DECISION AND ORDER
INTRODUCTION
Those who are entrusted with details about an individual’s health care should guard against even the inadvertent disclosure of that confidential information. Those duties were allegedly breached in this case when hackers secured access to confidential health care information through a cyberattack. Nonetheless, while legal remedies may be pursued by those who were injured, the law only allows for the pursuit of plausible claims — and only by those who have standing based on an alleged legally compensable injury. Not all parties or all claims in this case meet that standard.
This case arises out of a data breach involving Excellus Health Plan, Inc. (“Excellus”), a healthcare provider. Plaintiffs, who allege various claims and injuries arising from the data breach, bring this putative class action against the following eight defendants: Excellus, Lifetime Healthcare, Inc. (“Lifetime”), Lifetime Benefit Solutions, Inc., Genesee Region Home Care Association, Inc. d/b/a Lifetime Care,
Presently before the Court are two motions to dismiss Plaintiffs’ CMC. (Dkt. 107; Dkt. 111). The Excellus Defendants and BCBSA — i.e., all Defendants — move to dismiss the CMC pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6), on the basis that the Court lacks jurisdiction because Plaintiffs lack standing to sue, and that Plaintiffs have failed to state a claim. (Dkt. 107-1 (“Excellus Mot.”)); (Dkt. 111-1 (“BCBSA Mot.”)). For the reasons that follow, the Court grants in part and denies in part both motions.
BACKGROUND
I. Factual Background
The following factual allegations are drawn from Plaintiffs’ CMC.
A. The Parties
Excellus is “the primary healthcare provider in Upstate New York” and a licensee of BCBSA. (CMC at ¶ 37). Excellus is a subsidiary of Lifetime and a parent company to all other defendants, except Lifetime and BCBSA. (Id. at ¶ 40). Lifetime is “the parent and/or holding company of a $6.6 billion family of companies, known as the Lifetime Healthcare Companies, that finances and delivers health care in New York State, as well as long-term care nationwide.” (Id. at ¶ 42). The following five defendants are affiliate companies of the Lifetime Healthcare Companies, and they are owned and controlled by Lifetime and Excellus: (1) Lifetime Benefit Solutions, Inc.; (2) Genesee Region Home Care Association, Inc. d/b/a Lifetime Care; (3) Genesee Valley Group Health Association d/b/a Lifetime Health Medical Group; (4) MedAmerica, Inc.; and (5) Univera Healthcare. (Id. at ¶¶ 45-49). The final defendant, BCBSA, “is a federation of 36 health insurance organizations and companies that provides health insurance to over 106 million individuals.” (Id. at ¶ 50). Excellus “cooperates with BCBSA and other independent Blue Cross Blue Shield ... licensees to participate in the BlueCard program. Under the BlueCard program, members of one BCBS licensee may access another BCBS licensee’s provider networks and discounts.” (Id. at ¶ 55).
Plaintiffs allege three different types of classes. First, Plaintiffs allege “separate statewide classes for the states of California, Florida, Indiana, North Carolina, New Jersey, New York, and Pennsylvania,” defined as “[a]ll citizens of [name of state] whose [personally identifiable information (“PII”)] or [protected health information (“PHI”)] was compromised by the Excellus data breach” (“Statewide Classes”). (Id. at 64). Second, Plaintiffs allege a federal employee class, defined as “[a]ll enrollees in the Federal Employee Health Benefits Plan whose Personal Information was compromised by the Excellus data breach” (“Federal Employee Class”). (Id. at 65). Third, Plaintiffs allege a healthcare provider class, defined as “[a]ll healthcare providers and/or medical professionals who submitted PII directly or indirectly to Defendants and whose PII was compromised by the Excellus data breach” (“Healthcare Provider Class”). (Id. at 66).
On December 23, 2013, hackers gained access to Excellus’s computer network systems, which stored the personal information belonging to millions of individuals. (Id. at ¶¶ 52, 131, 133). During this data breach, the hackers had access to individuals’ names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification numbers, financial payment information (including credit card numbers), and medical insurance claims information. (Id. at ¶¶ 1-3, 52, 134). The hackers also had access to healthcare providers’ personal information, including medical licenses. (Id. at ¶ 135). The breach continued for 20 months, until at least August 18, 2014; however, the hackers may have had access to the systems more recently, on May 11, 2015. (Id. at ¶ 133).
“In the wake of other high-profile healthcare data breaches ..., Defendants hired cybersecurity company Mandiant to forensically assess their systems.” (Id. at ¶ 132). On August 4, 2015, Mandiant’s analysis revealed malware on Defendants’ systems. (Id.) On September 9, 2015, Defendants publicly announced that the breach had occurred and that it affected 10 to 10.5 million people, including past and current Excellus policyholders, as well as those who are insured by or receive healthcare services from Defendants’ affiliates. (Id. at ¶ 138). According to that announcement, Mandiant’s investigation did not determine that any personal information was removed from Excellus’s systems, and Excellus had no evidence that the personal information was used inappropriately. (Dkt. 107-3, Ex. A). Defendants offered two years of free credit monitoring to adult victims of the breach. (CMC at ¶ 138).
Plaintiffs allege that Defendants had reason to know that their data security was inadequate both before the data breach started and after it was discovered by Defendants. (Id. at ¶¶ 114, 120). For example, in May 2012, the Department of Health and Human Services’ Office for Civil Rights hired KPMG to conduct an audit of Univera (a Defendant and Lifetime affiliate company) in order to review its compliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). (Id. at ¶ 115). The audit revealed, inter alia, that Univera’s “Risk Assessment Policies & Procedures failed to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.” (Id. at ¶ 117). As another example, in April 2014, the FBI Cyber Division “issued a ‘Private Industry Notification’ that explained how ‘the health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs). The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.’ ” (Id. at ¶ 123). This information, along with other data breaches in the health care industry, allegedly “put Defendants on notice that healthcare and health insurance companies were a target of cyberattack, and that these companies had an obligation to implement reasonable safeguards to keep pace. Defendants, quite simply, failed to heed the clear and unequivocal warning.” (Id. at 129).
C. Plaintiffs’ Alleged Injuries
Plaintiffs allege that the data breach caused them various types of injuries, both present and future. The following present injuries from the breach are alleged in the CMC. Four plaintiffs allege that false tax
The Excellus Defendants differentiate the alleged injuries on the basis that four plaintiffs do not allege any specific instances in which their personal information was misused (id. at ¶¶ 17, 30, 33, 36), while the remaining sixteen plaintiffs allege some type of misuse of their personal information (id. at ¶¶ 18-29, 31-32, 34-35),
D. Plaintiffs’ Causes of Action
Based on their factual allegations, Plaintiffs allege ten causes of action, as follows: (1) negligence; (2) negligence per se; (3) breach of contract; (4) breach of the implied covenant of good faith and fair dealing; (5) third-party beneficiary breach of contract for the Federal Employee Class; (6) negligent misrepresentation; (7) unjust enrichment; (8) violations of state consumer protection laws; (9) violation of the California Customer Records Act, Cal. Civ. Code § 1798.80; and (10) violations of state insurance personal privacy statutes.
II. Procedural History
Following the data breach, several potential victims filed lawsuits alleging various resulting injuries. (Dkt. 9-2 at 3). The earliest of such lawsuits was filed on September 18, 2015. (Dkt. 1). On November 5, 2015, the Court issued an order consolidating additional lawsuits, pursuant to Federal Rule of Civil Procedure 42(a)(2), and transferred the case to the undersigned. (Dkt. 27 at 4-5). On November 10, 2015, the Court entered an order directing that any subsequently-filed lawsuit arising out of the same facts or involving the same claims be consolidated into the lead action. (Dkt. 28). On January 25, 2016, the Court appointed interim lead counsel and directed Plaintiffs to file a consolidated master complaint. (Dkt. 80).
On April 15, 2016, Plaintiffs — twenty in all, from seven different states — filed the CMC. (Dkt. 99). On May 31, 2016, the Excellus Defendants filed a motion to dismiss. (Dkt. 107). On June 17, 2016, BCBSA filed a motion to dismiss. (Dkt. 111). Plaintiffs responded in opposition to the Excellus Defendants’ motion to dismiss on July 7, 2016 (Dkt. 122-3 (“Pl. Excellus Opp.”)), and to BCBSA’s motion to dismiss on July 14, 2016 (Dkt. 129 (“Pl. BCBSA Opp.”)). On August 8, 2016, the Excellus Defendants and BCBSA each filed a reply in further support of their respective motions to dismiss. (Dkt. 133 (“Excellus Reply”); Dkt. 134 (“BCBSA Reply”)). Oral argument was held before the undersigned on September 8, 2016, at which time the Court reserved decision. (Dkt. 139).
MOTION TO DISMISS FOR LACK OF STANDING
The Court first considers the issue of standing. The Excellus Defendants raise
I. Fed. R. Civ. P. 12(b)(1)
“A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it.” Makarova v. United States,
II. General Principles of Article III Standing
“Article III of the Constitution limits federal courts’ jurisdiction to certain ‘Cases’ and ‘Controversies.’” Clapper v. Amnesty Int’l USA,
[T]he irreducible constitutional minimum of standing contains three elements. First, the plaintiff must have suffered an “injury in fact” — an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical .... Second, there must be a causal connection between the injury and the conduct complained of — the injury has to be fairly ... traceable to the challenged action of the defendant, and not ... the result of the independent action of some third party not before the court .... Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.
Lujan v. Defs. of Wildlife,
In a class action, the Court considers the injuries of the named plaintiffs, not unnamed class members. That is, class action plaintiffs “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Warth v. Seldin,
III. Injury in Fact
As discussed, the first standing element is injury in fact. An injury in fact is “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.” Lujan,
The Excellus Defendants argue that Plaintiffs who have not alleged any actual misuse of their data — the so-called “non-misuse” Plaintiffs: Matthew Fero, Dwayne Church, Therese Boomershine, and Brenda Caltagarone — have not alleged an injury in fact.
