671 F. Supp. 2d 1046 | E.D. Mo. | 2009
John AMBURGY, Plaintiff,
v.
EXPRESS SCRIPTS, INC.,[1] Defendant.
United States District Court, E.D. Missouri, Eastern Division.
*1048 Burton H. Finkelstein, Duvall Foundry, Karen J. Marcus, Mila F. Bartos, Shiva Sharifahmadian, Finkelstein and Thompson, Washington, DC, Gary A. Growe, Growe and Eisen, St. Louis, MO, for Plaintiff.
Joseph P. Conran, James F. Monafo, Thomas M. Dee, Husch Blackwell Sanders, LLP, St. Louis, MO, for Defendant.
MEMORANDUM AND ORDER
FREDERICK R. BUCKLES, United States Magistrate Judge.
Presently pending before the Court is defendant Express Scripts, Inc.'s Motion to Dismiss (Doc. # 12). All matters are pending before the undersigned United States Magistrate Judge, with consent of the parties, pursuant to 28 U.S.C. § 636(c).
Plaintiff John Amburgy brings this action on behalf of himself, and all others *1049 similarly situated,[2] alleging that defendant Express Scripts, Inc.'s (Express Scripts') inadequate security measures in relation to its computerized database system allowed unauthorized persons to gain access to confidential information of Express Scripts members contained in the database, with such information including names, dates of birth, Social Security numbers, and prescription information. Plaintiff claims that the unauthorized persons who committed the act informed Express Scripts in October 2008 of their breach of the system and threatened that they would make public the confidential information obtained through the breach if Express Scripts did not pay a certain amount of money to them. Plaintiff claims that Express Scripts notified its members of this security breach in November 2008 with a notice posted on its website, and that Express Scripts notified by personal letter those persons whose confidential information had been identified in the extortion letter.[3] Plaintiff claims that as a result of Express Scripts' failure to maintain adequate security measures to protect against the theft of such confidential information, plaintiff and other Express Scripts members have been placed "at an increased risk of becoming victims of identity theft crimes, fraud, abuse, and extortion." (Pltf.'s Compl. at para. 3.) Plaintiff also claims that he and other members "have spent (or will need to spend) considerable time and money to protect themselves" as a result of Express Scripts' conduct. (Id.) Finally, plaintiff contends that millions of Express Scripts members, including plaintiff,
have had their Confidential Information compromised, their privacy invaded, have been deprived of the exclusive use and control of their proprietary prescription information, have incurred costs of time and money to consistently monitor their credit card accounts, credit reports, prescription accounts, and other financial information in order to protect their Confidential Information, and have otherwise suffered economic damages.
(Id. at para. 4.)
In his five-count Complaint brought under the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d), plaintiff claims Express Scripts' actions constituted negligence, breach of contract with respect to third-party beneficiaries, breach of implied contract, violations of "data breach notification laws" of various States, and violations of Missouri's Merchandising Practices Act.
Defendant Express Scripts seeks to dismiss plaintiff's action, arguing that this Court lacks subject matter jurisdiction over the cause inasmuch as plaintiff does not have standing to pursue the claims, and, further, that the Complaint fails to state a claim upon which relief can be granted. Plaintiff has responded to the motion to which defendant has replied. The Court will address each of defendant's arguments in turn.
