In re Target Corp. Customer Data Security Breach Litigation

MEMORANDUM AND ORDER

PAUL A. MAGNUSON, District Judge.

Target Corporation’s Motion to Dismiss the Consumer Plaintiffs’ First Amended Consolidated Class Action Complaint (Docket No. 258) in the Consumer Cases. For the reasons that follow, the Motion is granted in part and denied in part.

BACKGROUND

This case arises out of one of the largest breaches of payment-card security in United States retail history: over a period of more than three weeks during the 2013 holiday shopping season, computer hackers stole credit- and debit-card information and other personal information for approximately 110 million customers of Target’s retail stores. Plaintiffs are a putative class¹ of consumers who used their credit or debit cards at Target stores during the period of the security breach, and whose personal financial information was compromised as a result of the breach. Indeed, many of the 114 naméd Plaintiffs allege that they actually incurred unauthorized charges; lost access to their accounts; and/or were forced to pay sums such as late fees, card-replacement fees, and credit monitoring costs because the hackers misused their personal financial information.

The Judicial Panel on Multidistrict Litigation consolidated all federal litigation into this case, which is divided into two tracks: one for cases brought by financial institutions and one for cases brought by .consumers. In this Motion, Target asks the Court to dismiss the First Amended Consolidated Class Action Comрlaint² filed in the consumer cases.

Plaintiffs’ Complaint raises seven claims. Count One contends that Target violated the consumer protection laws of 49 states (all states save Alaska) and the District of Columbia. Count Two alleges a similar violation with respect to the data breach statutes of 38 states. Count III asserts that Target was negligent in failing to safeguard its customers’ data. Count IV raises a claim for breach of an implied contract as to Plaintiffs who were not Target REDcard cardholders, and Count V claims a breach of contract as to Plaintiffs who were Target REDcard cardholders. Count VI claims a bailment, and Count VII claims unjust enrichment. Target seeks dismissal of all claims, contending that the 121-page, 356-paragraph Complaint lacks sufficient detail to support Plaintiffs’ allegations. Cf. Fed.R.Civ.P. 8(a)(2) (requiring a “short and plain statement of the claim”).

DISCUSSION

When evaluating a motion to dismiss under Rule 12(b)(6), the Court assumes the facts in the Complaint to be true and construes all reasonable inferences from those facts in the light most favorable to Plaintiffs. Morton v. Becker, 793 F.2d 185, 187 (8th Cir.1986). However, the Court need not accept as true wholly con-clusory allegations, Hanten v. Sch. Disk of Riverview Gardens, 183 F.3d 799, 805 (8th Cir.1999), or legal conclusions that Plaintiffs draw from the facts pled. Westcott v. City of Omaha, 901 F.2d 1486, 1488 (8th Cir.1990).

To survive a motion to dismiss, a complaint must contain “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 545, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). Although a complaint need not contain “detailed factual allegations,” it must contain facts with enough spеcificity “to raise a right to relief above the speculative level.” Id. at 555, 127 S.Ct. 1955. “Threadbare recitals of the elements of a cause of action, supported by mere conclu-sory statements,” will not pass muster under Twombly. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citing Twombly, 550 U.S. at 555, 127 S.Ct.1955). In sum, this standard “calls for enough fact[s] to raise a reasonable expectation that discovery will reveal evidence 'of [the claim].” Twombly, 550 U.S. at 556, 127 S.Ct. 1955.

A. Standing

1. Injury

Target’s primary argument is that Plaintiffs do not have standing to raise any of their claims because Plaintiffs cannot establish injury. A plaintiff invoking the Article III jurisdiction of the federal courts must establish that he or she has standing to do so. That is, the plaintiff “must have suffered an ‘injury in fact’ — an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (internal citations and quotation marks omitted). Target contends that Plaintiffs’ claimed injuries are not actual or imminent, and as such do not suffice to give them standing to sue.

But Plaintiffs have alleged injury. Indeed, paragraphs l.a through l.g and 8 through 94 of the Complaint are a recitation of many of the individual named Plaintiffs’ injuries, including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees. Target ignores much of what is pled, instead contending that because some Plaintiffs do not allege that their expenses were un-reimbursed or say whether they or their bank closed their accounts, Plaintiffs have insufficiently alleged injury. These arguments gloss over the actual allegations made and set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage. Plaintiffs’ allegations plausibly allege that they suffered injuries that are “fairly traceable” to Target’s conduct. Allen v. Wright, 468 U.S. 737, 753, 104 S.Ct. 3315, 82 L.Ed.2d 556 (1984), abrogated on other grounds, Lexmark Int’l, Inc. v. Static Control Components, Inc., — U.S. -, 134 S.Ct. 1377, 188 L.Ed.2d 392 (2014). This is sufficient at this stage to plead standing. Should discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.

2. State Claims

Target also argues that because none of the 114 named Plaintiffs hails from five ' jurisdictions — Delaware, Maine, Rhode Island, Wyoming, or the District of Columbia — claims under the laws of those jurisdictions should be dismissed for lack of standing. Plaintiffs contend that this determination is premature, but ask in the alternative that the Court permit them to amend to add Plaintiffs from these jurisdictions if the Court is inclined to agree with Target.

There is a significant split of authority as to whether a court should address the standing of named plaintiffs at the motion-to-dismiss stage or at the class-certification stage. Another Judge in this District recently decided that the issue is best addressed at the motion-to-dismiss stage, and she dismissed for lack of standing state-law claims for states in which no named plaintiff resided. Insulate SB, Inc. v. Advanced Finishing Sys., Inc., Civ. No. 13-2664, 2014 WL 943224 (D.Minn. Mar. 11, 2014) (Montgomery, J.). Target urges the Court to follow this opinion and dismiss the claims from jurisdictions in which there is currently no named Plaintiff.

Insulate was an antitrust putative class action with a single named plaintiff, a California-resident corporation. Insulate’s complaint raised claims for violations of other state’s laws, .and the defendants moved to dismiss contending that Insulate lacked standing to assert state-law claims for states other than California. Id. at *10. Insulate argued, as Plaintiffs do here, that the standing issue was not ripe for decision until after the class-certification stage. Id.

Judge Montgomery noted that the split among courts regarding the proper time to evaluate a named plaintiffs standing

stems from the two Supreme Court cases of Amchem Prods., Inc. v. Windsor, 521 U.S. 591 [117 S.Ct. 2231, 138 L.Ed.2d 689] (1997), and Ortiz v. Fibreboard Corp., 527 U.S. 815 [119 S.Ct. 2295, 144 L.Ed.2d 715] (1999). Both cases concern global settlements of class actions, address the standing of absent class members (rather than named plaintiffs) and involve situations in which the court was simultaneously presented with class certification issues and Article III issues. In each case, the Supreme Court resolved class certification issues prior to resolving Article III standing, because the class certification issues were dispositive in those cases and thus were “logically antecedent to the existence of Article III issues.”

Id. (quoting Amchem, 521 U.S. at 591-92, 117 S.Ct. 2231) (internal citations omitted). Although some courts interpreted these decisions to require deferral of the Article III standing determination until after class certification, Judge Montgomery found more persuasive the decisions that interpreted the Supreme Court precedent to allow consideration of the named plaintiffs Article III standing at an earlier stage, thus requiring “a named plaintiff to establish standing for each claim set forth in a class action when the issue is presented prior to class certification.” Id. at *11.

Although standing is a “threshold issue” usually considered at the outset of the case, Arkansas Right to Life State Political Action Comm. v. Butler, 146 F.3d 558, 560 (8th Cir.1998), the Supreme Court’s Amchem and Ortiz decisions make clear that there are situations in which a court may defer that issue to later in the case. Moreover, at the motion-to-dismiss stage, Plaintiffs need only plausibly allege that they can establish the elements of standing. See Lujan, 504 U.S. at 561, 112 S.Ct. 2130 (noting that the elements of standing must. be supported “with the manner and degree of evidence required at the successive stages of the litigation”). Plaintiffs have plausibly alleged that they have standing to represent a class of individuals in every state and the District of Columbia, and thus that they have standing to raise state-law claims in those jurisdictions.

