1 2 3 4 UNITED STATES DISTRICT COURT 5 DISTRICT OF NEVADA 6 * * *
7 KARIN SMITH, et al., individually and on Case No. 2:24-cv-01226-RFB-EJY behalf of all others similarly situated, 8 ORDER
9 Plaintiffs,
10 v.
11 FINDLAY AUTOMOTIVE, INC.,
12 Defendant.
13 14 Before the Court is Defendant Findlay Automotive, Inc.’s Motion to Dismiss (ECF No. 27) 15 Plaintiffs’ Consolidated Class Complaint (ECF No. 21). For the reasons below, the Motion is 16 granted in part and denied in part. 17 18 I. PROCEDURAL HISTORY 19 The Court summarizes the procedural history relevant to the instant Motion. 20 On June 12, 2024, Plaintiffs Karin Smith and Pholisith Bouphapraseuth, individually and 21 on behalf of others similarly situated, filed their Class Action Complaint in the Eighth Judicial 22 District Court for the State of Nevada (“Smith Action”). (ECF No. 1-1). On July 8, 2024, 23 Defendant Findlay Automotive, Inc. filed a Petition for Removal and a Notice of Related Case 24 Stevens v. Findlay Automotive, Inc., Case No. 2:24-cv-01227-APG-BNW (“Stevens Action”). 25 (ECF Nos. 1-2). On July 12, 2024, Defendant filed a Motion to Consolidate the Smith and Stevens 26 Actions. (ECF No. 7). On July 24, 2024, Defendant filed its Statement Regarding Removal, which 27 identified the basis for removal as federal question jurisdiction, and an alternative basis for removal 28 pursuant to the Class Action Fairness Act. (ECF No. 11). The same day the parties filed a 1 Stipulation to Consolidate the Smith and Stevens Actions. (ECF No. 12). On August 1, 2024, the 2 Court granted the Motion to Consolidate and ordered the Stevens Action consolidated under this 3 Smith Action. (ECF No. 14). 4 On August 9, 2024, Defendant filed its first Motion to Dismiss. (ECF No. 17). On August 5 16, 2024, Plaintiffs filed their operative Amended Consolidated Class Complaint (“Complaint”). 6 (ECF No. 21). The Complaint brings claims under Nevada law for (1) Negligence and Negligence 7 Per Se; (2) Breach of Express Contract; (3) Breach of Implied Contract; (4) Invasion of Privacy; 8 (5) Unjust Enrichment; (6) Declaratory Judgment and Injunctive Relief. Id. On August 27, 9 Defendants filed the instant Motion to Dismiss pursuant to Federal Rule of Civil Procedure 10 12(b)(6). (ECF No. 28). Defendant concurrently filed a Motion to Stay. (ECF No. 32). As of 11 September 23, 2024, the Motion to Stay was fully briefed. (ECF No. 32-33). As of October 17, 12 2024, the Motion to Dismiss was fully briefed. (ECF Nos. 37-38). 13 On October 24, 2024, the Honorable Magistrate Judge Elayna J. Youchah granted in part 14 and denied in part the Motion to Stay. (ECF No. 39). Individual discovery was opened for a period 15 of 90 days, while no class related discovery was allowed to proceed. Id. On February 10, 2025, the 16 parties entered a Joint Status Report regarding discovery and sought an extension of time to submit 17 a case schedule and proposed discovery plan. (ECF No. 47). On February 12, 2025, Judge Youchah 18 granted the parties until seven days after resolution of the instant Motion to Dismiss. (ECF No. 19 48). 20 The Courts Order on the pending Motion to Dismiss follows. 21 22 II. FACTUAL ALLEGATIONS 23 The following allegations are taken from the Amended Consolidated Class Complaint. 24 This action arises out of a targeted ransomware attack on Findlay Automotive, Inc.’s which 25 Plaintiffs allege led to the unauthorized access and acquisition of their personally identifiable 26 information (“PII”) including full names, addresses, driver’s license numbers, social security 27 numbers, insurance policy numbers, credit and debit card numbers, and financial information. 28 Plaintiffs allege that up to and through June 2024, Defendant obtained the PII of Plaintiffs and 1 class members and stored it in an unencrypted, internet-accessible environment on its network 2 from which unauthorized actors used an extraction tool to retrieve Plaintiffs’ PII. On information 3 and belief, Defendant failed to properly monitor its computer network, IT systems and integrated 4 services which housed the PII and failed to timely recognize malicious activity on its information 5 system. 6 Through the attack, a notorious cybercriminal group called “Scattered Spider” obtained 7 Plaintiffs’ PII. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure 8 Security Agency released a joint report identifying Scattered Spider as a cybercriminal group that 9 targets large companies and their contracted information technology help desks. Per the report, 10 Scattered Spider threat actors typically engage in data theft for extortion and publication to the 11 dark web and for subsequently carrying out ransomware attacks to disrupt business operations. 