AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.10â$0.50 per brief, depending on opinion length and retries
Full Opinion
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA CRYSTAL MALVITZ AND CHRISTOPHER FREDRICKSON, Plaintiffs, Civil Action No. 24-cv-238 (TSC) v. FINCANTIERI MARINE GROUP, LLC. Defendant. MEMORANDUM OPINION Plaintiffs Crystal Malvitz and Christopher Fredrickson bring this class action, as individuals and on behalf of all others similarly situated, against Defendant Fincantieri Marine Group, LLC (âDefendantâ), a company that builds and repairs maritime vessels. Plaintiffs assert claims for negligence, breach of implied contract, and unjust enrichment. Am. Compl., ECF No. 8. Defendant moves to dismiss for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). Def.âs Mot. to Dismiss Am. Compl., ECF No. 9-1 (âMTDâ). For the reasons set forth below, the court will GRANT in part and DENY in part Defendantâs motion. I. BACKGROUND A. Defendantâs Cybersecurity Practices and Data Breach Plaintiffs are Defendantâs former employees or benefit recipients. Am. Compl. ¶ 25. They provided personally identifiable information (âPIIâ) to Defendant as a condition of employment and/or employment-related benefits. Id. ¶ 2. Defendant allegedly made âpromises and representationsâ that PII would be âkept safe, confidential, and that the privacy of that information Page 1 of 22 would be maintained, and that Defendant would delete any sensitive information after it was no longer required to maintain it.â Id. ¶ 28. Defendantâs website stated that it stored PII âbehind secured networks,â only provided access to âa limited number of persons,â and âencryptedâ PII âvia Secure Socket Layer (âSSLâ) technology.â Id. ¶ 29. Defendant also represented that it âuse[d] regular Malware Scanningâ to identify âsecurity holes and known vulnerabilities.â Id. On or about April 12, 2023, however, Defendant became âaware of a cyberattackâ on its computer systems. Id. ¶ 36. It determined that âthere was unauthorized access to certain systems . . . between April 6, 2023, and April 12, 2023,â resulting in âunauthorized acquisitionâ of more than sixteen thousand individualsâ PII. Id. ¶¶ 36, 46. The data stolen during the attack included Plaintiffsâ âname[s] . . . date[s] of birth, Social Security number[s], date[s] of service, [insurance] participant ID[s], and member number[s].â Id. ¶ 36. Defendant sent a âNotice of Security Incident letterâ (the âNotice Letterâ) to Plaintiffs on January 5, 2024, which offered â24 months of identity monitoring services.â Id. ¶¶ 36â37, 63, 139, 149. Plaintiffs allege that, despite Defendantâs âpromises and representations,â id. ¶ 28, it failed to implement âreasonable security procedures and practicesâ to prevent or promptly detect the cyberattack and stored data in unencrypted files, id. ¶¶ 37â40, 67. Plaintiffs contend that Defendantâs practices did not comply with the Federal Trade Commissionâs (âFTCâ) guidelines for protecting personal information, such as using âan intrusion detection systemâ to promptly identify a breach, monitoring suspicious activity or large data transmissions, developing a data- breach response plan, âproperly dispos[ing] of [PII] that is no longer needed,â limiting âaccess to sensitive data[,]â using âindustry-tested methods for security[,]â and verifying the security measures used by third-party service providers. Id. ¶¶ 81â83, 86. Plaintiffs also allege that Defendant âfailed to follow [] industry best practices,â such as âstrong passwords;â âfirewalls, Page 2 of 22 antivirus, and anti-malware software; encryption, making data unreadable without a key; multifactor authentication; backup data and limiting which employees can access sensitive data.â Id. ¶ 90. According to Plaintiffs, Defendant knew or should have known that their PII âwould be targeted by cybercriminalsâ because data breaches are âwidespreadâ and a dark web marketplace exists for PII, particularly social security numbers. Id. ¶¶ 41, 56â60, 69â73. Plaintiffs also challenge Defendantâs response to the cyberattack because the Notice Letter failed to disclose the âroot causeâ of the breach or âthe remedial measuresâ taken to prevent another breach. Id. ¶¶ 37â 39. B. Plaintiffsâ Alleged Injuries Plaintiffs claim that, as a result of Defendantâs insufficient cybersecurity practices and the data breach, they suffered âactual injuries and damages.â Id. ¶ 94. Specifically, â(i) invasion of privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vi) statutory damages; [and] (vii) nominal damages.â Id. Malvitz and Fredrickson each identify their own harms. Malvitz receives benefits from Defendant because her spouse is a current employee. Id. ¶ 135. In general, she is âvery careful about sharing her sensitiveâ information and ânever knowinglyâ provides her unencrypted PII over the internet. Id. ¶ 137. Defendant obtained and retained her PII in connection with âemployment- related benefits.â Id. ¶ 135. After receiving the Notice Letter, she experienced âan increase in spam calls, texts, and/or emails.â Id. ¶¶ 139, 142. She took steps to mitigate the harms from the data breach, such as monitoring her accounts and purchasing mitigation tools. Id. ¶¶ 139â40. She claims she has suffered âfear, anxiety, and stress . . .â from the increased exposure of her PII. Id. ¶ 142â44. Page 3 of 22 Fredrickson worked for Defendant intermittently from 2016 to 2023. Id. ¶ 147. He was very âcautiousâ and âcareful about sharing his PII.