UNITED STATES DISTRICT COURT EASTERN DISTRICT OF KENTUCKY NORTHERN DIVISION (at Covington)
CHARLES VIVIALI, et al., individually and purportedly on behalf of all others similarly situated, Plaintiffs,

v.

ONE POINT HR SOLUTIONS, LLC, Defendant.

Civil Action No. 2: 24-185-DCR

MEMORANDUM OPINION AND ORDER

*** *** *** ***

Plaintiffs Charles Viviali, Lisa Alicea, and Kayla Lofton initiated this action after cybercriminals pilfered their data from Defendant One Point HR Solutions LLC (“One Point”). The matter is pending for consideration of One Point’s motion to dismiss. [Record No. 21] It argues the plaintiffs’ claims should be dismissed due to lack of Article III standing or, alternatively, for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure. One Point’s motion will be granted in part and denied in part for the reasons that follow.

I. Background

On July 3, 2023, cybercriminals infiltrated One Point’s network, gaining access to the plaintiffs’ personal identifiable information (“PII”) and protected health information (“PHI”) including (but not limited to) their full names, social security numbers, dates of birth, driver’s license numbers, state and federal identification numbers, medical and health insurance information, passport numbers, usernames and passwords, and payment card information.1 [Record No. 11, p. 5] The breach continued until February 14, 2024. [Id.] But rather than promptly notifying victims that their data was compromised, One Point allegedly “kept the
[plaintiffs] in the dark” and “waited … until September 6, 2024, before it began notifying the class—a full 431 days after the Data Breach began.” [Id.] Plaintiff Lisa Alicea was notified of the breach on October 11, 2024, and subsequently received alerts from Experian that her information was found on the Dark Web. [Id., p. 9] She also “received a flood of emails from banks and lenders notifying her of loan applications made under her name.” [Id., pp. 9-10] In addition, Alicea asserts that she has suffered mental distress and incurred an onslaught of spam and scam phone calls. [Id., p. 11]
Plaintiff Charles Viviali, a former employee of One Point, also received notice of the breach on October 11, 2024. [Id., p. 12] After the breach, Viviali obtained legal counsel and spent numerous hours monitoring his credit online. [Id., p. 13] He also has allegedly suffered from “anxiety, sleep disruption, stress, fear, and frustration” because of the breach. [Id.] Plaintiff Kayla Lofton is unsure how One Point obtained her personal data, but she asserts that she was informed of the breach on October 11, 2024. [Id., p. 15] Following the
notice, Lofton signed up for credit monitoring offered by One Point. [Id.] Lofton’s bank account faced a fraudulent charge, and she was issued a new debit card thereafter. Lofton alleges she now suffers from anxiety, sleep disruption, stress, fear, and frustration, and numerous spam and scam calls because of the breach. [Id.] All three named plaintiffs claim to have suffered a diminution in the value of their personal information due to the breach.

1 In resolving the Rule 12 motion, the Court takes the facts as alleged in the complaint as true and draws all reasonable inferences in favor of the nonmoving party. Directv, Inc. v. Treesh, 487 F.3d 471, 476 (6th Cir. 2007).