In addition, there is an important difference between Insulate and the cases on which Insulate relied and this case. Insulate and the other cases holding that standing should be determined before class certification are antitrust cases, in which “ ‘the constitutional and prudential requirements of standing take on particular significance.’ ” In re Ductile Iron Pipe Fittings Indirect Purchaser Antitrust Litig., Civ. No. 12-169, 2013 WL 5503308, at *9 (D.N.J. Oct. 2, 2013) (quoting City of Pittsburgh v. W. Penn Power Co., 147 F.3d 256, 264 (3d Cir.1998)). The instant case, on the other hand, contains no antitrust allegations, and thus there is no “particular significance” to the standing determination. And unlike Insulate, this is not a case where a single named plaintiff asserts the laws of a multitude of states in which that plaintiff does not reside. Rather, there are 114 named Plaintiffs who reside in every state in the union sаve four and the District of Columbia. The standing concerns present in Insulate and other antitrust cases are simply not present here.

As Target undoubtedly knows, there are consumers in Delaware, Maine, Rhode Island, Wyoming, and the District of Columbia whose personal financial information was stolen in the 2013 breach. To force Plaintiffs’ attorneys to search out those individuals at this stage serves no useful purpose. In this case, and under the specific facts presented here, the Article III standing analysis is best left to after the class-certification stage. Should a class be certified, and should that class as certified contain no members from certain states, Target may renew its arguments regarding standing.³

3. Injunctive Relief

Finally, Target contends that Plaintiffs lack standing to seek injunctive relief because they do not allege that they face a threat of ongoing or future harm that is certainly.impending. The Prayer for Relief seeks “appropriate injunctive relief’ including an order that Target encrypt all customer data from the point of sale through Target’s payment system, comply with federal and Minnesota law regarding data security and the retention of data, adopt EMV chip technology for Target-issued credit and debit cards, and requiring Target to provide extended credit-monitoring services to Plaintiffs and class members. (Compl. at 121-22, ¶ C.)

To establish “injury in fact” for purposes of injunctive relief, a plaintiff must show that he “faces a' threat of ongoing or future harm.” Park v. U.S. Forest Serv., 205 F.3d 1034, 1037 (8th Cir.2000). “[I]t is the plaintiffs burden to estаblish standing by demonstrating that, if unchecked by the litigation, the defendant’s allegedly wrongful behavior will likely occur or continue, and that the threatened injury is certainly impending.” Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 190, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000) (internal alterations and quotations omitted).

Target’s arguments regarding Plaintiffs’ standing are premature. Plaintiffs have plausibly pled that their injuries will be redressed by the injunctive relief they seek, and at this stage, that is all that is required. The cases on which Target relies determined the injunctive-relief standing issue at the summary-judgment stage, not the motion-to-dismiss stage. As the Supreme Court itself has noted, even

attenuated injuries are sufficient to confer Article III standing at the motion-to-dismiss stage. Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990) (discussing United States v. SCRAP, 412 U.S. 669, 93 S.Ct. 2405, 37 L.Ed.2d 254 (1973)). In SCRAP, the plaintiff environmental group alleged that a surcharge on railroad freight rates would cause the group’s members to suffer “economic, recreational and aesthetic harm” because it would increase the use of nonre-eyclable goods, and thereby increase the use of natural resources to produce more goods, resulting in more garbage in Washington-area parks. . SCRAP, 412 U.S. at 678, 93 S.Ct. 2405. The Supreme Court determined that even these thin allegations were “sufficient to survive a motion to dismiss for lack of standing.” Whit-more, 495 U.S. at 159, 110 S.Ct. 1717. The Court indicated, however, that summary judgment on standing might be appropriate if discovery revealed that “the allegations were sham and raised no genuine' issue of fact.” SCRAP, 412 U.S. at 689 & n. 15, 93 S.Ct.'2405.

Plaintiffs’ plausible allegations are certainly more substantial than those in SCRAP. Those allegations, taken as true, establish Plaintiffs’ stаnding to seek in-junctive relief. Whether discovery will bear out those allegations is a matter for another day. Target’s Motion on this point is denied.

B. Consumer Protection Laws

Target first contends that Plaintiffs have failed to state a claim under any jurisdiction’s deceptive trade practices statutes.⁴ As noted, the Complaint raises claims under the laws of 49 states and the District of Columbia. (Compl. ¶ 263.) Plaintiffs contend that Target violated these consumer protection laws in several ways:

• by “fail[ing] to maintain adequate computer systems and data security practices;”

• by “failfing] to disclose the material fact that it did not have adequate computer systems ‍​‌‌​​​‌‌‌​‌​​‌‌‌‌‌‌​​​​​‌​‌‌​​​‌‌​​​​​‌​‌‌‌‌‌‌‌‌‍and safeguards to adequately protect customers’ personal and financial information;”

• by “failing] to provide timely and accurate notice to [Plaintiffs] of the material fact of the Target data breach;” and

• by continuing to “accept[ ] [Plaintiffs’] credit and debit card payments for purchases at Target after Target knew or should have known of that data breach and before it purged its systems of the hackers’ malware.”

(Id.)

1. Injury

Target contends that Plaintiffs have failed to allege economic injury, as the consumer protection laws in 26 of the 50 jurisdictions require. But Plaintiffs have pled economic injury, in the form of unreimbursed late fees, new card fees, and other charges. Regardless whether Plaintiffs have sufficiently pled economic injuries, however, the law is not as clear on this issue as Target argues. Although some states’ statutes provide that a plaintiff may recover only for “ascertainable loss,” that phrase is in general not limited to only purely economic loss, and includes other damages like loss of prospective customers, Serv. Rd. Corp. v. Quinn, 241 Conn. 630, 698 A.2d 258, 265 (1997), or failure to provide exclusivity with regard to an art collection, Feitler v. Animation Celection, Inc., 170 Or.App. 702, 13 P.3d 1044, 1050 (2000).

There are several jurisdictions, such as Wisconsin, in which the consumer protection statutes require “pecuniary loss.” Wis. Stat. § 100.20. Plaintiffs argue that courts in these states have required a “liberal construction” of these statutes, but a court cannot liberally construe a pecuniary-loss requirement to include non-pecuniary losses. Because Plaintiffs have plausibly alleged pecuniary loss, however, they have stated a claim even under state laws that require such loss.

Plaintiffs have plausibly pled injury sufficient to meet the loss requirements in each of the jurisdictions from which their consumer protection claims stem. The determination whether all of the injuries Plaintiffs claim (Compl. ¶ 262) are cognizable under each state’s consumer-protection laws is a matter for summary judgment, not a motion to dismiss.

2. Duty to Disclose

Target next argues that 18 states do not recognize a violation of consumer-protection statutes for omissions unless there was a duty to disclose. According to Target, Plaintiffs have failed to plead a duty to disclose. In addition, Target сontends that Plaintiffs must plead their omission-based consumer-protection claims under Rule 9(b)’s specific pleading requirements. Because of Plaintiffs’ alleged failure to plead with particularity, Target contends that Plaintiffs’ claims under nine states’ statutes — California, Delaware, Kansas, Maryland, Minnesota, New Mexico, Nevada, Pennsylvania, and Texas— should be dismissed, and that portion of Plaintiffs’ claims based on deceptive conduct should be dismissed as to the other nine states’ statutes — Arizona, California,⁵ Connecticut, Hawaii, Idaho, Louisiana, Michigan, Oklahoma, and Washington.

Plaintiffs allege that Target knew that its customers’ data was sensitive and should be protected, knew that its systems were inadequate to protect that data, and continued to accept credit and debit cards after it knew or should have known that the systems were susceptible to breach or had been breached. (Compl. ¶¶ 283-37.) Target argues that these allegations are insufficient to establish a duty.

Neither party has provided the Court with any legal authority regarding the type of allegations that are sufficient to establish a duty to disclose under a state consumer-protection statute. In the absence of such authority, Plaintiffs’ plausible allegations, taken as true, establish with sufficient specificity that Target had a duty to disclose. Target’s Motion on this point is denied.

3. Injunctive Relief

Target contends that several states’ consumer-protection laws authorize only in-junctive relief, and that Plaintiffs do not have standing to seek such relief. Plaintiffs have plausibly alleged their standing to seek injunctive relief, and this portion of Target’s Motion is denied.

4. No Private Right of Action

Plaintiffs concede that their claims under the Delaware Uniform Deceptive Trade Practices Act and the Oklahoma Deceptive Trade Practices Act fail because there is no private right of action under those statutes. However, Plaintiffs have raised consumer-protection claims under other Delaware and Oklahoma statutes (Compl. ¶¶ 263.g, 263.jj) that Target implicitly concedes do provide a private right of action, and so Plaintiffs’ claims under those laws survive this aspect of the Motion.

