Case Information
UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION
PHILIP ANGUS, et al. ,
Plaintiffs, Case No. 21-cv-10657 Hon. Matthew F. Leitman v.
FLAGSTAR BANK, FSB,
Defendant. __________________________________________________________________/
ORDER (1) GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO DISMISS THE FOURTH CONSOLIDATED CLASS ACTION COMPLAINT (ECF No. 94) AND (2) GRANTING DEFENDANT LEAVE TO FILE A RENEWED MOTION TO DISMISS PLAINTIFFS’ CALIFORNIA STATUTORY CLAIMS
This putative class action arises out of a data breach of Defendant Flagstar Bank, N.A.’s [1] file sharing platform on January 21, 2021. ( See Fourth Am. Compl., ECF No. 88.) Plaintiffs are customers and employees of Flagstar who reside in various states. They allege, generally, that as a result of the breach, “cyber criminals” “exfiltrated a massive number of unencrypted documents from Flagstar’s system reflecting the [personally identifiable information] of over 1.4 million people,” including Plaintiffs. ( Id. at ¶ 50, PageID.1514.) Personally identifiable information (“PII”) of Flagstar employees and consumers was then posted on the “dark web.” ( Id. at ¶¶ 53-60, PageID.1515-1520.)
Plaintiffs claim that the data breach was due to Flagstar’s continued use of “a near-obsolete file sharing platform” licensed by Accellion, Inc. (the “FTA platform”). ( Id. at ¶ 3, ECF No. 88, PageID.1490.) They further claim that at the time of the data breach, Flagstar knew or should have known that “continued use of the FTA [platform] was highly dangerous for its customers’ data” and that Flagstar had been advised to discontinue use of that platform. ( Id. at ¶ 4, PageID.1490-1491.) They say that the data breach was a “foreseeable consequence of Flagstar’s reckless treatment of Plaintiffs’ PII[.]” ( Id. at ¶ 5, PageID.1491.)
The currently operative Complaint is Plaintiffs’ Fourth Amended Complaint. In that pleading, Plaintiffs bring claims on behalf of themselves and putative class members under Michigan common law and under the consumer protection statutes of their respective states. ( See generally id. )
Now before the Court is Flagstar’s motion to dismiss Plaintiffs’ Fourth Amended Complaint. ( See Mot. to Dismiss, ECF No. 94.) The Court held a hearing on Flagstar’s motion on February 12, 2025. During that hearing, the Court announced oral rulings with respect to some portions of the motion to dismiss and took other aspects of the motion under advisement. This order memorializes the rulings announced on the record during the hearing and provides rulings on the remaining portions of the motion that the Court took under advisement at the hearing.
I
The Court begins with the portions of Flagstar’s motion that it ruled on orally at the motion hearing. For the reasons explained on the record during that hearing, those motions are resolved as follows:
Flagstar’s motion to dismiss Plaintiffs’ claim for negligence (Count I of the Fourth Amended Complaint) is GRANTED . That claim is DISMISSED .
Flagstar’s motion to dismiss Plaintiffs’ claims for breach of implied-in- fact contract (Counts II, III) is DENIED .
Flagstar’s motion to dismiss Plaintiffs’ claim for invasion of privacy (Count IV) is GRANTED IN PART . There are two components of Plaintiffs’ invasion of privacy claim: one alleging an intrusion upon Plaintiffs’ seclusion and one alleging public disclosure of private facts. Flagstar’s motion to dismiss the component of the claim based on an intrusion upon seclusion theory is GRANTED and that component of the claim is DISMISSED . At the conclusion of the hearing, the Court took under advisement Flagstar’s motion to dismiss the public disclosure of private facts component of this claim. The Court addresses that component below.
Flagstar’s motion to dismiss Plaintiffs’ claim for breach of confidence (Count V) is DENIED .
Flagstar’s motion to dismiss Plaintiffs’ claim for unjust enrichment (Count VI) is GRANTED . That claim is DISMISSED .