II. Standing
To overcome dismissal under Rule 12(b)(1) of the Federal Rules of Civil Procedure, the plaintiffs must demonstrate that this Court has jurisdiction. Madison-Hughes v. Shalala, 80 F.3d 1121, 1130 (6th Cir. 1996). Under this rule, a motion “may either attack the claim of jurisdiction on its face or . . . attack the factual basis of jurisdiction.” Golden v. Gorno Bros., Inc., 410 F.3d 879, 881 (6th Cir. 2005). “A facial attack on the subject-matter jurisdiction alleged in the complaint questions merely the sufficiency of the pleading. When reviewing a facial attack, a district court takes the allegations in the complaint as true, which is a similar
safeguard employed under 12(b)(6) motions to dismiss.” Gentek Bldg. Prods., Inc. v. Sherwin-Williams Co., 491 F.3d 320, 330 (6th Cir. 2007) (citing Ohio Nat’l Life Ins. Co. v. United States, 922 F.2d 320, 325 (6th Cir. 1990)) (internal citations omitted). Further, “[a] facial attack questions the sufficiency of the complaint itself, without delving into matters outside the pleadings.” Morrow v. TransUnion LLC, 730 F. Supp. 3d 671, 675–76 (E.D. Mich. 2024); see also Ohio Nat’l Life, 922 F.2d at 325.
“[T]he ‘irreducible constitutional minimum’ of standing consists of three elements. The plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-561 (1992)). To prove injury in fact, a plaintiff must demonstrate “a concrete and particularized, actual or imminent invasion of a legally protected interest.” Lujan, 504 U.S. at 555. One Point argues the plaintiffs lack standing because they do not plead “out of pocket expenses or monetary damages as a result of the data breach.” [Record No. 21-1, p. 3] But earlier in its motion to dismiss, One Point appears to concede the plaintiffs “plead that as a
result of the data breach, they have suffered actual identity theft, out of pocket expenses, lost time associated with mitigation, and future costs expended to repair and prevent future harm.” [Id., p. 2 (citing Record No. 11, p. 37) (emphasis added)] The plaintiffs did not incorporate the “out of pocket damages” allegation into the “Background” section of the Complaint, but “out of pocket damages” are alleged under Counts One, Three, Six, and Seven. [Record No. 11, pp. 37, 42, 46 and 48] Normally, “assessment of the facial sufficiency of the complaint must ordinarily be undertaken without resort to matters outside the pleadings.” Rondigo, L.L.C. v.
Twp. of Richmond, 641 F.3d 673, 680 (6th Cir. 2011) (citing Wysocki v. Int’l Bus. Mach. Corp., 607 F.3d 1102, 1104 (6th Cir. 2010)). And because One Point challenges standing on its face, the Court will accept the Complaint’s allegations that the plaintiffs incurred “out of pocket” costs. Ohio Nat’l Life, 922 F.2d at 325. The United States Court of Appeals for the Sixth Circuit addressed standing in the context of a data breach in Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir.
2016). In Galaria, hackers broke into Nationwide Insurance’s data stores and exfiltrated personal information from over one million customers and potential customers. The district court concluded the plaintiffs lacked standing, but the Sixth Circuit reversed that determination, holding that “allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage.” Id. at 388. Five years later, the United States Supreme Court decided TransUnion LLC v. Ramirez, 594 U.S. 413 (2021). There, the Court faced a similar question of whether consumers with misleading alerts on their credit report had standing to sue the offending credit bureau. The
alerts were based on false information indicating the plaintiffs were potentially included in a list of individuals who posed a national security threat. The Supreme Court held that “[t]he risk of future harm on its own [wa]s not enough to support Article III standing for their damages claim.” Id. at 415 (emphasis added). However, it also concluded that the release of the false information sufficiently resembled the harm “traditionally recognized as providing a basis for a lawsuit in American courts—namely, the reputational harm associated with the tort of defamation.” Id. at 432. Thus, members of the class who faced the dissemination of that
information to third parties had standing, while consumers who merely received the misleading alerts did not. Several districts within this circuit have grappled with the relationship between those two opinions and their impact on establishing standing. Specifically, going forward, what constitutes a concrete and particularized injury? See, e.g., Brickman v. Maximus, Inc., No. 2:21-CV-3822, 2022 WL 16836186 (S.D. Ohio May 2, 2022); Bowen v. Paxton Media Grp., LLC, No. 5:21-CV-00143-GNS, 2022 WL 4110319 (W.D. Ky. Sept. 8, 2022); Kingen v. Warner Norcross + Judd LLP, No. 1:22-CV-01126, 2023 WL 11965363 (W.D. Mich. Oct. 5, 2023); Doe v. Mission Essential Grp., LLC, No. 2:23-CV-3365, 2024 WL 3877530 (S.D. Ohio Aug. 20, 2024); Savidge v. Pharm-Save, Inc., 727 F. Supp. 3d 661, 675 (W.D. Ky. 2024). Following TransUnion, these district courts went their separate ways. Some modified the standard set in Galaria, some outright ignored TransUnion, and others either created a hybrid standard that incorporated both tests or decided to apply each test separately. The facts presented here closely resemble those of Galaria. The plaintiffs experienced an illicit breach and exfiltration of their data and now claim to suffer (among other things) misuse of their information, emotional distress, lost time and out of pocket costs attempting to
mitigate the breach, and a diminution in the value of their personal data. [Record No. 11, p. 37] The breach involved significant private personal data, and it was definitively alleged. Contra Doe v. Mission Essential Grp., LLC, 2024 WL 3877530 (holding the plaintiff lacked Article III standing when a breach was unconfirmed). The Sixth Circuit refers to mitigation costs in its Article III standing analysis in Galaria. See id., 663 F. App’x at 388 (“[A]llegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.”). Further, in
addressing the mitigation costs, the Galaria Court mentioned that “members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts.” Id. (emphasis added). Here, the plaintiffs allege a notable loss of time and “out of pocket” expense. Beyond that, in a footnote, the Galaria Court reasoned that “three unauthorized attempts to open credit cards in [a plaintiff’s] name further supports standing.” Id., 663 F. App’x at 389 n.1. While
that statement is likely dictum because that plaintiff’s harm was not utilized to support standing, it remains instructive in addition to the plaintiffs’ monetary costs. Next, most can agree that spam and/or scam calls are painfully obnoxious. But on their own, they may not surmount Lujan’s “concrete and particularized” hurdle. 504 U.S. at 555. Further, “speculation about the decisions of independent actors” alone will not establish standing. Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 (2013). However, the facts here exceed the mere speculative harm of a potential breach, or of irritating spam calls, in addition to monetary credit monitoring or fraud prevention costs. The plaintiffs sufficiently allege an illicit breach involving a meaningful assortment of their private and intimate data. [Record No. 11, pp. 5-6] They allege they have expended substantial time and effort to protect
themselves and prevent identity theft. [Id., pp. 10, 13 and 15] All three named plaintiffs allege a dramatic uptick in spam and scam calls. Plaintiff Alicea has already faced attempted fraudulent loan applications, Plaintiff Lofton has attempted fraudulent charges to her bank account, and Plaintiff Viviali separately obtained legal counsel in the breach’s aftermath. [Id., pp. 9-11, 13, and 15-16] Additionally, all three have adequately alleged consequential emotional harm. [Id., p. 38] These facts evidence more than a “substantial risk of harm.” Galaria, 663 F. App’x at 388.
The Court concludes that the plaintiffs have standing under Galaria. And because an intentional data breach perpetrated by criminals is distinct from the negligent dissemination of a false credit report by a “legitimate credit reporting company,” the undersigned joins with the courts that conclude the Supreme Court’s decision in TransUnion did not abrogate Galaria. See Brickman, 2022 WL 16836186, at *4 (“In any event, the Sixth Circuit has not yet reconsidered Galaria in light of TransUnion. This Court is bound to follow relevant precedent
from the Sixth Circuit unless and until the Sixth Circuit decides to revisit that precedent.”).

