Veridian Credit Union v. Eddie Bauer, LLC

295 F. Supp. 3d 1140

• Court: District Court, W.D. Washington
• Decided: November 9, 2017
• Docket: CASE NO. C17–0356JLR
• Status: Published

Opinion

JAMES L. ROBART, United States District Judge

INTRODUCTION

Before the court is Defendant Eddie Bauer, LLC's ("Eddie Bauer") motion to dismiss (2d MTD (Dkt. # 40) ) Plaintiff Veridian Credit Union's ("Veridian") first amended putative class action complaint (FAC (Dkt. # 36) ).¹ The court has considered Eddie Bauer's motion, Veridian's response (Resp. (Dkt. # 53) ), Eddie Bauer's reply (Reply (Dkt. # 57) ), the relevant portions of the record, and the applicable law. Being fully advised,² the court GRANTS in part and DENIES in part Eddie Bauer's motion.

BACKGROUND

Veridian alleges the following pertinent facts in its first amended complaint:³

*1148Eddie Bauer is headquartered in Washington but operates approximately 370 stores throughout the United States. (FAC ¶ 12.) Eddie Bauer accepts credit and debit cards for payment from customers at it point-of-sale ("POS") registers. (Id. ¶ 17.) In January 2016, hackers accessed Eddie Bauer's POS systems and installed malicious software (or "malware") that infected every Eddie Bauer store in the United States and Canada ("the Data Breach"). (Id. ¶ 29.) Through this malware, hackers stole credit and debit card data from Eddie Bauer's systems and sold it to other individuals who made fraudulent transactions on those payment cards. (Id. ¶¶ 7, 25, 29, 32, 35-36, 96-97.)

Veridian is an Iowa-chartered credit union with its principal place of business in Iowa. (FAC ¶ 11.) Veridian issued payment cards compromised in the Data Breach and alleges that it suffered significant property damage to the unique data included on the payment cards (including the ruination of the payment card itself) and financial losses in connection with covering its customers' losses due to the Data Breach and in reissuing credit and debit cards to its customers. (Id. ¶¶ 8, 22, 96-98, 135.) Veridian alleges that the Data Breach and Veridian's injury were the foreseeable results of Eddie Bauer's inadequate data security measures, which Eddie Bauer knew were insufficient to protect against recognized threats, and Eddie Bauer's refusal to implement industry-standard security measures due to the cost of such measures. (Id. ¶¶ 39-92.)

Veridian filed a putative class action complaint against Eddie Bauer on March 7, 2017. (Compl. (Dkt. # 1).) Eddie Bauer filed a motion to dismiss on April 21, 2017. (MTD (Dkt. # 28).) On June 5, 2017, instead of responding to Eddie Bauer's motion directly, Veridian filed a first amended putative class action complaint. (See FAC.) On June 15, 2017, Eddie Bauer filed a motion to dismiss Veridian's first amended complaint. (See 2d MTD.)

In its first amended complaint, Veridian alleges claims against Eddie Bauer for (1) negligence (FAC ¶¶ 119-28), (2) negligence per se (id. ¶¶ 129-35), (3) declaratory and injunctive relief (id. ¶¶ 136-43), (4) violation of RCW 19.255.020 (FAC ¶¶ 144-51), and (5) violation of Washington's Consumer Protection Act ("CPA"), RCW ch. 19.86 (FAC ¶¶ 152-65). Veridian alleges that Washington law applies to its claims. (Id. ¶¶ 112-18.) Eddie Bauer, however, asserts that Iowa law applies. (2d MTD at 3-9.)

Veridian also brings its first amended complaint as a putative class action. (Id. ¶¶ 99-111.) Specifically, Veridian brings its action "individually and on behalf of all other financial institutions similarly situated" under Federal Rule of Civil Procedure 23. (Id. ¶ 99.) Veridian defines its putative class as:

All Financial Institutions-including, but not limited to, banks and credit unions-in the United States (including its Territories and the District of Columbia) that issue payment cards, including credit *1149and debit cards, or perform, facilitate, or support card issuing services, whose customers made purchases from Eddie Bauer stores from January 1, 2016 to the present (the "Class").

(Id. )

The court now considers Eddie Bauer's motion to dismiss.

ANALYSIS

A. Legal Standard

Federal Rule of Civil Procedure 12(b)(6) provides for dismissal of a complaint for "failure to state a claim upon which relief can be granted." Fed. R. Civ. P. 12(b)(6). Although "detailed factual allegations" are not required, a complaint must include "more than an unadorned, the-defendant-unlawfully-harmed-me accusation." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). In other words, a complaint must have sufficient factual allegations to "state a claim to relief that is plausible on its face." Id. (quoting Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Under Rule 12(b)(6), dismissal can be based on "the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." Balistreri v. Pacifica Police Dep't , 901 F.2d 696, 699 (9th Cir. 1990).

When considering a motion to dismiss under Rule 12(b)(6), the court construes the complaint in the light most favorable to the nonmoving party. Livid Holdings Ltd. v. Salomon Smith Barney, Inc. , 416 F.3d 940, 946 (9th Cir. 2005). The court must therefore accept all well-pleaded facts as true and draw all reasonable inferences in the plaintiff's favor. Wyler Summit P'ship v. Turner Broad. Sys., Inc. , 135 F.3d 658, 661 (9th Cir. 1998).

B. Choice of Law

The court first addresses which jurisdiction's law applies to Veridian's claims. Veridian asserts that Washington law governs its claims (FAC ¶¶ 112-18; Resp. at 6-8), while Eddie Bauer argues for the application of Iowa law (2d MTD at 5-9).

A "federal court sitting in diversity ordinarily must follow the choice-of-law rules of the State in which it sits." Atl. Marine Constr. Co. v. U.S. Dist. Court for W. Dist. of Tex. , 571 U.S. 49, 134 S.Ct. 568, 582, 187 L.Ed.2d 487 (2013) (citing Klaxon Co. v. Stentor Elec. Mfg. Co. , 313 U.S. 487, 494-96, 61 S.Ct. 1020, 85 L.Ed. 1477 (1941) ). "This applies to actions brought under the Class Action Fairness Act [ ("CAFA"), 28 U.S.C. § 1332(d)(2),] as well, since CAFA is based upon diversity jurisdiction." In re Facebook Biometric Info. Privacy Litig. , 185 F.Supp.3d 1155, 1167-68 (N.D. Cal. 2016) (quoting In re NVIDIA GPU Litig. , No. C 08-04312, 2009 WL 4020104, at *5 (N.D. Cal. Nov. 19, 2009) ). Here, Veridian asserts that the court has original jurisdiction based on CAFA. (FAC ¶ 13.) Accordingly, the court follows the choice-of-law rules of Washington.

