Leonard v. McMenamins Inc

W.D. Wash.9/13/2024
View on CourtListener

AI Case Brief

Generate an AI-powered case brief with:

📋Key Facts
⚖Legal Issues
📚Court Holding
💡Reasoning
🎯Significance

Estimated cost: $0.10–$0.50 per brief, depending on opinion length and retries

Full Opinion

1 2 3 4 5 UNITED STATES DISTRICT COURT 6 WESTERN DISTRICT OF WASHINGTON AT SEATTLE 7 ANDREW LEONARD et al., CASE NO. C22-0094-KKE 8 Plaintiffs, ORDER GRANTING DEFENDANT’S 9 v. MOTION FOR SUMMARY JUDGMENT 10 MCMENAMINS INC, 11 Defendant. 12 This is a data breach putative class action. Defendant McMenamins Inc. (“McMenamins”) 13 moves for summary judgment arguing Plaintiffs have failed to put forth evidence sufficient to raise 14 an issue of material fact on the required elements of their claims. The Court agrees. Plaintiffs fail 15 to identify evidence sufficient to raise a triable issue as to whether they have suffered any 16 actionable harms caused by the breach. Several of Plaintiffs’ claims fail for other reasons as well. 17 Defendant’s motion for summary judgment is therefore granted and Plaintiffs’ motion for 18 summary judgment is denied. The parties’ motions in limine and Plaintiffs’ motion for class 19 certification are denied as moot. 20 I. BACKGROUND 21 A. Undisputed Material Facts 22 McMenamins “owns and operates a collection of restaurants, brew pubs, hotels, and 23 entertainment venues throughout Oregon and Washington.” Dkt. No. 93-1 at 2. Plaintiffs are 24 1 former McMenamins employees who were required to provide certain personally identifiable 2 information (“PII”) to McMenamins in connection with their employment. Dkt. No. 87 at 32. 3 Around December 4, 2021, Conti, a cybercriminal hacker group, exploited a software 4 vulnerability in a tool used by McMenamins to unlawfully gain access to McMenamins’ systems. 5 Dkt. No. 110 at 11, Dkt. No. 92 at 7. On December 12, 2021, Conti launched a ransomware attack 6 that rendered nearly all of McMenamins’ technology unusable (“Breach”). Dkt. No. 93-1 at 2, 30. 7 A ransom note was left on most computer screens. Dkt. No. 87 at 8, Dkt. No. 93-1 at 111. In that 8 note, Conti stated, “We’ve downloaded a pack of your internal data and are ready to publish it on 9 out [sic] news website if you do not respond.” Dkt. No. 93-1 at 111. McMenamins received “a 10 list of the files that [Conti] claimed they stole[.]” Dkt. No. 87 at 26. McMenamins confirmed that 11 “the listing of files, the listing of directories, [] were correct files and correct directories” and that 12 some of the listed files “contained personal information, HR files, accounting files, things like 13 that.” Dkt. No. 87 at 17–18. 14 On December 30, 2021, McMenamins sent a notice to affected employees which stated, 15 “hackers stole certain business records, including human resources/payroll data files for previous 16 employees” and that the stolen files contained 17 the following categories of employee information: name, address, telephone number, email address, date of birth, race, ethnicity, gender, disability 18 status, medical notes, performance and disciplinary notes, Social Security number, health insurance plan election, income amount, and retirement 19 contribution amounts. It is possible that the hackers accessed or took records with direct-deposit bank account information, but we do not have any 20 indication that they did, in fact, do so.1 Dkt. No. 93-1 at 5, Dkt. No. 18 ¶ 29. McMenamins never paid the ransom to Conti. Dkt. No. 87 21 at 25. 22 23 1 McMenamins now states “[t]here is no indication that the hackers accessed direct-deposit bank account information.” Dkt. No. 86 at 3. But the deposition testimony they cite for this proposition does not discuss direct-deposit 24 information. Id. (citing Dkt. No. 87 at 28). 1 B. Disputed Material Facts 2 The parties present conflicting evidence via their experts on several aspects of the cause 3 and impact of the Breach. The parties dispute whether the security measures McMenamins had in 4 place to protect employees’ PII were reasonable. See generally Dkt. No. 110 at 8–12, Dkt. No. 5 93-1 at 57–60. They also dispute whether McMenamins could or should have taken certain steps 6 to prevent this intrusion or to identify and stop the intrusion sooner. See generally Dkt. No. 110 7 at 11–12, Dkt. No. 93-1 at 60. 8 McMenamins now also disputes whether Conti actually “exfiltrated” this information, 9 arguing that the evidence only shows Conti could have taken this information, not that they actually 10 did. Dkt. No. 86 at 3, Dkt. No. 105 at 2. Plaintiffs point to other testimony in the record to argue 11 the data was in fact taken by Conti. Dkt. No. 92 at 9 (citing Dkt. No. 93-1 at 5, 108). 12 The parties also dispute whether the PII, assuming Conti took it, was then made available 13 on the dark web. Dkt. No. 86 at 4, Dkt. No. 92 at 9. From December 28, 2021, to May 2024, 14 McMenamins’ data breach consultants “conducted threat intelligence monitoring and dark web 15 scans[.]” Dkt. No. 86 at 4, Dkt. No. 110 at 12, Dkt. No. 93-1 at 113–36 (reports from February 16 2022 to October 2022). The weekly scan reports in the record show the consultants “monitor[ed] 17 deep/dark web forums, marketplaces, paste sites, and threat actor chatrooms for 68 keywords 18 enumerated for McMenamins. Keywords include 31 domains, 33 IP addresses, three free text 19 strings, and one URL.” Dkt. No. 93-1 at 133. Plaintiffs point to two of these notices as evidence 20 that the PII from the Breach was on the dark web. Dkt. No. 92 at 9. Specifically, Plaintiffs rely 21 on the notices stating: 22 On September 25, 2022, an offer for McMenamins’ server information was posted on the online market “market_jmia” for $11 USD.