III. Choice of Law

The parties also differ regarding which state’s laws should apply. “[A] federal court sitting in diversity borrows the forum state’s choice-of-law rule.” Cassirer v. Thyssen-Bornemisza Collection Found., 596 U.S. 107, 115 (2022) (citing Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496 (1941)). Because this action was brought in federal court in Kentucky, the Commonwealth’s choice-of-law rules apply. See State Farm Mut. Auto. Ins. Co. v. Norcold, Inc., 849 F.3d 328, 331 (6th Cir. 2017). The plaintiffs argue this determination would be premature, due to the lack of a developed record and because none are citizens of Kentucky. They cite three comparable cases in which Kentucky federal courts have found “a
choice of law analysis … [wa]s not necessary at this stage of [a] putative class action.” McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 817 (E.D. Ky. 2019); see also Bowen, 2022 WL 4110319, at *6 n.4; Lurry v. PharMerica Corp., No. 3:23-CV-297-RGJ, 2024 WL 2965642, at *3 (W.D. Ky. June 12, 2024). In those cases, each court concluded it lacked “sufficient information at this juncture to engage in a comprehensive choice of law analysis.” McKenzie, 369 F. Supp. 3d at 817. The finding was loosely premised on the suggestion that “courts should evaluate choice of law—
but not delve too deeply when all parties have acquiesced without comment.” Lurry, 2024 WL 2965642, at *2 (quoting GBJ Corp. v. E. Ohio Paving Co., 139 F.3d 1080, 1085 (6th Cir. 1998)) (cleaned up). However, in Lurry, the court analyzed all of the plaintiffs’ common law claims under Kentucky law. Further, the determinations declining to engage in choice of law merely amount to persuasive authority, and do not apply here, a case in which the defendant has not acquiesced, and the parties have provided the Court sufficient information. Finally,
this Court is not the first within this circuit to address choice of law concerns in data breach cases at the motion to dismiss stage. See, e.g., Brooks v. Peoples Bank, 732 F. Supp. 3d 765, 777 (S.D. Ohio 2024); Warner Norcross, 2023 WL 8544231, at *3; Haney v. Charter Foods N., LLC, 747 F. Supp. 3d 1093, 1107 (E.D. Tenn. 2024); Cahill v. Mem’l Heart Inst., LLC, No. 1:23-CV-168, 2024 WL 4311648, at *4 (E.D. Tenn. Sept. 26, 2024); Hummel v. Teijin Auto. Techs., Inc., No. 23-CV-10341, 2023 WL 6149059, at *4 (E.D. Mich. Sept. 20, 2023). “Kentucky courts have an extremely strong and highly unusual preference for applying Kentucky law even in situations where most states would decline to apply their own laws.” Osborn v. Griffin, 865 F.3d 417, 443 (6th Cir. 2017). “Kentucky case law indicates that
different choice of law rules apply to tort actions versus contract disputes[.]” Saleba v. Schrand, 300 S.W.3d 177, 181 (Ky. 2009). Regarding actions sounding in tort, Kentucky courts apply a significant relationship test. As a result, “if there are significant contacts—not necessarily the most significant contacts—with Kentucky, the Kentucky law should be applied.” Foster v. Leggett, 484 S.W.2d 827, 829 (Ky. 1972). “What is more, ‘Kentucky favors the application of its own law whenever it can be justified.’” Mem’l Hall Museum, Inc. v. Cunningham, 455 F. Supp. 3d 347, 358 (W.D. Ky. 2020) (quoting Stavens v. Buridi, No. 2016-CA-001301-MR, 2018 WL 6601879, at *3 (Ky. App. Dec. 14, 2018)). Choice of law “should not be determined on the basis of a weighing of interests, but simply on the basis of whether Kentucky has enough contacts to justify applying Kentucky law.” Arnett v. Thompson, 433 S.W.2d 109, 113 (Ky. 1968). Thus, under Kentucky’s “egocentric” choice of law principles, the Court’s inquiry can be adequately conducted at this stage. See Paine v. La Quinta Motor Inns, Inc., 736 S.W.2d 355, 357 (Ky. App. 1987).
Defendant One Point is a “Kentucky limited liability company with a principal place of business in Kentucky.” [Record No. 21-1, p. 7] The plaintiffs allege that the breach resulted from One Point’s “insufficiently protected computer systems” located in Kentucky. [Record No. 11, p. 2; Record No. 28, p. 7] They now argue that, “[w]hile One Point has contacts with Kentucky, One Point is wholly owned by a natural person and citizen of Florida.” [Id., p. 12] They contend that because “One Point is wholly owned by a natural person and citizen of Florida” and “none of the named Plaintiffs are Kentucky citizens … the Court should reject One Point’s contention that the Court should only consider Kentucky law at this stage.” [Record No. 28, p. 11] Ultimately, the defendant is a citizen of Kentucky under the Class Action Fairness Act,
it is organized under the laws of the Commonwealth, and it maintains its principal place of business and headquarters in Kentucky. [Record No. 11, pp. 2-3] A “most significant relationship” choice of law test could lead to varying results under this set of facts. But “if there are significant contacts—not necessarily the most significant contacts—with Kentucky, the Kentucky law should be applied.” Foster, 484 S.W.2d at 829. Because One Point’s headquarters and the purportedly hacked computer network is in Kentucky, and because it was organized and maintains its principal place of business here, the laws of the Commonwealth
will apply.