In addition, Plaintiffs’ claim under Wisconsin’s Deceptive Trade Practices Act, Wis. Stat. § 100.20, must be dismissed. This statute provides a private right of action only for violations of orders issued by the Wisconsin Department of Agriculture. See Emergency One, Inc. v. Waterous Co., 23 F.Supp.2d 959, 971 (E.D.Wis.1998) (citing Wis. Stat. § 100.20(5), which allows suits by a “person suffering pecuniary loss because of a violation by any other person of any order issued” by the Department of Agriculture, Trade, and Consumer Protection). Plaintiffs do not respond to Target’s argument in this regard and thus apparently concede that their Wisconsin consumer-protection claim must be dismissed.

5.Class Action

The consumer-protection statutes in eight states — Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, and Tennessee — prohibit class-action treatment of claims under those statutes. An additional two states — Ohio and Utah — allow class pursuit of consumer-protection claims only if the challenged act has been declared deceptive by a final court judgment or by the state’s attorney general.

The parties dispute whether a state statute prohibiting class actions applies to bar such class actions in federal court. The dispute centers on a recent Supreme Court decision. Shady Grove Orthopedic Assoc., P.A. v. Allstate Ins. Co., 559 U.S. 393, 130 S.Ct. 1431, 176 L.Ed.2d 311 (2010). According to Target, the controlling opinion in Shady Grove found that federal class treatment of a state law that prohibits class actions is prohibited if the state law is substantive, rather than procedural. Target urges the Court to find that the statutes prohibiting class treatment under these states’ consumer-protection laws here are substantive and thus that class actions raising claims under those laws must be dismissed.

In Shady Grove, a patient assigned her rights to insurance benefits arising out of a car accident in which she was injured to the clinic that treated her injuries. Id. at 397, 130 S.Ct. 1431. Allstate paid the clinic the benefits due but allegedly paid them late and then refused to pay the statutory interest on the overdue payments. The clinic then brought a lawsuit in federal court to recover that interest, and sought to represent a class of others to whom Allstate had failed to pay statutory interest. The District Court dismissed the case because New York law “precludes a suit to recover a pеnalty from proceeding as a class action.” Id. The Second Circuit affirmed, finding that the New Yojk statute at issue, N.Y. Civ. Prac. Law Ann. § 901, did not conflict with Rule 23, and that § 901 was “substantive” within the meaning of Erie and must therefore be applied by federal courts sitting in diversity.

There is no majority opinion in Shady Grove. Rather, Justice Scalia wrote the opinion of the Court for a plurality of himself and three other Justices. He set forth the “familiar framework” for resolving conflicts between federal rules and state laws: the federal rule governs unless application of the federal rule “exceeds statutory authority or Congress’s rulemaking power” under the Rules Enabling Act, 559 U.S. at 398, 130 S.Ct. 1431, which limits rulemaking authority to rules that do “not abridge, enlarge or modify any substantive right.” 28 U.S.C. § 2072(b). Justice Scalia found that the substantive nature of the state law at issue was immaterial to the conflicts analysis. 559 U.S. at 409, 130 S.Ct. 1431. Rather, the federal courts should look to the federal rule to determine whether it was substantive or procedural. Id. at 410, 130 S.Ct. 1431. If the federal rule is procedural, it governs regardless of its effect on any state right. Id. And according to Justice Scalia, Rule 23 is procedural and therefore trumps any state laws prohibiting class-action treatment of certain claims. Id. at 408, 130 S.Ct. 1431.

Justice Stevens, writing alone, concurred in this judgment, but for a different reason than Justice Scalia and the three Justices joining his opinion. Justice Stevens found that New York’s class-action prohibition was procedural in nature, and thus that the application of the federаl rule would not alter any substantive rights. Id. at 432, 130 S.Ct. 1431. Accordingly, the Rules Enabling Act does not prevent the application of Rule 23 to cases raising claims that in New York state court would be exempt from class treatment. Justice Stevens noted, however, that if the federal rule “would displace a state law that is procedural in the ordinary use of the term but is so intertwined with a state right or remedy that it functions to define the scope of the state-created right,” the federal rule could not trump the state law. Id. at 423, 130 S.Ct. 1431. In other words, Justice Stevens disagreed with the plurality’s conclusion that it is the nature of the federal rule, not the state law, that governs the application of the federal rule to state claims. In that narrow statement of the issue, Justice Stevens’s concurrence aligned with the dissenting opinion of Justice Ginsburg, who was writing on behalf of three other Justices.

Target argues that Justice Stevens’s opinion controls because it is the narrowest opinion on which five Justices agreed. And the majority of courts to have addressed the issue have determined that Justice Stevens’s concurrence is the controlling opinion in Shady Grove. See Davenport v. Charter Comm’cns, LLC, 35 F.Supp.3d 1040, 1050-51 (E.D.Mo.2014) (surveying cases). Accordingly, if the state law “define[s] the scope of [a] state-created right,” federal class-action treatment is inappropriate.

Most courts that have evaluated state consumer-protection laws that conflict with Rule 23 have determined that Rule 23 cаnnot be applied to otherwise prohibited class actions, because the class-action prohibition defines the scope of the state-created right, namely the right to bring a lawsuit for violations of the state’s consumer-protection law. Davenport, 35 F.Supp.3d at 1051-52 (Kentucky’s consumer-protection statute); Lisk v. Lumber One Wood Preserving, LLC, 993 F.Supp.2d 1376, 1383-85 (N.D.Ala.2014) (Alabama Deceptive Trade Practices Act); Stalvey v. Am. Bank Holdings, Inc., No. 4:13cv714, 2013 WL 6019320, at *4 (D.S.C. Nov. 13, 2013) (South Carolina Unfair Trade Practices Act); Bearden v. Honeywell Int’l, No. 3:09-1035, 2010 WL 3239285, at *10 (M.D.Tennessee Aug. 16, 2010) (Tennessee Consumer Protection Act). 'Plaintiffs point to a single case that disagreed with this analysis and found that claims under the consumer-protection statutes of Georgia, Louisiana, and South Carolina could be pursued as a class action. In re Hydroxycut Mktg. & Sales Practices Litig., 299 F.R.D. 648, 651 (S.D.Cal.2014). At least one other decision has explicitly refused to follow Hydroxycut, however, finding that a class action could not be maintained for violations of South Carolina’s consumer-protection statute. In re Auto. Parts Antitrust Litig., 29 F.Supp.3d 982, 1012-13 (E.D.Mich.2014).

Although it is perhaps oversimplification to call Justice Stevens’s concurrence the holding of the Court in Shady Grove, it is clear that five Justices believe that it is the nature of the state statute at issue— whether the statute is substantive or procedural — that governs whether the state law can trump Rule 23’s federal class-action mechanism. This Court agrees with the decisions cited above that when a state legislature creates a private right of action to enforce a state statute’s requirements, the state’s definition of that private right of action to prohibit сlass actions “define[s] the scope of the state-created right,” Shady Grove, 559 U.S. at 423, 130 S.Ct. 1431, and is therefore substantive. Accordingly, Plaintiffs cannot maintain a class action as to the alleged consumer-protection statutory violations in Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, and Tennessee.

Plaintiffs do not address Target’s argument that a class action is prohibited under Utah’s consumer-protection statute, and thus concede that issue. Plaintiffs assert that a class action is appropriate for violations of Ohio’s statute, and the Complaint catalogs cases holding allegedly similar conduct to be deceptive in violation of Ohio’s statute. (Compl. ¶ 263.Ü.) Plaintiffs contend that this is sufficient to establish entitlement to class-action status under Ohio law. Target responds that none of these cases discusses an “act substantially similar to Target’s alleged conduct.” (Def.’s Reply Mem. at 19.) Target does not further elucidate the alleged substantial differences between the conduct in the Ohio cases and Target’s conduct here.

The Court therefore has insufficient information as to whether any Ohio case has held similar conduct to violate Ohio’s consumer-protection statute. At this stage of the proceeding, the Court must view the allegations in the Complaint in favor of Plaintiffs, and those allegations at least plausibly allege that there is Ohio caselaw on point. Thе Motion as to Ohio consumer-protection claims is denied.

6. Conclusion

In sum, Plaintiffs’ consumer-protection claims under the Delaware Uniform Deceptive Trade Practices Act, the Oklahoma Deceptive Trade Practices Act, and the Wisconsin Deceptive Trade Practices Act must be dismissed. In addition, Plaintiffs may not maintain a class action as to their claims under the consumer-protection statutes in Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, Tennessee, and Utah. The remainder of Target’s Motion on this point is denied.