No sensitive 23 information related to McMenamins was found in the post. Dkt. No. 93-1 at 116. 24 1 On February 8, [2022,] the email generalinfo@mcmenamins[.]com was listed in a market for leaked databases via Telegram. The same email was 2 listed in a market of leaked databases via DB Leaks, a channel that provides compromised databases, on February 28. There were no associated 3 passwords present. Id. at 135. In contrast, McMenamins cites the same scans to argue that, despite more than three 4 years of monitoring, none of Plaintiffs’ PII was ever detected on the dark web. Dkt. No. 105 at 2. 5 Finally, the parties dispute whether Plaintiffs’ PII was ever actually misused in a manner 6 that resulted in cognizable harms. Plaintiffs allege that since the Breach, they each suffered the 7 following “actual misuse of their PII”: 8 9 ‱ Plaintiff Leonard “suffered a $400 fraudulent credit card charge” 10 ‱ Plaintiff Frazier “suffered a fraudulent address change with his automobile creditor, as well as an unauthorized attempt to access his email account” 11 ‱ Plaintiff Frye “suffered a drop in his credit score, as well as an increase in robocalls and spam texts” 12 Dkt. No. 92 at 10 (internal quotations omitted). In a notice of supplemental facts filed on 13 September 6, 2024, Plaintiff Frazier submitted two emails purporting to show that “loan 14 applications had been submitted in his name, one of which was approved.” Dkt. No. 112 ¶ 2 (citing 15 Dkt. No. 113). Plaintiffs also allege the value of their PII has been diminished, they have had to 16 mitigate the risk of future harm, and that they have suffered emotional distress. Dkt. No. 92 at 18– 17 23. 18 C. Procedural History 19 On January 28, 2022, Plaintiffs sued McMenamins. Dkt. No. 1. On May 13, 2022, 20 Plaintiffs filed the operative amended class action complaint. Dkt. No. 18. Plaintiffs’ claims seek 21 two types of relief: “(1) retrospective damages resulting from the theft of their PII, and 22 23 24 1 (2) prospective injunctive relief requiring McMenamins to strengthen its data security systems and 2 procedures.”2 Dkt. No. 24 at 4. 3 McMenamins moved to dismiss under Federal Rule of Civil Procedure 12(b)(1) for lack of 4 subject matter jurisdiction, arguing that Plaintiffs lacked standing to assert their damages claims 5 because their alleged harms were too speculative. Dkt. No. 24 at 4. In response, Plaintiffs argued 6 that they suffered three harms that constituted injuries-in-fact: (1) the “increased risk” of identity 7 theft caused by the Breach, “requiring them to take mitigatory action they otherwise would not 8 have to take”; (2) “the diminution in value of the Private Information belonging to Plaintiffs and 9 the Class that remains in the possession and control of Defendant”; and (3) the “actual misuse” of 10 former Plaintiff deGrasse’s PII by cybercriminals.3 Id. 11 United States District Judge Barbara J. Rothstein denied the motion to dismiss. Dkt. No. 12 24. Judge Rothstein found that Plaintiffs had standing to allege “actual harm resulting from the 13 theft of Plaintiffs’ PII itself.” Id. at 9. Judge Rothstein also concluded that Plaintiffs had standing 14 to seek injunctive relief. Id. at 11. But, relying on TransUnion LLC v. Ramirez, 594 U.S. 413 15 (2021), Judge Rothstein rejected Plaintiffs’ claim for “increased risk” of identity theft and any 16 monitoring or emotional distress arising from this risk, ruling that such a risk was insufficiently 17 concrete to satisfy the injury-in-fact requirement for Article III standing. Id. at 7–8. The case was 18 then transferred to this Court. 19 The parties conducted discovery and this Court adjudicated multiple discovery disputes. 20 21 2 Plaintiffs seek damages as part of their claims for unjust enrichment, breach of fiduciary duty, breach of confidence, and bailment (Dkt. No. 18 ¶¶ 187, 195, 206, 214); injunctive relief as part of their claim for declaratory relief (id. ¶ 227); and both damages and injunctive relief as part of their claims for negligence, breach of contract, breach of 22 implied contract, and violation of the Washington Consumer Protection Act (“CPA”) (id. ¶¶ 147–48, 158, 178–79, 223). 23 3 Before voluntarily dismissing his claims under Federal Rule of Civil Procedure 41 (Dkt. No. 56), deGrasse had alleged “unauthorized individuals charged Mr. deGrasse’s Visa credit card account for more than $1000 under 24 multiple merchant names[.]” Dkt. No. 18 ¶ 14. 1 Dkt. Nos. 60, 62, 64. McMenamins now moves for summary judgment. Dkt. No. 86. Plaintiffs 2 move for partial summary judgment on liability (Dkt. No. 84), and for class certification under 3 Federal Rule of Civil Procedure 23(b)(2) and (3). Dkt. No. 81. On August 7, 2024, the Court 4 heard oral argument on all three motions. Dkt. No. 111. 5 II. ANALYSIS 6 The Court has subject matter jurisdiction under the Class Action Fairness Act, 28 U.S.C. 7 § 1332(d), which means the Court is sitting in diversity and will apply substantive Washington 8 state law. Eiess v. USAA Fed. Sav. Bank, 404 F. Supp. 3d 1240, 1249 (N.D. Cal. 2019). 9 A. Legal Standard on Motions for Summary Judgment 10 Summary judgment is appropriate only when “the movant shows that there is no genuine 11 dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed. R. 12 Civ. P. 56(a). The Court does not make credibility determinations or weigh the evidence at this 13 stage. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255 (1986). The sole inquiry is “whether 14 the evidence presents a sufficient disagreement to require submission to a jury or whether it is so 15 one-sided that one party must prevail as a matter of law.” Id. at 251–52. 16 The Court will, however, enter summary judgment “against a party who fails to make a 17 showing sufficient to establish the existence of an element essential to that party’s case, and on 18 which that party will bear the burden of proof at trial.” Celotex Corp. v. Catrett, 477 U.S. 317, 19 322 (1986). Once the moving party has carried its burden under Rule 56, “the nonmoving party 20 must come forward with specific facts showing that there is a genuine issue for trial.” Matsushita 21 Elec. Indus. Co., Ltd. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986) (cleaned up). “An issue is 22 ‘genuine’ only if there is sufficient evidence for a reasonable fact finder to find for the non-moving 23 party.” Far Out Prods., Inc. v. Oskar, 247 F.3d 986, 992 (9th Cir. 2001) (citing Anderson, 477 24 1 U.S. at 248–49). Metaphysical doubt is insufficient, Matsushita, 475 U.S. at 586, as are 2 conclusory, non-specific allegations, Lujan v. Nat’l Wildlife Fed’n, 497 U.S. 871, 888–89 (1990). 3 While tempting to skip the legal standard for summary judgment due to its familiarity and 4 rote recitation in opinions and briefs, this standard is what distinguishes nearly all cases cited by 5 Plaintiffs in opposition to McMenamins’ motion and is the through-line in the Court’s analysis 6 below. Recognizing that the law concerning cybersecurity is rapidly expanding, the authority 7 relied on by Plaintiffs to establish the sufficiency of their claims is nearly all in the context of 8 motions to dismiss. While Plaintiffs’ alleged injuries may have been (in part) sufficiently pleaded 9 for standing purposes (see Dkt. No. 24), at this stage of the case, specific evidence is required to 10 establish disputed issues for trial. Because Plaintiffs have failed to offer such evidence, and for 11 the other reasons identified below, Federal Rule of Civil Procedure 56 requires dismissal of their 12 claims. 13 B. The Breach of Confidence Claim Is Dismissed. McMenamins is correct that Washington does not recognize a cause of action for “breach 14 of confidence.” Nienaber v. Overlake Hosp. Med. Ctr., No. 2:23-CV-01159-TL, 2024 WL 15 2133709, at *11 (W.D. Wash. May 13, 2024). Plaintiffs do not respond to this argument raised in 16 McMenamins’ motion. See generally Dkt. No. 92 at 2. Accordingly, the breach of confidence 17 claim is dismissed. 18 19 C. The Unjust Enrichment Claim Is Dismissed. McMenamins argues that Plaintiffs’ unjust enrichment claim is precluded by Plaintiffs’ 20 employment contracts and that Plaintiffs have failed to show a benefit conferred by Plaintiffs that 21 McMenamins unjustly retained. The Court agrees. 22 An unjust enrichment claim requires three elements: 23 24 1 a benefit conferred upon the defendant by the plaintiff; an appreciation or knowledge by the defendant of the benefit; and the acceptance or retention 2 by the defendant of the benefit under such circumstances as to make it inequitable for the defendant to retain the benefit without the payment of its 3 value. Young v. Young, 191 P.3d 1258, 1262 (Wash. 2008). Plaintiffs correctly note that some courts 4 have recognized that an unjust enrichment claim could arise out of a data breach case at the 5 pleading stage. See, e.g., In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1145 6 (C.D. Cal. 2021) (unjust enrichment claim survived motion to dismiss where “Plaintiffs alleged 7 that they paid Defendants money for Defendants’ services and expected that a portion of their 8 payments would go toward ‘data management and security’”). But Plaintiffs make no such 9 allegations here. 10 Rather, Plaintiffs’ complaint does not define the benefit allegedly conferred upon 11 McMenamins via the provision of their PII, or how McMenamins has retained it unjustly. The 12 complaint cryptically alleges, “Defendant profited from Plaintiffs’ purchases and used Plaintiffs’ 13 and Class member’s Private Information for business purposes.” Dkt. No. 18 ¶ 181. This 14 boilerplate allegation has no apparent connection to the facts of this case. In their opposition to 15 McMenamins’ motion, Plaintiffs reframe the argument as: McMenamins “‘received the benefits 16 of Plaintiffs’ labor[,]’ and it would be ‘inequitable’ to allow the employer to ‘retain the money it 17 saved by shirking data-security.’” Dkt. No. 92 at 15 (quoting Sackin v. Transperfect Glob., Inc., 18 278 F. Supp. 3d 739, 751 (S.D.N.Y. 2017)). 19 Even accepting Plaintiffs’ claim that McMenamins “shirk[ed] data-security” (Dkt. No. 93- 20 1 at 57–60), Plaintiffs point to no evidence in the record establishing that McMenamins saved 21 money from insufficient cybersecurity policies or that any such hypothetical savings relates to or 22 was derived from Plaintiffs’ labor. Pengbo Xiao v. Feast Buffet, Inc., 387 F. Supp. 3d 1181, 1191 23 (W.D. Wash. 2019) (“[U]njust enrichment requires that a defendant received a right of benefit that 24 1 belonged to the plaintiff.”). To the contrary, Plaintiffs do not cite the record in response to 2 Defendant’s motion on this claim at all. See Dkt. No. 92 at 15. As the nonmoving party, Plaintiffs 3 bear the burden of identifying “with reasonable particularity the evidence that precludes summary 4 judgment.” Keenan v. Allan, 91 F.3d 1275, 1279 (9th Cir. 1996) (quoting Richards v. Combined 5 Ins. Co., 55 F.3d 247, 251 (7th Cir. 1995)). Because Plaintiffs have failed to do so, their unjust 6 enrichment claim is dismissed. 