Quaife v. Brady Martz & Associates, P.C., 3:23-cv-00176

Case Information

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NORTH DAKOTA EASTERN DIVISION

Jason Quaife, John Hoffer, Amanda )

Koffler, and Alec R. Kiesow, on behalf of )

themselves individually and all others )

similarly situated, ) ORDER

)

Plaintiffs, )

) Case No. 3:23-cv-176 vs. )

)

Brady, Martz & Associates, P.C., )

)

Defendant. )

Defendant Brady Martz & Associates, P.C. (“Brady Martz”) moves to dismiss the consolidated class action complaint for lack of jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and failure to state a claim upon which relief may be granted under Federal Rule of Civil Procedure 12(b)(6). Doc. 20. The class Plaintiffs oppose the motion. Doc. 21. For the reasons below, the motion is granted in part and denied in part.

I. FACTUAL BACKGROUND

The factual background, which is accepted as true for the purposes of this motion, is taken from the Plaintiffs’ first amended complaint. Doc. 15. This is a class action case brought by several individuals against Brady Martz that alleges various tort and statutory claims arising from a data breach in November 2022. Id.

Brady Martz is an “accounting, tax, and audit services firm . . . based in Grand Forks, North Dakota, and operating throughout North Dakota and in northwestern Minnesota.” Doc. 15 at 1. Its clients include individuals, companies, and businesses, that provide Brady Martz personal information of individuals (including employees and owners) so Brady Martz can provide tax and accounting services. Id. at 7. Some examples of the personal information include full names, social security numbers, driver’s license numbers, and dates of birth, as well as financial account information and medical records. Id. The class Plaintiffs were not clients of Brady Matz; their personal information was provided to Brady Martz from their employers or other organizations that were clients of Brady Martz. Id. at 5-6.

As alleged, in November 2022, Brady Martz noticed some unusual activity on its networks.

Id. at 2. It retained cybersecurity specialists and discovered that cybercriminals accessed its information systems and databases and allegedly “stole vast quantities of [personal information] belonging to Plaintiffs[.]” Id. at 3.

The Plaintiffs’ claims arise from the data breach—they seek relief from, among other things, “the consequences of [Brady Martz’s] failure to reasonably safeguard” their personal information. Id. at 5. They allege six claims: negligence, negligence per se, unjust enrichment, declaratory judgment, violation of the Massachusetts Consumer Protection Act, and violation of North Dakota Century Code section 51-22-02.

II. LAW AND ANALYSIS

Brady Martz moves to dismiss the amended complaint for failure to state a claim upon which relief can be granted pursuant to Federal Rule of Civil Procedure 12(b)(6). Federal Rule of Civil Procedure 8(a) requires a pleading to contain only “a short and plain statement of the claim showing that the pleader is entitled to relief.” But a complaint may be dismissed for “failure to state a claim upon which relief can be granted,” and a party may raise that defense by motion. Fed. R. Civ. P. 12(b)(6). In reviewing a motion to dismiss for failure to state a claim under Rule 12(b)(6), the court accepts as true the factual allegations in the complaint and draws all reasonable inferences in the plaintiff’s favor. Gorog v. Best Buy Co., 760 F.3d 787, 792 (8th Cir. 2014)

(citation omitted). Although the factual allegations need not be detailed, they must be sufficient to “raise a right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (citation omitted). The complaint must “state a claim to relief that is plausible on its face.” Id. at 570.

Because this is a class action case, with class Plaintiffs in many states, “an individualized choice-of-law analysis must be applied to each plaintiff's claim in a class action.” In re St. Jude Med., Inc., 425 F.3d 1116, 1120 (8th Cir. 2005). But courts generally decline to conduct a choice- of-law analysis prior to discovery. See Cantonis v. Stryker Corp., 2011 WL 1084971, at *3 (D. Minn. Mar. 21, 2011) (explaining that “it would be inappropriate to engage in an analysis of what state’s laws are to be used throughout the remainder of the litigation”). So, for this motion to dismiss, the Plaintiffs’ negligence, negligence per se, and unjust enrichment claims are reviewed under North Dakota, Minnesota, and Massachusetts law. See In re Netgain Tech., LLC, No. 21- CV-1210 (SRN/LIB), 2022 WL 1810606, at *7 (D. Minn. June 2, 2022).

