NOT FOR PUBLICATION
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY
PENN, LLC, d/b/a PULSETV.COM, Plaintiff, Civil Action No. 22-6760 (SDW) (ESK) v. OPINION FREESTYLE SOFTWARE INC., f/k/a September 15, 2023 DYDACOMP DEVELOPMENT CORP., INC., Defendant.
WIGENTON, District Judge. Before this Court is Defendant Freestyle Software, Inc.’s (“Defendant” or “Freestyle”) Motion to Dismiss (D.E. 18 (“Motion”)) Plaintiff Penn, LLC, d/b/a PulseTV.com’s (“Plaintiff” or “PulseTV”) Complaint (D.E. 1 (“Complaint”)) for failure to state a claim upon which relief can be granted pursuant to Federal Rule of Civil Procedure (“Rule”) 12(b)(6). Jurisdiction is proper pursuant to 28 U.S.C. §§ 1331 and 1367. Venue is proper pursuant to 28 U.S.C. § 1391(b). This opinion is issued without oral argument pursuant to Rule 78. For the reasons stated herein, Defendant’s Motion is GRANTED IN PART AND DENIED IN PART. I. FACTUAL AND PROCEDURAL HISTORY This case arises from a data breach. Plaintiff, a business-to-consumer e-commerce company, sells products to its customers through its website, PulseTV.com. (D.E. 1 ¶¶ 15–16.) Defendant provides e-commerce software and hosting services for hundreds of online stores. (Id. ¶ 2.) A. The Services Agreements Since March 2001, Plaintiff has used Defendant’s online shopping cart technology, SiteLINK Toolkit. (Id. ¶ 21.) Among other things, SiteLINK provides its users with payment- processing services related to bank-card and credit-card transactions. (Id.) In or about 2005, Defendant notified Plaintiff that it would no longer offer SiteLINK outside of Defendant’s hosting
environment—i.e., its web servers. (Id. ¶ 24.) To convince Plaintiff to transition PulseTV.com’s e-commerce store to Defendant’s web servers, Defendant and its agents misrepresented the servers’ safety, security, and compliance with the Payment Card Industry Data Security Standard (“PCI DSS”).1 (Id. ¶ 26.) As a result of those misrepresentations, Plaintiff entered into a new services contract with Defendant. (Id. ¶¶ 26, 29, 32–33.) Defendant’s false assurances allegedly continued throughout the parties’ years-long business relationship. (Id. ¶¶ 32–33.) For instance, the Complaint alleges that “Freestyle’s President[] falsely stated to PulseTV that Freestyle had a plan to become PCI DSS compliant in 2005,” (id. ¶ 27); that “Freestyle’s current President, Jim Cahill, later noted that Freestyle had
retained a PCI Compliance Officer,” (id.); that “[b]etween 2005 and 2012, Freestyle made numerous misrepresentations to PulseTV that SiteLINK and Freestyle’s hosting environment were safe, secure, and PCI DSS compliant,” (id. ¶ 29); and that around March 2012, “Freestyle represented to PulseTV that Freestyle had a plan to maintain PCI compliance,” (id. ¶ 36). Plaintiff asserts that, because of these repeated misrepresentations, it continued to accept updated terms and conditions from Defendant,2 and Defendant, in turn, became solely responsible for hosting and
1 According to the Complaint, “[t]he PCI DSS are technical and operational requirements that apply to all organizations that store, process, or transmit cardholder data—with guidance for software developers and manufacturers of applications and devices used in those transactions.” (Id. ¶ 23.) These requirements are created and imposed by “credit card industry leaders.” (Id. at 22.)