C. Data Breach Notice Statutes In Count II, Plaintiffs contend that Target violated the data-breach notice statutes of 38 jurisdictions.

1. Damages

Plaintiffs allege that Target violated the data-breach notice statutes of these jurisdictions by failing “to provide timely and accurate notice of the Target data breach.” (Compl. ¶ 286.) Target contends that all of Plaintiffs’ data-breach-statute claims fail because Plaintiffs, cannot show any damages flowing from the alleged violation of the statutes. In the main, Plaintiffs’ delayed-notice damages are “would not have shopped at Target” damages. Target maintains that because Plaintiffs have not alleged when they shopped at Target, they cannot establish any damages from allegedly delayed notice. In other words, because no Plaintiff alleges that he or she shopped at Tаrget on a specific date after Target knew or should have known about the breach but before Target notified consumers about the breach, no Plaintiff can establish “would not have shopped” damages.

This argument is premature. Plaintiffs have pled a “short and plain statement” of their claims, Fed.R.Civ.P. 8(a)(2); discovery will be required to flesh out which Plaintiffs are entitled to claim “would not have shopped” damages. In addition, Plaintiffs allege that Target should have found out about the breach immediately, so that notice potentially could have gone out mere days after the breach. If that is true, then nearly every putative class member may be able to claim “would not have shopped” damages. Target’s Motion on this point is denied.

2. Private Right of Action

According to Target, 29 of the 38 data-breach notice statutes on which Plaintiffs base their claims provide no private right of action. Plaintiffs concede this point as to the claims under Florida, Oklahoma, and Utah law, and have withdrawn those claims. Plaintiffs contend, however, that they are entitled to maintain their claims under the remaining 26 states’ laws either through eight⁶ of the states’ consumer-protection statutes or by determining that there should be a private right of action despite the statute not explicitly providing one.

Target responds that, of the eight data-breach notice statutes that reference consumer-protection laws, only six of those are potentially enforceable through the state’s consumer-protection law, because ‍​‌‌​​​‌‌‌​‌​​‌‌‌‌‌‌​​​​​‌​‌‌​​​‌‌​​​​​‌​‌‌‌‌‌‌‌‌‍North Dakota and Oregon give enforcement authority for the data-breach notice statute to government officials. See N.D. CentCode § 51-30-07 (giving enforcement authority to the state attorney general); Or.Rev.Stat. § 646A.624(3) (giving enforcement authority to director of Department of Consumer and Business Services).

But again, the statutes are not as cut- and-dried as Target contends. North Dakota’s statute states that the “attorney general may enforce this chapter.” N.D. CentCode § 51-30-07. But the section also states that “[a] violation of this chapter is deemed a violation of [the consumer-protection statute],” and that the “remedies .... of this chapter are not exclusive and are in addition to all other causes of action, remedies, and penalties under [the consumer-protection statute]....” Id. Target does not dispute that North Dakota’s consumer-protection statute contains a private right of action. Thus, absent a case construing North Dakota law to preclude private enforcement of the data-breach notice statute, Plaintiffs have plausibly claimed that there is a private right of action under that statute.

Similarly, the Oregon statute provides that the director may enforce the data-breach notice statute, but the same section states that “the director may order compensation to consumers only upon a finding that enforcement of the rights of the consumers by private civil action would be so burdensome or expensive as to be impractical.” Or.Rev.Stat. § 646A.624(3). This section implies that private civil actions are available, and without any contrary authority, Plaintiffs have plausibly alleged that they are entitled to private enforcement of Oregon’s data-breach notice statute.

As to the six states that explicitly allow enforcement of the data-breach notice statute through the consumer-protection statute, Target contends that Plaintiffs have not sufficiently pled that the data-breach violation is a violation of the state’s consumer-protection law. But Plaintiffs have pled both a violation of each state’s consumer-protection law and a violation of the state’s data-breach notice statute. Such pleading puts Target on notice of the claims against them. Plaintiffs’ data-breach claims under these states — Alaska, Illinois, Maryland, Montana, New. Jersey, North Carolina, North Dakota, and Oregon — survive Target’s Motion.

Finally, there are 14 states that either provide for attorney general enforcement in what Plaintiffs contend is “permissive, non-exclusive language” and four states that are silent as to the enforcement of the data-breach notice statute. Aside from Minnesota’s data-breach notice statute, the parties do not discuss any of the remaining 17 states’ statutes specifically in their briefs, instead relying on the summary of each state’s law provided in their respective appendices. The appendices are intended to assist the Court, but instead serve to obfuscate the issues and make determining each parties’ arguments and each state’s law difficult. The Court understands that the parties operate under Court-imposed word-count limitations, but in the future they would be better served by requesting an extension of those limits, rather than attempting to reference legal principles buried in lengthy appendices.

There are two types of enforcement provisions typically found in state data-breach notice statutes: Attorney General or government enforcement only, or states in which the enforcement provision is either ambiguous or explicitly non-exclusive. And as noted, four states’ laws are silent as to enforcement. To simplify the following discussion, the Court categorizes each of the remaining states as either Attorney General/government enforcement only, ambiguous/non-exclusive enforcement, or no enforcement provision.

3. Attorney General enforcement only

The Arkansas data-breach notice statute, Ark.Code § 4-110-101 et seq., provides that a “violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq.” Ark.Code § 4-110-108. This is clear — only the Arkansas attorney general may enforce the Arkansas data-breach notice statute. Merely because the statute references the broader Arkansas consumer-protection statute does not mean that all of the remedies from the consumer-protection statute are available under the data-breach notice statute. There is no private right of action for violations of the Arkansas data-breach notice statute and Plaintiffs’ Arkansas claim is dismissed.

Connecticut’s data-breach notice statute provides that violations of the statute “shall be enforced by the Attorney General.” Conn. Gen.Stat. § 36a-701b(g). As with Arkansas, this language clearly limits enforcement power to the state’s attorney general and Plaintiffs’ Connecticut claim is dismissed.

Idaho’s law provides that “the primary regulator may bring a civil action to enforce compliance” with the state’s data-breach notice statute. Idaho Code Ann. § 28-51-107. There is no provision for any other enforcement action, and Plaintiffs’ Idaho claim is dismissed.

Massachusetts’s data-breach notice statute provides similarly that the “attorney general may bring an action ... to remedy violations of this chapter.” Mass. Gen. Laws Ch. 93H, § 6. Plaintiffs’ Massachusetts claim is dismissed.

Minnesota’s data-breach notice statute provides that the “attorney general shall enforce this section ... under section 8.31.” Minn.Stat. § 325E.61, subd. 6. Plaintiffs argue that the reference to § 8.31 gives individuals private-enforcement rights, because § 8.31 gives the attorney general non-exclusive authority to prosecute violations of certain statutes, and because subdivision 3a of § 8.31 allows private individuals to sue under the statutes referenced in § 8.31. Plaintiffs’ interpretation stretches the language of the statute beyond the breaking point, however. Minnesota’s data-breach notice statute provides that the “attorney general shall” enforce the statute; that language is unambiguous. Plaintiffs’ Minnesota claim is dismissed.

Similarly, Nebraska law provides that “the Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the” data-breach notice statute. Neb.Rev.Stat. § 87-806. There is no provision for any other enforcement of the statute. Plaintiffs’ Nebraska claim is dismissed.

Nevada’s enforcement provision limits enforcement to a temporary or permanent injunction, and provides that “the Attorney General or district attorney may bring an action” to obtain that injunction. Nev. Rev.Stat. § 603A.920. Nevada law also provides that a data collector may bring a civil action against a person who steals personal information from the data collector’s records, id. § 603A.900, but that situation is not present here. Plaintiffs’ Nevada clаim is dismissed.

Texas’s data-breach notice statute provides only for attorney general enforcement, stating repeatedly that “[t]he attorney general may bring an action to recover the civil penalt[-y,-ies] imposed under this subsection,” Tex. Bus. & Com.Code Ann. § 521.151(a), (a-1), and that “the attorney general may bring an action ... to restrain the violation by a temporary restraining order or by a permanent or temporary injunction.” Id. § 521.151(b). Plaintiffs’ Texas claim is dismissed.

