Toretto v. Donnelley Financial Solutions, Inc.

• Court: District Court, S.D. New York
• Decided: March 5, 2021
• Docket: 1:20-cv-02667
• Status: Unknown

Opinion

UNITED STATES DISTRICT COURT DOC #: _________________ SOUTHERN DISTRICT OF NEW YORK DATE FILED: 3/5/2021 ------------------------------------------------------------------X PHILLIP TORETTO, DANIEL C. KING, and : SHERI BRAUN, individually and on behalf of : others similarly situated, : : 1:20-cv-2667-GHW Plaintiffs, : -against- : MEMORANDUM OPINION : AND ORDER DONNELLEY FINANCIAL SOLUTIONS, INC. : and MEDIANT COMMUNICATIONS, INC., : : Defendants. : ------------------------------------------------------------------X

GREGORY H. WOODS, United States District Judge: Defendants Donnelley Financial Solutions (“Donnelley”) and Mediant Communications, Inc. (“Mediant”) work together to provide proxy services for public companies and mutual funds. In 2019, hackers breached one of Mediant’s servers. The hackers stole the personal information of over 200,000 people, including Plaintiffs. Plaintiffs brought this action against Mediant alleging, among other things, that Mediant was negligent in the implementation of its cyber security policies. Although the breach itself occurred at Mediant, Plaintiffs allege that Donnelley too was negligent because it failed to adequately supervise Mediant’s cyber security practices. In this set of motions, Defendants challenge Plaintiffs’ standing to bring the claims against them. Defendants’ arguments focus on the sufficiency of the complaints’ allegations regarding whether Donnelley and Mediant are partners—Donnelley contends that unless it is demonstrated to have been Mediant’s partner, Plaintiffs’ injuries cannot be “fairly traceable” to it. And Mediant contends that it cannot be held liable for breaches of contracts entered into by Donnelley unless it is shown to have been Donnelley’s partner. But the motion disregards the complaint’s allegations that each of the Defendants directly caused Plaintiffs’ alleged injuries, and confuses the standard for pleading the merits of a claim and that for standing. Because the complaint makes the modest showing required to plead standing, Defendants’ motions to dismiss are denied. I. BACKGROUND Facts 1. The Hack On April 1, 2019, hackers accessed the business email accounts of Mediant. Second Am. Compl. (“SAC”), Dkt. No. 57, ¶¶ 16. The hackers stole the personal information of a number of individuals, including the named plaintiffs in this case. Id. ¶¶ 6–8, 29–30, 36–38, 42–43. Mediant had received the stolen information as part of its business providing investor communication services to financial institutions. ¶ 20. Mediant discovered the hack the day of the intrusion, and promptly disconnected the affected server from its system. Id. ¶ 16. Mediant began an investigation into the breach, but the company did not immediately notify the impacted customers. Id. It was not

until the end of May 2019, nearly two months after the breach that Mediant notified the affected customers. Id. ¶ 17. The breach was truly massive: notices went out to “over 200,000 individuals in all fifty states and the District of Columbia and Puerto Rico.” Id. Plaintiffs allege that the hack was enabled by Mediant’s poor network security. “The criminal hackers would not have been able to gain access to four email accounts simultaneously but for Mediant maintaining deficient controls to prevent and monitor for unauthorized access.” Id. ¶ 23. And Mediant did not encrypt personal information stored in the company’s system. Id. ¶ 18. Plaintiffs also allege that Mediant failed to adequately notify its customers regarding the breach. Id. ¶¶ 26–27. 2. The “Partnership” The hackers attacked Mediant, but Mediant is not the only target of this lawsuit. That is because Mediant worked together with Donnelley to provide investor communication services. It was through Mediant’s working relationship with Donnelley that Mediant received the personal information of the named plaintiffs in this case. Id. ¶¶ 30, 37, 43. The Defendants’ motions focus on the nature of the relationship between Mediant and Donnelley. In particular, the motions challenge whether Donnelley’s involvement in Mediant’s business was sufficient for Donnelley to be sued for the alleged deficiencies in Mediant’s cybersecurity, and whether the two companies are adequately alleged to have been “partners,” such that Mediant can be bound by contracts signed by Donnelley. Donnelley describes itself as “a leader in risk and compliance solutions, providing insightful technology, industry expertise and data insights to clients across the globe.” Id. ¶ 13. Donnelley offers a broad range of products and services, significantly here in technology, initial public

