Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Attias v. Carefirst, Inc.

United States District Court, District of Columbia

January 30, 2019

CHANTAL ATTIAS, et al., Plaintiffs,
v.
CAREFIRST, INC., et al., Defendants.

          MEMORANDUM OPINION

          CHRISTOPHER R. COOPER UNITED STATES DISTRICT JUDGE.

         I. Background ............................................................................................................................ 3

         II. Standard of Review ................................................................................................................ 6

         III. Jurisdiction ............................................................................................................................. 6

         IV. Analysis .................................................................................................................................. 7

         A. Whether plaintiffs have adequately alleged damages for nine of their eleven claims . 8

         1. Plaintiffs must allege actual damages for nine of their causes of action ......... 10

         2. Four theories of actual damages ...................................................................... 12

         B. Whether the parties' contractual relationship bars plaintiffs' tort claims .................. 24

         C. Whether plaintiffs have pled in the alternative an unjust enrichment claim .............. 37

         D. Whether plaintiffs have alleged an unlawful trade practice under the D.C. Consumer Protection Procedures Act ......................................................................................................... 38

         E. Whether insurance companies are exempt from civil liability for data breaches under the Maryland Consumer Protection Act ................................................................................... 40

         V. Conclusion ........................................................................................................................... 42

         In May 2015, the District of Columbia-area health insurer CareFirst announced that it had suffered a data breach that compromised the personal information of millions of its policyholders. Plaintiffs in this putative class action are among those whose data was accessed. They seek compensation for the breach through both tort- and contract-based claims under District of Columbia law, as well as statutory claims under several D.C., Maryland, and Virginia consumer-protection laws.

         Common to all of plaintiffs' claims is the assertion that they have been injured by CareFirst's failure to protect their personal information from exposure. The alleged injuries do not, for the most part, involve actual misuse of their personal information. Plaintiffs instead claim that the data breach resulted in an increased risk of identity theft and the need for prophylactic expenditures-on credit monitoring services and the like-to reduce that risk. They also contend that CareFirst's failure to protect their personal information resulted in a contractual injury because they did not receive the full value of the policies they purchased. And they say they have suffered emotional distress in dealing with the breach.

         The Court previously dismissed plaintiffs' claims for lack of Article III standing, finding that they had failed to allege a non-speculative injury-in-fact. The D.C. Circuit reversed and remanded. CareFirst now moves to dismiss the operative second amended complaint under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim.

         The Court will grant the motion in large part. After briefly recounting the factual and procedural background, the Court will begin by confirming that it has diversity jurisdiction over the case pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d). It will then explain its conclusion that, while plaintiffs' alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the “actual damages” element of nine of their state-law causes of action. The Court will then move to the interplay between plaintiffs' tort and contract claims, finding that the parties' non-fiduciary contractual relationship independently forecloses tort liability based on the allegations in the complaint. Finally, the Court will address issues specific to plaintiffs' unjust enrichment claim and their claims under the District of Columbia Consumer Protection Procedures Act and the Maryland Consumer Protection Act.

         At the end of the day, the Court will dismiss all of plaintiffs' claims except for a breach of contract claim and a Maryland Consumer Protection Act claim brought by the only two plaintiffs (Kurt and Connie Tringler of Maryland) who have plausibly alleged actual misuse of personal information resulting from the data breach. In reaching this outcome, the Court acknowledges the difficulty of applying traditional tort and contract principles in the contemporary context of data security. It also recognizes that courts across the country have divided on a number of important legal issues that frequently arise in data breach litigation. The Court has attempted to illuminate some of these divisions in this opinion.