Plaintiffs argue that they each have alleged an injury-in-fact sufficient to support Article III standing. (Pl. Excellus Opp. at 4-13). Without differentiating, as the Excellus Defendants do, between those who have suffered misuse and those who have not, Plaintiffs claim that they have standing based on alleged present injuries caused by the breach: they have suffered from fraudulent tax returns; unauthorized access to tax information; identity theft; and fraudulent credit or debit charges. (Id. at 7). Some Plaintiffs allege “monetary impacts,” such as spending money to remediate or protect from fraudulent activity and experiencing delays in receipt of federal tax returns; Plaintiffs contend that those monetary impacts constitute injury-in-fact. (Id.). And, Plaintiffs argue that spending time to deal with the consequences of the breach — including acts such as freezing or monitoring credit and bank statements, reporting identity theft, and completing police reports — also constitutes injury in fact. (Id. at 7-8). All Plaintiffs allege that the breach caused them to suffer anxiety and fear, which, according to them, constitutes injury-in-fact. (Id. at 8).
A. CMC’s Allegations Regarding The Non-Misuse Plaintiffs
The CMC alleges that Fero, a citizen of New York, received a letter from Excellus notifying him that his PII and PHI, along with the PII and PHI of his wife and two children, may have been compromised in the data breach. (CMC at ¶ 17). He subsequently enrolled himself and his wife in the two-year credit monitoring service offered through Kroll, although he could not enroll his minor children. (Id.). The CMC further alleges that, “[a]s a result of the data breach, the Personal Information of Mr. Fero and his family has been compromised, and he has spent time attempting to ensure that his family is protected from future acts of identity theft or fraud stemming from this data breach.” (Id.).
The CMC alleges that Church, a citizen of California, received a letter from Excellus notifying him that his PII and PHI may have been compromised in the data breach. (Id. at ¶ 30). He then enrolled in Kroll’s two-year credit monitoring service
The CMC alleges that Boomershine, a citizen of Indiana, received a letter from Lifetime Healthcare Companies notifying her that her PII and PHI may have been compromised in the data breach. (Id. at ¶ 33). She subsequently (1) enrolled in Kroll’s two-year credit monitoring service; (2) implemented credit freezes with the three major reporting bureaus; (3) ordered copies of her most recent credit report; (4) filed a police report with the Roanoke Police Department; (5) filed an identity theft report with the FTC; and (6) purchased additional credit monitoring services through Credit Karma. (Id.). The CMC further alleges that her “Personal Information has been compromised, and she has spent significant time attempting to protect herself from identity theft and fraud.” (Id.).
The CMC alleges that Caltagarone, a citizen of Pennsylvania, “is unsure how or why her information was compromised in the Excellus data breach, but she believes her employer, Cenclear, obtains services from one of the Defendants.” (Id. at ¶ 36). She received a letter from Lifetime Healthcare Companies notifying her that her PII and PHI may have been compromised in the data breach. (Id.). The CMC also alleges that her “Personal Information has been compromised” as a result of the data breach. (Id.).
B. Increased Risk of Future Identity Theft
1. Parties’ Arguments
The Excellus Defendants argue that the four non-misuse Plaintiffs’ allegations that they suffer an “imminent and certain impending injury flowing from fraud and identity theft posed by their PII and PHI being placed in the hands of unknown third parties,” (CMC at ¶ 167(e)), is conclusory and not “certainly impending,” as required to meet the standard for risk of future harm to support Article III standing. (Excellus Mot. at 5). The Excellus Defendants argue that the fact that other Plaintiffs have alleged misuse of their personal information does not elevate the non-misuse Plaintiffs’ risk of harm to the level of “certainly impending.” (Id. at 6).
Plaintiffs argue that they have standing based on “a real risk of future, certainly impending harm, and/or the substantial risk that harm will occur as a result of this breach,” which is sufficient to support Article III standing. (Pl. Excellus Opp. at 8). Plaintiffs point to decisions by “several courts of appeals [that] have determined the substantial risks of future harm posed by a data breach that compromises PII constitutes injury in fact.” (Id. at 9). Plaintiffs further assert that the cases on which Defendants rely in support of their argument that Plaintiffs’ risk of harm is not “certainly impending” are distinguishable. (Id. at 11-12).
2. Discussion
In 2013, the Supreme Court considered whether future injury satisfies the injury-in-fact requirement for standing in Clapper, a case in which the plaintiffs — consisting of attorneys and human rights, labor, legal, and media organizations — challenged the constitutionality of government surveillance of suspected terrorists under the Foreign Intelligence Surveillance Act. Clapper,
Before and after Clapper, courts have split over whether increased risk of identity theft is sufficient for standing in a data breach case. The Second Circuit has not yet addressed the issue, although it is poised to do so. See Whalen v. Michael Stores, Inc.,
Before Clapper, in Krottner v. Starbucks Corp.,
In another pre-Clapper decision, Reilly v. Ceridian Corp.,
After Clapper, the Fourth Circuit concluded that the plaintiffs’ alleged injury of increased risk of identity theft was too speculative to constitute an injury-in-fact. Beck v. McDonald,
Both before and after Clapper, the Seventh Circuit has concluded that risk of identity theft is sufficient for standing. In a pre-Clapper case, Pisciotta v. Old National Bancorp,
Post-Clapper, the Seventh Circuit found that risk of identity theft is sufficient for standing in two data breach cases. The first was Remijas v. Neiman Marcus Group, LLC,
At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.
Id. Thus, the Seventh Circuit found injuries sufficient for standing based on future injuries — the increased risk of fraudulent charges and the increased risk of identity theft — as well as the time and money spent resolving fraudulent charges and in
The second post-Clapper case was Lewert v. P.F. Chang’s China Bistro, Inc.,
In Galaria v. Nationwide Mutual Insurance Co.,
Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in [p]laintiffs’ complaints.
Id. at 388. The Sixth Circuit distinguished the Third Circuit’s decision in Reilly on the grounds that, unlike in that case, the plaintiffs had alleged an “identifiable taking,” that is, the intentional theft of their data. Id. at 389-90. On that point, the Court stated that at the pleading stage, it was required to “accept as true [p]laintiffs’ allegations about the nature of the breach and the data stolen, and construe the complaints in [p]laintiffs’ favor.” Id. at 389-90 n.3.
Like circuit courts, district courts have also reached different conclusions regarding standing based on increased risk of identity theft. One case, on which the Excellus Defendants rely, is In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation,
Like In re SAIC, other district courts have found no standing and “dismiss[ed] suits where the plaintiffs, even where they alleged that their personal data had been stolen or accessed, did not allege actual misuse of the data.” Khan v. Children’s Nat’l Health Sys.,
By contrast, in cases where district courts have found standing, the plaintiffs set forth “allegations indicating that some of the stolen data had already been misused, that there was a clear intent to use the plaintiffs’ personal data for fraudulent purposes, or both.” Khan,
In Khan,
In the absence of specific incidents of the use of stolen data for identity fraud purposes, district courts have generally found that the increased risk of identity theft does not confer standing .... In fact, the only post-Clapper cases cited by [Plaintiff] or uncovered by this [c]ourt in which data breach victims were found to have standing all included allegations indicating that some of the stolen data had already been misused, that there was a clear intent to use the plaintiffs’ personal data for fraudulent purposes, or both.
Id. at 531. Thus, the Khan court concluded that, “in the data breach context, plaintiffs have properly alleged an injury in fact
In this case, the four non-misuse plaintiffs — Fero, Church, Boomershine, and Caltagarone — have alleged increased risk of harm, unaccompanied by any concrete misuse of their stolen personal information. (CMC at ¶¶ 17, 30, 33, 36). While they all allege that their personal information was compromised as a result of the data breach, (see, e.g., id. at ¶ 17), none allege any facts indicating that the hackers have misused their personal information since the data breach occurred, or that any other suspicious activity has occurred in the three years since the data breach began. This undercuts their assertion that the asserted harm of future identity theft is “certainly impending.” These plaintiffs’ claims of injuries do not meet the definition of injury in fact. Their alleged injuries are neither concrete, nor actual and imminent because the alleged injuries rely on a chain of possibilities about the actions of independent actors: these Plaintiffs may suffer some actual harm if the hacker has the information in a format that is understandable and accessible, and if the hacker intends to commit crimes by misusing it or transmitting it to someone who does, and if the hacker (or other party) can successfully misuse the information. See Clapper,
And, as the Excellus Defendants point out, Mandiant’s investigation of the data breach “did not identify evidence of the collection, staging, or exfiltration of patient data. Although Mandiant did not find evidence of the collection, staging or exfiltration of patient data, Mandiant was unable to rule out the possibility the attacker accessed patient data based on the available log data.” (Dkt. 123); see also Makarova,
C. Alternative Bases for Standing
As an initial matter, the Court notes that Plaintiffs have not responded to the Excellus Defendants’ arguments that the four non-misuse plaintiffs lack standing based on their alleged mitigation efforts, overpayment for health insurance, diminution in value of personal information, and violations of state statutes. (See generally Pl. Excellus Opp.). Some “courts in this circuit have held that a plaintiff’s failure to respond to contentions raised in a motion to dismiss constitutes an abandonment of the applicable claims.” Bond v. City of
1. Mitigation Efforts
The Excellus Defendants argue that alleged mitigation efforts by the non-misuse Plaintiffs — that is, Boomershine’s purchase of additional credit monitoring services (CMC at ¶ 33), and Boomershine, Fero, and Church having “spent time” to protect themselves (id. at ¶¶ 17, 30, 33) — are insufficient to establish standing. (Excellus Mot. at 7). The Court agrees.