2 The Complaint alleges that, after 2005, Defendant sent—and Plaintiff accepted—several iterations of the services agreement, including in at least 2012 and 2018. (Id. ¶ 34; see also D.E. 1-1, 1-2.) Most recently, on or about August managing Plaintiff’s e-commerce infrastructure. (Id. ¶ 18.) As such, Defendant’s network contained highly sensitive information—including “credit and/or debit number(s), expiration date(s), internal bank codes, personal identifying information and/or other confidential financial information—for tens of thousands of Plaintiff’s customers. (Id. ¶ 4.) B. The Data Breach
In March 2021, Plaintiff received a third-party email notice of a potential Common Point of Purchase (“CPP”).3 (Id. ¶ 52.) At that time, no evidence of a data breach was discovered. (Id.) Months later, in October 2021, Plaintiff again received a notice of additional CPPs and, in turn, hired forensic investigators to uncover the issue. (Id. ¶¶ 53–54.) Because of Defendant’s poor management of its systems, Plaintiff’s first forensic investigator was unable to determine the source of the breach. (Id. ¶ 54.) At the behest of several credit brands, Plaintiff continued to investigate the breach. (Id.) On or around January 11, 2022, Plaintiff engaged Kroll, a global company certified as a PCI Forensic Investigator, to conduct a PCI Forensic Investigation. (Id. ¶ 71.) Kroll determined
that Defendant’s web server was compromised by malicious software (“malware”) as early as September 9, 2020. (Id. ¶¶ 72.) The breach was not contained until in or about February 2022. (Id. ¶ 169.) According to the Complaint, Defendant failed to comply with the PCI standards by neglecting to create and retain backups, failing to implement file integrity monitoring, and lacking a change-detection mechanism to alert personnel to unauthorized access to its network. (Id. ¶¶ 63,
15, 2018, Defendant sent Plaintiff an invoice for its services, which was accompanied by a new set of terms and conditions governing the business relationship (“2018 Contract”). (D.E. 1 ¶ 39; D.E. 1-2 at 2–24.) The Complaint alleges that, at all times relevant to the parties’ business relationship, Defendant reserved the right to unilaterally amend, supplement, or terminate the agreements; Plaintiff lacked a meaningful opportunity to negotiate or revise the standard form service contract; and Defendant imposed terms and conditions that limited its liability in the event of a data breach caused by its own negligence. (D.E. 1 ¶¶ 40–42.)
3 A CCP is a report that suggests the existence of potential payment-card fraud. (Id. ¶ 71.) 65, 73.) Plaintiff alleges that, if Defendant had complied with the PCI standards, it would have been able to detect and timely resolve the data breach. (Id. ¶ 73.) Instead, the data breach was able to persist from September 2020 until February 3, 2022, which allegedly caused Plaintiff and its customers harm in several ways: data belonging to Plaintiff’s customers is now located on the dark web, which means it is available for sale to bad actors with nefarious and illegal purposes,
(id. ¶ 69); since the first quarter of 2021, Plaintiff has experienced a near 50 percent decrease in gross sales volumes, (id. ¶¶ 75, 81); many of Plaintiff’s customers have unsubscribed from its email distribution lists,4 (id. ¶¶ 76, 85, 87–88, 90); and Plaintiff has lost approximately $902 per week in advertising revenue, which equates to $117,360.88 over the next five years, (id. ¶ 90); and Defendant’s inability to assist Plaintiff in concluding the investigation has precluded Plaintiff from mitigating its damages, (id. ¶¶ 64, 77). According to the Complaint, Defendant’s breach compromised the payment card information of over 236,000 of Plaintiff’s customers and caused losses in excess of $30 million. (Id. ¶¶ 83–84.) C. Procedural History
On November 23, 2022, Plaintiff filed the Complaint in this Court, asserting the following claims against Defendant: Declaratory Judgment (Count I); Negligence/Gross Negligence (Count II); Breach of Contract (Count III); Breach of Implied Contract (Count IV); Negligence Per Se (Count V); Negligent Misrepresentation/Fraudulent Inducement (Count VI); Violation of the New Jersey Consumer Fraud Act (“NJCFA”), N.J. Stat. Ann. 56:8-1 et seq. (Count VII); Per Se
4 Plaintiff’s primary business is email-subscription driven and relies on its ability to maintain long-term relationships with repeat customers. (Id. ¶ 6.) According to the Complaint, 95 percent of Plaintiff’s e-commerce sales are generated by sending emails to people on its distribution list. (Id. ¶ 86.) The Complaint alleges that each time Plaintiff sent a notification to its customers regarding the data breach, “it experienced a near immediate loss in email subscriptions and further decreases in sales.” (Id. ¶ 76.) Plaintiff estimates that approximately 55,439 typical buyers have unsubscribed from the distribution list as a result of the data breach. (Id. ¶ 87.) Plaintiff estimates that approximately 11,055 VIP buyers, each with an average lifetime value of $370.19, have unsubscribed from the distribution list. (Id. ¶ 88.) Violation of the NJCFA (Count VIII); Violation of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 (Count IX); Violation of the New Jersey Truth-In-Consumer Contract, Warranty, and Notice Act (“NJTCNA”), N.J. Stat. Ann. 56:12-15 (Count X); Punitive Damages (Count XI); and Indemnification and Contribution (Count XII). On February 21, 2023, Defendant filed the Motion. (D.E. 18.) The parties timely completed briefing.5 (D.E. 26, 33.)
