UNITED STATES DISTRICT COURT EASTERN DISTRICT OF NEW YORK ----------------------------------------------------------------------X For Online Publication Only PATRICE WHITFIELD, individually and on behalf of all others similarly situated,
Plaintiff, ORDER 22-CV-5005 (JMA) (LGD) -against- FILED CLERK ATC HEALTHCARE SERVICES, LLC, 11:21 am, Au g 22, 2023
Defendant. U.S. DISTRICT COURT ----------------------------------------------------------------------X EASTERN DISTRICT OF NEW YORK AZRACK, United States District Judge: LONG ISLAND OFFICE Before the Court is a motion filed by Defendant ATC Healthcare Services, LLC (“Defendant”), seeking dismissal of Plaintiff Patrice Whitfield’s (“Plaintiff”) Complaint for lack of subject matter pursuant to Rule 12(b)(1) and for failure to state a claim pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure (“Fed. R. Civ. P.”), or in the alternative, to dismiss or strike certain allegations from the Complaint pursuant to Fed. R. Civ. P. 23(d)(1)(D). (See Defendant’s Motion to Dismiss (“Defendant’s Motion”), ECF No. 17.) For the reasons set forth herein, Defendant’s Motion is granted in part and denied in part. I. BACKGROUND The following facts, set forth in the Complaint and the attached exhibit, are presumed true for purposes of Defendant’s motion to dismiss. A. Defendant’s PII/PHI Collection Defendant is a Georgia-based limited liability healthcare staffing company with its principal place of business in Lake Success, New York. (See Complaint (“Compl.”), ECF No. 1, ¶¶ 15, 19.) Plaintiff is an Illinois citizen who was employed by Defendant from October 2015 through August 2019. (Id. ¶ 14.) According to Plaintiff, Defendant collects and maintains “highly sensitive personal identifying information (‘PII’) and personal health information (‘PHI’)” from employees as a prerequisite to employment. (Id. ¶¶ 1, 25.) Defendant maintains this information even after employees cease their employment and, in doing so, purportedly agreed to “safeguard the data according to its internal policies and state and federal law.” (Id. ¶¶ 26-27.)
B. Defendant’s Post-Breach Investigation and Notification On or about December 22, 2021, Defendant “discovered unusual activity involving employee email accounts.” (Id. ¶ 2.) Defendant investigated and determined that, between February 9, 2021, and December 22, 2021, cybercriminals accessed those email accounts without authorization (the “Data Breach”). (Id. ¶¶ 2, 31.) Defendant identified the information present in the impacted email accounts on or about May 19, 2022. (Id. ¶ 32.) Defendant then “reconcile[d] the information with [its] internal records” and identified the individuals with whom the data was associated; it completed this investigative phase on or about June 2, 2022. (Id. ¶ 33.) On or about July 1, 2022 Defendant issued a “Notice of Data Breach Incident” (the “Notice”) to potentially affected individuals, including Plaintiff. (See id. ¶¶ 3, 33; see also Notice,
ECF No. 1-3.) According to the Notice, Defendant confirmed that the employee information exposed in the Data Breach included “names, Social Security numbers, driver’s licenses, financial account information, usernames, passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures and employer-assigned identification numbers.” (See Compl. ¶ 3; Notice at 1.) C. Plaintiff’s Post-Breach Issues Plaintiff subsequently “spent time dealing with the consequences of the Data Breach, which include[d] time spent verifying the legitimacy of the Breach Notice, [and] self-monitoring her accounts and credit reports to ensure no fraudulent activity has occurred.” (See Compl. ¶ 38.) Plaintiff’s debit card has been compromised three times post-Breach, and her bank account was compromised, forcing her to close the account and open a new one. (Id. ¶ 39.) Accordingly, on or about August 23, 2022, Plaintiff filed the instant Complaint on behalf of herself and on behalf of a class and subclass: (i) the “Nationwide Class” of “[a]ll individuals residing in the United
States whose PII and/or PHI was compromised in the Data Breach”; and (ii) the “Illinois Subclass” of “[a]ll individuals residing in Illinois whose PII and/or PHI was compromised in the Data Breach.” (See id. ¶ 72.) The Complaint asserts common law claims on behalf of Plaintiff and the Nationwide Class for: (1) negligence; (2) negligence per se; (3) breach of an implied contract; (4) unjust enrichment; and (5) declaratory and injunctive1 relief, as well as (6) a claim on behalf of Plaintiff and the Illinois Subclass for violation of the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/15(d). The Court issued a briefing schedule for Defendant’s Motion on December 19, 2022, see December 19, 2022 Electronic Order, which was fully briefed and filed on February 24, 2023. (See generally Defendant’s Motion.) For the following reasons, the Court grants Defendant’s