12 Defendant was unprepared for such an attack, which resulted in delays in customers being 13 paid money Defendant owed to them, who were told the delay was due to a cyberattack. As a 14 result, Defendant failed to timely remit payment of $2,500 owed to Plaintiff Farrell as 15 compensation for a vehicle trade-in and failed to properly and timely register Plaintiff Sax’s 16 vehicle, which cost him money, including his income as an Uber driver, and time. Defendants 17 further failed to meet statutory requirements to provide affected persons with timely notice of the 18 data breach. 19 Plaintiffs allege they have suffered harms including lost time in responding to the data 20 breach, in the form of valuable hours spent calling Defendant to investigate the harm and 21 attempting to mitigate its effects and seeking payment of monies owed to them by Defendant 22 (Plaintiffs Sax and Farrell). They also allege they “may” incur out-of-pocket expenses purchasing 23 credit monitoring services, credit freezes, credit reports, and other protective measures to deter and 24 detect identity theft. They further allege they suffered damage to and diminution in the value of 25 their PII; violation of their privacy rights; and present, imminent, and impending injury arising 26 from the theft of their PII. As a result of the data breach, Plaintiffs allege they suffered emotional 27 distress, including anxiety about unauthorized parties viewing, selling, and/or using their PII for 28 the purposes of identity theft and fraud. 1 III. LEGAL STANDARD 2 An initial pleading must contain “a short and plain statement of the claim showing that the 3 pleader is entitled to relief.” Fed. R. Civ. P. 8(a). The court may dismiss a complaint for “failure 4 to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). In ruling on a motion 5 to dismiss, “[a]ll well-pleaded allegations of material fact in the complaint are accepted as true and 6 are construed in the light most favorable to the non-moving party.” Faulkner v. ADT Sec. Servs., 7 Inc., 706 F.3d 1017, 1019 (9th Cir. 2013) (citations omitted). 8 To survive a motion to dismiss, a complaint need not contain “detailed factual allegations,” 9 but it must do more than assert “labels and conclusions” or “a formulaic recitation of the elements 10 of a cause of action . . . .” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl.Corp. v. 11 Twombly, 550 U.S. 544, 555 (2007)).
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 3 4 UNITED STATES DISTRICT COURT 5 DISTRICT OF NEVADA 6 * * *
7 KARIN SMITH, et al., individually and on Case No. 2:24-cv-01226-RFB-EJY behalf of all others similarly situated, 8 ORDER
9 Plaintiffs,
10 v.
11 FINDLAY AUTOMOTIVE, INC.,
12 Defendant.
13 14 Before the Court is Defendant Findlay Automotive, Inc.’s Motion to Dismiss (ECF No. 27) 15 Plaintiffs’ Consolidated Class Complaint (ECF No. 21). For the reasons below, the Motion is 16 granted in part and denied in part. 17 18 I. PROCEDURAL HISTORY 19 The Court summarizes the procedural history relevant to the instant Motion. 20 On June 12, 2024, Plaintiffs Karin Smith and Pholisith Bouphapraseuth, individually and 21 on behalf of others similarly situated, filed their Class Action Complaint in the Eighth Judicial 22 District Court for the State of Nevada (“Smith Action”). (ECF No. 1-1). On July 8, 2024, 23 Defendant Findlay Automotive, Inc. filed a Petition for Removal and a Notice of Related Case 24 Stevens v. Findlay Automotive, Inc., Case No. 2:24-cv-01227-APG-BNW (“Stevens Action”). 25 (ECF Nos. 1-2). On July 12, 2024, Defendant filed a Motion to Consolidate the Smith and Stevens 26 Actions. (ECF No. 7). On July 24, 2024, Defendant filed its Statement Regarding Removal, which 27 identified the basis for removal as federal question jurisdiction, and an alternative basis for removal 28 pursuant to the Class Action Fairness Act. (ECF No. 11). The same day the parties filed a 1 Stipulation to Consolidate the Smith and Stevens Actions. (ECF No. 12). On August 1, 2024, the 2 Court granted the Motion to Consolidate and ordered the Stevens Action consolidated under this 3 Smith Action. (ECF No. 14). 4 On August 9, 2024, Defendant filed its first Motion to Dismiss. (ECF No. 17). On August 5 16, 2024, Plaintiffs filed their operative Amended Consolidated Class Complaint (“Complaint”). 