Toretto v. Donnelley Financial Solutions, Inc., 583 F.Supp.3d 570

Case Information

USDC SDNY DOCUMENT ELECTRONICALLY FILED UNITED STATES DISTRICT COURT DOC #: _________________ SOUTHERN DISTRICT OF NEW YORK DATE FILED: 2/4/2022 ------------------------------------------------------------------ X PHILLIP TORETTO, DANIEL C. KING, and :

SHERI BRAUN, individually and on behalf of :

others similarly situated, :

: 1:20-cv-2667-GHW Plaintiffs, : -against- : MEMORANDUM OPINION : AND ORDER

DONNELLEY FINANCIAL SOLUTIONS, INC. : and MEDIANT COMMUNICATIONS, INC., :

:

Defendants. :

------------------------------------------------------------------ X

GREGORY H. WOODS, United States District Judge:

Plaintiffs bring this putative class action against Defendants Donnelley Financial Solutions, Inc. (“Donnelley”) and Mediant Communications, Inc. (“Mediant”), alleging claims for negligence, negligence per se , breach of contracts to which Plaintiffs are third-party beneficiaries, unjust enrichment, violation of the California Customer Records Act (the “CRA”), violation of the California Unfair Competition Law (the “UCL”), violation of the Florida Deceptive and Unfair Trade Practices Act (the “FDUTPA”), and declaratory judgment. Plaintiffs’ claims stem from a data breach of one of Mediant’s email servers, in which hackers stole the personal information of over 200,000 individuals. Mediant obtained Plaintiffs’ personal information while working with Donnelley to provide proxy services to public companies and mutual funds in which Plaintiffs had invested. Defendants moved to dismiss Plaintiffs’ complaint. Because Plaintiffs plausibly allege that Mediant breached its duty to exercise reasonable care safeguarding Plaintiffs’ personal information, Plaintiffs’ negligence and declaratory judgment claims against Mediant can proceed. However, Mediant’s motion to dismiss is granted as to the remainder of Plaintiffs’ claims and Donnelley’s motion to dismiss is granted in full.

I. BACKGROUND

Facts ^[1]

1. The Hack On April 1, 2019, hackers gained unauthorized access to Mediant’s business email accounts. Second Amended Complaint (the “SAC”), Dkt. No. 57, ¶ 16. The hackers stole the personal information of a number of individuals, including the named Plaintiffs in this case. Id. ¶¶ 6–8, 29– 30, 36–38, 42–43. Mediant had received the personal information as part of its business providing investor communication services to financial institutions. ¶ 20. Mediant discovered the hack the day of the intrusion, and promptly disconnected the affected server from its system. Id. ¶ 16. Mediant began an investigation into the breach, but the company did not immediately notify the impacted customers. Id. It was not until the end of May 2019, nearly two months after the breach, that Mediant notified the affected customers. Id. ¶ 17. The breach was truly massive: notices went out to “over 200,000 individuals in all fifty states and the District of Columbia and Puerto Rico.” Id .

Plaintiffs allege that the hack was enabled by Mediant’s poor network security. “The criminal hackers would not have been able to gain access to four email accounts simultaneously but for Mediant maintaining deficient controls to prevent and monitor for unauthorized access.” Id. ¶ 23. And Mediant did not encrypt personal information stored in the company’s system. Id. ¶ 18. Plaintiffs also allege that Mediant failed to adequately notify its customers regarding the breach. Id. ¶¶ 26–27.

2. The “Partnership” Donnelley and Mediant work together to provide proxy services. Id. ¶ 15. Donnelley describes itself as “a leader in risk and compliance solutions, providing insightful technology, industry expertise and data insights to clients across the globe.” Id. ¶ 13. Donnelley offers a broad range of products and services, including in technology, initial public offerings, mergers and acquisitions, proxy services, and other global filings. Id. Mediant “holds itself out as a leader in investor communications, offering ‘game-changing new technologies for banks, brokers, fund companies, and issuers.’” Id. ¶ 14. Together, the pair describe themselves as “the perfect partnership to power [their clients’] fund proxies.” Id . ¶ 15. Defendants’ marketing materials describe the pair as the “industry’s only single-source solution for start-to-finish fund proxy services.” Id. Mediant received the personal information of the named Plaintiffs in this case through its working relationship with Donnelley. Id. ¶¶ 30, 37, 43.

Partially in reliance on Donnelley and Mediant’s description of themselves as a partnership, the SAC alleges that the pair formed a legal partnership and refers to them collectively as the “Partnership.” The SAC alleges that Donnelley “had equal rights in the management and conduct of the Partnership.” Id. ¶ 26. It also states that Donnelley had the “right as a partner in the Partnership” to “exercise appropriate managerial oversight of Mediant’s data security.” Id .

The SAC alleges that the companies and investment funds that used the pair’s services hired Donnelley and Mediant together—not just one or the other, but instead, the touted “perfect partnership.” Id. ¶ 1. The SAC alleges that “[p]ublic companies and mutual funds hire Donnelley and Mediant as their proxy agent to distribute materials to shareholders, coordinate shareholder votes, and tabulate voting results.” Id. The allegation is that the pair are hired jointly as the singular “proxy agent” for the companies and funds.

Donnelley is alleged to be liable for the security breach at Mediant for two reasons. First, Plaintiffs assert that Donnelley is vicariously liable for the hack at Mediant and its consequences because the pair were partners. Id. ¶ 130 (“[B]y entering into a partnership with Mediant for the provision of proxy services, Donnelley is vicariously liable for Mediant’s failures as alleged herein.”); see also id. ¶¶ 4, 26, 130. The SAC attributes many of the asserted deficiencies that led to the breach, and in the response to the breach, to the “Partnership.”

Second, Plaintiffs assert that Donnelley was directly liable for Plaintiffs’ injuries because of its alleged “failure to exercise appropriate managerial oversight of Mediant’s data security.” Id. ¶¶ 4, 26. Donnelley is alleged to have failed “to ensure its agent and partner Mediant implemented security systems, protocols and practices sufficient to protect Plaintiffs’ and Class Members’ Personal Information” and failed “to supervise its agent and partner Mediant regarding Mediant’s data security systems, protocols and practices when it knew or should have known those systems, protocols and practices were inadequate.” Id. ¶ 129. Donnelley is also alleged to have been directly liable as a result of its conduct after the breach because it failed “to timely disclose that Plaintiffs’ and Class Members’ Personal Information had been improperly acquired or accessed.” Id. Donnelley is also alleged to have violated contracts of which Plaintiffs were third party beneficiaries. Id. ¶¶ 145–49.

3. Plaintiffs’ Claims to be Third Party Beneficiaries of Donnelley and Mediant’s Contracts with Their Customers Plaintiffs assert that they are third party beneficiaries of contracts entered into between Donnelley and its customers—the funds and companies to whom it provides proxy and other financial services. Donnelley “entered into contracts with public companies and mutual funds to provide and perform proxy services.” Id. ¶ 145. The personal information of each of the named Plaintiffs was stolen as a result of their investment in identified funds. In the case of each named Plaintiff, the relevant fund had entered into a direct contractual relationship with Donnelley for the provision of proxy services. See, e.g. , id. ¶ 30 (“Donnelley had the direct contractual relationship with Blackstone Real Estate Income Trust, Inc. or its agents for the performance of the Partnership’s proxy services.”); see also id. ¶¶ 37, 43 (alleging the same with respect to funds in which the other named Plaintiffs invested). The SAC also alleges that “[i]n some instances, acting in the ordinary course of the Partnership, Mediant also directly contracted with public companies and mutual funds to provide and perform proxy services.” Id. ¶ 145.

The SAC alleges that Donnelley acted “in the ordinary course of the business of the Partnership” when it entered into contracts with customers to provide proxy services. As a result of Donnelley’s agreement with the funds in which the named Plaintiffs invested, Mediant was provided their personal data, which was later stolen in the hack.

Plaintiffs allege “[o]n information and belief” that “each of those respective contracts contained provisions requiring Donnelley and/or Mediant to protect the investor information that

Donnelley and/or Mediant received in order to provide such proxy services in carrying out the business of the Partnership.” Id. ¶ 146. Also “[o]n information and belief” Plaintiffs allege that “these provisions requiring Donnelley and/or Mediant acting in the ordinary course of the business of the Partnership to protect the personal information of the company/mutual fund’s investors was intentionally included for the direct benefit of Plaintiffs and Class Members, such that Plaintiffs and Class Members are intended third party beneficiaries of these contracts, and therefore are entitled to enforce them.” Id. ¶ 147.

Procedural History Plaintiffs previously brought actions against Mediant in the Northern District of California and the Southern District of Florida. Both of those actions were dismissed for lack of personal jurisdiction. Toretto v. Mediant Commc’ns, Inc. , No. 19-cv-52980, 2020 WL 1288478 (N.D. Cal. Mar. 18, 2020); Braun v. Mediant Commc’ns, Inc. , No. 19-62563-CIV, 2020 WL 5038780 (S.D. Fla. Apr. 14, 2020). Presumably, those failed attempts led Plaintiffs to the Southern District of New York, given that Mediant is headquartered in New York City. SAC ¶ 10.

Plaintiffs filed this action on March 30, 2020, naming both Mediant and Donnelley as defendants. Dkt No. 1. On May 19, 2020, Plaintiffs filed their first amended complaint. Dkt No. 23. On July 17, 2020, Mediant moved to dismiss several counts of the first amended complaint; Donnelley moved to dismiss that complaint in its entirety. Dkt Nos. 46, 50.

On August 5, 2020, Plaintiffs filed the second amended complaint. Dkt No. 57. Each defendant filed a motion to dismiss the SAC pursuant to Fed. R. Civ. P. 12(b)(1), asserting that the SAC did not adequately plead that Plaintiffs have standing to assert their claims against Defendants. The Court denied those motions. See generally Toretto v. Donnelley Fin. Sols., Inc. , No. 1:20-cv-2667, 2021 WL 861138 (S.D.N.Y. Mar. 5, 2021). Following that decision, Defendants moved to dismiss the SAC under Fed. R. Civ. P. 12(b)(6) for failure to state a claim. Dkt. Nos. 94, 96. Plaintiffs filed a consolidated opposition in response to Defendants’ motions to dismiss. Dkt. No. 108. Each Defendant filed a reply shortly thereafter. Dkt. Nos. 114, 117.

II. LEGAL STANDARDS Rule 12(b)(6) “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal , 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” (citing Twombly , 550 U.S. at 556). It is not enough for a plaintiff to allege facts that are consistent with liability; the complaint must “nudge[ ]” claims “across the line from conceivable to plausible.” Twombly , 550 U.S. at 570. “To survive dismissal, the plaintiff must provide the grounds upon which his claim rests through factual allegations sufficient ‘to raise a right to relief above the speculative level.’” ATSI Commc’ns, Inc. v. Shaar Fund, Ltd. , 493 F.3d 87, 98 (2d Cir. 2007) (quoting Twombly , 550 U.S. at 555).

Determining whether a complaint states a plausible claim is a “context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal , 556 U.S. at 679. The court must accept all facts alleged in the complaint as true and draw all reasonable inferences in the plaintiff’s favor. Burch v. Pioneer Credit Recovery, Inc. , 551 F.3d 122, 124 (2d Cir. 2008) (per curiam). However,

“[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” A complaint must therefore contain more than “naked assertion[s] devoid of further factual enhancement.” Pleadings that contain “no more than conclusions . . . are not entitled to the assumption of truth” otherwise applicable to complaints in the context of motions to dismiss.

DeJesus v. HF Mgmt. Servs., LLC , 726 F.3d 85, 87–88 (2d Cir. 2013) (alterations in original) (quoting Iqbal , 556 U.S. at 678–79). Thus, a complaint that offers “labels and conclusions” or “naked assertion[s]” without “further factual enhancement” will not survive a motion to dismiss. Iqbal , 556 U.S. at 678 (alteration in original) (citing Twombly , 550 U.S. at 555, 557).