motion to dismiss in part and denies it in part. II. DISCUSSION A. Legal Standards 1. Rule 12(b)(1) “[F]ederal courts are courts of limited jurisdiction and lack the power to disregard such limits as have been imposed by the Constitution or Congress.” In re USAA Data Sec. Litig., 621 F. Supp. 3d 454, 463 (S.D.N.Y. 2022) (quoting Durant, Nichols, Houston, Hodgson & Cortese-
1 Plaintiff seeks injunctive relief “requiring Defendant to employ adequate security protocols consistent with industry standards to protect its employees’ (i.e., Plaintiff’s and members of the Class’s) data.” (See Compl. ¶¶ 13, 121.) Costa, P.C. v. Dupont, 565 F.3d 56, 62 (2d Cir. 2009)). “A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it.” Nike, Inc. v. Already, LLC, 663 F.3d 89, 94 (2d Cir. 2011), aff’d, 568 U.S. 85 (2013). The party invoking the court’s jurisdiction bears the burden of
establishing jurisdiction exists. Conyers v. Rossides, 558 F.3d 137, 143 (2d Cir. 2009). When a Rule 12(b)(1) motion is based solely on the allegations of the complaint, the court must “determine whether the [complaint] alleges facts that affirmatively and plausibly suggest that the plaintiff has standing to sue.” Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56 (2d Cir. 2016). In deciding a Rule 12(b)(1) motion to dismiss, the court “must accept as true all material facts alleged in the complaint and draw all reasonable inferences in the plaintiff's favor,” Conyers, 558 F.3d at 143, but “argumentative inferences favorable to the party asserting jurisdiction should not be drawn.” Buday v. N.Y. Yankees P’ship, 486 F. App’x 894, 895 (2d Cir. 2012) (summary order). When, as here, a defendant moves to dismiss for lack of subject matter jurisdiction and on other grounds, the court should consider the Rule 12(b)(1) challenge first. Rhulen Agency, Inc. v.
Ala. Ins. Guar. Ass’n, 896 F.2d 674, 678 (2d Cir. 1990). 2. Rule 12(b)(6) To survive a Rule 12(b)(6) motion to dismiss, a plaintiff must allege sufficient facts “to state a claim to relief that is plausible on its face.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible only “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). Mere labels and legal conclusions will not suffice. Twombly, 550 U.S. at 555. In reviewing a motion to dismiss, the Court must accept the factual allegations set forth in the complaint as true and draw all reasonable inferences in favor of the plaintiff. See Dobroff v. Hempstead Union Free School Dist., No. 21-cv-1567, 2022 WL 4641128, at *4 (E.D.N.Y. Sept. 30, 2022) (citing Cleveland v. Caplaw Enters., 448 F.3d 518, 521 (2d Cir. 2006)). A court may also consider materials attached to the complaint, materials integral to the complaint, and materials incorporated into the complaint by
reference. See Sira v. Morton, 380 F.3d 57, 67 (2d Cir. 2004). 3. Rule 23(d)(1)(D) Rule 23(c)(1)(A) requires courts to “decide whether to certify a class action ‘[a]t an early practicable time’ after a putative class action is brought.” Candelaria v. Conopco, Inc., No. 21-cv- 6760, 2023 WL 2266047, at *5 (E.D.N.Y. Feb. 28, 2023) (quoting Talarico v. Port Auth. of New York & New Jersey, 367 F. Supp. 3d 161, 166 (S.D.N.Y. 2019)). “Because a decision in the negative might be practicable even prior to discovery, Rule 23(d)(1)(D) allows” courts to strike aspects of class claims at early stages of litigation. Talarico, 367 F. Supp. 3d at 166 (quoting Fed. R. Civ. P. 23(d)(1)(D)). However, these motions are typically “disfavored” within this Circuit because they seek to “preemptively terminate” class claims before discovery that plaintiffs “would
otherwise be entitled [to] on questions relevant to class certification.” Candelaria, 2023 WL 2266047, at *5 (quoting Calibuso v. Bank of Am. Corp., 893 F. Supp. 2d 374, 383 (E.D.N.Y. 2012)); -se-e -al-so- -D-u-ro-n- v-. -H-en-k-e-l -of- A-m--.,- In-c-., 450 F. Supp. 3d 337, 357 (S.D.N.Y. 2020) (same). Courts typically only grant motions to strike class allegations where a defendant has demonstrated from the face of the complaint that “it would be impossible to certify the alleged class regardless of the facts [the] [p]laintiffs may be able to obtain during discovery.” Hobbs v. Knight-Swift Transportation Holdings, Inc., No. 21-cv-1421, 2022 WL 118256, at *4 (S.D.N.Y. Jan. 12, 2022) (quoting Mayfield v. Asta Funding, Inc., 95 F. Supp. 3d 685, 696 (S.D.N.Y. 2015)). B. Analysis 1. Defendant’s Rule 12(b)(1) Motion Defendant initially contends that Plaintiff lacks standing based on her failure to establish that Defendant caused her a concrete injury, and that she instead asserts speculative allegations of
