583 F.Supp.3d 570
S.D.N.Y. 2022
Background
- In April 2019 hackers accessed four business email accounts at Mediant, exposing sensitive investor data (names, SSNs, bank/tax info, securities holdings) for ~200,000+ individuals; Mediant discovered the intrusion the same day but delayed customer notice until late May 2019.
- Mediant provided investor communication and proxy services and obtained Plaintiffs’ data while performing services for funds/issuers; Donnelley and Mediant marketed themselves as a joint, single-source proxy solution.
- Plaintiffs brought a putative class action asserting negligence, negligence per se (FTC Act / GLBA), breach of contract as third-party beneficiaries, unjust enrichment, violations of California CRA and UCL, Florida FDUTPA, and declaratory relief; both defendants moved to dismiss.
- The court held New York law governs Mediant’s negligence claims (tort occurred in NY); Illinois law governs negligence claims as to Donnelley (Donnelley headquartered in Illinois).
- Key rulings: The court denied Mediant’s motion to dismiss the negligence claim and the claim for declaratory relief as to Mediant; it granted Mediant’s motion as to the negligence per se, third-party-beneficiary contract, unjust enrichment, CRA, UCL, and FDUTPA claims; and it granted Donnelley’s motion in full (including dismissal of vicarious liability) because Plaintiffs failed to plead a partnership or duty by Donnelley under Illinois law.
- Court granted Plaintiffs leave to amend dismissed claims and granted narrowly tailored sealing/redaction of a confidential Supplier Agreement.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Partnership / vicarious liability (Donnelley v. Mediant) | Donnelley and Mediant operated as a legal partnership (joint provision of proxy services), so Donnelley is vicariously liable for Mediant’s breach. | No factual pleading of partnership elements (esp. profit/loss sharing); marketing language alone insufficient to create a partnership. | Dismissed — Plaintiffs did not plausibly plead a legal partnership (no allegations of profit/loss sharing or other required indicia). |
| Negligence — Mediant (duty, breach, damages) | Mediant owed a duty to safeguard investor PII, touted its security, failed to implement reasonable safeguards (unencrypted data, deficient controls), delayed notice; mitigation expenses and increased risk suffice as damages. | Mediant argued no duty to non-customers (invoking bank-noncustomer precedent) and contested injury for mitigation costs. | Denied dismissal — Plaintiffs plausibly alleged that Mediant owed a duty and breached it, and that Plaintiffs suffered cognizable damages (substantial risk of identity theft and mitigation expenses). |
| Negligence — Donnelley (duty/choice-of-law/economic loss) | Donnelley failed to supervise Mediant and breached duty to protect investor data; New York law likely applies. | Illinois (Donnelley’s HQ) applies; Illinois courts decline to recognize common-law duty to safeguard PII (Cooney); economic loss doctrine bars purely economic negligence. | Granted dismissal — Illinois law applies and, under existing Illinois authority, Donnelley owed no common-law duty to protect Plaintiffs’ PII; negligence claim dismissed. |
| Statutory / consumer claims (negligence per se under FTCA/GLBA; CRA, UCL, FDUTPA) | Plaintiffs invoke FTC Section 5 (negligence per se), GLBA duties, CRA (customer-based), UCL (unfair business practices), FDUTPA. | Defendants: FTCA has no private right of action; GLBA/FTC/other statutes do not create negligence-per-se or strict-liability torts here; CRA requires plaintiff to be a business ‘customer’; UCL/FDUTPA not applicable extraterritorially or without in-state conduct. | Mostly granted dismissal — negligence per se claims dismissed (no private right/strict-liability basis); CRA claim dismissed (plaintiff not a statutory ‘customer’); UCL dismissed for extraterritoriality (no California conduct by defendants); FDUTPA dismissed (no Florida-based wrongful acts alleged). Declaratory relief survives as to Mediant (because negligence survives) but not as to Donnelley. |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading-rule standard: legal conclusions vs. factual allegations)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for surviving Rule 12(b)(6))
- Brown v. Cara, 420 F.3d 148 (2d Cir. 2005) (partnership/joint venture indicia and analysis)
- Steinbeck v. Gerosa, 4 N.Y.2d 302 (N.Y. 1958) (requirement that parties agree to share profits/losses for partnership/joint venture)
- McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021) (substantial risk of identity theft: mitigation costs can constitute injury)
- In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42 (D.C. Cir. 2019) (data-breach injuries and remediation costs as cognizable harms)
- Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017) (denying dismissal of negligence claim in data-breach context; mitigation expenses as damages)