4.' Ambiguous language or non-exclusive remedies

Colorado’s data-breach notice statute provides that the “attorney general may bring an action ... to address violations of this section,” but also provides that the “provisions of this section are not exclusive.” Col.Rev.Stat. § 6-1^-716(4). This permissive language is, as Plaintiffs’ argue, at least ambiguous as to whether there is a private right of action under Colorado law. Given the procedural posture of this Motion, which requires the Court to view the law in the light most favorable to Plaintiffs, and absent any authority construing this ambiguity to exclude private rights of action, Plaintiffs’ Colorado claim will not be dismissed.

Delaware’s statute provides that “the Attorney General may bring an action ... to address the violations of this chapter.” 6 Del-Code Ann. § 12B-104. The statute further provides that its provisions “are not exclusive.” As in Colorado, it is at least ambiguous whether there is a private right of action. Plaintiffs’ Delaware claim will not be dismissed.

In Iowa, a violation of the data-breach notice statute

is an unlawful practice [under the consumer-protection statute] and, in addition to the remedies provided to the attorney general [in the consumer-protection statute], the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by this violation. Iowa Code § 715C.2(9)(a). The statute further provides, however, that the “rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.” Id. § 715C.2(9)(b). This is at least ambiguous as to whether private enforcement is permissible, and Plaintiffs’ Iowa claim will not be dismissed.

Kansas’s data-breach enforcement provision is substantially similar to Delaware’s. It provides that “the attorney general is empowered to bring an action .. .• to address violations of this section” and also states that the enforcement provisions are “not exclusive.” Kan. Stat.' Ann. § 50-7a02(g). Plaintiffs’ claim under Kansas law will not be dismissed.

Michigan law provides for a civil fíne for a violation of the data-breach notice statute, and that the “attorney general or a prosecuting attorney may bring an action to recover” that fíne. Mich. Comp. Laws § 445.72(13). The statute also provides that the quoted subsection 13 does “not affect the availability of any civil remedy for a violation of state or federal law.” Id. § 445.72(15). This implies that consumers may bring a civil action to enforce Michigan’s data-breaсh notice statute through Michigan’s consumer-protection statute or other laws. Plaintiffs Michigan claim will not be dismissed.

Wyoming provides that the “attorney general may bring an action in law or equity to address any violation of’ the data-breach notice statute, and that the “provisions of this section are not exclusive.” Wyo. Stat. Ann. §' 40-12-502(f). Plaintiffs’ Wyoming claim will not be dismissed.

5. No enforcement provision

Georgia’s data-breach-notice statute is silent as to enforcement. Ga.Code Ann. § 10-1-912. Neither party cites any case regarding how a court should interpret silence as to enforcement under Georgia law, and absent any such authority, Plaintiffs have plausibly alleged that private enforcement is possible and their Georgia claim survives.

Kentucky’s statute is likewise silent. Ky.Rev.Stat. Ann. § 365.732(2). But Kentucky law elsewhere provides that a “person injured by the violation of any statute may recover from the offender such damages as he sustained by reason of the violation.” Id. § 446.070. This section gives a private right of action for a violation of Kentucky’s data-breach notice statute. Plaintiffs’ Kentucky claim will not be dismissed.

Rhode Island’s statute provides that “[e]ach violation of this chapter is a civil violation for which a penalty of not more than a hundred dollars ($100) per occurrence and not more than twenty-five thousand dollars ($25,000) may be adjudged against a defendant.” R.I. Gen. Laws Ann. § ll-49.2-6(a). “When a statute does not plainly provide for a private cause оf action [for damages], such a right cannot be inferred.’ ” Stebbins v. Wells, 818 A.2d 711, 716 (R.I.2003). (quotation omitted, alteration in original). Plaintiffs have offered no contrary authority on Rhode Island’s statutory interpretation principles. Plaintiffs’ Rhode Island claim is dismissed.

Wisconsin’s statute, like Georgia’s, is silent on enforcement. Wis. Stat. § 134.98. Plaintiffs’ Wisconsin claim will not be dismissed.

6. Conclusion

Plaintiffs have withdrawn their claims under Florida, Oklahoma, and Utah law. In addition, the data-breach notice statutes of Arkansas, Connecticut, Idaho, Massachusetts, Minnesota, Nebraska, Nevada, and Texas allow for enforcement only by the state’s attorney general or other government official, and the Rhode Island statute’s silence on enforcement is to be construed as prohibiting private rights of action. Plaintiffs’ claims under these states’ laws are therefore dismissed. Plaintiffs have plausibly alleged data-breach notice claims from 26 states.

D. Negligence

Target argues that Plaintiffs’ negligence claim must be dismissed because Plaintiffs have failed to allege any damages that were caused by the breaches of duty they allege. Alternatively, Target contends that many states bar negligence claims for economic losses, and Target seeks the dismissal of the negligence claims brought under those states’ laws.

A claim of negligence requires a plaintiff to allege four elements: duty, breach, causation, and injury. Schmanski v. Church of St. Casimir of Wells, 243 Minn. 289, 67 N.W.2d 644, 646 (1954).⁷ Plaintiffs allege two different duties to support their negligence claims. First, Plaintiffs claim that Target had the duty “to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting and protecting [Plaintiffs’] personal and financial information in its possession from being compromised, lost, stolen, accessed and misused by unauthorized persons.” (Compl. ¶ 289-) Plaintiffs also allege that “Target owed a duty to timely and accurately disclose ... that [Plaintiffs’] personal and financial information had been or was reasonably believed to have been compromised.” (Id. ¶ 292.) For purposes of this Motion, Target does not dispute that Plaintiffs have plausibly alleged the existence of a duty. Target contends, however, that Plaintiffs have failed to allege any damages caused by the alleged breaches of duty, and that in any event some of Plaintiffs’ negligence claims are barred by the economic loss rule.

1. Damages

Most of Target’s contentions about damages are the same as those discussed previously with respect to standing. Those arguments, as discussed, are premature.

Target raises one new argument: that Plaintiffs have not alleged any damages whatsoever flowing from the alleged delay in notifying. them of the breach. The Complaint contends that timely disclosure of the breach would have allowed Plaintiffs to “take appropriate measures to avoid unauthorized charges ..:, cancel or change usernames and passwords on compromised accounts, monitor their account information and credit reports for fraudulent activity, contact their banks ..., obtain credit monitoring services and * take other steps to mitigate or ameliorate the damages caused by Target’s misconduct.” (Compl. ¶292.) Although Target would like a more detailed explanation of what damages were caused by the delayed breach notification, the allegations in the Complaint are not fatally insufficient. Rather, those allegations are a “short and plain statement,” Fed.R.Civ.P. 8(a)(2), that plausibly alleges that Plaintiffs suffered damage as a result of the delay. Plaintiffs’ negligence claim will not be dismissed on this basis.

2. Economic Loss Rule

The economic loss rule “bars a plaintiff from recovering for purely economic losses under a tort theory of negligence.” In re Michaels Stores Pin Pad Litig., 880 F.Supp.2d 518, 528 (N.D.Ill.2011). It reflects the belief “that tort law affords the proper remedy for loss arising from personal injury or damages to one’s property, whereas contract law and the Uniform Commercial Code provide the appropriate remedy for economic loss stemming from diminished commercial expectations without related injury to person or property.” Id.

. Target’s opening brief contends that the economic loss rule bars Plaintiffs’ negligence claims in 20 states. (Def.’s Supp. Mem. (Docket No. 205) at 29-30.) Target’s reply brief seems to narrow that to 12 states, stating that in eight of those original 20 states “the economic loss rule does not bar plaintiffs’ negligence claims absent some contractual duty.” (Def.’s Reply Mem. (Docket No. 246) at 24 & n. 22.) Thus, Target appears to concede that only 12 states would apply the economic loss rule to bar Plaintiffs’ claims here. However, Target’s reply brief appendix lists only 11 states that it argues would apply the economic loss rule to facts similar to this case, and although the parties did not clarify the issue at the hearing, the Court will assume that only these 11 states are at issue.