A. Subject Matter Jurisdiction
Article III, § 2 of the United States Constitution limits federal jurisdiction to actual cases and controversies. The "threshold requirement" imposed by Article III is that those who seek to invoke the power of federal courts must allege an actual case or controversy. O'Shea v. Littleton, 414 U.S. 488, 494, 94 S. Ct. 669, 38 *1050 L.Ed.2d 674 (1974) (citing Flast v. Cohen, 392 U.S. 83, 94-101, 88 S. Ct. 1942, 20 L. Ed. 2d 947 (1968); Jenkins v. McKeithen, 395 U.S. 411, 421-425, 89 S. Ct. 1843, 23 L. Ed. 2d 404 (1969) (opinion of Marshall, J.)). As such, a plaintiff in federal court must "`allege some threatened or actual injury resulting from the putatively illegal action before a federal court may assume jurisdiction.'" Id. (quoting Linda R.S. v. Richard D., 410 U.S. 614, 617, 93 S. Ct. 1146, 35 L. Ed. 2d 536 (1973)). In class action litigation, the named plaintiff purporting to represent a class must establish that he, personally, has standing to bring the cause of action. If the named plaintiff cannot maintain the action on his own behalf, he may not seek such relief on behalf of the class. Id.; Hall v. Lhaco, Inc., 140 F.3d 1190, 1196-97 (8th Cir.1998).
To show Article III standing, a plaintiff has the burden of proving: (1) that he suffered an "injury-in-fact," (2) that a causal relationship exists between the injury and the challenged conduct, and (3) that the injury likely will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S. Ct. 2130, 119 L. Ed. 2d 351 (1992); Steger v. Franco, Inc., 228 F.3d 889, 892 (8th Cir. 2000). Abstract injury is not enough to demonstrate injury-in-fact. Plaintiff must allege that he has sustained or is in immediate danger of sustaining some direct injury as a result of the challenged conduct. O'Shea, 414 U.S. at 494, 94 S. Ct. 669 (citing Massachusetts v. Mellon, 262 U.S. 447, 488, 43 S. Ct. 597, 67 L. Ed. 1078 (1923)). The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical. Id. (citing Golden v. Zwickler, 394 U.S. 103, 109-10, 89 S. Ct. 956, 22 L. Ed. 2d 113 (1969); Maryland Cas. Co. v. Pacific Coal & Oil Co., 312 U.S. 270, 273, 61 S. Ct. 510, 85 L. Ed. 826 (1941); United Pub. Workers v. Mitchell, 330 U.S. 75, 89-91, 67 S. Ct. 556, 91 L. Ed. 754 (1947)). See also Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81, 120 S. Ct. 693, 145 L. Ed. 2d 610 (2000).
Here, defendant argues that plaintiff cannot demonstrate injury-in-fact inasmuch as he alleges only a possibility of having had his confidential information stolen and thus does not allege that his information has in fact been stolen, published or used in such a way so as to cause him damage either presently or in the future. Defendant also contends that plaintiff's claim of an "increased risk of harm" fails to meet the threshold requirement that the injury be actual or imminent, concrete and not hypothetical. For the following reasons, defendant's argument is well taken.
Database breaches appear to provide the basis for a new breed of lawsuits, and especially class action lawsuits, in which plaintiffs allege, as here, that the database handlers' negligence in developing and maintaining security measures have resulted in otherwise personal and confidential information being compromised, thereby increasing the risk of identity theft for those individuals whose information was so compromised. The remedies sought in these actions vary, but generally include costs for credit monitoring, costs for closing and opening financial accounts, and damages for emotional distress. Whether individuals have Article III standing to bring these lawsuits in federal court is a question that has been raised in many venues, to which divergent answers have been given. Indeed, the various district courts that have addressed this issue are nearly split in their decisions.[4]
*1051 Although the Eighth Circuit Court of Appeals has not yet spoken on this precise issue, one circuit court has addressed the matter and found standing to be present in such circumstances. In Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir.2007), the Seventh Circuit addressed its jurisdiction sua sponte, and determined that the plaintiffs' allegation of increased risk of identity theft was sufficient to confer standing, despite plaintiffs' failure to allege any completed financial loss to their accounts or that they had in fact been the victim of identity theft as a result of the security breach. The court stated that standing was nevertheless present in the circumstances, finding that "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions." Id. at 634. In reaching this conclusion, the court relied on cases from the Second and Sixth Circuits, which addressed increased risk of future medical injury; and from the Fourth and Ninth Circuits, which addressed increased risk of future environmental injury. See id. at 634 n. 3. Other than citing these cases, the court engaged in no discussion applying the Supreme Court's recognized standard for determining whether the plaintiffs in the database breach case had standing under Article III of the United States Constitution.