IV. The Sufficiency of the Pleadings

The Court may dismiss a complaint for failure to state a claim upon which relief can be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure. The purpose of this rule is to test the sufficiency of the complaint, not to decide the merits of the case. See Ohio v. United States, 849 F.3d 313, 318 (6th Cir. 2017). To withstand a motion to dismiss under Rule
12(b)(6), a complaint must state facts sufficient “to state a claim for relief that is plausible on its face.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007). In ruling on a motion to dismiss, the Court may consider “exhibits attached to the complaint, public records, items appearing in the record of the case, and exhibits attached to the defendant’s motion to dismiss, so long as they are referred to in the complaint and are central to the claims therein, without converting the motion to one for summary judgment.” Gavitt v. Born, 835 F.3d 623, 640 (6th Cir. 2016).

1. Negligence

To state a negligence claim under Kentucky law, a plaintiff must establish “(1) that the defendant owed the plaintiffs a duty of care, (2) that the defendant breached the applicable
duty of care, (3) causation, including both cause in fact and proximate cause, and (4) that the plaintiff was damaged by the breach of the duty of care.” McKenzie, 369 F. Supp. 3d at 817 (cleaned up). One Point contests the damages element. Specifically, it contends that because none of the plaintiffs allege “out of pocket mitigation expenses,” and because criminal attempts to defraud them have been unsuccessful, no compensable damages are alleged. [Record No. 21-1, p. 8] One Point cites Savidge v. Pharm-Save, Inc., 2017 WL 5986972, *3 (W.D. Ky. 2017),
in support of its position. But in Savidge, the court acknowledged that “Kentucky law allows recovery in tort ‘of damages for mental anguish.’” Id. at *5 (quoting Gill v. Burress, 382 S.W.3d 57, 64 (Ky. Ct. App. 2012)). And One Point concedes “that the Kentucky cases, cited by Plaintiffs, have found that facts like those pled in the Plaintiffs’ Complaint regarding mental anguish or emotional distress of identity fraud were sufficient to survive a motion to dismiss.” [Record No. 29, p. 5] See Bowen, 2022 WL 4110319, at *6 (finding time spent and mental
distress related to the fear of identity theft were sufficient allegations of injury in Kentucky at the motion to dismiss stage). The plaintiffs allege they “have suffered and will continue to suffer … anxiety, emotional distress, loss of privacy, and other economic and non-economic losses” stemming from One Point’s actions. [Record No. 11, p. 37] In addition, the Complaint states that among other harms, the plaintiffs have suffered and will continue to suffer injury, including but not limited to: (i) actual identity theft, (ii) the loss of the opportunity of how their PII/PHI is used, (iii) the compromise, publication, and/or theft of their PII/PHI, (iv) out-of-pocket expenses associated with the prevention, detection and recovery from identity theft, tax fraud, and/or unauthorized use of their PII/PHI, (v) lost opportunity costs associated with … attempting to mitigate the actual and future consequences of the Data Breach[.]
[Id.] At this stage, the damages alleged are sufficient to survive a motion to dismiss.