a risk of non-imminent, future harm. Plaintiff maintains that Defendant’s failure to prevent the Data Breach caused concrete injuries, including a “disclosure of private information,” identity theft, lost time and expenses, emotional damages, and the “lost benefit of the bargain.” Those injuries, alleges Plaintiff, establish her standing. The Court agrees. a. Applicable Law To satisfy the “irreducible constitutional minimum of standing… [t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Rand v. Travelers Indem. Co., 637 F. Supp. 3d 55, 55 (S.D.N.Y. 2022) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)). Instantly relevant, an injury-in-fact is “an invasion of a legally protected interest that is
concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, 578 U.S. at 339. To be concrete, an injury “must actually exist,” Spokeo, 578 U.S. at 340, and must bear a “close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts—such as physical harm, monetary harm, or various intangible harms.” TransUnion LLC v. Ramirez, , U.S. , 141 S. Ct. 2190, 2200 (2021). A plaintiff seeking injunctive relief may plausibly allege an injury-in-fact if she demonstrates that “the risk of [future] harm is sufficiently imminent and substantial,” while “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210-11. In the data-breach context, courts within this Circuit have found that time and money spent responding to a data breach may satisfy the injury-in-fact requirement. See, e.g., In re USAA Data Sec. Litig., 621 F. Supp. 3d at 464-65; Rudolph v. Hudson’s Bay Co., No. 18-cv-8472, 2019 WL 2023713, at *6-7 (S.D.N.Y. May 7, 2019); -se-e -al-so- -C-ar-te-r- v-. -H-ea-l-th-P-o-rt- T-e-ch-.,- L-L-C-, 822 F.3d 47,
54 (2d Cir. 2016) (“Any monetary loss suffered by the plaintiff satisfies [the injury-in-fact] element; even a small financial loss suffices.”). Additionally, the Second Circuit has recognized that expenses “reasonably incurred to mitigate [the] risk” of identity theft in the future may qualify as an injury-in-fact, assuming the plaintiff plausibly alleges a substantial risk of the future identity theft. McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (2d Cir. 2021). In McMorris, the Second Circuit applied the following three-factor test to determine whether a plaintiff plausibly alleges a substantial risk of identity theft as part of the injury-in-fact analysis: (1) the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) the type of data that has been exposed is sensitive such that there is
a high risk of identity theft or fraud. Id. at 303. Conversely, where a plaintiff fails to allege a “substantial risk of future identity theft” under the McMorris factors, “the time they spent protecting themselves against this speculative threat cannot create an injury.” See id.2 Traceability requires “a causal connection between the injury and the conduct complained of.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). While a plaintiff’s injury must be “fairly traceable” to a defendant’s actions, the causal connection element of standing creates “a
2 The Rand court observed that while McMorris “suggested that a sufficiently imminent risk of identity theft, standing alone, could constitute injury-in-fact, even in a suit for damages[,]” TransUnion “appears to have ‘abrogated this holding in suits for damages by requiring both an imminent risk of future harm and a concrete injury related to the risk.’” Rand, 2022 WL 15523722, at *4 n.2. Notwithstanding, the Rand court still found the McMorris factors “instructive for determining whether the risk of injury is imminent, which remains part of the requirement for standing in suits for both damages and injunctive relief, pursuant to TransUnion.” See id. Accordingly, the Court declines Defendant’s invitation to entirely disregard McMorris—binding Second Circuit precedent—in light of TransUnion. standard lower than that of proximate causation.” Carter, 822 F.3d at 55. “A defendant’s conduct that injures a plaintiff but does so only indirectly, after intervening conduct by another person, may suffice for Article III standing.” Id. at 55–56. Redressability is the “non-speculative likelihood that the injury can be remedied by the
requested relief.” Guan v. Mayorkas, 530 F. Supp. 3d 237, 262-63 (E.D.N.Y. 2021) (quoting W.R. Huff Asset Mgmt. Co., LLC v. Deloitte & Touche LLP, 549 F.3d 100, 106-07 (2d Cir. 2008)). A plaintiff’s injuries are redressable if the requested relief can compensate her for losses, or eliminate the effects caused by the challenged conduct. Guan, 530 F. Supp. 3d at 263. b. Analysis For the below reasons, the Court finds that Plaintiff has plausibly alleged facts that establish standing to prosecute her instant claims.3 Plaintiff first contends that Defendant’s disclosure of her PII and PHI, and the related damage, confers Article III standing under TransUnion. In TransUnion, the Supreme Court applied Article III’s standing principles to claims involving a “risk of future harm.” TransUnion,