Subsequent to the Seventh Circuit's decision in Pisciotta, district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing to those persons bringing such claims.[5] Indeed, the District of Connecticut noted that "[t]he recent trend, in `lost data cases,' as exemplified by Pisciotta..., seems to be in favor of finding subject matter jurisdiction." McLoughlin v. People's United Bank, Inc., No. 3:08-cv-00944 (VLB), 2009 WL 2843269, at *4 (D.Conn. Aug. 31, 2009) (citing cases). However, because the requirement of standing is firmly rooted in the Constitution and is not subject to whim, the undersigned is reluctant to look to a "recent trend" when analyzing whether or not a party has standing to sue in federal court.
In Whitmore v. Arkansas, 495 U.S. 149, 110 S. Ct. 1717, 109 L. Ed. 2d 135 (1990), the United States Supreme Court addressed a petitioner's plea to relax application of standing principles in his case given the uniqueness of the subject matter (the death penalty) and society's interest therein:
The short answer to this suggestion is that the requirement of an Art. III "case or controversy" is not merely a traditional "rule of practice," but rather is imposed directly by the Constitution. It is not for this Court to employ untethered notions of what might be good public policy to expand our jurisdiction in an appealing case.
Id. at 161, 110 S. Ct. 1717.
The Supreme Court cautioned that restraint in addressing the underlying merits *1052 of the case is necessary "when the matter at issue is the constitutional source of the federal judicial power itself." Id. at 161, 110 S. Ct. 1717; see also id. at 155, 110 S. Ct. 1717 (court must put aside the merits of petitioner's underlying challenge and "consider whether he has established the existence of a `case or controversy.'"). So must this Court exercise such restraint here.
The Supreme Court has unequivocally stated that, to be an injury-in-fact, the asserted injury must be actual or imminent, which has been described by the Supreme Court as certainly impending and immediate not remote, speculative, conjectural, or hypothetical. See Lujan, 504 U.S. at 560, 112 S. Ct. 2130 ("actual or imminent"); DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 345, 126 S. Ct. 1854, 164 L. Ed. 2d 589 (2006) ("certainly impending"); Whitmore, 495 U.S. at 155, 110 S. Ct. 1717 ("not conjectural or hypothetical"); ASARCO Inc. v. Kadish, 490 U.S. 605, 615, 109 S. Ct. 2037, 104 L. Ed. 2d 696 (1989) (opinion of Kennedy, J., joined by Rehnquist, C.J., and Stevens and Scalia, JJ.) (not "remote or speculative"); City of Los Angeles v. Lyons, 461 U.S. 95, 102, 103 S. Ct. 1660, 75 L. Ed. 2d 675 (1983) ("immediate"). The Supreme Court has "emphasized repeatedly" that the alleged injury "must be concrete in both a qualitative and temporal sense. The complainant must allege an injury to himself that is distinct and palpable, as opposed to merely abstract, and the alleged harm must be actual or imminent, not conjectural or hypothetical." Whitmore, 495 U.S. at 155, 110 S. Ct. 1717 (internal quotation marks, citations and alteration omitted).