During the hearing, counsel for Plaintiffs indicated to the Court that there was not a basis to proceed on their claim for violations of the Florida Deceptive and Unfair Trade Practices Act, Fla. Stat. § 501.201, et seq. (Count VII), and withdrew that claim. That claim is DISMISSED .
II
Flagstar moves to dismiss Plaintiffs’ claims under Federal Rule of Civil Procedure 12(b)(6). “To survive a motion to dismiss” under Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal , 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 570 (2007)). A claim is facially plausible when a plaintiff pleads factual content that permits a court to reasonably infer that the defendant is liable for the alleged misconduct. See id. When assessing the sufficiency of a plaintiff’s claim, a district court must accept all of a complaint’s factual allegations as true. See Ziegler v. IBP Hog Mkt., Inc. , 249 F.3d 509, 512 (6th Cir. 2001). Mere “conclusions,” however, “are not entitled to the assumption of truth. While legal conclusions can provide the framework of a complaint, they must be supported by factual allegations.” Iqbal , 556 U.S. at 679. A plaintiff must therefore provide “more than labels and conclusions,” or “a formulaic recitation of the elements of a cause of action” to survive a motion to dismiss. Twombly , 550 U.S. at 555. “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal , 556 U.S. at 678.
III
The Court now turns to the portions of Flagstar’s motion that it took under advisement at the motion hearing. It starts with Flagstar’s motion to dismiss the component of Plaintiffs’ invasion of privacy claim that is brought under a theory of public disclosure of private facts (the “Public Disclosure of Private Facts” claim). Flagstar argues this claim fails because Plaintiffs “do not, and cannot, allege that Flagstar intentionally disclosed their PII to a third party, nor that their PII has been disseminated to the public at large.” (Mot., ECF No. 94, PageID.1766.) The Court is not yet persuaded to dismiss the claim on either basis.
A
While Flagstar is correct that public disclosure of private facts is an intentional tort under Michigan law, see Doe v. Henry Ford Health Sys. , 865 N.W.2d 915, 920 (Mich. Ct. App. 2014), Flagstar has not yet demonstrated that Plaintiffs’ allegations of intent are insufficient as a matter of law. Plaintiffs, at a minimum, plausibly allege that Flagstar’s conduct at the time of the data breach was reckless in light of the information available to Flagstar at that time. [2] And Flagstar has not yet persuaded the Court that these allegations of reckless conduct are insufficient to satisfy the intent element of this tort. A leading treatise suggests that, for purposes of this tort, “[r]eckless conduct is often considered the functional equivalent of intentional action.” 1 J. Thomas McCarthy & Roger E. Schechter, The Rights of Publicity and Privacy § 5:82 (2d ed. 2024). Moreover, at least some courts have suggested that recklessness is sufficient to establish the intent requirement in the context of the related privacy tort of intrusion upon seclusion. [3] See McKenzie v. Allconnect, Inc. , 369 F.Supp.3d 810, 819 (E.D. Ky. 2019) (holding, under Kentucky and Utah law, that “[a] defendant’s actions may be intentional when the Defendant acts with such reckless disregard for the privacy of the plaintiff that the actions rise to the level of being an intentional tort.”); Bowen v. Paxton Media Grp., LLC , No. 21-cv-00143, 2022 WL 4110319, at *8 (W.D. Ky. Sept. 8, 2022) (same). Finally, for at least some Michigan intentional torts, recklessness can satisfy the intent element. See , e.g. , Roberts v. Auto-Owners Ins. Co. , 374 N.W.2d 905, 908 (finding “intent or recklessness” sufficient to establish the intent elements for the tort of intentional infliction of emotional distress). For all of these reasons, the Court declines to dismiss Plaintiffs’ Public Disclosure of Private Facts claim on this basis. The Court believes the viability of this claim is best resolved at summary judgment.