141 S. Ct. at 2210. While the TransUnion plaintiffs alleged that TransUnion violated the Fair Credit Reporting Act by mislabeling them as “terrorists, drug traffickers, or other serious criminals” in their credit reports, the Supreme Court noted that TransUnion had only shared some, but not all, of those credit reports with third parties, and separated the plaintiffs into two groups for standing purposes. Id. at 2201, 2209. The Court had “no trouble” affording standing to the first group—those whose “misleading” credit reports had been disclosed by TransUnion to third
3 Defendant is mistaken to the extent it suggests that the Court must determine, at this stage, the standing of both the Nationwide Class and the Illinois Subclass, separately from Plaintiff’s standing. In re Propranolol Antitrust Litig., 249 F. Supp. 3d 712, 727 (S.D.N.Y. 2017) (In “a class action, a court must analyze the injuries allegedly suffered by the named plaintiffs, not unnamed members of the potential class, to determine whether the plaintiffs have Article III standing.”) Accordingly, the Court need not address the standing of these putative classes at this time. parties, as those plaintiffs “suffered a harm with a ‘close relationship’ to the harm associated with the tort of defamation”. Id. at 2209. The second group – for whom the Court declined to afford standing – did not allege that any third party viewed their reports, and the Court concluded that any “risk of dissemination to third parties” was “too speculative to support Article III standing.”
Id. at 2212. Moreover, the second group of plaintiffs had neither alleged a “disclosure of private information” nor an “emotional injury,” meaning they suffered no harm and had no “material risk of concrete harm.” Id. Plaintiff’s instant allegations are analogous to those of the first group of TransUnion plaintiffs. Specifically, she alleges that criminals stole her PII and PHI, misused it, and that she spent resources remediating and mitigating that misuse. (See generally Compl.) These allegations not only meet TransUnion’s standard but are similar to the allegations of data breach plaintiffs whom other post-TransUnion courts have found plausibly alleged standing because their alleged injuries had a “close relationship” to the “disclosure of private information,” a “traditional” harm that establishes standing. See Bohnak v. Marsh & McLennan Cos., Inc., 580 F. Supp. 3d 21, 30 (S.D.N.Y. Jan. 17, 2022) (“[I]n light of the TransUnion Court’s admonition that
common-law analogs need not provide ‘an exact duplicate,’… I find the fit sufficiently close.”); -se-e -al-so- -In- r-e -U-S-A-A- D--at-a -S-ec-.- L-it-ig-., 621 F. Supp. 3d at 466 ( (“To be clear, it is debatable whether USAA’s disclosure to even a group of cybercriminals is sufficiently ‘public’ under the tort, and whether the type of disclosure here is sufficiently ‘offensive,’ but the Supreme Court is equally clear that the common-law analogue need not be an ‘exact duplicate.’” (quoting TransUnion, 141 S. Ct. at 2209)); Rand, 2022 WL 15523722, at *4 (affording plaintiff standing “because the loss of privacy arising out of the data breach[...] bears a sufficiently ‘close relationship’ to the tort of public disclosure of private information, recognized at common law.”). Plaintiff has thus plausibly pled facts to establish standing on this first point. Plaintiff has similarly established standing by pleading that she has suffered, and remains at an “increased risk” of, Data Breach-linked identity theft. She asserts that, since the Data Breach, her debit card and bank account have been compromised. (Compl. ¶ 39.) Courts across the country have found that such harm, by itself, confers standing. See, e.g., In re USAA Data Sec. Litig., 621
F. Supp. 3d at 466 (“Because these alleged losses implicate monetary harm directly caused by the data breach, they are sufficiently concrete to constitute an injury-in-fact”); In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1263 (11th Cir.), cert. denied sub nom. Huang v. Spector, 142 S. Ct. 431 (2021), and cert. denied sub nom. Watkins v. Spector, 142 S. Ct. 765 (2022) (same). Plaintiff’s increased risk of further identity theft confers standing under the McMorris factors. Plaintiff first alleges that: (1) criminals targeted her PII and PHI in the Data Breach; (2) those criminals stole “sensitive” PII and PHI, including her Social Security and financial account numbers; and (3) those criminals “accessed” and “misused” her PII and PHI, leading her to suffer identity theft four times following the breach. (See generally Compl.) Taken together, these factors establish Plaintiff’s standing. See McMorris, 995 F.3d 295, 302.