In the instant case, plaintiff appears to concede in response to defendant's Motion to Dismiss that he does not know whether his personal information was compromised in the alleged breach.[6] Plaintiff also appears to concede that there has been no publication of any information allegedly wrongfully obtained, nor any fraudulent or otherwise harmful use of such information.[7] In short, plaintiff does not claim that his personal information has in fact been stolen and/or his identity compromised. Rather, plaintiff surmises that, as a result of the security breach, he faces an increased risk of identify theft at an unknown point in the future. On the facts as alleged in the Complaint, it cannot be said that the alleged injury to plaintiff is imminent. Plaintiff has not been identified as one of the individuals whose personal information has been compromised and/or obtained. Nor can anyone say if and/or when any confidential information of persons unknown may be fraudulently used. For any particular individual, including plaintiff, the likelihood of such an occurrence is speculative, and the time when any such occurrence would come to pass (if ever) is entirely uncertain. Where the timing and type of injury cannot be determined, such abstract injuries do not provide the injury-in-fact required for Article III standing. Johnson v. State of Mo., 142 F.3d 1087, 1089-90 (8th Cir.1998). "Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes that the injury is certainly impending." Lujan, 504 U.S. at *1053 565 n. 2, 112 S. Ct. 2130 (internal quotation marks omitted) (emphasis in Lujan). In Whitmore, the Supreme Court summarized its case law and unconditionally stated, "[W]e have said many times before and reiterate today: Allegations of possible future injury do not satisfy the requirements of Art. III. A threatened injury must be certainly impending to constitute injury in fact." 495 U.S. at 158, 110 S. Ct. 1717 (internal quotation marks omitted).
For plaintiff to suffer the injury and harm he alleges here, many "if's" would have to come to pass. Assuming plaintiff's allegation of security breach to be true, plaintiff alleges that he would be injured "if" his personal information was compromised, and "if" such information was obtained by an unauthorized third party, and "if" his identity was stolen as a result, and "if" the use of his stolen identity caused him harm. These multiple "if's" squarely place plaintiff's claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court's standing doctrine would be meaningless. "[W]ere all purely speculative increased risks deemed injurious, the entire requirement of actual or imminent injury would be rendered moot, because all hypothesized, nonimminent injuries could be dressed up as increased risk of future injury." National Res. Def. Council v. Environmental Prot. Agency, 464 F.3d 1, 6 (D.C.Cir.2006) (internal quotation marks and citation omitted).
Accordingly, in the circumstances of this case, plaintiff's asserted claim of "increased-risk-of-harm" fails to meet the constitutional requirement that a plaintiff demonstrate harm that is "actual or imminent, not conjectural or hypothetical." Lujan, 504 U.S. at 560, 112 S. Ct. 2130 (internal quotation marks omitted). Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit under Article III, because he cannot show that he has suffered or will immediately suffer a concrete injury-in-fact.
B. Failure to State a Claim
In the alternative, defendant argues that if plaintiff's assertion of increased risk of future injury is sufficient to confer standing to bring the instant cause of action, the Complaint should nevertheless be dismissed under Fed.R.Civ.P. 12(b)(6) for failure to state a claim.
When reviewing a motion to dismiss under Rule 12(b)(6), the Court must accept as true all factual allegations contained in the Complaint, and review the Complaint to determine whether its allegations show the pleader to be entitled to relief. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 127 S. Ct. 1955, 1964-65, 167 L. Ed. 2d 929 (2007); Fed.R.Civ.P. 8(a)(2). The purpose of a motion to dismiss for failure to state a claim is to test the legal sufficiency of the Complaint. A Complaint must be dismissed under Rule 12(b)(6) if it does not plead "enough facts to state a claim to relief that is plausible on its face." Twombly, 127 S.Ct. at 1974 (abrogating the traditional 12(b)(6) "no set of facts" standard set forth in Conley v. Gibson, 355 U.S. 41, 45-46, 78 S. Ct. 99, 2 L. Ed. 2d 80 (1957)). While the Complaint need not provide specific facts in support of the claims contained therein, Erickson v. Pardus, 551 U.S. 89, 127 S. Ct. 2197, 2200, 167 L. Ed. 2d 1081 (2007) (per curiam), it "must include sufficient factual information to provide the `grounds' on which the claim rests, and to raise a right to relief above a speculative level." Schaaf v. Residential Funding Corp., 517 F.3d 544, 549 (8th Cir.2008) (citing Twombly, 127 S.Ct. at 1964-65 & n. 3). This obligation requires a plaintiff to *1054 plead "more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Twombly, 127 S.Ct. at 1965.