â Id. ¶ 153. After he received the Notice Letter, he âsuffered actual fraudulent misuse of his PII.â Id. ¶¶ 149â51. On or around April 18, 2024, âthird party criminal actorsâ used his credit card for a âfraudulent purchase of $1,145.13 . . .â Id. ¶ 151. Fredrickson had to acquire âa new credit cardâ and âanticipates spending considerable time and moneyâ to monitor his accounts and address any future harms. Id. ¶¶ 151â152, 158. Frederickson alleges that, as a result of the data breach, he âsuffered injury from a loss of privacyâ and âfear, anxiety, and stress.â Id. ¶¶ 155â159. C. Procedural History Malvitz filed the Complaint on January 26, 2024, and amended as of right on May 2, 2024. ECF Nos. 2, 8. Fredrickson âvoluntarily dismissedâ a separate class action that he had filed against Defendant and joined as a named Plaintiff in the Amended Complaint. MTD at 3 (citing Fredrickson v. Fincantieri Marine Grp., LLC, Case No. 1:24-cv-0037-TSC (D.D.C. Feb. 7, 2024), ECF No. 1). Plaintiffs sue on behalf of themselves and a nationwide class of individuals, pursuant to Federal Rule of Civil Procedure 23. Am. Compl. ¶ 164. Plaintiffs proposed class definition is: âAll individuals in the United States whose PII was impacted as a result of the Data Breach announced by Defendant in January 2024.â Id. Plaintiffs have not yet moved for class certification. Their Amended Complaint asserts claims for negligence, breach of implied contract, and unjust enrichment stemming from Defendantâs failure to protect Plaintiffsâ PII. Id. ¶¶ 176â 241. Defendant moves to dismiss under Federal Rule of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction and Rule 12(b)(6) for failure to state a claim. MTD at 1. II. LEGAL STANDARD Federal courts are courts of limited jurisdiction. See Gen. Motors Corp. v. EPA, 363 F.3d 442, 448 (D.C. Cir. 2004). The law presumes that âa cause lies outside [the courtâs] limited Page 4 of 22 jurisdictionâ unless the plaintiff establishes otherwise. Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994) (citing Turner v. Bank of N. Am., 4 U.S. 8, 11 (1799)). When deciding a Rule 12(b)(1) motion, the court must âassume the truth of all material factual allegations in the complaint and âconstrue the complaint liberally, granting plaintiff the benefit of all inferences.ââ Am. Natâl Ins. Co. v. FDIC, 642 F. 3d 1137, 1139 (D.C. Cir. 2011) (quoting Thomas v. Principi, 394 F.3d 970, 972 (D.C. Cir. 2005)). Nevertheless, âthe court need not accept factual inferences drawn by plaintiffs if those inferences are not supported by facts alleged in the complaint, nor must the Court accept plaintiff's legal conclusions.â Disner v. United States, 888 F. Supp. 2d 83, 87 (D.D.C. 2012) (quoting Speelman v. United States, 461 F. Supp. 2d 71, 73 (D.D.C. 2006)). A motion under Rule 12(b)(6) âtests the legal sufficiency of a complaint.â Browning v. Clinton, 292 F.3d 235, 242 (D.C. Cir. 2002). To survive, a âcomplaint must contain sufficient factual matter, accepted as true, to âstate a claim to relief that is plausible on its face.ââ Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). In other words, the plaintiff must plead âfactual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.â Id. (citing Twombly, 550 U.S. at 556). âThreadbare recitals of the elements of a cause of action, supported by mere conclusory statementsâ are insufficient. Id. (citing. Twombly, 550 U.S. at 555). While the court must assume that any âwell-pleaded factual allegationsâ in a complaint are accurate, conclusory allegations âare not entitled to the assumption of truth.â Id. at 679. III. ANALYSIS A. Standing Article III of the Constitution confines federal judicial power to the resolution of âCasesâ and âControversies.â TransUnion LLC v. Ramirez, 594 U.S. ---, ---, 141 S.Ct. 2190, 2203 (2021) (citing Raines v. Byrd, 521 U.S. 811, 819â20 (1997)). For there to be a case or controversy under Page 5 of 22 Article III, the plaintiff must have a âpersonal stakeâ in the caseâin other words, standing. Raines, 521 U.S. at 819. Standing is a necessary predicate to any exercise of federal jurisdiction and, without standing, the court lacks jurisdiction. Ariz. Christian Sch. Tuition Org. v. Winn, 563 U.S. 125, 129 (2011); Dominguez v. UAL Corp., 666 F.3d 1359, 1361 (D.C. Cir. 2012). To demonstrate standing at the motion to dismiss stage, a plaintiff must plausibly plead (1) an âinjury in fact,â that is (2) âfairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court,â and that is (3) âlikelyâ to be âredressed by a favorable decision.â Lujan v. Defs. of Wildlife, 504 U.S. 555, 560â61 (1992); see also Jeffries v. Volume Servs. Am., Inc., 982 F.3d 1059, 1063 (D.C. Cir. 2019). Defendant argues that Plaintiffsâ alleged injuriesâthe diminution in PII value, loss of the benefit of the bargain, increased spam, and future risks of harmâare âcommon injuriesâ that do not qualify as a concrete, particularized, and actual or imminent for standing purposes. MTD at 5â8, 10â13. And, even if the fraudulent purchase on Fredricksonâs credit card constitutes an injury in fact, Defendant argues it is not âfairly traceableâ to Defendant. Id. at 9. 1. Injury in Fact An injury in fact is ââan invasion of a legally protected interestâ that is âconcrete and particularized,â and . . . âactual or imminent, not conjectural or hypothetical.