Plaintiff expenditure of resources remediating and mitigating caused by the Data Breach also establishes her standing. See, e.g., In re USAA Data Sec. Litig., 621 F. Supp. 3d at 466 (“Even absent a risk of future identity theft, such ‘concrete and particularized loss[es] based on actual time spent responding to’ the already-occurred identity thefts are sufficient to demonstrate [standing].”); Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 747 (S.D.N.Y. 2017). Here, Plaintiff alleges that she: (1) remediated her injuries after criminals used her PII and PHI to steal her identity four times and compromised her debit card and bank account; and (2) has and will “spend considerable time and effort monitoring her accounts to protect herself from additional identity theft.” (Compl. ¶¶ 39-40.) These allegations are again sufficient to establish standing. Plaintiff next establishes standing based on her financial security concerns, a cognizable emotional injury under Article III. See TransUnion, 141 S. Ct. at 2211, n. 7 (“A plaintiff’s knowledge that he or she is exposed to a risk of future physical, monetary or reputational harm could cause its own current emotional or psychological harm.”). Indeed, Plaintiff alleges that her
fear expands beyond “mere worry or inconvenience,” because “criminals have and will misuse her PII and PHI again, causing her “feelings of anxiety, sleep disruption, stress, fear, and frustration[.]” (Compl. ¶ 40.) Plaintiff has also established standing on this ground. Finally, Plaintiff has established standing under a “lost benefit of the bargain” theory, in that she expected Defendant to protect her PII and PHI as part of her employment agreement. Plaintiff alleges that this data security was bargained for, and that she “would not have entrusted [her] PII or PHI to Defendant in the absence of such agreement.” (Compl. ¶ 102.) Multiple Courts within and outside of this Circuit have held that “[l]ost benefit of the bargain” is a viable recovery theory in the breach of contract context. See Wallace v. Health Quest Sys., Inc., No. 20-cv- 545, 2021 WL 1109727, at *6 (S.D.N.Y. Mar. 23, 2021); -se-e -al-so- -In- r-e -A-n-th-e-m-, -In-c-. -D-at-a- B-r-ea-c-h -L-it-ig-.,
162 F. Supp. 3d 953, 985 (N.D. Cal. 2016) (same). As a result, Plaintiff has established standing under this theory, and Defendant’s Rule 12(b)(1) motion is denied in its entirety. 2. Defendant’s Rule 12(b)(6) Motion Defendant next contends that the Complaint should be dismissed based on Plaintiff’s purported failure to state a claim.4 The Court proceeds to analyze Plaintiff’s remaining claims. a. Damages Defendant initially argues that Plaintiff’s claims for negligence, breach of implied contract, and unjust enrichment must be dismissed based on her failure to plausibly plead attendant
4 In her opposition, Plaintiff agrees to dismiss her negligence per se claim. The Court dismisses this claim with prejudice. damages. Defendant’s argument is similar to those advanced against Plaintiff’s standing. See Caronia v. Philip Morris USA, Inc., 22 N.Y.3d 439, 446, 448 (N.Y. 2013) (A “threat of harm is insufficient to impose liability against a defendant in a tort context,” and claims related to time and expenses spent “monitoring” for alleged harms fail as a matter of law.) As noted above, however,
a data breach victim who plausibly alleges a post-breach misuse of her PII/PHI may seek associated damages. See In re GE/CBPS Data Breach Litig., No. 20-cv-2903, 2021 WL 3406374, at *15 (S.D.N.Y. Aug. 4, 2021). Here, Plaintiff alleges actual harm in the form of four instances of identity theft stemming from the Data Breach criminals’ misuse of her PII and PHI, as well as the future increased risk of identity theft. (See Compl. ¶¶ 38-43.) Plaintiff may seek damages for resources spent mitigating the Data Breach’s impact. Defendant’s Motion is denied on this ground. b. Breach of Implied Contract Claim Defendant next argues that Plaintiff has failed to state a claim for breach of an implied contract. Under New York law, an implied contract “may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the presumed
