.” Id. at 10-11. In support of this claim, CTC cites Shafran v. Harley
Davidson. Id. at 11 (citing No. 07-cv-01365, 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“Courts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff has not presented any case law or statute, from any jurisdiction, indicating otherwise.”)) Importantly, Shafran predates Bohnak—a case that is once again dispositive. In Bohnak, the district court dismissed Bohnak’s claims, in part, because “her alleged loss of time and money responding to the increased harm was not ‘cognizable.’” Bohnak, 79 F.4th at 289. The Second Circuit reversed, ruling that “Bohnak’s alleged injury arising from the increased risk of harm is cognizable for standing purposes, and thus could support a claim for damages.” Id. at 289-90 (emphasis in original). The Court remarked that “[t]o say that the plaintiffs have standing is to say
that they have alleged injury in fact, and if they have suffered an injury then damages are available.” Id. at 290 (quoting Dieffenbach v,. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018)). Likewise here, because Murray has alleged an injury-in-fact, he has alleged damages with respect to his contract claim.4 Accordingly, and for the reasons set forth above, Murray’s breach of implied contract claim may proceed. CTC’s motion to dismiss the claim is DENIED. D. Unjust Enrichment “Plaintiffs seeking recovery for unjust enrichment must prove (1) that the defendants were benefited, (2) that the defendants unjustly did not pay the plaintiffs for the benefits, and (3) that
4 In any event, a breach of contract claim may proceed under Connecticut law even without proof of damages. See Bruno v. Whipple, 186 Conn. App. 299, 317 (2018). the failure of payment was to the plaintiffs’ detriment.” Town of New Hartford v. Connecticut Res. Recovery Auth., 291 Conn. 433, 451-52 (2009). CTC argues that “[d]espite pleading that he . . . ‘conferred a monetary benefit’ upon CTC, [Murray] fails to explain exactly how CTC benefited from the PII information . . . .” ECF No. 20-1 at 18. This misconstrues the allegations. Murray’s
unjust enrichment claim is straightforward. Murray alleges that he “conferred a monetary benefit on [CTC], by paying money for education and other services, a portion of which funds was intended to be used by [CTC] for data security measures.” ECF No. 1 ¶ 179. He then alleges that CTC “enriched itself by saving the costs it reasonably should have expended on data security measures to secure [Murray]’s PII and PHI.” Id. ¶ 180. Murray’s claim is not predicated solely on the value of his PII but also on the excess profit CTC extracted from his tuition dollars by relying on less expensive and less effective data security. CTC also argues that Murray “does not allege that CTC understood that [Murray] believed he was paying for data privacy in addition to education.” ECF No. 27 at 9. But it does not explain why such an allegation is required to plead an unjust enrichment claim. See Connecticut Nat. Bank
v. Chapman, 153 Conn. 393, 399 (1966) (“It is not necessary, in order to create an obligation to make restitution or to compensate, that the party unjustly enriched should have been guilty of any tortious or fraudulent act.”). Further, it is reasonable to infer that students have an expectation that colleges and universities will allocate their tuition dollars to purposes beyond the classroom— including the various administrative functions that support and enhance a learning environment, i.e., career and academic advising, facilities maintenance, and surely, information security services. Murray’s unjust enrichment claim is pled in the alternative to his breach of contact claim. ECF No. 1 ¶ 178. Because CTC denies the existence of any implied contract, it would not be appropriate to dismiss Murray’s unjust enrichment claim before discovery and before the parties have had an opportunity to prove or disprove whether there was such a contract. See Michel v. Yale Univ., 547 F. Supp. 3d 179, 192-93 (D. Conn. 2021) (“The lack of a remedy under a contract is precondition to recovery based on unjust enrichment. Thus, under Connecticut law, a party may
properly plead an unjust enrichment claim in the alternative to a breach of contract claim . . . .”) (internal quotations, citations, and alterations omitted); Jones, 2024 WL 1307148, at *9 (expressing doubt about plaintiffs’ theory that defendant was unjustly enriched by “the value of the savings [defendant] enjoyed by not protecting [plaintiffs’] information,” but concluding that “whether this claim might be factually supportable after discovery is not a basis upon which this claim should be dismissed at the pleadings stage”). Accordingly, and for the reasons above, Murray may proceed with his unjust enrichment claim. IV. CONCLUSION For the reasons above, I GRANT in part and DENY in part CTC’s motion to dismiss (ECF No. 20). A final note: I have found that most of Murray’s claims survive CTC’s Rule 12(b)(1) and
12(b)(6) motion under Second Circuit standards. But that does not mean that they are strong or well-pled claims. To the contrary, the complaint contains precious few specific facts. It does not even expressly allege that Murray was a student at CTC or, if so, when he attended, although, as I noted above, I can reasonably infer from the references to “enrollment” that he was a student at some point. More troublingly, however, the complaint is basically a cookie-cutter, with lots of filler about FTC regulations and general allegations about steps CTC should have, but “on information and belief” did not, take to protect Murray and the putative class’s data. These are the types of general allegations that anyone who learns his data was stored by a company or organization that has been the victim of a criminal data breach could make. The generic character of this complaint is, perhaps, not surprising in that one of the two lawyers representing Murray reports on his website that he has represented classes in several other data breach cases. See https://www.forthepeople.com/attorneys/john-yanchunis/. Both the complaint and Murray’s response brief in this case—which relies largely on out-of-Circuit case law—appear to have been
repackaged for this case with little effort or attention to detail. As the case progresses, I trust that plaintiff’s counsel will make more of an effort to engage with the specific facts applicable to this case and with the applicable law. IT IS SO ORDERED.
/s/ Michael P. Shea, U.S.D.J.
Dated: Hartford, Connecticut September 23, 2025