In Gregory v. Dillard's, Inc., 565 F.3d 464 (8th Cir.2009), the Eighth Circuit recently elaborated on the standard enunciated in Twombly when addressing a motion to dismiss under Rule 12(b)(6):
After Twombly, we have said that a plaintiff "must assert facts that affirmatively and plausibly suggest that the pleader has the right he claims ..., rather than facts that are merely consistent with such a right." Stalley v. Catholic Health Initiatives, 509 F.3d 517, 521 (8th Cir.2007); see Wilkerson v. New Media Tech. Charter Sch., 522 F.3d 315, 321-22 (3d Cir.2008). While a plaintiff need not set forth "detailed factual allegations," Twombly, 127 S.Ct. at 1964, or "specific facts" that describe the evidence to be presented, Erickson v. Pardus, 551 U.S. 89, 127 S. Ct. 2197, 2200, 167 L. Ed. 2d 1081 (2007) (per curiam), the complaint must include sufficient factual allegations to provide the grounds on which the claim rests. Twombly, 127 S.Ct. at 1965 n. 3. A district court, therefore, is not required "to divine the litigant's intent and create claims that are not clearly raised," Bediako [v. Stein Mart, Inc., 354 F.3d 835, 840 (8th Cir.2004)], and it need not "conjure up unpled allegations" to save a complaint. Rios v. City of Del Rio, 444 F.3d 417, 421 (5th Cir.2006) (internal quotation omitted).
Gregory, 565 F.3d at 473.
Against this backdrop, the undersigned turns to each of plaintiff's claims to determine whether they state a claim upon which relief can be granted.
1. Negligence
In Count I of his Complaint, plaintiff alleges that defendant was negligent in its failure to properly secure its computerized database system thereby rendering the system vulnerable to a security breach and, further, was negligent in its failure to timely disclose the alleged breach so that plaintiff and others affected could take appropriate protective measures. Defendant argues that plaintiff's claim fails to state a claim for relief inasmuch as plaintiff fails to allege a compensable injury resulting in damage.
To establish a claim for negligence in Missouri, the plaintiff must demonstrate:
(1) [a] legal duty on the part of the defendant to conform to a certain standard of conduct to protect others against unreasonable risks; (2) a breach of that duty; (3) a proximate cause between the conduct and the resulting injury; and (4) actual damages to the [plaintiff's] person or property.
Hoover's Dairy, Inc. v. Mid-America Dairymen, Inc./Special Prods., Inc., 700 S.W.2d 426, 431 (Mo. banc 1985); see also Horn v. B.A.S.S., 92 F.3d 609, 611 (8th Cir.1996); Sill v. Burlington N. R.R., 87 S.W.3d 386, 391 n. 5 (Mo.Ct.App.2002). Plaintiff claims that the increased risk of identity theft, the time spent to monitor credit and other accounts, the loss and compromise of his personal information, the loss of exclusive control over such information, and the invasion of his privacy constitute injuries from which he has been damaged by spending "significant amounts of time monitoring his credit and medical information." (Pltf.'s Oppos., Doc. # 19 at 19.) As argued by defendant, plaintiff fails to allege a compensable injury.
Tort recovery requires not only wrongful acts plus causation reaching to the *1055 plaintiff, but proof of some harm for which damages can be reasonably assessed. Doe v. Chao, 540 U.S. 614, 621, 124 S. Ct. 1204, 157 L. Ed. 2d 1122 (2004). General damages may be recovered for privacy torts without proof of pecuniary loss or physical harm, id. at 621 & n. 3, 124 S. Ct. 1204, but the plaintiff here brings his claim in negligence. Negligence is a tort separate from the tort of invasion of privacy. Hyde v. City of Columbia, 637 S.W.2d 251, 264 (Mo.Ct.App.1982). "The right of privacy remedy protects personal sensibility from public disclosure of private facts and from the appropriation of the likeness or name. The negligence remedy extends to protect against invasion of bodily security even to life itself." Id. at 267 (internal citations omitted). As discussed supra at Section A, the nature of plaintiff's claimed harm is speculative. Damages cannot reasonably be assessed for a hypothetical harm which may (or may not) come to plaintiff in the future. Nor can plaintiff recover damages for emotional distress inasmuch as he does not allege that he suffers any medically diagnosed condition that resulted from defendant's negligent act. See State ex rel. Dean v. Cunningham, 182 S.W.3d 561, 568 (Mo. banc 2006).