On a motion to dismiss, a court must generally “limit itself to the facts stated in the complaint.” Field Day, LLC v. Cnty. of Suffolk , 463 F.3d 167, 192 (2d Cir. 2006) (quoting Hayden v. Cnty. of Nassau , 180 F.3d 42, 54 (2d Cir. 1999)). In that context, “[a] court’s task is to assess the legal feasibility of the complaint; it is not to assess the weight of the evidence that might be offered on either side.” Lynch v. City of New York , 952 F.3d 67, 75 (2d Cir. 2020). “The purpose of Rule 12(b)(6) is to test, in a streamlined fashion, the formal sufficiency of the plaintiff’s statement of a claim for relief without resolving a contest regarding its substantive merits. The Rule thus assesses the legal feasibility of the complaint, but does not weigh the evidence that might be offered to support it.” Glob. Network Commc’ns, Inc. v. City of New York , 458 F.3d 150, 155 (2d Cir. 2006).

“In considering a motion to dismiss for failure to state a claim pursuant to Rule 12(b)(6), a district court may consider the facts alleged in the complaint, documents attached to the complaint as exhibits, and documents incorporated by reference in the complaint.” DiFolco v. MSNBC Cable L.L.C. , 622 F.3d 104, 111 (2d Cir. 2010). As the Second Circuit recently reaffirmed in Lynch , “[i]t is well established that a pleading is deemed to include any ‘written instrument’ that is attached to it as ‘an exhibit,’ or is incorporated in it by reference.” Lynch , 952 F.3d at 79 (citations omitted). Courts may also consider “matters of which judicial notice may be taken.” Goel v. Bunge, Ltd. , 820 F.3d 554, 559 (2d Cir. 2016) (quoting Concord Assocs., L.P. v. Entm’t Props. Tr. , 817 F.3d 46, 51 n.2 (2d Cir. 2016)).

A court can also consider documents that are “integral to” the complaint. Id. In order for a document to meet this exception to the general principle that a court may not consider documents outside of the pleadings without converting the motion to one for summary judgment, the complaint must rely heavily upon its terms and effects. See DiFolco , 622 F.3d at 111 (“Where a document is not incorporated by reference, the court may nevertheless consider it where the complaint relies heavily upon its terms and effects, thereby rendering the document integral to the complaint.”) (internal quotation marks omitted)). “However, even if a document is integral to the complaint, it must be clear on the record that no dispute exists regarding the authenticity or accuracy of the document.” Id. (internal quotation marks omitted) (quoting Faulkner v. Beer , 463 F.3d 130, 134 (2d Cir. 2006)). “It must also be clear that there exist no material disputed issues of fact regarding the relevance of the document.” “In most instances where this exception is recognized, the incorporated material is a contract or other legal document containing obligations upon which the plaintiff’s complaint stands or falls, but which for some reason—usually because the document, read in its entirety, would undermine the legitimacy of the plaintiff’s claim—was not attached to the complaint.” Glob. Network Commc’ns , 458 F.3d at 157. The Second Circuit has “recognized the applicability of this exception where the documents consisted of emails that were part of a negotiation exchange that the plaintiff identified as the basis for its good faith and fair dealing claim, or consisted of contracts referenced in the complaint which were essential to the claims.” United States ex rel. Foreman v. AECOM , No. 20-2756-CV, 2021 WL 5406437, at *11 (2d Cir. Nov. 19, 2021) (citations omitted) (first citing L-7 Designs, Inc. v. Old Navy, LLC , 647 F.3d 419, 422 (2d Cir. 2011); and then citing Chambers v. Time Warner, Inc. , 282 F.3d 147, 153 n.4 (2d Cir. 2002)).

“Where a district court considers material outside of the pleadings that is not attached to the complaint, incorporated by reference, or integral to the complaint, the district court, to decide the issue on the merits, must convert the motion into one for summary judgment.” Id. “This requirement ‘deters trial courts from engaging in factfinding when ruling on a motion to dismiss and ensures that when a trial judge considers evidence [outside] the complaint, a plaintiff will have an opportunity to contest defendant’s relied-upon evidence by submitting material that controverts it.’” Id. (alteration in original) (quoting Glob. Network Commc’ns , 458 F.3d at 155). “A district court therefore ‘errs when it consider[s] affidavits and exhibits submitted by defendants, or relies on factual allegations contained in legal briefs or memoranda in ruling on a 12(b)(6) motion to dismiss.’” (alteration in original) (quoting Friedl v. City of New York , 210 F.3d 79, 83–84 (2d Cir. 2000)).

Here, Defendants filed a supplier agreement between Donnelley and Mediant in connection with their motions to dismiss. Dkt. No. 97, Ex. A; Dkt. No. 101, Ex. A (the “Supplier Agreement”). Donnelley alleges that the Supplier Agreement governs Donnelley and Mediant’s joint provision of proxy services. The Supplier Agreement was not included, referenced, or relied upon, in the SAC. Nevertheless, Donnelley argues that the Court can consider the Supplier Agreement because the SAC “reference[s] Defendants’ legal relationship and heavily relies on that relationship.” Donnelley’s Reply to Pls.’ Opp’n (“Donnelley Reply”), Dkt. No. 117, at 13. Although the SAC alleges that Donnelley and Mediant are legal partners, the SAC does not allege that the partnership results from any express contract, let alone the specific agreement filed by Defendants. Because the SAC does not rely on the terms and effects of the Supplier Agreement, the Court cannot conclude that it is integral to the complaint. Further, Plaintiffs reasonably challenge the Supplier Agreement’s relevance to Defendants’ alleged partnership to provide proxy services. See Pls.’ Consolidated Opp’n to Defs.’ Motions to Dismiss (“Opp’n”), Dkt. No. 108, at 15–16. Accordingly, the Court has not considered the Supplier Agreement in deciding this motion.

Choice of Law A federal court sitting in diversity must apply the choice of law rules of the forum state, which in this case is New York. See Licci ex rel. Licci v. Lebanese Canadian Bank, SAL , 672 F.3d 155, 157 (2d Cir. 2012). Under New York choice-of-law rules, “the first step in any case presenting a potential choice of law issue is to determine whether there is an actual conflict between the laws of the jurisdictions involved.” GlobalNet Financial.Com, Inc. v. Frank Crystal & Co. , 449 F.3d 377, 382 (2d Cir. 2006) (quoting In re Allstate Ins. Co. (Stolarz) , 81 N.Y.2d 219, 223 (1993)). “If no actual conflict exists, and if New York is among the relevant jurisdictions, the court may simply apply New York law.” Licci , 672 F.3d at 157. If, however, an actual conflict exists, then “[t]he law of the jurisdiction having the greatest interest in the litigation will be applied and the only facts or contacts

which obtain significance in defining State interests are those which relate to the purpose of the particular law in conflict.” Schultz v. Boy Scouts of Am., Inc. , 65 N.Y.2d 189, 197 (1985) (alterations omitted) (quoting Miller v. Miller , 22 N.Y.2d 12, 15–16 (1968)).

Ascertaining State Law “Where the substantive law of the forum state is uncertain or ambiguous, the job of the federal courts is carefully to predict how the highest court of the forum state would resolve the uncertainty or ambiguity.” Phansalkar v. Andersen Weinroth & Co., L.P. , 344 F.3d 184, 199 (2d Cir. 2003) (quoting Travelers Ins. Co. v. 633 Third Assocs. , 14 F.3d 114, 119 (2d Cir. 1994)). “In doing so, we must give ‘fullest weight’ to the decisions of a state’s highest court, and we must give ‘proper regard’ to the decisions of a state’s lower courts.” (quoting Travelers , 14 F.3d at 119). “[W]e consider the language of the state intermediate appellate courts to be helpful indicators of how the state’s highest court would rule. Although we are not strictly bound by state intermediate appellate courts, rulings from such courts are a basis for ‘ascertaining state law which is not to be disregarded

by a federal court unless it is convinced by other persuasive data that the highest court of the state would decide otherwise.’” DiBella v. Hopkins , 403 F.3d 102, 112 (2d Cir. 2005) (citation omitted) (quoting West v. Am. Tel. & Tel. Co. , 311 U.S. 223, 237 (1940)). “We may also consider the decisions of federal courts construing state law.” Phansalkar , 344 F.3d at 199 .

III. DISCUSSION

Partnership Before turning to Plaintiffs’ substantive claims, the Court first addresses Plaintiffs’ allegation that Donnelley and Mediant are in a legal partnership. A number of Plaintiffs’ theories of liability are reliant on the existence of the alleged partnership. Under New York Law, “[t]he indicia of the existence of a joint venture are: acts manifesting the intent of the parties to be associated as joint venturers, mutual contribution to the joint undertaking through a combination of property, financial resources, effort, skill or knowledge, a measure of joint proprietorship and control over the enterprise, and a provision for the sharing of profits and losses.” Brown v. Cara , 420 F.3d 148, 159– 60 (2d Cir. 2005) (quoting Richbell Info. Servs., Inc. v. Jupiter Partners, L.P. , 765 N.Y.S.2d 575, 584 (1st Dep’t 2003)); see also Scholastic, Inc. v. Harris , 259 F.3d 73, 84 (2d Cir. 2001) (“Under New York law joint ventures are governed by the same legal rules as partnerships because a joint venture is essentially a partnership for a limited purpose.” (citations omitted)). ^[2] “The ultimate inquiry is whether the parties have so joined their property, interests, skills and risks that for the purpose of the particular adventure their respective contributions have become as one and the commingled property and interests of the parties have thereby been made subject to each of the associates on the trust and inducement that each would act for their joint benefit.” Steinbeck v. Gerosa , 4 N.Y.2d 302, 317 (1958). “Although none of these factors is determinative, some of them weigh more heavily than others. For example, an agreement to share losses is ‘indispensable’ to partnership formation.” Ardis Health, LLC v. Nankivell , No. 11-cv-5013, 2012 WL 5290326, at *5 (S.D.N.Y. Oct. 23, 2012) (citing Steinbeck , 4 N.Y.2d at 317).

Plaintiffs do not adequately plead the existence of a legal partnership between Donnelley and Mediant. At the outset, the Court observes that the SAC does not specifically plead any of the factors of the existence of a partnership. Instead, the SAC contains the conclusory allegation that “Donnelley and Mediant are partners in their provision of these proxy services” and infers the existence of a partnership based primarily on Defendants’ marketing materials and a declaration submitted by Defendants in this case. In the declaration, a Donnelley executive states that Mediant and Donnelley “first partnered” in 2008 to “jointly provide proxy services to mutual funds and publicly owned companies,” and that “the partnership . . . continues to this day.” Declaration of Bridget Hughes, Dkt No. 51, ¶¶ 2–3. Defendants’ marketing materials state that Donnelley and Mediant are a “perfect partnership,” that they “offer the industry’s only single-source solution for start-to-finish fund proxy services,” and that clients can get everything they need “all in one place. . . from a single, intuitive platform.” See SAC ¶¶ 1 n.2, 15 n.8 (incorporating Donnelley’s website by reference). The materials also refer to customers as “our clients” and state that Defendants’ joint services can be accessed through a “single point of contact backed by an expert team of project managers.”

Plaintiffs assert that Defendants admitted “that a legal partnership exists between Donnelley and Mediant” by referring to the relationship as a partnership. Opp’n at 10. However, “calling an organization a partnership does not make it one.” Brodsky v. Stadlen , 526 N.Y.S.2d 478, 480 (2d Dep’t 1988); see also Kosower v. Gutowitz , No. 00-cv-9011, 2001 WL 1488440, at *6 (S.D.N.Y. Nov. 21, 2001) (concluding that the plaintiff failed to “plead the elements of a valid partnership agreement” despite allegations that defendant “referred to the plaintiff as a partner and that others referred to their arrangement as a partnership”). Plaintiffs are still required to plead the existence of a legal partnership. They have failed to do so.