II. LEGAL STANDARD An adequate complaint must be “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). This Rule “requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do. Factual allegations must be enough to raise a right to relief above the speculative level . . . .” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (internal citations omitted); see also Phillips v. Cnty. of Allegheny, 515 F.3d 224, 232 (3d Cir. 2008) (confirming that Rule 8 “requires a ‘showing,’ rather than a blanket assertion, of an entitlement to relief”). In other words, Rule 8(a)(2) “demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Ashcroft v. Iqbal, 556
U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 555). In addition, a plaintiff alleging fraud by a defendant must meet the “stringent pleading restrictions of Rule 9(b)” by pleading with particularity “the circumstances constituting fraud or mistake . . . .” Frederico v. Home Depot, 507 F.3d 188, 200 (3d Cir. 2007) (quoting Fed. R. Civ. P. 9(b)). To satisfy this heightened pleading
5 This Court notes that both parties have failed to comply with Local Civil Rule (“Local Rule”) 7.2(d), which provides:
Each page of a brief shall contain double-spaced text and/or single-spaced footnotes or inserts. Typeface shall be in 12-point non-proportional font (such as Courier New 12) or an equivalent 14-point proportional font (such as Times New Roman 14). If a 12-point proportional font is used instead, the page limits shall be reduced by 25 percent (e.g., the 40 page limit becomes 30 pages in this font and the 15 page limit becomes 11.25 pages). Footnotes shall be printed in the same size of type utilized in the text.
L. Civ. R. 7.2(d). Briefing on any subsequent motions must adhere to the Local Rules. standard, “the plaintiff must plead or allege the date, time and place of the alleged fraud or otherwise inject precision or some measure of substantiation into a fraud allegation.” Id. (citing Lum v. Bank of Am., 361 F.3d 2817, 224 (3d Cir. 2004)).
When considering a motion to dismiss under Rule 12(b)(6), a court must “accept all factual allegations as true, construe the complaint in the light most favorable to the plaintiff, and determine whether, under any reasonable reading of the complaint, the plaintiff may be entitled to relief.” Phillips, 515 F.3d at 231 (quoting Pinker v. Roche Holdings, Ltd., 292 F.3d 361, 374 n.7 (3d Cir. 2002)). However, “the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions. Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 555); see also Fowler v. UPMC Shadyside, 578 F.3d 203, 209–11 (3d Cir.
2009) (discussing the Iqbal standard). “[A] complaint must contain sufficient factual matter, accepted as true, ‘to state a claim to relief that is plausible on its face.’” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 555). Determining whether the allegations in a complaint are “plausible” is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Id. at 679. If “the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct,” the complaint should be dismissed for failing to “show[] . . . that the pleader is entitled to relief.” Id. (quoting Fed. R. Civ. P. 8(a)(2)).
III. DISCUSSION
A. Withdrawn Claims
At the outset, this Court notes that Plaintiff has attempted to “withdraw[] without prejudice its First, Fifth, Eighth, Ninth, Tenth, and Twelfth Causes of Action,” (“Withdrawn Claims”). (D.E. 26 at 20.) To withdraw claims without prejudice, however, a plaintiff must amend the complaint pursuant to Rule 15(a). Fed. R. Civ. P. 15(a); see Dirauf v. Berger, 506 F. Supp. 3d 254, 263 (D.N.J. 2020) ("[A] plaintiff wishing to withdraw particular claims without prejudice must [instead] amend the complaint pursuant to [Rule] 15(a).” (quoting Ctr. for Orthopedics & Sports Med. v. Horizon, No. 13-1963, 2015 WL 5770385 at *2 (D.N.J. Sept. 30, 2015))). Therefore, should Plaintiff fail to amend the Complaint within 30 days of this Opinion, the Withdrawn Claims
will be dismissed with prejudice.6 B. Breach of Contract (Count III)7
To state a claim for breach of contract under New Jersey law, a plaintiff must allege that “the parties entered into a valid contract, that the defendant failed to perform his obligations under the contract[,] and that the plaintiff sustained damages as a result.” Fed Cetera, LLC v. Nat’l Credit Servs., Inc., 938 F.3d 466, 469 (3d Cir. 2019) (quoting Murphy v. Implicito, 920 A.2d 678, 689 (N.J. Super. Ct. App. Div. 2007)); Globe Mot. Co. v. Igdalev, 139 A.3d 57, 64 (N.J. 2016). Here, the Complaint alleges that “Plaintiff entered into contracts with Defendant that impose minimum standards that Freestyle must meet with respect to the security and non- disclosure of [Plaintiff’s] Sensitive Financial Information,” and that those “contracts require . . .