In Clapper, the Supreme Court held that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
This rule from Clapper has been applied in the data breach context, such that courts have concluded that mitigation efforts following a data breach do not confer standing where the alleged harm is not imminent. See Beck,
Having concluded that the increased risk of identity theft is not imminent for these four plaintiffs, the non-misuse plaintiffs’ mitigation efforts against that future harm cannot confer standing.
2. Overpayment Allegations
The Excellus Defendants argue that Plaintiffs cannot establish injury-in-fact based on their alleged overpayment for health insurance. (Excellus Mot. at 7-8). The Court agrees. “[A] number of courts have rejected an ‘overpayment’ theory of damages as an injury-in-fact for standing purposes.” In re Cmty. Health Sys., Inc., No. 15-CV-222-KOB,
Here, as the Excellus Defendants rightly point out, the CMC lacks any factual allegations that would support the claim that Plaintiffs paid a specific amount of money for data security. (See CMC at ¶ 167(h) (claiming “overpayment for health insurance ..., in that a portion of the price for insurance or other services paid by Plaintiffs and Class Members to Defendants was for the costs of Defendants to take reasonable and adequate security measures ....”)). Accordingly, Plaintiffs’ alleged overpayment is not a basis for standing.
3. Diminution in Value
The Excellus Defendants argue that Plaintiffs’ allegation that they have suffered a diminution in value of their personal information does not support standing because Plaintiffs have not alleged any facts showing that the breach deprived them of any value. (Excellus Mot. at 8-9). Courts have rejected allegations that the diminution in value of personal information can support standing. See Welborn,
Finally, the Excellus Defendants argue that the asserted violations of various state statutes do not confer standing in federal court. (Excellus Mot. at 9). The Court agrees. See Spokeo,
D. Conclusion
Based on the foregoing, the Court grants the Excellus Defendants’ motion to dismiss the four non-misuse plaintiffs (Fero, Church, Boomershine, and Caltagarone) for lack of standing on the basis that they have not alleged an injury-in-fact. The Court dismisses these plaintiffs’ claims without prejudice, as the Court’s conclusion would not necessarily bar these plaintiffs from asserting a claim in the event that they suffered an actual misuse. Nonetheless, because there is no information before the Court that these plaintiffs could presently replead their claims to allege actual misuse, the Court declines to grant leave to replead.
IV. Causation
The second element of standing — causation — requires “a causal connection between the injury and the conduct complained of,” Lujan,
A. The Parties’ Arguments
The Excellus Defendants argue that the “misuse” Plaintiffs “have not pleaded any facts to tie their particular allegations of misuse to the Excellus cyberattack as opposed to any other possible source.” (Excellus Mot. at 10). The Excellus Defendants also argue that the alleged forms of misuse — phishing emails, fraudulent charges on credit or debit cards, tax fraud, and identity theft — are fairly common and could have been the result of the actions of some third party not before the Court or another data breach of recent years. (Id.). To that end, the Excellus Defendants, citing In re SAIC,
Plaintiffs respond to the Excellus Defendants’ argument stating, “[t]raceability does not require plaintiffs to rule out every
BCBSA argues that Mottern’s injuries cannot be deemed fairly traceable when she has not alleged that she provided her credit card information to Excellus, or that she paid her premiums to any Defendants directly or by credit card. (BCBSA Mot. at 9). BCBSA also argues that Mottern “alleges no facts demonstrating that the fraudulent charges, or even the cyberattack itself, are fairly traceable to any conduct by BCBSA.” (Id.). BCBSA identifies three purported deficiencies in that regard: First, according to BCBSA, Mottern has engaged in impermissible group pleading by lumping BCBSA in with either Excellus or with all Defendants. (Id. at 10). Second, BCBSA argues that Mottern’s allegations are conclusory, as she asserts “ ‘failings’ by Defendants without identifying what limitations, ‘best practices,’ or ‘safeguards’ BCBSA should have employed, and point[s] to no actual misconduct by BCBSA that resulted in injury to Plaintiffs.” (Id.). Third, BCBSA argues that “conclusory statements that BCBSA violated a statute, without more, are insufficient to confer Article III standing.” (Id.).
Plaintiffs respond to BCBSA by arguing that Mottern’s injuries are fairly traceable: the requirement is not onerous and may be satisfied even when the injury is indirectly traceable due to the intervening conduct by another person. (Pl. BCBSA Opp. at 4). Plaintiffs maintain that their allegations concerning BCBSA are sufficient: according to the CMC, BCBSA contracted to ensure that federal employees, like Mottern, benefitted from reasonable data security, that BCBSA, as agent for Excellus, failed to provide that security in certain respects, and that the failures led to identity theft, fraud, and the imminent risk of future harm. (Id. at 4-5 (citing CMC at ¶¶ 82-95, 134, 142-45)).
B. “Fairly Traceable” in Data Breach Context
In the data breach context, courts have rejected the argument that plaintiffs’ injuries are not fairly traceable when their information could have been compromised during a different data breach in recent years. See Remijas,
Other courts have similarly rejected challenges to standing based on traceability in the data breach context, finding the challenge better suited for a later stage of the litigation. See Lewert,
On the other hand, in In re SAIC,
C. Application
The Court finds Defendants’ arguments unpersuasive. The CMC plausibly alleges that the various forms of misuse are “fairly traceable” to the data breach on the Excellus networks. At this early stage of the litigation, Plaintiffs’ allegations are sufficient. They have alleged that the Defendants failed to safeguard their personal information — including names, dates of birth, social security numbers, member identification numbers, home addresses, telephone numbers, and financial information (CMC at ¶ 56) — and, as a direct result, hackers gained access to their personal information. They have also alleged that BCBSA contracted to ensure that federal employees, like Mottern, benefitted from reasonable data security, that BCBSA, as agent for Excellus, failed to provide that security in certain respects, and that the failures led to identity theft, fraud, and the imminent risk of future harm. (Id. at ¶¶ 82-95, 134, 142-45). These alleged chains of events are plausible, and, given that the causation element of standing is not an onerous hurdle, the Court finds that the Plaintiffs have sufficiently alleged this requirement and need not rule out alternative sources of their injuries. Thus, Defendants’ motion to dismiss the remaining
MOTIONS TO DISMISS FOR FAILURE TO STATE A CLAIM
Defendants further argue that, even if Plaintiffs did have standing, they have failed to state a claim.
I. Rule 12(b)(6) Standard
“To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Ashcroft v. Iqbal,
The plausibility standard “asks for more than a sheer possibility” that a defendant has acted unlawfully. Iqbal,
II. Contract-Based Claims
Defendants seek dismissal of Plaintiffs’ contract-based claims: (1) breach of express contract; (2) breach of the implied covenant of good faith and fair dealing, and (3) third party beneficiary claim for breach of contract under federal law.
A. Breach of Express Contract Claim (Third Claim for Relief)
Plaintiffs’ third claim for relief alleges breach of contract against the Excellus Defendants for breaching an express promise to ensure data security. (CMC at ¶¶ 208-22). According to Plaintiffs, three types of contracts are at issue in this case. (Id. at ¶ 209). First, some Plaintiffs “purchased individual insurance plans from Excellus and/or the Affiliate Defendants.” (Id.). Second, some Plaintiffs “enrolled pursuant to the terms of a group contract with Excellus and/or the Affiliate Defendants.” (Id.). Third, some plaintiffs “entered contracts with Defendants as health
The Excellus Defendants argue that this claim should be dismissed because, even if one assumes that the privacy policy is incorporated into an express contract between Defendants and each plaintiff, those privacy notices do not contain a definite material term promising Plaintiffs a particular level of data security. (Excellus Mot. at 13-14). According to the Excellus Defendants, those privacy notices merely contain disclosures concerning how Excellus may use healthcare information. (Id. at 13). The Excellus Defendants argue that Plaintiffs have not alleged any breach of the privacy notices’ two basic statements regarding data security: (1) that Excellus has a security coordinator to detect and prevent data breaches; and (2) that all computer systems that contain personal information have security protections. (Id. at 13-14).
In opposition, Plaintiffs argue that the privacy notices identified in the CMC (CMC at ¶¶ 60-81), contain the following definite promises:
• “We are committed to safeguarding your protected health information (PHI).” (Id. ¶ 61 & Ex. A; see also id. ¶ 69 & Exs. B-H.)
• Defendants “will not give out your nonpublic personal information to anyone unless we are permitted to do so by law.” (Id. ¶ 62 & Ex. A; see also id. ¶ 69 & Exs. B-H.)
• “It is our policy to keep all information about you confidential in all settings.” (Id. at Ex. A; see also id. at Exs. B, E-H.)
• “[W]e have a security coordinator to detect and prevent security breaches.” (Id. ¶ 64 & Ex. A; see also id. at Exs. B, E-H.)
• “[A]ll computer systems that contain personal information have security protections.” (Id. ¶ 64 & Ex. A; see also id. at Exs. B, E-H.)
• “We will notify you should there be a breach of unsecured information.” (Id. ¶ 65 & Ex. A; see also id. at Exs. B, E-H.)
(Pl. Excellus Opp. at 14-15). According to Plaintiffs, these statements are “simple, unambiguous, explicit promises of data security,” and Defendants breached them by allowing hackers long-term access to Plaintiffs’ personal information. (Id. at 16).
Under New York law,
Based on the foregoing, the Court finds the Excellus Defendants’ argument unpersuasive. Assuming, as the parties do and as it is alleged in the CMC (CMC at ¶¶ 216-17), that the privacy notices are incorporated by reference in the contracts between the parties, the statements from the privacy policies identified by Plaintiffs plausibly could be read to reflect a definite promise by Excellus to maintain the security of the personal information that it collected and stored on its networks. (Id. at ¶ 218). Because Plaintiffs have stated a breach of contract claim that is plausible on its face, the Court denies the Excellus Defendants’ motion to dismiss this claim for relief.