Most notably, the SAC lacks any allegation that Donnelley and Mediant agreed to share profits and losses. “[T]he crucial element of a joint venture is the existence of ‘a mutual promise or undertaking of the parties to share in the profits . . . and submit to the burden of making good the losses.’” Mallis v. Bankers Tr. Co. , 717 F.2d 683, 690 (2d Cir. 1983) (quoting Steinbeck , 4 N.Y.2d at 317); see also Chanler v. Roberts , 606 N.Y.S.2d 649, 651 (1st Dep’t 1994) (“It is axiomatic that the essential elements of a partnership must include an agreement between the principals to share losses as well as profits.”). Plaintiffs argue that the shared-profits element can be established if the parties share the same revenue stream and that “[i]t is certainly plausible that Mediant and Donnelley shared in the same revenue stream in jointly providing their ‘single-source’ proxy services.” Opp’n at 11. Yet, the SAC contains no factual allegations regarding how Donnelley and Mediant are compensated for their services. Without any indication of how Defendants are paid, the Court cannot infer that Defendants share the same revenue stream. And while Defendants clearly have a shared economic objective by providing a joint service, “it is not enough that two parties have agreed together to act in concert to achieve some stated economic objective. Such agreement, by itself, creates no more than a contractual obligation, otherwise every stockholders’ agreement would give rise to a joint venture.” Steinbeck , 4 N.Y.2d at 317–18. Moreover, the SAC lacks any allegation that the parties agreed to share losses and Plaintiffs do not address this factor in their briefing. Accordingly, Plaintiffs have not adequately pleaded the existence of a partnership between Donnelley and Mediant. See Ardis Health , 2012 WL 5290326, at *6 (“Here, the pleadings are bereft of any allegation that the parties agreed to share losses. Without this ‘indispensable’ ingredient, [Plaintiff] cannot plead the existence of a partnership in fact.”).

In an attempt to explain away the lack of factual allegations in the SAC, Plaintiffs argue that they “are not privy to the details of the partnership agreement between Donnelley and Mediant and thus cannot be expected to allege these details.” Opp’n at 12. This fact does not obviate Plaintiffs’ pleading burden. Instead, when information is particularly within a defendant’s knowledge, courts generally permit a plaintiff to plead upon information and belief. See Boykin v. KeyCorp , 521 F.3d 202, 215 (2d Cir. 2008). While Plaintiffs could have made factual allegations regarding the partnership upon information and belief, they have not done so here. Considering the facts that have been alleged in the SAC, the Court cannot reasonably infer that Defendants entered a legal partnership.

Negligence The Court now turns to Plaintiffs’ substantive claims against Defendants. First, Plaintiffs allege that Mediant was negligent in implementing its data security systems and that Donnelley was negligent for failing to supervise Mediant. For the reasons described below, the Court concludes that Plaintiffs have plausibly alleged that Mediant was negligent but that Plaintiffs’ negligence claim against Donnelley is not pleaded adequately.

1. Choice of Law The Court must first determine which law applies to Plaintiffs’ negligence claims. “The New York Court of Appeals has held that ‘the relevant analytical approach to choice of law in tort actions in New York’ is the ‘interest analysis.’” GlobalNet , 449 F.3d at 384 (alteration omitted) (quoting Schultz , 65 N.Y.2d at 197). The “interest analysis” requires that “the law of the jurisdiction having the greatest interest in the litigation will be applied and the only facts or contacts which obtain significance in defining State interests are those which relate to the purpose of the particular law in conflict. Under this formulation, significant contacts are, almost exclusively, the parties’ domiciles and the locus of the tort.” Id. In tort-law disputes, the “interest analysis distinguishes between two

sets of rules: conduct-regulating rules and loss-allocating rules.” Licci , 672 F.3d at 158. “If conflicting conduct-regulating laws are at issue, the law of the jurisdiction where the tort occurred will generally apply because that jurisdiction has the greatest interest in regulating behavior within its borders.” Cooney v. Osgood Mach., Inc. , 81 N.Y.2d 66, 72 (1993). Even where the injury and the wrongful conduct do not take place in the same jurisdiction, “it is the place of the allegedly wrongful conduct that generally has superior ‘interests in protecting the reasonable expectations of the parties who relied on [the laws of that place] to govern their primary conduct and in the admonitory effect that applying its law will have on similar conduct in the future.’” Licci ex rel. Licci v. Lebanese Canadian Bank, SAL , 739 F.3d 45, 50–51 (2d Cir. 2013) (alteration in original) (quoting Schultz , 65 N.Y.2d at 198). Negligence is a “conduct regulating” cause of action. Rose v. Arthur J. Gallagher & Co. , 928 N.Y.S.2d 783, 784 (2d Dep’t 2011).

New York has the greatest interest in Plaintiffs’ negligence claims against Mediant. The tortious conduct alleged in the complaint—namely, that Mediant “fail[ed] to implement security systems, protocols and practices sufficient to protect” Plaintiffs’ personal information—occurred in New York. See SAC ¶ 128. As Plaintiffs observe, Mediant’s decisions regarding its data security “likely occurred at the corporate level from Mediant’s corporate headquarters in New York.” Opp’n at 33. Further, the SAC has no factual allegations linking Mediant’s data security practices with any other state. Because the alleged tortious conduct occurred in New York, the Court applies New York law to Plaintiffs’ negligence claims against Mediant.

Similarly, the Court concludes that Illinois has the greatest interest in Plaintiffs’ negligence claims against Donnelley. The complaint alleges that Donnelley failed to supervise Mediant’s data security and ensure that Mediant implemented sufficient security systems. Plaintiffs argue that these failures “occurred where Mediant’s data security systems, protocols, and practices were located or carried out.” Opp’n at 33. Plaintiffs state that this “location was very likely not Illinois” but do not specifically allege the location. See id. Nevertheless, Plaintiffs argue that New York law “is [the] most likely to apply to . . . Donnelley based on the facts currently known and alleged.” at 34.

Plaintiffs fail to plausible allege that Donnelley’s failure to oversee Mediant occurred in New York. Plaintiffs do not allege that Donnelley took any action in New York. In fact, Plaintiffs’ claims are premised on Donnelley’s failure to act. Yet, the SAC is devoid of any factual allegations connecting Donnelley’s omissions with New York. Without any support that these omissions occurred in New York, the Court concludes that Donnelley’s alleged tortious conduct occurred in Illinois, where it is headquartered. See Holborn Corp. v. Sawgrass Mut. Ins. Co. , 304 F. Supp. 3d 392, 402 (S.D.N.Y. 2018) (holding that a reinsurance intermediary’s failure to recommend particular insurance to a corporation in Florida occurred in New York because the intermediary was licensed and has its principal place of business in New York); GlobalNet , 449 F.3d at 385 (applying New York law rather than Florida law to a professional negligence claim where an insurance broker allegedly failed to notify its client of important information in Florida because the broker was licensed and had its principle place of business in New York). The Court thus concludes that Illinois law applies to Plaintiffs’ negligence claims against Donnelley.

2. Economic Loss Doctrine As a threshold issue, Defendants argue that Plaintiffs’ negligence claims are barred by the economic loss doctrine under both Illinois and New York law. For the reasons below, the Court concludes that New York’s economic loss doctrine does not bar Plaintiffs’ claims and declines to address whether the doctrine bars Plaintiffs’ claims under Illinois law.

i. New York “New York applies the economic loss doctrine to negligence claims. This doctrine prevents a plaintiff from recovering purely economic losses in a negligence action.” Cruz v. TD Bank, N.A. , 855 F. Supp. 2d 157, 178 (S.D.N.Y. 2012), aff’d and remanded , 742 F.3d 520 (2d Cir. 2013). “A defendant is not liable to a plaintiff for economic loss unless there exists ‘a special relationship that requires the defendant to protect against the risk of harm to plaintiff.’” (quoting 532 Madison Ave. Gourmet Foods, Inc. v. Finlandia Ctr., Inc. , 96 N.Y.2d 280, 289 (2001)). “[C]ourts have applied the economic loss rule to prevent the recovery of damages that are inappropriate because they actually lie in the nature of breach of contract as opposed to tort.” Hydro Invs., Inc. v. Trafalgar Power Inc. , 227 F.3d 8, 16 (2d Cir. 2000). However, “the applicability of the economic loss rule outside the product- liability context from which it originated is doubtful.” Ambac Assurance Corp. v. U.S. Bank Nat’l Ass’n , 328 F. Supp. 3d 141, 159 (S.D.N.Y. 2018); see also Sackin v. TransPerfect Glob., Inc. , 278 F. Supp. 3d 739, 749 (S.D.N.Y. 2017) (concluding that the economic loss doctrine was “inapplicable” to claims in a data breach case “because the Complaint does not allege a products liability claim”).

The parties dispute whether the economic loss doctrine applies to data breach cases. The New York Court of Appeals has not addressed this issue, but numerous federal courts applying New York law have concluded that the economic loss doctrine does not bar negligence claims in data breach cases. See Cohen v. Ne. Radiology, P.C. , No. 20-cv-1202, 2021 WL 293123, at *7 (S.D.N.Y. Jan. 28, 2021) (holding that the economic loss doctrine did not bar the plaintiff’s negligence claim in a data breach case); Rudolph v. Hudson’s Bay Co. , No. 18-cv-8472, 2019 WL 2023713, at *9 (S.D.N.Y. May 7, 2019) (same); Sackin , 278 F. Supp. 3d at 749 (same); In re Cap. One Consumer Data Sec. Breach Litig. , 488 F. Supp. 3d 374, 396 (E.D. Va. 2020) (same). The Court similarly concludes that the economic loss doctrine does not bar Plaintiffs’ negligence claims.

ii. Illinois Under Illinois law, “[t]he economic loss doctrine bars a plaintiff from recovering for purely economic losses under a tort theory of negligence.” Perdue v. Hy-Vee, Inc. , 455 F. Supp. 3d 749, 761 (C.D. Ill. 2020) (citing Moorman Mfg. Co. v. Nat’l Tank Co. , 435 N.E.2d 443, 453 (Ill. 1982)). “Illinois law recognizes three exceptions to the economic loss doctrine: (1) where a plaintiff sustains personal injury or property damage resulting from a sudden or dangerous occurrence; (2) where plaintiff’s damages were proximately caused by defendant’s intentional, false representation; and (3) where plaintiff’s damages were proximately caused by the negligent misrepresentation of a defendant in the business of supplying information for the guidance of others in business transactions.” (citing Moorman , 435 N.E.2d 450–52).

The Illinois Supreme Court and Court of Appeals have not addressed whether the economic loss doctrine bars negligence claims in data breach cases. See In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig. , 440 F. Supp. 3d 447, 474 (D. Md. 2020) (observing that there were no “appellate decision[s] by either the Court of Appeals or Supreme Court of Illinois that evaluated the applicability of the economic loss rule for a negligence claim in a data security breach”). Although a number of federal courts applying Illinois law have applied the economic loss doctrine to data breach cases, see, e.g. , Cmty. Bank of Trenton v. Schnuck Markets, Inc. , 887 F.3d 803, 817 (7th Cir. 2018); Perdue , 455 F. Supp. 3d at 761, other federal courts have thoughtfully challenged whether the principles underlying the economic loss doctrine are applicable to data breach cases. See In re Marriott , 440 F. Supp. 3d at 468–75 (declining to decide whether the economic loss rule barred the plaintiff’s claims and questioning “whether a sufficiently full consideration has been given to the policies that justified the adoption of the economic loss rule, their continued application to modern digital commercial transactions, and the true nature of the injuries suffered by victims of data security breaches”); McGlenn v. Driveline Retail Merch., Inc. , No. 18-CV-2097, 2021 WL 4301476, at *9 (C.D. Ill. Sept. 21, 2021) (declining to determine whether Illinois’ economic loss rule barred the plaintiff’s claims in a data breach case). The Court need not decide this issue because the Court concludes that Donnelley did not owe Plaintiffs a duty to protect their personal information under Illinois law.