6 The dismissal of Plaintiff’s federal claims would strip this Court of jurisdiction pursuant to 28 U.S.C. § 1331. Plaintiff, then, would need to amend the Complaint to sufficiently plead diversity jurisdiction pursuant to 28 U.S.C. § 1332. See Lincoln Ben. Life Co. v. AEI Life, LLC, 800 F.3d 99, 106–08 (3d Cir. 2015).
7 This Court must apply the choice-of-law rules of the forum state—here, New Jersey—to determine which states’ substantive laws apply to each state law cause of action. Hammersmith v. TIG Ins. Co., 480 F.3d 220, 226 (3d Cir. 2007). New Jersey courts generally “uphold [a] contractual choice[-of-law] provision if it does not violate New Jersey’s public policy.” Instructional Sys., Inc. v. Comp. Curriculum Corp., 614 A.2d 124, 133 (N.J. 1992) (collecting cases). Here, the several agreements appended to the Complaint contain New Jersey choice-of-law provisions. (See D.E. 1-2 at 18, 44.) Neither party disputes that New Jersey law applies to the tort- and contract-based claims; indeed, both parties have briefed the sufficiency of those claims under New Jersey law. Therefore, this Court will, for purposes of deciding the instant Motion, apply New Jersey law to the tort- and contract-based claims. See Argabright v. Rheem Mfg. Co., 201 F. Supp. 3d 578, 591 n.5 (D.N.J. 2016) (“Since Plaintiffs have made their allegations under New Jersey law and both parties have briefed the sufficiency of the claims under New Jersey law, the Court will, for purposes of deciding the present motion to dismiss, apply New Jersey law to determine whether Plaintiffs have succeeded in stating plausible claims for relief . . . .”); Pet Gifts USA, LLC, v. Imagine This Co., No. 14-3884, 2015 WL 570264, at *3 (D.N.J. Feb. 11, 2015) (“[W]here the analysis is fact intensive and a court finds that it lacks a full factual record to make a choice of law determination, a court may postpone the analysis.”). Freestyle [to] take appropriate steps to safeguard the Sensitive Financial Information of the customers of Plaintiff.” (D.E. 1 ¶ 110–11). Plaintiff appended to the Complaint the relevant services agreements between it and Defendant, each of which contains a provision related to Defendant’s obligation to preserve Plaintiff’s confidential information (“Confidentiality Provision”). The Confidentiality Provision expressly states:
You acknowledge that the Software, Service, the terms of this Agreement, and any other proprietary or confidential information provided to You by US (“Our Confidential Information”) constitutes valuable proprietary information and trade secrets of Ours and/or Our licensors. We acknowledge that the data provided by You or Your Users (“Your Confidential Information”) constitutes valuable proprietary information and trade secrets of Yours or Your Users. Each party agrees to preserve the confidential nature of the other party’s Confidential Information in confidence, solely for its use in furtherance of this Agreement, and by using the same degree of protection that such party uses to protect similar proprietary and confidential information, but in no event less than reasonable care. . . . Each receiving party agrees to promptly report any breaches of this section to the disclosing party.
(D.E. 1-2 at 15 (emphasis added).)8 The Complaint further asserts that Defendant “fail[ed] to adequately safeguard the Sensitive Financial Information[, which] has direct[ly] caused injuries to Plaintiff,” including, inter alia: costs associated with investigating the data breach, loss of business revenues, cash flow restrictions, reputational harms, loss of goodwill, potential liability in class action lawsuits, potential regulatory fines, potential PCI fines, a 50 percent decrease in sales, and loss of subscribers from its mailing lists. Such allegations are sufficient to state a claim for breach of contract. Defendant insists that Count III is deficient. Specifically, Defendant contends that the Complaint has failed to identify a breach of a specific contractual provision; that the actual terms
8 Perplexingly, neither Plaintiff’s Complaint nor the parties’ briefing specifically mentions the Confidentiality Provision. Nevertheless, because the services agreements “are integral to the complaint, [this Court] may consider them.” Weichsel v. JP Morgan Chase Bank, N.A., 65 F.4th 105, 109 n.5 (3d Cir. 2023). of the contract show no breach; that even if there were a breach, the damages sought by Plaintiff are barred under the terms of the contract; and that Defendant’s liability is limited by the contract. Defendant’s arguments are unpersuasive. As an initial matter, the Complaint need not expressly cite a contractual provision; rather, it need only plead facts sufficient to put Defendant on notice of the contractual provision that it allegedly breached. In re Ins. Brokerage Antitrust Litig., 618
