518 F.Supp.3d 43

D.D.C.

2021

MEMORANDUM OPINION

I. Background

A. Factual Background

B. Procedural Background

1. The complaint

2. Dismissal for lack of jurisdiction

3. Dismissal for failure to state a claim

4. Subsequent proceedings

II. Legal Standard

III. Analysis

A. Whether Plaintiffs' Contract Claims Require an Allegation of Actual Damages.

B. Whether Plaintiffs Alleged Actual Damages in Light of Intervening Precedent.

1. The OPM decision

2. Application of OPM to plaintiffs' claims

a. D.C. claims

b. Virginia and Maryland claims

C. Whether Reconsideration of Plaintiffs' D.C. CPPA Claims is Warranted.

IV. Conclusion

Notes

Chantal ATTIAS, et al. v. CAREFIRST, INC., et al.

Case No. 15-cv-00882 (CRC)

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

January 29, 2021

MEMORANDUM OPINION

Plaintiffs brought this putative class action against D.C.-area health insurer CareFirst and various of its affiliates after CareFirst suffered a data breach in 2014. The breach compromised the names, birthdates, email addresses, and subscriber identification numbers of over one million of CareFirst‘s insureds. The named plaintiffs are seven of those insureds, and they lodge a host of contract, tort, and state-specific statutory claims against the company stemming from the breach.

CareFirst has now twice moved to dismiss the complaint. On the first occasion, the Court granted the motion on standing grounds and dismissed the complaint in its entirety. That decision was reversed by the D.C. Circuit, which concluded that plaintiffs’ heightened risk of future identity theft satisfied the injury-in-fact requirement of Article III standing. On remand, CareFirst renewed its motion to dismiss the complaint for failure to state a claim, which the Court granted in substantial part. All told, the Court dismissed all the claims in the complaint save two claims advanced by the two named plaintiffs who alleged actual misuse of their exposed data. The Court then issued a final order as to the dismissed claims under Federal Rule of Civil Procedure 54(b), thereby permitting plaintiffs to appeal. However, the D.C. Circuit concluded that the requirements of Rule 54(b) had not been met and thus dismissed the appeal for lack of jurisdiction.

Following remand, plaintiffs filed the present motion for reconsideration of the Court‘s dismissal of their claims under Rule 12(b)(6). Reconsideration is warranted, plaintiffs argue, to clarify that D.C. law does not require actual damages to sustain a breach of contract claim; to address intervening D.C. Circuit precedent that, in plaintiffs’ view, widens the scope of “actual damages” stemming from the data breach; and to correct the Court‘s prior analysis of the relationship between plaintiffs’ claims under the District of Columbia Consumer Protection Procedures Act and their breach of contract claims. For the following reasons, the Court will grant the motion in part and deny it in part.

I. Background

A. Factual Background

The Court presumes familiarity with its two prior opinions, Attias v. CareFirst, Inc., 199 F. Supp. 3d 193 (D.D.C. 2016) (“Attias I“), and Attias v. CareFirst, Inc., 365 F. Supp. 3d 1 (D.D.C. 2019) (“Attias II“), which fully recount the background facts. The Court will only briefly summarize them here.

CareFirst, Inc. and certain of its affiliates (collectively, “CareFirst“) operate a group of health insurance companies that provide coverage to over one million people in the District of Columbia, Maryland, and Virginia. See Second Am. Class Action Compl., ¶¶ 23 (“SAC“) ECF No. 9. To receive CareFirst insurance, customers provide the company with personal information including their names, addresses, and social security numbers. Id. 26-27. In June 2014, this information (with the exception, according to CareFirst, of the insureds’ social security numbers) was compromised when the company suffered a data breach. Id. 33. CareFirst discovered the breach in April 2015 and notified the public the following month. Id. 15, 35-36. Shortly thereafter, plaintiffs filed this putative class action.

B. Procedural Background

1. The complaint

The operative complaint names seven plaintiffs: Chantal Attias and Andreas Kotzur of the District of Columbia, Richard and Latanya Bailey of Virginia, and Curt and Connie Tringler and Lisa Huber of Maryland. Id. ¶¶ 1-4. They each allege that CareFirst‘s carelessness in handling their personal information violated D.C. tort and contract laws, as well as the consumer protection statutes of each plaintiffs home state. All told, the complaint contains eleven claims: breach of contract (Count I), negligence (Count II), violation of the District of Columbia Consumer Protection Procedures Act (“CPPA“) (Count III), violation of the District of Columbia Data Breach Notification Act (Count IV), violation of the Maryland Consumer Protection Act (“MCPA“) (Count V), violation of the Virginia Consumer Protection Act (“VCPA“) (Count VI), fraud (Count VII), negligence per se (Count VIII), unjust enrichment (Count IX), breach of the duty of confidentiality (Count X), and constructive fraud (Count XI).