B. Breach of Implied Covenant of Good Faith and Fair Dealing (Fourth Claim for Relief)
Plaintiffs also allege a breach of the implied covenant of good faith and fair dealing against the Excellus Defendants. (Id. at ¶¶ 223-32). Plaintiffs allege that their contracts with the Excellus Defendants were subject to an implied covenant that the Excellus Defendants “would act fairly, reasonably, and in good faith in carrying out their contractual obligations to protect the confidentiality of Plaintiffs’ and Class Members’ Personal Information and to comply with industry standards and best practices, as well as federal and state law and applicable regulations for the security of this information.” (Id. at ¶ 225). Plaintiffs allege that, even if Defendants did not breach an express promise in the contracts as alleged in the third claim for relief, Excellus Defendants’ breaches of the covenant of good faith and fair dealing included:
failing to implement reasonable and adequate security measures consistent with industry standards and best practices to protect and limit access to the Personal Information contained in the Excellus Networks; permitting unrestricted access to the Personal Information in the database; and failing to implement reasonable auditing procedures to detect and halt the unauthorized extraction of Personal Information from the database.
(Id. at ¶ 227).
The Excellus Defendants contend that this claim should be dismissed, arguing
Plaintiffs argue that they do not seek to add substantive provisions to the contracts; rather, they allege that Defendants “fail[ed] to conform to applicable data security industry standards and best practices. This failure deprived Plaintiffs of the benefits of their agreements with Defendants — namely, confidentiality of their PHI and PII.” (Pl. Excellus Opp. at 17). In other words, according to Plaintiffs, Defendants’ failure to comply with those standards and best practices, although not expressly forbidden by any contractual provision, deprived Plaintiffs of the right to benefits under their contractual agreement with Defendants. (See id.).
“Under New York law, a covenant of good faith and fair dealing is implied in all contracts.” Fishoff v. Coty Inc.,
Breach of the implied duty of good faith and fair dealing “is merely a breach of the underlying contract.” Nat’l Mkt. Share, Inc. v. Sterling Nat’l Bank,
The Court finds that Plaintiffs’ implied covenant claim must be dismissed as duplicative of their breach of contract claim because both claims arise from the same facts and seek the same damages for each alleged breach. That is, both the breach of contract claim and implied covenant claim arise out of the Excellus Defendants’ failure to protect the confidentiality of Plaintiffs’ personal information and to comply with policies, industry standards, and best practices for data security. (Compare CMC at ¶ 218 (alleging breach of express contract by “violating the commitment to maintain the confidentiality and security of Personal Information” and by “failing to comply with their policies and applicable laws, regulations, industry standards, and best practices for data security and protecting the confidentiality of Personal Information”), with id. at ¶ 227 (alleging breach of implied covenant by “failing to implement reasonable and adequate security measures consistent with industry standards and best practices to protect and limit access to the Personal Information contained in the Excellus Networks; permitting unrestricted access to the Personal Information in the database; and failing to implement reasonable auditing procedures to detect and halt the unauthorized extraction of Personal Information from the database”)). Accordingly, the Court grants the Excellus Defendants’ motion to dismiss Plaintiffs’ claim for breach of the implied covenant of good faith and fair dealing, although the dismissal is without prejudice. Plaintiffs may not replead this claim as a separate cause of action because it would be futile. See Jordan,
C. Third-Party Beneficiary Claim for Breach of Contract Under Federal Law (Fifth Claim for Relief)
Plaintiffs also assert a third party beneficiary claim for breach of contract under federal law against Excellus and BCBSA, based on the following allegations. (Id. at ¶¶ 233-46). “BCBSA, acting as agent for, and on behalf of, Excellus, entered into a valid, binding, and enforceable express contract with OPM to provide insurance and other benefits under the Federal BCBS Plan.” (Id. at ¶ 234). Under this contract (known as Contract No. CS 1039), BCBSA:
promised, among other things: ... to take reasonable measures to protect the security and confidentiality of Federal Plaintiffs’ ... Personal Information, including through the measures described in the Notice of Privacy Practices for the BCBS Plan; and ... to protect Federal Plaintiffs’ ... Personal Information in compliance with federal and state laws, regulations, and industry standards.
(Id. at ¶ 235). Those “Federal Plaintiffs” — who are current and former federal employees and annuitants who obtained coverage under the Federal BCBS Plan, including Mottern — allege that they “are intended third-party beneficiaries of the data security provisions in the contract between BCBSA ... and OPM, and are entitled to directly enforce its terms.” (Id. at ¶ 242; see also id. at ¶ 87). Included in the Federal BCBS Contract are data security provisions that are intended to benefit Plaintiffs. (Id. at ¶ 243). They allege that “BCBSA ... agreed to protect the
1. Background
The Federal Employee Health Benefits Act of 1959 (“FEHBA”), 5 U.S.C. §§ 8901 et seq., “establishes a comprehensive program of health insurance for federal employees” and “authorizes the Office of Personnel Management (OPM) to contract with private carriers to offer federal employees an array of health-care plans.” Empire Healthchoice Assur., Inc. v. McVeigh,
One such plan is the BCBS Government-Wide Service Benefit Plan, also known as the Federal Employee Program (“Federal BCBS Plan”). (CMC at ¶ 82). The Plan is governed by Contract No. CS-1039 and its amendments (“Federal BCBS Contract”),
FEHBA requires that the contracts between OPM and the carriers include a “detailed statement of benefits offered and shall include such maximums, limitations, exclusions, and other definitions of benefits as [OPM] considers necessary or desirable.” 5 U.S.C. § 8902(d). Accordingly, the Federal BCBS Contract provides that “[t]he carrier [BCBSA] shall provide the benefits as described in the agreed upon” Statement of Benefits, which is attached to and incorporated into the contract. See Federal BCBS Contract at § 2.2(a); (Dkts. 111-6 through 111-9 (2013-2015 Statements of Benefits)). The terms of the contract are renegotiated every year.
Federal regulations provide that enrollees may seek administrative review of disputed “health benefits” claims. Part of that process involves review by OPM and proceeds as follows. First, “[a]ll health benefits claims [under the Federal BCBSA contract] must be submitted initially to the carrier of the covered individual’s health benefits plan.” 5 C.F.R. § 890.105(a)(1) (emphasis added). “If the carrier denies a [health benefits] claim (or a portion of a claim), the covered individual may ask the carrier to reconsider its denial.” Id. “If the carrier affirms its denial or fails to respond ..., the covered individual may ask OPM to review the claim.” Id. (empha
A covered individual may seek judicial review of OPM’s final action on the denial of a health benefits claim. A legal action to review final action by OPM involving such denial of health benefits must be brought against OPM and not against the carrier or carrier’s subcontractors. The recovery in such a suit shall be limited to a court order directing OPM to require the carrier to pay the amount of benefits in dispute.
5 C.F.R. § 890.107 (emphasis added).
In addition to reviewing disputed health benefits claims as described above, OPM has the power to manage the contract and the carriers’ performance under it. OPM “may prescribe reasonable minimum standards for health benefits plans ... and for carriers offering the plans,” 5 U.S.C. § 8902(e), and “may prescribe regulations necessary to carry out” FEHBA, id. § 8913(a). See also 48 C.F.R. Chapter 16. OPM “has the right to inspect or evaluate the work performed or being performed under the contract and the premises where the work is being performed,” Federal BCBSA Contract § 1.11(a), in addition to the right to audit the carrier, id. § 1.11(b). And, OPM has the authority to negotiate the premium rates paid under FEHBA plans. See 5 U.S.C. § 8902(i) (“Rates under health benefits plans ... shall be determined on a basis which, in the judgment of [OPM], is consistent with the lowest schedule of basic rates generally charged for new group health benefit plans issued to large employers.”).
OPM also has the authority to take remedial action against a carrier. OPM may penalize a carrier for failing to inform OPM within 10 days of any “Significant Event,” that is, an occurrence “that might reasonably be expected to have a material effect upon the [c]arrier’s ability to meet its obligations under this contract, including, but not limited to, any of the following” thirteen listed occurrences, none of which explicitly concern data security.
In addition to the “Significant Events” clause, the Federal Contract includes a
The Federal BCBS Contract includes provisions regarding data security. Section 1.30(a) provides that BCBSA is “required ... to, at a minimum, comply with equivalent privacy and security policies as are required of a ‘covered entity’ under the HIPAA Privacy and Security regulations.” Id. § 1.30(a). Section 1.30(d), which was added to the contract in 2014, states that OPM “may recommend that [BCBSA] adopt” certain data security “best practice[s]” that BCBSA must agree to adopt, explain why it is already in compliance, or explain why an alternative best practice is “equally, if not more, appropriate ... than the [recommended] best practice.” Id. § 1.30(d). Section 1.6(b) states that BCBSA “shall ... hold all medical records, and information relating thereto, of Federal subscribers confidential.” Id. § 1.6(b). Moreover, the Statement of Benefits provides that “[w]e will keep your medical and claims information confidential.” (Dkt. 111-7 (2014 Statement of Benefits) at 15).
2. Parties’ Arguments
BCBSA moves to dismiss the third party beneficiary claim, arguing that Mottern is not an intended third-party beneficiary and that enrollees do not have independent rights to enforce that contract against carriers. BCBSA contends that Mottern has not identified any contractual provision stating that the parties intended for the contract to create enforceable rights for enrollees. (BCBSA Mot. at 14). BCBSA argues that only OPM has enforcement authority, as evidenced by the following: (1) the administrative review process for health benefits disputes, which culminates in review by OPM and judicial review of OPM’s decision and which does not allow suit against the carrier; (2) OPM’s broad range of power to remedy poor carrier performance, including, but not limited to, its power under the Significant Events Clause; (3) OPM’s audit rights regarding carrier performance, including a carrier’s data security; and (4) FEHBA’s objective to ensure uniform administration of FEHBA benefits. (Id. at 14-17). The Excellus Defendants adopt and incorporate by reference BCBSA’s arguments on this point. (Excellus Mot. at 24-25).