B
Flagstar has also not yet convinced the Court that Plaintiffs’ public disclosure of private facts claim fails because Plaintiffs do not allege that Flagstar disclosed their PII to the public at large. The Michigan Supreme Court has rejected the contention that this tort always requires such broad disclosure. See Beaumont v. Brown , 257 N.W.2d 522, 531–32 (Mich. 1977), overruled in part on other grounds , Bradley v. Saranac Cmty. Schs. Bd. of Educ. , 565 N.W.3d 650, 658 (Mich. 1997). In some instances, disclosure to a “particular public,” rather than to the “general public,” may be sufficient if the “particular public[’s] . . . knowledge of the private facts would be embarrassing to the plaintiff[.]” Id . Here, whether the disclosure Plaintiffs allege was to a “particular public” whose knowledge of those facts would embarrass and injure the Plaintiffs is best resolved at summary judgment.
C
For all of these reasons, the Court DENIES Flagstar’s motion to dismiss Plaintiffs’ Public Disclosure of Private Facts claim.
IV
The Court now turns to Plaintiffs’ claims under the consumer protection statutes of their respective states. Plaintiffs’ remaining state statutory claims arise under the consumer protection statutes in Indiana, Michigan, New Jersey, Pennsylvania, and California. The Court will address Flagstar’s arguments with respect to each individual statutory claim in turn. [4]
A
The Court begins with Plaintiff Tania Garcia’s claim in Count VIII of the Fourth Amended Complaint that Flagstar violated the New Jersey Consumer Fraud Act, N.J. Stat. Ann. § 56:8-2, et seq. (the “NJCFA”). Garcia’s claim is expressly based upon the portion of the NJCFA that prohibits using “any commercial practice that is unconscionable or abusive, deception, fraud, false pretense, false promise, misrepresentation, or the knowing concealment, suppression, or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise [.]” (Fourth Am. Compl. at ¶ 441, ECF No. 88, PageID.1633-1634, quoting N.J. Stat. Ann. § 56:8-2 (emphasis added).) Garcia alleges that Flagstar violated these terms of the NJCFA in two ways: (1) by committing the “unconscionable commercial practice” of “failing to use reasonable measures . . . to protect” her PII and (2) committing “deception” and “fraud” that induced her to “choose [Flagstar] when making a decision about who to entrust [her] PII to.” ( Id. at ¶¶ 443, 447, PageID.1634-1635.) The Court concludes that neither of these allegations plausibly states a violation of the portion of the NJCFA under which Garcia brings her claim.
1
Garcia first claims that Flagstar’s failure to take reasonable steps to protect her PII amounted to an actionable “unconscionable commercial practice.” This claim fails because Flagstar’s alleged failure to safeguard Garcia’s PII did not occur in connection with any advertising or sale by Flagstar to Garcia.
While the NJCFA is to be “construed liberally,” Cox v. Sears Roebuck & Co. , 647 A.2d 454, 461 (N.J. 1994), the New Jersey Supreme Court has been “careful to constrain the [language from the NJCFA on which Garcia bases her claim] to ‘fraudulent, deceptive, or other similar kind of selling or advertising practices .’” D’Agostino v. Maldonado , 78 A.3d 527, 540 (N.J. 2013) (emphasis added) (quoting Daaleman v. Elizabethtown Gas Co. , 77 390 A.2d 566 (N.J. 1978)). That is because that portion of the NJCFA “was enacted to protect the public from sharp practices and dealings in the marketing of merchandise . . . which could victimize the public by luring the consumer into a purchase through fraudulent, deceptive, or similar kinds of selling or advertising practices.” Gennari v. Weichert Co. Realtors , 672 A.2d 1190, 1205 (N.J. Super. Ct. App. Div. 1996) (emphasis added).