By way of damages, plaintiffs allege that the data breach heightened their risk of future identity theft, resulting in “economic and non-economic loss in the form of mental and emotional pain and suffering,” id. ¶ 38, as well as “years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” id. ¶ 56. Two plaintiffs, the Baileys of Virginia, also allege that “they were not given the benefit of the services for which they bargained[.]” Id. ¶ 114. Two more plaintiffs, the Tringlers of Maryland, allege that they suffered “tax-refund fraud” because, at least at the time of the complaint, they had not received an expected federal tax refund. Id. ¶ 57.

2. Dismissal for lack of jurisdiction

In September 2015, CareFirst moved to dismiss the complaint for lack of subject matter jurisdiction under Rule 12(b)(1) and for failure to state a claim under Rule 12(b)(6). See Mot. to Dismiss, ECF No. 13. The Court granted the Rule 12(b)(1) motion, finding that it lacked subject matter jurisdiction because plaintiffs failed to satisfy the injury-in-fact requirement of Article III standing. See Attias I, 199 F. Supp. 3d at 203. Five of the seven plaintiffs (all but the Tringlers) failed to allege any actual misuse of their information. In accord with several other district court decisions nationwide—including one dismissing a Maryland federal class action brought by another group of CareFirst customers affected by the same breach—the Court concluded that “merely having one‘s personal information stolen in a data breach is insufficient to establish standing to sue the entity from wh[ich] the information was taken.” Id. at 197. As to the Tringlers, the Court found that they failed to plausibly allege either (i) that their social security numbers were stolen as part of the breach, or (ii) that tax refund fraud could occur without the perpetrators having access to such numbers. Id. at 201. The Court therefore concluded that the Tringlers’ injury was not “fairly traceable” to the breach and that they, too, lacked standing. Id. (citing Clapper v. Amnesty Int‘l, 568 U.S. 398, 409 (2013)).

The D.C. Circuit reversed. See Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017). The court reasoned that the complaint contained specific allegations that CareFirst “collected and stored” personal information that could be combined to commit identity theft and fraud—even if the compromised information did not include plaintiffs’ social security numbers. Id. at 628. The resulting “risk of future injury” was alone “substantial enough to create Article III standing.” Id.

3. Dismissal for failure to state a claim

On remand, CareFirst filed a renewed Rule 12(b)(6) motion to dismiss for failure to state a claim. See Mot. to Dismiss, ECF No. 44. The Court granted the motion in substantial part, permitting only two claims brought by the Tringlers to proceed. See Attias II, 365 F. Supp. 3d 1 (D.D.C. 2019). As that opinion is the basis of the present motion for reconsideration, the Court will describe it in some detail.

In resolving CareFirst‘s renewed motion, the Court began by addressing the company‘s argument that plaintiffs failed to plead actual damages as required by nine of the eleven claims—specifically, those for (1) breach of contract, (2) negligence, (3) negligence per se, (4) fraud, (5) constructive fraud, (6) breach of duty of confidentiality, (7) violation of the MCPA, (8) violation of the VCPA, and (9) violation of the D.C. Data Breach Notification Act. The Court addressed each claim under the relevant governing law (for the most part, D.C. common law) and concluded that each required an allegation of actual damages.

Turning to the operative complaint, the Court observed four potential theories of damages: (1) actual misuse of personal information, (2) benefit of the bargain struck in the underlying insurance contracts, (3) mitigation costs, and (4) emotional distress. Starting from the top, the Court concluded that “actual misuse” of exposed information clearly qualified as “actual damages.” Attias II, 365 F. Supp. 3d at 11-12. It stressed, however, that under the D.C. Court of Appeals’ decision in Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708 (D.C. 2009), actual misuse of personal data under D.C law requires more than a mere threat of future misuse. Rather, to sufficiently plead actual damages under that theory, D.C. common law requires the plaintiff to allege an instance of present (or actual) misuse of her personal data. See id. Only the Tringlers, who alleged that they suffered tax refund fraud as a result of the breach, plausibly alleged such misuse. See SAC ¶ 57. The Court thus concluded that the first theory of damages had been inadequately alleged by the other plaintiffs. Attias II, 365 F. Supp. 3d at 12.

Plaintiffs’ alternative theories of damages were less convincing. As to the second theory—benefit of the bargain—plaintiffs “broadly allege[d] that some indeterminate amount of their health insurance premiums went towards providing data security” that they did not receive. Id. at 13. Observing that the D.C. Court of Appeals had not spoken on the issue, the Court ruled in accord with fellow courts in this District that found the theory too amorphous to plausibly allege injury-in-fact. Id. (citing In re Sci. Applications Int‘l Corp. Backup Tape Data Theft Litig., 45 F. Supp. 3d 14 (D.D.C. 2014) and Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1, 13-14 (D.D.C. 2015)). As to the third theory—mitigation damages the Court looked again to Randolph, where the D.C. Court of Appeals squarely held that costs associated with “credit monitoring or other security measures to guard against possible misuse of [plaintiffs‘] data” was “not the result of any present injury, but rather the result of the anticipation of future injury that has not materialized.” 973 A.2d at 708 (cleaned up). See Attias II, 365 F. Supp. 3d at 14.