Because the Complaint fails to plead harm resulting in compensable damage to plaintiff, plaintiff's claim of negligence must be dismissed for failure to state a claim.
To the extent plaintiff claims that defendant was negligent in failing to provide adequate and timely notice of the alleged security breach to its members, the undersigned notes that the Missouri legislature recently enacted a data breach notification law, codified at Mo.Rev.Stat. § 407.1500. A review of the statute, however, shows the Missouri Attorney General to have exclusive authority in bringing claims against data handlers for a violation of the notice requirements. Mo.Rev.Stat. § 407.1500.4. Nevertheless, at the time of the alleged breach, there existed no cause of action for the claim plaintiff now raises, in negligence or otherwise. Nor does there currently exist a private cause of action which may be brought by a person allegedly aggrieved by such a breach. The Court will not create a claim where one does not exist. See Gregory, 565 F.3d at 473.
Accordingly, plaintiff's Complaint fails to state a claim of negligence upon which relief may be granted, and Count I of the Complaint is therefore subject to dismissal pursuant to Fed.R.Civ.P. 12(b)(6).
2. Breach of Contract
In Counts II and III of the Complaint, plaintiff claims that defendant's failure to properly secure its computerized database system, and the subsequent breach in security, constituted a breach of third party beneficiary contract and a breach of implied contract. Defendant contends that the claims fail to state a claim upon which relief may be granted inasmuch as plaintiff has failed to plead the existence of damages arising out of the alleged breach of contract.
The elements of a breach of contract claim under Missouri law are: "`(1) a contract between the plaintiff and the defendant; (2) rights of the plaintiff and obligations of the defendant under the contract; (3) breach of the contract by the defendant; and (4) damages suffered by the plaintiff.'" Teets v. American Family Mut. Ins. Co., 272 S.W.3d 455, 461 (Mo.Ct. App.2008) (quoting Howe v. ALD Servs., Inc., 941 S.W.2d 645, 650 (Mo.Ct.App. 1997)). To state a claim for breach of contract, however, a plaintiff need only plead facts sufficient to demonstrate the existence of a valid contract and its breach. Brion v. Vigilant Ins. Co., 651 S.W.2d 183, *1056 185 (Mo.Ct.App.1983). Such averments are sufficient to state a claim for at least nominal damages. Id.; see also Shirley's Realty, Inc. v. Hunt, 160 S.W.3d 804, 808 (Mo.Ct.App.2005) (inability to prove actual damages does not negate the element of damages on breach of contract claim). But see Scher v. Sindel, 837 S.W.2d 350, 354 (Mo.Ct.App.1992) (A plaintiff's bare assertion that he is entitled to recover damages is "wholly insufficient as pleading the requisite element of damages.").
Here, defendant does not challenge the existence of valid contract(s) or the alleged breach thereof. Instead, defendant challenges only plaintiff's claim of damages, arguing only that such averred damages are not recoverable in a breach of contract action. Under Missouri law, however, plaintiff's allegations are sufficient at this stage of the proceedings to state a claim for breach of contract. See Brion, 651 S.W.2d at 185. As such, the claims should not be dismissed under Rule 12(b)(6) on the sole basis of lack of recoverable damages as urged by defendant. The claims are subject to dismissal, however, for lack of subject matter jurisdiction under Fed. R.Civ.P. 12(b)(1), inasmuch as plaintiff lacks standing to bring the claims. See discussion supra at Section A.