intention of the parties as indicated by their conduct.” Cohen v. Northeast Radiology, P.C., No. 20-cv-1202, 2021 WL 293123, at *8-9 (S.D.N.Y. Jan. 28, 2021) (quoting Leibowitz v. Cornell Univ., 584 F.3d 487, 506-07 (2d Cir. 2009)). An implied contract requires “consideration, mutual assent, legal capacity and legal subject matter.” McFarlane v. Altice USA, Inc., 524 F. Supp. 3d 264, 281 (S.D.N.Y. 2021) (quoting Leibowitz, 584 F.3d at 507.) Here, Plaintiff alleges that when she provided her PII and PHI as a prerequisite to her employment, Defendant agreed and promised (through its privacy policy) to safeguard that information from unauthorized disclosure. (See Compl. ¶¶ 21-22, 98-99, 100, 105.) Without this implied contract to protect her data, Plaintiff asserts that she would not have entrusted Defendant with her PII or PHI. (Id. ¶ 102.) Moreover, Plaintiff argues that Defendant breached their implied agreement by failing to implement proper security measures to protect her PII and PHI. (Id. ¶¶ 3, 23, 34, 103.) Multiple courts have found that claims of this nature can defeat a Rule 12(b)(6) motion. See, e.g., In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *12 (implied contract
breached by defendant where it failed to “safeguard and protect [employees’] personal and financial information.”); McFarlane, 524 F. Supp. 3d at 282 (implied contract where Plaintiffs alleged that “they were required to provide personal identifying information in exchange for employment” and Defendant “allowed that information to fall into the hands of cyber criminals.”). Accordingly, Defendant’s motion to dismiss Plaintiff’s breach of implied contract claim is denied. c. Unjust Enrichment Claim Defendant next seeks dismissal of Plaintiff’s unjust enrichment claim. To plead unjust enrichment under New York law, “the plaintiff must allege that (1) the other party was enriched, (2) at that party’s expense, and (3) that it is against equity and good conscience to permit the other party to retain what is sought to be recovered.” Georgia Malone & Co., Inc. v. Reider, 19 N.Y.3d
511, 516 (2012). “The essence of such a claim is that one party has received money or a benefit at the expense of another.” Wallace, 2021 WL 1109727, at *11 (quoting Kaye v. Grossman, 202 F.3d 611, 616 (2d Cir. 2000)). While a contract’s existence typically “precludes recovery on quasi- contractual claims such as unjust enrichment,” where there is a “bona fide dispute” as to the existence of [a] contract,” a plaintiff is permitted to proceed on both breach of contract and quasi- contract theories. Wallace, 2021 WL 1109727, at *11 (quoting Nakamura v. Fujii, 253 A.D.2d 387, 390 (1st Dep’t 1998)); see Flatscher v. Manhattan School of Music, 551 F. Supp. 3d 273, 287 (S.D.N.Y. 2021) (declining to dismiss unjust enrichment claim where parties disputed contract existence). Based on the above, the Court finds that Plaintiff has plausibly alleged her unjust enrichment claim. Here, Plaintiff asserts that Defendant benefitted from receiving Plaintiff’s PII and PHI and her subsequent employment yet failed to protect that information. (Compl. ¶¶ 113- 15.) Based on this failure, Plaintiff asserts, Defendant should not be permitted to retain the
monetary benefit of having paid Plaintiff wages that did not reflect the insufficient efforts taken to protect her information. (Id. ¶¶ 115-116.) Multiple courts have found similar allegations to be the “essence” of an unjust enrichment claim, Kaye, 202 F.3d at 616, which Plaintiff may pursue because Defendant disputes whether a contract exists. See Nakamura, 253 A.D.2d at 390; see also Koeller v. Numrich Gun Parts Corp., No. 22-cv-675, 2023 WL 3591176, at *7 (N.D.N.Y. May 23, 2023); Rudolph, 2019 WL 2023713, at *12. Plaintiff’s allegations are sufficient to plead her unjust enrichment claim in the alternative, and the Court denies Defendant’s Motion as to this claim. d. BIPA Claim The Court next finds that Plaintiff has pled facts sufficient to support her claim under BIPA, which prohibits the disclosure or dissemination of a person’s biometric identifiers or information