Washington employs a two-step approach to choice of law questions. Under Washington's choice-of-law rules, the court first determines whether an actual conflict exists between Washington and other applicable state law. See Burnside v. Simpson Paper Co. , 123 Wash.2d 93, 864 P.2d 937, 941 (1994). In the absence of a conflict, Washington law applies. See id. ; DP Aviation v. Smiths Indus. Aerospace & Def. Sys. Ltd. , 268 F.3d 829, 845 (9th Cir. 2001) (applying Washington law where *1150no conflict was shown). If an actual conflict exists, the court then determines the forum that has the "most significant relationship" to the action to determine the applicable law. See Johnson v. Spider Staging Corp. , 87 Wash.2d 577, 555 P.2d 997, 1000-01 (1976).

1. An Actual Conflict

"An 'actual conflict' exists 'between the laws or interests of Washington and the laws or interests of another state' when the ... states' laws could produce different outcomes on the same legal issue." Kelley v. Microsoft Corp. , 251 F.R.D. 544, 550 (W.D. Wash. 2008) (quoting Erwin v. Cotter Health Ctrs. , 161 Wash.2d 676, 167 P.3d 1112, 1120 (2007) ). Veridian asserts in a summary fashion that only a false conflict exists between the laws or interests of Washington and those of Iowa. (See Resp. at 7.) However, as discussed below, the court is persuaded by Eddie Bauer's detailed analysis that an actual conflict exists. (See 2d MTD at 4-5.) The court discusses each of Veridian's claims in turn.

a. Negligence

The court first considers Veridian's negligence claim. (FAC ¶¶ 119-28.) In Iowa, "[a]s a general proposition, the economic loss rule bars recovery in negligence when the plaintiff has suffered only economic loss." Annett Holdings, Inc. v. Kum & Go, L.C. , 801 N.W.2d 499, 503 (Iowa 2011) (citing Neb. Innkeepers, Inc. v. Pittsburgh-Des Moines Corp. , 345 N.W.2d 124, 126 (Iowa 1984) ). Indeed, in Iowa, "[t]he well-established general rule is that a plaintiff who has suffered only economic loss due to another's negligence has not been injured in a manner which is legally cognizable or compensable." Id. Further, in Iowa, the economic loss rule "is by no means limited to the situation where the plaintiff and the defendant are in direct contractual privity." Id. at 504.

The Washington Supreme Court, however, no longer applies the economic loss rule but rather the "independent duty doctrine." See Affiliated FM Ins. Co. v. LTK Consulting Servs., Inc. , 170 Wash.2d 442, 243 P.3d 521, 526 (2010). In Washington, "[t]he independent duty doctrine ... maintain[s] the boundary between torts and contract in the place of the economic loss rule." Donatelli v. D.R. Strong Consulting Eng'rs, Inc. , 179 Wash.2d 84, 312 P.3d 620, 623 (2013) (internal quotation marks omitted) (citing Elcon Constr., Inc. v. E. Wash. Univ. , 174 Wash.2d 157, 273 P.3d 965, 969 (2012) ). For example, under Washington's independent duty doctrine, a plaintiff can bring a tort claim for conduct arising out of a contractual relationship if the defendant owed him or her a duty of care independent of the contract. Eastwood v. Horse Harbor Found., Inc. , 170 Wash.2d 380, 241 P.3d 1256, 1262 (2010).

In addition, unlike Iowa, the independent duty doctrine is not a rule of general application in Washington. Elcon Constr. , 273 P.3d at 969. The Washington Supreme Court has taken "great pains to limit" the doctrine and to "clarify that it does not bar tort remedies except in fairly unusual circumstances." Reading Hosp. v. Anglepoint Grp., Inc. , No. C15-0251-JCC, 2015 WL 13145347 at *3 (W.D. Wash. May 26, 2015). Indeed, the Washington Supreme Court has applied the doctrine only "to a narrow class of cases, primarily limiting its application to claims arising out of construction on real property and real property sales," Elcon Constr. , 273 P.3d at 969, and specifically directs that the doctrine should not apply " 'unless and until [the Washington Supreme Court] has ... decided otherwise,' " id. at 969-70 (quoting Eastwood , 241 P.3d at 1276 ). Due to the *1151marked distinctions between the economic loss rule in Iowa and the independent duty doctrine in Washington, as well as the scope of the application of these rules in each state, the court concludes that there is an actual conflict between the law or interests of Iowa and Washington with respect to Veridian's negligence claim.⁴

b. Negligence Per Se

Veridian asserts a separate claim for negligence per se . (FAC ¶¶ 129-35.) Under Iowa law, the violation of a statute may give rise to a claim for negligence per se . See Winger v. CM Holdings, LLC , 881 N.W.2d 433, 448 (Iowa 2016) (quoting Wiersgalla v. Garrett , 486 N.W.2d 290, 292 (Iowa 1992) ) ("[I]f a statute or regulation ... provides a rule of conduct specifically designed for the safety and protection of a certain class of persons, and a person within that class receives injuries as a proximate result of a violation of the statute or regulation, the injuries would be actionable, as ... negligence per se .") (internal quotation marks and citations omitted). In Washington, however, the violation of a statute or the breach of a statutory duty is not considered negligence per se , but may be considered by the trier of fact only as evidence of negligence. RCW 5.40.050. Thus, assuming Veridian can establish that Eddie Bauer violated a statute that fell within Iowa's negligence per se rule, it might be able to pursue such a claim under Iowa law, but not under Washington law. Thus, an actual conflict exists between the law of Iowa and Washington on this claim.

c. Declaratory and Injunctive Relief

Veridian also asserts a claim for declaratory and injunctive relief. (FAC ¶¶ 136-43.) Iowa law recognizes that an "injunction may be obtained as an independent remedy by an action in equity, or as an auxiliary remedy in any action." Iowa R. Civ. P. 1.1501. Indeed, "[u]nder Iowa law, a request for permanent injunctive relief alone can serve as the underlying claim for a request for a temporary injunction in an equitable action." Johnson v. Moody , No. 416CV00449RGESBJ, 2016 WL 8839427, at *4 (S.D. Iowa Nov. 14, 2016) ; see also Lewis Invs., Inc. v. City of Iowa City , 703 N.W.2d 180, 184 (Iowa 2005) (stating that "the plaintiff's underlying claim is an equitable action for permanent injunctive relief"). In contrast to Iowa's law, Washington does not recognize a standalone claim for injunctive relief, but rather views an injunction as a form of relief available for some causes of action. See, e.g. , Hockley v. Hargitt , 82 Wash.2d 337, 510 P.2d 1123, 1132 (1973) (distinguishing between a cause of action based on the CPA and the forms of relief that are potentially available, including damages and an injunction); see also Robinson v. Wells Fargo Bank Nat'l Ass'n , No. C17-0061JLR, 2017 WL 2311662, at *5 (W.D. Wash. May 25, 2017) ("Injunctive relief is available only if [the plaintiff] is entitled to such a remedy on an independent cause of action."). Indeed, Veridian acknowledges that Iowa recognizes a "standalone" claim for injunctive relief while Washington does not. (Resp. at 6 n.7.) Thus, there is an actual conflict between the laws of Iowa *1152and Washington with respect to this claim.⁵