6 (ECF No. 21). The Complaint brings claims under Nevada law for (1) Negligence and Negligence 7 Per Se; (2) Breach of Express Contract; (3) Breach of Implied Contract; (4) Invasion of Privacy; 8 (5) Unjust Enrichment; (6) Declaratory Judgment and Injunctive Relief. Id. On August 27, 9 Defendants filed the instant Motion to Dismiss pursuant to Federal Rule of Civil Procedure 10 12(b)(6). (ECF No. 28). Defendant concurrently filed a Motion to Stay. (ECF No. 32). As of 11 September 23, 2024, the Motion to Stay was fully briefed. (ECF No. 32-33). As of October 17, 12 2024, the Motion to Dismiss was fully briefed. (ECF Nos. 37-38). 13 On October 24, 2024, the Honorable Magistrate Judge Elayna J. Youchah granted in part 14 and denied in part the Motion to Stay. (ECF No. 39). Individual discovery was opened for a period 15 of 90 days, while no class related discovery was allowed to proceed. Id. On February 10, 2025, the 16 parties entered a Joint Status Report regarding discovery and sought an extension of time to submit 17 a case schedule and proposed discovery plan. (ECF No. 47). On February 12, 2025, Judge Youchah 18 granted the parties until seven days after resolution of the instant Motion to Dismiss. (ECF No. 19 48). 20 The Courts Order on the pending Motion to Dismiss follows. 21 22 II. FACTUAL ALLEGATIONS 23 The following allegations are taken from the Amended Consolidated Class Complaint. 24 This action arises out of a targeted ransomware attack on Findlay Automotive, Inc.’s which 25 Plaintiffs allege led to the unauthorized access and acquisition of their personally identifiable 26 information (“PII”) including full names, addresses, driver’s license numbers, social security 27 numbers, insurance policy numbers, credit and debit card numbers, and financial information. 28 Plaintiffs allege that up to and through June 2024, Defendant obtained the PII of Plaintiffs and 1 class members and stored it in an unencrypted, internet-accessible environment on its network 2 from which unauthorized actors used an extraction tool to retrieve Plaintiffs’ PII. On information 3 and belief, Defendant failed to properly monitor its computer network, IT systems and integrated 4 services which housed the PII and failed to timely recognize malicious activity on its information 5 system. 6 Through the attack, a notorious cybercriminal group called “Scattered Spider” obtained 7 Plaintiffs’ PII. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure 8 Security Agency released a joint report identifying Scattered Spider as a cybercriminal group that 9 targets large companies and their contracted information technology help desks. Per the report, 10 Scattered Spider threat actors typically engage in data theft for extortion and publication to the 11 dark web and for subsequently carrying out ransomware attacks to disrupt business operations. 12 Defendant was unprepared for such an attack, which resulted in delays in customers being 13 paid money Defendant owed to them, who were told the delay was due to a cyberattack. As a 14 result, Defendant failed to timely remit payment of $2,500 owed to Plaintiff Farrell as 15 compensation for a vehicle trade-in and failed to properly and timely register Plaintiff Sax’s 16 vehicle, which cost him money, including his income as an Uber driver, and time. Defendants 17 further failed to meet statutory requirements to provide affected persons with timely notice of the 18 data breach. 19 Plaintiffs allege they have suffered harms including lost time in responding to the data 20 breach, in the form of valuable hours spent calling Defendant to investigate the harm and 21 attempting to mitigate its effects and seeking payment of monies owed to them by Defendant 22 (Plaintiffs Sax and Farrell). They also allege they “may” incur out-of-pocket expenses purchasing 23 credit monitoring services, credit freezes, credit reports, and other protective measures to deter and 24 detect identity theft. They further allege they suffered damage to and diminution in the value of 25 their PII; violation of their privacy rights; and present, imminent, and impending injury arising 26 from the theft of their PII. As a result of the data breach, Plaintiffs allege they suffered emotional 27 distress, including anxiety about unauthorized parties viewing, selling, and/or using their PII for 28 the purposes of identity theft and fraud. 1 III. LEGAL STANDARD 2 An initial pleading must contain “a short and plain statement of the claim showing that the 3 pleader is entitled to relief.” Fed. R. Civ. P. 8(a). The court may dismiss a complaint for “failure 4 to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). In ruling on a motion 5 to dismiss, “[a]ll well-pleaded allegations of material fact in the complaint are accepted as true and 6 are construed in the light most favorable to the non-moving party.” Faulkner v. ADT Sec. Servs., 7 Inc., 706 F.3d 1017, 1019 (9th Cir. 2013) (citations omitted). 