3. Other States' Database Breach Statutes
In Count IV of his Complaint, plaintiff claims that the defendant's failure to timely disclose the database breach violated relevant statutes from the States of California, Delaware, District of Columbia, Hawaii, Illinois, Louisiana, Maryland, North Carolina, Rhode Island, Tennessee, and Washington. Plaintiff avers that the laws of these States provide for affected consumers to recover from organizations who fail to promptly notify them of a data breach. Defendant argues that plaintiff is unable to bring such a claim inasmuch as the claim brought by himself, a Missouri resident, against another Missouri resident is governed by Missouri law. In response, plaintiff contends that because other putative class members may be residents of these other States, the claim survives as to the class.
Since a class representative must be part of the class, a named plaintiff cannot represent the class if his claim is properly dismissed. Alpern v. UtiliCorp United, Inc., 84 F.3d 1525, 1540 n. 8 (8th Cir.1996); see also Hall, 140 F.3d at 1197. As such, the Court must examine whether plaintiff, himself, can pursue the claim upon which he seeks relief for the proposed class. Hall, 140 F.3d at 1197, 1198; Great Rivers Co-op. of Southeastern Iowa v. Farmland Indus., Inc., 120 F.3d 893, 899 (8th Cir.1997) (proper to dismiss claim as to entire class where claim fails as to the only named plaintiff). Whether the question is first determined on a motion for class certification or other motion for dispositive relief is of no instance. See Hall, 140 F.3d at 1197.
As discussed supra at Section B.1, at the time of the alleged breach, and at the institution of this lawsuit, Missouri law provided no cause of action upon which a person could recover against an organization for its failure to timely disclose a database security breach. To the extent the Missouri legislature has subsequently enacted a data breach notification law, Mo. Rev.Stat. § 407.1500, such legislation nevertheless did not create a private cause of action. Instead, the Missouri Attorney General has exclusive authority in bringing claims against data handlers for a violation of the notice requirements. Mo.Rev.Stat. § 407.1500.4. As such, to the extent plaintiff may seek to invoke § 407.1500 in bringing the instant claim, such a private cause of action is not available. To the *1057 extent plaintiff seeks to invoke similar statutes enacted in other States to bring this claim, plaintiff cites no authority, and the Court is aware of none, which permits a Missouri resident to bring a state law claim against another Missouri resident through the invocation of another State's statutes, where such a cause of action does not exist under Missouri law.
Accordingly, Count IV of the Complaint fails to state a claim upon which plaintiff may obtain relief, and, as such, is subject to dismissal pursuant to Fed.R.Civ.P. 12(b)(6).
4. Missouri Merchandising Practices Act
Missouri's Merchandising Practices Act (MMPA), Mo.Rev.Stat. §§ 407.010 et seq., serves as a supplement to the common-law definition of fraud. Zmuda v. Chesterfield Valley Power Sports, Inc., 267 S.W.3d 712, 716 (Mo.Ct. App.2008). Its purpose is to "preserve fundamental honesty, fair play and right dealings in public transactions." Id. As such, under the MMPA, the "act, use or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce ... is declared to be an unlawful practice." Mo.Rev.Stat. § 407.020.1.
Under § 407.025.1, any person "who purchases or leases merchandise" and who "suffers an ascertainable loss of money or property" as the result of an unlawful practice under § 407.020 may bring a private cause of action to recover actual and punitive damages, as well as attorney fees, from any person who has engaged in such an unlawful practice. Huch v. Charter Communications, Inc., 290 S.W.3d 721, 725 (Mo. banc 2009) (quoting Mo.Rev.Stat. § 407.025.1) (emphasis added); see also Walsh v. Al West Chrysler, Inc., 211 S.W.3d 673, 675 (Mo.Ct.App. 2007). A claim of damages for time expended is not sufficiently definite or certain to support a monetary award for an "ascertainable loss" under the MMPA. Walsh, 211 S.W.3d at 675.