7 D. The Bailment Claim Is Dismissed. 8 The parties agree that a bailment claim in Washington requires that “personalty is delivered 9 to another for some particular purpose with an express or implied contract to redeliver when the 10 purpose has been fulfilled.” Dkt. No. 86 at 22, Dkt. No. 92 at 17; Gingrich v. Unigard Sec. Ins. 11 Co., 788 P.2d 1096, 1101 (Wash. Ct. App. 1990). Plaintiffs do not show any express or implied 12 contract to redeliver the PII. The only support for Plaintiffs’ claimed expectation of redelivery of 13 the PII is the Employee Benefits Security Administration’s cybersecurity program “best practices” 14 document that recommends a policy for “data disposal.” Dkt. No. 92 at 17 (citing Dkt. No. 93-1 15 at 174). There is no evidence these best practices apply to the PII here, and even if they did, 16 Plaintiffs fail to show how these recommended practices create an actual or implied contract 17 between Plaintiffs and McMenamins for the return of their PII. Thus, the bailment claim is 18 dismissed. 19 E. The Contract Claims Are Dismissed. 20 In Washington, “[a] breach of contract is actionable only if the contract imposes a duty, 21 the duty is breached, and the breach proximately causes damage to the claimant.” Nw. Indep. 22 Forest Mfrs. v. Dep’t of Lab. & Indus., 899 P.2d 6, 9 (Wash. Ct. App. 1995). Plaintiffs argue 23 McMenamins breached the Electronic Access & Usage Policy (“E-Policy”). Dkt. No. 92 at 12. 24 But it is undisputed that the E-Policy includes no promises by McMenamins toward its employees. 1 See Dkt. No. 93-1 at 167–71 (E-Policy). Instead, it is a policy on how employees should handle 2 PII that they may encounter in the course of their employment. See id. There is no express contract 3 regarding McMenamins’ duty to secure Plaintiffs’ PII, thus Plaintiffs’ breach of contract claim is 4 dismissed. 5 Plaintiffs also contend that McMenamins entered an implied contract to protect employees’ 6 PII when it conditioned Plaintiffs’ employment upon the provision of PII for federal work 7 authorization purposes. Dkt. No. 92 at 14. In Washington, “an implied contract exists when parties 8 make ‘an agreement depending for its existence on some act or conduct of party sought to be 9 charged and arising by implication from circumstances which, according to common 10 understanding, show mutual intention on part of parties to contract with each other.’” Pengbo 11 Xiao, 387 F. Supp. 3d at 1192 (quoting Johnson v. Nasi, 309 P.2d 380, 382 (Wash. 1957)). 12 Plaintiffs identify no evidence showing a mutual intent to enter a contract that would obligate 13 McMenamins to prevent a data breach. See Dkt. No. 86 at 21 (compiling deposition testimony 14 where each Plaintiff admits McMenamins never made any representations about protecting their 15 PII); Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010) (finding documents could 16 not lead to an implied contract when plaintiffs “do not allege that they read or even saw the 17 documents”). 18 In response to McMenamins’ motion, Plaintiffs rely on cases in which courts have 19 recognized an implied contract arising out of a data breach, but again, these cases were decided at 20 the pleading stage and under different state law. See Kirsten v. Cal. Pizza Kitchen, Inc., No. 2:21- 21 CV-09578-DOC-KES, 2022 WL 16894503, at *5 (C.D. Cal. July 29, 2022) (finding implied 22 contract claim survived under California law on a motion to dismiss); Castillo v. Seagate Tech., 23 LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (same). This 24 authority cannot save Plaintiffs’ claim at summary judgment where they have failed to identify 1 evidence of an implied contract. 2 In sum, there is no evidence giving rise to an express or implied contract regarding 3 McMenamins’ treatment of Plaintiffs’ PII. Further, and as explained below (infra Section II(F)), 4 even if there were, Plaintiffs cannot show damages, another required element for any contract 5 claim. The contract claims are therefore dismissed. 6 F. The Negligence, Breach of Fiduciary Duty, and CPA Claims Fail for Lack of Cognizable Injury or Causation. 7 Each of the remaining causes of action requires Plaintiffs to prove injury or harm 8 proximately caused by the Breach. See, e.g., Michaels v. CH2M Hill, Inc., 257 P.3d 532, 542 9 (Wash. 2011) (elements of a negligence claim); Miller v. U.S. Bank of Wash., N.A., 865 P.2d 536, 10 543 (Wash. Ct. App. 1994), as corrected (Feb. 22, 1994) (elements of breach of fiduciary duty 11 claim); Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 719 P.2d 531, 540 (1986) 12 (elements of a CPA claim). “Under Washington law, ‘[a]ctual loss or damage is an essential 13 element in the formulation of the traditional elements necessary for a cause of action in 14 negligence