Courts in five of these states — -California, Georgia, Illinois, Massachusetts, and Pennsylvania — have faced data-breach claims such as those here; all of these courts dismissed the negligence claims based on the economic loss rule. Plaintiffs contend that these decisions are wrong and do not correctly apply the laws of the states in two ways. First, Plaintiffs assert that each state recognizes an independent-duty exception to the economic loss rule, so the rule does not apply where the duty alleged is an independent duty that does not arise from commercial expectations. (Pl.’s Opp’n Mem. at 56.) Target appears to concede that the duty on which Plaintiffs rely is an independent duty that, in some jurisdictions, takes Plaintiffs’ negligence claims out of the economic loss rule. Plaintiffs also contend that some states recognize a “special relationship” exception to the economic loss rule,⁸ and аgain, Target does not take issue with this premise but contends that this ease does not fit this exception in some of the jurisdictions. According to Target, the 11 states in Target’s reply appendix — including the five from which there are data-breach cases on point — either do not recognize the independent duty exception, are states in which the exception is narrowly drawn to exclude the duty alleged here, or are states in which the special-relationship exception does not include the situation at issue. The Court will discuss these 11 states in alphabetical order.

a.Alaska

Plaintiffs contend that Alaska recognizes an independent-duty exception to the economic loss rule. (Pls.’ App’x Ex. C (citing Mattingly v. Sheldon Jackson College, 743 P.2d 356, 360 (Alaska 1987)).) But the case on which Target relies, St. Denis v. Dep’t of Housing & Urban Dev., 900 F.Supp. 1194 (D.Alaska 1995), exhaustively cataloged all relevant caselaw regarding the independent-duty exception to the economic loss rule, including Mattingly, and determined -that Alaska law recognizes negligence claims “only if the breach of duty created a risk of personal injury or property damage.” Id. at 1203. This authority forecloses Plaintiffs Alaska negligence claim, and that claim is dismissed.

b.California

A court applying California law has dismissed negligence claims ‍​‌‌​​​‌‌‌​‌​​‌‌‌‌‌‌​​​​​‌​‌‌​​​‌‌​​​​​‌​‌‌‌‌‌‌‌‌‍in a data-breach case under the economic loss rule. In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (“Sony II ”), 996 F.Supp.2d 942, 967 (S.D.Cal.2014). Plaintiffs argue that Sony II misapplied the economic loss rule because California law recognizes such claims where there is an independent duty. But Sony II is directly on point and Plaintiffs cite no other аuthority that disagrees with Sony II’s statement of the law. Plaintiffs’ California negligence claims are dismissed on the basis of the economic loss rule.

c.District of Columbia

There is only one decision in the District of Columbia that addresses the economic loss rule and the parties disagree about its import. Aguilar v. RP MRP Washington Harbour, LLC, 98 A.3d 979 (D.C.2014). Aguilar involved workers seeking lost wages caused by the property owner’s alleged failure to raise flood walls around the property, allowing the property to flood and forcing the workers’ employers to close temporarily or, in one case, permanently. Id. at 980-81. The court first determined that the economic loss rule barred recovery in negligence for “a plaintiff who suffers only pecuniary injury.” Id. at 982-83. The court recognized, however, that where a “special relationship” exists that “provide[s] an independent duty of care,” the economic loss rule may not apply. Id. at 984.

Although the Aguilar court affirmed the grant of a motion to dismiss based on the economic loss rule, much of the opinion discussing the “special relationship” exception relied on factual determinations. For example, the court noted that the plaintiffs “were not especially likely to suffer serious economic loss as a result of [defendants’] conduct because too many variables beyond [defendants’] negligence ... could prove determinative.” Id. at 985 n. 4. But this is a factual determination: whether Plaintiffs can establish that, by virtue of giving Target access to their personal financial information, they were “especially likely to suffer serious economic loss as a result of [Target’s] negligence” is a question of fact. The application of the economic loss rule to Plaintiffs District of Columbia negligence claims is premature and must await further record development.

d. Georgia

Target cites to a data-breach case in Georgia that it contends forecloses any argument that Georgia’s economic loss rule does not bar Plaintiffs’ Georgia negligence claims. Willingham v. Global Payments, Inc., No. 1:12cv1157, 2013 WL 440702 (N.D.Ga. Feb. 5, 2013). But this opinion is a Magistrate Judge’s Report and Recommendation; it was not adopted or rejected by a District Court Judge because the parties settled the case during the objection period. Thus, unlike California where there is an opinion directly on point, the existence of this R & R does not by itself mean that Georgia’s economic loss rule bars Plaintiffs’ claims. Plaintiffs argue that Georgia recognizes an independent-duty exception to the economic loss rule.

The court in Willingham faced a negligence claim brought by consumers against the credit-card processor, not the merchant. The court rejected the notion that an independent duty might lie between the plaintiffs and the credit-card processor. Id. at *19. But that is not the situation here. Plaintiffs and Target have a direct relationship, not an attenuated one.

Plaintiffs cite Waithe v. Arrowhead Clinic, Inc., No. CV 409-021, 2012 WL 776916 (S.D.Ga. Mar. 7, 2012). In Waithe, the plaintiffs alleged negligence against a group of lawyers. On summary judgment, the court noted that Georgia’s economic loss rule does not bar a tort claim “where ‘an independent duty exists under the law.’” Id. at *7 (quoting Liberty Mut. Fire Ins. Co. v. Cagle’s, Inc., 2010 WL 5288673, at *3 (N.D.Ga. Dec. 16, 2010)). The Waithe court found no independent duty in that case because Georgia courts had not recognized the duty on which the Waithe plaintiffs relied. Id. at *8.

Neither party cites any authority regarding the duty Plaintiffs here allege: the duty to safeguard information. Absent Georgia authority refusing to recognize such an independent duty, Plaintiffs’ allegations are sufficient to establish that the economic loss rule does not bar their Georgia negligence claims.

e. Idaho

Under Idaho law, the economic loss rule will bar a negligence claim for pecuniary loss unless there is a special relationship between the parties or “where unique circumstances require a reallocation of the risk.” Aardema v. U.S. Dairy Sys., Inc., 147 Idaho 785, 215 P.3d 505, 512 (2009). Plaintiffs do not allege that the special-relationship exception applies because in Idaho that exception is “extremely narrow.” Id. Plaintiffs argue, instead, that there are unique circumstances here that require a reallocation of the risk.

Target points to a case holding that the “sale and purchase of a particular product does not create the type of ‘unique circumstance’ required to justify a different allocation of risk.” Millenkamp v. Davisco Foods Int’l, Inc., 391 F.Supp.2d 872, 879 (D.Idaho 2005). But neither party cites to a case with facts close to this case, and thus it is an open question whether the situation here fits within the “unique circumstances” exception to Idaho’s economic loss rule. Dismissal of Plaintiffs’ Idaho negligence claim is inappropriate at this stage.

f.Illinois

The court in In re Michaels faced a data-breach case similar to the instant matter and determined that Illinois’s economic loss rule barred the plaintiffs’ negligence claims. 830 F.Supp.2d at 530. Plaintiffs argue that the In re Michaels court misapplied Illinois law because Illinois law ostensibly recognizes the independent-duty exception. (Pls.’ Opp’n Mem. App’x Ex. C at 4 (citing Congregation of the Passion v. Touche Ross & Co., 159 Ill.2d 137, 201 Ill.Dec. 71, 636 N.E.2d 503, 515 (1994)).) But In re Michaels exhaustively surveyed the Illinois economic loss rule, including the Congregation of the Passion case. As the court found, Congregation of the Passion merely recognized an exception for professional malpractice cases if the duty breached is independent of contract. Id. at 529. The In re Michaels court concluded that the only exceptions to Illinois’s economic loss rule were (1) when the plaintiff suffered personal injury or property damage; (2) when the damages alleged were caused by an intentional, false representation; or (3) when the damages were caused by a negligent misrepresentation “of a defendant in the business of supplying information for the guidance of others in business transactions.” Id. at 528. None of these exceptions applies here, and thus'Plaintiffs’ Illinois negligence claim is barred by the economic loss rule.

g.Iowa

Plaintiffs contend that Iowa recognizes the independent-duty exception and that this exception saves their Iowa negligence claim. . But a recent decision by the Iowa Supreme Court forecloses Plaintiffs’ argument. See St. Malachy Roman Catholic Congregation of Geneseo v. Ingram, 841 N.W.2d 338 (Iowa 2013). In Ingram, the Iowa Supreme Court recognized three exceptions to the economic loss rule: professional negligence against attorneys and accountants, negligent misrepresentation claims, and when the duty arises out of a principal-agent relationship. Id. at 351-52 (citing Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499, 504 (Iowa 2011)). Plaintiffs cite no case establishing any other independent-duty exception. Rather, the case on which Plaintiffs rely merely states that the “damage for which recovery is sought [must] extend beyond the product itself in order for tort principles to apply,” and does not hold that an independent duty gives rise to an exception to the economic loss rule. Emp’rs Mut. Cas. Co. v. Collins & Aikman Floor Coverings, Inc., No. 4:02cv30467, 2004 WL 840561, at M7 (S.D.Iowa Feb. 13, 2004) (citations and quotations omitted). Plaintiffs’ Iowa negligence claim is barred by the economic loss rule.