Plaintiffs argue that Mottern is an intended third-party beneficiary of the contract and has the right to enforce it. (Pl. BCBSA Reply at 6). They argue that the parties’ clear intent to benefit the members of the Federal Employee class is evident in several ways. First, the contract’s language and purpose clearly reflect intent to provide benefits, including data security, to enrollees. (Id. at 8-9). Second, such intent is evident because the contract provides that certain rights and benefits, including “health benefits,” are enforceable by enrollees through an administrative procedure, which must be exhausted before an enrollee may file a lawsuit against OPM. According to Plaintiffs, “[i]f the contract gave enrollees no enforceable rights (as BCBSA suggests), the contract would not expressly acknowledge the right to challenge health benefits determinations via administrative procedures and, once
3. Whether Plaintiffs are Intended Third Party Beneficiaries
Plaintiffs are not parties to the Federal BCBSA contract, and as a result, to assert a claim they must establish that they are intended third party beneficiaries of that contract. “According to federal common law, a third party must be an intended, rather than incidental, beneficiary in order to enforce a contract. Federal common law, in deciding whether a third-party beneficiary may sue, looks to the same considerations as does the Restatement of Contracts.” Caires v. JP Morgan Chase Bank, N.A.,
Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intention of the parties and ... (b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.
Restatement (Second) of Contracts § 302(1) (1981); see also id. at cmt. a (distinguishing “an ‘intended’ beneficiary, who acquires a right by virtue of a promise, from an ‘incidental’ beneficiary, who does not”). In explaining federal common law, the Second Circuit explained that “[p]roving third-party beneficiary status requires that the contract terms ‘clearly evidence[] an intent to permit enforcement by the third party’ in question.” Hillside Metro Assocs., LLC v. JPMorgan Chase Bank, Nat. Ass’n,
The Restatement sets forth a heightened standard for evaluating intended third party beneficiary status where a government agency is a party to the contract. The rationale for this is that “[g]overnment contracts often benefit the public, but individual members of the public are treated as incidental beneficiaries unless a different intention is manifested.” Restatement (Second) of Contracts § 313 cmt. a (emphasis added). Section 313 of the Restatement therefore provides:
[A] promisor who contracts with a ... governmental agency to do an act for or render a service to the public is not subject to contractual liability to a member of the public for consequential damages resulting from performance or failure to perform unless (a) the terms of the promise provide for such liability; or (b) the promisee is subject to liability to the member of the public for the damages and a direct action against the promisor is consistent with the terms of the contract and with the policy of the law authorizing the contract and prescribing remedies for its breach.
“Thus, under the Restatement of Contracts, a plaintiff claiming to be the intended third party beneficiary of a government contract must show that he was intended to benefit from the contract and that third-party beneficiary claims are consistent with the terms of the contract and the policy underlying it.” Rivera v. Bank of Am. Home Loans, No. 09 CV 2450 (LB), 2011 WL 1533474, at *4 (E.D.N.Y. Apr. 21, 2011) (quotations omitted).
Despite Plaintiffs’ reliance on Anthem I, that court did not address whether the federal employee plaintiffs were intended third party beneficiaries of the Federal BCBSA contract, given that the defendants did not challenge the plaintiffs’ status as such. See Anthem I,
Regarding the first issue, intent to benefit, Plaintiffs argue that “the entire purpose of the [Federal] BCBSA Contract is to bestow benefits on federal employees enrolled in the FEHB.” (Pl. BCBSA Opp. at 9). The Court agrees that the general purpose of the contract is to benefit federal employees. This is plainly evident from the terms of the contract itself. Section 2.2(a) of the Federal BCBSA Contract states that “the [c]arrier shall provide the benefits as described in the agreed upon” Statement of Benefits, which provides that enrollees “are entitled to the benefits described” within it. (Dkt. 111-7 at 6). Thus, despite not being parties to the contract, federal employees are intended to benefit from it. But whether the contract generally benefits those employees does not answer the entire question. As the Second Circuit has instructed, “[p]roving third-party beneficiary status requires that the contract terms clearly evidence an intent to permit enforcement by the third party in question.” Hillside Metro Assocs.,
Plaintiffs’ allegations do not meet this hurdle. In the CMC, they allege, without elaboration, that “[e]nrollees in the Federal BCBS Plan, including the Federal Employee Plaintiffs and Federal Employee Class Members, are the intended beneficiaries of benefits and services under the Federal BCBS Contract, including terms pertaining to the confidentiality of Enrollees’ Personal Information.” (CMC at ¶ 87). In their opposition to BCBSA’s motion, Plaintiffs elaborate on the clear intent requirement. They assert that intent is evi
D. Unjust Enrichment Claim (Seventh Claim for Relief)
In their Seventh Claim, Plaintiffs assert, in the alternative, a claim for unjust enrichment against the Excellus Defendants. (CMC at ¶¶ 254-62). Plaintiffs allege that they “conferred a monetary benefit on Defendants in the form of premiums,” that a portion of those fees “should have been used by Defendants ... to pay for the administrative costs of reasonable data privacy and security practices and procedures,” and that, “[a]s a result of Defendants’ conduct ..., Plaintiffs and Class Members suffered actual damages in an amount equal to the difference in value between health insurance and health benefit services associated with the reasonable data privacy and security practices and procedures that Plaintiffs and Class Members paid for, and the inadequate health insurance and health benefits services without reasonable data privacy and security practices and procedures that they received.” (Id. at ¶¶ 256-59). According to Plaintiffs, “Defendants should not be permitted to retain money belonging to Plaintiffs and Class Members because Defendants failed to use that money to implement the reasonable data privacy and security practices and procedures that Plaintiffs and Class Members paid for and that were otherwise mandated by HIPAA regulations, federal and state law, and industry standards and best practices.” (Id. at ¶ 260).
The Excellus Defendants seek to dismiss Plaintiffs’ unjust enrichment claim, contending that there can be no unjust enrichment claim where an express agreement governs the same subject matter and they can obtain relief on their breach of contract claim. (Excellus Mot. at 25). Plaintiffs respond that their unjust enrichment claim is pleaded in the alternative, and as a result, “the Court should defer ruling at least until the breach of contract claim is resolved on the merits.” (Pl. Excellus Opp. at 18).
Under New York law, “[a] ‘quasi contract’ only applies in the absence of an express agreement, and is not really a contract at all, but rather a legal obligation imposed in order to prevent a party’s unjust enrichment.” Clark-Fitzpatrick, Inc. v. Long Island R. Co.,
In In re Anthem, Inc. Data Breach Litigation, No. 15-MD-02617-LHK,
A similar outcome is warranted here. As noted above, the parties dispute whether the parties have an enforceable contract with definite and material terms regarding the provision of data security. Accordingly, Plaintiffs will neither be required to elect their remedy nor barred from proceeding on an unjust enrichment theory. The Court therefore denies the Excellus Defendants’ motion to dismiss the unjust enrichment claim based on their contention that that claim is precluded by the breach of contract claim.
III. Negligent Misrepresentation Claim (Sixth Claim for Relief)
In their Sixth Claim, Plaintiffs assert a claim for negligent misrepresentation against the Excellus Defendants. They allege as follows:
Defendants negligently and recklessly misrepresented material facts pertaining to the sale of insurance and health benefits services by representing ... that they would maintain adequate data privacy and security practices and procedures to safeguard Plaintiffs and Statewide Class Members’ Personal Information from unauthorized disclosure, release, data breaches, and cyber attack ... [and] that they would comply with the requirements of relevant federal and state laws pertaining to the privacy and security of Plaintiffs and Statewide Class Members Personal Information.
(CMC at ¶¶ 248-49). Plaintiffs allege that the Excellus Defendants knew or should have known that their representations were not true because they had received warnings about the inadequacy of their data security. (Id. at ¶ 250). Plaintiffs further allege that they relied on the Excellus Defendants’ misrepresentations when purchasing health insurance, but Plaintiffs would not have done so had they known of the Excellus Defendants’ inadequate data security and failure to comply with federal and state laws pertaining to data security. (Id. at ¶ 252).
The Excellus Defendants seek dismissal of the negligent misrepresentation claim on two grounds. (Excellus Mot. at 16-19). First, the Excellus Defendants contend that “none of the plaintiffs allege facts
Federal Rule of Civil Procedure 9(b) requires that “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person’s mind may be alleged generally.” Fed. R. Civ. P. 9(b). Despite a “muddled history in this circuit,” Rule 9(b) applies to negligent misrepresentation claims under New York law. Schwartzco Enters. LLC v. TMH Mgmt., LLC,
In Eternity Global Master Fund Ltd. v. Morgan Guaranty Trust Co. of New York,
In Aetna Casualty & Surety Co. v. Aniero Concrete Co., Inc.,
Under New York law, “[a] claim for negligent misrepresentation requires the plaintiff to demonstrate (1) the existence of a special or privity-like relationship imposing a duty on the defendant to impart correct information to the plaintiff; (2) that the information was incorrect; and (3) reasonable reliance on the information.” J.A.O. Acquisition Corp. v. Stavitsky,
Reasonable or justifiable reliance is also an element of a negligent misrepresentation claim under any other potentially applicable law. See Bloch v. Wells Fargo
The Excellus Defendants argue that “no plaintiff has alleged facts supporting the conclusion he or she relied on or even knew about the alleged misstatements cited in the complaint.” (Excellus Mot. at 17). According to the Excellus Defendants, Plaintiffs’ assertion that they purchased insurance in reliance on alleged misstatements (CMC at ¶ 251) is conclusory. (Excellus Mot. at 17-18). Plaintiffs respond that their allegations are sufficient to establish reliance under New York law and the law of any other applicable state: the CMC alleges that Plaintiffs were informed that Defendants would adhere to privacy policies and practices (e.g., CMC at ¶¶ 60-90), and purchased insurance in reliance on those misrepresentations (id. at ¶¶ 251-52). (Pl. Excellus Opp. at 19).