d. Statutory Claims

Finally, Eddie Bauer asserts that there is an actual conflict between the law of Iowa and Washington with respect to Veridian's statutory claims. Veridian alleges a claim based on RCW 19.255.020, which is a Washington statute that addresses unauthorized cyber-intrusions on the account information of credit card and debit card holders. (FAC ¶¶ 144-51.) There is no Iowa counterpart to this Washington statute. Veridian also alleges a statutory claim based on Washington's CPA. (FAC ¶¶ 152-65.) Unlike Washington's CPA, however, Iowa's Consumer Fraud Act ("CFA") requires the state attorney general to approve the filing of a class action lawsuit under the statute. Iowa Code § 714H.7. Thus, the court concludes that an actual conflict exists as to the law of the two states regarding Veridian's substantive statutory claims.⁶

2. The State with the Most Significant Relationship

If an actual conflict exists, Washington requires application of the law of the forum that has the "most significant relationship" to the action. See Johnson , 555 P.2d at 1000. Application of the "most significant relationship" test is a two-step process. See id. First, the court determines which state has the most significant relationship to the cause of action. Id. Second, if the relevant contacts to the cause are balanced, the court then considers "the interests and public policies of potentially concerned states and ... the manner and extent of such policies as they relate to the transaction at issue." Id. at 1001 (quoting Potlatch No. 1 Fed. Credit Union v. Kennedy , 76 Wash.2d 806, 459 P.2d 32, 35 (1969) ).

In determining the state with the most significant relationship to the occurrence and the parties, the court considers "(a) the place where the injury occurred, (b) the place where the conduct causing the injury occurred, (c) the domicil, residence, nationality, place of incorporation and place of business of the parties, and (d) the place where the relationship, if any, between the parties is centered." Brewer v. Dodson Aviation , 447 F.Supp.2d 1166, 1175-76 (W.D. Wash. 2006) (discussing Washington law and citing the Restatement (Second) of Conflict of Laws § 145(2) (1971) ). The court's approach is not merely to count contacts, but rather to consider which contacts are the most significant and *1153where those contacts are found. Johnson , 555 P.2d at 1000.

a. The Place of the Injury

Eddie Bauer asserts that the injury at issue occurred in Iowa because that is where Veridian and the majority of its customers are located.⁷ (2d MTD at 6-7.) Veridian, however, alleges that it "has thousands of checking, savings, and deposit customers located in Iowa and throughout the United States, including hundreds of checking, savings, and deposit customers located in Washington State." (FAC ¶ 11.) Further, Eddie Bauer's argument ignores Veridian's class allegations. (See Resp. at 8 n.10.) Veridian alleges that the Data Breach harmed Eddie Bauer's customers throughout the United States and Canada. (FAC ¶ 1, 7, 60.) Veridian further alleges that Eddie Bauer's conduct injured not just Eddie Bauer's customers, but various financial institutions, which are similarly situated to Veridian, and also located throughout the United States. (See FAC ¶¶ 8-9, 99.)

"In the case of personal injuries or of injuries to tangible things, the place where the injury occurred is a contact that, as to most issues, plays an important role in the selection of the state of the applicable law." Restatement (Second) of Conflict of Laws § 145, cmt. e (1971). "Situations do arise, however, where the place of injury will not play an important role in the selection of the state of the applicable law. This will be so, for example, when the place of injury can be said to be fortuitous ... or when ... injury has occurred in two or more states." Id. ; see Kelley , 251 F.R.D. at 552 ("Here, the Defendant's allegedly unfair or deceptive acts caused injury throughout the country. The location of the harm suffered is fortuitous.").

Veridian alleges that Eddie Bauer's conduct with respect to the Data Breach caused injury in a variety of states throughout country (FAC ¶¶ 1, 7-9, 60, 99); thus, the location of the alleged harm was fortuitous, and the place of injury does not play an important role in the court's choice of law analysis here.

b. The Place Where the Conduct Causing the Injury Occurred

Eddie Bauer argues that the location where the alleged conduct causing the injury occurred is unknown because "[t]he location where the [cyber] attack was launched is unknown" and Veridian fails to allege that the computer servers that were attacked are located in Washington. (2d MTD at 7.) Again, Eddie Bauer misconstrues the crux of Veridian's allegations. Veridian is not suing the cyber attacker. Veridian is suing Eddie Bauer for negligence and other misconduct related to its management's decisions concerning Eddie Bauer's internal data security and the Data Breach. (See FAC ¶¶ 113-15.) Veridian alleges that Eddie Bauer "orchestrated and implemented" the decisions that lead to the Data Breach "at its corporate headquarters in Bellevue, Washington," and its failure to employ adequate data security measures "emanated from [its] headquarters." (Id. ¶¶ 113-14.) Based on these allegations, the court concludes that the place where the conduct alleged to have caused the injury occurred was in Washington.

When the injury occurs in two or more states or the location of the injury is fortuitous, the weight the court gives to the place where the alleged conduct causing *1154the injury occurred increases. Restatement (Second) of Conflict of Laws § 145, cmt. e (1971) ("When the injury occurred in two or more states, or when the place of injury cannot be ascertained or is fortuitous and, with respect to the particular issue, bears little relation to the occurrence and the parties, the place where the defendant's conduct occurred will usually be given particular weight in determining the state of the applicable law."); Kelley , 251 F.R.D. at 552 ("[B]ecause the place of injury is fortuitous the Court gives greater weight to Washington, the location of the source of the injury."). Thus, the court places particular weight on this factor in its choice of law analysis.

c. The Domicil, Residence, Nationality, Place of Incorporation and Place of Business of the Parties & the Place Where the Parties' Relationship is Centered

The third factor the court considers is "the domicil, residence, nationality, place of incorporation and place of business of the parties" Brewer , 447 F.Supp.2d at 1175-76. The fourth factor is "the place where the relationship, if any, between the parties is centered." Id. The court considers these factors together.