The language of the statute is "plain and unambiguous." Ziglin v. Players MH, L.P., 36 S.W.3d 786, 790 (Mo.Ct. App.2001). "A private cause of action is given only to one who purchases and suffers damage. One ... who never ... pays anything of value cannot be said to have suffered damage [under the MMPA] by reason of any unlawful practice." Id. (internal quotation marks and citation omitted). See also In re Geiler, 398 B.R. 661, 671-72 (Bankr.E.D.Mo.2008) (elements of MMPA claim include that alleged unlawful act must occur in connection with sale or advertisement of merchandise in trade or commerce, that unlawful act must result in ascertainable loss of money or property, and loss must occur in relation to purchase or lease of merchandise) (citing Mo.Rev. Stat. §§ 407.020, 407.025).
In Count V of the instant Complaint, plaintiff claims that defendant's failure to employ adequate security measures coupled with its false promises to protect confidential information constituted unlawful and/or unfair practices under the MMPA. Plaintiff does not allege, however, that his loss was in relation to his purchase or lease of any merchandise.[8] Nor does *1058 plaintiff plead an ascertainable loss of money or property which is recoverable under the MMPA. Inasmuch as plaintiff's MMPA claim fails to plead that plaintiff paid anything of value for the purchase or lease of merchandise, and further fails to plead an ascertainable loss of money or property by reason of any unlawful practice, Count V of plaintiff's Complaint fails to state a claim upon which relief may be granted, and is subject to dismissal pursuant to Fed.R.Civ.P. 12(b)(6).
C. Conclusion
For the reasons set out above, Counts I, IV and V of plaintiff's Complaint are subject to dismissal under Fed.R.Civ.P. 12(b)(6) for failure to state a claim upon which plaintiff could obtain relief. However, because plaintiff lacks standing to bring this cause of action, the Complaint is dismissed in its entirety pursuant to Fed. R.Civ.P. 12(b)(1) for lack of subject matter jurisdiction.
Therefore,
IT IS HEREBY ORDERED that defendant Express Scripts, Inc.'s Motion to Dismiss (Doc. # 12) is granted and this cause is dismissed in its entirety pursuant to Fed.R.Civ.P. 12(b)(1) for lack of subject matter jurisdiction.
A separate Judgment shall be entered accordingly.
NOTES
[1] The Complaint also includes nine "Does" as defendants in the cause. Upon plaintiff's motion, these Doe defendants were dismissed from the case without prejudice in accordance with Fed.R.Civ.P. 41(a)(1)(A)(i). (See Order entered Oct. 13, 2009/Doc. # 49.)
[2] The matter of class certification has not yet been determined in this cause.
[3] Plaintiff avers that in the extortion letter, the extortionists included information pertaining to approximately seventy-five individuals, but also claimed that they had similar information on millions of Express Scripts members.
[4] Compare, e.g., Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1 (D.D.C.2007); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D.Ohio 2006); Bell v. Acxiom Corp., No. 4:06CV00485-WRW, 2006 WL 2850042 (E.D.Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, No. 06-476(JBS), 2006 WL 2177036 (D.N.J. July 31, 2006) (no standing), with, e.g., Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D.Cal.2009); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273 (S.D.N.Y.2008); McLoughlin v. People's United Bank, Inc., No. 3:08-cv-00944 (VLB), 2009 WL 2843269 (D.Conn. Aug. 31, 2009) (standing).
[5] Notably, and as relevant infra, such claims have nevertheless been dismissed under Fed. R.Civ.P. 12(b)(6) for failure to state a claim.
[6] See, e.g., Pltf.'s Oppos., Doc. # 19 at p. 15 (whether plaintiff's personal information is in the hands of criminals and may be used unlawfully is a question of fact); at pp. 20-21 (plaintiff "may very well be" one of those whose information was stolen).
[7] See, e.g., Pltf.'s Oppos., Doc. # 19 at p. 3 (plaintiffs "may suffer" irreversible damage "if" their confidential medical information becomes public).
[8] For purposes of the MMPA, "merchandise" includes intangibles and services. Mo.Rev. Stat. § 407.010(4).