F.3d 300, 314 (3d Cir. 2010) (“Under Rule 8(a)(2), a complaint need present only a short and plan statement of the claim showing that the pleader is entitled to relief, in order to give the defendant fair notice of what the . . . claim is and the grounds upon which it rests.” (internal quotation marks omitted)). In this case, Plaintiff has appended to the Complaint multiple iterations of the service agreements between it and Defendant. Each contract contains a Confidentiality Provision, which sets forth Defendant’s obligations to safeguard the data of Plaintiff and its customers. Plaintiff’s allegations that the contracts “impose minimum standards that Freestyle must meet with respect to the security and non-disclosure of [Plaintiff’s] Sensitive Financial Information,” and require Defendant to use reasonable care “to safeguard the Sensitive Financial Information of the
customers of Plaintiff,” are sufficient to put Defendant on notice that it breached its duties under the Confidentiality Provision. Defendant’s remaining arguments are premature. First, the allegations in the Complaint, accepted as true, indicate that Defendant breached the Confidentiality Provision by failing to exercise reasonable care in preserving the confidential information of Plaintiff and Plaintiff’s customers. Second, Plaintiff has alleged facts sufficient to suggest at this stage that the contractual limitation on liability and damages is unconscionable and, thus, unenforceable. Under New Jersey law, a contractual provision that limits damages or liability may be unenforceable if it is unconscionable or violative of public policy. Lucier v. Williams, 841 A.2d 907, 911 (N.J. Super. Ct. App. Div. 2004). “There is no hard and fast definition of unconscionability”; rather, it is “‘an amorphous concept obviously designed to establish a broad business ethic.’” Id. (quoting Kugler v. Romain, 279 A.2d 640, 651 (N.J. 1971)). New Jersey courts consider several factors in determining whether the terms of a contract are unconscionable and, thus, unenforceable: [W]e look not only to its adhesive nature, but also to the subject matter of the contract, the parties’ relative bargaining positions, the degree of economic compulsion motivating the adhering party, and the public interests affected by the contract. Where the provision limits a party’s liability, we pay particular attention to any inequality in the bargaining power and status of the parties, as well as the substance of the contract. The first leading principle is that contractual exemption from liability for negligence is rarely allowed to stand where the contracting parties are not on roughly equal bargaining terms. The farther apart the contracting parties are in their relative strength the greater is the probability that the exculpatory clause will be held invalid.
Lucier, 841 A.2d at 911 (internal citation and quotation marks omitted). Here, the Complaint alleges that the contract at issue was one of adhesion—“[t]here were no negotiations leading up to its preparation,” and it “was presented to [Plaintiff] on a standardized pre-printed form, prepared by [Defendant], on a take-it-or-leave-it basis, without any opportunity for him to negotiate or modify any of its terms.” Id. Consequently, this Court will deny Defendant’s motion to dismiss Count III. C. Breach of Implied Contract (Count IV)
The allegations in the Complaint do not make clear whether Plaintiff is pursuing a claim for breach of an implied-in-fact contract or for a breach of the implied covenant of good faith and fair dealing. While the Complaint fails to state a claim under the former theory, it adequately states a claim under the latter. 1. Implied-In-Fact Contract “Like express contracts, contracts implied in fact depend on mutual agreement and intent to promise, and can be established by objective proofs.” Saint Barnabas Med. Ctr. v. Essex Cnty., 543 A.2d 34, 39 (N.J. 1988) (internal citations and quotation marks omitted). The terms of an implied-in-fact contract “must be sufficiently definite [so] ‘that the performance to be rendered by each party can be ascertained with reasonable certainty.” Weichert Co. Realtors v. Ryan, 608 A.2d
280, 284 (N.J. 1992) (quoting West Caldwell v. Caldwell, 138 A.2d 402, 410 (N.J. 1958)). An implied-in-fact contract varies from an express contract “only insofar as the parties’ agreement and assent thereto have been manifested by conduct instead of words.” Id. (citing Saint Paul Fire & Marine Ins. Co. v. Indem. Ins. Co. of N. Am., 158 A.2d 825, 828 (N.J. 1960)); Baer v. Chase, 392 F.3d 609, 616 (3d Cir. 2004) (“The distinction between express and implied contracts rests on alternative methods of contract formation.” (citing In re Penn. Cent. Transp. Co., 831 F.2d 1221, 1228 (3d Cir. 1987))). Express and implied-in-fact contracts are mutually exclusive—that is, “[t]here cannot be an implied-in-fact contract if there is an express contract that covers the same subject matter.” Baer, 392 F.3d at 616–17 (citations omitted). “The existence of an express