The Court then turned to plaintiffs’ fourth and final theory: emotional distress. By this stage in the analysis, the Court had rejected the economic theories of damages (as explained above) for all but the Tringlers. Save for the Tringlers, then, plaintiffs were left with claims for purely emotional distress. Id. at 16-17. This outcome was fatal for plaintiffs’ fraud and MCPA claims, which permit recovery of emotional distress only where there is an accompanying allegation of pecuniary (for the fraud claims) or physical (for the MCPA claims) injury. See id. As to the negligence claims, D.C. law requires plaintiffs pleading purely emotional distress to satisfy either the “zone of physical danger rule,” Williams v. Baker, 572 A.2d 1062 (D.C. 1990) (en banc), or the “special relationship and undertaking rule,” Hedgepeth v. Whitman Walker Clinic, 22 A.3d 789, 795 (D.C. 2011). Plaintiffs, who pleaded emotional distress as ancillary damages, satisfied neither. See Attias II, 365 F. Supp. 3d at 17. The Court thus concluded that the alleged emotional distress did not sustain plaintiffs’ burden to plead actual damages.¹ Id.

Accordingly, the Court dismissed the claims for breach of contract, negligence, negligence per se, fraud, constructive fraud, violation of the D.C. Data Breach Notification Act, violation of the MCPA, violation of the VCPA, and breach of the duty of confidentiality, for all but the Tringlers. Id. In sum, the Court‘s analysis of damages left the Tringlers with all their claims and the D.C. plaintiffs with only their D.C. CPPA claims.² Id.

The Court then addressed CareFirst‘s alternative argument that plaintiffs’ tort claims should be dismissed as duplicative of their contract claims. This argument was premised on the “independent duty rule,” which requires tort claimants to allege that defendants owed them a common-law duty of care independent of any contractual relationship. See id. at 18. The Court determined that plaintiffs ran afoul of this rule because they alleged “no facts separable from the terms of the contract upon which the tort may independently rest.” Id. (cleaned up). The Court thus dismissed the tort claims advanced by all plaintiffs (including the Tringlers) based on the independent duty rule. Id. at 25. It then dismissed the D.C. plaintiffs’ claims under the D.C. CPPA for largely the same reason. Id. at 25-26 (dismissing plaintiffs’ D.C. CPPA claims as “entirely duplicative of their breach of contract claim“).

All said and done, the Court dismissed all but the Tringlers’ claims for breach of contract and violations of the MCPA. The Court then sought the parties’ views as to whether it should enter an order under Federal Rule of Civil Rule 54(b)—which permits certain orders that resolve some, but not all, claims for relief to be certified as “final“—or, alternatively, under 28 U.S.C. § 1292(b). See Feb. 14, 2019, Min. Order. The parties “conferred and agree[d] that the Court should enter an order under Federal Rule of Civil Procedure 54(b) directing a final appealable judgment.” Response at 1, ECF No. 59; see also Response at 1, ECF No. 58. Finding no just reason to delay entry of final judgment on the dismissed claims, the Court entered the requested order on February 26, 2019. See Order, ECF No. 60. Plaintiffs appealed.

4. Subsequent proceedings

On appeal, the D.C. Circuit considered sua sponte whether the Court properly issued a final appealable order under Rule 54(b). See Dec. 6, 2019 Per Curiam Order, Attias v. CareFirst, 969 F.3d 412 (2020) (No. 19-7020). The presiding panel requested supplemental briefing on the issue; both sides responded that Rule 54(b) was satisfied and that the appeal was thus properly before the Circuit. The panel disagreed. For an otherwise interlocutory order to be certified as a final judgment under Rule 54(b), it explained, “the order must resolve a distinct claim for relief.” Attias, 969 F.3d at 417 (cleaned up). The panel reasoned that the Court‘s Rule 54(b) certification failed to satisfy that requirement because the dismissed claims “appear[ed] highly intertwined” with the Tringlers’ two remaining claims. Id. at 418 (cleaned up). And “if a disposition is not ‘final’ under Rule 54(b),” the panel continued, “then it likewise cannot qualify as a ‘final decision’ under [28 U.S.C. §] 1291.” Id. at 417. The Circuit thus dismissed the appeal for lack of jurisdiction. Id. at 418.

So, the case is once again before this Court. Plaintiffs, for their part, request reconsideration of the Court‘s decision to dismiss the bulk of their complaint for failure to plead actual damages and failure to distinguish their contract claims from their D.C. CPPA claims. CareFirst opposes reconsideration, and requests that the case be permitted to proceed to discovery to resolve the narrow question of whether the Tringlers have by now received their tax refund. The Court held a hearing on plaintiffs’ reconsideration motion on October 21, 2020.

II. Legal Standard

The Court begins with a procedural point. Although plaintiffs filed their motion to reconsider “pursuant to Federal Rules of Civil Procedure 59(e) and 60,” Pls. Memo. at 1, ECF No. 65, neither rule permits reconsideration in these circumstances.