offerings, mergers and acquisitions, proxy services, and other global filings. Id. Mediant “holds itself out as a leader in investor communications, offering ‘game-changing new technologies for banks, brokers, fund companies, and issuers.’” Id. ¶ 14. Donnelley and Mediant work together to provide proxy services. Id. ¶ 15. The pair describe themselves as “the perfect partnership to power [their clients’] fund proxies.” Id. Defendants’ marketing materials describe the pair as “industry’s only single-source solution for start-to-finish fund proxy services.” Id. (quoting The Perfect Partnership to Power Your Fund Proxies, https://www.dfinsolutions.com/insights/fact-sheet/dfin-and-mediant-perfect-partnership-power- you-fund-proxies). Partially in reliance on Donnelley and Mediant’s description of themselves as a partnership, the complaint alleges that the pair formed a legal partnership, and refers to them collectively as the “Partnership.” The complaint alleges that Donnelley “had equal rights in the management and conduct of the Partnership.” Id. ¶ 26. It also states that, in particular, Donnelley had the “right as a

partner in the Partnership” to “exercise appropriate managerial oversight of Mediant’s data security.” Id. The complaint alleges that the companies and investment funds that used the pair’s services hired both of them together—not just one or the other, but instead, the touted “perfect partnership.” Id. ¶ 1. The complaint alleges that “[p]ublic companies and mutual funds hire Donnelley and Mediant as their proxy agent to distribute materials to shareholders, coordinate shareholder votes, and tabulate voting results.” Id. The allegation is that the pair are hired jointly as the singular “proxy agent” for the companies and funds. Id. Donnelley is alleged to be liable for the security breach at Mediant for two reasons. First, Plaintiffs assert that Donnelley is vicariously liable for the hack at Mediant and its consequences because the pair were partners. Id. ¶ 130 (“[B]y entering into a partnership with Mediant for the

provision of proxy services, Donnelley is vicariously liable for Mediant’s failures as alleged herein.”); see also id. ¶¶ 4, 26, 140. The complaint attributes many of the asserted deficiencies that led to the breach, and in the response to the breach, to the “Partnership.” Second, Plaintiffs assert that Donnelley was directly liable for the plaintiffs’ injuries because of its alleged “failure to exercise appropriate managerial oversight of Mediant’s data security.” Id. ¶¶ 4, 26. Donnelley is alleged to have failed “to ensure its agent and partner Mediant implemented security systems, protocols and practices sufficient to protect Plaintiffs’ and Class Members’ Personal Information” and failed “to supervise its agent and partner Mediant regarding Mediant’s data security systems, protocols and practices when it knew or should have known those systems, protocols and practices were inadequate.” Id. ¶ 129. Donnelley is also alleged to have been directly liable as a result of its conduct after the breach because it failed “to timely disclose that Plaintiffs’ and Class Members’ Personal Information had been improperly acquired or accessed.” Id. Donnelley is also alleged to have violated contracts of which Plaintiffs were third party beneficiaries.

Id. ¶¶ 145–49. 3. Plaintiffs’ Claims to be Third Party Beneficiaries of Donnelley and Mediant’s Contracts with Their Customers Plaintiffs assert that they are third party beneficiaries of contracts entered into between Donnelley and its customers—the funds and companies to whom it provides proxy and other financial services. Donnelley “entered into contracts with public companies and mutual funds to provide and perform proxy services.” Id. ¶ 145. The personal information of each of the named Plaintiffs was stolen as a result of their investment in identified funds. In the case of each named Plaintiff, the relevant fund had entered into a direct contractual relationship with Donnelley for the provision of proxy services. See, e.g., id. ¶ 30 (“Donnelley had the direct contractual relationship with Blackstone Real Estate Income Trust, Inc. or its agents for the performance of the Partnership’s proxy services.”); see also id. ¶¶ 37, 43 (alleging the same with respect to funds in which the other named Plaintiffs invested). The complaint also alleges that “[i]n some instances, acting in the ordinary course of the Partnership, Mediant also directly contracted with public companies and mutual funds to provide and perform proxy services. Id. ¶ 145. The complaint alleges that Donnelley acted “in the ordinary course of the business of the Partnership” when it entered into contracts with customers to provide proxy services. Id. ¶ 145. As a result of Donnelley’s agreement with the funds in which the named Plaintiffs invested, Mediant