ââ Spokeo, Inc., v. Robins, 578 U.S. 330, 339 (2016) (quoting Lujan, 504 U.S. at 560). Tangible harm, such as a physical or monetary injury, readily qualifies as concrete under Article III. TransUnion, 141 S.Ct. at 2204. When evaluating intangible harm, courts âshould assess whether the alleged injury to the plaintiff has a âclose relationshipâ to a harm âtraditionallyâ recognized as providing a basis for a lawsuit in American Courts,â such as âreputational harms, disclosure of private information, and intrusion upon seclusion.â Id. (citing Spokeo, 578 U.S. at 341). Because Plaintiffs seek Page 6 of 22 prospective, injunctive relief, they must also establish âmaterial risk of future harmâ that is âsufficiently imminent and substantial.â Id. at 2210 (citations omitted). Defendant argues that Plaintiffsâ âmere increased risk of identity theft and mitigation efforts are insufficient.â MTD at 10. The court disagrees. The D.C. Circuit has determined that âidentity theft . . . constitute[s] a concrete and particularized injury.â In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 55 (D.C. Cir. 2019) (quoting Attias v. Carefirst Inc., 865 F.3d 620, 627 (D.C. Cir. 2017) (âAttias Iâ)). Spending financial resources or time on mitigation efforts in âresponse to a data breach . . . may create a concrete Article III injury when paired with a risk of future identity theft.â Attias v. Carefirst Inc., 344 F.R.D. 38, 47 (D.D.C. 2023) (âAttias IIIâ). Both Plaintiffs adequately allege such mitigation measures. For instance, Malvitz spent time âmonitoring her financial accounts for any indication of fraudulent activity,â and Fredrickson pursued similar âmitigation measures.â Am Compl. ¶¶ 134â162; see Keown v. Intâl Assân of Sheet Metal Air Rail Trans. Workers, No. 23-cv-3570 (CRC), 2024 WL 4239936, at *3 (D.D.C. Sept. 19, 2024). The court further agrees that Plaintiffs have shown that âtheir harm has a close relationship to the harm to privacy vindicated by the common-law tort of intrusion upon seclusion.â All. for Retired Ams. v. Bessent, --- F. Supp. 3d ----, 2025 WL 740401, at *15â16 (D.D.C. Mar. 7, 2025). Intrusion upon seclusion at common law requires that the âdefendant intentionally intruded âupon the solitude or seclusion of another or [their] private affairs or concerns,ââ and that the intrusion would be âhighly offensiveâ to a reasonable person. Id. at *16 (quoting Restatement (Second) of Torts § 652B). Publicity is not required. Pileggi v. Washington Newspaper Publ'g Co., LLC, No. CV 23-345 (BAH), 2024 WL 324121, at *6 (D.D.C. Jan. 29, 2024); see Restatement (Second) of Torts § 652B. The harm need not perfectly align with the common law action. Courts âlook for a Page 7 of 22 close relationshipâ to a traditional harm, ânot an exact duplicate.â All. for Retired Ams., 2025 WL 740401, at *17 (internal quotation marks and citations omitted). At the pleading stage, Plaintiffs have set forth sufficient facts for the court to infer that a reasonable person would find it offensive that a third party obtained Plaintiffsâ âprivate and personal details,â, such as social security numbers. Pileggi, 2024 WL 324121, at *8 (internal quotation marks and citation omitted). Therefore, Plaintiffs satisfy the injury in fact requirement for standing. 2. Causation Causation or traceability requires that Defendant is responsible for Plaintiffsâ injury. See Lujan, 504 U.S. at 560â61. The injury must be fairly traceable âto the challenged action of the defendant, and not . . . th[e] result [of] the independent action of some third party not before the court.â Citizens for Resp. and Ethics in Wash. v. U.S. Depât of Treasury, 21 F.Supp.3d 25, 34 (D.D.C. 2014) (quoting Lujan, 504 U.S. at 560). Defendant argues that Plaintiffsâ injuries âare not plausibly connectedâ to the data breach, MTD at 4, and any injuries suffered by Plaintiffs stem from âunknown cybercriminal[s],â which breaks the causal chain, Def.âs Reply in Support of MTD at 2, ECF No. 11 (âDef.âs Replyâ). This argument is unavailing. At the motion to dismiss stage, Plaintiffs need only âshow that injuries claimedâ substantial risk of identity theft and Plaintiffâs [] mitigation measuresâare âfairly traceableâ to the data breach.â Keown, 2024 WL 4239936, at *3 (citing Attias I, 865 F.3d at 629). Plaintiffs allege that Defendant failed to âimplement adequate and reasonable security procedures and protocols.â Am Compl. ¶ 7. They claim that because Defendant lacked sufficient cybersecurity protections, third parties accessed Defendantâs systems, accessing Plaintiffâs PII, during the data breach. Id. ¶ 36. As a result of the data breach, Plaintiffs spent time and money on mitigation efforts and face increased risks of financial fraud or identity theft. Id. ¶¶ 139â44, 149â59. The allegations Page 8 of 22 sufficiently establish that Plaintiffsâ harms are fairly traceable to Defendantâs inadequate security measures. See Keown, 2024 WL 4239936, at *3. 3. Redressability To satisfy redressability, Plaintiffs must allege that it is âsubstantially likelyâ they will âobtain relief that directly redresses the injury suffered.â Reed v. Goertz, 598 U.S. ---, ---, 143 S. Ct. 955, 960 (2023). Courts may award damages for mitigation costs incurred because of a âsubstantial risk that a harm will occur.â Attias I, 865 F.3d at 629 (quoting Clapper v. Amnesty Intâl, USA, 568 U.S. 398, 414 n.5 (2013)). Plaintiffs assert that they âanticipate[] spending considerable time and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach.â Am. Compl. ¶¶ 144, 158. Engaging in such mitigation efforts was reasonable following the data breach. See Attias I, 865 F.3d at 629. âThe fact that plaintiffs have reasonably spent money to protect themselves against a substantial risk creates the potential for them to be made whole by monetary damages.â Id. In addition to compensatory damages, Plaintiffs seek âinjunctive relief, including improvements to Defendantâs data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.â Am. Compl. ¶ 16. Defendant argues the court cannot redress Plaintiffâs âpurported future risk of harmâ because it âcannot control the actions of unknown cybercriminals or compel [Defendant] to modify its cybersecurity defenses to address a data breach that has already occurred.â Def.âs Reply at 1. But that is not the injunctive relief Plaintiffs seek; rather, they ask for injunctive relief to prevent a future data breach and to address ongoing harms from the past data breach. See Am. Compl. ¶¶ 16, 134. They allege that their PII âremain[s] in Defendantâs possessionâ and âsubject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII.â Id. ¶ 208. The Page 9 of 22 court may redress the ââsubstantial riskâ that their personal information will be stolen from [Defendant] again in the future.â Keown, 2024 WL 4239936, at *4. Courts also recognize that ânominal damages suffice for redressability purposes because American courts always have recognized that plaintiffs may pursue constitutional or common-law causes of action even when their only redress is the symbolic award of nominal relief.â Attias v. CareFirst, Inc., 346 F.R.D. 1, 9â10 (D.D.C. 2024) (âAttias Vâ) (citing Uzuebunam v. Preczewski, 592 U.S. ---, ---, 141 S.Ct. 792, 801 (2021)). Because Plaintiffs request nominal damages, and other forms of relief, redressability is satisfied. For the above reasons, Plaintiffs sufficiently allege an injury in fact caused by the Defendant and redressable by the court, and therefore have standing. B. Choice of Law In addition to the constitutional limitations imposed by Article III, Congress further limits the types of cases or controversies that district courts may hear. Federal district courts typically derive jurisdiction from two statutory grants: federal question jurisdiction, 28 U.S.C. § 1331, and diversity jurisdiction, id. § 1332. Here, Plaintiffs bring common-law claims based on diversity jurisdiction over actions where the amount in controversy exceeds $5,000,000 and there is minimal diversity between the named parties pursuant to the Class Action Fairness Act of 2005. Am. Compl. ¶¶ 18â21; 28 U.S.C. § 1332(d). When exercising diversity jurisdiction, the court must determine the law that applies to common-law claims. Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496 (1941). Courts âmust apply the choice-of-law rules of the jurisdiction in which [it] sit[s]. . .â Wu v. Stomber, 750 F.3d 944, 949 (D.C. Cir. 2014). âD.C. choice-of-law rules require thatâ the court applies âthe tort law of the jurisdiction that has the âmost significant relationshipâ to the dispute.â Id. (citing Washkoviak v. Student Loan Mktg. Ass'n, 900 A.2d 168, 180 (D.C. 2006)). In determining which law applies, the court considers (1) âwhere the injury occurred,â (2) Page 10 of 22 âwhere the conduct causing the injury occurred,â (3) âthe domicile . . . of the parties,â and (4) âthe place where the relationship is centered.â Id. (quoting Washkoviak, 900 A.2d at 180) (internal quotation marks omitted). Federal courts in this district must âfirst determine whether a âtrue conflictâ exists between the laws of the competing jurisdictions.â Jones v. Lattimer, 29 F. Supp. 3d 5, 10 (D.D.C 2014) (quoting Margolis v. U-Haul Intâl, Inc., 818 F. Supp 2d 91, 100 (D.D.C. 2011)). A âtrue conflict existsâ when âmore than one jurisdiction has a potential interest in having its law appliedâ and âthe law of the competing jurisdictions is different.â In re APA Assessment Fee Litig., 766 F.3d 39, 51â52 (D.C. Cir. 2014) (citation omitted). In such a situation, D.C. law applies âunless the foreign state has a greater interest in the controversy.â Jones, 29 F. Supp. 3d at 10. Because Plaintiffs are Wisconsin citizens and Defendant is a D.C. citizen, Am. Compl. ¶¶ 18â21, Wisconsin and D.C. may have an interest in the matter. âWisconsin has a powerful interest in protecting its residents from fraud and misrepresentation, while the District of Columbia has an equally strong interest in ensuring that its corporate citizens refrain from fraudulent activities.â Pls.â Resp. to Def.âs MTD at 14, ECF No. 10 (âOppânâ) (quoting Washkoviak, 900 A.2d at 180â81). The parties agree, however, that the court cannot conduct an adequate choice- of-law analysis at the motion to dismiss stage, and neither party fully briefed the choice-of-law issues. MTD at 13; Oppân at 13â14. Defendant argues that Plaintiffsâ claims fail under either jurisdictionâs standards, but urges the court to consider and âafford[] significant weightâ to Wisconsin law. Def.âs Reply at 5â9 & n.2. In general, choice-of-law issues are ââbetter suited to resolution on motions for summary judgment,â after an opportunity for discovery.â Jones, 29 F. Supp. 3d at 10 n.3 (quoting La Reunion Aerienne v. Socialist People's Libyan Arab Jamahiriya, 477 F. Supp. 2d 131, 137 (D.D.C. Page 11 of 22 2007)). The court will benefit from fulsome briefing before resolving whether Wisconsin or D.C. law applies. See id.; In re McCormick & Co., 215 F. Supp. 3d 51, 62 (D.D.C. 2016). Because it âcannot determine from the pleadings which jurisdiction has a greater interest in the controversyââas the parties concedeââin ruling on a motion to dismiss [the court] must apply the law of the forum state, which in this case is the District of Columbia.