For starters, motions for reconsideration under Rule 59(e) “must be filed no later than 28 days after the entry of the judgment.” Plaintiffs missed that deadline by nearly two years. Typically, courts elect to consider motions filed after the Rule 59(e) deadline under Rule 60(b), which permits reconsideration of a court‘s “final judgment” in certain circumstances. Fed. R. Civ. P. 60(b); see, e.g., Owen-Williams v. BB & T Inv. Servs., Inc., 797 F. Supp. 2d 118, 121-22 (D.D.C. 2011). Save for the more permissive deadline, however, “in most cases, the bar stands even higher for a party to prevail on a Rule 60(b) motion[.]” Uberoi v. EEOC, 271 F. Supp. 2d 1, 2 (D.D.C. 2002). That‘s because Rule 60(b) motions are granted in very limited circumstances, requiring a showing of “fraud, mistake, extraordinary circumstances, or other enumerated situations.” Id. at 3.

Though plaintiffs neglect to specify which portion of Rule 60(b) they believe permits reconsideration, only the “catchall provision,” Rule 60(b)(6), is arguably applicable. Resort to Rule 60(b)(6) is “appropriate only in extraordinary circumstances,” however. Kramer v. Gates, 481 F.3d 788, 790 (D.C. Cir. 2007) (cleaned up). Here, plaintiffs’ motion is based partly on previously available authority that plaintiffs seemingly overlooked and partly on intervening case law. Typically, neither scenario is considered extraordinary circumstances warranting reconsideration under Rule 60(b)(6). See Walsh v. Hagee, 10 F. Supp. 3d 15, 19 (D.D.C. 2013) (extraordinary circumstances not presented by “theories or arguments that could have been raised previously“) (cleaned up); Kramer v. Gates, 481 F.3d 788, 791-92 (D.C. Cir. 2007) (extraordinary circumstances not presented by “an intervening change in case law“) (cleaned up).

Regardless, reconsideration under Rule 60(b)(6) is barred by a more glaring obstacle—the rule explicitly applies to only final orders. See Fed. R. Civ. P. 60(b) (providing that “the court may relieve a party or its legal representative from a final judgment, order, or proceeding“) (emphasis added). And plaintiffs seek reconsideration of an order that the D.C. Circuit has declared to be non-final and interlocutory. See Attias, 969 F.3d at 417-18.

All is not lost for plaintiffs, however. Because they seek reconsideration of an interlocutory order, the Court may consider it within its discretion under Rule 54(b). See, e.g., Pinson v. DOJ, 321 F.R.D. 1, 3-4 (D.D.C. 2017) (reconsidering motion filed under Rules 59(e) and 60 under Rule 54(b)). Rule 54(b) provides:

When an action presents more than one claim for relief . . . the court may direct entry of a final judgment as to one or more, but fewer than all, claims . . . . Otherwise, any order or other decision . . . does not end the action as to any of the claims or parties and may be revised at any time before the entry of a judgment adjudicating all the claims and all the parties’ rights and liabilities.

Fed. R. Civ. P. 54(b) (emphasis added). The distinction between the various rules is a meaningful one, as the standard for review of interlocutory decisions is more permissive than that applied to motions for reconsideration under Federal Rules of Civil Procedure 59(e) or 60(b). See, e.g., Williams v. Savage, 569 F. Supp. 2d 99, 108 (D.D.C. 2008). As the D.C. Circuit has explained, “Rule 54(b)‘s approach to the interlocutory presentation of new arguments as the case evolves can be more flexible” than under Rule 59(e), “reflecting the inherent power of the rendering district court to afford such relief from interlocutory judgments as justice requires.” Cobell v. Jewell, 802 F.3d 12, 25 (D.C. Cir. 2015) (cleaned up).

The “as justice requires” standard “leave[s] a great deal of room for the court‘s discretion” and, at times, “amounts to determining whether relief upon reconsideration is necessary under the relevant circumstances.” Lewis v. Dist. of Columbia, 736 F. Supp. 2d 98, 102 (D.D.C. 2010) (cleaned up). That being said, the court‘s discretion under Rule 54(b) is not boundless, but rather is “limited by the law of the case doctrine and subject to the caveat that where litigants have once battled for the court‘s decision, they should neither be required, nor without good reason permitted, to battle for it again.” Id. (cleaned up).

III. Analysis

Plaintiffs seek reconsideration of the Court‘s prior opinion for three reasons. First, plaintiffs contend that, contrary to the Court‘s initial conclusion, actual damages are not required to state a claim for breach of contract under D.C. common law. Second, plaintiffs argue that intervening D.C. Circuit caselaw treats data-breach mitigation expenses as “actual damages” and thereby eliminates the Court‘s basis for dismissing nine of their eleven claims. And third, plaintiffs maintain that the Court clearly erred in concluding that CareFirst‘s alleged breach of contract is not actionable under the D.C. CPPA. The Court will address each contention in turn.