Eddie Bauer is a citizen of Washington, which is also where it maintains its principal place of business. (FAC ¶ 13.) Veridian is an Iowa-chartered credit union with its principal place of business in Iowa (id. ¶ 11), although if a nationwide class is certified there will be plaintiffs domiciled in many states (see id. ¶ 99). "[T]he importance of these contacts depends largely upon the extent to which they are grouped with other contacts." Restatement (Second) of Conflict of Laws § 145, cmt. e (1971). The fact that one of the parties is domiciled in a particular state is of little significance, but gains significance if the domicile or principal place of business for all parties is located in the same state. Id. Because there is no grouping of contacts in this instance, the court finds this factor of minimal significance to its choice of law analysis.

Further, the parties' relationship is not centered in any one place. The parties did not contract with one another.⁸ (Resp. at 20 ("[Veridian] never contracted (directly or indirectly) for any products or services from Eddie Bauer...."); 2d MTD at 10 n.9 ("[T]here is no direct contractual privity alleged between the parties.").) Their headquarters are in different states, and they both have customers throughout the country. (See FAC ¶¶ 11-12.) Thus, the court finds that this factor bears little, if any, weight in the court's choice-of-law analysis.

The parties agree that neither of these factors should play a significant role in the court's choice of law analysis. (See 2d MTD at 8-9; Resp. at 8 ("As to the third and fourth factors, the putative class is domiciled in all states, while Eddie Bauer is domiciled in Washington, and thus 'the parties' relationship is not centered in any particular place because the parties did not contract with one another.' ") (quoting Kelley , 251 F.R.D. at 552 ).) Thus, these factors have little bearing on the court's choice of law analysis.

d. Evaluating the Contacts

The court is mindful that it is not to merely count contacts but to consider which contacts are the most significant and where those contacts are found. Johnson , 555 P.2d at 1000. Relying on this guidance, *1155and summarizing its analysis of the relevant contacts above, the court concludes that the place where the alleged conduct occurred which caused the injury is the most significant contact for purposes of the court's choice of law analysis, and that place is Washington. The court gives greater weight to the location of the alleged wrongful conduct because the location of the alleged injury is in multiple states and is fortuitous. See supra §§ III.B.2.a, .b. As discussed above, the other contacts are of little significance to the court's analysis here. See supra § III.B.2.a, .c. Thus, the state with the most significant relationship to this action is Washington, and its law applies.

e. The Interests and Public Policies of the Most Concerned States

Assuming, arguendo , that the foregoing contacts were evenly balanced, the court would still apply Washington law. "If the contacts are evenly balanced, the second step of the analysis involves an evaluation of the interests and public policies of the concerned states to determine which state has the greater interest in determination of the particular issue." Schmahl v. Macy's Dep't. Stores, Inc., No. CV-09-68-EFS, 2010 WL 3061526, at *6 (E.D. Wash. July 30, 2010) ; Zenaida-Garcia v. Recovery Sys. Tech., Inc. , 128 Wash.App. 256, 115 P.3d 1017, 1020 (2005). This step turns on the purpose of the law and the issues involved. Kelley , 251 F.R.D. at 553. When "the primary purpose of the tort rule involved is to deter or punish misconduct [and not merely to compensate the victim for her injuries] ... the state where the conduct took place may ... [have the] most significant relationship." Id. (quoting Restatement (Second) of Conflict of Laws § 145, cmt. c (1971) ).

Washington has the paramount interest in applying its law to this action. In addition to its negligence claims, Veridian also asserts claims based on RCW 19.255.020, which is designed to fight unauthorized cyber-intrusions into credit card and debit card holders' data, and the CPA. (FAC ¶¶ 144-65.) The CPA targets all unfair trade practices either originating from Washington businesses or harming Washington citizens. Kelley , 251 F.R.D. at 553. Application of the CPA to Veridian's claims effectuates the broad deterrent purpose of CPA, especially as applied to one of Washington's leading corporate citizens. See id. (citing Restatement (Second) of Conflict of Laws § 145, cmt. c (1971); RCW 19.86.920 ). The same is true of RCW 19.255.020, which applies to credit card processors and businesses, rendering them potentially liable to financial institutions if they fail to "take reasonable care to guard against unauthorized access to account information." Id. Thus, the court concludes that Washington law applies to this action and now considers Eddie Bauer's motion to dismiss each of Veridian's claims.⁹

C. Negligence Per Se

As noted above, Washington does not recognize negligence per se as a separate cause of action. See supra § III.B.1.b. Although the violation of a statute or the breach of a statutory duty "may be considered by the trier of fact as evidence of negligence," RCW 5.40.050, Veridian may not assert a separate cause of action for negligence per se in Washington. Accordingly, the court dismisses this cause of action (see FAC ¶¶ 129-35) with prejudice and without leave to amend.

*1156D. Declaratory and Injunctive Relief

As also noted above, Veridian asserts a claim for injunctive and declaratory relief based on the federal Declaratory Judgment Act, 28 U.S.C. §§ 2201 - 02. (See Resp. at 6 n.7); see supra n.4. As the court explained, the Declaratory Judgment Act "only creates a remedy." See Confederated Tribes , 873 F.2d at 1225. Further, "[a] permanent injunction is a form of relief that the court may grant when a plaintiff succeeds on a substantive cause of action that lends itself to this remedy." Dinkins v. Schinzel , No. 217CV01089JADGWF, 2017 WL 4891524, at *2 (D. Nev. Oct. 30, 2017). Although Veridian may continue to request declaratory and injunctive relief in an amended complaint, these items are requests for relief and not separate legal causes of action. See Barton v. Capital One Bank (USA), N.A. , No. 12-cv-05412-JST, 2013 WL 12173918, at *8 (N.D. Cal. Apr. 4, 2013) ; Santos v. Countrywide Home Loans , No. 2:09-02642 WBS DAD, 2009 WL 3756337, at *5 (E.D. Cal. Nov. 6, 2009) ("Declaratory and injunctive relief are not independent claims, rather they are forms of relief."). Thus, the court dismisses Veridian's cause of action for declaratory and injunctive relief, but with leave to amend as described above.¹⁰ (See FAC ¶¶ 136-43.)

E. Negligence

Under Washington law, to state a claim for negligence, Veridian must adequately allege "(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury." Degel v. Majestic Mobile Manor , 129 Wash.2d 43, 914 P.2d 728, 731 (1996). The existence of a duty "is a question of law and depends on mixed considerations of logic, common sense, justice, policy, and precedent." Snyder v. Med. Serv. Corp. , 145 Wash.2d 233, 35 P.3d 1158, 1164 (2001). "Duty in a negligence action is a threshold question" and "may be predicated 'on violation of statute or of common law principles of negligence.' " Jackson v. City of Seattle , 158 Wash.App. 647, 244 P.3d 425, 428 (2010) (quoting Burg v. Shannon & Wilson, Inc. , 110 Wash.App. 798, 43 P.3d 526, 530 (2002) ); Alhadeff v. Meridian on Bainbridge Island, LLC , 167 Wash.2d 601, 220 P.3d 1214, 1222 (2009) (same).