A. Negligence

Brady Martz argues the amended complaint fails to state a negligence claim because the Plaintiffs failed to plausibly allege a duty. Doc. 19 at 9. The elements of a negligence claim are “(1) duty; (2) breach of that duty; (3) causation; and (4) damages.” Barbie v. Minko Constr., Inc., 2009 ND 99, ¶ 8, 766 N.W.2d 458. ^[1] “When a duty does not exist, there is no negligence.” Devore v. Am. Eagle Energy Corp., 2020 ND 23, ¶ 18, 937 N.W.2d 503, 507. The existence of a duty is typically a question of law. Twogood v. Wentz, 2001 ND 167, ¶ 12, 634 N.W.2d 514, 518; Bjerke v. Johnson, 742 N.W.2d 660, 664 (Minn. 2007); Jupin v. Kask, 447 Mass. at 143.

The amended complaint generally alleges Brady Martz owed the Plaintiffs a duty to exercise reasonable care in obtaining and safeguarding their personal information. Doc. 15 at 35- 36. The Plaintiffs also allege that Brady Martz’s failure to comply with Section 5 of the Federal Trade Commission Act (“FTC Act”) is evidence of a duty that was breached. Id. at 36. When determining if a duty exists in North Dakota:

The court must balance the following factors when determining the existence of duty in each particular case: (1) foreseeability of harm to plaintiff; (2) degree of certainty that plaintiff suffered injury; (3) closeness of connection between defendant’s conduct and injury suffered; (4) moral blame attached to defendant’s conduct; (5) policy of preventing future harm; (6) extent of burden to defendant and the consequences to the community of imposing a duty to exercise care with resulting liability for breach; and (7) availability, cost, and prevalence of insurance for the risk involved.

Hurt v. Freeland, 1999 ND 12, ¶ 13, 589 N.W.2d 551, 555 (citing W. Page Keeton et al., Prosser and Keeton on the Law of Torts § 53, at 359 n. 24 (5th ed. 1984)). Minnesota considers five of these seven factors when deciding if a duty exists. See Domagala v. Rolland, 805 N.W.2d 14, 23 (Minn. 2011). And Massachusetts does not weigh factors but recognizes tha t every actor has a duty to exercise reasonable care to avoid foreseeable harm to others. Jupin, 447 Mass. at 147. Here, the amended complaint contains sufficient factual allegations as to foreseeability, the connection between Brady Martz’s inaction and the stolen personal information, and the certainty that the Plaintiffs suffered injuries as a result of their personal information being stolen. Said another way, on the specific factual allegations here, the Plaintiffs have plausibly alleged that Brady Martz had a duty of reasonable care to safeguard their personal information under North Dakota, Minnesota, and Massachusetts law.

That is not the end of the analysis though. In North Dakota, Minnesota, and Massachusetts, there is no duty to control the conduct of a third person as to prevent him from causing harm to another unless a “special relationship” exists that imposes a duty to control the third person’s conduct, or a special relationship exists requiring the actor to protect the other. Saltsman v. Sharp, 2011 ND 172, ¶ 8, 803 N.W.2d 553, 557; Domagala v. Rolland, 805 N.W.2d 14, 23 (Minn. 1936); Jupin, 447 Mass. at 148. Brady Martz argues the requirements for a “special relationship” have not been alleged, so it is not responsible for the bad acts of a third party.

But the allegation in the complaint is not that Brady Martz should have controlled the cyber criminals. Instead, the accusation is that Brady Martz should have had better data security measures in place because a data breach was foreseeable. It is Brady Martz’s security practices which constitute potential negligence, not the conduct of the cyber criminals. See In re Netgain Tech., LLC, at *11. And, in any event, “[a] defendant who assumes custody or assumes responsibility of something may be held to have a special relationship with the plaintiff. Jay P. Kesan & Carol M. Hayes, Liability for Data Injuries, 2019 U. Ill. L. Rev. 295, 321 (2019). At this early stage, the Plaintiffs have pleaded sufficient facts to support a plausible negligence claim.