2. Negligence Per Se

One Point next argues that the plaintiffs’ negligence per se claim should be dismissed because in this Commonwealth only Kentucky statutes can serve as the required standard of care to be substituted for the elements of duty and breach. [Record No. 21-1, p. 9] “Under Kentucky law, negligence per se is a negligence claim with a statutory or regulatory standard of care substituted for the common law standard of care.” Savidge, 2017 WL 5986972, at *7 (quoting Wright v. House of Imports, Inc., 381 S.W.3d 209, 213 (Ky. 2012)) (cleaned up). “KRS 446.070 codifies the doctrine of negligence per se, and provides: ‘[a] person injured by the violation of any statute may recover from the offender such damages as he sustained by reason of the violation, although a penalty or forfeiture is imposed for such violation.’” Id. (quoting Wright, 381 S.W.3d at 213). In St. Luke Hosp., Inc. v. Straub, the Kentucky Supreme Court reiterated that “[v]iolations of federal laws and regulations and the laws of other states do not create a cause of action based on KRS 446.070.” 354 S.W.3d 529, 534 (Ky. 2011) (citing T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189 S.W.3d 526, 529 (Ky. 2006)). Here, the plaintiffs attempt to assert a negligence per se claim by virtue of the Federal Trade Commission (“FTC”) Act and the Health Insurance Portability and Accountability Act (“HIPAA”), both federal statutes. [Record No. 11, pp. 38-39] They argue that Ledford v. UofL Health-Louisville, Inc., No. 2024-CA-0022-MR, 2025 WL 349539 (Ky. Ct. App. Jan. 31, 2025), carves out an exception to the Commonwealth’s rule requiring the use of Kentucky statutes in negligence per se claims. But that contention is misplaced. The Ledford court merely held that a plaintiff’s ordinary negligence claim was not preempted by HIPAA. Id. at
*10. Further, the court clarified that “KRS 446.070 is limited to Kentucky statutes and does not extend to federal statutes” and “there is a difference between using a federal statute to inform the standard of care for purposes of a common law negligence action and bringing a KRS 446.070 negligence per se claim claiming an actual violation of the statute.” Id. Because the plaintiffs attempt the latter, Ledford offers no assistance. Finally, the Court already has determined that Kentucky law will apply, so the plaintiffs’ arguments concerning Missouri and Florida law also fail. Consequently, the plaintiffs’ negligence per se claims will be dismissed.
3. Breach of Confidence

One Point next contends that the plaintiffs’ breach of confidence claim should be dismissed because no such cause of action exists for data breach claims in Kentucky. [Record No. 21-1, pp. 9-10] The plaintiffs counter that this assertion alone is insufficient to warrant dismissal and that the court in Bowen declined to dismiss an identical claim. One Point is correct that no common law cause of action for “breach of confidence” exists in Kentucky in
the context of a data breach. Historically, those “claims” were evaluated in the context of a requested constructive trust. See, e.g., Kaplon v. Chase, 690 S.W.2d 761, 763 (Ky. Ct. App. 1985) (“[A] constructive trust is an equitable remedy which provides relief from a fraud or breach of confidence.”) (citing O’Bryan v. Bickett, Ky., 419 S.W.2d 726 (1967)). The Court declines to extend that cause of action to this case. Faced with a parallel scenario in Tennessee, the court in In re Numotion Data Incident Litig. attempted to remedy this problem by instead treating the claim as one for breach of a confidential relationship. No. 3:24-CV-00545, 2025 WL 57712, at *9 (M.D. Tenn. Jan. 9, 2025) (quoting Heflin v. Iberiabank Corp., 571 S.W.3d 727, 736 (Tenn. Ct. App. 2018)) (“No Tennessee court, to this court’s knowledge, has recognized a cause of action for ‘breach of
confidence,’ but ‘Tennessee has long recognized a cause of action for breach of confidential relationship.’”). However, Kentucky common law does not recognize a “breach of confidential relationship” claim in a data breach setting either. Instead, it is recognized in the context of probate or estate law. See Keeney v. Keeney, 223 S.W.3d 843, 849 (Ky. Ct. App. 2007) (“Kentucky courts have required the party seeking the imposition of a trust to establish a ‘confidential relationship’ with the party upon whom the trust is to be imposed.”). And the
Bowen court only allowed a breach of confidence claim to survive “because it [wa]s uncertain which states’ laws would apply.” 2022 WL 4110319, at *7. Applying Kentucky law, the breach of confidence claim will be dismissed.