without that person’s consent. Plaintiff points to the Notice, where Defendant admits to having possessed the Data Breach victims’ biometric information. (See Notice; Compl. ¶ 127.) Plaintiff next alleges that her biometric information was accessed by criminals in the Data Breach, which was caused by Defendant’s failure to: (1) implement reasonable safeguards to protect her information; and (2) adhere to BIPA’s legal requirements. (Compl. ¶ 128.) These allegations are sufficient to support Plaintiff’s BIPA claim. As multiple Illinois federal courts have found, a BIPA plaintiff may defeat a Rule 12(b)(6) motion without providing detailed factual allegations regarding a defendant’s failure to implement safety measures. See Heard v. Becton, Dickinson & Co., 524 F. Supp. 3d 831, 843 (N.D. Ill. 2021) (denying motion to dismiss BIPA claim where plaintiff alleged that defendant disseminated biometric data to third- party data centers, finding that plaintiff did not need to identify those third parties by name); Wordlaw v. Enter. Leasing Co. of Chicago, LLC, No. 20-cv-3200, 2020 WL 7490414, at *4 (N.D. Ill. Dec. 21, 2020) (same). As Plaintiff has properly pled facts to defeat Defendant’s Motion as to
her BIPA claim, Defendant’s Rule 12(b)(6) motion is granted in part and denied in part. 3. Defendant’s Rule 23(d)(1)(D) Motion Defendant next seeks to strike Plaintiff’s class allegations pursuant to Rule 23(d)(1)(D) and argues that these allegations are defective and must be stricken as pled. Motions to strike class allegations may be granted where the inquiry “would not mirror the class certification inquiry and if the resolution of the motion is clear.” Duran v. Henkel of Am., Inc., 450 F. Supp. 3d 337, 357 (S.D.N.Y. 2020) (quoting Talarico, 367 F. Supp. 3d at 172). Here, Defendant’s arguments are properly resolved at the class certification stage. To the extent Defendant posits that some members of the proposed class and subclass may prove not to have Article III standing, that question is appropriately addressed at the class certification stage, where, with the benefit of
discovery, the Court may better address class-wide Article III concerns. See Gill v. Natl. Football League, No. 21-cv-1032, 2021 WL 5087900, at *8 (S.D.N.Y. Nov. 2, 2021). Any concern that individual issues may predominate is also better suited to be litigated at class certification. See Haley v. Tchrs. Ins. & Annuity Assoc. of Am., 377 F. Supp. 3d 250, 273 (S.D.N.Y. 2019) (denying as premature motion to strike when it challenged typicality and predominance); Greene v. Gerber Prods. Co., 262 F. Supp. 3d 38, 52 (E.D.N.Y. 2017) (The “determination of whether the Rule 23 requirements are met is more properly deferred to the class certification stage, when a more complete factual record can aid the Court in making this determination.”). At this early, pre-discovery stage, it is not clear whether or to what extent Plaintiff’s Rule 23 class or subclass could be certified. Accordingly, Defendant’s motion to strike is denied without prejudice to reassertion, if appropriate, at the class certification stage. III. CONCLUSION For the foregoing reasons, the Court finds that Plaintiff has sufficiently pled facts to support
her claims for: (1) negligence; (2) breach of an implied contract; (3) unjust enrichment; (4) declaratory and injunctive relief; and (5) violation of BIPA. Accordingly, the Court grants Defendant’s Motion in part and denies it in part. Plaintiff’s negligence per se is dismissed with prejudice, but her remaining claims shall be litigated before this Court.
SO ORDERED. Dated: August 22, 2023 Central Islip, New York /s/ (JMA) JOAN M. AZRACK UNITED STATES DISTRICT JUDGE