Here, Flagstar’s alleged failure to safeguard Garcia’s PII did not occur in connection with Flagstar’s efforts to secure Garcia’s business. On the contrary, it occurred after Garcia chose to enter into a transaction with Flagstar and after she entrusted her PII to Flagstar. Given the timing of Flagstar’s alleged failure to protect Garcia’s PII, that failure is insufficient to support her claim under the NJCFA. See DepoLink Court Reporting & Litigation Support Servs. v. Rochman , 64 A.3d 579, 587–88 (N.J. Super. Ct. App. Div. 2013) (finding the provision of the NJCFA under which Garcia brings her claim to be inapplicable to alleged unconscionable practices that occurred after the completion of the transaction between the parties).
2
Garcia’s NJCFA claim also fails to the extent that it rests upon her contention that Flagstar fraudulently induced her to provide her PII. The claim fails because Garcia does not plausibly allege that Flagstar acted with a fraudulent intent when she provided her PII to Flagstar. She alleges that she provided her PII to Flagstar in 2016 when she “obtained a residential mortgage loan” and “set[] up online bill-pay.” (Fourth Am. Compl. at ¶¶ 189-190, ECF No. 88, PageID.1568.) But she does not plead sufficient facts showing that Flagstar acted with a culpable state of mind at that time. Indeed, essentially all of the allegations in the Fourth Amended Complaint that could potentially support an inference that Flagstar acted with a culpable state of mind relate to matters that occurred after 2016 . ( See, e.g., id. at ¶¶ 30, 34, 38, 44- 45, PageID.1502-1503, 1506, 1508-1509, 1511.) Because Garcia has failed to sufficiently plead that Flagstar harbored any fraudulent or dishonest intent at the time she entered into a transaction with Flagstar and provided her PII to Flagstar, she may not proceed with her NJCFA claim to the extent that it rests upon alleged fraud by Flagstar.
3
For all of these reasons, the Court GRANTS Flagstar’s motion to dismiss Garcia’s NJCFA claim.
B
The Court next turns to Plaintiff Edward Burdick’s claim in Count IX of the Fourth Amended Complaint that Flagstar violated the Indiana Deceptive Consumer Sales Act, Ind. Code § 24-5-0.5 (the “IDCSA”). The IDCSA allows a consumer to seek damages where a “supplier” (here, Flagstar) commits an “incurable deceptive act.” Ind. Code § 24-5-0.5-4(a). An “incurable deceptive act” is “a deceptive act done by a supplier as part of a scheme, artifice, or device with intent to defraud or mislead.” Ind. Code § 24-5-0.5-2(a)(8). A claim under the IDCSA requires, among other things, (1) intent to defraud and (2) reliance on the alleged deception. See Shea v. Gen. Motors LLC , 567 F.Supp.3d 1011, 1024 (N.D. Ind. 2021) (“An intent to defraud or mislead is a required element of an incurable deceptive act.”); Crum v. SN Serv. Corp. , No. 19-cv-02045, 2021 WL 3514153, at *4 (S.D. Ind. Aug. 10, 2021) (“[A]n IDCSA claimant must show that he relied on the alleged deception.”). Burdick does not plausibly allege either element. [5]
Burdick claims that he provided his PII to Flagstar when he “obtained a residential mortgage loan” from Flagstar in 2018. (Fourth Am. Compl. at ¶¶ 200- 201, ECF No. 88, PageID.1571.) But Burdick does not plausibly allege that, as of 2018, Flagstar acted with fraudulent intent or with recklessness that could be deemed tantamount to fraudulent intent. Though Burdick alleges that there were some known vulnerabilities in the FTA platform between 2016 and 2020 ( see id. at ¶ 30, PageID.1502-1503), other allegations undercut any plausible claim that Flagstar had sufficient notice of vulnerabilities by 2018 such that it could be deemed to have acted with a culpable state of mind in its dealings with him at that time. For instance, Burdick acknowledges that Accellion was still releasing “security update[s]” for the FTA platform as late as February 2019 ( id. at ¶ 34, PageID.1506) and the FTA platform did not reach “end of life” until November of 2020 ( id. at ¶ 38, PageID.1508-1509) – long after Burdick had already entered into a relationship with Flagstar and provided his PII to Flagstar. And he alleges that “for the year leading up to November 30, 2020 , Flagstar knew or should have known that the already- vulnerable FTA [platform] was going to be operating on an unsupported and highly- vulnerable system as of November 30, 2020[.]” ( Id. ; emphasis added.) Thus, on balance, Burdick’s allegations concerning the known vulnerabilities as of the time he closed on his mortgage loan in 2018 are not sufficient to support a reasonable inference that Flagstar acted with an intent to defraud (or with recklessness tantamount to fraudulent intent) at that time. Simply put, Burdick does not plausibly allege that Flagstar fraudulently induced him to do business with, or provide his PII to, Flagstar.