was provided their personal data, which was later stolen in the hack. Plaintiffs allege “[o]n information and belief” that “each of those respective contracts contained provisions requiring Donnelley and/or Mediant to protect the investor information that Donnelley and/or Mediant received in order to provide such proxy services in carrying out the business of the Partnership.” Id. ¶ 146. Also “[o]n information and belief” Plaintiffs allege that “these provisions requiring Donnelley and/or Mediant acting in the ordinary course of the business of the Partnership to protect the personal information of the company/mutual fund’s investors was intentionally included for the direct benefit of Plaintiffs and Class Members, such that Plaintiffs and Class Members are intended third party beneficiaries of these contracts, and therefore are entitled to enforce them.” Id. ¶ 147. Procedural History This is not the first attempt by Plaintiffs to sue Mediant as a result of the hack and its consequences. Plaintiffs previously brought actions against Mediant in both the Northern District of California and the Southern District of Florida. Both of those actions were dismissed for lack of personal jurisdiction. Toretto v. Mediant Commc’ns, Inc., No. 19-cv-52980-EMC, 2020 WL 1288478 (N.D. Cal. Mar. 18, 2020); Braun v. Mediant Commc’ns, Inc., No. 19-62563-CIV-SMITH, 2020 WL 5038780 (S.D. Fla. Apr. 14, 2020). Presumably those failed attempts led Plaintiffs to the Southern District of New York, given that Mediant is headquartered in New York City. SAC ¶ 10.

Plaintiffs filed this action on March 30, 2020, naming both Mediant and Donnelley as defendants. Dkt No. 1. On May 19, 2020, Plaintiffs filed their first amended complaint. Dkt No. 19. On July 17, 2020, Mediant moved to dismiss several counts of the first amended complaint; Donnelley moved to dismiss that complaint in its entirety. Dkt Nos. 46, 50. On August 5, 2020, Plaintiffs filed the second amended complaint. Dkt No. 57. The second amended complaint asserts several causes of action against each of the defendants: negligence (Count I), negligence per se (Count II), breach of contracts to which Plaintiffs allege that they are third-party beneficiaries (Count III), unjust enrichment (Count IV), declaratory judgment (Count V), and violation of various California and Florida state statutes (Counts VI–VIII). Each of the defendants filed a separate motion to dismiss the second amended complaint pursuant to Fed. R. Civ. P. 12(b)(1), asserting that the complaint does not adequately plead that Plaintiffs have standing to assert all of their claims against Defendants. In its motion, Donnelley has moved to dismiss all of the claims against it. Dkt. No. 64. Donnelley asserts that Plaintiffs’ claims

against it rely on the complaint’s allegations regarding the existence of a partnership relationship between it and Mediant. Donnelley argues that because all of the elements of a legal partnership are not adequately pleaded in the complaint, Plaintiffs have not adequately demonstrated that Donnelley caused their injury. Mediant moved only to dismiss the breach of contract claim against it. Dkt. No. 67. Because the complaint does not allege that Mediant signed the contracts with Plaintiffs, it asserts that Plaintiffs cannot sue it, a non-signatory, for breach of contract. Each of these arguments is discussed in detail below. II. DISCUSSION A. Legal Standard 1. Fed. R. Civ. P. 12(b)(1) “A district court properly dismisses an action under Fed R. Civ. P. 12(b)(1) for lack of subject-matter jurisdiction if the court ‘lacks the statutory or constitutional power to adjudicate it,’ such as when . . . the plaintiff lacks constitutional standing to bring the action.” Courtland St. Recovery Corp. v. Hellas Telcomms., S.a.r.l., 790 F.3d 411, 416–17 (2d Cir. 2015) (quoting Makarova v. United

States, 201 F.3d 110, 113 (2d Cir. 2000)). Where, as here, “the Rule 12(b)(1) motion is facial, i.e., based solely on the allegations of the complaint . . . [t]he task of the district court is to determine whether the [complaint] allege[s] facts that affirmatively and plausibly suggest that [the plaintiff] has standing to sue.” Carter v. Healthport Techs, LLC, 822 F.3d 47, 56 (2d Cir. 2016) (third and fourth alterations in original) (internal quotations and citations omitted). “At the pleading stage, general factual allegations of injury resulting from the defendant’s conduct may suffice, for on a motion to dismiss [the Court] presume[s] that general allegations embrace those specific facts that are necessary to support the claim.” Id. (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992)). The Court must “accept[] as true all material factual allegations of the complaint, and draw[] all reasonable inferences in favor of the plaintiff.” Id. at 57. 2. Article III Standing “Article III restricts federal courts to the resolution of cases and controversies . . . . That restriction requires that the party invoking federal jurisdiction have standing—the personal interest that must exist at the commencement of the litigation.” Carter, 822 F.3d at 55 (omission in original). “This is the threshold question in every federal case, determining the power of the court to entertain the suit.” Warth v. Seldin, 422 U.S. 490, 498 (1975). “The ‘“irreducible constitutional minimum” of standing consists of three elements’: the individual initiating the suit ‘must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.’” Dhinsa v. Krueger, 917 F.3d 70, 77 (2d Cir. 2019) (quoting Spokeo, Inc. v. Robbins, 136 S. Ct. 1540, 1547 (2016)). The party seeking to invoke federal jurisdiction bears the burden of establishing each of these elements. See Spokeo, 136 S. Ct. at 1547.

