Ponder v. Pfizer, Inc.

522 F. Supp. 2d 793, 2007 U.S. Dist. LEXIS 83129, 2007 WL 4197319

• Court: District Court, M.D. Louisiana
• Decided: November 7, 2007
• Docket: Civil Action 07-466-JJB-CN
• Status: Published

Opinion

RULING ON MOTION TO DISMISS

JAMES J. BRADY, District Judge.

This matter is before the Court on a. motion by defendant corporation, Pfizer, Inc. (“Pfizer”). Pfizer brings this motion under Fed.R.Civ.P. 12(b)(6). (Doc. 22). The plaintiff, Terry L. Horne, 1 a former employee of Pfizer, has filed an opposition memorandum. (Doc. 27). Pfizer has filed a reply memorandum. (Doc. 43). There is no need for oral argument. Subject matter jurisdiction is based upon 28 U.S.C. § 1332.

Factual Background

Sometime before June 2007, private data on approximately 17,000 former and -current Pfizer employees left the confines of a Pfizer hard drive and ventured into an unauthorized domain. The data were stored on a Pfizer laptop computer which the company provided to one of its employees for home use.- Due to the installation of unauthorized file-sharing software on the laptop, files stored in the laptop containing data on the names, social security numbers, and in some instances, addresses and bonus information of Pfizer employees became exposed to outsiders. According to Pfizer, an investigation revealed “that certain files containing [employee] data were accessed and copied.”

On June 1, 2007, the Pfizer Privacy Office notified effected employees, including Terry Horne, via written letter, of the breach. 2 The letter, signed by Lisa M. Golden, a Pfizer Vice President, included details of the incident and the steps Pfizer had taken to protect the privacy and security of its employees in the wake of the breach. According to the letter, Pfizer had no indication that any unauthorized individual had used personal information contained in the data.

In the wake of the disclosure, Pfizer’s letter advised employees to remain vigilant against the possibility of fraud and/or identity theft by monitoring account statements and credit reports for unusual activity. According to the letter, the company also undertook the following steps:

(1) It contracted with Consumerln-fo.com to provide employees with one year of free credit monitoring.

(2) It purchased a credit monitoring product known as Triple Advantage Delux, designed to identify and notify — via SMS text message — employees of key changes in three national credit reports that may indicate fraudulent activity.

(3) It purchased $25,000 Identity Theft insurance provided by Virgina Surety Company, Inc.

(4) It notified the Attorney General’s offices in each employee’s state of residence about the incident.

(5) It contacted the three major U.S. credit agencies to inform them of the incident.

Plaintiff’s Claims

Mr. Horne brings this action as a class action. 3 The putative class is believed to number approximately 17,000 individuals. Mr. Horne alleges that Pfizer violated Louisiana’s Database Security Breach Notification Law, La. R.S. 51:3071, et seq. (Doc. 21, ¶ 24). Horne also alleges that Pfizer breached its duty to maintain the privacy of information about him and other current and former employees; that Pfizer was in a special fiduciary relationship with the Class by reason of its entrustment with private information; and that Pfizer had a duty of care to use reasonable means to keep the information private and secure. (Doc. 21, ¶¶ 18-21). Next he claims that plaintiffs have suffered or will potentially suffer damages in the form of economic and other losses as a result of Pfizer’s actions. (Doc. 21, ¶ 22). Horne argues that the damages he and plaintiffs suffered included fear and apprehension of fraud, loss of money, and identity theft; the burden and the cost of credit monitoring; the burden and the cost of closing compromised credit accounts and opening new accounts; the burden of scrutinizing credit card statements and other statements for unauthorized transactions; damage to their credit; loss of privacy and other economic damages. Additionally, Horne alleges a constitutional violation. (Doc. 21, ¶ 6).

Standard of Law

A motion to dismiss for failure to state a claim may be granted when the complaint fails to state a legally cognizable claim. Fed.R.Civ.P. 12(b)(6). The complaint must be liberally construed in favor of the plaintiff. In deciding whether to grant a motion to dismiss for failure to state a claim, a district court must accept the facts of the complaint as true and resolve all ambiguities or doubts regarding the sufficiency of the claim in favor of the plaintiff. Fernandez-Montes v. Allied Pilots Ass’n, 987 F.2d 278, 284 (5th Cir.1993).

Until recently, federal courts followed the principle established in Conley v. Gibson, 355 U.S. 41, 45-46, 78 S.Ct. 99, 2 L.Ed.2d 80 (1957) that “a complaint should not be dismissed for failure to state a claim unless it appears beyond a doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” In Bell Atlantic Corp. v. Twombly, - U.S. -, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007), the Supreme Court clarified that plausibility was also required. The Court noted that Conley’s “no set of facts” rule was “an incomplete, negative gloss on an accepted pleading standard: once a claim has been stated adequately, it may be supported by showing any set of facts consistent with the allegations in the complaint.” Id. at 1969.