8 To survive a motion to dismiss, a complaint need not contain “detailed factual allegations,” 9 but it must do more than assert “labels and conclusions” or “a formulaic recitation of the elements 10 of a cause of action . . . .” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl.Corp. v. 11 Twombly, 550 U.S. 544, 555 (2007)). In other words, a claim will not be dismissed if it contains 12 “sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face,” 13 meaning that the court can reasonably infer “that the defendant is liable for the misconduct 14 alleged.” Id. at 678 (internal quotation and citation omitted). The Ninth Circuit, in elaborating on 15 the pleading standard described in Twombly and Iqbal, has held that for a complaint to survive 16 dismissal, the plaintiff must allege non-conclusory facts that, together with reasonable inferences 17 from those facts, are “plausibly suggestive of a claim entitling the plaintiff to relief.” Moss v. U.S. 18 Secret Serv., 572 F.3d 962, 969 (9th Cir. 2009). 19 20 IV. DISCUSSION 21 Defendant moves to dismiss all of Plaintiffs’ claims under Federal Rule of Civil Procedure 22 12(b)(6). 23 A. Cognizable Damages 24 Citing Pruchnicki v. Envision Healthcare Corp., 845 Fed. Appx. 613 (9th Cir. 2021), 25 Defendants argue Plaintiffs fail to allege cognizable damages as elements of all of their tort and 26 contract claims under Nevada law.1 As noted below, each of Plaintiffs’ claims require establishing
27 1 As the Ninth Circuit noted in Pruchnicki, plaintiffs in a data breach litigation may sufficiently allege an injury-in- fact to support standing, but nevertheless fail to sufficiently state a claim for compensable damages as required under 28 Nevada law. Pruchnicki, 845 Fed. Appx. at 614 (citing Doe v. Chao, 540 U.S. 614, 624-25 (2004). Defendant does not move to dismiss Plaintiffs claims for lack of standing pursuant to FRCP 12(b)(1). The Court therefore does not 1 cognizable damages. The Court addresses this general challenge to Plaintiffs’ claims before 2 turning to the challenges specific to each claim. To this general damages argument, Plaintiffs 3 respond that they allege the following compensable damages: (1) direct economic losses; (2) 4 substantially increased risk of identity theft; (3) lost time and mitigation efforts; (4) violation of 5 plaintiffs’ privacy rights; (5) diminution in value of PII; and (5) benefit of the bargain damages. 6 The Court addresses each theory of damages in turn. 7 1. Direct Economic Losses 8 Plaintiffs refer to their allegations that because of the data breach, Plaintiff Ferrell and Sax 9 suffered economic losses as a result of the delay of Defendant remitting payment and registering 10 a car due to “internet problems” from the data breach. The Court agrees with Defendant’s argument 11 that these damages arise from Plaintiffs’ breach of contract claims, based on standard payment and 12 related delivery terms express or implied within every automobile contract. The Court finds they 13 are not sufficiently related to the data breach to permit recovery for these losses under Plaintiffs’ 14 tort claims arising from the data breach. 15 To the extent Defendants argue, citing Garcia v. Equifax Information Services, LLC, No. 16 2:17-cv-93123-JAD-VCF, 2019 WL 9160825, at *5 (D. Nev. March 3, 2020) that the allegations 17 as to these damages arising should be stricken under Fed R. Civ. P. 12(f) and 23(d)(1)(D) because 18 they are specific to only two of the class representative Plaintiffs, and thus do not present 19 predominating common questions of law and fact for the putative class, the Court defers ruling on 20 that argument to the class certification stage. The Court therefore denies dismissal as to Plaintiffs’ 21 breach of express contract claims at this stage. 22 2. Substantially Increased Risk of Data Theft 23 The Court finds that Plaintiffs have stated a compensable injury arising from the loss of 24 control of their identity and the accompanying impairment in value of their PII. Smallman v. MGM 25 Resorts Int'l, 638 F. Supp. 3d 1175, 1188 (D. Nev. 2022) (collecting cases wherein courts within 26 address standing in detail but finds that Plaintiffs have sufficiently pled an injury-in-fact by alleging hackers have 27 obtained their sensitive PII including social security numbers and credit card information. See In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (finding standing based on similar factual allegations). 