Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

McDowell v. CGI Federal Inc.

United States District Court, District of Columbia

June 1, 2017

LORI McDOWELL, on behalf of herself and similarly situated, Plaintiffs,
CGI FEDERAL INC., and DOES 1 through 100, inclusive Defendants.


          Gladys Kessler United States District Judge.

         Plaintiff, Lori McDowell, alleges that her personal information was stolen by employees of Defendant, CGI Federal, Inc. ("CGI"), and then used to open accounts and make purchases using her identity. CGI acquired this information pursuant to a contract with the State Department, under which CGI received and processed passport applications on behalf of the State Department, including the application of McDowell. McDowell brings this class action lawsuit on behalf of herself and other similarly situated individuals, alleging that CGI failed to adequately safeguard their personal data and is therefore liable for: (1) violations of the District of Columbia's Consumer Protection Procedures Act, D.C. Code § 28-3901 et seq. ("CPPA"); (2) negligence; (3) breach of contract; (4) breach of bailment; and (5) unjust enrichment.[1]

         CGI filed a Motion to Dismiss McDowell's Amended Complaint, [Dkt. No. 27], arguing that she has failed to state a claim upon which relief can be granted for any Count contained in the Amended Complaint. Upon consideration of the Motion to Dismiss, responsive briefs, and the entire record herein, and for the reasons stated below, Defendant's Motion to Dismiss is granted as to all counts except McDowell's of breach of contract claim, contained in Count 3.

         I. BACKGROUND

         A. Factual Background[2]

         CGI is a Delaware corporation with an office in Washington, D.C., and a principal place of business in Fairfax, Virginia. Amended Complaint ¶ 11. It provides a number of services to the United States Passport Agency, a constituent of the State Department, also located in Washington, D.C. Id. ¶ 11. Pursuant to the contract at issue here, it processes passport applications for the Passport Agency. Id. ¶ 2.

         Passport applicants must submit sensitive and personally identifiable information, including: name, date of birth, city of birth, state of birth, country of birth, social security number, sex, height, hair color, eye color, occupation, and evidence of U.S. Citizenship, such as a previously issued U.S. Passport or U.S. birth certificate. Amended Complaint ¶ 24. Applicants must also submit present identification such as a fully valid driver's license or military Id. Id. Plaintiffs refer to this information collectively as "Personal Information." Id.

         CGI typically stores this Personal Information on its computer systems and transmits it to the Passport Agency in Washington, DC. Id. ¶ 24. Under the terms of CGI's contract, it must '"provide accessible and qualified management, production, and operational support personnel' to perform document preparation, creation of document batches, document imaging (scanning) and reviewing, retrieval of individual application information, data entry, book printing, quality control, generation of mailing labels, and verification of information." Amended Complaint ¶ 2.

         Beginning sometime in 2010, until roughly March 2, 2015, unidentified CGI personnel stole the Personal Information of passport applicants. Amended Complaint ¶ 31. These individuals then used the Personal Information to create counterfeit identity documents, obtain commercial lines of credit, and purchase iPhones, iPads, and other electronic merchandise. Id. ¶ 32.

         McDowell was one of the applicants whose Personal Information was stolen. Amended Complaint ¶ 18. McDowell, a resident and citizen of Carrolton, Georgia, had submitted a passport application from her hometown. Id., ¶¶ 10, 14. Like other applications, hers contained the required Personal Information, which was intended for transmission to Washington, D.C., via CGI's computer systems. Id. ¶ 14. Following the submission of her application,, a credit monitoring service, notified McDowell that someone had opened a T-Mobile Account using her social security number and that someone had also made a $2, 300 retail purchase in Texas using her identity. Id. ¶ 16. Additionally, notified McDowell that someone attempted a "hard inquiry" check of her credit while attempting to open an account in her name at a Sprint Nextel in Colorado. Id. ¶ 18. On June 3, 2015, the U.S. Department of Justice formally notified McDowell that she was a victim of the theft of Personal Information from CGI's computer systems. Id. ¶ 18. As a result of the theft of her Personal Information, McDowell has had to: pay for additional credit monitoring protection; expend time disputing fraudulent charges and accounts with banks, credit card companies, and credit reporting agencies; and take other steps to protect herself from additional harm. Id. ¶ 20.

         B. Procedural Background

         On July 20, 2015, McDowell initiated this class action lawsuit, filing a Complaint against the CGI and the Doe Defendants on behalf of herself and other similarly situated individuals who had Personal Information, contained in passport applications, stolen by CGI employees. [Dkt. No. 1]. On October 9, 2015, McDowell filed an Amended Complaint, alleging that CGI was liable for violations of the CPPA, negligence, breach of contract, breach of bailment, and unjust enrichment. Amended Complaint ¶ 6.