Accordingly, this Court will apply the Supreme Court’s recent pronouncement that the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Id. at 1974. If the plaintiff has “not nudged. [his] claims across the line from conceivable to plausible, [his] complaint must be dismissed.” Id.

Analysis

1. Claims under La. R.S. 51:3071, et seq.

Pfizer first argues that Horne’s complaint fails to allege a claim for a violation of the Louisiana Database Security Breach Notification Law. La. R.S. 51:3071 et seq. The law provides that “[a]ny person that conducts business in the state ... shall, following discovery of a breach in the security of the system containing ... personal information,” “notify any resident of the state whose personal information was, or reasonably believed to have been, acquired by an unauthorized person.” La. R.S. 51:3074(A). Notification, which “shall be made in the most expedient time possible and without unreasonable delay,” may be made by “written notification.” La. R.S. 51:3074(C), (E)(1). The Louisiana Attorney General has also issued a rule requiring that if notice to Louisiana residents is required under the law, notice must also be provided to the Attorney General’s Office. 32:4 La. Reg. 708 (Apr. 20, 2006).

According to the allegations set forth in the complaint, Pfizer did indeed give written notification of the breach resulting in the disclosure of a person’s personal information to the Attorney General’s office and the effected parties. However, the complaint contains the allegation that nine weeks elapsed between the unauthorized disclosures and the notification of Mr. Horne. Thus, Horne claims that Pfizer did not notify him in a timely fashion. (Doc. 21 ¶¶ 19, 24).

a. Damages under La. R.S. 51:3075

Under the Louisiana Database Security Notification Law, a “civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information.” La. R.S. 51:3075.

In his complaint, Mr. Horne alleges the following damages pursuant to La. R.S. 51:3075: “fear and apprehension of fraud, loss of money, and identity theft; the burden and cost of credit monitoring; the burden and cost of closing compromised credit accounts and opening new accounts; the burden of scrutinizing credit card statements and other statements for unauthorized transactions; damage to [ ] credit; loss of privacy; and other economic damages.” (Doc. 21 ¶ 22). Horne claims that these damages are not speculative future damages; that currently he has the burden and cost of credit monitoring, of closing compromised accounts and opening new accounts of scrutinizing credit card statements, and loss of privacy. Horne argues that these damages will continue indefinitely. However, Mr. Horne’s complaint does not allege that his social security number or other private information was actually used by an unauthorized person, it does not allege that money has been taken unlawfully from any of his accounts, or that his credit card was used by anyone not authorized or that anyone has opened a credit card or other account in his name. It merely alleges that he has the burden of monitoring and bearing the cost if his exposed personal information is used in an illicit manner by an unáuthorized individual.

Pfizer argues that the “various flavors of damages” alleged in the complaint are in herently speculative and not recoverable under Louisiana law, which requires that damages be established to a “legal certainty.” FDIC v. Barton, 233 F.3d 859, 864, 865 (5th Cir.2000)(rejecting damages theory where “we do not know, nor can we ever know, what would have been recovered, and what it would have cost to do so”). See A.N. Goldberg, Inc. v. Delerno, 225 La. 568, 73 So.2d 464, 465 (1954) (“Actual damages cannot be established by remote and conjectural estimates of loss.”); Carderara v. Taranto, 396 So.2d 493, 494-95 (La.App.Ct. 4th Cir.1981)(“A plaintiff must prove with legal certainty every item of damages claimed” and rejecting plaintiffs “speculative” theory of recovery).

Given the rate at which Internet technologies evolve, the ability of computer hackers to stay two-steps ahead of the latest in online security, and the comparatively slow speed at which the law responds to cyber-security threats, neither Louisiana courts nor the Fifth Circuit have confronted the issue before us. Recently, though, the Seventh Circuit rejected plaintiffs’ claims for “compensation for past and future credit monitoring services” and damages for “emotional distress and worry that third parties will use [the plaintiffs’] confidential personal information to cause them economic harm, or sell their confidential information to others who will in turn cause them economic harm.” Pisciotta v. Old Nat’l Bancorp., 499 F.3d 629 (7th Cir.2007). In Pisciotta, the Seventh Circuit upheld the district court’s decision to dismiss the case, and explained that:

[without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy. Plaintiffs have not come forward with a single case or statute, from any jurisdiction, authorizing the kind of action they now seek this federal court, sitting in diversity, to recognize as a valid theory of recovery. Id. at 639-40.

A federal district court in Michigan also dismissed a plaintiffs complaint for identity theft, holding that plaintiffs alleged damages — the “purchase of a credit monitoring product” — were not “actual damages or a cognizable loss.” Hendricks v. DSW Shoe Warehouse, Inc., 444 F.Supp.2d 775 (W.D.Mich.2006). In Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018 (D.Minn.2006), the district court rejected the breach of contract, breach of fiduciary duty and negligence claims, and held that the plaintiffs’ “expenditure of time and money” in “monitoring their credit” does not constitute injury or damages because it “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” Id. at 1020-21, (holding that plaintiffs’ injuries are solely the result of a perceived risk of future harm, not from actual present injury). In Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705 (S.D.Ohio 2007), the court held that plaintiffs damages — “costs of purchasing a credit monitoring product” and “time and money spent monitoring her credit” — were not recoverable as a matter of law because “no unauthorized use of her personal information has occurred” and, thus, “any injury of Plaintiff is purely speculative.” Id. at 709-12.