A. Whether Plaintiffs’ Contract Claims Require an Allegation of Actual Damages.

The Court begins with plaintiffs’ request for reconsideration of their contract claims. As explained, the Court previously dismissed all but the Tringlers’ contract claims on the grounds that none of the other plaintiffs pleaded actual damages. See Attias II, 365 F. Supp. 3d at 9-10, 17. For the premise that plaintiffs must allege actual damages to support a breach of contract claim under D.C. law, the Court pointed to Cahn v. Antioch Univ., 482 A.2d 120, 130 (D.C. 1984), where the D.C. Court of Appeals observed that a “[i]t is clear in contract law that a plaintiff is not required to prove the amount of his damages precisely; however, the fact of damage and a reasonable estimate must be established.” (cleaned up).

In hindsight, the Courts’ reliance on Cahn may have been misplaced. As a fellow judge on this Court recently observed, “there is a conflict within the caselaw” as to whether “proof of actual damages is an element of a [D.C.] contract claim.” Moini v. LeBlanc, 456 F. Supp. 3d 34, 51 (D.D.C. 2020). On the one hand, the D.C. Court of Appeals has clearly indicated that damages are required for a prima facie contract claim. See Cahn, 482 A.2d at 130; see also Osbourne v. Capital City Mortg. Corp., 727 A.2d 322, 324-25 (D.C. 1999) (observing that a ”prima facie case for breach of contract . . . required some proof of damages“). On the other hand, the D.C. Court of Appeals has since stated, in Wright v. Allen, that “the absence of specific monetary injury does not prevent the accrual of a cause of action for breach of contract[.]” 60 A.3d 749, 753 (D.C. 2013) (cleaned up). Wright explained that “[e]ven where monetary damages cannot be proved” the prevailing party may be entitled to nominal damages, specific performance, or declaratory relief. Id. at 753 & n.3; see also Francis v. Rehman, 110 A.3d 615, 620 (D.C. 2015) (“to state a claim for breach of contract so as to survive a Rule 12(b)(6) motion to dismiss, it is enough for the plaintiff to describe the terms of the alleged contract and the nature of the defendant‘s breach“).

The D.C. Court of Appeals appears not to have addressed this apparent conflict, and this Court is not poised to resolve it on the present motion. The Court notes, however, that Wright and Francis both post-date Cahn and Osbourne, and in order “[t]o properly discern the content of state law,” it is this Court‘s duty to “defer to the most recent decisions of the state‘s highest court.” Easaw v. Newport, 253 F. Supp. 3d 22, 34 (D.D.C. 2017) (emphasis added) (cleaned up). The more recent cases thus favor permitting plaintiffs’ contract claims to proceed. The Court will, therefore, grant plaintiffs’ motion to reconsider this issue and reinstate their contract claims (Count I).³

B. Whether Plaintiffs Alleged Actual Damages in Light of Intervening Precedent.

Plaintiffs next request reconsideration of whether they did, in fact, plead actual damages in light the D.C. Circuit‘s intervening decision in In re: U.S. Office of Pers. Mgmt. Data Sec. Breach Lit., 928 F.3d 42 (D.C. Cir. 2019) (“OPM“). To address this argument, the Court will first briefly recount the Circuit‘s ruling in OPM before turning to whether it warrants reconsideration of the Court‘s dismissals.

1. The OPM decision

In OPM, plaintiffs filed suit against the Office of Personnel Management (“OPM“) following a series of cyberattacks that exposed multiple OPM databases, including ones containing information drawn from federal employment background investigations. Id. at 50. The attacks allegedly compromised plaintiffs’ social security numbers, home addresses, and fingerprints. Id. The claims included violations of the Privacy Act of 1974, 5 U.S.C. § 552a, a federal statute governing the handling of confidential records by Executive Branch agencies. The Privacy Act permits recovery for certain violations of its terms where, among other things, plaintiffs have suffered “actual damages” due to an agency‘s willful violation. Id. at 64 (cleaned up).

OPM sought dismissal of plaintiffs’ Privacy Act claims on the grounds that they failed to plead the requisite damages. The district court granted the motion for all but two plaintiffs who allegedly had incurred out-of-pocket expenses as a result of actual identity theft. In re OPM Security Breach Lit., 266 F. Supp. 3d 1, 40 (D.D.C. 2017) aff‘d in part, rev‘d in part and remanded, 928 F.3d 42 (D.C. Cir. 2019). In the district court‘s view, “actual damages” excluded allegations of identity theft, lost time, or emotional distress unaccompanied by any attendant out-of-pocket expenses. Id. at 39-40. The court further concluded that the cost of credit monitoring services did not suffice “because expenditures undertaken voluntarily to prevent possible future harm [did] not constitute actual damages attributable to OPM.” Id. at 40.

The D.C. Circuit reversed in relevant part. Specifically, the court found that even those plaintiffs who had not incurred any pecuniary losses because of a past instance of identity theft had adequately alleged actual damages within the meaning of Privacy Act. OPM, 928 F.3d at 64-66. Such plaintiffs included those who “purchased credit protection and/or credit repair services after learning of the breach.” Id. at 65. The court construed these types of prophylactic expenses, despite (in some cases) having accrued wholly apart from any alleged misuse of plaintiffs’ personal data, as the “paradigmatic example of ‘actual damages’ resulting from the violation of privacy protections.” Id.