h.Massachusetts

Interpreting Massachusetts law, the court in another data-breach case dismissed the plaintiffs’ negligence claim under the economic loss rule. In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498-99 (1st Cir.2009). Plaintiffs contend that In re TJX did not consider the existence of the independent-duty exception, but the case they cite for that exception was applying New Hampshire law, not Massachusetts law. MacDonald v. Old Republic Nat’l Title Ins. Co., 882 F.Supp.2d 236, 246 (D.Mass.2012). Target argues, without opposition, that Massachusetts recognizes no independent-duty exception. Plaintiffs’ Massachusetts negligence claim is dismissed.

i.Néw Hampshire

As noted above, New Hampshire does recognize an independent-duty exception to the economic loss rule. Target contends that this exception does not apply. Wyle v. Lees, 162 N.H. 406, 33 A.3d 1187, 1191 (2011). Wyle held that economic loss recovery is permitted when there is a special relationship between the parties or when there is “a negligent misrepresentation made by a defendant who is in the business of supplying information.” Id. According to Target, the New Hampshire Supreme Court has limited the special-relationship exception to situations involving either attorneys who draft a will and the intended beneficiaries or insurance investigators and the insured. See Plourde Sand & Gravel Co. v. JGI E. Inc., 154 N.H. 791, 917 A.2d 1250, 1254-55 (2007).

But Plourde also recognized that other independent duties may take a case out of the economic loss rule, although the court did not apply the independent-duty exception in that case. Id. at 1253-54; see also Animal Hosp. of Nashua, Inc. v. Antech Diagnostics, No. 11cv448, 2012 WL 1801742, at *2 (D.N.H. May 17, 2012) (citing Plourde for the proposition that independent duty might take case outside economic loss rule). The negligence claims in Antech arose directly from the parties’ contractual relationship and were therefore barred by the economic loss rule. 2012 WL 1801742, at *2. Thus, the court did not examine the contours of any independent-duty exception to the New Hampshire’s economic loss rule.

In the absence of authority as to the application of an indeрendent duty under New Hampshire law, or excluding a situation akin to that here from the application of any independent-duty exception, dismissal of Plaintiffs’ New Hampshire negligence claim at this stage is not warranted.

j.New York

The parties seem to agree that New York recognizes an independent-duty exception to the economic loss rule. Target contends that it does not apply here, but cites no case outlining that exception under New York law. Rather, the case on which Target relies, In re Facebook Inc., IPO Sec. & Derivative Litig., 986 F.Supp.2d 428 (S.D.N.Y.2013) determined that the independent-duty exception could apply if the parties’ “relationship [was] so close as to approach that of privity” or if “the defendant has a created a[sic] duty to protect the plaintiff.” Id. at 460-61. But that is what Plaintiffs allege here: a quasi-contractual, privity-like relationship with respect to their personal financial information. Dismissal of Plaintiffs’ New York negligence claims is not appropriate,

k.Pennsylvania

Finally, Pennsylvania courts have determined in a data-breach case that the economic loss rule bars a negligence claim. Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 177-78 (3d Cir.2008). The situation in Sovereign Bank, however, is more akin to that in the Financial ‍​‌‌​​​‌‌‌​‌​​‌‌‌‌‌‌​​​​​‌​‌‌​​​‌‌​​​​​‌​‌‌‌‌‌‌‌‌‍Institution Cases: as in those cases, Sovereign Bank involved an issuer bank suing a merchant for a data breach. Because of the clear contractual relationship between the parties in Sovereign Bank, the application of the economic loss rule to bar the bank’s negligence claim was more straightforward than application of the rule is in this case. Moreover, Pennsylvania recognizes a “special relationship” exception in situations involving “confidentiality, the repose of special trust or fiduciary responsibilities.” Valley Forge Convention & Visitors Bureau v. Visitor’s Servs., Inc., 28 F.Supp.2d 947, 952 (E.D.Pa.1998). Plaintiffs’ allegations here are that they reposed trust in Target or that Target bore a fiduciary-like responsibility to safeguard their financial information. Plaintiffs have plausibly pled the existence of a special relationship that Pennsylvania courts would recognize as an exception to the economic loss rule. Therefore, Plaintiffs’ Pennsylvania negligence claim will not be dismissed.

1. Conclusion

The economic loss rule in Alaska, California, Illinois, Iowa, and Massachusetts appears to bar Plaintiffs’ negligence claims under the laws of those states. Plaintiffs’ negligence claims in the remaining states may go forward.

E. Breach of Implied Contract

Count IV of the Complaint claims that Plaintiffs and Target had an implied contract in which Plaintiffs agreed to use their credit or debit cards to purchase goods at Target and Target agreed to safeguard Plaintiffs’ personal and financial information. (Compl. ¶¶ 314-15.) Target contends that Plaintiffs have failed to allege any meeting of the minds as to this alleged implied contract and have therefore failed to state a claim. In support, Target cites two decisions dismissing implied-contract claims for failure tо allege a meeting of the minds. Plaintiffs in turn cite two decisions that found dismissal of such claims premature.

The court in another multidistrict litigation case involving a retail data breach found that plaintiffs had failed to allege any express or implied contract under Nevada, Florida, Texas, and Alabama law. In re Zappos.com, Inc., No. 3:12ev325, 2013 WL 4830497, at *3 (D.Nev. Sept. 9, 2013). The' court’s discussion of the issue is short, however, and does not offer any legal authority for its determination that statements about the retailer’s data-security measures “do not create any contractual obligations.” Id. As such, the decision is not persuasive on this issue.

■ Target’s other authority is Krottner v. Starbucks Corp'., 406 Fed.Appx. 129 (9th Cir.2010). That ease involved a stolen laptop that contained unencrypted personal information for nearly 100,000 Starbucks employees. The Ninth Circuit found that the plaintiffs had not adequately alleged the existence of a contract under Washington law because they had failed to allege that they read or saw the documents on which they relied for the contract, or that such documents constituted an offer. Id. at 131. The court of appeals therefore affirmed the district court’s dismissal of the implied-contract claim. Id. at 132.

In contrast, another MDL data-breach case found that whether an implied contract exists is a question of fact under Maine law.⁹ In re Hannaford Bros. Customer Data Sec. Breach Litig., 613 F.Supp.2d 108, 118 (D.Me.2009). The court noted that a jury could reasonably find that a customer’s use of a credit or debit card to pay at a retailer may include the implied contract term that the rеtailer “will take reasonable measures to protect the information” on those cards. Id. at 119. The court therefore denied the motion to dismiss, a denial that was affirmed by the First Circuit. See Anderson v. Hannaford Bros. Co., 659 F.3d 151, 158-59 (1st Cir.2011) (finding that a jury must determine the existence of an implied contract term). The court in In re Michaels followed this reasoning and declined to dismiss implied-contract claims under Illinois law. 830 F.Supp.2d at 531-32.

As the In re Hannaford Bros, court found, a determination of the terms of the alleged implied contract is a factual question that a jury must determine. Plaintiffs have plausibly alleged the existence of an implied contract as well as its terms, and this allegation is sufficient to allow the claim to go forward.

Target also contends that Plaintiffs have failed to establish any damages flowing from the alleged breach of the implied contract. This argument merely restates Target’s contention that Plaintiffs have not alleged any damages here, and as discussed in more detail above, that contention is incorrect.

F.Breach of Contract

The breach of contract claim (Count V) alleges a breach of the REDcard agreement, and is brought only by REDcard debit cardholders. Target’s REDcard debit-card agreement provides that it is governed by South Dakota law. Target argues that Plaintiffs have failed to allege any breach of the agreement or any damages resulting therefrom.

The Complaint specifically alleges that Target breached a provision of the agreement in which Target сlaimed to “use security measures that comply with federal law.” (Compl. ¶ 325.) Target notes that Plaintiffs have not alleged any federal law with which Target failed to comply. Plaintiffs respond that they are not required to plead the law, only sufficient facts to support their claim.

If the breach of the parties’ contract is Target’s alleged failure to comply with federal law, however, Plaintiffs must plead the federal law or laws with which Target allegedly did not comply. The breach-of-contract claim is dismissed without prejudice, so that Plaintiffs may re-plead and sufficiently allege the elements of their breach-of-contract claim, should they wish to do so.