Defendants’ motions here focus on the second of these three elements—traceability, or causation. “The traceability requirement for Article III standing means that the plaintiff must ‘demonstrate a causal nexus between the defendant’s conduct and the injury.’” Rothstein v. UBS AG, 708 F.3d 82, 91 (2d Cir. 2013) (quoting Heldman v. Sobol, 962 F.2d 148, 156 (2d Cir. 1992)). Such a nexus is most easily shown if there is a direct relationship between the plaintiff and the defendant with respect to the conduct at issue. However, while the “indirectness” of an injury “‘may make it substantially more difficult’” to show the “fairly traceable” element of Article III standing, i.e., “‘to establish that, in fact, the asserted injury was the consequence of the defendants’ actions,” indirectness is “not necessarily fatal to standing,” because the “fairly traceable” standard is lower than that of proximate cause. Central to the notion of proximate cause is the idea that a person is not liable to all those who may have been injured by his conduct, but only to those with respect to whom his acts were a substantial factor in the sequence of responsible causation and whose injury was reasonably foreseeable or anticipated as a natural consequence.

Id. (citations omitted).

“The requirement that a complaint allege[] an injury that is fairly traceable to defendants’ conduct ... for [purposes of] constitutional standing is a lesser burden than the requirement that it show proximate cause.” Id. at 92. (alterations in original) (internal quotation marks and citation omitted). The fact that there is an intervening cause of a plaintiff’s injury is not necessarily a basis to find that the injury is not “fairly traceable” to a defendant’s conduct, even if that intervening cause would foreclose a finding of proximate cause. Id. As a result, the Second Circuit has noted that “particularly at the pleading stage, the ‘fairly traceable’ standard is not equivalent to a requirement of tort causation’ and that ‘for purposes of satisfying Article III’s causation requirement, we are concerned with something less than the concept of proximate cause.” Id. (quoting Connecticut v. Am. Elec. Power Co., 582 F.3d 309, 346 (2d Cir. 2009), rev’d on other grounds, 564 U.S. 410 (2011)). At the pleading stage of an action, as here, “the plaintiff’s burden . . . of alleging that their injury is ‘fairly traceable’ to the challenged act is relatively modest.” Id. (internal quotations and citation omitted). “In sum, the test for whether a complaint shows the “fairly traceable” element of Article III standing imposes a standard lower than proximate cause.” Id. Rather than a showing of

proximate cause, “Article III ‘requires no more than de facto causality.’” U.S. Dep’t of Com. v. New York, 139 S. Ct. 2551, 2566 (2019) (quoting Block v. Meese, 793 F.2d 1303, 1309 (D.C. Cir. 1986) (Scalia, J.) (distinguishing between the “legal cause” of an injury and traceability, “which requires no more than de facto causality”)). A plaintiff’s pleading burden to establish the elements of standing is lower than that for pleading the merits of a claim. To successfully plead the elements of Article III standing, “[i]t is the responsibility of the complainant clearly to allege facts demonstrating that he is a proper party to invoke judicial resolution of the dispute . . . .” Warth, 422 U.S. at 518. The requirement that one “clearly allege” facts demonstrating standing “is a low[er] threshold than that for sustaining a valid cause of action.” Harry v. Total Gas & Power N. Am., Inc., 889 F.3d 104, 110 (2d Cir. 2018) (alteration in original) (quoting Ross v. Bank of Am., N.A., 524 F.3d 217, 222 (2d Cir. 2008)). “While the pleading of a cause of action must possess enough heft to show that the pleader is entitled to relief, to plead standing, the pleader need only show that allowing her to raise her claim in federal court would