Eddie Bauer argues that Veridian's negligence claim must be dismissed because Eddie Bauer owes no duty to Veridian. (2d MTD at 20-25.) Veridian argues that Eddie Bauer owes it a duty predicated on common law principles of negligence and on the violation of two statutes. (Resp. at 2-3, 9-17.) The court analyzes each basis for a duty in turn.

1. Duty Based on Common Principles of Negligence

Eddie Bauer first asserts that under common law principles of negligence in Washington it owes no duty to Veridian as a matter of law. (2d MTD at 20-24.) Eddie Bauer argues that Veridian, as "a sophisticated financial institution," is not within the class of individuals to whom Eddie Bauer owes a duty. (2d MTD at 20-21.) Indeed, Eddie Bauer argues that, by suing *1157for damages allegedly incurred in the Data Breach, Veridian improperly seeks to impose tort liability on Eddie Bauer for the "criminal attack of a third-party." (Id. at 21.)

Eddie Bauer is correct that under Washington law "an actor ordinarily owes no duty to protect an injured party from harm caused by the criminal acts of third parties." Parrilla v. King Cty. , 138 Wash.App. 427, 157 P.3d 879, 884 (2007). Indeed, the Washington Supreme Court has "not yet found a duty to protect a third party from the criminal acts of another absent a special relationship." Robb v. City of Seattle , 176 Wash.2d 427, 295 P.3d 212, 216 (2013). Nevertheless, the Washington Court of Appeals has found that the affirmative act of an alleged tortfeaser combined with the foreseeability and magnitude of the risk created by the alleged tortfeaser may justify imposing such a duty under the Restatement (Second) of Torts § 302B, comment e. Id. (citing Parrilla , 157 P.3d at 884-85 ). The crux of the issue lies in the distinction between an action or "misfeasance," on the one hand, and an omission or "nonfeasance," on the other. Id. As the Washington Supreme Court has explained:

[A]n actor might still have a duty to take action for the aid or protection of the plaintiff in cases involving misfeasance (or affirmative acts), where the actor's prior conduct, whether tortious or innocent, may have created a situation of peril to the other. Liability for nonfeasance (or omissions), on the other hand, is largely confined to situations where a special relationship exists.

Id. at 217. Thus, to impose liability on Eddie Bauer for the criminal actions of a hacker in creating the Data Breach, Veridian must either allege that a "special relationship" exists between Veridian and Eddie Bauer, or that Eddie Bauer's action surrounding the Data Breach constituted malfeasance, rather than merely nonfeasance.

Veridian asserts that a "special relationship" exists between itself and Eddie Bauer because Eddie Bauer "voluntarily assumed the duty to protect [Veridian's] property, i.e. [,] its payment card data, and [Veridian] relied on [Eddie Bauer] to keep its property safe." (Resp. at 14 (citing Merriman v. Am. Guarantee & Liab. Ins. Co. , 198 Wash.App. 594, 396 P.3d 351, 363-64 (2017) ).) Veridian provides scant analysis of Merriman and the court does not view Merriman as analogous. In Merriman , the Washington Court of Appeals found that an insurance adjuster owed a duty to certain insureds based on specific duties that the adjuster had voluntarily assumed. 396 P.3d at 367. The Court of Appeals, however, based its decision in part on "whether providing a legal duty of care would advance or frustrate relevant insurance law." Id. at 366. "Both courts and the legislature have recognized that insurance contracts are imbued with public policy concerns." Nat'l Sur. Corp. v. Immunex Corp. , 176 Wash.2d 872, 297 P.3d 688, 690 (2013). Those same public policy concerns are not at issue here. Veridian cites no other Washington case in support of its assertion that the court should find a "special relationship" between two sophisticated business entities engaged in the type of non-contractual relationship alleged here. (See Resp. at 14.) Given the paucity of Washington legal authority, the court concludes that Veridian's allegations of trust and reliance between two sophisticated business entities are insufficient to establish a special relationship. Concluding otherwise would stretch Washington law beyond its current confines.

Assuming that there is no "special relationship" between Veridian and Eddie Bauer, Eddie Bauer may still have a duty to Veridian if Eddie Bauer engaged in an affirmative act or "misfeasance" such that *1158it "created a situation of peril" for Veridian. See Robb , 295 P.3d at 216. Veridian's alleges myriad failures on Eddie Bauer's part. For example, Veridian alleges that Eddie Bauer failed to "maintain adequate data security measures, implement best practices, upgrade security systems, and comply with industry standards," "implement chip-based card technology, otherwise known as EMV technology,"¹¹ "take reasonable steps to protect its computer systems from being breached," "timely upgrade its POS software to remedy security vulnerabilities," "take reasonable steps to upgrade and protect Payment Card Data," "ensure that its IT systems were adequately secured," "make necessary changes to its security practices and protocols," "take necessary measures to maintain an adequate firewall," "comply with industry standards for data security," and promptly notify its customers or other affected entities concerning the Data Breach. (See FAC ¶¶ 2-3, 5-6, 8, 39, 48, 51, 54, 73, 82.) Indeed, Veridian expressly alleges that "[t]he key wrongdoing at issue in this litigation" is "Eddie Bauer's failure to employ adequate data security measures." (Id. ¶ 114.) These allegations comprise numerous omissions or nonfeasance on the part of Eddie Bauer, but they do not describe misfeasance or any affirmative act "that created a situation of peril" for Veridian. See Robb , 295 P.3d at 216. Because Eddie Bauer can only be held liable for its alleged omissions or nonfeasance in the context of a "special relationship," see id. , the court concludes that Eddie Bauer does not owe a duty to Veridian based on common law principles of negligence in Washington.

2. Duty Predicated upon Violation of a Statute

The court's analysis of whether Veridian has adequately alleged that Eddie Bauer owes it a duty, however, is not yet complete. Veridian also alleges that Eddie Bauer owes it a duty predicated upon two statutes: (1) Section 5 of the Federal Trade Commission Act of 1914 ("FTC Act"), 15 U.S.C. § 45 ; and (2) RCW 19.255.020, a Washington statute designed to address damage to financial institutions from the unauthorized cyber-intrusions of the account information of credit card and debit card holders. The court addresses the existence of a duty predicated upon each of these statutes in turn.