2. Application of OPM to plaintiffs’ claims

Plaintiffs argue that OPM requires broad reconsideration of the nine claims previously dismissed for failure to plead actual damages. Plaintiffs home in on the Court‘s rejection of their mitigation theory of damages, which in their view closely resembles the theory of damages alleged in OPM.⁴ They argue that OPM‘s acceptance of out-of-pocket expenses resulting from “credit protection and/or credit repair services” as “actual damages” under the Privacy Act, OPM, 928 F.3d at 65, undermines this Court‘s prior finding that mitigation costs “cannot be recovered as consequential damages because there is not an actual injury, only an anticipated one,” Attias II, 365 F. Supp. 3d at 15.

The Court begins with a preliminary point: plaintiffs are mistaken that OPM is “controlling on the issue of damages[.]” Pls. Memo. at 4; see also Reply Mot. at 4, ECF No. 71 (claiming that “OPM is controlling authority“). As this Court sits in diversity, plaintiffs’ claims are governed by the substantive laws of D.C., Virginia, and Maryland. By contrast, OPM construed actual damages in the context of a federal statute that is not at issue in this litigation. And as the Court previously stated, the state law context is “all the more salient in a data breach case” because “federal courts across the country have applied the relevant state law to claims arising out of data breaches to very different effect.” Attias II, 365 F. Supp. 3d at 8. This context is especially important when considering the meaning of “actual damages,” which is a term of art that retains a “chameleon like quality” and resists any “all-purpose definition.” Federal Aviation Admin. v. Cooper, 566 U.S. 284, 294 (2012).

Against this backdrop, the Court turns to plaintiffs’ contention that reconsideration of “actual damages” is warranted in light of OPM. The Court will begin with the claims governed by D.C. law before turning to those governed by Virginia and Maryland law.

a. D.C. claims

Seven claims previously dismissed for failure to plead actual damages are governed by D.C. law—namely, plaintiffs’ claims for breach of contract (Count I), negligence (Count II), negligence per se (Count VIII), fraud (Count VII), constructive fraud (Count XI), breach of duty of confidentiality (Count X), and violation of the D.C. Data Breach Notification statute (Count IV).⁵

As previously explained, plaintiffs argue that the mitigation costs found to be “actual damages” in OPM “share[] many similarities” to those rejected by this Court‘s prior ruling. Pls. Memo. at 6. That may be so.⁶ Regardless, the D.C. Court of Appeals has squarely held that “actual damages” exclude a data-breach plaintiffs mitigation costs absent any actual misuse of the plaintiff‘s data. See Randolph, 973 A.2d at 708. Like plaintiffs here, the plaintiffs in

Randolph sued their insurance company after their personal information was compromised due to the company‘s alleged carelessness. Id. at 705. There, too, plaintiffs claimed to have incurred expenses on credit monitoring services and other mitigation measures taken to abate the increased risk of future identity theft. Id. at 708. The Court of Appeals upheld the dismissal of the complaint, finding that plaintiffs failed to state a claim. The court reasoned that while damages caused by “present injury” suffice to state a claim, mitigation damages incurred by “the anticipation of future injury that has not materialized” do not. Id. Drawing such a distinction, the court noted, was in accord with “other courts that have dismissed similar negligence actions for failure to state a claim, or have entered summary judgment for defendants, in the absence of allegations of present injury to plaintiffs.” Id. at 708 n.9 (collecting cases). The court thus concluded that mitigation damages failed to state a claim for actual harm under D.C. law.

There can be no argument that OPM somehow overturned Randolph. Thus, Randolph remains binding D.C. law and continues to govern plaintiffs’ D.C. law claims. Cf. Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 37-38 (D.D.C. 2020) (concluding that plaintiff stated a negligence claim under D.C. law following data breach because, unlike the plaintiffs in Randolph, the plaintiff alleged that his information “ha[d] already been employed” by hackers) (emphasis in original). And Randolph requires data-breach plaintiffs to plead more than mitigation damages to state a claim under D.C. law. Accordingly, OPM provides no basis for the Court to revisit its dismissal of plaintiffs’ D.C. claims.

Moreover, plaintiffs’ motion for reconsideration ignores the Court‘s alternative basis for dismissing their five tort claims: the independent duty rule. See Attias II, 365 F. Supp. 3d at 18-19. As noted above, the Court concluded that plaintiffs’ tort claims ran afoul of that rule because plaintiffs had “failed to allege a duty to reasonably safeguard insureds’ data separate from CareFirst‘s contractual duties.” Id. Plaintiffs do not argue that OPM altered the application of the independent duty rule (nor could they, as the rule was not at issue in OPM). As such, the Court further concludes that plaintiffs’ tort claims were properly dismissed on this independent basis.