3. Donnelley’s Alleged Negligence Plaintiffs fail to establish that Donnelley owed them a duty to protect their personal information under Illinois law. To establish negligence under Illinois law, a plaintiff must prove “that the defendant owed a duty to the plaintiff, that defendant breached that duty, and that the breach was the proximate cause of the plaintiff’s injuries.” Blood v. VH-1 Music First , 668 F.3d 543, 546 (7th Cir. 2012) (quoting First Springfield Bank & Trust v. Galman , 720 N.E.2d 1068, 1071 (Ill. 1999)).

Donnelley argues that Illinois law does not recognize a common-law duty to protect personal information. “Although the Illinois Supreme Court has not opined on the issue, the Illinois Appellate Court has refused to create ‘a new legal duty beyond legislative requirements’ to safeguard an individual’s personal information or protect it from disclosure.” USAA Fed. Sav. Bank v. PLS Fin. Servs., Inc. , 260 F. Supp. 3d 965, 969 (N.D. Ill. 2017) (quoting Cooney v. Chicago Pub. Schs. , 943 N.E.2d 23, 28–29 (Ill. App. Ct. 2010)). Numerous federal courts have relied on Cooney to dismiss Illinois negligence claims in data breach cases for lack of duty. See, e.g. , Cmty. Bank of Trenton , 887 F.3d at 816 (“In the absence of some other reason why the Illinois Supreme Court would likely disagree with the Cooney analysis on this issue of duty under the common law . . . we predict that the state court would not impose the common law data security duty the plaintiff banks call for here.”); In re SuperValu, Inc ., 925 F.3d 955, 963 (8th Cir. 2019) (dismissing Illinois negligence claim for lack of duty, explaining, “We agree with the Seventh Circuit’s reading of Cooney and accordingly adopt its conclusion.”); McGlenn v. Driveline Retail Merch., Inc. , No. 18-CV-2097, 2021 WL 4301476, at *6 (C.D. Ill. Sept. 21, 2021) (relying on Cooney and Cmty. Bank of Trenton to conclude that “Illinois does not impose a common law duty to safeguard PII”); In re Marriott , 440 F. Supp. 3d at 478 (“Without further authority, I cannot conclude that the Illinois Supreme Court would disagree with the analysis in Cooney . For that reason, Plaintiffs’ Illinois negligence claims are dismissed.”); USAA Fed. Sav. Bank , 260 F. Supp. 3d at 970 (“[B]ecause Illinois does not recognize a common law duty to safeguard personal information, USAA cannot establish its claim for negligence against PLS and so the Court dismisses that claim with prejudice.”).

Plaintiffs acknowledge that “several Illinois courts have refused to recognize a duty of care in the context of a data breach” by relying on Cooney . Opp’n at 34 n.22. Plaintiffs do not challenge Cooney and instead argue that they do not seek the creation of a “new duty,” but rather that “[a] duty exists under traditional negligence principles and the general duty analysis applied by Illinois courts.” Opp’n at 34 n.22. To determine whether a duty exists, Illinois courts consider “(1) the reasonable foreseeability of the injury, (2) the likelihood of the injury, (3) the magnitude of the burden of guarding against the injury, and (4) the consequences of placing that burden on the defendant.” Bruns v. City of Centralia , 21 N.E.3d 684, 689 (Ill. 2014). However, if the Court were to recognize a duty in this case, that finding would necessary “establish a ‘new duty’ regarding data security in Illinois that Cooney declined to establish.” In re Marriott , 440 F. Supp. 3d at 478. Because Plaintiffs offer no reason to believe that the Illinois Supreme Court would disagree with the holding in Cooney , the Court dismisses Plaintiffs’ negligence claim against Donnelley. ^[3]

4. Mediant’s Alleged Negligence Plaintiffs have adequately pleaded that Mediant was negligent by failing to exercise reasonable care in safeguarding Plaintiffs’ personal information. “To show negligence under New York state law, a plaintiff must demonstrate ‘(1) the defendant owed the plaintiff a cognizable duty of care; (2) the defendant breached that duty; and (3) the plaintiff suffered damage as a proximate result.’” Ferreira v. City of Binghamton , 975 F.3d 255, 266 (2d Cir. 2020) (quoting Williams v. Utica Coll. of Syracuse Univ. , 453 F.3d 112, 116 (2d Cir. 2006)). The Court will address each element in turn.

i. Duty “The existence and scope of an alleged tortfeasor’s duty is, in the first instance, a legal question for determination by the court.” Arango v. Vasquez , 933 N.Y.S.2d 82, 83 (2d Dep’t 2011) (quoting Demshick v. Cmty. Hous. Mgmt. Corp. , 824 N.Y.S.2d 166, 168 (2d Dep’t 2006)). “Courts traditionally ‘fix the duty point by balancing factors, including the reasonable expectations of parties and society generally, the proliferation of claims, the likelihood of unlimited or insurer-like liability, disproportionate risk and reparation allocation, and public policies affecting the expansion or limitation of new channels of liability.’” Hamilton v. Beretta U.S.A. Corp. , 96 N.Y.2d 222, 232 (2001) (quoting Palka v. Servicemaster Mgmt. Servs. Corp. , 83 N.Y.2d 579, 586 (1994)). “[I]n determining whether a duty exists, ‘courts must be mindful of the precedential, and consequential, future effects of their rulings, and limit the legal consequences of wrongs to a controllable degree.’” (internal quotation marks omitted) (quoting Lauer v. City of New York , 95 N.Y.2d 95, 100 (2000)). “Foreseeability, alone, does not define duty—it merely determines the scope of the duty once it is determined to exist.” Id.

“The injured party must show that a defendant owed not merely a general duty to society but a specific duty to him or her, for ‘[w]ithout a duty running directly to the injured person there can be no liability in damages, however careless the conduct or foreseeable the harm.’ That is required in order to avoid subjecting an actor ‘to limitless liability to an indeterminate class of persons conceivably injured by any negligence in that act.’” Id. (citations omitted) (first quoting Lauer , 95 N.Y.2d at 96; and then quoting Eiseman v. State , 70 N.Y.2d 175, 188 (1987)). “Moreover, any extension of the scope of duty must be tailored to reflect accurately the extent that its social benefits outweigh its costs.” Id. at 1060–61. “A defendant generally has no duty to control the conduct of third persons so as to prevent them from harming others, even where as a practical matter defendant can exercise such control.” Id. at 1061 (quoting D’Amico v. Christie , 71 N.Y.2d 76, 88 (1987)).

This judicial resistance to the expansion of duty grows out of practical concerns both about potentially limitless liability and about the unfairness of imposing liability for the acts of another.

A duty may arise, however, where there is a relationship either between defendant and a third-person tortfeasor that encompasses defendant’s actual control of the third person’s actions, or between defendant and plaintiff that requires defendant to protect plaintiff from the conduct of others. Examples of these relationships include master and servant, parent and child, and common carriers and their passengers. The key in each is that the defendant’s relationship with either the tortfeasor or the plaintiff places the defendant in the best position to protect against the risk of harm. In addition, the specter of limitless liability is not present because the class of potential plaintiffs to whom the duty is owed is circumscribed by the relationship. Plaintiffs have plausibly alleged that Mediant owed them a duty to exercise reasonable care safeguarding their personal information. Plaintiffs allege that Mediant is “well-aware of the importance of data security” to its business. SAC ¶ 56. To obtain Mediant’s services, Mediant’s customers are required to share sensitive shareholder information. SAC ¶ 1. The SAC alleges that on its website, Mediant “touts its ‘web-based technology’ and ‘industry-leading security,’ and states that it maintains a ‘[c]omprehensive cybersecurity program with highly robust, redundant infrastructure platform that provides reliability and security you need.’” Id. ¶ 56. “Mediant’s Privacy Policy . . . states that it is committed to maintaining the privacy of shareholders’ Personal Information” and “promises that personally identifiable data ‘provided to Mediant by you or by third parties will be kept confidential.’” Id. ¶ 59. “Further, Mediant represents that it ‘maintains physical, electronic and procedural safeguards in accordance with laws and regulations governing confidentiality and security of information. Access to personal information is limited to only those workers and third parties who need access to the information to perform necessary activities for Mediant. We also provide security for your information by maintaining servers that are secure and dedicated solely to the services that we provide to protect against loss, misuse, or alteration of your information.’” Id. ¶ 60.

The SAC also alleges that Mediant is particularly aware that it is a target of cyber-attacks. Mediant’s CTO wrote an article “specifically addressing the severe threat cyber-attacks pose to the financial industry and companies like Mediant.” Id. ¶ 63. The article states that it is “certainly possible—and these days, essential—to develop and implement a robust security framework that accounts for all vulnerabilities.” Id. ¶ 67. Additionally, Plaintiffs allege that “[b]ut for Defendants’ willingness and commitment to maintain its privacy and confidentiality, [Plaintiffs’ personal information] would not have been transferred to and entrusted with Defendants.” ¶ 155.

These facts, accepted as true, are sufficient to plausibly allege that Mediant owed a duty to reasonably safeguard Plaintiffs’ personal information. Mediant received Plaintiffs’ personal information while providing its services and stored that information on its servers. Mediant is in the best position to protect information on its own servers from data breach. Further, the SAC alleges that Mediant understood the importance of data security to its business, knew it was the target of cyber-attacks, and touted its data security to current and potential customers. Finally, the imposition of a duty does not open Mediant up to limitless liability. Mediant’s potential liability is limited to the individuals whose personal information it obtained while providing its services. Thus, under the facts alleged in the SAC, Mediant owed Plaintiffs a duty to exercise reasonable care safeguarding their personal information.

Mediant refutes that it owed a duty to Plaintiffs and argues that Hammond v. The Bank of New York Mellon Corp. , No. 08-cv-6060, 2010 WL 2643307 (S.D.N.Y. June 25, 2010), controls the outcome of this case. In Hammond , the court held that the defendant bank was entitled to summary judgment because the plaintiffs failed to establish that the bank owed them a duty since “[n]one of the named Plaintiffs had any direct dealings with Defendant,” because “banks owe no duty of care to their non-customers,” and because “Plaintiffs gave their personal data over to [institutional clients of Defendant], which, in turn, forwarded the data to Defendant (which stored the data on the tapes that ultimately were lost or stolen).” Id. at *9.

Hammond is distinguishable from this case. First, the Court observes that Hammond was decided in 2010. At that time, as the court in Hammond noted, “every court” to consider data breach claims ultimately dismissed the claims, and many of those decisions determined “that loss of identity information is not a legally cognizable claim.” at *1–2. Data breach jurisprudence has developed significantly in the last twelve years. Numerous courts applying New York law have denied motions to dismiss negligence claims in data breach cases. See, e.g. , In re GE/CBPS Data Breach Litig. , No. 20- cv-2903, 2021 WL 3406374, at *9 (S.D.N.Y. Aug. 4, 2021); Wallace v. Health Quest Sys., Inc. , No. 20- cv-545, 2021 WL 1109727, at *9 (S.D.N.Y. Mar. 23, 2021); Sackin , 278 F. Supp. 3d at 747; In re Experian Data Breach Litig. , No. SACV151592, 2016 WL 7973595, at *3 (C.D. Cal. Dec. 29, 2016).