.The mere danger of future harm, unaccompanied by present damage, will not support 15 a negligence action.’” Krottner, 406 F. App’x at 131 (citing Gazija v. Nicholas Jerns Co., 543 P.2d 16 338, 341 (Wash. 1975)). 17 Plaintiffs do not allege they have suffered direct financial losses because of the Breach, nor 18 does any Plaintiff allege their identity has been stolen. As such, and consistent with Judge 19 Rothstein’s order (Dkt. No. 24), Plaintiffs rely on instances of alleged “actual misuse” of their PII 20 as the anchor for their injury theories. Because these allegations are the lynchpin of their alleged 21 harms, the Court will first consider whether Plaintiffs have raised a disputed fact as to whether any 22 actual misuse of their PII was proximately caused by the Breach. The Court will then turn to 23 Plaintiffs’ four injury theories: (1) diminution in value of PII; (2) mitigating imminent and 24 1 substantial risk of data misuse; (3) breach of contract; and (4) emotional distress.4 Dkt. No. 92 at 2 18. 3 1. Plaintiffs do not show any “actual misuse” of their PII caused by the Breach. 4 “Washington recognizes two elements to proximate cause: cause in fact and legal 5 causation.” Wuthrich v. King Cnty., 366 P.3d 926, 930 (Wash. 2016) (cleaned up). Cause in fact, 6 the element at issue, “refers to the ‘but for’ consequences of an act—the physical connection 7 between an act and an injury.” Id. “While the question of cause in fact is generally for the jury, 8 when the facts are undisputed and the inferences therefrom are plain and incapable of reasonable 9 doubt or difference of opinion, factual causation may become a question of law for the court.” 10 Baughn v. Honda Motor Co., 727 P.2d 655, 664 (Wash. 1986). 11 As the party with the burden of proof at trial for each element, Plaintiffs must “go beyond 12 the pleadings and by [their] own affidavits, or by the depositions, answers to interrogatories, and 13 admissions on file, designate specific facts showing that” a reasonable jury could find their PII 14 was misused because of the Breach. Celotex, 477 U.S. at 324 (cleaned up). “[Plaintiffs] must 15 produce at least some significant probative evidence tending to support the complaint.” Smolen v. 16 Deloitte, Haskins & Sells, 921 F.2d 959, 963 (9th Cir.1990) (quotations omitted). While both 17 parties primarily rely on cases considering injuries in data breach cases at the motion-to-dismiss 18 stage, Plaintiffs cannot rest on the allegations in the pleadings to overcome a motion for summary 19 judgment. See Ghebreselassie v. Coleman Sec. Serv., 829 F.2d 892, 898 (9th Cir.1987), cert. 20 denied, 487 U.S. 1234 (1988). 21 Construing the facts in Plaintiffs’ favor,5 the Court finds Plaintiffs have failed to raise a 22 4 Plaintiffs do not identify emotional distress injury as one of their enumerated injury theories (Dkt. No. 92 at 18), but 23 include it in their opposition (id. at 23). 5 The Court construes all the disputed facts in Plaintiffs’ favor, including that McMenamins had inadequate security measures in place, that Plaintiffs’ PII was in fact exfiltrated, and that it was posted on the dark web. 24 1 genuine issue of fact as to whether Plaintiffs’ PII was misused as a result of the Breach. 2 Beginning with Plaintiff Leonard, the only misuse of PII he claims is a fraudulent $400 3 credit card charge. Dkt. No. 92 at 19. Dispositively, the parties agree that Leonard’s credit card 4 information was not revealed in the Breach. Id. at 19 n.2. It is also undisputed that the fraudulent 5 charge was fully refunded. Dkt. No. 93-1 at 156. Further, as Plaintiffs acknowledged at oral 6 argument, Judge Rothstein rejected a similar claim from former Plaintiff deGrasse as 7 “implausibly” related to the Breach. Dkt. No. 24 at 7. Plaintiffs argue that they “have since 8 provided evidence regarding how the PII stolen in the Data Breach can be ‘merged with other data’ 9 to propagate identify theft schemes.” Dkt. No. 92 at 19 n.2 (citing Dkt. No. 93-1 at 55–56). But 10 the cited portion of Plaintiffs’ expert report merely explains that stolen data may be merged over 11 time and resold. Dkt. No. 93-1 at 56. There is nothing in this portion of the report, or any other 12 part of the report,6 that explains how a hacker could have used any of the PII here to obtain 13 Leonard’s credit card information. Moreover, McMenamins’ expert showed each piece of PII 14 from the Breach, except Leonard’s social security number, is publicly available and that “he had 15 personal data exposed in three (3) other data breaches potentially predating the [Breach].” Dkt. 16 No. 110 at 15–20. Plaintiffs do not rebut this evidence. In sum, there is no evidence that this 17 fraudulent credit card charge was related to the Breach at all, let alone caused by the Breach. 18 Plaintiff Frazier’s claims of actual misuse fare no better. First, he alleges his address was 19 improperly changed with his auto lender (Dkt. No. 92 at 19), but there is no dispute that Frazier’s 20 auto loan information was not compromised in the Breach. Second, Frazier claims he received a 21 notification to his Gmail account that “one of [his] tablets was trying to be accessed by an unknown 22 6 Plaintiffs’ expert’s declaration that “full name, SSN, DOB, and at least one recent address is frequently used to create 23 and file fraudulent business entities, open bank accounts and be used for fraudulent wire transfers” does not connect the PII here with credit card fraud. Dkt. No. 93-1 at 62. Similarly, the expert’s example of how a stolen identity may first appear online (id. at 63), fails to explain how a bad actor could make a fraudulent credit card charge without the 24 credit card information. 