As previously noted, in Washington, the violation of a statute or the breach of a statutory duty is not considered negligence per se , but may be considered by the trier of fact as evidence of negligence. RCW 5.40.050 ; see supra §§ III.B.1.b. In deciding "whether violation of a public law or regulation shall be considered in determining liability," Washington courts turn to the Restatement (Second) of Torts § 286. Barrett v. Lucky Seven Saloon, Inc. , 152 Wash.2d 259, 96 P.3d 386, 390 (2004). Under this provision of the Restatement, "[t]he court may adopt as the standard of conduct of a reasonable [person] the requirements of a legislative enactment ... whose purpose is found to be exclusively or in part (a) to protect a class of persons that includes the person whose interest is invaded, and (b) to protect the particular interest which is invaded, and (c) to protect that interest against the kind of harm which has resulted, and (d) to protect that interest against the particular hazard from which the harm results." Restatement (Second) of Torts § 286 (1965).

3. The FTC Act

In evaluating Section 5 of the FTC Act, the court finds that Veridian *1159may not base Eddie Bauer's alleged standard of conduct on the Act because the Act fails the first and second prongs of the Restatement's test. Those prongs require that the purpose of the statute must be to protect (1) a class of persons that includes the person whose interest is invaded and (2) the particular interest which the plaintiff alleges has been invaded. See Restatement (Second) of Torts § 286(a), (b). The Supreme Court states that "[t]he paramount aim of [the FTC Act] is the protection of the public from the evils likely to result from the destruction of competition or the restriction of it in a substantial degree." FTC v. Raladam Co. , 283 U.S. 643, 647-48, 51 S.Ct. 587, 75 L.Ed. 1324 (1931). "Section 5 in particular seeks to protect 'consumer[s]' and 'competitor[s]' from 'unfair trade practice[s].' " SELCO Cmty. Credit Union v. Noodles & Co. , 267 F.Supp.3d 1288, 1296 (D. Colo. 2017) (quoting FTC v. Sperry & Hutchinson Co. , 405 U.S. 233, 244, 92 S.Ct. 898, 31 L.Ed.2d 170 (1972) ). Veridian alleges no harm from "the destruction of competition," and it alleges neither that it is a customer nor a competitor of Eddie Bauer. (See generally FAC.) The court concludes that Section 5 of the FTC Act is not designed to protect either the class of persons that includes Veridian or the interest that Veridian alleges Eddie Bauer invaded. Thus, Section 5 of the FTC Act fails the test under Section 286 of the Restatement, and Veridian cannot allege that Eddie Bauer owes it a duty predicated on this statute.

4. RCW 19.255.020

Unlike Section 5 of the FTC Act, however, the court finds that, in the context of this lawsuit, RCW 19.255.020 meets the test of Section 286 of the Restatement. RCW 19.255.020 states in pertinent part:

If a processor or business fails to take reasonable care to guard against unauthorized access to account information that is in the possession or under the control of the business or processor, and the failure is found to be the proximate cause of a breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders that reside in the state of Washington as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach.

RCW 19.255.020(3)(a).¹² The "class of persons" that this statute is designed to protect is comprised of "financial institution[s]" that have incurred "actual costs" related to the unauthorized access of their credit card and debit card holders' account information. See id. Veridian and its putative class of similarly situated financial institutions fall within this "class of persons." In addition, the particular interest which the statute seeks to protect-the security of the financial institutions' credit card and debit *1160card holders' account information-is the same interest that would be protected by imposing a duty on Eddie Bauer with respect to Veridian's negligence claim. Finally, the harm or hazard that a violation of RCW 19.255.020 causes-actual costs due to the unauthorized access of account holders' information-is the same as the harm alleged by Veridian in its negligence claim. Accordingly, the court finds that RCW 19.255.020 meets the test set forth in Section 286 of the Restatement.

Based on its application of Section 286 of the Restatement, the court concludes that the "reasonable care" standard found in RCW 19.255.020 defines the minimum standard of conduct under Washington law for processors or businesses whose alleged failure to protect from unauthorized access credit and debit card account information that is in their possession causes damage to financial institutions. See Barrett , 96 P.3d at 393 (concluding based on the application of the four-part test of Section 286 of the Restatement that RCW 66.44.200(1), which forbids the selling of alcohol "to any person apparently under the influence of liquor," defines the minimum standard of conduct for commercial hosts whose alleged overservice causes a drunk driving accident injuring a third party); see also Kappelman v. Lutz , 141 Wash.App. 580, 170 P.3d 1189, 1196 (2007), aff'd , 167 Wash.2d 1, 217 P.3d 286 (2009) ("When a statute meets [the test of Section 286 of the Restatement], evidence of a statutory violation is admissible on the issue of negligence.... And the party offering the evidence is entitled to a jury instruction consistent with RCW 5.40.050.") (citing 6 Wash. Prac., Wash. Pattern Jury Instructions: Civil 60.03, at 481 (2005) (WPI) ).¹³ Accordingly, the court denies Eddie Bauer's motion to dismiss Veridian's negligence claim on the grounds that Eddie Bauer does not owe Veridian a duty as a matter of law.

F. Violation of RCW 19.255.020

Veridian alleges a claim directly based on Eddie Bauer's violation of RCW 19.255.020. (FAC ¶¶ 144-51.) Eddie Bauer argues that Veridian's claim must be dismissed because Veridian fails to specifically allege that it reissued cards to Washington residents. (2d MTD at 25.) The statute states in part that, in the event of certain unauthorized cyber-intrusions, a "business"

*1161or "processor" is liable "to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders that reside in the state of Washington." RCW 19.255.020. The court declines to hold that Veridian's allegations are inadequate here. Veridian brings this action as a putative class action on behalf of a nationwide class of financial institutions. (FAC ¶ 99.) Veridian alleges that Eddie Bauer is Washington company with approximately 370 stores across the United States and Canada. (Id. ¶ 12.) Veridian asserts that it has more than 209,000 customers throughout the United States, including Washington. (Id. ¶ 11.) Veridian alleges that its putative class of similarly-situated financial institutions cancelled and reissued payment cards affected by the alleged data breach in Eddie Bauer stores. (Id. ¶ 8.) Viewing these allegations in the light most favorable to Veridian, the court finds that it is reasonable to infer that financial institutions in the putative nationwide class reissued payment cards to Washington residents. Accordingly, the court denies Eddie Bauer's motion to dismiss this claim.

G. Violation of the CPA

Washington's CPA prohibits "[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce." RCW 19.86.020. "To prevail in a private CPA claim, the plaintiff must prove (1) an unfair or deceptive act or practice, (2) occurring in trade or commerce, (3) affecting the public interest, (4) injury to a person's business or property, and (5) causation." Panag v. Farmers Ins. Co. of Wash. , 166 Wash.2d 27, 204 P.3d 885, 889 (2009). Failure to satisfy even one element is fatal to a CPA claim. Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co. , 105 Wash.2d 778, 719 P.2d 531, 539-40 (1986).