28 1 the Ninth Circuit have found that an individual's loss of control over PII constitutes a cognizable 2 harm). Defendant attempt to distinguish Smallman because the plaintiffs in that case alleged their 3 hacked information had already been “posted for sale on the dark web” and some plaintiffs alleged 4 “criminals ha[d] attempted to make fraudulent purchases on their accounts.” Id. Here, Plaintiffs 5 have not alleged their PII has been posted on the dark web or that there have been fraudulent 6 purchases attempted, but that their information has been obtained by a cybercriminal group known 7 for identity theft for purposes of extortion and selling PII on the dark web. That is sufficient at the 8 pleading stage; Plaintiffs do “do not have to wait until hackers inevitably use their private 9 information for nefarious purposes . . .” In re Eureka Casino Breach Litig., 2:23-CV-00276-CDS- 10 BNW, 2024 WL 4253198, at *5 (D. Nev. Sept. 19, 2024) (citing Remijas v. Neiman Marcus Grp., 11 LLC, 794 F.3d 688, 693 (7th Cir. 2015) as persuasive authority.) 12 3. Loss of Time 13 Plaintiffs allege that they have lost time investigating and mitigating the harms of the data 14 breach. They also state they “may” suffer out-of-pocket losses for credit monitoring services. This 15 is not sufficient. Lost time alone is not a cognizable injury for the purpose of establishing 16 compensable damages. And several district courts in this Circuit have declined to recognize such 17 damages unless accompanied by out-of-pocket expenses. Pruchnicki v. Envision Healthcare Corp., 18 845 Fed. Appx. 613, 614 (9th Cir. 2021) (holding lost time is not a cognizable injury for the 19 purpose of establishing cognizable damages under Nevada law, where unaccompanied by actual 20 (not speculative) out-of-pocket losses). 21 The Court therefore dismisses Plaintiffs’ theory of damages to the extent it alleges damages 22 based on loss of time. However, because amendment could cure this deficiency if Plaintiffs can 23 show actual out-of-pocket expenses incurred in combination with lost time mitigating the harm 24 caused by the theft of their PII, dismissal is without prejudice and with leave to amend. 25 4. Emotional Distress 26 Plaintiffs allege they suffered and continue to suffer emotional distress in the form of 27 “anxiety about unauthorized parties viewing, selling, and/or using their PII for purposes of identity 28 theft and fraud.” Under Nevada law, “in the absence of physical impact, proof of ‘serious 1 emotional distress’ causing physical injury or illness must be presented.” Pruchnicki, 845 Fed. 2 Appx. at 614 (citing Olivero v. Lowe, 995 P.2d 1023, 1026 (Nev. 2000)). Plaintiffs’ allegations 3 regarding their anxiety do not suggest physical injury or illness. Plaintiffs must ultimately provide 4 objective evidence of emotional distress such as treatment records for such damages to be 5 available. 6 The Court therefore dismisses Plaintiffs’ theory of damages without prejudice and with 7 leave to amend. 8 5. Diminution in Value of PII 9 Diminution in the value of personal information can be a viable theory of damages in a 10 data breach case. Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 1234 (D. Nev. 11 2020), aff'd, 845 Fed. Appx. 613 (9th Cir. 2021) (citing In re Facebook Privacy Litig., 572 Fed. 12 App'x 494, 494 (9th Cir. 2014)). The Court finds Plaintiffs have stated a cognizable theory of 13 damages based on the diminution in the value of their PII given the threat that it will be misused 14 by a cybercriminal gang or sold on the dark web by that gang, who is in possession of their PII. 15 Such potential future misuse of Plaintiffs’ PII “interferes with [Plaintiffs’] fiscal autonomy . . . 16 [and] impairs their ability to participate in the economic marketplace.” Smallman, 638 F. Supp. 3d 17 at 1191. 18 Therefore, the court denies Defendant’s motion to the extent it seeks dismissal on the 19 grounds that Plaintiffs’ diminution of value of their PII is not a cognizable harm. 20 6. Benefit of the Bargain 21 Plaintiffs allege that they are entitled to benefit of the bargain damages based on 22 Defendant’s breach of an implied contract. They allege they were required to provide their PII to 23 Defendant as a condition of leasing or purchase a vehicle, or as a condition of receiving 24 maintenance on their vehicles. They allege they reasonably understood that a portion of the funds 25 they paid for their vehicles or other services would be used to ensure adequate cybersecurity would 26 protect their PII, and that Defendant would provide them with prompt and adequate notice of all 27 unauthorized access or theft of their PII, consistent with their duties under state and federal law, 28 and their internal privacy policies. They claim they would not have entrusted their PII to Defendant 1 in the absence of such an agreement. They allege Defendant breached this implied agreement by 2 failing to safeguard their information and promptly notify them of the breach. 