â Washkoviak, 900 A.2d at 182; see also Wu, 750 F.3d at 949; In re APA Assessment Fee Litig., 766 F.3d at 54â55. Therefore, at this juncture, the court will assess Plaintiffsâ claims under D.C. law. C. Negligence Defendant moves to dismiss all counts in Plaintiffsâ Amended Complaint for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). Starting with the negligence claim, to survive a motion to dismiss, Plaintiffs must allege â(1) the existence of a duty owed by the defendant to the plaintiff, (2) a negligent breach of that duty by the defendant, and (3) an injury to the plaintiff (4) proximately caused by the defendantâs breach.â Hawkins v. Wash. Metro. Area Transit Auth., 311 F. Supp. 3d 94, 105 (D.D.C. 2018) (quoting Powell v. District of Columbia, 602 A.2d 1123, 1133 (D.C. 1992)). 1. Duty and Breach âThe foundation of modern negligence law is the existence of a duty owed by the defendant to the plaintiff.â N.O.L v. District of Columbia, 674 A.2d 498, 499 n.2 (D.C. 1995) (citing Palsgraf v. Long Island R.R., 248 N.Y. 339 (N.Y. 1928)). Plaintiffs identify several potential duties that Defendant owed them: (1) a common-law duty to use âreasonable care to secure and prevent disclosureâ of Plaintiffâs PII information; (2) a statutory duty under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, to âemploy reasonable security measuresâ; (3) a duty of care arising from the âspecial relationshipâ between Plaintiffs, as employees or recipients of employment-related benefits; and (4) a duty to follow âindustry standards to protect [] PII.â Am Page 12 of 22 Compl. ¶¶ 181â90. Plaintiffs allege sufficient facts for the court to infer that Defendant owed (and breached) a common-law duty of care to secure and prevent disclosure of Plaintiffsâ PII. Plaintiffsâ alternative theoriesâstatutory obligations, special relationship, and industry standardsâsupport their breach allegations, but do not impose an independent duty giving rise to a negligence claim. In general, âone has a duty to guard against only foreseeable risks.â Novak v. Cap. Mgmt. & Dev. Corp., 452 F.3d 902, 911â12 (D.C. Cir. 2006) (citation omitted). Under D.C. law, the relationship between the parties determines âthe foreseeability of the plaintiffâs injury and, ultimately, the scope of the defendantâs duty.â Hedgepeth v. Whitman Walker Clinic, 22 A.3d 789, 794 (D.C. 2011). For âa party who is at armsâ length,â there is âonly a minimal dutyâ of care. Id. Once the parties enter into a relationship, however, a defendant must exercise the degree of care corresponding to the relationship. Id. If the asserted injury results from intervening criminal acts of a third party, a heightened showing of foreseeability is required. See Bd. of Trs. of Univ. of D.C. v. DiSalvo, 974 A.2d 868, 871 (D.C. 2009). And in âsome circumstances under District of Columbia law [] even a failure to act will give rise to a legal duty.â Attias v. Carefirst, 365 F. Supp. 3d 1, 20 (D.D.C. 2019) (âAttias IIâ), on reconsideration in part, 518 F. Supp. 3d 43 (D.D.C. 2021). Plaintiffs sufficiently allege that Defendant owed and breached a common-law duty of care owed to Plaintiffs. Defendant acquired Plaintiffsâ PII as a condition of employment and receiving employment-related benefits. Am Compl. ¶ 48. In doing so, Defendant assumed a duty to take reasonable care with Plaintiffsâ PII. See Collier v. District of Columbia, 46 F. Supp. 3d 6, 15 (D.D.C. 2014) (referencing heightened duty for âemployer and employeeâ relationship); Keown, 2024 WL 4239936, at *8. Defendant allegedly breached this duty by failing to implement reasonable safeguards to âprotect their [] PII from reasonably foreseeable threat of a cyberattack Page 13 of 22 and data breach.â Am Compl. ¶ 182. Plaintiffs allege that Defendant knew or should have known that âunprotected or exposed PIIâ is âvaluable and highly sought after by nefarious third parties seeking to illegally monetizeâ stolen PII. Id. ¶ 57. Based on the âknown high frequency of [] data breaches targeting employers in possession of PII,â a cyberattack was foreseeable. Id. ¶¶ 196. Plaintiffs claim Defendant failed to guard against this reasonably foreseeable risk by not taking adequate security measures, including following the âindustry standards for an employerâs obligations to its employees and their beneficiaries with respect to data privacy,â FTC guidelines for data security practices, and Microsoft Protection Intelligence to prevent and detect data breaches. Id. ¶¶ 42â45, 80, 93. Accepting these allegations as true, the court finds that Plaintiffs have sufficiently established that a cyberattack was foreseeable based on Defendantâs inadequate security practices, the value of Plaintiffsâ PII, and the prominence of identity thefts and data breaches. See In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d at 55â56 (citing Attias I, 865 F.3d at 622, 628â29). To the extent Defendantâs security measures would violate the FTC Act or fall short of industry standards, such allegations support Plaintiffsâ claim of breach. Keown, 2024 WL 4239936 at *9. Thus, Plaintiffs have plausibly alleged Defendant owed and breached a duty. 2. Causation and Injury Plaintiffs must identify âmore than speculative harm from defendantâs allegedly negligent conduct.â Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708 (D.C. 2009) (quoting In re Estate of Curseen v. Buchanan Ingersoll, P.C., 890 A.2d 191, 194 (D.C. 2006)). âThreat[s] of future harm,â which have not materialized, âdo[] not suffice to create a cause of action for negligence.â Hillbroom v. PricewaterhouseCoopers LLP, 17 A.3d 566, 573 (D.C. 2011) (quoting Knight v. Furlow, 553 A.2d 1232, 1235 (D.C. 1989)). In the data breach context, a plaintiff may Page 14 of 22 satisfy injury in fact for Article III standing but fail to meet the injury threshold to state a negligence claim. See Attias II, 365 F. Supp. 3d at 9. Here, Plaintiffs allege several harms: (1) mitigation costs and heightened risk of PII misuse, (2) lost or diminished value of PII, (3) invasion of privacy, (4) emotional distress, and (5) statutory or nominal damages. Am Compl. ¶¶ 6, 141, 206â07. i. Mitigation Costs and Heightened Risk of Misuse âThe District of Columbia Court of Appeals has expressly declined to treat an increased risk of future identity theftâ and âtime and money spent protecting against future identity theftâ as damages for negligence claims based on data breaches. See Attias II, 365 F. Supp. 3d at 11, 14 (quoting Randolph, 973 A.2d at 708â09); Keown, 2024 WL 4239936, at *9. Allegations of actual misuse or economic injury, not speculations as to future misuse or economic harms, are sufficient, however. Attias II, 365 F. Supp. 3d at 11, 14 (âOnly the [plaintiffs]âwho. . . have alleged actual misuse in the form of tax-refund fraudâwould be able to recover consequential damages like the money spent monitoring their credit.â); Keown, 2024 WL 4239936, at *9. Applying that rule here, the court finds that Fredrickson alleges âactual fraudulent misuse of his PII.â Am. Compl. ¶ 151. He claims that after the data breach, âthird party criminal actors used [his] PII to initiate a fraudulent purchase of $1,145.13 [] on his credit card.â Id. As a result, Fredrickson had to obtain a new credit card and spent âconsiderable time and moneyâ to mitigate the ensuing harms. Id. ¶¶ 152, 158. The fraudulent charge on his card and costs associated with remedying the misuse of his PII qualify as damages. Attias II, 365 F. Supp. 3d at 11, 14. The court may also plausibly infer a causal connection between Defendantâs negligence and Fredricksonâs injury. Fredrickson alleges that he is âvery careful about sharing his sensitive PIIâ and âhas never knowingly transmitted unencrypted sensitive PII over the internet or any other Page 15 of 22 unsecured source.â Am. Compl. ¶ 153. After his PIIâincluding his social security numberâwas stolen during the data breach, he received fraudulent credit card charges. Id. ¶¶ 152â58. At the motion to dismiss stage, these facts permit a plausible inference that Defendantâs inadequate security measures caused the data breach, which then caused Fredricksonâs injury. Attias II, 365 F. Supp. 3d at 11 n.4 (Even without âspecific facts connecting the two events,â court âplausibly inferredâ causation âwhen considering a motion under Rule 12(b)(6).â). Malvitzâs allegations present a closer question. She does not allege any specific fraudulent charges, but claims she suffered âan increase in spam calls, texts, and/or emailsâ and spent âvaluable timeâ on mitigation activities. Am Compl. ¶¶ 140â43. The question is whether âspam calls, texts, and/or emails,â id. ¶ 142, constitute a âpresent injury,â rather than âanticipation of future injury that has not materialized,â Randolph, 973 A.2d at 708. At least one court in this district has answered yes. In Keown, the court concluded that âan increase in spam, calls, texts, and/or emailsâ and time âdealing with these effects . . . is much closer to [a] present injury to [Plaintiffâs] PII than to efforts to mitigate potential future harm.â 2024 WL 4239936, at *10. Therefore, the plaintiff alleged an actual injury sufficient to support a negligence claim under D.C. law. Id. (citing Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 37 (D.D.C. 2020)); see also Attias II, 365 F. Supp. 3d at 11 (Allegations âlisting what âidentify thievesâ âcanâ or âmayâ doâ with PII are insufficient, but actual misuse permits recovery for mitigation efforts). Although it is a close question, the court reaches the same conclusion at this stage. Because Malvitz alleges actual misuse through âincreased spam calls, texts, and/or emails,â Am. Compl. ¶ 142, she alleges an actual injury sufficient to state a negligence claim. Page 16 of 22 ii. Lost or diminished value of PII Plaintiffsâ allegations that they suffered damages for lost or diminished value of their PII cannot sustain a negligence claim. When addressing injury in fact for Article III standing, courts have âroutinely rejected the proposition that an individualâs personal identifying information has an independent monetary value.