Angus v. Flagstar Bank, FSB
2:21-cv-10657
E.D. Mich.Mar 27, 2025Background
- Plaintiffs, customers and employees of Flagstar Bank, allege a massive data breach occurred due to Flagstar’s use of outdated Accellion file transfer platform, compromising over 1.4 million individuals' PII (personally identifiable information).
- The breach resulted in PII being posted on the dark web.
- Plaintiffs allege the breach was foreseeable given that Flagstar received warnings to discontinue the platform and did not act.
- Plaintiffs assert a variety of state law claims (both statutory and common law) based on the alleged mishandling and insufficient protection of their PII.
- Flagstar moved to dismiss the Fourth Amended Complaint, raising issues under Rule 12(b)(6).
- The District Court ruled on some issues orally and others via this written order, granting some parts of the motion to dismiss and denying others.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Negligence claim | Flagstar acted recklessly in protecting PII | No duty or insufficient allegations supporting negligence | Dismissed |
| Breach of implied-in-fact contract | Reasonable expectation of data security protections | No enforceable contract or no breach | Not dismissed |
| Invasion of privacy (intrusion upon seclusion) | Inadequate security is an intrusion | No intentional intrusion was alleged | Dismissed (intrusion part) |
| Invasion of privacy (public disclosure of facts) | Reckless conduct sufficient for intent | Required intent and public disclosure not adequately alleged | Not dismissed (public disclosure part) |
| Breach of confidence | Mishandling of sensitive data | No claim for breach of confidence under facts alleged | Not dismissed |
| Unjust enrichment | Flagstar improperly benefitted from PII | Plaintiffs did not confer a direct benefit | Dismissed |
| Michigan Consumer Protection Act | Misrepresentation and omission of material fact | Lack of reliance and actionable misrepresentation/omission | Dismissed |
| New Jersey Consumer Fraud Act | Unconscionable commercial practices, deception, fraud | No deceptive or fraudulent act in sale/advertisement context | Dismissed |
| Indiana Deceptive Consumer Sales Act | Omissions and misrepresentations induced PII disclosure | No fraudulent intent at time PII was provided; no reliance | Dismissed |
| Pennsylvania UTPCPL | Unfair/deceptive acts in providing mortgages | Plaintiff was forced to use Flagstar; no reliance | Dismissed |
| California UCL, CCPA, CCRA | Statutory violations stemming from data breach | Multiple, complex, under-briefed arguments | Not resolved; parties may re-brief |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (plausibility standard for pleadings under Rule 12(b)(6))
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (requirements for stating a plausible claim)
- Beaumont v. Brown, 257 N.W.2d 522 (public disclosure to a "particular public" may suffice for privacy tort)
- Cox v. Sears Roebuck & Co., 647 A.2d 454 (NJCFA to be construed liberally, but limited to advertising/sales)
- D’Agostino v. Maldonado, 78 A.3d 527 (NJCFA aimed at deceptive sales practices)
- Dix v. American Bankers Life Assurance Co. of Florida, 415 N.W.2d 206 (actual reliance needed for named plaintiffs under MCPA)
- Gennari v. Weichert Co. Realtors, 672 A.2d 1190 (scope of the NJCFA protection)
- Roberts v. Auto-Owners Ins. Co., 374 N.W.2d 905 (recklessness can establish intent in some intentional torts)
- Bradley v. Saranac Cmty. Schs. Bd. of Educ., 565 N.W.3d 650 (definition of actionable public disclosure)