In addition, the decision in Hammond did not substantively address the factors for determining whether a duty exists under New York law as outlined above. Instead, Hammond relied in part on the general rule that banks do not owe a duty of care to their non-customers. Hammond , 2010 WL 2643307, at *9. As Mediant is not a bank, that rule does not apply to this case. Finally, Plaintiffs have alleged facts establishing that data security was vital to Mediant’s business and that Mediant would not have been entrusted with Plaintiffs’ personal information without Mediant’s purported commitment to protecting that information. See In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig. , No. 19-MD-2879, 2020 WL 6290670, at *15 (D. Md. Oct. 27, 2020) (“[ Hammond ] is also distinguishable because the third parties (who the plaintiffs had entrusted with their personal information) did not employ the defendant as a data security contractor for the purposes of protecting the plaintiffs’ data, but merely employed the defendant to process its payments.”). For these reasons, the court cannot conclude that Hammond ’s holding was based solely on the plaintiffs’ lack of direct dealings with the bank. Accordingly, the Court concludes that Plaintiffs have adequately pleaded that Mediant owed them a duty to exercise reasonable care safeguarding their personal information.

ii. Breach Plaintiffs have adequately pleaded that Mediant breached its duty to exercise reasonable care safeguarding their personal information. The SAC alleges that Mediant “fail[ed] to implement security systems, protocols and practices sufficient to protect” Plaintiffs’ personal information, “fail[ed] to comply with industry data security standards,” and “fail[ed] to comply with statutory and regulatory . . . safeguards.” SAC ¶ 128. The SAC further alleges that Mediant “maintain[ed] deficient controls to prevent and monitor for unauthorized access” of its email accounts and failed to encrypt the personal information stored on its servers. ¶¶ 18, 23. Additionally, the SAC contains numerous specific factual allegations detailing Mediant’s awareness that it was a target of cybersecurity threats. See SAC ¶¶ 55–76. These allegations are sufficient to plausibly allege that Mediant breached its duty. See In re GE/CBPS , 2021 WL 3406374, at *8 (finding “allegations sufficient to sustain a negligence claim” where the complaint alleged that the defendants “‘fail[ed] to design, adopt, implement, control, direct, oversee, manage, monitor, and audit appropriate data security processes, controls, policies, procedures, protocols, and software and hardware systems to safeguard and protect the personal and financial information entrusted to [them],’ despite a reasonably foreseeable risk that such failure ‘would result in the unauthorized release, disclosure, and dissemination of [Plaintiff’s] and Class members’ personal and financial information’”); Sackin , 278 F. Supp. 3d at 748 (holding that the plaintiffs sufficiently pleaded breach by alleging that the defendant “was aware of the sensitivity of PII and the need to protect it” but despite this knowledge “failed to take reasonable steps to prevent the wrongful dissemination of Plaintiffs’ PII—including erecting a digital firewall, conducting data security training and adopting retention and destruction policies”).

iii. Damages Plaintiffs have also sufficiently alleged that they suffered damage as a proximate result of the data breach. “[W]here plaintiffs have shown a substantial risk of future identity theft or fraud, ‘any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact.’” McMorris v. Carlos Lopez & Assocs., LLC , 995 F.3d 295, 303 (2d Cir. 2021) (quoting In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig. , 928 F.3d 42, 59 (D.C. Cir. 2019)). Similarly, recent federal decisions applying New York law in data breach cases have concluded that expenses incurred to reduce a substantial threat of identity theft are sufficient to plead damages for a negligence claim. See Sackin , 278 F. Supp. 3d at 749 (“[T]he Complaint adequately alleges that Plaintiffs face an imminent threat of identity theft and have purchased preventive services to mitigate the threat. These mitigation expenses satisfy the injury requirements of negligence.”); Wallace , 2021 WL 1109727, at *6 (holding that the plaintiffs “plausibly alleged they suffered monetary damages” by “alleg[ing] they purchased credit monitoring and identity protection services to reduce the risk of future identity theft from the Data Breach”); In re GE/CBPS , 2021 WL 3406374, at *9. “[C]ourts confronted with allegations that plaintiffs are at an increased risk of identity theft or fraud based on an unauthorized data disclosure should consider the following non-exhaustive factors in determining whether those plaintiffs have adequately alleged an Article III injury in fact: (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.” McMorris , 995 F.3d at 303.

Mediant contends that this rule does not comport with New York law. Relying primarily on the decision in Caronia v. Philip Morris USA, Inc. , 22 N.Y.3d 439 (N.Y. 2013), Mediant argues that “where there is no actual loss . . . allegations that Plaintiffs spent time in response to the data incident, or even purchased credit monitoring, are insufficient.” Mediant’s Reply to Pls.’ Opp’n, Dkt. No. 114, at 4. Caronia does not stand for this proposition. In Caronia , the Second Circuit certified to the New York Court of Appeals the question of whether the plaintiffs could “pursue an independent equitable cause of action for medical monitoring.” Caronia , 22 N.Y.3d at 446. The Second Circuit had previously affirmed the dismissal of the plaintiffs’ negligence claim, observing that the parties had agreed that “the injury in this action is the increased risk of developing lung cancer as a result of smoking Marlboro cigarettes for twenty pack-years.” Caronia v. Philip Morris USA, Inc. , 715 F.3d 417, 429 (2d Cir. 2013). The Court of Appeals was not presented with the question of whether mitigation expenses can satisfy the injury requirement of negligence.

In this case, by contrast, Plaintiffs assert that they “face[d] a substantial risk of harm, such that . . . the plaintiff’s mitigation costs to remediate that risk . . . state an injury in fact.” Opp’n at 20. The SAC alleges that the data breach exposed Plaintiffs’ sensitive information, including “names, genders, physical addresses, email addresses, phone numbers, Social Security Numbers, tax identification numbers, and bank account numbers, as well as specific information relating to investors’ securities holdings, including securities units purchased, dates of purchase, and individuals or entities designated to collect investment payments.” ¶ 2. The data breach was “the result of a criminal hack wherein hackers obtained unauthorized access to four Mediant business email accounts exploiting a vulnerability in Mediant’s email system.” Id. ¶ 18. “The most likely and obvious motivation for the hacking is to use Plaintiffs’ [personal information] nefariously or sell it to someone who would.” Sackin , 278 F. Supp. 3d at 746. Further, Plaintiffs allege that that their personal information has been misused following the data breach. Toretto alleges that he “began to receive a significant increase in spam-related telephone calls following the Data Breach.” SAC ¶ 18. King “twice experienced fraudulent charges on a retail credit card” following the data breach. Id. ¶ 40. And Braun suffered a “series of fraudulent attempts to secure credit under her name.” ¶ 48.

These allegations, which the Court must accept as true, are sufficient to plausibly allege that Plaintiffs faced a substantial risk of future identity theft and fraud. In re GE/CBPS , 2021 WL 3406374, at *7; Wallace , 2021 WL 1109727, at *5 (“[Plaintiffs] allege their sensitive Private Information was accessed by unknown third parties and they are thereby exposed to a high degree of risk of identity fraud and future economic harm. Given the potential wealth of information compromised, plaintiffs suffer a substantial risk that harm will occur to their reputations, their identities, their financial accounts, and more at the hands of the unknown hackers who accessed defendant’s systems. At a minimum, plaintiffs have alleged an imminent risk of future identity theft and fraud.” (citation omitted)); Sackin , 278 F. Supp. 3d at 746 (“The allegations that Defendant has provided Plaintiffs’ names, addresses, dates of birth, Social Security numbers and bank account information directly to cyber-criminals creates a risk of identity theft sufficiently acute so as to fall comfortably into the category of ‘certainly impending.’”).

Because Plaintiffs face a substantial risk of identity theft or fraud, Plaintiffs’ costs incurred to mitigate that threat satisfy the damages element of their claim. Sackin , 278 F. Supp. 3d at 749. Here, Plaintiffs allege that they suffered, among other injuries, “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their Personal Information.” SAC ¶ 134. The Plaintiffs allege that they purchased “credit monitoring, credit freezes, and identity theft protection services.” Id. ¶ 99. Further, Toretto specifically alleges that he “purchased a LifeLock service plan” and “security plans for each of his computers.” Id. ¶ 33. Accordingly, Plaintiffs have plausibly alleged that they suffered damages under their negligence claim.

In sum, the Court concludes that Plaintiffs have adequately pleaded the elements of a negligence claim against Mediant. For that reason, Mediant’s motion to dismiss Plaintiffs’ negligence claim is denied.

5. Vicarious Liability Finally, Plaintiffs allege that Donnelley is vicariously liable for Mediant’s negligence because Donnelley is Mediant’s partner. Because Plaintiffs did not adequately plead the existence of a

partnership, Plaintiffs’ vicarious liability claim is dismissed.

Negligence Per Se Next, Defendants move to dismiss Plaintiffs’ negligence per se claims. Plaintiffs allege that Defendants were negligent per se “by failing to use reasonable measures to protect Plaintiffs’ and Class Members’ Personal Information and by failing to comply with applicable industry standards” in violation of Section 5 of the Federal Trade Commission Act (the “FTCA”). SAC ¶ 137. In addition, Plaintiffs allege that Donnelley was negligent per se for violating its “duty to use reasonable security measures” under the Gramm-Leach-Bliley Act (the “GLBA”). Id. ¶ 138. Plaintiffs’ negligence per se claims are not viable under either Illinois or New York law and are therefore dismissed.

1. Donnelley “[A]ctions for negligence per se are allowed” under Illinois law. Test Drilling Serv. Co. v. Hanor Co. , 322 F. Supp. 2d 957, 964 (C.D. Ill. 2003). “However, they are allowed for statutory violations only if the statute provides for strict liability if violated.” ; see also Abbasi ex rel. Abbasi v. Paraskevoulakos , 718 N.E.2d 181, 186 (Ill. 1999) (“[T]he violation of a statute is not negligence per se , which refers to strict liability, but rather only prima facie evidence of negligence, unless the legislature clearly intends to impose strict liability.” (citations omitted)). Neither section 5 of the FTCA nor the GBLA impose strict liability in tort. Because Plaintiff does not allege violation of a statute that imposes strict liability, the Court dismisses Plaintiffs’ negligence per se claim against Donnelley. See Cmty. Bank of Trenton v. Schnuck Markets, Inc. , 210 F. Supp. 3d 1022, 1042 (S.D. Ill. 2016) (dismissing the plaintiffs’ negligence per se claim because they failed to “me[e]t the higher burden of identifying a statute imposing strict liability, as they would be required to do to establish negligence per se under Illinois law”).

2. Mediant “In New York, the ‘unexcused omission’ or violation of a duty imposed by statute for the benefit of a particular class ‘ is negligence itself.’” Chen v. United States , 854 F.2d 622, 627 (2d Cir. 1988) (quoting Martin v. Herzog , 228 N.Y. 164, 168 (1920)). However, “[v]iolation of a statute . . . does not automatically constitute negligence per se .” German by German v. Fed. Home Loan Mortg. Corp. , 896 F. Supp. 1385, 1396 (S.D.N.Y. 1995). “In order to warrant a finding of negligence per se for a statutory violation, the statute must evidence ‘an intention, express or implied, that from disregard of [its] command a liability for resultant damages shall arise ‘which would not exist but for the statute.’” Id. at 1397. “Three factors are of central importance in this inquiry: (1) whether the plaintiff is one of the class for whose particular benefit the statute was enacted, (2) whether a finding of negligence per se for violation of the statute would promote the legislative purpose, and (3) whether creation of such liability would be consistent with the legislative scheme.”