The Court agrees with the Excellus Defendants. Plaintiffs have failed to allege with any particularity that they actually read or saw the notices concerning privacy policies and practices as described in the CMC at ¶¶ 60-94. Instead, Plaintiffs only offer the conclusory assertion that, “[i]n reliance upon Defendants misrepresentations, Plaintiffs and Statewide Class Members purchased insurance or health benefits services from Defendants.” (CMC at ¶ 251). Failure to plead any facts concerning their purported reliance requires dismissal of Plaintiffs’ negligent misrepresentation claim. See DeBlasio v. Merrill Lynch & Co., No. 07 Civ 318(RJS),
In addition to challenging the reliance requirement, the Excellus Defendants further argue that Plaintiffs’ negligent misrepresentation claim under New York law should be dismissed because Plaintiffs have not adequately alleged that they and the Excellus Defendants are in a special relationship. (Excellus Mot. at 18-19). In the CMC, Plaintiffs allege that a special relationship exists between them and Defendants for two reasons:
Defendants entered into a “special relationship” with the Plaintiffs and Class Members whose Personal Information was requested, collected, and received by Defendants. A “special relationship” also exists between Defendants and Plaintiffs and the Class Members because Defendants are insurers and providers of health plan services and thus stand in a fiduciary or quasi-fiduciary relationship with Plaintiffs and Class Members.
(CMC at ¶ 193).
The Excellus Defendants contend that courts applying New York law “consistently reject negligent misrepresentation claims brought against insurers absent some specific allegations of interactions between the parties creating a special relationship.” (Id. at 19). Plaintiffs respond that their allegations are sufficient to establish that the Excellus Defendants owed Plaintiffs a duty of care: “Plaintiffs allege they were without knowledge, received assurances from Defendants who had exclusive knowledge, and relied on those assurances.” (Pl. Excellus Opp. at 21 (citing CMC at ¶¶ 167(g), 251-52)).
As stated above, one element of a negligent misrepresentation claim under New York law is “the existence of a special or privity-like relationship imposing a duty on the defendant to impart correct information to the plaintiff.” J.A.O. Acquisition Corp.,
Here, the CMC does not include any facts that would suggest that Plaintiffs have a relationship with the Excellus Defendants that is unique or differs from that of a reasonable consumer. Plaintiffs allege that a special relationship existed because the Excellus Defendants had exclusive knowledge about their data security policies, and Plaintiffs provided their personal
Accordingly, the Court grants the Excellus Defendants’ motion to dismiss Plaintiffs’ negligent misrepresentation claim on the basis that Plaintiffs have not adequately alleged reliance or a special relationship. Because Plaintiffs could theoretically allege facts to plausibly state a claim for negligent misrepresentation, the dismissal is without prejudice and the Court grants Plaintiffs leave to replead this claim.
IV. Plaintiffs’ State Statutory Claims (Eighth, Ninth, and Tenth Claims for Relief)
In their Eighth, Ninth, and Tenth Claims for relief, Plaintiffs assert violations of various state laws against the Excellus Defendants. (CMC at ¶¶ 263-303). One of those state law claims, under New York General Business Law (“GBL”) § 349, is also asserted against BCBSA. (BCBSA Mot. at 3-4 (“Plaintiffs’ counsel have informed BCBSA’s counsel that the only state law violation alleged against BCBSA is under GBL § 349, and that Plaintiffs are dropping the remaining portions of Count VIII, and all of Counts IX and X, as against BCBSA.”)).
A. New York General Business Law § 349 (included in Eighth Claim for Relief)
The Excellus Defendants seek dismissal of Plaintiffs’ claim under New York General Business Law (“GBL”) § 349 (Excellus Mot. at 19-24), as does BCBSA (BCBSA Mot. at 22-25). The Court addresses Defendants’ challenges to this claim in turn.
New York Plaintiffs assert a claim under GBL § 349. GBL § 349 prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service.” N.Y. Gen. Bus. § 349(a). To successfully assert a GBL § 349 claim, “‘a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice.’” Orlander v. Staples, Inc.,
New York Plaintiffs allege that, in the course of their business, Defendants collected and stored Plaintiffs’ personal information, and engaged in deceptive practices, as follows. Defendants allegedly:
• misrepresented and advertised that they “would maintain adequate data privacy and security practices and procedures to safeguard New York Class Members’ PII and PHI from unauthorized disclosure, release, data breaches, and cyber attack,” (CMC at ¶ 281(a));
• misrepresented material facts by “representing and advertising that they did and would comply with the requirements of relevant federal and state laws pertaining to the privacy and security of New York Class Members’ PII and PHI,” (id. at ¶ 281(b));
• “omitted, suppressed, and concealed the material fact of the inadequacy of their privacy and security protections for New York Class Members’ PII and PHI,” (id. at ¶ 281(c));
• failed “to maintain the privacy and security of New York Class Members’ PII and PHI, in violation of duties imposed by and public policies reflected in applicable federal and state laws ...,” (id. at ¶ 281(d));
• failed “to disclose the Excellus data breach to New York Class Members in a timely and accurate manner,” (id. at ¶ 281(e)); and
• failed “to take proper action following the Excellus data breach to enact adequate privacy and security measures and protect New York Class Members’ PII and PHI from further unauthorized disclosure, release, data breaches, and theft,” (id. at ¶ 281(f)).
1. Material Misrepresentation
The Excellus Defendants argue, with respect to the second element of a GBL § 349 claim, that Plaintiffs have not alleged a materially misleading statement attributable to Defendants. (Excellus Mot. at 20-21). Relying primarily on Abdale v. North Shore-Long Island Jewish Health System, Inc.,
In opposition, Plaintiffs contend that the CMC alleges that the Defendants violated GBL § 349 in two ways, both of which are actionable under that statute: (1) by omission — that is, by “neglecting to disclose their inadequate cybersecurity practices”; and (2) by affirmative misrepresentation of their efforts to safeguard Plaintiffs’ personal information. (Pl. Excellus Opp. at 22). Plaintiffs point to Anthem I,
New York courts define “deceptive acts and practices” objectively as “representations or omissions, limited to those likely to mislead a reasonable consumer acting reasonably under the circumstances.” Oswego Laborers’ Local 214 Pension Fund v. Marine Midland Bank, N.A.,
In Anthem I, the court concluded that the plaintiffs adequately pleaded a GBL § 349 claim. See
In Abdale,
the statements allegedly made by defendants in the privacy policy and online notices do not constitute an unlimited guaranty that patient information could not be stolen or that computerized data could not be hacked. [The] defendants’ alleged failure to safeguard [the] plaintiffs’ protected health information and identifying information from theft did not mislead the plaintiffs in any material way and does not constitute a deceptive practice within the meaning of [GBL § 349].
Id. at 1039,
In light of the foregoing, the Court disagrees with the Excellus Defendants. Based on Plaintiffs’ allegations, it is at least plausible that the Excellus Defendants’ representations in their privacy policies and on their websites concerning data security (catalogued above) would lead a reasonable consumer to believe that the Excellus Defendants were providing more adequate data security than they purportedly were. (CMC at ¶ 281). It is also at least plausible that the Excellus Defendants’ failure to disclose the purportedly inadequate data security measures would mislead a reasonable consumer. (See id.). At least at the pleading stage, these allegations are sufficient. Indeed, at least one district court has held, in a data breach case, that the plaintiffs sufficiently alleged materially misleading conduct based on the allegation that the defendants misrepresented that they “would comply with the
2. Whether violations of other statutes support a claim under GBL § 349
The Excellus Defendants also argue that Plaintiffs have used GBL § 349 to allege liability under other statutes that do not provide for a private right of action: the Federal Trade Commission Act (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1302d), the Gramm-Leach-Bliley Act (15 U.S.C. § 6801), New York’s Protection Mechanisms for Insurance Payment Information (N.Y. Soc. Serv. § 367-a(2)(B)), and N.Y. GBL § 899-aa(2). (Excellus Mot. at 21-22). Plaintiffs respond only briefly in a footnote, arguing that “Plaintiffs allege that Defendants violated § 349 itself by engaging in consumer-oriented conduct that was materially misleading, thereby injuring Plaintiffs.” (Pl. Excellus Opp. at 23 n.20).
The Excellus Defendants’ argument primarily relies on Conboy v. AT & T Corp.,
As the Excellus Defendants point out, none of the statutes cited in the CMC at ¶ 281(d) or (e) provide a private right of action. See Alfred Dunhill Ltd. v. Interstate Cigar Co.,
Based on the foregoing, the Court dismisses Plaintiffs’ GBL § 349 claims, to the extent that they rest on ¶¶ 281(d) and (e)
3. GBL § 349 Claim against BCBSA
Plaintiffs’ GBL § 349 claim is asserted against BCBSA in addition to the Excellus Defendants. (See BCBSA Mot. at 3-4). BCBSA argues that the claim against it should be dismissed for three reasons: (1) Plaintiffs allege no conduct by BCBSA specifically that could support a GBL § 349 claim against BCBSA, particularly given that the cyberattack occurred on the Excellus Defendants’ information systems, not BCBSA’s information systems; (2) Plaintiffs’ GBL § 349 claim is conflict preempted as applied to the Service Benefit Plan; and (3) the filed rate doctrine bars these claims. The Court addresses each of these arguments in turn.
i. Allegations Specific to BCBSA
As to BCBSA’s first challenge, Plaintiffs respond that, “when read as a whole, the [CMC] describes how BCBSA violated the GBL in the manner described in Count VIII.”