And even assuming arguendo that Burdick does sufficiently allege that Flagstar made a fraudulent omission at some point after he obtained his mortgage – e.g. , by failing to notify him in 2020 that it had learned of allegedly serious vulnerabilities in its data security – his claim under the IDCSA would still fail because he does not plausibly allege that he relied on any such omission. Simply put, he does not plead any facts suggesting what he would have done differently if, after he had already provided his PII to Flagstar in 2018, Flagstar had later informed him of the alleged deficiencies in its data security.
For these reasons, the Court GRANTS Flagstar’s motion to dismiss Burdick’s IDCSA claim.
C
The Court next turns to Plaintiff Ryan Martin’s claim in Count X of the Fourth Amended Complaint that Flagstar violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law, 73 Pa. Stat. and Cons. Stat. § 201-1, et seq. (the “UTPCPL”). The UTPCPL prohibits engaging in “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.” 73 Pa. Stat. and Cons. Stat. § 201-3. A claim under any section of the UTPCPL requires a plaintiff to show justifiable reliance. See Santana Prods., Inc. v. Bobrick Washroom Equipment, Inc. , 401 F.3d 123, 136 (3d Cir. 2005); McLean v. Big Lots, Inc. , 542 F.Supp.3d 343, 352 (W.D. Pa. 2021). Flagstar argues that Martin fails to allege that he relied on any acts or omissions of Flagstar. The Court agrees.
Martin, a resident of Pennsylvania, claims he was “forced” to “use [Flagstar] as a mortgage provider” when he “refinanced his home in late October/early November 2020. (Fourth Am. Compl. at ¶¶ 242-43, ECF No. 88, PageID.1580.) Martin’s allegation that he was “forced” to use Flagstar is incompatible with the notion that Martin had a choice and, in making that choice, relied upon any representation or omission by Flagstar. See McLean , 542 F.Supp.3d at 353 (describing the justifiable reliance requirement as “an essential causation element under the UTPCPL”). Moreover, Martin’s allegations of reliance are like those found insufficient under the UTPCPL in In re Rutter’s Inc. Data Sec. Breach Litig. , 511 F.Supp.3d 514 (M.D. Pa. 2021) (holding that plaintiffs failed to plausibly allege reliance where, like Martin here, they did not allege that they reviewed defendant’s privacy policy, and rejecting argument that reliance on alleged omissions could be presumed because plaintiffs, like Martin here, failed to identify a duty to disclose.)
For all of these reasons, the Court GRANTS Flagstar’s motion to dismiss Martin’s UTPCPL claim.
D
The Court next addresses the claim of Plaintiffs Arthur Dore, Ann Kelly, and Keith Kelly in Count XI of the Fourth Amended Complaint that Flagstar violated the Michigan Consumer Protection Act, Mich. Comp. Laws § 445.901, et seq. (the “MCPA”). The MCPA prohibits “[u]nfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce[.]” Mich. Comp. Laws § 445.903(1).
Dore claims that he provided his PII to Flagstar “in connection with his loan application” when he “obtained a residential mortgage loan from [Flagstar]” in September 2020. (Fourth Am. Compl. at ¶ 254, ECF No. 88, PageID.1582.) Ann Kelly and Keith Kelly say they provided their PII to Flagstar when they “opened personal financial accounts including a checking account and savings account” in 2010. ( Id. at ¶¶ 262, 270, PageID.1584, 1586.) (From this point forward, the Court will refer to Dore, Ann Kelly, and Keith Kelly, collectively, as the “Michigan Plaintiffs”).