G. Bailment

A bailment is “the delivery of property for some purpose upon a contract, express or implied, that after the purpose has been fulfilled, the property shall be redelivered to the bailor or otherwise dealt with according to his directions.” Indemnity Ins. Co. of N. Am. v. Hanjin Shipping Co., 348 F.3d 628, 637 (7th Cir.2003) (applying Illinois law). Even if Plaintiffs are correct that intangible property such as their personal financial information can constitute property subject to bailment principles, they have not — and cannot — allege that they and Target agreed that Target would return the property to them. See Richardson v. DSW, Inc., No. 05C4599, 2005 WL 2978755, at *4 (N.D.Ill. Nov. 3, 2005). Moreover, Plaintiffs allege that third parties stole the information, not that Target wrongfully retained that information. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F.Supp.2d 942, 974 (S.D.Cal.2012). Plaintiffs’ allegations do not state a claim for bаilment, and Count VI is dismissed. This dismissal is with prejudice, because there is no indication that Plaintiffs can plausibly allege the existence of a bailment in this case.

H. Unjust Enrichment

The substantive law of unjust enrichment is consistent across all jurisdictions: Plaintiffs must plead that Target “knowingly received or obtained something of value [] which [it] ‘in equity and good conscience’ ” should not have received. ServiceMaster of St. Cloud v. GAB Bus. Servs., Inc., 544 N.W.2d 302, 306 (Minn.1996) (citation omitted).

Two theories support Plaintiffs’ unjust-enrichment claim. First, Plaintiffs allege that the purchase price of the goods Target sold included a premium for adequate data security. By failing to maintain that security, Plaintiffs assert that they were overcharged for the goods they received. The parties call this the “overcharge” theory. Plaintiffs’ second theory is the “would not have shopped” theory discussed previously. This theory contends that, had Target notified its customers about the data breach in a timely manner, Plaintiffs would not have shopped at Target and thus any money Plaintiffs spent at Target after Target knew or should have known about the breach is money to which Target is not entitled.

Plaintiffs’ “overcharge” theory has no merit, and the case on which Plaintiffs rely for this theory is not on point. Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir.2012). In Resnick, a health care plan’s laptops containing the unencrypted personal information of its members were stolen. Two members sued contending that their identities had been stolen as a result of the laptop theft. They raised a claim for unjust enrichmеnt, alleging that part of the premiums they paid to AvMed were used to pay for data security and that AvMed was unjustly enriched because it did not maintain adequate data-security standards. Id. The Eleventh Circuit reversed the district court’s dismissal of the unjust-enrichment claim, finding that the allegations, taken as true, stated a claim for unjust enrichment. Id.

In AvMed, every member of the health care plan paid the allegedly increased charge for data security because every member’s personal information was at risk from insufficient security. But the same is not true at Target. Target charges all shoppers the same price for the goods they buy whether the customer pays with a credit card, debit card, or cash. But cash customers face no risk that a computer hacker will steal their personal financial information. If Target charged credit- and debit-card customers more for their purchases to offset the costs of data security, Plaintiffs might have a plausible allegation in this regard. But the fact that all customers regardless of payment method pay the same price renders Plaintiffs’ overcharge theory implausible. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *5 (N.D.Ill. Sept. 3, 2013) (finding no merit to overcharge theory when plaintiffs did not plead that retailer “charged a higher price for goods whether.a customer pays with credit, and therefore, that additional value is expected in the use of a credit card”).

Plaintiffs’ “would not have shоpped” theory, however, is plausible and supports their claim for unjust enrichment. If Plaintiffs can establish that they shopped at Target after Target knew or should have known of the breach, and that Plaintiffs would not have shopped at Target had they known about the breach, a reasonable jury could conclude that the money Plaintiffs spent at Target is money to which Target “in equity and good conscience” should not have received. This portion of Plaintiffs’ unjust enrichment claim is not dismissed.

CONCLUSION

As outlined above, the majority of Plaintiffs’ claims survive Target’s Motion. Accordingly, IT IS HEREBY ORDERED that:

1. Defendant’s Motion to Dismiss the Consolidated First Amended Class Action Complaint in the Consumer Cases (Docket No. 202) is GRANTED in part and DENIED in part.

2. Plaintiffs’ claims under the Delaware Uniform Deceptive Trade Practices Act, the Oklahoma Deceptive Trade Practices Act, and the Wisconsin Deceptive Trade Practices Act in Count I are DISMISSED with prejudice. In addition, Plaintiffs may not maintain a class action as to their claims under the consumer-protection statutes in Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, Tennessee, and Utah.

3. Plaintiffs have withdrawn their Count II data-breach notice statutory claims under Florida, Oklahoma, and Utah law, and their claims under Arkansas, Connecticut, Idaho, Massachusetts, Minnesota, Nebraska, Nevada, Rhode Island, and Texas law are DISMISSED with prejudice.

4. Plaintiffs’ Count III negligence claims undеr Alaska, California, Illinois, Iowa, and Massachusetts law are barred by the economic loss rule and are DISMISSED with prejudice.

5. Count V, alleging breach of contract, is DISMISSED without prejudice. Plaintiffs shall have 30 days from the date of this Order to file an Amended Complaint sufficiently alleging the required elements of their breach-of-contract claim, should they wish to do so.

6. Count VI, alleging bailment, is DISMISSED with prejudice.

7. Count VII, alleging unjust enrichment, is GRANTED as to Plaintiffs’ “overcharge” theory and DENIED as to Plaintiffs’ “would not have shopped” theory.

Notes

1 . The First Amended Consolidated Class Action Complaint seeks the eventual certification of multiple classes of Plaintiffs: statewide consumer law classes (Compl. ¶ 240); statewide data breach statute classes (id. ¶ 241); statewide classes for the negligence, breach of implied contract, bailment and/or unjust enrichment claims (id. ¶ 242); and a nationwide Target REDcard class (id. ¶ 243).

2 . The Court will refer to this pleading as the Complaint.

3 . Of course, if np class is certified and there are no Plaintiffs from certain jurisdictions, Target may also renew its standing arguments.

4 . Target also contends that Plaintiffs cannot raise consumer protection claims under states' laws for states in which no named Plaintiff resides. ■ But that argument, as discussed above, is premature.

5 . Plaintiffs have brought claims under both the California Consumer Legal Remedies Act and the California Unfair Competition Law. According to Target, the Consumer Legal Remedies Act claim should be dismissed in its entirety and the Unfair Competition Law claim should be dismissed as to any claim arising оut of allegedly deceptive conduct. (Def.’s Supp. Mem. at 21-22 & n. 13, 15.)

6 . Plaintiffs’ brief states that nine states that allow private enforcement of their data-breach notice statute through the state's consumer-protection statute, but Plaintiffs’ Appendix lists only eight states in this category. The ninth state may be Tennessee, which provides for a private right of action in the data-breach notice statute and also provides for enforcement of the data-breach notice statute through the consumer-protection statute. Tenn.Code Ann. § 47-18-2105©; id. § 47-18-2106. Target does not contend that Plaintiffs' claim under Tennessee law should be dismissed for lack of a private right of action.

7 . These elements are substantially identical in every jurisdiction ‍​‌‌​​​‌‌‌​‌​​‌‌‌‌‌‌​​​​​‌​‌‌​​​‌‌​​​​​‌​‌‌‌‌‌‌‌‌‍in which Plaintiffs raise a negligence claim.

8 . This "special relationship” exception is not the same as the special relationship doctrine discussed in the Court's ruling on the Motion to Dismiss in the Financial Institution Cases. (Dec. 2, 2014 Mem. & Order (Docket No. 261) at 4-5.) In that case, a special relationship creates a duty of care under Minnesota law. Here, a special relationship may prevent the application of the economic loss doctrine.

9 ., Target argues that the two cases on which Plaintiffs rely should be limited to applying to the state laws discussed therein, but does not acknowledge that their own authority similarly dealt with only a few states’ laws. (Def.’s Supp. Mem. at 32 n. 23.)

Case Details

Case Name: In re Target Corp. Customer Data Security Breach Litigation

Court Name: District Court, D. Minnesota

Date Published: Dec 18, 2014

Citation: 66 F. Supp. 3d 1154

Docket Number: MDL No. 14-2522 (PAM/JJK)

Court Abbreviation: D. Minnesota