not move so beyond the court’s ken as to usurp the power of the political branches.” Id. at 110–11 (internal quotation marks and citation omitted). Unless an allegation “is so insubstantial, implausible, foreclosed by prior decisions of [the Supreme] Court, or otherwise completely devoid of merit as not to involve a federal controversy, the mere fact that it raises a federal question…confers power [on a federal court] to decided that it has no merit, as well as to decide that it has.” Id. at 111 (omission in original) (second alteration in original) (internal quotation marks and citations omitted). Judge Kaplan recently evocatively captured the distinction in the pleading standard for standing as opposed to merits issues: “the standard for Article III standing is not whether the alleged injury is plausibly fairly traceable, but, rather, whether the injury is possibly fairly traceable.” Dennis v. JPMorgan Chase & Co., 343 F. Supp. 3d 122, 156 (S.D.N.Y. 2018). This distinction in the pleading standard for standing and merits issues can result in “a common confusion between the standing and merits inquiries, which—of course—are conceptually

distinct.” New York v. U.S. Dep’t of Commerce, 351 F. Supp. 3d 502, 623–24 (S.D.N.Y. 2019), aff’d in part, rev’d in part and remanded, 139 S. Ct. 2551, appeal dismissed, No. 19-212, 2019 WL 7668098 (2d Cir. Aug. 7, 2019). “[S]tanding in no way depends on the merits of the plaintiff’s contention that particular conduct is illegal . . . .” Warth, 422 U.S. at 500. The issue of standing is distinct from whether a plaintiff has a cause of action. See Carver v. City of New York, 621 F.3d 221, 226 (2d Cir. 2010). Despite this clearly established distinction, as the cases cited above illustrate, litigants frequently conflate standing and merits issues. See Merriam v. Demoulas, No. CIV.A. 11-10577-RWZ, 2013 WL 2422789, at *3–4 (D. Mass. June 3, 2013) (holding that whether a party was vicariously liable for a breach “is a merits question that should not be conflated with the standing issue.”). That is the case here. B. Application 1. Plaintiffs Adequately Plead Donnelley Was A Direct Cause of Plaintiffs’ Injuries Plaintiffs have adequately pleaded that Donnelley was a direct cause of Plaintiffs’ injuries. Donnelley entered into contracts with the funds in which Plaintiffs invested. SAC ¶¶ 30, 37, 43. As a result of Donnelley’s contractual relationships with those funds, Mediant was provided with Plaintiffs’ personal information, which was later disclosed in the hack. Plaintiffs plausibly allege that Donnelley failed to ensure that Mediant implemented appropriate security systems and protocols, and that it failed to supervise Mediant’s security practices “when it knew or should have known” that its security practices were inadequate. Id. ¶ 129. Donnelley is also alleged to be liable as a result of its conduct after the breach because it failed “to timely disclose that Plaintiffs’ and Class Members’ Personal Information had been improperly acquired or accessed.” Id. Moreover, Plaintiffs assert a claim for breach of contract against Donnelley directly, claiming that they are third party beneficiaries of the contracts that Donnelley entered into with its customers. Id. ¶¶ 145–48. These allegations are more than sufficient to clearly allege facts showing that Plaintiffs’

injuries are fairly traceable to Donnelley’s actions. Donnelley contracted to provide proxy services for its clients; the information was provided to Mediant as a result of that contract, and the information was compromised. Donnelley failed to advise its customers of the breach timely. Donnelley is alleged to have contractual obligations to Plaintiffs, which were violated when Plaintiffs’ personal data was exposed. While the ultimate breach occurred at Mediant, “the fact that there is an intervening cause of the plaintiff’s injury may foreclose a finding of proximate cause but is not necessarily a basis for finding that the injury is not ‘fairly traceable’ to the acts of the defendant.” Rothstein, 708 F.3d at 92. Plaintiffs have met the “relatively modest” burden to plead that their injury is fairly traceable to the conduct of Donnelley. Id. Donnelley proposes that the Court hold Plaintiffs to a much higher pleading standard. Donnelley inaccurately asserts that Plaintiffs must plead that “the defendant’s influence [has] been a sufficient cause—not just a but-for or necessary cause—of the third party’s injury-causing actions for the plaintiff’s injuries to be traceable to that defendant.” Donnelley Mem. Law Supp. Mot. to

Dismiss (“Donnelley Mem.”), Dkt. No. 68, at 11–12 (emphasis added). Donnelley proposes that the Court set the pleading standard for standing at a higher bar than even proximate causation—and a substantially higher bar than de facto causality. Donnelley bases its argument on a misapplication of the discussion of a “determinative or coercive” effect of independent third-party acts in relation to standing in the Second Circuit’s unreported decision in National Council of La Raza v. Mukasey, 283 Fed. App’x 848 (2d Cir. 2008). In National Council of La Raza, the Circuit wrote: While the Supreme Court has explained that causation is lacking if the claimed injury is “the result [of] the independent action of some third party not before the court,” a plaintiff need not allege that a defendant’s challenged actions were the very last step in a chain of events leading to an alleged injury to allege causation adequately. It is sufficient for a plaintiff to plead facts indicating that a defendant’s actions had a “determinative or coercive effect upon the action of someone else” who directly caused the alleged injury.