â See, e.g., Welborn v. IRS, 218 F. Supp. 3d 64, 78 (D.D.C. 2016) (collecting cases). Plaintiffs allege that âan active and robust legitimate marketplace for PII exists,â but fail to plead facts showing how the unauthorized access to their PII diminishes its value. Am. Compl. ¶¶ 116â19, 120. To the contrary, Plaintiffs allege the information compromised in the data breach remains particularly valuable. Id. ¶ 121. Moreover, they do not assert that they intended to sell their PII or participate in the marketplace. Without allegations that âtheir personal information became less valuable as a result of the [data] breach or that they attempted to sell their information and were rebuffed because of a lower price-point attributable to the breach,â Plaintiffs fail to allege damages based on a change in value. Welborn, 218 F. Supp. 3d at 78; see also Keown, 2024 WL 4239936, at *10 (Even though Plaintiffâs PII âdecreased in ârarity,ââ they did not claim that they intended to âsell [the] information on the black market in the first place, so it is uncertain how they were injured by this alleged loss.â). iii. Invasion of Privacy Invasion of privacy is a distinct intentional tort, which Plaintiffs do not assert, but a loss of privacy âmay constitute âdamage to the interests of the plaintiffâ sufficient to support a claim of negligence if the defendant has a duty to prevent such damage.â Keown, 2024 WL 4239936, at *10 (citing District of Columbia v. Cooper, 483 A.2d 317, 321 (D.C. 1984)). PII must be disclosed to a third party to establish an invasion of privacy, however. In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 29 (D.D.C. 2014). â[C]onduct giving Page 17 of 22 rise to the unauthorized viewing of [PII] such as plaintiffâs Social Security number . . . can constitute an intrusion . . .â Randolph, 973 A.2d at 710; see also Vassiliades v. Garfinckelâs, Brooks Bros., 492 A.2d 580, 587 (D.C. 1985) (â[I]nvasion of privacy ârepresents a vindication of the right to private personality and emotional security.â (citation omitted)). Here, Plaintiffs plausibly allege that third parties obtained unauthorized access to their PII, which Defendant had a duty to safeguard. See supra Section III.C.1. The third parties âaccessed and obtainedâ Plaintiffsâ PII, including their names, dates of birth, Social Security numbers, dates of service, insurance participant IDs, and member numbers. Am. Compl. ¶¶ 4, 139, 149. Disclosure of such information constitutes an âactual harm to [Plaintiffsâ] interest in privacy. . . both judicially cognizable and recognized at common law.â Keown, 2024 WL 4239936, at *11. iv. Emotional Distress Plaintiffsâ emotional distress allegations also support their negligence claim. Plaintiffs may ârecover for pain and suffering as âparasiticâ damages as a result of or incident to the âinvasion of another legally protected interest.ââ Attias II, 365 F. Supp. 3d at 16 (quoting Hedgepeth, 22 A.3d at 809). If a plaintiff seeks only damages for mental pain and suffering, they must satisfy either the zone of physical danger rule or âthe special relationship and undertaking rule.â Id. (citations omitted). Here, Plaintiffs allege an increase in âfear, anxiety, and stressâ because of the data breach. Am Compl. ¶¶ 142, 157. Their distress âstems from the invasion of another legally protected interest,â privacy, so they may seek âparasiticâ damages. Keown, 2024 WL 4239936, at *11 (citation omitted). Because Plaintiffsâ injuries are âneither purely economic nor purely emotional,â they need not satisfy the alternative paths to recover emotional distress damages. Id. Page 18 of 22 v. Economic Loss Doctrine Defendant argues that the economic loss doctrine bars Plaintiffsâ recovery in negligence. MTD at 14â15. That doctrine precludes recovery for purely economic losses in tort, unless a special relationship exists. Attias II, 365 F. Supp. 3d at 17; see also Aguilar v. RP MRP Wash. Harbour, LLC, 98 A.3d 979, 985â86 (D.C. 2014) (âThe economic loss doctrine in the District of Columbia bars recovery of purely economic losses in negligence, subject to only one limited exception where a special relationship exists.â). Plaintiffs do not seek purely economic losses. As explained, Plaintiffs adequately allege harm to their privacy interests and emotional distress damages, in addition to economic losses from mitigation efforts. For the reasons stated above, Plaintiffs state a negligence claim and the court will deny Defendantâs motion to dismiss Count I. D. Breach of Implied Contract Defendant contends that Plaintiffsâ claim fails because they âfail to plead the necessary elementsââoffer, acceptance, and considerationâfor a valid contract governing Plaintiffsâ PII. MTD at 17â19. The court disagrees. Under D.C. law, âan implied-in-fact contract contains âall necessary elements of a binding agreement,â differing from other contracts âonly in that it has not been committed to writingâ and is instead âinferred from the conduct of the parties.ââ Shaffer v. George Wash. Univ., 27 F.4th 754, 762 (D.C. Cir. 2022) (quoting Camara v. Mastroâs Rests. LLC, 952 F.3d 372, 375 (D.C. Cir. 2020)). âTo prevail on a claim of breach of contract, a party must establish (1) a valid contract between the parties; (2) an obligation or duty arising out of the contract; (3) a breach of that duty; and (4) damages caused by breach.â Molock v. Whole Foods Market, Inc., 297 F. Supp. 3d 114, 131 (D.D.C. 2018) (quoting Francis v. Rehman, 110 A.3d 615, 620 (D.C. 2015)); see also Paul v. Howard Univ., 754 A.2d 297, 311 (D.C. 2000) (citation omitted). To survive a motion to dismiss, however, âit is enough for the plaintiff to describe the Page 19 of 22 terms of the alleged contract and the nature of the defendantâs breach.â Molock, 297 F. Supp. 3d at 131 (quoting Francis, 110 A.3d at 620). Courts have found that where there is no history, course of dealing, or series of statements to support a contractual relationship, there can still be a âcontractual duty to take reasonable measures to secure customer PII.