contract, however, does not preclude the existence of an implied contract if the implied contract is distinct from the express contract.” Id. at 617 (collecting cases). Here, the Complaint does not allege any facts to support Plaintiff’s contention that the parties, by conduct instead of words, entered into an implied-in-fact contract distinct from the express contracts. Accordingly, to the extent Plaintiff is asserting a claim for breach of an implied- in-fact contract, that claim will be dismissed without prejudice. 2. Good Faith and Fair Dealing “[E]very contract in New Jersey contains an implied covenant of good faith and fair dealing,” under which “neither party shall do anything [that] will have the effect of destroying or injuring the right of the party to receive the fruits of the contract[.]” Kalogeras v. 239 Broad Ave., LLC, 997 A.2d 943, 953 (N.J. 2010) (second alteration in original) (citations and quotation marks omitted). Courts in New Jersey generally recognize a breach of the implied covenant of good faith and fair dealing in three circumstances: “(1) when the contract does not provide a term necessary to fulfill the parties’ expectations; (2) when bad faith served as a pretext for the exercise of a
contractual right to terminate; and (3) when the contract expressly provides a party with discretion regarding its performance.” Seidenberg v. Summit Bank, 791 A.2d 1068, 1078 (N.J. Super. Ct. App. Div. 2002) (internal citations omitted). “Central to th[e] inquiry of ascertaining what, if any, terms are implied is the intent of the parties. Intent may be determined by examination of the contract and in particular the setting in which it was executed.” Onderdonk v. Presbyterian Homes of N.J., 425 A.2d 1057, 1063 (N.J. 1981). Here, the Complaint alleges that the express contract lacks a term necessary to fulfill the parties’ expectations under the contract—namely, a term imposing on an obligation to take appropriate measures to safeguard the sensitive and personal information of Plaintiff’s customers.
Although this claim seemingly overlaps with Plaintiff’s breach-of-contract claim, this Court will allow both claims to proceed at this juncture.9 Therefore, this Court will deny Defendant’s motion to dismiss Count IV. D. Negligence and Gross Negligence (Count II)
9 Rule 8(d) permits a plaintiff to set out multiple claims “alternatively or hypothetically,” and to “state as many separate claims or defenses as it has, regardless of consistency.” Fed. R. Civ. P. 8(d). “Where it is undisputed that a valid . . . contract governs the conduct at issue, breach of implied duty claims can be dismissed at the motion to dismiss stage.” Spellman v. Exp. Dynamics, LLC, 150 F. Supp. 3d 378, 390 (D.N.J. 2015) (citing T.J. McDermott Transp. Co. v. Cummins, Inc., No. 14-4209, 2015 WL 1119475, at *10–13 (D.N.J. Dec. 15, 2015)). But where, as here, “a contract’s . . . specific terms are disputed, a court may allow breach of contract claims to proceed through discovery or trial alongside alternative causes of action.” Id. (citing Kuzian v. Electrolux Home Prods., Inc., 937 F. Supp. 2d 599, 600 (D.N.J. 2013)). Because Plaintiff has failed to allege that it was owed a duty independent from the contractual relationship, its claims based in negligence must be dismissed. Under New Jersey law, a plaintiff asserting claims for negligence and gross negligence must allege the same “four elements: (1) a duty of care, (2) a breach of that duty, (3) actual and proximate causation, and (4) damages.” Jersey Cent. Power & Light Co. v. Melcar Util. Co., 59
A.3d 561, 571 (N.J. 2013). A gross negligence claim must be supported by an additional allegation of “a higher degree of negligence”—i.e., that the defendant’s “act or failure to act create[d] an unreasonable risk of harm to another because of the person’s failure to exercise slight care or diligence.” Steinberg v. Sahara Sam’s Oasis, LLC, 142 A.3d 742, 754 (N.J. 2016). “Whether a person owes a duty of reasonable care toward another turns on whether the imposition of such duty satisfies an abiding sense of basic fairness under all of the circumstances in light of considerations of public policy.” Holm v. Purdy, 285 A.3d 857, 867 (N.J. 2022) (quoting Hopkins v. Fox & Lazo Realtors, 625 A.2d 1110, 1116 (N.J. 1993)). In determining whether a defendant owes a duty of reasonable care to a plaintiff, “[t]he ‘court must first consider the foreseeability of harm to a
potential plaintiff and then analyze whether accepted fairness and policy considerations support the imposition of a duty.”10 Id. (quoting Coleman v. Martinez, 254 A.3d 632, 642 (N.J. 2021)). Courts may weigh “the (1) relationship of the parties, (2) nature of the risk, (3) opportunity and ability to exercise care, and (4) public interest.” Id. (quoting Martinez, 254 A.3d at 645). A negligence claim, however, generally “does not arise from a contractual relationship unless the breaching party owes an independent duty imposed by law.” Saltiel v. GSI Consultants, Inc., 788 A.2d 268, 280 (N.J. 2002) (citations omitted).