Id. at 851 (alteration in original) (internal citations omitted). This statement relies on the Supreme Court’s decision in Bennett v. Spear, 520 U.S. 154 (1997). There, the Court stated that “[w]hile, as we have said, it does not suffice if the injury complained of is ‘th[e] result [of] the independent action of some third party not before the court,’ that does not exclude injury produced by determinative or coercive effect upon the action of someone else.” Id. at 169 (second and third alterations in original) (citations omitted). There are two principal reasons why Donnelley’s reliance on this line of cases is errant. First, each of the cases applying this standard does so in the context in which the claimed injury resulted from “the independent action of some third party not before the court.” See, e.g., Carver, 621 F.3d at 226. This is not the case here. Mediant is before the Court. But more importantly, as alleged, Mediant was not a wholly independent actor. Mediant received Plaintiffs’ personal information as a result of contractual arrangements entered into by Donnelley. Mediant and Donnelley advertised themselves as partners. Mediant’s actions are not those of an independent actor. Second, Donnelley’s argument that to show that a third party’s action had a “determinative and coercive” effect, a plaintiff must plead a higher standard of causation than but-for cause is not supported by the case law. Donnelley Mem. at 11. As the Circuit wrote while applying the test in Carver, “causation turns on the degree to which the defendant’s actions constrained or influenced the decision of the final actor in the chain of causation.” 621 F.3d at 226. To limn the degree of causation required to be shown, the court in Carver compared the Supreme Court’s analysis in Bennett with that in Simon v. Eastern Kentucky Welfare Rights Organization, 426 U.S. 26 (1976). At one end, in Bennett, standing was pleaded sufficiently where the “administrative advisory opinion caused the advisee’s action because it played a ‘central role’ in the advisee’s decision.” Bennett, 520 U.S. at 169; accord Carver, 621 F.3d at 226–27. At the other end, in Simon, the Court found that it was “purely speculative whether the denials . . . fairly can be traced to [the Ruling] or instead result[ed] from decisions made by the hospitals without regard to the tax implications.” Simon, 426 U.S. at 28; accord

Carver, 621 F.3d 227. So a showing that a third party played a central role is sufficient; a relationship based on pure speculation is not. The cases do not support Donnelley’s argument that a plaintiff must demonstrate something more than “just a but-for or necessary cause” to meet the traceability requirement. Donnelley Mem. at 11.1 Donnelley proposes a standard that is substantially higher than the proximate causation standard that the Supreme Court has consistently told us need not be met in order to clearly allege standing. Third, to the extent that the determinative and coercive test applies here, it is satisfied by the facts as pleaded. Donnelley entered into agreements with its customers to provide proxy services. It, in turn, worked with Mediant so that Mediant would provide a portion of the services that Donnelley agreed to provide to its customers. As alleged, Donnelley had the authority to supervise

1 Donnelley’s arguments also contort the case law by arguing that “where the alleged injury was not directly caused by the defendant, but rather by a third party, a plaintiff must ‘plead facts indicating that a defendant’s actions had a ‘determinative or coercive effect upon the action of [the third party]’ who directly caused the alleged injury’” Donnelley Mem. at 10 (quoting Nat’l Council of La Raza, 283 Fed. App’x at 851) (alteration in original) (emphasis added). Note that Donnelley inserts the word “must” before the quoted text from La Raza. What the La Raza court actually said—in line with Bennett—was that “[i]t is sufficient for a plaintiff to plead facts indicating that a defendant’s actions had a ‘determinative or coercive effect.’” Nat’l Council of La Raza, 283 Fed. App’x at 851 (emphasis added). It makes a difference whether it is sufficient to show something to meet a standard, or whether one “must” make that showing: saying that a 4.0 GPA is sufficient to get you into Cornell University does not mean that you must have a 4.0 GPA to do so. Donnelley’s word substitution substantively alters the standard in a misleading way. the cyber security protocols of Mediant. That allegation is far from implausible. Regardless of whether Donnelley and Mediant were legal partners, Donnelley provided its customers’ personal information to Mediant in support of Donnelley’s customer relationships. Donnelley is alleged to have been aware of concerns regarding cyber security. See, e.g., SAC ¶ 81. In the 21st century, it is certainly plausible that Donnelley would not have entrusted its clients’ data to Mediant without some assurances regarding, and control over, Mediant’s cyber security practices. Donnelley’s argument that Plaintiffs must plead all of the elements of a legal partnership in order to have standing to pursue its claims that Donnelley is vicariously liable as Mediant’s partner is largely misplaced. Donnelley has succumbed to the common confusion of conflating a merits issue