3 “A significant body of case law” in the Ninth Circuit supports a benefit-of-the-bargain 4 theory based on an implied contract that a defendant will safeguard PII when it is provided by a 5 customer in exchange for goods and services. In Re Eureka Casino Breach Litig., 2:23-CV-00276- 6 CDS-BNW, 2024 WL 4253198, at *20; (citing Smallman, 638 F. Supp. 3d at 1191 (collecting 7 cases)). The Court is persuaded by this reasoning and finds that allegations that data security was 8 a part of the bargain between Plaintiffs and Defendant, especially given the highly sensitive nature 9 of the PII provided (e.g., social security numbers), are sufficient to state cognizable harm at the 10 pleading stage. See Smallman, 638 F. Supp. 3d at 1190 (finding “the line of cases that accept at 11 the pleading stage more general factual allegations about the plaintiff's expectations for data 12 security and the contours of the parties’ bargain” persuasive and denying dismissal of benefit-of- 13 the-bargain damages). 14 B. Negligence 15 To prevail on a common law negligence claim, a plaintiff must demonstrate that (1) the 16 defendant owed the plaintiff a duty of care, (2) the defendant breached that duty, (3) the breach 17 was the legal cause of the plaintiff’s injuries, and (4) the plaintiff suffered damages. See e.g., Foster 18 v. Costco Wholesale Corp., P.3d 150, 153 (Nev. 2012). Defendant argues that in addition to the 19 failure to allege cognizable damages as discussed above, the economic loss doctrine requires 20 dismissal of Plaintiff’s negligence claim, as well as Plaintiffs’ failure to adequately allege a duty 21 of care. The Court addresses both arguments in turn. 22 1. Economic Loss Doctrine 23 The economic loss doctrine presents recovery for negligence in the absence of a claim of 24 “personal injury or damage to other property.” Hi-Tech Aggregate, LLC v. Pavestone, LLC, 555 25 P.3d 1184, 1190 (Nev. 2024) (citations omitted). “The policy behind the economic loss doctrine 26 is that when there is no personal injury or property damage, remedies are properly addressed 27 through contract law.” Id. However, a plaintiff can recover for the economic consequences of a 28 negligent act if there is accompanying personal injury or property damage. See Terracon 1 Consultants W., Inc. v. Mandalay Resort Group, 206 P.3d 81, 86 (Nev. 2009). 2 The Court finds that Plaintiffs have adequately alleged non-economic harms arising from 3 the loss of control of their identity and the accompanying impairment in value of their PII. 4 Smallman, 638 F. Supp. at 1175 (collecting cases within the Ninth Circuit finding an individual's 5 loss of control over the use of their identity due to a data breach and the accompanying impairment 6 in value of PII constitutes non-economic harm). 7 The Court finds the economic loss doctrine does not require dismissal of Plaintiffs’ 8 negligence claim. 9 C. Duty of Care (Negligence Per Se) 10 Under the doctrine of negligence per se, “a civil statute's violation establishes the duty and 11 breach elements of negligence when the injured party is in the class of persons whom the statute 12 is intended to protect, and the injury is of the type against which the statute is intended to protect.” 13 Sanchez ex rel. Sanchez v. Wal-Mart Stores, Inc., 221 P.3d 1276, 1283 (Nev 2009). Defendants 14 challenge Plaintiffs’ negligence per se claim arguing Plaintiffs cannot establish a duty based on 15 standards set forth in Section 5 of the Federal Trade Commission Act (FTCA), 15 U.S.C. § 45, 16 because there is no private right of action under the FTCA. However, a private right of action is 17 not required, because “it is the tort of negligence, and not the violation of the statute itself, which 18 entitles a plaintiff to recover civil damages.” In re Ambry Genetics Data Breach Litig., 567 F. 19 Supp. 3d 1130, 1142 (C.D. Cal. 2021) (finding Section 5 of FTCA can establish duty and breach 20 under doctrine of negligence per se in a data breach case). 