â Attias v. CareFirst, Inc., No. 15-CV-882 (CRC), 2023 WL 5952052, at *6 (D.D.C. Sept. 13, 2023) (âAttias IVâ). In both Attias and Keown, courts found implied contract claims where privacy notices or practices were provided or accessible to plaintiffs. See Attias IV, 2023 WL 5952052, at *6â7; Keown, 2024 WL 4239936, at *13. Such notices included assurances that the defendant took steps to protect PII. Attias IV, 2023 WL 5952052 at *6â7. Plaintiffs identify similar assurances by Defendant in this case, specifically, Defendant's âPrivacy Policyâ and website representations. Am Compl. ¶¶ 29, 220; Oppân at 21. Defendantâs website stated that Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. We use regular Malware Scanning. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all PII/information you supply is encrypted via Secure Socket Layer (SSL) technology. We implement a variety of security measures when a user submits, or accesses their information to maintain the safety of your personal information. All transactions are processed through a gateway provider and are not stored or processed on our servers. Am. Compl. ¶ 29 (formatting modified). Defendantâs website âspeaks to an obligation to take affirmative steps to âprotectâ [Plaintiffs] PII.â Attias IV, 2023 WL 5952052, at *7. Further, Plaintiffs allege that Defendant required them to provide their PII in order to obtain benefits. Am. Compl. ¶ 213. They claim that, in doing so, Defendant implicitly âagreedâ to âreasonably safeguardâ the information from âunauthorized access or disclosure.â Id. ¶ 219. Drawing all inferences in Plaintiffsâ favor, that Page 20 of 22 assumption is reasonable. See Keown, 2024 WL 4239936 at *13 (â[I]t is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security or other sensitive personal information would not imply the recipients assent to protect the information sufficiently.â (citing Attias IV, 2023 WL 5952052 at *6â7)). Therefore, Plaintiffs adequately state the key contract terms. Turning to the second requirementâbreachâPlaintiffs need only identify the nature of the alleged breach. Molock, 297 F. Supp. 3d at 131. They claim that Defendant breached by failing to âtake adequate cybersecurity measuresâ to safeguard their PII and storing the data in unencrypted files. Am. Compl. ¶ 67. Accepting these allegations as true, the court finds that Plaintiffsâ breach of implied contract claim survives, and it will deny Defendantâs motion to dismiss Count II. E. Unjust Enrichment Finally, Defendant moves to dismiss Plaintiffsâ unjust enrichment claim, arguing that Plaintiffs do not plausibly allege that they provided anything in exchange for data security or that Defendant retained any benefit unjustly. MTD at 23â25. Unjust enrichment ârests on a contract implied in law,â which permits recovery âin the absence of any contract, actual or implied in fact.â United States ex rel. Modern Elec., Inc. v. Ideal Elec. Sec. Co., 81 F.3d 240, 247 (D.C. Cir. 1996), (citing Bloomgarden v. Coyer, 479 F.2d 201, 210 (D.C. Cir. 1973)). It requires that â(1) the plaintiff conferred a benefit on the defendant; (2) the defendant retains the benefit; and (3) under the circumstances, the defendantâs retention of the benefit is unjust.â Butler v. Enter. Integration Corp., 459 F. Supp. 3d 78, 101 (D.D.C. 2020) (quoting News World Commcâns, Inc. v. Thompson, 878 A.2d 1218, 1222 (D.C. 2005)). Plaintiffs cannot recover under both unjust enrichment and breach of contract theories, but appropriately plead this claim in the alternative. See Fed. R. Civ. P. 8(a)(3); Shaffer, 27 F.4th at 768. Page 21 of 22 Plaintiffs fail to state a claim for unjust enrichment. They allege that they âconferred monetary benefit on Defendant by providing [] their PII and [] laborâ and that Defendant saved money on security costs and unjustly enriched itself by profiting from Plaintiffsâ work. Am. Compl. ¶¶ 232â235. This falls short of unjust enrichment. First, Plaintiffs fail to allege that Defendant derived any benefit or value from Plaintiffsâ PII. There is no assertion that Defendant ran analytics on Plaintiffsâ PII or used it for an independent business purpose. MTD at 14 n.4. Rather, Defendant required Plaintiffsâ PII as a condition of employment and to provide employment-related benefits. Am. Compl. ¶ 48. Second, Defendant did not unjustly benefit from Plaintiffsâ labor. Malvitz was not Defendantâs employee but received benefits as an employeeâs spouse. Id. ¶ 135. Therefore, she did not provide Defendant with any labor. Although Fredrickson worked for Defendant, id. ¶ 147, he received a salary, and therefore Defendant did not unjustly retain the benefit of his labor. The Complaint âdoes not identify any profit reaped by [Defendant] that is attributable to use of Plaintiffâs data, nor does it allege that Plaintiffs gave [Defendant] any money that should have been used for data security.â See Keown, 2024 WL 4239936, at *14. Therefore, the court will dismiss Plaintiffsâ unjust enrichment claim. IV. CONCLUSION For the foregoing reasons, the court will DENY Defendantâs motion to dismiss Plaintiffsâ negligence and breach of contract claims, but GRANT Defendantâs motion as to Plaintiffsâ unjust enrichment claim. An Order shall accompany this Opinion. Date: June 12, 2025 Tanya S. Chutkan TANYA S. CHUTKAN United States District Judge Page 22 of 22
Case Information
- Court
- D.D.C.
- Decision Date
- June 12, 2025
- Status
- Precedential