Generally, under Louisiana law, “if the defendant’s conduct is merely negligent and causes only mental disturbance, without accompanying physical injury, illness or other physical consequences, the defendant is not liable for such emotional disturbance.” Nesom v. Tri Hawk Int’l, 985 F.2d 208, 211 (quoting Moresi v. Dept. of Wildlife and & Fisheries, 567 So.2d 1081, 1095-96 (La.1990)). Furthermore, a Louisiana plaintiff must show a “manifest physical or mental injury or disease” in order to obtain any damage recovery “for future medical treatment, services, surveillance, or procedures of any kind.” Bonnette v. Conoco, Inc., 837 So.2d 1219, 1230 n. 6 (La.2003), quoting La. C.C. art. 2315. 4 Horne argues that he and the other plaintiffs do not merely fear that their information has been disclosed, because there is no question that it has been exposed. He argues that he and the other plaintiffs have the current burden of monitoring their credit, scrutinizing account statements, and closing and opening accounts.

This Court, however, finds that Mr. Horne’s complaint does not allege that he suffered any actual damages — that someone actually used the disclosed information to his detriment. Indeed, the Plaintiff has not come forward with any theory to allege a type of damage the law is prepared to recognize, or a type of damage that is recoverable. 5

2. Constitutional Claims

Mr. Horne’s complaint alleges that he brought this action “to resolve disputes under state and federal statutory and constitutional law.” (Doc. 21 ¶ 6). However, the complaint fails to identify any constitutional provisions. In his opposition memorandum, Horne refers to La. Const. Art. 1 Sec. V, which provides that “[e]very person shall be secure in his person, property, communications, houses, papers, and effects against unreasonable searches, seizures, or invasions of privacy.” (Doc. 43).

While courts have found the above provision applicable to government conduct, Louisiana courts have not applied it to private action. The Casse case on which Mr. Horne relies, states that, “one of the co-authors of the Constitutional Convention’s Declaration of Rights wrote: ‘The Section (Art. I, Sec. 5) is intended to apply solely to government action, in accord with the view of the committee that a bill of rights cannot reach private action.’ ” Casse v. La. Gen. Servs., Inc., 531 So.2d 554, 555 (La.App.Ct. 5th Cir.1988), quoting L. Jenkins, 21 Loyola L. Rev. 9 (1975). See also Brennan v. Bd. of Trustees for Univ. of La. Sys., 691 So.2d 324, 328 (La. App.Ct. 1st Cir.1997)(“The Louisiana Constitution’s protection of privacy provisions contained in Article 1, § 5 does not extend so far as to protect private citizens against the actions of private parties.”).

Thus, Mr. Horne’s complaint fails to state a constitutional claim upon which relief can be granted.

Conclusion

While Plaintiff may have leave to amend the complaint to further articulate his constitutional arguments, we find that such leave would be futile. The Plaintiff has failed to allege actual damages that would warrant a different result from that reached by this Court. He has also not alleged damages from which he could recover.

Thus, for the reasons set forth above, the Defendant’s Motion to Dismiss (doc. 22) is hereby GRANTED and the. Court orders the caption amended in the record to reflect Terry L. Horne as the plaintiff.

1 . For purposes of this ruling, the captioned plaintiff appears as Randall Ponder. Ponder moved to substitute his place as cláss representative, replacing it with Terry L. Horne. (Doc. 12). The magistrate judge granted the order. (Doc. 17). While plaintiff's counsel did not move to amend the caption, this Court, sua sponte, orders the caption amended, hereinafter, to reflect Terry L. Horne as the plaintiff.

2 . Plaintiff refers specifically to the letter in his complaint, as such, Pfizer may rely on the letter in its motion to dismiss under Rule 12(b)(6) without converting its motion into a summary judgment motion. See, e.g., Collins v. Morgan Stanley Dean Witter, 224 F.3d 496, 498-99 (5th Cir.2000).

3 .- The court has not certified the class, and the parties have stipulated that the Court will defer its decision on class certification following a decision on this motion.

4 . La. C.C. art 2315(B) states in relevant part: "Damages do not include costs for future medical treatment, services, surveillance, or procedures of any kind unless such treatment, services, surveillance, or procedures are directly related to a manifest physical or mental injury or disease."

5 . It should be noted that there are two possible inquiries a court can undertake to determine when the injury accrues. The first suggests that the injury accrues when the data are exposed, and becomes obtained by a third party. The other, more persuasive inquiry, and the one adopted by the Seventh Circuit in Pisciotta — and this Court today — finds that the injury accrues when the compromised data are actually used by a third party to steal someone’s identity.