B. Negligence Per Se

Brady Martz next argues the amended complaint fails to state a claim for negligence per se. Doc. 15 at 39. North Dakota and Massachusetts do not recognize negligence per se. See Larson v. Kubisiak, 1997 ND 22, ¶ 8, 558 N.W.2d 852 (“the violation of a statutory duty is evidence of negligence and not negligence per se”); see Juliano v. Simpson, 461 Mass. 527, 532 (2012). But Minnesota does.

“Negligence per se is a form of ordinary negligence that results from violation of a statute.” Seim v. Garavalia , 306 N.W.2d 806, 810 (Minn. 1981). “A per se negligence rule substitutes a statutory standard of care for the ordinary prudent person standard of care, such that a violation of a statute . . . is conclusive evidence of duty and breach.” Gradjelick v. Hance , 646 N.W.2d 225, 231 n. 3 (Minn. 2002). For a statutory violation to satisfy the duty and breach elements, the person harmed by the violation must be among those the legislature intended to protect, and the harm must be of the type the legislature intended to prevent by enacting the statute. Anderson v. Anoka Hennepin Ind. Sch. Dist. 11 , 678 N.W.2d 651, 662-63 (Minn. 2004).

The Plaintiffs claim Brady Martz violated Section 5 of the FTC Act and that that violation constitutes negligence per se under Minnesota law. Doc. 15 at 40. Section 5 of the FTC Act gives the FTC the authority to enforce against “unfair . . . practices in or affecting commerce.” 15 U.S.C. § 45(a). The FTC Act does not create a private right of action. FTC v. Johnson, 800 F.3d 448, 452 (8th Cir. 2015). Multiple courts have found that this bars a negligence per se claim because the FTC enforces the Act. Pica v. Delta Air Lines, Inc., 2018 WL 5861362, at *9 (C.D. Cal. Sept. 18, 2018); In re Netgain Tech., LLC, at *16 (D. Minn. June 2, 2022). In Netgain Tech, a district court applying Minnesota law found that the FTC Act could not be used to proceed with a negligence per se theory because it gives the FTC enforcement authority. 2022 WL 1810606, at *16. The same analysis applies here, and the claim for negligence per se is dismissed. Notably though, this does not preclude the Plaintiffs from using any alleged lack of compliance with the FTC Act as evidence in support of their negligence claim.

C. Unjust Enrichment

Brady Martz next alleges the Plaintiffs have failed to state a claim for unjust enrichment.

In North Dakota:

Unjust enrichment is a broad, equitable doctrine which rests upon quasi or constructive contracts implied by law to prevent a person from unjustly enriching himself at the expense of another. To recover under a theory of unjust enrichment, the plaintiff must prove: (1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and the impoverishment, (4) the absence of a justification for the enrichment and impoverishment, and (5) the absence of a remedy provided by law. The theory may be invoked when a person has and retains money or benefits which in justice and equity belong to another. For a complainant to recover, it is sufficient if another has, without justification, obtained a benefit at the direct expense of the complainant, who then has no legal means of retrieving it. The essential element in recovering under the theory is the receipt of a benefit by the defendant from the plaintiff which would be inequitable to retain without paying for its value.