Plaintiffs fail to plead a negligence per se claim. Plaintiffs base their claim against Mediant on Section 5 of the FTCA. However, as Plaintiffs admit, Section 5 does not provide for a private right of action. Alfred Dunhill Ltd. v. Interstate Cigar Co. , 499 F.2d 232, 237 (2d Cir. 1974) (“[T]he provisions of the Federal Trade Commission Act may be enforced only by the Federal Trade Commission. Nowhere does the Act bestow upon either competitors or consumers standing to enforce its provisions.”); see also Opp’n at 42 (acknowledging that “section 5 of the FTC Act . . . do[es] not create an implied federal right of action”). “[I]nstead, the FTCA confers exclusive enforcement authority on the Federal Trade Commission.” In re GE/CBPS , 2021 WL 3406374, at *10. “Thus, allowing [a] negligence per se claim to proceed based on a violation of the FTCA would be inconsistent with the legislative scheme.” ; see also Cohen v. Ne. Radiology, P.C. , No. 20-cv-1202, 2021 WL 293123, at *7 (S.D.N.Y. Jan. 28, 2021) (concluding that the fact that the FTCA does not

create a private right of action “weighs heavily against implying a private right of action necessary to sustain a negligence per se claim based upon . . . the FTC[A]”); Smahaj v. Retrieval-Masters Creditors Bureau, Inc. , 131 N.Y.S.3d 817, 827 (N.Y. Sup. Ct. 2020) (“Plaintiff’s negligence per se claim based on an alleged violation of the FTC Act must also be dismissed because ‘[i]f mere proof of a violation of . . . were to establish negligence per se, plaintiff would effectively be afforded a private right of action that [the statute] does not recognize.’” (alterations in original)); but see In re Cap. One Consumer Data Sec. Breach Litig. , 488 F. Supp. 3d 374, 408 (E.D. Va. 2020) (applying New York law and holding that the plaintiffs plausibly alleged a claim for negligence per se premised on Section 5 of the FTCA). Accordingly, the Court dismisses Plaintiffs’ negligence per se claim against Mediant.

Breach of Contract/Third-Party Beneficiary

1. Choice of Law “Under New York’s choice-of-law rules, the interpretation and validity of a contract is governed by the law of the jurisdiction which is the ‘center of gravity’ of the transaction.” Alderman v. Pan Am World Airways , 169 F.3d 99, 103 (2d Cir. 1999). “To determine the center of gravity, courts generally consider ‘the places of negotiation and performance; the location of the subject matter; and the domicile or place of business of the contracting parties.’” Longo v. KeyBank Nat’l Ass’n , 357 F. Supp. 3d 263, 270 (S.D.N.Y. 2019) (quoting Zurich Ins. Co. v. Shearson Lehman Hutton, Inc. , 84 N.Y.2d 309, 317 (1994)).

Plaintiffs allege that they are third-party beneficiaries to contracts that Donnelley and Mediant separately entered into with “public companies and mutual funds to provide and perform proxy services.” SAC ¶¶ 145–47. Plaintiffs offer no factual allegations regarding where these contracts were negotiated or the place of business of the specific “public companies and mutual funds.” Nor do they plead the existence of relevant governing law provisions in those agreements. Because Defendants were parties to the contracts and the contracts govern services to be provided by Defendants, the Court concludes that the place of business of each Defendant is the “center of gravity” of their respective contracts. Accordingly, Illinois law applies to the third-party beneficiary claim against Donnelley, and New York law applies to the third-party beneficiary claim against Mediant.

2. Donnelley Plaintiffs fail to adequately allege a third-party beneficiary claim against Donnelley. Under Illinois law, “[t]he elements of a breach-of-contract action are: ‘(1) the existence of a valid and enforceable contract; (2) performance by the plaintiff; (3) breach of the contract by the defendant; and (4) resultant injury to the plaintiff.’” Cohn v. Guaranteed Rate Inc ., 130 F. Supp. 3d 1198, 1209 (N.D. Ill. 2015) (quoting Mack Indus., Ltd. v. Vill. of Dolton , 30 N.E.3d 518, 528 (Ill. App. Ct. 2015)). “[A] cause of action based on a contract may be brought . . . by an intended third-party beneficiary of the contract.” Kaplan v. Shure Bros. , 266 F.3d 598, 602 (7th Cir. 2001). “An intended beneficiary is intended by the parties to the contract to directly benefit for the performance of the agreement; under the contract an intended beneficiary has rights and may sue.” Carlson v. Rehab. Inst. of Chicago , 50 N.E.3d 1250, 1256 (Ill. App. Ct. 2016). “There is a strong presumption that the parties to a contract intend that the contract’s provisions apply only to them, and not to third parties.” Martis v. Grinnell Mut. Reinsurance Co. , 905 N.E.2d 920, 924 (Ill. App. Ct. 2009).

Whether someone is a third-party beneficiary depends on the intent of the contracting parties, as evidenced by the contract language. It must appear from the language of the contract that the contract was made for the direct, not merely incidental, benefit of the third person. Such an intention must be shown by an express provision in the contract identifying the third-party beneficiary by name or by description of a class to which the third party belongs. If a contract makes no mention of the plaintiff or the class to which he belongs, he is not a third-party beneficiary of the contract.

Id. (citations omitted).

Here, Plaintiffs allege that Donnelley entered into contracts with three specific entities in which the lead Plaintiffs invested. SAC ¶¶ 30, 37, 43; see also id. ¶ 145. Plaintiffs allege that these contracts “contained provisions requiring Donnelley . . . to protect the investor information that Donnelley . . . received in order to provide such proxy services.” SAC ¶¶ 145–46. Plaintiffs allege that Donnelley “breached these contracts while acting in the course of the business of the Partnership by not protecting Plaintiffs’ and Class Members’ Personal Information.” ¶ 148.

Donnelley argues that Plaintiffs “fail to allege the specific terms in Donnelley’s purported contracts with its clients . . . that Donnelley . . . supposedly breached, much less explain how they were breached.” Donnelley Mem., Dkt. No. 100, at 24. In response, Plaintiffs argue that in the Court’s prior decision, the Court noted that “the terms of the alleged contract are particularly within the possession and control of Defendants.” Opp’n at 47 (quoting Toretto , 2021 WL 861138, at *9). However, while the federal pleading standard “does not prevent a plaintiff from pleading facts alleged ‘upon information and belief’ where the facts are peculiarly within the possession and control of the defendant,” Arista Recs., LLC v. Doe 3 , 604 F.3d 110, 120 (2d Cir. 2010) (internal quotation marks and citation omitted) (emphasis added), Plaintiffs are still required to state a claim for relief that is plausible on its face.

Plaintiffs fail to adequately allege that Donnelley breached the contracts at issue. While Plaintiffs allege that Donnelley was required to protect the personal information it received to provide proxy services, the SAC does not contain any allegations that Donnelley even received Plaintiffs’ information, much less that Donnelley failed to protect it. Instead, the SAC alleges that Mediant failed to adequately protect Plaintiffs’ personal information and that Donnelley “fail[ed] to exercise appropriate managerial control over Mediant’s data security.” As discussed above, Plaintiffs have not adequately alleged a partnership between Donnelley and Mediant and have therefore failed to establish that Donnelley had the duty, or even ability, to control Mediant’s data security. Plaintiffs do not allege that the contracts required Donnelley to exercise control over third parties who received investor information from Donnelley’s clients. Without any factual allegations to support that Donnelley failed to protect any personal information it received, or that the contracts required Donnelley to ensure that Mediant adequately protect Plaintiffs’ personal information, Plaintiffs have not plausibly alleged that Donnelley breached the contracts at issue. Accordingly, Plaintiffs’ third- party beneficiary claim against Donnelley is dismissed.

3. Mediant Plaintiffs’ third-party beneficiary claim against Mediant also fails. “Under New York State law, a party claiming rights as a third-party beneficiary must demonstrate ‘(1) the existence of a valid and binding contract between other parties, (2) that the contract was intended for his benefit and (3) that the benefit to him is sufficiently immediate, rather than incidental, to indicate the assumption by the contracting parties of a duty to compensate him if the benefit is lost.’” Stevens v. Goord , 535 F. Supp. 2d 373, 390–91 (S.D.N.Y. 2008) (quoting State of Cal. Pub. Employees’ Ret. Sys. v. Shearman & Sterling , 95 N.Y.2d 427, 434–35 (2000)). “To show that an enforceable contract existed, the claimant must plead facts surrounding the formation of the contract such as the date the parties entered into the contract, the major terms of the contract, the parties to the contract, and that the party to be bound assented to the contract.” Fuji Photo Film U.S.A., Inc. v. McNulty , 669 F. Supp. 2d 405, 412 (S.D.N.Y. 2009). “Conclusory allegations that a contract existed or that it was breached do not suffice.” Emerald Town Car of Pearl River, LLC v. Philadelphia Indem. Ins. Co. , No. 16-cv-1099, 2017 WL 1383773, at *7 (S.D.N.Y. Apr. 12, 2017).

The SAC contains a sole conclusory allegation that “Mediant . . . directly contracted with public companies and mutual funds to provide and perform proxy services.” SAC ¶ 145. The SAC fails to identify the entities that Mediant allegedly contracted with and provides no other factual enhancement regarding the formation of the contracts. Merely stating the legal conclusion that Mediant “entered contracts” with unspecified “public companies and mutual funds” is insufficient to establish the existence of an enforceable contract between Mediant and any other party. Because Plaintiffs do not sufficiently allege the existence of an enforceable agreement, the Court dismisses Plaintiffs’ third-party beneficiary claim against Mediant.

Unjust Enrichment

1. Choice of Law The parties dispute the proper choice of law rule to apply to Plaintiffs’ unjust enrichment claims. Plaintiffs assert that the unjust enrichment claims are quasi-contract claims and therefore should be governed by the choice of law analysis applicable to contract claims. See Opp’n at 48 n.29. Defendants, on the other hand, contend that “the choice of law analysis applicable to tort claims would apply since the unjust enrichment claim does not relate to an enforceable contract.” Donnelley Reply at 17 n.18. The Court need not resolve this issue because under either approach New York law applies to the claim against Mediant and Illinois law applies to the claim against Donnelley. See supra Sections III(B)(1), III(D)(1). 2. Mediant “To state a claim for unjust enrichment in New York, a plaintiff must allege that (1) defendant was enriched; (2) the enrichment was at plaintiff’s expense; and (3) the circumstances were such that equity and good conscience require defendants to make restitution.” Talon Pro. Servs., LLC v. CenterLight Health Sys. Inc. , No. 20-cv-78, 2021 WL 1199430, at *9 (S.D.N.Y. Mar. 30, 2021) (quoting Kidz Cloz, Inc. v. Officially for Kids, Inc. , 320 F. Supp. 2d 164, 177 (S.D.N.Y. 2004)). “Although privity is not required for an unjust enrichment claim, a claim will not be supported if the connection between the parties is too attenuated.” Mandarin Trading Ltd. v. Wildenstein , 16 N.Y.3d 173, 182 (2011).

Mediant argues that Plaintiffs’ unjust enrichment claim should be dismissed as duplicative. “[U]njust enrichment is not a catchall cause of action to be used when others fail.” Corsello v. Verizon New York, Inc. , 18 N.Y.3d 777, 790 (2012). “An unjust enrichment claim is not available where it simply duplicates, or replaces, a conventional contract or tort claim.” “Where . . . the wrongful conduct alleged with regard to unjust enrichment and tort claims is the very same, courts have dismissed unjust enrichment claims as duplicative.” Trainum v. Rockwell Collins, Inc. , No. 16-cv-7005, 2017 WL 2377988, at *20 (S.D.N.Y. May 31, 2017), aff’d , 765 F. App’x 514 (2d Cir. 2019). Here, Plaintiffs’ unjust enrichment claim is premised on the same wrongful conduct as Plaintiffs’ negligence claim. See SAC ¶ 156 (“As a result of Defendants’ wrongful conduct as alleged herein, Defendants have been unjustly enriched at the expense of, and to the detriment of, Plaintiffs and Class Members.”). Because Plaintiffs expressly rely on the same underlying wrongful conduct for their negligence and unjust enrichment claims, the Court dismisses Plaintiffs’ unjust enrichment claim against Mediant as duplicative.