The Court agrees with Plaintiffs that these allegations are sufficiently specific to BCBSA as opposed to any other defendant. As with the GBL § 349 claims against the Excellus Defendants, the various representations by BCBSA that the personal information of Plaintiffs would be protected may plausibly mislead a reasonable consumer. Drawing all reasonable inferences in Plaintiffs’ favor, these allegations are sufficiently specific at least at the pleading stage. Accordingly, the Court declines to dismiss Plaintiffs’ GBL § 349 claim against BCBSA on this basis.
ii. Conflict Preemption
Conflict preemption applies “where local law conflicts with federal law such that it is impossible for a party to comply with both or the local law is an obstacle to the achievement of federal objectives.” New York SMSA Ltd. P’ship v. Town of Clarkstown,
BCBSA’s second challenge is that the GBL § 349 claim is conflict preempted as applied to the Service Benefit Plan. (BCBSA Mot. at 24). BCBSA contends that “the broad enforcement powers that Congress gave to OPM, see, e.g., 5 U.S.C. §§ 8902(e), 8910, 8913(a), conflict with Plaintiffs’ attempt to use state law to regulate the conduct of a FEHBA carrier.” (Id.). BCBSA analogizes this case to Kight v. Kaiser Foundation Health Plan of Mid-Atlantic States, Inc.,
Plaintiffs point to Anthem I, in which the district court rejected a similar conflict preemption-based argument “that the application of certain state laws, including a California consumer protection statute would ‘interfere with OPM’s exclusive authority to police FEHBA carriers.’ ” (Pl. Reply at 22 (quoting Anthem I, 162 F.Supp.3d at 1016)). In reaching that conclusion, the Anthem I court found that “OPM’s exclusive authority does not apply to claims over an individual’s data privacy,” given that FEHBA has a unique federal interest in the provision of health benefits, not data security. Anthem I,
A report from the House of Representatives, for instance, “expressed fear that the imposition of state-law requirements on FEHBA contracts would result in ... a lack of uniformity of benefits for enrollees in the same plan.” Helfrich v. Blue Cross and Blue Shield Ass’n, 804 F.3d 1090, 1106 (10th Cir. 2015) (quoting H.R. Rep. No. 95-282 at 4 (1977)) (alteration omitted) (emphasis added). Additional reports from the House and Senate further confirm the importance of FEHBA in the administration of benefits and medical coverage. See id. at 1106-07 (citing additional reports).
Id.
The Court finds Anthem I to be the more persuasive analogy. Kight concerned a health benefits dispute, whereas Anthem I concerned the provision of data security and thus is the more analogous case. Accordingly, as the Anthem I court concluded, the purpose of FEHBA does not, as a matter of law, evidence an intent to preempt state law claims arising out of promises concerning data security, and as a result, the Court declines to dismiss Plaintiffs’ GBL § 349 claims on the basis of preemption.
iii. Filed Rate Doctrine
In their GBL § 349 claim, one form of damages that Plaintiffs seek is benefit of the bargain damages. (CMC at ¶ 284 (“As a direct and proximate result of Defendants’ deceptive trade practices, New York Class Members suffered injury and/or damages, including the loss of their legally protected interest in the confidentiality and privacy of their PII and PHI, and the loss of the benefit of their respective bargains.”)). BCBSA argues that this cause of action violates the filed rate doctrine.
The filed rate doctrine “holds that any ‘filed rate’ — that is, one approved by the governing regulatory agency — is per se reasonable and unassailable in judicial proceedings brought by ratepayers.” Simon v. KeySpan Corp.,
When the filed rate doctrine applies, it is rigid and unforgiving. Indeed, some have argued that it is unjust. It does not depend on the culpability of the defendant’s conduct or the possibility of inequitable results, nor is it affected by the nature of the cause of action the plaintiff seeks to bring. It applies whenever a claim would implicate its underlying twin principles of preventing carriers from engaging in price discrimination as between ratepayers and preserving the exclusive role of federal agencies in approving rates. And when the doctrine applies, it bars both state and federal claims.
Simon,
This doctrine has been applied in the insurance context. Most relevant to this case, in Anthem II, the district court concluded that the filed-rate doctrine under New Jersey law foreclosed claims for benefit-of-the-bargain losses in the context of a breach of contract claim.
Here, BCBSA argues that the filed-rate doctrine bars Plaintiffs’ GBL § 349 claim against it because “awarding damages under that statute would implicate the same nonjusticiability and nondiscrimination principles” underlying the filed-rate doctrine. (BCBSA Mot. at 20-22, 25). That is, according to BCBSA, awarding benefit-of-the-bargain losses would invite the Court to second-guess the insurance premium rates set by OPM and determine what rates were reasonable in light of the purportedly inadequate services. (Id. at 21, 25).
The Court agrees. By asking for benefit-of-the-bargain losses, the Court would be in a position of determining the reasonableness of the rates approved by OPM in light of the data breach. Thus, the filed rate doctrine applies such that Plaintiffs may not recover benefit-of-the-bargain damages under their GBL § 349 claim against BCBSA.
Plaintiffs’ arguments to the contrary are unpersuasive. They argue that the filed-rate doctrine does not apply because “there is no ‘filed rate’ at issue. ...” (Pl. BCBSA Opp. at 17-19, 23). According to Plaintiffs, “the doctrine applies only to rates filed pursuant to statutory filing requirements,” and the “Second Circuit has recognized that because the rates in FEHBA contracts are privately negotiated between OPM and private carriers, they are not tariffs, meaning they are not ‘filed rates,’ and thus the filed rate doctrine does not apply.” (Id. at 17 (citing Empire HealthChoice Assurance, Inc. v. McVeigh,
B. California Customer Records Act Claim (Ninth Claim for Relief)
In the ninth claim for relief, the California Plaintiffs assert a violation of the California Customer Records Act (“CCRA”), Cal. Civ. Code §§ 1798.80 et seq., against the Excellus Defendants. (CMC at ¶¶ 304-10). California Plaintiffs allege that “Defendants are businesses that own, maintain, and license personal information, within the meaning of [§ ] 1798.81.5, about Plaintiffs and California Class Members,” (id. at ¶ 307), and that “[t]hose Defendants that are not ‘a provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act,’ violated Civil Code section 1798.81.5 by failing to implement reasonable measures to protect Plaintiffs’ and California Class Members’ Personal Information,” (id. at ¶ 308).
The Excellus Defendants seek dismissal of this claim, arguing that the CCRA does not apply to entities, like Excellus, that are covered under HIPAA. (Excellus Mot. at 22-23). Plaintiffs agree that this exception applies and consent to dismissal of this claim against Excellus. (Pl. Excellus Opp. at 26).
The Excellus Defendants also seek dismissal of this claim on the grounds that the CCRA “also does not apply to a ‘health care service plan,’ as defined in the Knox-Keene Health Care Service Plan Act of 1975.” (Excellus Mot. at 22-23). The Excellus Defendants point to those portions of the CMC in which Plaintiffs allege that all defendants are insurance institutions. (Id. at 23 (citing CMC at ¶¶ 313, 321)). In their opposition papers, California Plaintiffs note that they “also assert a CCRA claim against Defendant Lifetime Healthcare, Inc.” (Pl. Excellus Opp. at 26). California Plaintiffs contend that “Defendant Lifetime does not fall within the HIPAA exception to the CCRA, and Defendants do not argue otherwise.” (Id.).
As an initial matter, California Plaintiffs have failed to respond to the Excellus Defendants’ assertion concerning the applicability of the CCRA to “health care service plans.” (See id.; Excellus Reply at 17 n.3). As discussed previously, “courts in this circuit have held that a plaintiff’s failure to respond to contentions raised in a motion to dismiss constitutes an abandonment of the applicable claims.” Bond,
The CCRA does not apply to “[a] provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act.” Cal. Civ. Code § 1798.81.5(e)(1). Under the Confidentiality of Medical Information Act, a “health care service plan” is “any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975.” Id. § 56.05(g). The Knox-Keene Health Care Service Plan Act of 1975, in turn, defines a “health care service plan” in two ways:
(1) Any person who undertakes to arrange for the provision of health care services to subscribers or enrollees, or to pay for or to reimburse any part of the cost for those services, in return for a prepaid or periodic charge paid by or on behalf of the subscribers or enrollees.
(2) Any person, whether located within or outside of this state, who solicits or contracts with a subscriber or enrollee in this state to pay for or reimburse any part of the cost of, or who undertakes to arrange or arranges for, the provision of health care services that are to be provided wholly or in part in a foreign country in return for a prepaid or periodic charge paid by or on behalf of the subscriber or enrollee.
Cal. Health & Safety Code § 1345(f).
California Plaintiffs’ CCRA claim must be dismissed for two reasons. First, Plaintiffs purport to assert this claim against “[t]hose Defendants that are not ‘a provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act,’ ” without specifying which Defendants fall within the exclusions that Plaintiffs identify. (See CMC at ¶ 380). Defendants should not have to guess whether this claim is alleged against them. Second, even if this claim could be read as being asserted against Lifetime (as Plaintiffs contend in their opposition papers), Plaintiffs’ assertions concerning Lifetime undermine that claim. As alleged in the CMC, Lifetime Healthcare “is the parent and/or holding company of a $6.6 billion family of companies, known as The Lifetime Healthcare Companies, that finances and delivers health care in New York State, as well as long-term care nationwide.” (CMC at ¶ 42). Elsewhere in the CMC, Plaintiffs allege that all Defendants are “insurance institutions” as that term is defined under both New Jersey and North Carolina law. (Id. at ¶¶ 313, 320). In other words, Plaintiffs’ own allegations define Lifetime as a “health care service plan.” Accordingly, the Court grants the Excellus Defendants’ motion to dismiss the CCRA claim with prejudice, and leave to replead is denied as futile.