The Michigan Plaintiffs’ allegations under the MCPA can be categorized into three types: (1) claims based on misrepresentations, (2) claims based on omissions, and (3) claims based on a violation of Section 12 of the Michigan Identity Theft Protection Act, Mich. Comp. Laws § 445.72(1) and (4) (the “MITPA”). The Court addresses the three categories of allegations, in turn, below.
1
The Court begins with the allegations that Flagstar made misrepresentations in violation of the MCPA. ( See Fourth Am. Compl. at ¶¶ 473-74, ECF No. 88, PageID.1643-1645.) As to the Kellys, this claim fails to the extent that it is based on their allegations that Flagstar made representations that induced them to enter into a transaction with Flagstar and entrust Flagstar with their PII. The Kellys provided their PII to Flagstar in 2010, and as described above, the Fourth Amended Complaint does not contain any allegations that Flagstar acted with fraudulent intent and/or a culpable state of mind in 2010.
The claim further fails as to any other misrepresentations alleged by the Michigan Plaintiffs because they must plausibly plead that they relied on such misrepresentations, see In re Onstar Contract Litig. , 278 F.R.D. 352, 376 (E.D. Mich. 2011) (“To establish a claim for fraud or misrepresentation [under the MCPA], a plaintiff must establish . . . that the plaintiff acted in reliance upon [the misrepresentation].”); In re Porsche Cars North Am., Inc. , 880 F.Supp.2d 801, 854 (S.D. Ohio 2012) (“Plaintiffs bringing MCPA claims must establish that they relied on the defendant’s deceptive conduct to their detriment.”), and they have not done so. While the Michigan Plaintiffs allege that certain representations were made on Flagstar’s website and/or in Flagstar’s Privacy Policy, they do not allege that they saw, let alone relied upon, those representations. Nor do they claim that they relied on any other misrepresentations. The Michigan Plaintiffs’ failure to plead that they actually relied on any particular alleged misrepresentation by Flagstar is fatal to their misrepresentation-based claim under the MCPA. See In re Porsche , 880 F.Supp.2d at 855 (“Michigan Plaintiff does not allege or argue that he heard, saw, had access to, or was aware of any of [the defendant’s] purported misrepresentations. These allegations therefore cannot form the basis of an MCPA claim.”).
The Michigan Plaintiffs counter that under the Michigan Supreme Court’s decision in Dix v. American Bankers Life Assurance Company of Florida , 415 N.W.2d 206, 209 (Mich. 1987), they are not required to allege actual reliance as an element of their misrepresentation-based MPCA claim. The Court disagrees. Dix focused on issues related to the certification of a class for a claim under the MCPA. In the process of analyzing the propriety of class certification, the Michigan Supreme Court held that “members of a class proceeding under the [MCPA] need not individually prove reliance on the alleged misrepresentations. It is sufficient if the class can establish that a reasonable person would have relied on the representations.” Id. at 209. This holding concerning the showing that must be made as to absent class members “does not relieve plaintiffs bringing MCPA claims of their obligation to plead individual reliance.” In re Porsche , 880 F.Supp.2d at 854– 55. Indeed, “cases discussing Dix . . . confirm that although class allegations can be based on what a reasonable person would have relied upon, a named plaintiff bringing a putative class action under the MCPA must still allege actual reliance.” In re Sony Gaming Networks and Customer Data Sec. Breach Litig. , 996 F.Supp.2d 942, 997 (S.D. Cal. 2014) (collecting cases). [6]
2
The Court next turns to the Michigan Plaintiffs’ claim that Flagstar violated the MCPA by omitting “facts that are material to the transaction in light of representations of fact made in a positive manner, in violation of [Mich. Comp. Laws] § 445.903(1)(cc).” As this language makes clear, not every omission is actionable under this section of the MCPA. Instead, this provision of the Act applies only to the omission of a specified class of facts: those that are material to the parties’ transaction based upon positive representations of fact made by a defendant. Thus, to proceed on an omission-based claim, a plaintiff must first identify “representations of fact made [to him] in a positive manner” that would mislead him in connection with the parties’ transaction if not accompanied by the allegedly- omitted representations. Mich. Comp. Laws § 445.903(1)(cc).