3. Donnelley Under Illinois law, “[t]o state a cause of action based on a theory of unjust enrichment, a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc. , 545 N.E.2d 672, 679 (Ill. 1989). Plaintiffs’ unjust enrichment claim is premised on the retention and use of Plaintiffs’ personal information. Plaintiffs do not allege that Donnelley received, used, or retains their personal information in its individual capacity. Instead, Plaintiffs allege that the personal information was “conferred upon, collected by, and maintained by Mediant” and that the associated benefits were “conferr[ed] upon the Partnership.” SAC ¶ 151–52. As already noted, Plaintiffs have not adequately pleaded the existence of a partnership between Donnelley and Mediant, and therefore have not sufficiently alleged that any benefit was conferred upon Donnelley as a result. Because Plaintiffs have not alleged that Donnelley “unjustly retained a benefit to the plaintiff’s detriment,” the Court dismisses Plaintiffs’ unjust enrichment claim against Donnelley.

California Customer Records Act Toretto fails to sufficiently plead a claim under the CRA because he does not adequately allege that he is a customer of Defendants as defined by the CRA. The CRA “regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information.” Corona v. Sony Pictures Ent., Inc. , No. 14-cv-09600, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). The CRA defines a “customer” as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.” Cal. Civ. Code § 1798.80(c).

Toretto seeks both damages and injunctive relief under the CRA. SAC ¶ 179. Section 1798.84(b) provides that “[a]ny customer injured by a violation of this title may institute a civil action to recover damages.” Cal. Civ. Code § 1798.84(b). The section expressly “limits such action to ‘any customer.’” Corona , 2015 WL 3916744, at *7. Section 1798.84(e) provides that “[a]ny business that violates, proposes to violate, or has violated this title may be enjoined.” Cal. Civ. Code § 1798.84(e). “The provision does not specify who may bring an action for injunctive relief.” Patton v. Experian Data Corp. , No. SACV 17-01559, 2018 WL 6190349, at *7 (C.D. Cal. Jan. 23, 2018). “However, section 1798.84(b) is the only section in the CRA’s remedies provision that explicitly contemplates a private right of action.” “Because the right to institute a civil action arises only under subdivision (b), a plaintiff must meet the terms of that section—i.e., he or she must be a ‘customer’ who has been ‘injured by a violation of this title’” to bring an action under the CRA.

Boorstein v. CBS Interactive, Inc. , 165 Cal. Rptr. 3d 669, 675 (Cal. Ct. App. 2013); see also Patton , 2018 WL 6190349, at *8 (C.D. Cal. Jan. 23, 2018).

Toretto argues that he is a “customer” for purposes of the CRA because “Mediant maintained his Personal Information to use that information in transactions with him.” Opp’n at 57. In his attempt to broadly define the meaning of “customer” under the CRA, Toretto cites to a provision outlining the purpose of the CRA. See id. (citing Cal. Civ. Code § 1798.81.5(a)(1)–(2)). However, Toretto does not grapple with the express definition of “customer” in the CRA, which requires an individual to “provide[ ] personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.” Cal. Civ. Code § 1798.80(c). The SAC does not allege that Toretto provided his personal information to Defendants for any reason, let alone for the purpose of purchasing or leasing a product or obtaining a service from Defendants. Instead, the SAC alleges that Mediant obtained Toretto’s personal

information while providing services to an entity in which Toretto had invested. See SAC ¶¶ 29–30. As a result, Toretto has not adequately pleaded that he is a customer of Defendants under the CRA. The Court therefore dismisses his claim for damages and injunctive relief under the CRA. See Patton , 2018 WL 6190349, at *8 (“Plaintiff . . . fails to adequately state a claim for injunctive relief under section 1798.82 because he fails to allege that he was Defendants’ customer.”); Corona , 2015 WL 3916744, at *7 (“[Defendant] argues that Plaintiffs may not sue under the CRA because they are not ‘customers,’ within the meaning of the statute. The Court agrees.”).

California Unfair Competition Law Toretto’s claim under the UCL is not pleaded adequately. “The UCL prohibits, and provides civil remedies for, unfair competition, which it defines as ‘any unlawful, unfair or fraudulent business act or practice.’” Kwikset Corp. v. Superior Ct. , 246 P.3d 877, 883 (Cal. 2011) (quoting Cal. Bus. & Prof. Code § 17200). “By proscribing any unlawful business act or practice, the UCL borrows rules set out in other laws and makes violations of those rules independently actionable.” Zhang v. Superior Ct. , 304 P.3d 163, 167 (Cal. 2013) (internal quotation marks and citation omitted). “In addition, a practice that is unfair or fraudulent may be the basis for a UCL action even if the conduct is ‘not specifically proscribed by some other law.’” Loeffler v. Target Corp. , 324 P.3d 50, 75 (Cal. 2014) (quoting Cel-Tech Commc’ns, Inc. v. L.A. Cellular Tel. Co. , 973 P.2d 527, 540 (Cal. 1999)). “While the scope of conduct covered by the UCL is broad, its remedies are limited.” Korea Supply Co. v. Lockheed Martin Corp ., 63 P.3d 937, 943 (Cal. 2003). “Prevailing plaintiffs are generally limited to injunctive relief and restitution.” Cel-Tech , 973 P.2d at 539.

Under California’s presumption against extraterritoriality, courts “presume the Legislature did not intend a statute to be operative, with respect to occurrences outside the state, . . . unless such intention is clearly expressed or reasonably to be inferred from the language of the act or from its purpose, subject matter or history.” Sullivan v. Oracle Corp. , 254 P.3d 237, 248 (Cal. 2011) (alteration in original) (internal quotation marks omitted). “Neither the language of the UCL nor its legislative history provides any basis for concluding the Legislature intended the UCL to operate extraterritorially. Accordingly, the presumption against extraterritoriality applies to the UCL in full force.” “Even if the presumption against extraterritorial application applies to a particular statute, the court must still consider ‘whether plaintiffs’ proposed application of the [law] would cause it to operate, impermissibly, with respect to occurrences outside the state.’” Bernstein v. Virgin Am., Inc. , 227 F. Supp. 3d 1049, 1062 (N.D. Cal. 2017) (quoting Sullivan , 254 P.3d at 248).

Accordingly, the Court must consider whether Plaintiffs’ proposed application of the UCL would cause the UCL to impermissibly apply to out-of-state conduct. “[T]he relevant inquiry for whether a state law is being applied extraterritorially is . . . whether ‘the conduct which gives rise to liability . . . occurs in California.’” Leibman v. Prupes , No. 2:14-cv-09003, 2015 WL 3823954, at *7 (C.D. Cal. June 18, 2015) (second alteration in original) (quoting Diamond Multimedia Sys., Inc. v. Superior Court , 968 P.2d 539, 554 (Cal. 1999) (emphasis added)); see also Thunder Studios, Inc. v. Kazal , 13 F.4th 736, 743 (9th Cir. 2021) (citing Diamond for the proposition that “the determinative factor in California’s presumption against extraterritoriality is the location of the conduct”); Oman v. Delta Air Lines, Inc. , 889 F.3d 1075, 1079 (9th Cir. 2018) (“To evaluate whether a claim seeks to apply the force of a state statute beyond the state’s boundaries, courts consider where the conduct that ‘creates liability’ under the statute occurs.” (quoting Sullivan , 254 P.3d at 248)). “[I]f the liability-creating conduct occurs outside of California, California law generally should not govern that conduct . . . unless the Legislature explicitly indicates otherwise.” Oman , 889 F.3d at 1079.

Here, it is indisputable that the conduct which allegedly gives rise to liability in this case occurred entirely outside of California. Notwithstanding, Toretto argues that he can bring a claim under the UCL because he is a California resident and because Defendants’ conduct allegedly caused injury in California. See Opp’n at 53–54. In support, Toretto cites the decision Speyer v. Avis Rent a Car Sys., Inc. , 415 F. Supp. 2d 1090, 1099 (S.D. Cal. 2005), aff’d on other grounds , 242 F. App’x 474 (9th Cir. 2007), which reasoned that two California state court decisions “stand for the proposition that the UCL applies to wrongful conduct that occurs out-of-state but results in injury in California.” (first citing Norwest Mortg., Inc. v. Superior Ct. , 85 Cal. Rptr. 2d 18, 22 (Cal. Ct. App. 1999); and then citing Yu v. Signet Bank/Virginia , 82 Cal. Rptr. 2d 304, 313 ( Cal. Ct. App. 1999)). Citing Norwest and Yu , other district courts in California have similarly stated that “courts have held that a UCL claim may be brought by a litigant who is a resident of California, regardless of where the alleged misconduct occurred.” Iskander v. Laugh Factory, Inc. , No. LACV191076, 2020 WL 2114939, at *10 (C.D. Cal. Mar. 17, 2020); Adobe Sys. Inc. v. Blue Source Grp., Inc. , 125 F. Supp. 3d 945, 972 (N.D. Cal. 2015) (same); McKinnon v. Dollar Thrifty Auto. Grp., Inc. , 2013 WL 791457, at *5 (N.D. Cal. Mar. 4, 2013) (“California residents can bring claims against out-of-state defendants if their injuries occurred in California.”).

Given the lack of a decision on this issue by the Supreme Court of California, there is no binding precedent governing whether the UCL applies to a claim by a plaintiff who is a California resident and was allegedly injured in California by out-of-state conduct, but who alleges no connection between the defendant and California. Accordingly, the Court’s job is to determine how the Supreme Court of California would resolve this issue. See Phansalkar , 344 F.3d at 199. Although Norwest and Yu are instructive on this issue, the Court does not read the cases to stand for the proposition that the UCL applies to any out-of-state conduct that results in injury in California regardless of the nature of Defendants’ connection with California. Both cases are distinguishable.

First, in Norwest , the court held that Californian plaintiffs could bring UCL claims against the defendant regardless of where the defendant’s conduct occurred. Norwest , 85 Cal. Rptr. 2d at 23. However, the court offered no rationale for this holding. Id. Further, the defendant was incorporated in California and the alleged unfair business practice involved insurance for California real estate. at 19–20. Given the contacts between the defendant and California in Norwest , and the lack of an explanation for the court’s holding, the Court cannot conclude that Norwest extends to all out-of-state conduct that injures a Californian resident. Here, except for his residency, Toretto has not alleged any contacts linking Defendants with California.

In Yu , the court held that “[i]n the absence of any federal preemption, a defendant who is subject to jurisdiction in California and who engages in out-of-state conduct that injures a California resident may be held liable for such conduct in a California court.” Yu , 82 Cal. Rptr. 2d at 313. Thus, for a defendant to be held liable for out-of-state conduct, Yu requires that the conduct injure a California resident and that the defendant be subject to jurisdiction in California. Toretto has not alleged any facts to support the conclusion that Defendants would be subject to personal jurisdiction in California. Notably, the Plaintiffs’ previous suit against Mediant in California was dismissed for lack of personal jurisdiction. Toretto , 2020 WL 1288478, at *6. Consequently, Norwest and Yu do not resolve the question presented in this case: whether a California resident may bring a claim under the UCL against a defendant for out-of-state conduct without alleging contacts between the defendant and California. See Elzeftawy v. Pernix Grp., Inc. , 477 F. Supp. 3d 734, 785 (N.D. Ill. 2020) (“[N]either Norwest nor Yu stands for the proposition that the UCL automatically applies to any claim brought by a California resident.”).