Eddie Bauer asserts that the court should dismiss Veridian's CPA claim because Veridian fails to adequately allege the first element of a CPA claim-an unfair or deceptive act or practice. (2d MTD at 27-30). Veridian asserts that its allegations that Eddie Bauer failed to provide reasonable cyber security measures to protect the account information on its customers' credit and debit cards constitutes either an "unfair or deceptive act or practice" under the CPA. (Resp. at 23-25.)

"Because the [CPA] does not define 'unfair' or 'deceptive,' [the Washington Supreme Court] has allowed the definitions to evolve through a gradual process of judicial inclusion and exclusion." Saunders v. Lloyd's of London , 113 Wash.2d 330, 779 P.2d 249, 256 (1989) (internal quotations omitted). Either an unfair or a deceptive act can be the basis for a CPA claim. Klem v. Wash. Mut. Bank , 176 Wash.2d 771, 295 P.3d 1179, 1187 (2013) ("The 'or' between 'unfair' and 'deceptive' is disjunctive."). "An unfair act is established by evidence that it (1) causes or is likely to cause substantial injury, which (2) consumers cannot avoid, and (3) is not 'outweighed by countervailing benefits.' " Merriman , 396 P.3d at 368 (quoting Klem , 295 P.3d at 1187 and 15 U.S.C. § 45(n) ).¹⁴ The Washington Legislature directs that *1162the CPA "shall be liberally construed [so] that its beneficial purposes may be served." RCW 19.86.920 ; see also Thornell v. Seattle Serv. Bureau, Inc. , 184 Wash.2d 793, 363 P.3d 587, 590 (2015) ("The language of the CPA evinces a broad, rather than narrow, lens through which we interpret the statute.")

Based on the Washington courts' definition and the liberal construction the court applies to the CPA, the court finds that Veridian's allegations sufficiently constitute an "unfair act" under the statute. Veridian alleges that Eddie Bauer failed to take proper measures to protect account information of credit and debit card holders with respect to its POS and data security systems. (FAC ¶¶ 5, 39, 40-42, 57-62, 71-76, 81, 82-86, 157.) Indeed, "[t]he key wrongdoing at issue in this litigation" is "Eddie Bauer's [alleged] failure to employ adequate data security measures." (Id. ¶ 114.) In light of known cyber-intrusion risks and breaches, Veridian alleges that it was foreseeable that Eddie Bauer's failure to take reasonable security measures to protect the data of payment card holders would result in harm to thousands of customers and the payment card issuers, and Eddie Bauer's failure did, in fact, result in this harm. (Id. ¶¶ 1, 7-9, 46-56, 83, 93-98.) These allegations constitute "substantial injury" to consumers. See Merriman , 396 P.3d at 368.

Eddie Bauer argues, however, that Veridian nevertheless has failed to adequately allege an "unfair act" because consumers could have avoided the risk of data theft by paying for items at Eddie Bauer stores with cash. (2d MTD at 30.) In light of the ubiquitous use of credit and debit cards in all types of commerce, the court finds this argument disingenuous. See , e.g. , Perfect 10, Inc. v. Visa Int'l Serv. Ass'n , 494 F.3d 788, 817 (9th Cir. 2007) (Kozinski, J. dissenting) ("Credit cards are ubiquitous ...."); Price v. Synapse Grp., Inc. , No. 16-CV-01524-BAS-BLM, 2017 WL 3131700, at *4 (S.D. Cal. July 24, 2017) ("[I]n a modern economy ... credit card transactions are a ubiquitous feature.")

Further, the court agrees with Veridian that customers had no way of knowing that Eddie Bauer's cyber-security measures were allegedly deficient or that Eddie Bauer had allegedly failed to implement appropriate software updates or other reasonable security measures. (See FAC ¶ 159.) Without this knowledge, and given the broad adoption of credit and debit cards as forms of payment in our economy, consumers had scant ability to avoid the harms engendered by Eddie Bauer's alleged security failures.

Eddie Bauer further argues that Veridian has not alleged an act or practice that is "likely to cause substantial harm" because inadequate security practices do not by themselves cause direct harm to consumers, but rather only cause harm when the information is stolen by a third party. (2d MTD at 30.) The court agrees with Veridian that this argument distorts the causation analysis under the CPA. (See Resp. at 25.) Courts apply a "but for" proximate causation standard under the CPA, and the unfair act or practice need not be the sole proximate cause of the harm. Indoor Billboard/Washington Inc. v. Integra Telecom of Wash., Inc., 162 Wash.2d 59, 170 P.3d 10, 22 (2007) ; see also FTC v. Wyndham Worldwide Corp. , 799 F.3d 236, 246 (3d Cir. 2015) (noting that the risk of foreseeable harm from inadequate data security is sufficient under the FTC Act, and an unfair act need not be the most proximate cause of an injury). Here, Eddie Bauer's alleged failure to take reasonable security measures constitutes an unfair act because it knowingly and foreseeably put Eddie Bauer's customers and payment card financial institutions at *1163a risk of harm from data theft and fraudulent payment card activity and this harm allegedly occurred. (See FAC ¶¶ 24, 55, 156.) Because the court concludes that Veridian adequately alleges an "unfair act" under the CPA, the court denies Eddie Bauer's motion to dismiss Veridian's claim on that basis.¹⁵

IV. CONCLUSION

Based on the foregoing analysis, the court GRANTS in part and DENIES in part Eddie Bauer's motion to dismiss (Dkt. # 40). Veridian may file an amended complaint that is consistent with court's rulings herein.

1 Veridian's motion for class certification is not due until April 25, 2018. (10/17/17 Order (Dkt. # 66).)

2 The parties have requested oral argument, but the court has thoroughly reviewed the parties' briefing and considers oral argument to be unnecessary. The court, therefore, denies the parties' requests. See Local Rules W.D. Wash. LCR 7(b)(4) ("Unless otherwise ordered by the court, all motions will be decided by the court without oral argument.").

3 Eddie Bauer asks the court to take judicial notice of portions of Veridian's website. (See RFJN (Dkt. # 41); Nelson Decl. (Dkt. # 42) ¶ 2, Ex. 1 (attaching pages of Veridian's website).) Veridian asks the court to deny Eddie Bauer's request because it "improperly offers facts, which are incomplete." (Resp. at 8 n.10.) In addition, Veridian offers a declaration of its senior legal counsel to counter facts asserted by Eddie Bauer based on the pages Eddie Bauer submits from Veridian's website. (See Resp. at 5, 8 n.10, 28 (citing Slessor Decl. (Dkt. # 54).)