1 location.” Dkt. No. 93-1 at 163. But again, Plaintiffs make no effort to explain how attempted 2 access to Frazier’s tablet (which he immediately denied (Dkt. No. 87 at 81)) is at all related to any 3 PII potentially taken in the Breach. Finally, Frazier has belatedly proffered two emails claiming 4 that loan applications were submitted in his name. Dkt. No. 112 ¶ 2. But Frazier does not claim 5 that any loan application was in fact submitted, that any loan was approved, or that he suffered any 6 adverse impact because of the two emails. Dkt. No. 113 at 1. Rather, the emails appear to be spam 7 messages trying to entice Frazier to click a link without any apparent connection to the Breach. 8 Dkt. No. 113 at 5–8. Such messages standing alone are not actionable. See e.g., I.C. v. Zynga, 9 Inc., 600 F. Supp. 3d 1034, 1052 (N.D. Cal. 2022) (“phishing attacks” and “various forms of spam” 10 merely present “attempts” of identity theft and “cannot plausibly be considered independent 11 injuries” under TransUnion, 594 U.S. at 436). This is especially true where, as here, there is no 12 evidence that such attempts were successful. Id. (“Even assuming that these acts are fairly 13 traceable to the Zynga data breach, plaintiffs do not allege that any of these attempts succeeded, 14 again something they would presumably know.”); see also Krottner, 406 F. App’x at 131 (finding 15 no cognizable harm from a data breach when plaintiff “alleges no loss related to the attempt to 16 open a bank account in his name”). 17 Nor do Plaintiffs rebut McMenamins’ evidence that Frazier’s address was publicly 18 available or that “he received notice that his personal data had been compromised at least four 19 different times before the [Breach].” Dkt. No. 110 at 15, 16, 28. Frazier has thus failed to raise a 20 triable issue as to whether his PII has been misused because of the Breach. See Triton Energy 21 Corp. v. Square D Co., 68 F.3d 1216, 1221 (9th Cir. 1995) (evidence to establish a genuine issue 22 of material fact must be “of sufficient ‘quantum and quality’” to survive summary judgment). 23 Finally, there is no evidence connecting the Breach with Plaintiff Frye’s alleged drop in 24 credit score or increase in spam calls. In his deposition, Frye admitted the drop in his credit score 1 was likely from his student loans coming due. Dkt. No. 93-1 at 140. And Plaintiffs’ expert offers 2 no testimony about how access to Frye’s PII alone could have impacted his credit score. As to the 3 spam calls, Plaintiffs do not provide any evidence, or even explanation, for how the Breach could 4 have led to increased spam calls. McMenamins’ expert identified many locations where Frye’s 5 phone number was publicly available before the Breach (Dkt. No. 110 at 22–23), which Plaintiffs 6 do not address. Moreover, many courts in this circuit have ruled that “receipt of spam texts, calls, 7 and emails and [a plaintiff’s] time spent ‘sifting through’ this unwanted information does not 8 constitute injury-in-fact for standing.” Black v. IEC Grp., Inc., No. 1:23-CV-00384-AKB, 2024 9 WL 3623361, at *6 (D. Idaho July 30, 2024); Zynga, 600 F. Supp. 3d at 1051 (collecting cases); 10 Jackson v. Loews Hotels, Inc., No. ED CV 18-827-DMG, 2019 WL 6721637, at *4 (C.D. Cal. July 11 24, 2019) (collecting cases). Plaintiffs do not address this authority or provide any reason to depart 12 from it here. 13 Along with the flaws outlined above, the record lacks specifics about when or how each 14 claimed misuse occurred. Plaintiffs’ expert opines on many topics related to cybersecurity 15 generally, but she does not opine specifically about any Plaintiff’s alleged injury or explain how 16 the allegedly stolen PII could be used to carry out any of the claimed misuse. See Dkt. No. 92 at 17 24–25. To survive summary judgment, Plaintiffs need only provide enough evidence “for a 18 reasonable fact finder to find for the non-moving party.” Far Out Prods., 247 F.3d at 992. Yet 19 Plaintiffs have failed to do so. See, e.g., Brit. Airways Bd. v. Boeing Co., 585 F.2d 946, 951–53 20 (9th Cir. 1978) (affirming the trial court’s grant of defendant’s motion for summary judgment 21 when plaintiff’s evidence could not show a product defect could have caused a plane crash); Triton 22 Energy Corp, 68 F.3d at 1221 (affirming summary judgment for defendant when “[a]t best 23 [plaintiff’s] evidence merely suggests [] a weak possibility”). 24 1 2. Without evidence of actual misuse caused by the Breach, Plaintiffs cannot show their PII has diminished in value. 2 The parties dispute whether the diminution in value of PII is a cognizable injury and, if it 3 is, whether Plaintiffs have provided sufficient evidence to support this injury at summary 4 judgment. 5 Multiple courts have recognized this theory of injury for standing purposes at the motion- 6 to-dismiss stage. See Doe v. Microsoft Corp., No. C23-0718-JCC, 2023 WL 8780879, at *4 (W.D. 7 Wash. Dec. 19, 2023) (applying California law and collecting cases). That said, neither party cites 8 any authority substantiating or undermining such a claim on the merits. Assuming, without 9 deciding, that this theory is cognizable under Washington law, the parties agree there are two 10 elements necessary to show PII has diminished in value: (1) the existence of a market for the PII, 11 and (2) an impairment of Plaintiffs’ ability to participate in that market. Griffey v. Magellan Health 12 Inc., 562 F. Supp. 3d 34, 46 (D. Ariz. 2021). 13 First, Plaintiffs must show “a market for their personal information exists[.]” Dkt. No. 105 14 at 5, Dkt. No. 92 at 18. Their expert declaration creates an issue of material fact on whether there 15 is a market for Plaintiffs’ PII. Dkt. No. 93-1 at 26 (“The breached employee data is in consistent 16 high demand and therefore carries a high value in the criminal underworlds.”). 