4. Breach of Implied Contract

“To establish breach of an implied contract, a [p]laintiff must prove the existence of an implied contract, created by mutual assent, and the failure of a party to comply with the
contract’s terms.” McKenzie, 369 F. Supp. 3d 810, 820 (quoting Furtula v. University of Kentucky, 438 S.W.3d 303, 308-09 (Ky. 2014)). “Because parties do not expressly agree to the terms of an implied contract, the ‘circumstances must be sufficient to clearly and convincingly manifest or prove a mutual assent of minds to enter into the contract sought to be implied or established.’” BDT Prods., Inc. v. Lexmark Int’l, Inc., 274 F. Supp. 2d 880, 886 (E.D. Ky. 2003), aff’d, 124 F. App’x 329 (6th Cir. 2005) (quoting Kellum v. Browning’s Adm’r, 21 S.W.2d 459, 463 (1929)). One Point contends that the plaintiffs have not pled sufficient allegations to establish the conduct, acts, or relations of the parties necessary in an implied contract claim. It also attempts to distinguish this case from McKenzie, in which an implied contract claim survived
after an employee fell victim to a phishing scam, leading to a data breach. The plaintiffs allege that One Point “required Representative Plaintiffs and Class Members to provide and entrust their PII/PHI as a condition of obtaining Defendant’s services” and that One Point “solicited and invited Representative Plaintiffs and Class Members to provide their PII/PHI as part of Defendant’s regular business practices. Representative Plaintiffs and Class Members accepted Defendant’s offers and provided their PII/PHI to Defendant.” [Record No. 11, pp. 42-43] The Complaint also states that, “[a]s a condition of
being Defendant’s direct patients, Representative Plaintiffs and Class Members provided and entrusted their PII/PHI to Defendant … [the plaintiffs] entered into implied contracts … [and One Point] agreed to … keep such information secure and confidential[.]” It further mentions One Point implicitly agreed “to timely and accurately notify Representative Plaintiffs and Class Members if their data had been breached and compromised or stolen.” [Id.] Plaintiffs Alicea and Lofton have sufficiently alleged a relationship with One Point to
state a breach of implied contract claim. Taking the facts as alleged in the Complaint, Alicea and Lofton provided their data to One Point as patients in exchange for its services, and in turn, assented to an agreement that One Point would safeguard their data. Lack of the explicit term “customer” is not fatal at this stage as One Point suggests. Part of this implied promise alleged is the safekeeping of their data. Further, the facts of this case are notably different from McKenzie and many other data breach cases in that here, One Point allegedly waited a significant period before revealing the breach to the plaintiffs, an affirmative withholding of information that could have allowed the plaintiffs to mitigate potential harm. Plaintiff Viviali has also stated a claim as an employee, because One Point’s alleged delay between discovering and disclosing the breach “played a direct role” in the harm caused. See McKenzie, 369 F.
Supp. 3d at 821.

5. Breach of the Implied Covenant of Good Faith and Fair Dealing

The plaintiffs make a claim of breach of the implied covenant of good faith and fair dealing. But the “claim for Intentional Breach of the Implied Covenant of Good Faith and Fair Dealing fails as a matter of law … [because] Kentucky law does not recognize an independent tort for breach of good faith and fair dealing outside of insurance contracts.” Crestwood Farm Bloodstock, LLC v. Everest Stables, Inc., 864 F. Supp. 2d 629, 633 (E.D. Ky.
2012), aff’d, 751 F.3d 434 (6th Cir. 2014). Applying Kentucky law, this claim will be dismissed.

6. Breach of Fiduciary Duty

“A fiduciary relationship is one ‘founded on trust or confidence reposed by one person in the integrity and fidelity of another and which also necessarily involves an undertaking in which a duty is created in one person to act primarily for another’s benefit in matters connected
with such undertaking.’” McKenzie, 369 F. Supp. 3d at 822 (quoting ATC Distrib. Grp., Inc. v. Whatever It Takes Transmissions & Parts, Inc., 402 F.3d 700, 715 (6th Cir. 2005)). One Point argues that the Court should follow McKenzie and dismiss the plaintiffs’ claims because employers have no duty to secure their employees’ PII in Kentucky. [Record No. 21-1, p. 12] However, as discussed earlier, data protection and prompt disclosure of its theft are not the same. The plaintiffs allege One Point “became a fiduciary by its undertaking and guardianship of the PII/PHI to act primarily for … [the plaintiffs] to timely notify Representative Plaintiffs and Class Members of a data breach and disclosure[.]” [Record No. 11, p. 45] The Complaint also states that One Point “breached its fiduciary duties to Representative Plaintiffs and Class Members by failing to diligently discover, investigate, and give notice of the Data Breach in a
reasonable and practicable period of time.” [Id.] The McKenzie court reasoned that an employer had no fiduciary duty to secure the data of its employees and distinguished that situation from Kentucky cases that established an employee’s fiduciary duty. The plaintiffs cite authority from outside Kentucky and this circuit which supports a fiduciary duty in the context of a data breach. See Resnick v. Avmed, Inc., 693 F.3d 1317 (11th Cir. 2012); Clemens v. ExecuPharm Inc., 48 F.4th 146, 157–58 (3d Cir. 2022). But this claim is governed by Kentucky law and a fiduciary duty involves a party “who has expressly
undertaken to act for the plaintiff’s primary benefit.” Flegles, Inc. v. TruServ Corp., 289 S.W.3d 544, 552 (Ky. 2009) (citing Steelvest, Inc. v. Scansteel Service Center, Inc., 807 S.W.2d 476 (Ky. 1991)). Because the plaintiffs cannot meet this burden, their breach of fiduciary duty claims fail as a matter of law.