10 “Determining the scope of tort liability has traditionally been the responsibility of the courts.” Hopkins, 625 A.2d at 1116 (citing Kelly v. Gwinnell, 476 A.2d 1219, 1226 (N.J. 1984)). Here, while the parties dispute the scope of the contracts between them, it is undisputed that their relationship has been, at all times relevant to the Complaint, contractual in nature. As such, Plaintiff must allege the existence of an independent duty imposed by law to sustain its cause of action for negligence. Plaintiff has not done so. Although the Complaint asserts that Defendant owed several duties,11 the alleged duties either arise from the parties’ contractual relationship or
would be owed to Plaintiff’s customers—not Plaintiff. In short, Plaintiff has failed to allege that Defendant owed it any duty independent from the obligations under the contract. Therefore, Plaintiff’s claims for negligence and gross negligence will be dismissed without prejudice. E. Fraudulent Inducement and Negligent Misrepresentation (Count VI)
To state a claim for fraudulent inducement, a plaintiff must allege five elements: (1) a material representation of a presently existing or past fact; (2) made with knowledge of its falsity and (3) with the intention that the other party rely thereon; (4) resulting in reliance by that party; (5) to his detriment. Jewish Ctr. of Sussex Cnty. v. Whale, 432 A.2d 521, 524 (N.J. 1981) (citing Foont-Freedenfeld v. Electro-Protective, 314 A.2d 69, 71 (N.J. Super. Ct. App. Div. 1973), aff’d, 314 A.2d 68 (N.J. 1974)). The elements of a claim of negligent misrepresentation are largely the same, however, a plaintiff need not plead scienter. Highlands Ins. Co. v. Hobbs Grp., LLC., 373 F.3d 347, 351 (3d Cir. 2004) (“[U]nder New Jersey law negligent misrepresentation requires a showing that defendant negligently provided false information and that plaintiff incurred damages proximately caused by its reliance on that information. (internal citation omitted)). Because both claims sound in fraud,12 they both must meet the heightened pleading standard under Rule 9(b).
11 Specifically, the Complaint alleges that Defendant owed: (1) a duty to exercise reasonable care in maintaining and protecting sensitive information; (2) a duty to timely disclose to Plaintiff’s customers the data breach; and (3) a duty to have procedures in place to detect and prevent dissemination of Plaintiff’s private information. (D.E. 1 ¶¶ 101– 03.)
12 Indeed, the negligent misrepresentation claim is based on the same exact allegations as the fraudulent inducement claim. Riachi v. Prometheus Grp., 822 F. App’x 138, 142 (3d Cir. 2020). Thus, the Complaint “must state with particularity the circumstances constituting fraud,” by alleging “the who, what, when, where and how of the events at issue,” U.S. ex rel. Moore & Co., P.A. v. Majestic Blue Fisheries, LLC, 812 F.3d 294, 306–07 (3d Cir. 2016) (internal citations omitted), “or otherwise inject precision or some measure of substantiation into a fraud allegation,” Frederico, 507 F.3d at 200
(citing Lum, 361 F.3d at 224). Plaintiff has failed to meet Rule 9(b)’s heightened pleading standard. To be sure, the Complaint alleges the following: “Freestyle’s President, and other Freestyle employees, made affirmative misrepresentations to PulseTV, and its former employee and agent, Thomas Fannernon, . . . regarding the safety and security of Freestyle’s computer networks and its ability to comply with the PCI DSS,” (D.E. 1 ¶ 26); “Freestyle’s President[] falsely stated to PulseTV that Freestyle had a plan to become PCI DSS compliant in 2005,” (id. ¶ 27); “Freestyle’s current President, Jim Cahill, later noted that Freestyle had retained a PCI Compliance Officer,” (id.); and “[b]etween 2005 and 2012, Freestyle made numerous misrepresentations to PulseTV that
SiteLINK and Freestyle’s hosting environment were safe, secure, and PCI DSS compliant,” (id. ¶ 29).13 Though the Complaint, at times, provides the “who,” it plainly fails to put Defendant on