C. New Jersey Insurance Information Practices Act and North Carolina Consumer and Customer Information Privacy Act Claims (Tenth Claim for Relief)
The New Jersey Insurance Information Practices Act (“NJIIPA”) states that “[a]n insurance institution, agent or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure” falls under one of several enumerated exceptions. N.J. Stat. Ann. § 17:23A-13 (emphasis added). The North Carolina Consumer and Customer Information Privacy Act (“NCCIPA”) mirrors the NJIIPA, stating that “[a]n insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure” falls under one of sev
In their tenth claim for relief, New Jersey Plaintiffs assert claims against the Excellus Defendants under the NJIIPA, alleging that “Defendants disclosed ‘personal information’ regarding Plaintiffs and members of the New Jersey Class that was collected or received in connection with insurance transactions without the Plaintiffs’ and New Jersey Class Members’ written authorization, in violation of N.J. Stat. § 17:23A-13.” (CMC at ¶ 315). Similarly, North Carolina Plaintiffs assert claims against the Excellus Defendants under the NCCIPA, alleging that “Defendants disclosed personal information regarding Plaintiffs and members of the North Carolina Class that was collected or received in connection with insurance transactions without the Plaintiffs’ and North Carolina Class Members’ written authorization, in violation of N.C. Gen. Stat. § 58-39-75.” (Id. at ¶ 323).
The Excellus Defendants seek dismissal of both claims, arguing that neither statute applies because “Excellus did not disclose plaintiffs’ personal information. Rather, cyberattackers hacked into Excellus’s data network systems and may have stolen this information.” (Excellus Mot. at 23). Plaintiffs disagree, arguing that both the NJIIPA and the NCCIPA “protect Plaintiffs from the unauthorized disclosure of confidential information collected by insurance companies during insurance transactions.” (Pl. Excellus Opp. at 24).
Neither the NJIIPA nor the NCCIPA specifically define the terms “disclose” or “disclosure.” See N.J. Stat. Ann. § 17:23A-2 (setting forth NJIIPA definitions); N.C. Gen. Stat. Ann. § 58-39-15 (setting forth NCCIPA definitions). The parties have not identified cases interpreting those terms under either the NJIIPA or the NCCIPA, and this Court’s research reveals none.
To support their argument, the Excellus Defendants cite to Anthem I,
The Anthem I court’s analysis relied in part on a case cited by the Excellus Defendants: Galaria v. Nationwide Mutual Ins. Co.,
Plaintiffs offer no persuasive reason why this Court should reach a different conclusion than the Anthem court regarding these claims under state privacy statutes. In opposition, Plaintiffs argue that Anthem is distinguishable because the Georgia statute at issue in that case prohibits the willful and knowing disclosure of personal information, see Anthem II,
Plaintiffs further argue that “[t]he term ‘disclose,’ as used in [the NJIIPA and NCCIPA], must include Defendants’ negligent, and even knowing, release of PII and PHI to unauthorized individuals.” (Pl. Excellus Opp. at 25). However, the cases cited by Plaintiffs in support of this argument are distinguishable from the facts of this case. Two cases cited by Plaintiffs involve affirmative acts of revealing personal information. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC,
In the third cited case, Shames-Yeakel v. Citizens Financial Bank,
In sum, for the reasons set forth above, the Court concludes that Plaintiffs have failed to state a claim under either the NJIIPA or NCCIPA. Plaintiffs have not plausibly alleged a claim under either statute where they have only alleged that their personal information was stolen from Defendants, not that Defendants disclosed the data to the cyberattackers. Therefore, the Court grants the Excellus Defendants’ motion to dismiss Plaintiffs’ NJIIPA and NCCIPA claims with prejudice, and leave to replead these claims is denied as futile.
V. Damages
The Excellus Defendants argue that, “even assuming [P]laintiffs have standing and have otherwise stated a valid claim, their complaint should be dismissed under Rule 12(b)(6) for failure to allege cognizable damages proximately caused by the Excellus cyberattack.” (Excellus Mot. at 24). Plaintiffs disagree. (Pl. Excellus Opp. at 26).
Plaintiffs and the Excellus Defendants dispute whether it is appropriate for the Excellus Defendants to challenge Plaintiffs’ damages theories wholesale, rather than challenge Plaintiffs’ damages theories under each claim that Plaintiffs have pleaded. (See Pl. Excellus Opp. at 27; Excellus Reply at 17). The Excellus Defendants contend that “courts do not analyze these damages issues in a claim-specific manner.” (Excellus Reply at 17).
The Court is not convinced by the Excellus Defendants’ reply argument. The cases on which the Excellus Defendants rely—Pisciotta,
Here, the Excellus Defendants make no attempt to identify whether Plaintiffs have sufficiently pleaded damages for purposes of each of their claims. Given that it is the movant’s burden to show why dismissal is warranted on a 12(b)(6) motion, the Court denies the Excellus Defendants’ motion, to the extent it is predicated on an alleged failure to plead any cognizable damages. See Four K. Grp., Inc. v. NYCTL 2008-A Trust, No. 12-CV-2135 (JG),
CONCLUSION
Based on the foregoing, the Excellus Defendants’ motion to dismiss for lack of standing (Dkt. 107) is granted with respect to the four non-misuse plaintiffs (Fero, Church, Boomershine, and Caltagarone). The claims by those plaintiffs are dismissed without prejudice. The Excellus Defendants’ motion to dismiss for lack of standing is in all other respects denied.
The Excellus Defendants’ motion to dismiss for failure to state a claim (Dkt. 107) is granted in part. Specifically, the motion is granted with respect to Plaintiffs’ (1) claim for breach of the implied covenant of good faith and fair dealing; (2) GBL § 349 claims, but only to the extent that those claims rest on paragraphs 281(d) and (e) of the CMC; (3) negligent misrepresentation claim; (4) CCRA claim; and (5) NJIIPA and NCCIPA claims. The Court dismisses those claims with prejudice, with the exception of Plaintiffs’ breach of the implied covenant of good faith and fair dealing claim, which may be pursued as part of Plaintiffs’ breach of contract claim, and Plaintiffs’ negligent misrepresentation claim, which Plaintiffs may attempt to re-plead. The Excellus Defendants’ motion to dismiss is otherwise denied.
BCBSA’s motion to dismiss for lack of standing (Dkt. 111) is denied. BCBSA’s motion to dismiss for failure to state a claim (Dkt. 111) is granted in part. Specifically, the motion is granted with respect to Plaintiffs’ (1) third-party beneficiary claim; and (2) request for benefit-of-the-bargain damages; and those claims are dismissed with prejudice. Thus, the only surviving claim against BCBSA is Plaintiffs’ GBL § 349 claim, to the extent it is not predicated on benefit-of-the-bargain damages.
In the event that Plaintiffs seek to attempt to file an amended complaint curing the deficiencies with respect to their negligent misrepresentation claim, they must do so within 20 days of the entry of this Decision and Order.
SO ORDERED.
Notes
The Court will refer to all defendants, including BCBSA, collectively as “Defendants.” The Court will refer to all defendants but BCBSA collectively as the “Excellus Defendants.”
BCBSA joins the Excellus Defendants in these arguments, asserting — without elaboration — that Plaintiff Mottern has not pleaded an injury-in-fact. (BCBSA Mot. at 9). The Court rejects this argument: Plaintiff Mottern has alleged some misuse of her data in that she incurred fraudulent charges on her American Express credit card, among other injuries. (CMC at ¶ 23). Thus, the Excellus Defendants’ injury-in-fact challenges, which are based on four plaintiffs having failed to allege any misuse of their personal information, plainly do not apply to Plaintiff Mottern. Accordingly, the Court denies BCBSA’s motion to dismiss Plaintiff Mottern for failing to allege an injury-in-fact.
Both the Excellus Defendants and Plaintiffs make their arguments under New York law. (See Excellus Mot. at 13-14; Pl. Excellus Opp. at 15-16).
Plaintiffs refer to Contract No. CS 1039 in their CMC, and BCBSA has attached the following documents to their motion to dismiss: (1) a copy of that contract; (2) the 2014 and 2015 amendments to the contract; and (3) the contract’s 2013, 2014, and 2015 Statements of Benefits for the Service Benefit Plan. (Dkt. 111-1; Dkt. 111-2 (Contract No. CS 1039); Dkt. 111-4; Dkt. 111-5 (2014 & 2015 Amendments); Dkt. 111-6; Dkt. 111-7; Dkt. 111-8; Dkt. 111-9 (2013-2015 Statements of Benefits)). Plaintiffs do not dispute that these documents are true and accurate copies of Plaintiffs’ contract with BCBSA and the accompanying statement of benefits; in fact, they also cite to BCBSA’s attachments throughout their opposition. See, e.g., Reply at 8. Therefore, the Court may consider these extra-pleading documents in resolving the motion to dismiss because they are both integral to and referenced in the CMC. See Goel v. Bunge, Ltd.,
In its reply, BCBSA has attached a Federal Employees Health Benefits (“FEHB”) Program Carrier Letter from OPM, dated June 22, 2007, stating that “[a]ny breach of security in ... [FEHB] enrolled data is considered a significant event as defined in Section 1.10 Notice of Significant Events (FEHBAR 1652.222-70) of the FEHB Standard Contracts.” (Dkt. 138 at 5). These carrier letters, BCBSA argues, “conclusively demonstrate that the [court in In re Anthem, Inc. Data Breach Litigation,
As stated above, Plaintiffs’ eighth claim for relief asserts violations of state consumer protection laws, including GBL § 349.
Given that benefit-of-the-bargain losses are not the only damage theories proffered by Plaintiffs in support of the GBL § 349 claim (CMC ¶ 287), the Court does not dismiss this claim in its entirety.