7. Unjust Enrichment

“Under Kentucky law, unjust enrichment is ‘1) a benefit conferred upon the defendant at the plaintiff’s expense; 2) a resulting appreciation of the benefit by the defendant; and 3) an inequitable retention of the benefit without payment for its value.’” Bowen, 2022 WL 4110319, at *8 (citing Marcus & Millichap Real Est. Inv. Brokerage Co. v. Skeeters, 395 F. Supp. 2d 541, 557 (W.D. Ky. 2005)) (cleaned up). One Point contends that the plaintiffs have not alleged any inequitable retention of a benefit or any services or amounts that should have been incurred to prevent the breach. [Record No. 21-1, p. 13] It also argues that the plaintiffs’ response contains information that contradicts the Complaint. But again, “assessment of the facial sufficiency of the complaint must ordinarily be undertaken without resort to matters outside the pleadings.” Rondigo, 641 F.3d 673, 680 (citing Wysocki, 607 F.3d 1102, 1104). The plaintiffs allege that “they purchased goods and services from Defendant and/or its
agents and provided Defendant with their PII/PHI. In exchange, Representative Plaintiffs and Class Members should have received from Defendant the goods and services that were the subject of the transaction and have their PII/PHI protected with adequate data security.” [Record No. 11, p. 47] Essentially, the Complaint alleges the plaintiffs “conferred a benefit” on One Point and it was unjustly enriched when it profited without any coordinate efforts to protect the plaintiffs’ data in the transaction. [Id.] Following the Bowen court’s determination under similar facts, the unjust enrichment claim will not be dismissed.
8. Invasion of Privacy (Intrusion upon Seclusion)

To state a claim for an intrusion upon seclusion invasion of privacy claim, a plaintiff must allege “an [intentional] intrusion by the defendant; that is highly offensive to a reasonable person; into some matter in which a person has a legitimate expectation of privacy[.]” Pearce v. Whitenack, 440 S.W.3d 392, 401 (Ky. Ct. App. 2014). Further, “a defendant’s actions may be intentional when the defendant acts with such reckless disregard for the privacy of the
plaintiff that the actions rise to the level of being an intentional tort.” Bowen, 2022 WL 4110319, at *7 (citing McKenzie, 369 F. Supp. 3d at 819). The parties disagree regarding whether One Point’s alleged actions were intentional or sufficiently reckless to constitute an intentional tort. On its own, the allegation that One Point “acted with a knowing state of mind when it permitted the Data Breach because it knew its information security practices were inadequate” is shaky. [Record No. 11, p. 50] And under Bowen, that assertion alone is enough to state a claim. Id., 2022 WL 4110319, at *7 (finding the allegation the defendant acted with a knowing state of mind in failing to prevent a data breach was sufficient). But the plaintiffs also contend that One Point “acted with a knowing state of mind when it failed to notify Plaintiffs and the Class in a timely fashion about the Data
Breach, thereby materially impairing their mitigation efforts.” [Id.] Accepting these assertions as true, even if the allegation the breach was committed with a knowing state of mind is little more than a negligence claim in disguise, the allegation that One Point wantonly covered it up and significantly delayed disclosure can be viewed as an aggravating factor to the breach, which is sufficient at this stage of the litigation. This claim may proceed as a result.

9. Kentucky Consumer Protection Act

The Kentucky Consumer Protection Act (“KCPA”) applies, in relevant part, to “[a]ny
person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by KRS 367.170[.]” Craig & Bishop, Inc. v. Piles, 247 S.W.3d 897, 902 (Ky. 2008) (quoting KRS 367.220(1)). Under the Act, “[u]nfair, false, misleading, or deceptive acts or practices in the conduct of any trade or commerce are … unlawful.” KRS 367.170.
The court in Bowen held that employees are ineligible for protection under the act because they do not qualify as consumers. Id., 2022 WL 4110319, at *10 (“Plaintiffs cite no Kentucky law allowing a claim for under KCPA by an employee against an employer. This claim will be dismissed for failure to state a claim under the KCPA.”). In accord with that decision, and in light of Plaintiff Viviali’s status as a former employee, his claim will be dismissed. But regarding Plaintiffs Alicea and Lofton, the sufficiency of the claim is a closer question. One Point argues that Plaintiffs Alicea and Lofton’s claim under the Kentucky Consumer Protection Act should be dismissed because they “have not alleged that One point engaged in trade or commerce with Plaintiffs to make them consumers, nor that Plaintiffs
leased goods or services from [One Point.]” [Record No. 21-1, p. 15] However, the Complaint states, “[a]s a condition of being Defendant’s direct patients, Representative Plaintiffs and Class Members provided and entrusted their PII/PHI to Defendant” and “Defendant required Representative Plaintiffs and Class Members to provide and entrust their PII/PHI as a condition of obtaining Defendant’s services[.]” [Record No. 11, pp. 42-43] In conjunction with facts regarding the delayed notification of the breach incorporated from earlier in the Complaint, these allegations plausibly suggest that the plaintiffs purchased services from One Point as
consumers. In Lurray, the court found that the plaintiffs had not stated a claim under the Act because the defendant’s allegedly insufficient data protection policies “standing alone, did not proximately cause each plaintiff’s injuries: their personal information would not have been disclosed absent the actions of a third party.” Id., 2024 WL 2965642, at *8. But one other allegation makes this scenario unique. Here, the plaintiffs also assert that One Point violated
the KCPA by “omitting, suppressing, and concealing the material fact that it did not comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs’ and Class Members’ PII/PHI[.]” Construing the alleged facts favorably to Alicea and Lofton, One Point’s alleged intentional failure to disclose the breach promptly after it occurred could plausibly create a causal link to increased harm to the plaintiffs. Because of this distinct factual wrinkle, the KCPA claim asserted by Alicea and Lofton will survive; however, Viviali’s claim will be dismissed.