The court denies Eddie Bauer's request that it take judicial notice of certain pages from Veridian's website. Although a court may consider materials that are properly the subject of judicial notice under Federal Rule of Evidence 201 on a motion to dismiss, see Lee v. City of L.A. , 250 F.3d 668, 689 (9th Cir. 2001), pages from a party's website generally do not meet those standards, see Spy Optic, Inc. v. Alibaba.Com, Inc. , 163 F.Supp.3d 755, 763 (C.D. Cal. 2015) ("[P]rivate corporate websites, particularly when describing their own business, generally are not the sorts of sources whose accuracy cannot reasonably be questioned.") (quoting Victaulic Co. v. Tieman , 499 F.3d 227, 237 (3d Cir. 2007) (internal quotation marks omitted). The court also declines to consider the declaration offered by Veridian. (See Slessor Decl.) "As a general rule, a district court may not consider any material beyond the pleadings in ruling on a Rule 12(b)(6) motion." Lee , 250 F.3d at 688 (internal quotation marks and citations omitted). Veridian offers no exception to this general rule that would permit the court to consider its counsel's declaration (see generally Resp.), and accordingly the court declines to do so.

4 Veridian asserts that there is no actual conflict between the law of Washington and Iowa with respect to its negligence claim because neither the economic loss rule in Iowa nor the independent duty doctrine in Washington bars its claim. (See Resp. at 18-22.) Even assuming that Veridian is correct, however, the result would be the application of Washington law because in the absence of an actual conflict, Washington law applies. See Burnside , 864 P.2d at 941 ; DP Aviation , 268 F.3d at 845. This is the same result the court reached after applying "the most significant relationship" test. See infra § III.B.2.

5 Although Veridian acknowledges that Iowa recognizes a "standalone" claim for injunctive relief while Washington does not, Veridian nevertheless counters that it brings its claim for injunctive and declaratory relief not under state law, but rather under federal law-the Declaratory Judgment Act, 28 U.S.C. §§ 2201 -02. (Resp. at 6 n.7) ("Plaintiff's Declaratory Judgment Act claim plainly is not a standalone injunctive relief claim. And, as a federal cause of action, state law does not apply to this claim."). The federal statute, however, also creates only a remedy and not an independent claim. See Stock West, Inc. v. Confederated Tribes of Colville Reservation , 873 F.2d 1221, 1225 (9th Cir. 1989) ("[The] Declaratory Judgment Act ... only creates a remedy and is not an independent basis for jurisdiction."); see also Ajetunmobi v. Clarion Mortg. Capital, Inc. , 595 Fed.Appx. 680, 684 (9th Cir. 2014) ("Declaratory and injunctive relief are remedies, not causes of action.").

6 Veridian argues that it has not asserted a claim under Iowa's CFA and that as a non-resident it "may sue" under the CPA. (Resp. at 6 n.7.) The question, however, is not whether Veridian "may sue" under the CPA, but rather which law should apply to Veridian's claim based on Washington's choice-of-law rules.

7 Eddie Bauer acknowledges that some of Veridian's customers are located in Nebraska as well. (2d MTD at 7 & n.3.)

8 Veridian alleges that Eddie Bauer has a contractual relationship with payment card networks (like Visa and Mastercard), who, in turn, have relationships with card-issuing financial institutions like Veridian. (FAC ¶¶ 19-20.)

9 Because the court concludes that Washington law applies, it does not consider Eddie Bauer's arguments to dismiss Veridian's claims based on Iowa law. (See 2d MTD at 9-19.)

10 Eddie Bauer also asks the court to dismiss Veridian's request for declaratory and injunctive relief because it owes no duty to Veridian and "[t]here is no real, immediate, and substantial risk of another data breach as required for declaratory or injunctive relief." (Reply at 15; see also 2d MTD at 26-27.) As noted above, Veridian cannot assert these forms of relief as separate legal causes of action. See supra § III.D. But construing Veridian's allegations for declaratory and injunctive relief as forms of relief only, the court declines Eddie Bauer's invitation to dismiss them at this time. The court, however, may reconsider its ruling in the context of a motion for summary judgment if appropriate.

11 "EMV" stands for Europay, MasterCard, and Visa. (FAC ¶ 5.)

12 The statute defines a "business" as "an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to persons who are residents of Washington." RCW 19.255.020(1)(c). The statute defines a "processor" as "an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a business as defined under this section, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service." RCW 19.255.020(1)(h). Neither party argues that Eddie Bauer does not fall within one these definitions.

13 Eddie Bauer argues that the Washington Legislature "provided a carefully limited duty on the part of vendors to protect a card issuer only for costs to reissue [cards] to Washington residents." (Reply at 12.) First, the statutory language that Eddie Bauer relies is unclear, and the court is not convinced that RCW 19.255.020 limits damages in the manner Eddie Bauer asserts. Nevertheless, the court need not decide that issue at this juncture because the statute also expressly provides that "[t]he remedies under this section are cumulative and do not restrict any other right or remedy otherwise available under law." RCW 19.255.020(6). Thus, although RCW 19.255.020(3)(a) defines the minimum standard of conduct applicable to Eddie Bauer because it meets the test set forth in Section 286 of the Restatement, the statute expressly does not restrict the remedies that Veridian may otherwise seek in an action based on negligence.

Eddie Bauer also asserts that if a Washington vendor has a duty beyond simply protecting card issuers for the costs of reissuing cards to Washington residents, "then RCW 19.255.020 would be completely unnecessary and meaningless." (Reply at 12-13.) The court disagrees. The remedies that the Legislature provides in the case of violation of RCW 19.255.020 are distinct from common law remedies available in a negligence action. For example, "[i]n any legal action brought pursuant to [RCW 19.255.020(3)(a) ], the prevailing party is entitled to recover its reasonable attorneys' fees and costs incurred in connection with the legal action." Id. The same is not true for a common law negligence action. Accordingly, the court rejects Eddie Bauer's argument.

14 "Washington's CPA is modeled after federal consumer protection laws and incorporates many ... provisions of the federal acts.... The Washington legislature instructed courts to be guided by federal law in the area." Klem , 295 P.3d at 1187 ; see RCW19.86.920 ("It is the intent of the legislature that, in construing this act, the courts be guided by final decisions of the federal courts and final orders of the federal trade commission interpreting the various federal statutes dealing with the same or similar matters.").

15 The court need not determine whether Veridian has adequately alleged a "deceptive act" under the CPA because Veridian need not allege both an "unfair act" and a "deceptive act" to state a CPA claim. See Klem , 295 P.3d at 1187.