17 Second, Plaintiffs must show their “ability to participate in the economic marketplace is 18 impaired[.]” Dkt. No. 92 at 19, Dkt. No. 86 at 14. Plaintiffs argue impairment can be shown 19 through “actual and potential future misuse of their PII.” Dkt. No. 92 at 19. In contrast, 20 McMenamins asserts that impairment requires proof that Plaintiffs either sold or intended to sell 21 their PII. Dkt. No. 86 at 15, Dkt. No. 105 at 5–7. Courts have evaluated the impairment prong at 22 the pleading stage using various tests. Compare Quinalty v. FocusIT LLC, No. CV-23-00207- 23 PHX-JJT, 2024 WL 342454, at *5 (D. Ariz. Jan. 30, 2024) (“allegation of diminished PII value is 24 1 insufficient to establish damages” when plaintiff “does not allege she can no longer sell her 2 personal data on the market, nor does she allege she ever has, intends to, or intended to sell her 3 personal data”), with Smallman v. MGM Resorts Int’l, 638 F. Supp. 3d 1175, 1191 (D. Nev. 2022) 4 (finding PII is not valued solely by its sale to “the highest bidder, but rather in the economic benefit 5 the consumer derives from being able to purchase goods and services remotely and without the 6 need to pay in cash or a check” (quoting In re Marriott Int’l, Inc., Customer Data Sec. Breach 7 Litig., 440 F. Supp. 3d 447, 462 (D. Md. 2020))). Neither party provides authority applying a test 8 for impairment at summary judgment. 9 At this stage, no matter how impairment is measured, Plaintiffs need to provide more than 10 mere allegations. Lewis, 518 U.S. at 358 (“In response to a summary judgment motion
plaintiff 11 can no longer rest on such mere allegations, but must set forth by affidavit or other evidence 12 specific facts, which for purposes of the summary judgment motion will be taken to be true.”). 13 They fail to do so. Even if Plaintiffs are correct that misuse of PII could establish impairment of 14 Plaintiffs’ ability to participate in the marketplace, as detailed above, Plaintiffs fail to provide 15 evidence of actual misuse caused by the Breach. See Section II(E)(1). 16 In sum, Plaintiffs fail to show their ability to participate in any market for PII, whether it 17 be the black market or the daily use of their PII, has been impaired by the Breach. The diminution 18 of value theory fails. 19 3. Without evidence of actual misuse caused by the Breach, Plaintiffs’ mitigation injury theory fails. 20 Plaintiffs claim they have been harmed by “a material risk of future harm that is imminent 21 and substantial” and “the separate harm of losing time and money mitigating against these 22 actualized risks.” Dkt. No. 92 at 22. The Court previously found these harms were inadequately 23 alleged and that Plaintiffs did not have standing to seek recovery for these injuries. Dkt. No. 24 at 24 1 7–8. Specifically, the Court held “in the absence of any indication that hackers have attempted to 2 misuse Plaintiffs’ PII
Plaintiffs have not adequately alleged that identity theft is ‘certainly 3 impending’” and “the increased risk of identity theft allegedly faced by Plaintiffs cannot constitute 4 concrete harm sufficient for standing.” Id. at 8. Plaintiffs argue that because they now have 5 evidence to show their “PII was actually misused, this creates a disputed fact as to whether the risk 6 of future harm rose to the level of ‘certainly impending’ and whether Plaintiffs’ mitigation efforts 7 were warranted.” Dkt. No. 92 at 21. As explained above, Plaintiffs do not provide any evidence 8 that the Breach caused any actual misuse nor provide evidence that identify theft is certainly 9 impending. See supra Section II(F)(1). Accordingly, their mitigation injury fails. See 10 TransUnion, 594 U.S. at 438 (finding injury too speculative for standing when plaintiffs failed to 11 evidence facts that would make a future injury likely to occur). 12 4. Plaintiffs’ “breach of contract” injury theory fails. 13 Plaintiffs urge the Court to find that the alleged breach of contract by itself satisfies the 14 injury element for each of these causes of action. Dkt. No. 92 at 22–23. The Court already 15 determined there was no express or implied contract between the parties regarding Plaintiffs’ PII. 16 See supra Section II(E). Thus, there is no contract that was breached by McMenamins, and this 17 injury theory fails. 18 Moreover, a breach of contract alone is not enough to establish contract damages, contrary 19 to Plaintiffs’ claims. Promedev, LLC v. Wilson, No. C22-1063JLR, 2024 WL 1606667, at *2 20 (W.D. Wash. Apr. 12, 2024) (“Mere proof that there was a breach of contract without more will 21 not support a verdict in favor of a [claimant], even for nominal damages.”) (quoting DC Farms, 22 LLC v. Conagra Foods Lamb Weston, Inc., 317 P.3d 543, 553 (Wash. Ct. App. 2014)). This is not 23 a viable injury theory. 24 1 5. Plaintiffs’ emotional distress injury theory fails. 2 Plaintiffs argue the injury prong of the negligence, breach of fiduciary duty, and CPA 3 claims is met by the deposition testimony that each Plaintiff has experienced increased anxiety or 4 worry since the Breach. Dkt. No. 92 at 23. There are at least three reasons this theory fails. First, 5 emotional distress damages are not recoverable under the CPA. Wash. St. Physicians Ins. Exch. 6 & Ass’n. v. Fisons Corp., 858 P.2d 1054, 1064–66 (Wash. 1993) (en banc). Second, Plaintiffs’ 7 allegation of emotional harm is one sentence in their complaint (Dkt. No. 18 ¶ 116) and Judge 8 Rothstein already found this allegation insufficient for standing purposes. Dkt. No. 24 at 8. 