The Michigan Plaintiffs fail to do that. The only transactions that they identify with Flagstar are their opening of checking and savings accounts in 2010 (the Kellys) and obtaining a residential mortgage loan in 2020 (Dore). And they do not identify any representations of fact that Flagstar made to them at that time that were misleading because they were unaccompanied by the allegedly-omitted facts. Indeed, the Michigan Plaintiffs do not even allege that they heard or read any representations by Flagstar about its data security policies at the time they entered into their transactions with Flagstar. The Michigan Plaintiffs therefore may not proceed on their omissions-based theory under the MCPA.
3
Finally, the Court turns to the Michigan Plaintiffs’ claim that Flagstar violated the MCPA by failing to comply with Section 12 of the MITPA. ( See Fourth Am. Compl. at ¶ 478, ECF No. 88, PageID.1645.) That section of the MITPA requires “a person or agency that owns or licenses data” and “discovers a security breach” or “receives notice of a security breach” to provide notice to residents whose information was accessed or acquired by an unauthorized person “without unreasonable delay.” Mich. Comp. Laws § 445.72.
The Michigan Plaintiffs do not cite any authority suggesting that a violation of Section 12 of the MITPA can be the basis of a claim under the MCPA. And the Court concludes that it cannot be. The MCPA provides that a plaintiff may pursue a claim based upon violation of Section 11 of the MITPA, Mich. Comp. Laws §445.71 (concerning the denial of credit to a victim of identity theft), see Mich. Comp. Laws § 445.903(1)(jj), but the MCPA does not authorize a plaintiff to bring a claim based upon a violation of Section 12 of the MITPA. By listing a violation of Section 11 of the MITPA and omitting a violation of Section 12, the Michigan Legislature made clear that a violation of Section 12 of the MITPA is not actionable under the MCPA. See Hoerstman Gen. Contracting, Inc. v. Hahn , 711 N.W.2d 340, 346 n.8 (Mich. 2006) (explaining the under the rule of statutory construction known as expressio unius est exclusio alterius , “[t]he expression of one thing is the exclusion of another.”).
4
For all of these reasons, the Court GRANTS Flagstar’s motion to dismiss the Michigan Plaintiffs’ MCPA claim.
E
The Court finally turns to the claims in Counts XII, XIII, and XIV of the Fourth Amended Complaint that Flagstar violated three California consumer protection statutes. Three plaintiffs – Mark Wiedder, Randy Moniz, and Danielle Meis – assert claims for violations of (1) the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, et seq. (the “UCL”); (2) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100, et seq. (the “CCPA”); and (3) the California Customer Records Act, Cal. Civ. Code § 1798.80, et seq. (the “CCRA”).
The Court concludes that it cannot resolve the arguments attacking the California statutory claims on the state of the current briefing. Flagstar seeks dismissal of the claims on many different grounds – for instance, it asserts no less than seven bases for dismissal of the UCL claim alone – and several of the issues Flagstar raises are complex and have evoked sharp disagreement among the federal courts. But through no fault of their own, the parties were not able to present sufficient analysis of the arguments concerning the claims. The page limits imposed by the Court prevented them from performing the required review of the issues. The Court does not believe that it may reasonably resolve the arguments concerning the claims without a much fuller analysis from the parties. [7]
Accordingly, the Court DENIES Flagstar’s motion to dismiss the UCL, CCPA, and CCRA claims WITHOUT PREJUDICE . The Court further GRANTS Flagstar leave to file a renewed motion to dismiss aimed solely at those claims. In that motion, Flagstar is free to make and/or develop any arguments directed at the UCL, CCPA, and CCRA claims (including any arguments related to extraterritoriality), and Plaintiffs may present any arguments they deem appropriate in response. Flagstar’s motion and supporting brief shall be no longer than thirty (30) pages and shall be filed by not later than April 28, 2025 . Plaintiffs’ response shall be no longer than thirty (30) pages and shall be filed by not later than May 28, 2025 . Flagstar may file a reply, not longer than ten (10) pages, by not later than June 11, 2025 .