13 Plaintiff also asserts that “[a]t or around the time of the 2012 agreement, Freestyle represented to PulseTV that Freestyle had a plan to maintain PCI compliance.” (D.E. 1 ¶ 36.) Notwithstanding the lack of specificity in this allegation, the Complaint fails to contend how this representation in 2012 was made with the intention of inducing Plaintiff’s representative, Anisa Ali, to enter the 2018 contract—the purported contract at issue in this case. In addition, Plaintiff points to a 2014 statement on Defendant’s website, which provides: “Of course, PCI-compliant hosting is a must for serious eCommerce companies.” (Id. ¶ 48.) The Complaint does not explain how that 2014 statement was intended to induce Plaintiff to enter into the 2018 contract, and in any event, the statement is not an actionable statement of fact. See Gennari v. Weichert Co. Realtors, 691 A.2d 350, 366 (N.J. 1997) (“The misrepresentation has to be one which is material to the transaction and which is a statement of fact, found to be false, made to induce the buyer to make the purchase.” (emphasis added)). notice of the specific misrepresentations with which it is charged. Therefore, Plaintiff’s claims for fraudulent inducement and negligent misrepresentation will be dismissed without prejudice.14 F. Violation of the NJCFA (Count VII)
The NJCFA permits plaintiffs to bring claims for “any ascertainable loss of money[] . . . as a result of the use or employment by another person of any method, act, or practice declared unlawful under this act.” N.J. Stat. Ann. § 56:8-19. To state a claim under the NJCFA, a plaintiff must plead “1) unlawful conduct by defendant; 2) an ascertainable loss by plaintiff; and 3) a causal relationship between the unlawful conduct and the ascertainable loss.” D’Ogostino v. Maldonado, 78 A.3d 527, 536–37 (N.J. 2013) (quoting Bosland v. Warnock Dodge, Inc., 964 A.2d 741, 749 (N.J. 2009)); see also Frederico, 507 F.3d at 202 (citing Cox v. Sears Roebuck & Co., 647 A.2d 454, 462–65 (N.J. 1994)). The NJCFA defines “unlawful practice” as:
The act, use or employment by any person of any commercial practice that is unconscionable or abusive, deceptive, fraud, false pretense, false promise, misrepresentation, or the knowing, concealment, suppression, or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise. N.J. STAT. ANN. § 56:8-2. “Unlawful practices fall into three general categories: affirmative acts, knowing omissions, and regulation violations.” Frederico, 507 F.3d at 202 (quoting Cox, 647 A.2d at 462). A breach of contract “is not per se unfair or unconscionable.” Cox, 647 A.2d at 462 (quoting D’Ercole Sales, Inc. v. Fruehauf Corp., 501 A.2d 990, 998 (N.J. Super. Ct. App. Div. 1985)). As such, to succeed on an NJCFA claim based on a breach of contract, a plaintiff must
14 Even under a more lenient pleading standard, Plaintiff’s negligent misrepresentation claim would fail. As explained earlier in this Opinion, New Jersey law prohibits a party from maintaining a negligence action in addition to a contract action, “unless the plaintiff can establish an independent duty of care.” Saltiel, 788 A.2d at 278. Plaintiff has not done so. allege “a substantial aggravating circumstance,” demonstrating that the defendant’s behavior “stands outside the norm of reasonable business practice in that it will victimize the average customer.” Suber v. Chrysler Corp., 104 F.3d 578, 587 (3d Cir. 1997). Because Plaintiff’s claim under the NJCFA sounds in fraud, the Complaint must meet the stringent pleading requirements of Rule 9(b). Frederico, 507 F.3d at 200. Plaintiff has failed to meet this heightened pleading
standard and thus has not adequately alleged in its Complaint the existence of a substantial aggravating circumstance. Therefore, Count VII will be dismissed without prejudice. G. Punitive Damages (Count XI)
Finally, the Complaint alleges a claim for punitive damages. Punitive damages, however, “are a remedy incidental to [a] cause of action,” Hassoun v. Cimmino, 126 F. Supp. 2d 353, 372 (D.N.J. 2000) (collecting cases), not a standalone claim, Maglioli v. All. HC Holdings, 16 F.4th 393, 411 n.12 (3d Cir. 2021) (“Under New Jersey law, an independent count for punitive damages may not be cognizable.” (citations omitted)). Accordingly, Plaintiff’s independent claim for punitive damages will be dismissed with prejudice.15 IV. CONCLUSION For the reasons set forth above, Defendant’s Motion is GRANTED IN PART AND DENIED IN PART. An appropriate order follows. /s/ Susan D. Wigenton SUSAN D. WIGENTON, U.S.D.J.
Orig: Clerk cc: Parties Edward S. Kiel, U.S.M.J.
15 Defendant asks this Court to bar Plaintiff from recovering punitive damages, because, among other reasons, Plaintiff contractually waived its right to punitive damages. As explained earlier in this Opinion, the Complaint adequately pleads that the contractual limitation on liability and damages may be unconscionable and thus unenforceable. The remainder of Defendant’s arguments are premature.