9 Third, even if the emotional distress damages survived the motion to dismiss, Plaintiffs fail 10 to provide sufficient evidence to support their claimed damages. In Washington, to recover for 11 emotional distress damages when no physical injury occurred, a plaintiff must show the emotional 12 distress was: “(1) within the scope of foreseeable harm of the negligent conduct, (2) a reasonable 13 reaction given the circumstances, and (3) manifested by objective physical symptomology.” 14 Bylsma v. Burger King Corp., 293 P.3d 1168, 1170 (Wash. 2013); Nord v. Shoreline Sav. Ass’n, 15 805 P.2d 800, 805 (Wash. 1991) (acknowledging objective symptoms are required for non- 16 intentional torts). Plaintiffs’ anemic deposition testimony that they experience “worry” or 17 “anxiety” from certain actions (Dkt. No. 92 at 23), is insufficient to survive summary judgment 18 and any claim for damages from emotional distress are dismissed.7 See, e.g., Nagarajan v. Lian, 19 No. 82644-1-I, 2023 WL 1777237, at *3 (Wash. Ct. App. Feb. 6, 2023) (affirming summary 20 judgment dismissal of negligent infliction of emotional distress claim when the only evidence was 21 22 23 7 Plaintiffs rely on Zhang v. American Gem Seafoods, Inc., 339 F.3d 1020 (9th Cir. 2003) to argue testimony alone on emotional distress damages can create a genuine dispute of material fact. Dkt. No. 92 at 23. But Zhang was decided under federal employment law, not Washington common law. 339 F.3d at 1023. Regardless, Plaintiffs’ testimony is 24 insufficient to raise a triable issue for the reasons stated above. 1 plaintiff’s deposition testimony “where he testified that he suffered nightmares, difficult sleeping, 2 and financial pressure”) (unpublished). 3 In sum, Plaintiffs do not show any evidence that a cognizable injury could have resulted 4 from the Breach. Accordingly, the negligence, breach of fiduciary duty, and CPA claims are 5 dismissed. 6 G. The Declaratory Judgment Claim Is Dismissed. 7 Because the Court dismisses each cause of action, Plaintiffs’ request for declaratory 8 judgment also fails. See Jones v. Ford Motor Co., No. 3:21-CV-05666-DGE, 2022 WL 1423646, 9 at *5 (W.D. Wash. May 5, 2022) (“Without an underlying cause of action, there is no claim for 10 declaratory relief.” (cleaned up)), aff’d, 85 F.4th 570 (9th Cir. 2023). 11 H. The Motion for Class Certification Is Denied as Moot. 12 When dispositive motions and motions for class certification are filed concurrently, 13 “[u]nder the proper circumstances—where it is more practicable to do so and where the parties 14 will not suffer significant prejudice—the district court has discretion to rule on a motion for 15 summary judgment before it decides the certification issue.” Saeger v. Pac. Life Ins. Co., 305 F. 16 App’x 492, 493 (9th Cir. 2008) (quoting Wright v. Schock, 742 F.2d 541, 543–44 (9th Cir. 1984)). 17 During oral argument, the Court asked each party which pending motion, of the three, it should 18 decide first. Unsurprisingly, both parties expressed a preference for any dispositive order in their 19 favor to bind any future class, but neither party identified any prejudice that would be suffered if 20 the Court ruled on a dispositive motion before addressing class certification. 21 By moving for summary judgment while simultaneously opposing class certification, 22 McMenamins risked that a ruling in its favor would only bind the named plaintiffs. Wright, 742 23 F.2d at 544 (“Where the defendant assumes the risk that summary judgment in his favor will have 24 only stare decisis effect on the members of the putative class, it is within the discretion of the 1 district court to rule on the summary judgment motion first.”). McMenamins declined to waive its 2 objection to class certification, which could have allowed a ruling in its favor to bind the class. 3 Because neither party identified any prejudice, the Court found it most efficient to rule on 4 McMenamins’ motion for summary judgment first. See, e.g., Schwarzschild v. Tse, 69 F.3d 293, 5 297 (9th Cir. 1995) (“[W]hen defendants obtain summary judgment before the class has been 6 properly certified or before notice has been sent
the district court’s decision binds only the named 7 plaintiffs.”); Estakhrian v. Obenstine, 859 F. App’x 121, 122 (9th Cir. 2021) (affirming ruling on 8 summary judgment before class certification). Since the motion for summary judgment is granted 9 and this case is dismissed, the pending motion for class certification is denied as moot. 10 III. CONCLUSION 11 For these reasons, the Court GRANTS Defendant’s motion for summary judgment. Dkt. 12 No. 86. The Court will enter judgment in Defendant’s favor. 13 Because this order resolves the case in full, Plaintiffs’ motion for partial summary 14 judgment is denied. Dkt. No. 84. Plaintiffs’ motion for class certification (Dkt. No. 81) and the 15 parties’ pending motions in limine (Dkt. Nos. 114, 115) are DENIED as MOOT. 16 Dated this 13th day of September, 2024. 17 A 18 Kymberly K. Evanson 19 United States District Judge 20 21 22 23 24 

Case Information

Court
W.D. Wash.
Decision Date
September 13, 2024
Status
Precedential
Leonard v. McMenamins Inc | Tortwell