McDougall v. AgCountry Farm Credit Servs., PCA, 937 N.W.2d 546, 553 (N.D. 2020) (citation omitted). “Claims for relief may be sought under different or alternative theories. Although a party is generally not entitled to an equitable remedy if there is an adequate remedy at law, a party may seek relief and proceed on both types of claims and the legal claims will generally be resolved first.” McColl Farms, LLC v. Pflaum, 837 N.W.2d 359, 367 (N.D. 2013) (citation omitted). “The essential element in recovering under the theory is the receipt of a benefit by the defendant from the plaintiff which would be inequitable to retain without paying for its value.” Thimjon Farms P’ship v. First Int’l Bank & Tr., 837 N.W.2d 327, 336 (N.D. 2013) (emphasis added) (quoting Hayden v. Medcenter One, Inc., 828 N.W.2d 775, 781 (N.D. 2013)). Minnesota also requires a direct relationship between the parties and no other available remedy in a claim for unjust enrichment. See Southtown Plumbing, Inc. v. Har-Ned Lumber Co., 493 N.W.2d 137, 141 (Minn. Ct. App. 1992). Massachusetts also requires a benefit to be conferred by the plaintiff to a defendant. Santagate v. Tower, 64 Mass. App. Ct. 324, 329, 833 N.E.2d 171, 176 (2005).

Here, there is no allegation of a direct relationship between the Plaintiffs and Brady Martz. Nor could there be. There was no benefit conferred to Brady Martz by the Plaintiffs because Brady Martz did not contract with the Plaintiffs for accounting services—it contracted with the Plaintiffs’ employers. There are no allegations that the employers did not receive the benefit of their bargain with Brady Martz. See Flesner v. Bayer AG, 596 F.3d 884, 892 (8th Cir. 2010) (no unjust enrichment where party “received the benefit of his bargain”). So, the amended complaint does not plausibly allege unjust enrichment, and the claim is dismissed.

D. Massachusetts Consumer Protection Act

Brady Martz also asserts the sole Massachusetts Plaintiff failed to state a claim under the Massachusetts Consumer Protection Act (“MCPA”). It claims that the alleged acts did not occur primarily and substantially within Massachusetts, as required by the statute.

The MCPA requires the actions and transactions constituting the unfair or deceptive act or practice to occur “primarily and substantially” within Massachusetts. Kuwaiti Danish Computer Co. v. Digital Equip. Corp., 438 Mass. 459, 781 N.E.2d 787, 798 (Mass. 2003).Whether the misconduct “occurred primarily and substantially within [Massachusetts] is not a determination that can be reduced to any precise formula.” Id. The key question is “whether the center of gravity of the circumstances that give rise to the claim is primarily and substantially within the Commonwealth.” Id. at 799. A defendant bears the burden to show the conduct did not occur primarily and substantially in Massachusetts. Pine Polly, Inc. v. Integrated Packaging Films IPF, Inc., 2014 WL 1203106, at *7 (D. Mass. Mar. 19, 2014).

The amended complaint is silent regarding any action of Brady Matz in Massachusetts. The Plaintiffs concede “[t]he conduct in question likely took place in North Dakota, as Defendant’s employees and decision-makers are (as far as Plaintiffs know) all in North Dakota.” Doc. 21 at 14. In Pine Polly, a federal district court, interpreting Massachusetts law, found that the center of gravity inquiry requires deceptive conduct take place in Massachusetts. 2014 WL 1203106, at *9. The same applies here. The amended complaint does not allege sufficient facts to plausible allege that the conduct at issue occurred in Massachusetts. So, the MCPA claim is dismissed.

E. Illegal Disclosure Under North Dakota Century Code § 51-22-02 Brady Martz next argues that the Plaintiffs have not adequately plead a claim for violation of North Dakota Century Code section 51-22-02. That statute states: No business entity which charges a fee for data processing services performed may disclose in whole or in part the contents of any record . . . without the express written consent of such individual or business entity.

N.D. Cent. Code § 51-22-02(1). Brady Martz argues that disclosure requires an intentional or willful disclosure of information and does not apply to a data breach where a third-party steals information. The Plaintiffs argue that an intentional or willful disclosure is not required.

The statute does not define “disclose.” Under North Dakota law, when a word is undefined as part of a particular statute, the definition from a separate statute can be used to determine the word’s meaning, unless a “contrary intention plainly appears.” N.D. Cent. Code § 1-01-09. Here, the Plaintiffs encourage the Court to use the definition of “disclose” or “disclosure” from North Dakota Century Code section 32-49-01(3), which is the Uniform Civil Remedies for Unauthorized Disclosure of Intimate Images Act. No contrary intention plainly appears, and per that statute, “disclose” means to transfer, publish, or distribute to another person.