In sum, the Court will deny plaintiffs’ motion to reconsider its dismissal of plaintiffs’ claims for negligence (Count II), negligence per se (Count VIII), fraud (Count VII), constructive fraud (Count XI), breach of duty of confidentiality (Count X), and violation of the D.C. Data Breach Notification statute (Count IV).⁷

b. Virginia and Maryland claims

Plaintiffs also seek reconsideration of their claims under the consumer protection laws of Virginia and Maryland. See Va. Code Ann. § 59.1-204; Md. Code Ann., Com. Law § 14-308. As previously stated, both statutes require allegations of actual damages to state a claim. See Va. Code Ann. § 59.1-204(a); Md. Code Ann., Com. Law § 13-408(a). To the Court‘s knowledge, however, no court in either state has addressed whether expenses incurred to mitigate the risk of future identity theft qualify as “actual damages” absent any actual misuse of the plaintiff‘s exposed data. The Court will thus briefly survey each state‘s consumer protection code in assessing whether reconsideration is warranted.

The Court begins with the claims alleged under the VCPA. Va. Code § 59.1-204(A) states, “Any person who suffers loss as the result of a violation of this chapter shall be entitled to initiate an action to recover actual damages, or $500, whichever is greater.” While it is clear that the VCPA requires “loss” in order for a plaintiff to recover, “Virginia courts have provided little guidance with respect to the meaning of ‘loss’ under the Virginia CPA.” In re Gen. Motors LLC Ignition Switch Litig., 339 F. Supp. 3d 262, 332 (S.D.N.Y. 2018) (“General Motors“). The General Motors court observed that the VCPA‘s text permits recovery of either actual damages or $500. Id. And while Virginia‘s courts appear not to have said so expressly, other courts interpreting analogous provisions have construed the alternative statutory remedy to be “a civil penalty” available “where the consumer‘s actual damages may otherwise be de minimis, speculative, or too difficult to prove, but where the consumer can show that a loss has been suffered[.]” Andreason v. Felsted, 137 P.3d 1, 5 (Utah Ct. App. 2006); see also General Motors, 339 F. Supp. 3d at 332 (construing Virginia and Utah consumer protection codes consistently “[i]n light of the similarities in language between [their] consumer protection statutes“). The court in General Motors thus characterized the VCPA‘s “loss” requirement as “expansive” relative to the “vast majority” of other states’ codes. Id. at 327, 332 (concluding that Virginia was one of only six states that permits recovery for “lost free or personal time” stemming from consumer protection violations).

This expansive interpretation of recoverable damages under the VCPA is bolstered by Supreme Court of Virginia‘s broad view of “actual damages” in other contexts. See News Leader Co. v. Kocen, 3 S.E.2d 385, 391 (Va. 1939). In Kocen, for example, the court defined “actual damages” as “cover[ing] all loss recoverable as a matter of right and includ[ing] all damages other than punitive or exemplary damages.” Id. A number of Virginia circuit courts have applied Kocen to conclude that the VCPA permits plaintiffs to recover for noneconomic damages, see, e.g., Wingate v. Insight Health Corp., 87 Va. Cir. 227, 2013 WL 9564175 at *8 (Va. Cir. Ct. 2013), although that conclusion is not unanimous, see Humphrey v. Leewood Healthcare Ctr., 73 Va. Cir. 346, 2007 WL 6013573 at *2-3 (Va. Cir. Crt. 2007) (summarizing the dispute).

As for plaintiffs’ Maryland claims, the MCPA appears to be more restrictive than its Virginia counterpart with respect to proving actual loss and damages. For instance, there is no statutory award for plaintiffs to recover in lieu of actual damages. To the contrary, the Maryland Court of Appeals has emphasized that the MCPA requires plaintiffs to have suffered an “objectively identifiable” loss, as “measured by the amount the consumer spent or lost as a result of his or her reliance on the sellers’ misrepresentation.” Lloyd v. Gen. Motors Corp., 916 A.2d 257, 277 (Md. 2007); see also Citaramanis v. Hallowell, 613 A.2d 964, 969-71 (Md. 1992).

Nonetheless, the Court concludes that both the VCPA and the MCPA claims warrant reconsideration following OPM. While this result is more clearly warranted in light of Virginia‘s more expansive consumer protection code,⁸ the MCPA‘s somewhat more stringent requirements present a closer question. At bottom, however, absent any biding authority to the contrary from either state, the Court concludes that the D.C. Circuit, consistent with its reasoning in OPM, would be more likely than not to treat mitigation expenses as actual damages under

both statutes. The Court will thus grant reconsideration of plaintiffs’ claims under the VCPA and MCPA and will reinstate Count V and Count VI.⁹