10. Declaratory Judgment and Injunctive Relief

Finally, One Point moves to dismiss the plaintiffs’ claim for a declaratory judgment and/or injunctive relief because the plaintiffs “have not alleged any future injury from which
their request for declaratory or injunctive relief would protect them.” [Record No. 21-1, p. 16] Under the Declaratory Judgment Act: [A]ny court of the United States, upon the filing of an appropriate pleading, may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought. Any such declaration shall have the force and effect of a final judgment or decree and shall be reviewable as such.
28 U.S.C. § 2201(a). And pursuant to the Act, the Court weighs the following factors outlined in Grand Trunk W. R.R. Co. v. Consol. Rail Corp. in determining whether the exercise of jurisdiction is appropriate: (1) whether the declaratory action would settle the controversy; (2) whether the declaratory action would serve a useful purpose in clarifying the legal relations in issue; (3) whether the declaratory remedy is being used merely for the purpose of “procedural fencing” or “to provide an arena for a race for res judicata;” (4) whether the use of a declaratory action would increase friction between our federal and state courts and improperly encroach upon state jurisdiction; and (5) whether there is an alternative remedy which is better or more effective.
746 F.2d 323, 326 (6th Cir. 1984). But “[b]efore considering the factors, however, jurisdictional requirements must be met.” Bowen, 2022 WL 4110319, at *9 (citing Larry E. Parrish, P.C. v. Bennett, 989 F.3d 452, 457 (6th Cir. 2021)). “Importantly, to establish standing when an alleged injury is a future injury, ‘the plaintiff must demonstrate that the threatened injury is certainly impending or there is a substantial risk that the harm will occur.’” See Lochridge v. Quality Temp. Servs., Inc., No. 22-CV-12086, 2023 WL 4303577, at *8 (E.D. Mich. June 30, 2023) (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)). The plaintiffs attempt to leap this steep hurdle by alleging they “have an ongoing, actionable dispute arising out of Defendant’s inadequate security measures.” [Record No. 11, p. 54] They further contend One Point’s “data security measures remain inadequate,” and they
“continue to suffer injury due to the compromise of their PII/PHI and remain at imminent risk that further compromises of their PII/PHI will occur in the future. It is unknown what specific measures and changes Defendant has undertaken in response to the Data Breach.” [Id.] Other district courts within this circuit have rejected similar arguments. See, e.g., Lochridge, 2023 WL 4303577, at *8 (rejecting declaratory and injunctive claims where the plaintiff had “not alleged any facts tending to show that a second data breach is currently impending or there is a substantial risk that one will occur”); Cahill v. Mem’l Heart Inst., LLC,
No. 1:23-CV-168, 2024 WL 4311648, at *16 (E.D. Tenn. Sept. 26, 2024) (“Plaintiffs do not allege specific facts regarding currently impending or substantial risk of another cyberattack on Defendant[.]”); Hummel v. Teijin Auto. Techs., Inc., No. 23-CV-10341, 2023 WL 6149059, at *14 (E.D. Mich. Sept. 20, 2023) (“By failing to allege any facts, which would suggest Defendant is at risk for a second cyberattack, Plaintiff has failed to meet the jurisdictional requirements of this relief.”). The undersigned agrees.
Other than essentially alleging that it happened previously, and that “[t]he risk of another such breach is real, immediate, and substantial,” the plaintiffs do not provide sufficient justification for declaratory or injunctive relief. [Record No. 55] And relief aimed at mitigating the first breach is likely futile, because the genie has already left the bottle. Compelling One Point “to improve its security now would not decrease the risk of the stolen data being misused[.]” Bowen, 2022 WL 4110319, at *9. [See also Record No. 11, p. 50 (“Plaintiffs’ PII/PHI has already been published—or will be published imminently—by cybercriminals on the Dark Web.”)] Accordingly, the claim for declaratory and injunctive relief will be dismissed.

V. Conclusion

Based on the foregoing analysis and discussion, it is hereby ORDERED that Defendant One Point’s Motion to Dismiss [Record No. 21] is GRANTED, in part, and DENIED, in part, consistent with this Memorandum Opinion and Order.

Dated: April 21, 2025.
Danny C. Reeves, District Judge, United States District Court, Eastern District of Kentucky