21 Moreover, Defendants concede that NRS 603A.210(1) can establish duty and breach, as 22 alleged by Plaintiffs. They also do not contest that they owed Plaintiffs a common law duty of care 23 to safeguard the PII Plaintiffs provided them. Therefore, the Court declines to dismiss Plaintiffs’ 24 negligence and negligence per se claim for failure to plead that Defendant owed Plaintiffs a duty 25 of care. 26 D. Breach of Implied Contract 27 To establish a breach of contract claim, a plaintiff must show: (1) the existence of a valid 28 contract, (2) plaintiff’s performance (3) defendant’s material failure to perform; and (4) damages 1 resulting from the failure to perform. Calloway v. City of Reno, 993 P.2d 1259, 1263 (2000). 2 Although the terms of an implied contract are manifested by conduct rather than written words, 3 both “are founded upon an ascertainable agreement.” Smith v. Recrion Corp., 541 P.2d 663, 664– 4 65 (Nev. 1975). The formation of an enforceable contract requires the following: (1) offer and 5 acceptance, (2) meeting of the minds, and (3) consideration. May v. Anderson, 119 P.3d 1254, 6 1257 (Nev. 2005). As discussed above, the damages element has been sufficiently pled. 7 Defendants argue Plaintiffs have failed to allege that they paid for cybersecurity measures 8 from Defendant, and thus their implied contract claim fails for want of consideration. Plaintiff’s 9 sole allegation is that they “reasonably understood that a portion of the funds they paid Defendant 10 for their vehicles would be used to pay for adequate security measures.” In their Opposition, 11 Plaintiffs cite to other data breach cases where an implied contract between a merchant and 12 consumer was found but fail to directly address the issue of consideration. The Court finds that 13 this theory actually sounds in tort negligence and not implied contract as Plaintiffs can point to 14 nothing more than a vague understanding to establish a meeting of the minds and specific 15 consideration for this ‘understanding.’ Accordingly, Plaintiffs implied contract claim is dismissed 16 without prejudice due to failure to plead consideration and a proper meeting of the minds, without 17 prejudice and with leave to amend. In Re Eureka Casino Breach Litig., 2:23-CV-00276-CDS- 18 BNW, 2024 WL 4253198, at *14-15 (dismissing implied breach of contract claim without 19 prejudice for failure to address the issue of consideration, where Plaintiffs did not allege that they 20 paid for cybersecurity measures when they purchased the defendant’s services and products). 21 1. Breach of Covenant of Good Faith and Fair Dealing 22 Plaintiffs allege Defendant breached the covenants of good faith and fair dealing in acting 23 unreasonably in performing their implied contract to “implement reasonable, industry standard, or 24 legally required safeguards” for their PII. A contractual breach of the covenants, or contractual 25 bad faith claim, exists when “the terms of a contract are literally complied with but one party to 26 the contract deliberately contravenes the intention and spirit of the contact . . .” Hilton Hotels Corp. 27 v. Butch Lewis Prods., Inc., 808 P.2d 919, 923 (1991). Because the Court dismisses Plaintiffs 28 implied contract claim, there can be no claim for a breach of the implied covenant of good faith 1 and fair dealing. 2 E. Invasion of Privacy 3 Plaintiffs allege a claim for invasion of privacy. In their opposition to the Motion to 4 Dismiss, they clarify that their claim is based on an “intrusion upon seclusion theory.” Under 5 Nevada law such a claim requires (1) an intentional intrusion; (2) physically or otherwise; (3) upon 6 the solitude or seclusion of another or his private affairs or concerns; (4) which would be highly 7 offensive to a reasonable person. Hetter v. Eighth Judicial Dist. Court of State In & For Cnty. of 8 Clark, 874 P.2d 762 (Nev. 1994). Defendant’s sole argument in their Motion to Dismiss the 9 “intrusion upon seclusion” claim is that Plaintiffs fail to establish the fourth element because 10 Plaintiffs’ “speculative allegations that their PII likely or will be published on the dark web” are 11 not enough to show a highly offensive intrusion. 12 A court considering whether a particular action is “highly offensive” should consider the 13 following factors: “the degree of intrusion, the context, conduct and circumstances surrounding 14 the intrusion as well as the intruder's motives and objectives, the setting into which he intrudes, 15 and the expectations of those whose privacy is invaded.” People for Ethical Treatment of Animals 16 v. Bobby Berosini, Ltd., 895 P.2d 1269, 1282 (Nev. 1995) holding modified on other grounds by 17 City of Las Vegas Downtown Redevelopment Agency v. Hecht, 940 P.2d 134 (Nev. 1997). 