V
For the reasons explained above, Flagstar’s motion to dismiss is GRANTED IN PART and DENIED IN PART .
IT IS SO ORDERED .
s/Matthew F. Leitman MATTHEW F. LEITMAN UNITED STATES DISTRICT JUDGE Dated: March 27, 2025
I hereby certify that a copy of the foregoing document was served upon the parties and/or counsel of record on March 27, 2025, by electronic means and/or ordinary mail.
s/Holly A. Ryan
Case Manager
(313) 234-5126
[1] Flagstar was formerly known as Flagstar Bank, FSB. ( See Fourth Am. Compl. at ¶ 10, ECF No. 88, PageID.1493.)
[2] The allegations in question appear in, for instance, paragraphs 4-5, 21-22, 26, 28- 30, 34, 37-38, 43-45, 77-78, and 83-84 of the Fourth Amended Complaint. (ECF No. 88, PageID.1490-1491, 1499, 1501, 1502-1503, 1506, 1508-1509, 1510-1511, 1528, and 1530-1531.)
[3] The question of whether recklessness is enough to satisfy the intent element seems to be open to serious debate. See, e.g. , Savidge v. Pharm-Save, Inc. , No. 17-CV-186, 2023 WL 2755305, at *11-12 (W.D. Ky. Mar. 31, 2023) (describing split of authority as to the intrusion upon seclusion tort). Moreover, the Restatement (Second) of Torts § 8A (Am. L. Inst. 1965) provides that intent “denote[s] that the actor desires to cause consequences of his act, or that he believes that the consequences are substantially certain to result from it.”
[4] Flagstar makes several arguments as to why it believes Plaintiffs have failed to plead a violation of each statute. Where the Court believes that one of Flagstar’s arguments is dispositive of a particular claim, the Court addresses only that argument and does not consider the merits of the other arguments advanced by Flagstar.
[5] To the extent Burdick’s claim rests on an alleged delay in notification of the data breach, that portion of the claim must fail because that section of the IDCSA is “actionable only by the attorney general.” Ind. Code § 24-4.9-4-1(a).
[6] See also Shain v. Advanced Tech. Grp., LLC , No. 16-10367, 2017 WL 768929, at *11 (E.D. Mich. Feb. 28, 2017); Kussy v. Home Depot U.S.A. Inc. , No. 06-12899, 2006 WL 3447146, at *7 (E.D. Mich. Nov. 28, 2006) (analyzing MCPA claim, and finding “ Dix does not apply because it merely holds that individual reliance did not have to be proven to maintain a class action under the MCPA. Dix does not hold that reliance is not an element of common law fraud claims[.]” (quoting McClain v. Coverdell & Co. , 272 F.Supp.2d 631, 640 n.7 (E.D. Mich. 2003))); Fishon v. Peloton Interactive, Inc. , No. 19-cv-11711, 2022 WL 179771 (S.D.N.Y. Jan. 19, 2022) (“Following Dix , federal district courts considering whether a named plaintiff in a class [action] must plead actual reliance under the MCPA have concluded that they must.”).
[7] The Court did not have similar difficulty deciding the issues raised with respect to the other claims in the Fourth Amended Complaint. While the page limits imposed by the Court restricted the parties’ analysis of the other claims, the Court had enough information and analysis to resolve them.