with standing. Whether Donnelley is vicariously liable for Mediant’s breach “is a merits question that should not be conflated with the standing issue.” See Merriam, 2013 WL 2422789, at *4. As described above, the causal chain linking Donnelley to Mediant does not turn on whether or not the relationship between the two meets the criteria for a legal partnership. Therefore the Court need not determine whether the complaint adequately alleges the existence of a legal partnership between Donnelley and Mediant in order to determine that Plaintiffs have standing to pursue their claims against Donnelley. 2. Plaintiffs Have Clearly Alleged Facts Demonstrating Standing to Assert Breach of Contract Claims Plaintiffs also have standing to bring their breach of contract claim against Defendants. Plaintiffs allege that Donnelley entered into contracts with three specific entities in which the lead Plaintiffs invested. SAC ¶¶ 30, 37, 43. “Donnelley entered into contracts with public companies and mutual funds to provide and perform proxy services.” Id. ¶ 145. But Plaintiffs do not allege that all contracts were with Donnelley: Plaintiffs allege that “[i]n some instances . . . Mediant also directly contracted with public companies and mutual funds to provide and perform proxy services.” Id. Plaintiffs further allege “[o]n information and belief” that “each of those respective contracts contained provisions requiring Donnelley and/or Mediant to protect the investor information that Donnelley and/or Mediant received.” Id. ¶ 146. Plaintiffs allege, again “[o]n information and belief” that these provisions were “intentionally included for the direct benefit” of Plaintiffs. Id. ¶ 147. Plaintiffs allege these contracts were breached when Donnelley and Mediant failed to protect their information. Id. ¶ 148. Mediant’s argument that Plaintiffs’ standing relies on the existence of a partnership between Mediant and Donnelley disregards these pleaded facts. Mediant argues that “[w]ithout their partnership theory, Plaintiffs have failed to allege the existence of a contract between Mediant and any other entity. As it is legally impossibly to be a third party beneficiary to a non-existent contract,

Plaintiffs’ Count III must be dismissed.” Mediant Mem. Supp. Mot. to Dismiss (“Mediant Mem.”) at 6, Dkt. No. 66. The complaint does allege the existence of contracts with Mediant. SAC ¶ 145. And it alleges that those contracts contained provisions requiring Mediant to protect investors’ information, id. ¶ 146, and that they included provisions making Plaintiffs and class members intended third party beneficiaries of the contracts. Id. ¶ 147. These allegations do not rely on the viability of Plaintiffs’ allegations regarding the partnership between Donnelley and Mediant. Accepted as true, they are sufficient to make the modest showing required to plead Plaintiffs’ standing to pursue their breach of contract claims. The remainder of Defendants’ arguments contesting Plaintiffs’ standing to pursue their breach of contract claims attack the sufficiency of the allegations to plead that Plaintiffs’ are the third-party beneficiaries of the contracts at issue. 2 At the outset, by challenging the sufficiency of the allegations to plead a cause of action for breach of contract in the context of a Rule 12(b)(1) challenge to Plaintiffs’ standing, Defendants again tempt the Court to conflate a merits inquiry with

2 Donnelley incorporates Mediant’s arguments by reference. standing. To the extent that Plaintiffs have failed to plead a cause of action, that issue is properly raised in the context of a motion under Rule 12(b)(6). Nonetheless, the Court addresses Defendants’ argument that Plaintiffs have failed to adequately plead that they are the third-party beneficiaries of the contracts at issue. Mediant notes that “third party beneficiary claims are narrow exceptions to the general rule that a non-party has no standing to enforce a contract.” Mediant Mem. at 7 (citing In re Motors Liquidation Co., 580 B.R. 319, 340–42 (Bankr. S.D.N.Y. 2018)).3 As a result, Mediant argues that Plaintiffs must adequately plead that they are third party beneficiaries of the relevant contracts. The complaint clearly alleges that Plaintiffs were intended third-party beneficiaries of the