18 At the pleading stage, the Court finds based on the factors set forth under Nevada law that 19 the allegation that Plaintiffs’ sensitive PII is in the hands of a notorious cybercriminal gang, known 20 for identity theft, extortion, and selling PII on the dark web, is sufficient to plead the “highly 21 offensive” element. 22 F. Unjust Enrichment 23 Defendant argues Plaintiff have failed to plead facts sufficient to state an unjust enrichment 24 claim. “Unjust enrichment exists when the plaintiff confers a benefit on the defendant, the 25 defendant appreciates such benefit, and there is acceptance and retention by the defendant of such 26 benefit under circumstances such that it would be inequitable for him to retain the benefit without 27 payment of the value thereof.” Certified Fire Prot. Inc. v. Precision Constr. Inc., 283 P.3d 250, 257 28 (Nev. 2012) (quotation marks and citations omitted). The Court finds that the Plaintiffs have not 1 adequately pled an unjust enrichment claim under Nevada law. The Plaintiffs have not sufficiently 2 pled that the sharing of their information or that their PII itself had a value for which they received 3 no reciprocal consideration. The Court rejects the Plaintiffs’ theory of overpayment as essentially 4 another theory of negligence. This claim is dismissed without prejudice. 5 G. Injunctive Relief and Declaratory Judgment 6 Plaintiffs plead a separate claim for injunctive and declaratory relief. Defendant moves to 7 dismiss both claims. 8 1. Declaratory Judgement 9 Plaintiffs seek a declaratory judgment that Defendant’s breached legal duties to them, 10 including under the FTCA. The Court finds that such a judgment would be duplicative of Plaintiffs’ 11 negligence per se claim, and that the relief sought will be obtained through resolution of that claim. 12 “Where a claim for declaratory relief is merely duplicative of other causes of action asserted by a 13 plaintiff, dismissal is proper.” Tyler v. Travelers Commercial Ins. Co., 499 F.Supp.3d 693, 702 14 (N.D. Cal. 2020) (citing Swartz v. KPMG LLP, 476 F.3d 756, 765–66 (9th Cir. 2007)). The Court 15 therefore dismisses Plaintiffs cause of action for a declaratory judgment. 16 2. Injunctive Relief 17 Plaintiffs allege that Defendant’s security measures regarding their PII, which is still in 18 Defendant’s possession, “remain inadequate and unreasonable” and seek injunctive relief requiring 19 Defendant to implement adequate security protocols consistent with industry standards, including 20 encryption, regular audits, and employee training, to prevent future data breaches that would 21 impact them. Defendant argues this claim should be dismissed because they have failed to establish 22 an imminent or substantial risk. 23 To the extent Plaintiffs seek a preliminary injunction, Plaintiffs must file a separate Motion. 24 The Court finds the allegations “are sufficient to allege that a data breach is sufficiently likely to 25 recur such that injunctive relief will redress Plaintiffs’ injuries” should the Plaintiffs prevail 26 through class certification. In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1141 27 (C.D. Cal. 2021). The Court will allow Plaintiffs’ prayer for relief to proceed on behalf of Plaintiffs 28 and the putative class. 1 V. CONCLUSION 2 For the foregoing reasons, IT IS ORDERED that the Defendant’s Motion to Dismiss (ECF 3 | No. 39) is GRANTED in part and DENIED in part. The individual claims are addressed as 4] follows: 5 (1) Defendant’s Motion to Dismiss Plaintiffs’ first cause of action for negligence is 6 DENIED; 7 (2) Defendant’s Motion to Dismiss Plaintiffs’ second cause of action for breach of express 8 contract is DENIED: 9 (3) Plaintiffs’ third cause of action for breach of implied contract is DISMISSED without 10 prejudice; 11 (4) Defendant’s Motion to Dismiss Plaintiffs’ fourth cause of action for invasion of privacy 12 is DENIED; 13 (5) Plaintiffs’ fifth cause of action for unjust enrichment is DISMISSED without 14 prejudice; 15 (6) Plaintiffs’ sixth cause of action for declaratory judgment and injunctive relief is 16 DISMISSED with prejudice; Plaintiffs’ prayer for injunctive relief may proceed. 17 IT IS FURTHER ORDERED that Plaintiffs are granted leave to amend to address the 18 | deficiencies outlined in this Order. If Plaintiffs intend on filing an amended complaint, it must be 19] titled “Second Amended Class Consolidated Class Complaint” and filed on or before April 18, 20] 2025. 21 IT IS FURTHER ORDERED that, pursuant to the Court’s (ECF No. 48) Order, the 22 | Parties shall file a joint proposed discovery plan and scheduling order by April 15, 2025. 23 DATED: March 31, 2025. 25 4 S 26 RICHARD F. BOULWARE, II UNITED STATES DISTRICT JUDGE 28
-13-