While these acts do not require intent or willfulness, they do require some type of action.

But what has been alleged is inaction:

Defendant disclosed Plaintiffs and Class Members’ PI to third parties without their consent by failing to take appropriate measures to safeguard and protect that PI amidst a foreseeable risk of a cybersecurity attack, resulting in the Data Breach. Doc. 15 at 47. There is no accusation that Brady Martz transferred, published, or distributed the personal information to a third party. The allegations are that cyber criminals accessed Brady Martz’s computer systems and stole the information. And the primary complaint is about Brady Martz’s alleged inaction in preventing the breach. That supports a claim for negligence, but it is not enough to plausibly allege a claim under North Dakota Century Code section 51-22-02.

F. Declaratory Judgment

Brady Martz argues that Plaintiffs’ claims for declaratory judgment and injunctive relief should be dismissed because the Plaintiffs due not have standing. To establish Article III standing, a plaintiff, among other elements, “must show . . . an injury in fact.” Becker v. N. Dakota Univ. Sys., 2023 WL 130410, at *5 (D.N.D. Jan. 9, 2023). An injury in fact requires “an invasion of a legally-protected interest which is (a) concrete and particularized and (b) actual and imminent, not conjectural or hypothetical.” Id. (quoting Sierra Club v. Robertson, 28 F.3d 753, 758 (8th Cir.

1994).

The Declaratory Judgment Act permits the judiciary to “declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). The Plaintiffs allege they are “at risk of harm due to the exposure of their PI and Defendant’s failure to address the security failings that lead to such exposure.” Doc. 15 at 23. At this early stage, there is an alleged risk of harm and injury in fact as to the stole personal information that is sufficient to have standing and to survive a motion to dismiss. See In re Netgain Tech., LLC, at *17 (D. Minn. June 2, 2022) (denying motion to dismiss claim for declaratory judgment in data breach case); In re The Home Depot, Inc., Customer Data Sec. Breach Litig., 2016 WL 2897520, at *4-5 (N.D. Ga. May 18, 2016) (denying motion to dismiss claims for declaratory and injunctive relief in data breach case).

G. Additional Plaintiff

Finally, Brady Martz raises a procedural concern with the addition of class Plaintiff Samantha Stock. When the Plaintiffs filed the amended complaint, they added Stock as a Plaintiff without leave of court. “Under [Federal Rule of Civil Procedure] Rule 42, courts have substantial discretion in questions of consolidation.” Greiner v. Delorme, No. 3:18-cv-247, 2020 WL 12957751, at *2 (D.N.D. Apr. 23, 2020). Claims and issues sharing common aspects of law or fact may be consolidated to avoid unnecessary cost or delay. E.E.O.C. v. HBE Corp., 135 F.3d 543, 550-51 (8th Cir. 1998). Because Brady Martz has not been prejudiced by the addition of Plaintiff Stock, the Court will allow her to be added as a class Plaintiff.

III. CONCLUSION

For the reasons discussed above, Brady Martz’s motion to dismiss the amended complaint (Doc. 20) is GRANTED IN PART AND DENIED IN PART .

IT IS SO ORDERED .

Dated this 22nd day of May, 2024.

/s/ Peter D. Welte Peter D. Welte, Chief Judge United States District Court

Notes

[1] The elements are the same in Minnesota and Massachusetts. Schmanski v. Church of St. Casimir of Wells, 67 N.W.2d 644, 646 (Minn. 1954); Jupin v. Kask, 447 Mass. 141, 146, 849 N.E.2d 829, 834-35 (2006).

Case Details

Case Name: Quaife v. Brady Martz & Associates, P.C.

Court Name: District Court, D. North Dakota

Date Published: May 22, 2024

Citation: 3:23-cv-00176

Docket Number: 3:23-cv-00176

Court Abbreviation: D.N.D.