Even if the Court read Norwest and Yu that broadly, the Court is convinced that the Supreme Court of California would decide otherwise. See DiBella , 403 F.3d at 112 (a federal court should not disregard state intermediate appellate courts “unless it is convinced by other persuasive data that the highest court of the state would decide otherwise”). The Supreme Court of California has made clear that the presumption against extraterritoriality applies to the UCL “in full force.” Sullivan , 254 P.3d at 248. The determinative factor in applying the presumption against extraterritoriality is the location of “the conduct which gives rise to liability.” Diamond , 968 P.2d at 554. As stated, the conduct allegedly creating liability in this case occurred wholly outside of California. Given the clear application of the presumption against extraterritoriality, the Court does not find a compelling reason to conclude that Toretto can bring a claim under the UCL merely because he is a California resident who allegedly suffered injury in California. Toretto’s proposed application of the UCL would cause it to operate impermissibly out of state. Accordingly, Toretto’s claim under the UCL is dismissed. Florida Deceptive and Unfair Trade Practices Act Plaintiff Braun’s claim under FDUTPA is dismissed. “A consumer claim for damages under FDUTPA has three elements: (1) a deceptive act or unfair practice; (2) causation; and (3) actual damages.” Virgilio v. Ryland Grp., Inc. , 680 F.3d 1329, 1338 n.25 (11th Cir. 2012) (quoting Rollins, Inc. v. Butland , 951 So.2d 860, 869 (Fla. Dist. Ct. App. 2006)). Braun alleges that Defendants violated FDUPTA by failing to maintain and implement reasonable security measures to protect his personal information. However, “FDUTPA applies only to action that occurred within the state of Florida.” Hakim-Daccach v. Knauf Int’l GmbH , No. CV 17-20495-CIV, 2017 WL 5634629, at *7 (S.D. Fla. Nov. 22, 2017) (quoting Carnival Corp. v. Rolls-Royce PLC , No. 08-23318-CIV, 2009 WL 3861450, at *6 (S.D. Fla. Nov. 17, 2009)); see also Millennium Commc’ns & Fulfillment, Inc. v. Off. of Att’y Gen., Dep’t of Legal Affs., State of Fla. , 761 So. 2d 1256, 1262 (Fla. Dist. Ct. App. 2000) (stating that FDUTPA “seeks to prohibit unfair, deceptive and/or unconscionable practices which have transpired within the territorial boundaries of this state”).

Braun does not allege that Defendants committed any deceptive acts or practices in Florida. The SAC alleges that all relevant conduct occurred either at Mediant’s headquarters in New York or at Donnelley’s headquarters in Illinois. Braun does not challenge this point. Instead, Braun argues that “it is enough that the conduct generated a sufficient relationship with Florida by injuring Florida investors like Plaintiff Braun.” Opp’n at 52. Yet, Braun does not identify a single case where a court has held that FDUTPA applies to conduct that occurred fully outside of Florida. Although FDUTPA “does not limit its protection to acts occurring exclusively in Florida,” Eli Lilly & Co. v. Tyco Integrated Sec., LLC. , No. 13-80371-CIV, 2015 WL 11251732, at *4 (S.D. Fla. Feb. 10, 2015), Braun must plausibly allege that at least some improper acts occurred in Florida. See Hakim-Daccach , 2017 WL 5634629, at *7 (dismissing a FDUTPA claim where the plaintiff did not “allege any improper acts that actually occurred in Florida at all”). Braun has not done so here, and therefore

his FDUPTA claim is dismissed.

Declaratory Judgment Finally, Defendants argue that if the Court concludes that Plaintiffs failed to state a substantive claim, Plaintiffs’ claim for declaratory judgement also fails. “A plaintiff cannot maintain a claim for a declaratory judgment where the underlying substantive claim has been dismissed since the Declaratory Judgment Act only created a procedural mechanism and not an independent cause of action.” Prignoli v. Bruczynski , No. 20-cv-907, 2021 WL 4443895, at *12 (E.D.N.Y. Sept. 28, 2021) (collecting cases). Plaintiffs have adequately pleaded a substantive claim against Mediant. Thus, Mediant’s motion to dismiss the declaratory judgment claim is denied. But, because Plaintiffs have not adequately pleaded a substantive claim against Donnelley, Plaintiffs’ declaratory judgment claim against Donnelley is dismissed.

IV. LEAVE TO AMEND

The Court grants Plaintiffs leave to replead the dismissed claims. See Cortec Indus., Inc. v. Sum Holding L.P. , 949 F.2d 42, 48 (2d Cir. 1991) (“It is the usual practice upon granting a motion to dismiss to allow leave to replead.”); see also Fed. R. Civ. P. 15(a)(2) (“The court should freely give leave [to amend] when justice so requires.”). While leave may be denied “for good reason, including futility, bad faith, undue delay, or undue prejudice to the opposing party[,]” those circumstances do not apply in this case. TechnoMarine SA v. Giftports, Inc. , 758 F.3d 493, 505 (2d Cir. 2014) (quoting McCarthy v. Dun & Bradstreet Corp. , 482 F.3d 184, 200 (2d Cir. 2007)). Particularly, given the choice- of-law issues, the Court cannot conclude that amendment would be futile for any of Plaintiffs’ claims.

V. MOITIONS TO SEAL

Finally, the Court turns to the parties’ motions to seal. Defendants filed a motion to seal the Supplier Agreement, which Defendants filed in connection with their motions to dismiss. Dkt. No. 93. In connection with that request, Donnelley also sought to redact the portions of its brief in support of its motion to dismiss that contained “corresponding information relating to the confidential terms of the Supplier Agreement.” Id. Plaintiffs filed a motion to redact portions of their opposition brief that “refer to and quote from” the Supplier Agreement. Dkt. No. 106. Finally, Donnelley filed a motion to redact portions of its reply brief containing “substantive descriptions of the content of” the Supplier Agreement. Dkt. No. 115.

“There is a common law presumption in favor of permitting public access to judicial documents, which are those documents ‘relevant to the performance of the judicial function and useful in the judicial process.’” GoSMiLE, Inc. v. Dr. Jonathan Levine, D.M.D. P.C. , 769 F. Supp 2d 630, 649 (S.D.N.Y. 2011) (quoting Lugosch v. Pyramid Co. of Onondaga , 435 F.3d 110, 119 (2d Cir. 2006)). Applications to seal documents must therefore be “carefully and skeptically review[ed] . . . to [e]nsure that there really is an extraordinary circumstance or compelling need” to seal the documents from public inspection. Video Software Dealers Ass’n v. Orion Pictures Corp. , 21 F.3d 24, 27 (2d Cir. 1994).

A court balances this common law presumption of access against competing considerations, including “the privacy interests of those resisting disclosure.” Lugosch , 435 F.3d at 120 (quoting United States v. Amodeo , 71 F.3d 1044, 1050 (2d Cir. 1995)). In Mirlis v. Greer , the Second Circuit summarized the three steps that the Court must follow to determine whether the presumption of public access attaches to a particular document and bars disclosure. See 952 F.3d 51, 59 (2d Cir. 2020). First, the Court determines whether the document is a “judicial document,” namely, “one that has been placed before the court by the parties and that is relevant to the performance of the judicial function and useful in the judicial process.” Id. (quotation omitted). Second, if the materials are “judicial documents,” the Court “proceeds to ‘determine the weight of the presumption of access’ to that document.” Id. (quoting United States v. Erie Cnty. , 763 F.3d 235, 239, 241 (2d Cir. 2014)). “The weight to be accorded is ‘governed by the role of the material at issue in the exercise of Article III judicial power and the resultant value of such information to those monitoring the federal courts.’” (quoting Amodeo , 71 F.3d at 1049). “Finally, the court must identify all of the factors that legitimately counsel against disclosure of the judicial document, and balance those factors against the weight properly accorded the presumption of access.” Id.

The Supplier Agreement, which the Court has not considered in deciding the motions to dismiss, is not a judicial document. See Vasquez v. City of New York , No. 10-cv-6277, 2012 WL 4377774, at *1 (S.D.N.Y. Sept. 24, 2012) (“Generally, because courts usually ‘cannot consider evidence outside the pleadings without giving the parties notice and an opportunity to present additional evidence and converting the motion into one for summary judgment, . . . documents submitted in connection with a Rule 12(b)(6) motion cannot qualify as judicial.’” (quoting Standard Inv. Chartered, Inc. v. Nat’l Assn’ of Sec. Dealers , 621 F. Supp. 2d 55, 66 (S.D.N.Y. 2007)); Weisman Celler Spett & Modlin, P.C. v. Trans-Lux Corp. , No. 12-cv-5141, 2012 WL 5512164, at *3 (S.D.N.Y. Nov. 14, 2012) (concluding that a document was not a judicial document because “the Court did not consider” the document in making its ruling on the motions at issue).

On the other hand, the parties’ briefs in connection with the motions to dismiss are plainly judicial documents. See Raffaele v. City of New York , No. 13-cv-4607, 2014 WL 2573464, at *1 (E.D.N.Y. June 9, 2014). The substantive descriptions of the Supplier Agreement in the parties’ briefs, however, had no bearing on the Court’s decision on the motion to dismiss. Thus, the presumption of public access is low. See KeyBank Nat’l Ass’n v. Element Transp. LLC , No. 16-cv-8958, 2017 WL 384875, at *3 (S.D.N.Y. Jan. 26, 2017) (concluding that a document’s “irrelevance to the issues before the Court . . . places the presumption of public access at the nadir of the continuum of the weight to be given to the presumption”). Further, Defendants contend that the Supplier Agreement “includes highly confidential, commercially sensitive information relating to Donnelley and Mediant’s business operations with each other, which, if publicly disclosed, would cause Donnelley and Mediant significant competitive harm.” Dkt. No. 93. Because release of the information contained in the supplier agreement could cause competitive harm to Defendants, and because the proposed redactions are narrowly tailored to protect only this sensitive business information, the presumption of public access is overcome as to the proposed redactions. Accordingly, the parties’ motions to seal are granted.

VI. CONCLUSION

For the reasons described above, Mediant’s motion to dismiss is GRANTED in part and DENIED in part. Donnelley’s motion to dismiss is GRANTED in full.

The Clerk of Court is directed to terminate the motions pending at Dkt. Nos. 93, 94, 96, 106, 115.

SO ORDERED. Dated: February 4, 2022 _____________________________________ New York, New York GREGORY H. WOODS

United States District Judge

Notes

[1] Unless otherwise noted, the facts are taken from the second amended complaint and are accepted as true for the purposes of these motions. See Chambers v. Time Warner, Inc. , 282 F.3d 147, 152 (2d Cir. 2002). However, “the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions.” Ashcroft v. Iqbal , 556 U.S. 662, 678 (2009).

[2] As stated in Plaintiffs’ opposition brief, “Plaintiffs do not dispute that whether Mediant and Donnelley entered into a partnership should be determined by either Illinois or New York law, where the agreement to enter into the Partnership presumably occurred. Plaintiffs agree there does not appear to be any material differences between Illinois and New York law on the requirements for establishing a partnership.” Opp’n at 8 n.4. Because the court has not identified an actual conflict between the applicable state laws, the Court applies New York law. See Licci , 672 F.3d at 157.

[3] Further, Plaintiffs’ negligence claim relies on Donnelley’s alleged duties as Mediant’s legal partner to ensure that Mediant had adequate data security. However, as discussed, Plaintiffs failed to plead the existence of a legal partnership between Donnelley and Mediant. Even if Illinois recognized a general duty to safeguard personal information, Plaintiffs do not cite any authority to support that Donnelley would owe a duty to ensure that Mediant, a third party, properly safeguarded Plaintiffs’ information.

Case Details

Case Name: Toretto v. Donnelley Financial Solutions, Inc.

Court Name: District Court, S.D. New York

Date Published: Feb 4, 2022

Citations: 583 F.Supp.3d 570; 1:20-cv-02667

Docket Number: 1:20-cv-02667

Court Abbreviation: S.D.N.Y.