agreements. As shown by the quoted text above, the complaint states that the contracts contain language to that effect and that the provisions were intentionally included for Plaintiffs’ benefit. These allegations are sufficient, notwithstanding the fact that they are made on information and belief. See Fishbein v. Miranda, 670 F. Supp. 2d 264, 275 (S.D.N.Y. 2009) (finding that plaintiffs had adequately alleged they were intended third-party beneficiaries for purposes of standing even when plaintiffs’ allegation that the contract was intended for plaintiffs’ benefit was made “on information and belief”). Mediant asks that the Court disregard those factual allegations because they were pleaded “on information and belief.” The Court cannot do so. The Court must “accept[] as true all material factual allegations of the complaint,” “draw[] all reasonable inferences in favor of the plaintiff,” and “presume that general allegations embrace those specific facts that are necessary to support the

3 This is a fair statement of the general rule, although the parties do not distinguish between prudential and constitutional standing in their discussion of the issue. “The doctrine of standing asks whether a litigant is entitled to have a federal court resolve his grievance. This inquiry involves ‘both constitutional limitations on federal-court jurisdiction and prudential limitations on its exercise.’” Kowalski v. Tesmer, 543 U.S. 125, 128–29 (2004) (quoting Warth, 422 U.S. at 498). Non-parties to a contract other than third party beneficiaries have been found to lack prudential standing. See, e.g., Hillside Metro Assocs., LLC v. JPMorgan Chase Bank, Nat’l Ass’n, 747 F.3d 44, 48 (2d Cir. 2014). “Non- parties to a contract ordinarily do not have a “concrete and particularized injury.” In re Motors Liquidation Co., 580 B.R. at 342. As a result, such may also lack constitutional standing. claim.” Carter, 822 F.3d at 56, 57. “The Twombly plausibility standard, which applies to all civil actions, does not prevent a plaintiff from pleading facts alleged ‘upon information and belief’ where the facts are peculiarly within the possession and control of the defendant, or where the belief is based on factual information that makes the inference of culpability plausible.” Arista Recs., LLC v. Doe 3, 604 F.3d 110, 120 (2d Cir. 2010) (internal quotations and citations omitted). Here, the terms of the alleged contracts are peculiarly within the possession and control of Defendants, and therefore allegations on information and belief are not inappropriate. The cases that Mediant points to in support of its argument that the Court should disregard these allegations because they are made on information and belief are clearly distinguishable. For

example, Mediant cites to Everlast World’s Boxing Headquarters Corp. v. Trident Brands Inc., No. 19-CV- 503 (JMF), 2020 WL 917058 (S.D.N.Y. Feb. 26, 2020). Mediant describes that case as “finding ‘information and belief’ allegations insufficient [w]here, as here, the complaint could not allege the terms of the agreement, ‘let alone allege that its terms manifested an intent’ to benefit a third party.” Mediant Mem. at 6–7 (quoting Everlast, 2020 WL 917058, at *4). But Mediant’s description of the holding of Everlast is misleading. In Everlast, Judge Furman wrote: “Here, the best Everlast can do is to allege, ‘[u]pon information and belief,’ that Trident and SNPI-NV ‘had an agreement.’ But that does not suffice.” 2020 WL 917058, at *4 (citation omitted). Everlast was not like this case. In Everlast there were no allegations regarding the content of the contract’s specific provisions or the intent behind them, only that there was a contract. Everlast did not fail to credit such allegations simply because they were made “on information and belief” as Mediant represents. There were no such allegations at all. This is true of the other cases that Mediant cites in support of this argument. The allegations regarding the content of the contracts here are sufficiently specific to establish

Plaintiffs’ standing—that they are made “on information and belief” does not permit the Court to discredit them. II. CONCLUSION “While the pleading of a cause of action must possess enough heft to show that the pleader is entitled to relief, to plead standing, the pleader need only show that allowing her to raise her claim in federal court would not move so beyond the court’s ken as to usurp the power of the political branches.” Harry, 889 F.3d at 110 (internal quotation marks and citation omitted). Plaintiffs have met that modest burden here. As a result, Donnelley’s motion to dismiss is DENIED. Mediant’s motion to dismiss Count III is also DENIED. The Clerk of Court is directed to terminate the motions pending at Dkt. Nos. 64 and 67. SO ORDERED. Dated: March 5, 2021 ) { | 2 { New York, New York GRE . WOODS United States District Judge