C. Whether Reconsideration of Plaintiffs’ D.C. CPPA Claims is Warranted.

Finally, the Court turns to plaintiffs’ request for reconsideration of their D.C. CPPA claims based on Velcoff v. Medstar Health, Inc., 186 A.3d 823, 827 (D.C. 2018).¹⁰ The Court dismissed plaintiffs’ D.C. CPPA claims because they were either (i) duplicative of the contract claims, see Jacobson v. Hofgard, 168 F. Supp. 3d 187, 199-200, 206-07 (D.D.C. 2016); or (ii) based on an allegation of intentional breach of contract, see Slinski v. Bank of Am., N.A., 981 F. Supp. 2d 19, 36 (D.D.C. 2013). Attias II, 365 F. Supp. 3d at 26. Plaintiffs argue that Velcoff undermines the Court‘s reasoning. Not so. In Velcoff, the trial court dismissed the plaintiff‘s CPPA claims for failure to specify which provisions of the CPPA were violated by defendant‘s illegal trade practices. 186 A.3d at 827. The D.C. Court of Appeals rejected that reasoning, explaining that “matching allegations of the complaint to the corresponding subsections of the

CPPA is a straightforward task.” Id. Plainly, that decision does not purport to implicate whether a breach of contract, intentional or otherwise, is actionable under the CPPA. The Court therefore declines to reconsider its dismissal of plaintiffs’ claims under the CPPA (Count III).

IV. Conclusion

For the foregoing reasons, the Court will grant in part and deny in part plaintiffs’ Motion for Reconsideration. A separate Order shall accompany this memorandum opinion.

CHRISTOPHER R. COOPER

United States District Judge

Date: January 29, 2021

Notes

Plaintiffs did not seek emotional distress damages for their VCPA, D.C. Data Breach Notification Act, breach of duty of confidentiality, or breach of contract claims.

The Court also granted CareFirst‘s motion to dismiss plaintiffs’ unjust enrichment claims as precluded by the existence of a valid, enforceable contract. See . Plaintiffs have not requested reconsideration of that decision, and the Court finds no reason to disturb it here.

The Court reaches this conclusion despite the fact that plaintiffs failed to cite either or in their briefing on the motion to dismiss.

Plaintiffs also assert that “applying the law of OPM supports that [p]laintiffs have pled damages in this case including both economic and non-economic damage.” Pls. Memo. at 3-4. Plaintiffs are incorrect. In fact, OPM reiterated that “‘[a]ctual damages’ within the meaning of the Privacy Act are limited to proven pecuniary or economic harm.” (emphasis added).

The parties agree (albeit for different reasons) that the Security Breach Protection Amendment Act of 2020, which amended provisions of the D.C. Data Breach Notification Act and CPPA, does not affect the analysis of plaintiffs’ claims under the respective statutes. See Pls. Supp. Memo., ECF No. 73; Defs. Supp. Memo., ECF No. 74.

While both complaints allege something akin to mitigation damages, the OPM complaint includes far more detailed allegations of misuse than the complaint presented to the Court here. See Consolidated Am. Compl., In re OPM Data Security Breach Lit., ECF No. 63. To take but a few examples, several of the OPM plaintiffs were informed that unknown individuals had either used or attempted to use their social security numbers, id. ¶¶ 14, 17, 41, 50, had falsely filed for their tax returns, id. ¶¶ 28, 29, 30, and had created fraudulent financial accounts in their names, id. ¶¶ 13, 28, 29, 30, 41, 45, 49. These claims were presented with extensive details, including when and how plaintiffs discovered the misuse and the steps plaintiffs took in response that caused them pecuniary harm. See id. The present complaint, by contrast, includes only one allegation of misuse with virtually no attendant detail.

Plaintiffs’ contract claims—which were initially dismissed for failure to plead actual damages under D.C. law—have been reinstated on other grounds, see section III.A supra.

The Court notes that there is some disagreement as to whether the class action device is available to plaintiffs alleging consumer protection claims under Virginia law in federal court. Compare (declining to certify class of plaintiffs bringing VCPA claims because “class actions are not generally allowed in Virginia“) (cleaned up) with (certifying class of plaintiffs bringing VCPA claims). However, “[t]he question of whether a class action may be maintained with respect to the [VCPA] is proper to consider at the class certification stage rather than in considering a motion to dismiss[.]” . This is particularly true where, as here, “[d]efendants are not arguing (on this basis) that the [complaint] fails to state a claim as to the named Virginia plaintiffs.”

In reaching this conclusion, the Court notes that neither party presented briefing on whether mitigation expenses are recoverable under the VCPA or MCPA. The research reflected above is the Court‘s own. As a result, the Court could revisit this issue—including defendants’ prior argument that plaintiffs lack a remedy under the VCPA because CareFirst is an insurance company—at summary judgment with the benefit of more comprehensive submissions from the parties. Additionally, the Court notes that this conclusion does not affect its prior treatment of plaintiffs’ claims for emotional damages under the MCPA, which were dismissed for failure to allege any “consequential physical injury.” See (quoting ) (cleaned up).

Plaintiffs erroneously construe Velcoff as intervening authority. See Pls. Memo. at 9 (claiming that the Court‘s prior decision warrants reconsideration due to “newly available controlling authority” including Velcoff). In fact, the ruling was issued prior to plaintiffs filing their reply brief. Plaintiffs thus had the opportunity to raise the case prior to the Court‘s ruling.

Read the detailed case summary