         CGI then filed a Motion to Dismiss on October 26, 2015, arguing that McDowell failed to state a claim on any of the counts contained in the Amended Complaint. Motion to Dismiss ("MTD") [Dkt. No. 27]. McDowell filed an Opposition on November 23, 2015, [Dkt. No. 30], and CGI filed a Reply on December 21, 2015, [Dkt. No. 31].


         Rule 12(b)(6) of the Federal Rules of Civil Procedure permits dismissal upon the "failure to state a claim upon which relief can be granted." Fed.R.Civ.P. 12(b)(6). "To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal 556 U.S. 662, 678 (2009) (internal quotation marks and citations omitted). A claim is facially plausible when the pleaded facts "allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Plausibility requires "more than a sheer possibility that a defendant has acted unlawfully, " but it is not a "probability requirement." Id.

         At the Rule 12(b)(6) stage, the court accepts all of the complaint's factual allegations as true and draws all reasonable inferences from those facts in plaintiffs favor. Browning v. Clinton, 292 F.3d 235, 242 (D.C. Cir. 2002). However, the court does not accept "inferences drawn by plaintiff if such inferences are unsupported by the facts set out in the complaint." Id. (internal quotation marks and citations omitted). Similarly, the court need not accept plaintiffs legal conclusions simply because they are "cast in the form of factual allegations." Id. (internal quotation marks and citations omitted). "Threadbare recitals of a cause of action's elements, supported by mere conclusory statements, " are insufficient to survive a motion to dismiss. Iqbal 556 U.S. at 678.

         In addition to the complaint, the court may consider other sources, such as "documents incorporated into the complaint by reference and matters of which a court may take judicial notice." Tellabs. Inc. v. Makor Issues & Rights. Ltd.. 551 U.S. 308, 322 (2007).

         III. ANALYSIS

         A. CPPA

         Plaintiff alleges that CGI violated the CPPA, which prohibits a person from misrepresenting the characteristics of consumer goods or services, by representing that it would secure the passport application data when it did not. Amended Complaint ¶¶ 53-64. Defendants argue that this claim should be dismissed because Plaintiff is not a "consumer" under the CPPA. MTD at 17-21.

         Under the CPPA, it is an unlawful trade practice for "any person to: (a) represent that goods or services have ... characteristics ... that they do not have." D.C. Code § 28-3904(a). However, subject to limited exceptions only consumers are authorized to bring suit under the CPPA.[3] D.C. Code § 28-3905(k)(1)(A). Thus, "[t]he D.C. Court of Appeals has repeatedly concluded that the CPPA was designed to police trade practices arising only out of consumer-merchant relationships." Ali v. Tolbert, 636 F.3d 622, 628 (D.C. Cir. 2011) (internal quotation marks omitted); Price v. Indep. F.S.B., 110 A.3d 567, 573 (D.C. 2015) (the CPPA "'was designed to police trade practices arising only out of consumer-merchant relationships, ' and does not apply to commercial dealings outside the consumer sphere" (quoting Ford v. Chartone. Inc., 908 A.2d 72, 81 (D.C. 2006))). "Consumer goods or services' are those that [a] person does or would purchase, lease (as lessee), or receive and normally use for personal, household, or family purposes." Price, 110 A.3d at 574 (emphasis added) (quotation marks omitted).

         McDowell alleges that CGI misrepresented the services it offered. Amended Complaint ¶ 53-64. In a brochure advertising its services, CGI stated that it provides "technology management" services that provide: "secure data center operations;" "around-the-clock monitoring of systems, real-time reporting and immediate action on suspicious activity from CGI's security operations centers;" and "[e]xpert threat anticipation and defense of critical information and infrastructure." Amended Complaint ¶ 58. McDowell argues that these statements misrepresented the security of the services provided by CGI to the Passport Agency, as evidenced by the fact that CGI employees were able to steal Personal Information contained in passport applications. Opp'n at 9.

         The problem with McDowell's argument is that the services she alleges that CGI misrepresented are not consumer services, but business services. The technology management services CGI provides to the Passport Agency are typical of the back-office services that one company provides to another. They are decidedly not for personal, household, or family purposes, and therefore do not fall within the ambit of the CPPA. See Indep. Commun. Network, Inc. v. MCI Telecomm. Corp., 657 F.Supp. 785, 788 (D.D.C. 1987) (transactions between two merchants that are on the "supply side" of the consumer-merchant do not fall within ambit of CPPA); Adam A. Weschler & Son, Inc. v. Klank. 561 A.2d 1003, 1005 (D.C. 1989) ("Transactions along the distribution chain that do not involve the ultimate retail customer are not consumer transactions that the ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.