         I. Background

         Seven plaintiffs bring this putative class action against CareFirst and certain of its affiliates doing business in the District of Columbia, Maryland, and Virginia. Second Am. Class Action Compl. (“SAC”), ECF No. 9.[1] CareFirst operates a group of health insurance companies providing coverage to more than one million individuals in the District of Columbia, Maryland, and Virginia. Id. ¶¶ 5-8, 23. Plaintiffs are residents of the District of Columbia, Maryland, and Virginia, and customers and insureds of CareFirst. Id. ¶¶ 1-4, 25. When customers purchase health insurance through CareFirst, they provide the company certain personal information, including their names, credit card numbers, addresses, and social security numbers. Id. ¶¶ 26- 27. CareFirst promises, explicitly or implicitly, to keep this information protected. Id. ¶¶ 28-29. CareFirst allegedly failed to properly encrypt some of the data entrusted to its care, id. ¶ 31, and in June 2014, CareFirst suffered a cyberattack, id. ¶ 33. It learned of the attack in April 2015 and notified its customers, including plaintiffs, the following month. Id. ¶¶ 35-36.

         Plaintiffs initiated this action shortly after learning of the data breach and filed the operative second amended complaint in July 2015. They bring eleven claims: breach of contract (Count I), negligence (Count II), violation of the District of Columbia Consumer Protection Procedures Act (Count III), violation of the District of Columbia Data Breach Notification Statute (Count IV), violation of the Maryland Consumer Protection Act (Count V), violation of the Virginia Consumer Protection Act (Count VI), fraud (Count VII), negligence per se (Count VIII), unjust enrichment (Count IX), breach of the duty of confidentiality (Count X), and constructive fraud (Count XI). They allege that they “have suffered economic and non-economic loss in the form of mental and emotional pain and suffering and aguish [sic] as a result of Defendants' failures” to secure plaintiffs' confidential information. SAC ¶ 38. The Tringlers specifically allege that they have experienced “tax-refund fraud” as a result of the data breach. Id. ¶ 57. And all plaintiffs allege that they “face years of constant surveillance of their financial and personal records, monitoring, and loss of rights.” Id. ¶ 56.

         CareFirst moved to dismiss the complaint for lack of subject matter jurisdiction under Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6). The Court granted the 12(b)(1) motion on the ground that plaintiffs had not identified an “actual or imminent” injury as is necessary to satisfy the injury-in-fact requirement of constitutional standing. In so doing, the Court observed that most of the plaintiffs had not alleged that their personal information had actually been misused in any way. Nor had they explained how the information taken (which CareFirst averred did not include financial information or social security numbers) could readily be used to assume their identities. Based on these factors, the Court adopted the principle that most other courts have followed in similar cases, including a Maryland federal class action brought by another set of CareFirst customers stemming from the same breach: “Absent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one's personal information stolen in a data breach is insufficient to establish standing to sue the entity from wh[ich] the information was taken.” Attias v. CareFirst, Inc., 199 F.Supp.3d 193, 197 (D.D.C. 2016). The Court further held that plaintiffs' other asserted injuries were also insufficient to meet the injury-in-fact requirement of standing. Those harms included (1) expenditures on credit-monitoring services to prevent future identity theft; (2) some indeterminate overpayment for their insurance coverage; (3) loss of the intrinsic value of the stolen personal information; and (4) violation of their statutory rights under various consumer protection laws. Id. at 202-03.

         The D.C. Circuit reversed and remanded, finding that plaintiffs had plausibly alleged a substantial risk of identity theft flowing from the data breach, which was enough to meet “the light burden of proof the plaintiffs bear at the pleading stage” of the case. Attias v. CareFirst, Inc., 865 F.3d 620, 627-28 (D.C. Cir. 2017). The Circuit declined to reach CareFirst's alternative argument that plaintiffs had failed to state a claim under Rule 12(b)(6). Id. at 629-30. It did so because this Court had reserved judgment on a second threshold jurisdictional question-whether diversity jurisdiction exists under the Class Action Fairness Act, 28 U.S.C. § 1332(d)-which the Circuit could not answer on the record before it. Attias, 865 F.3d at 629- 30.

         Venturing once more into the breach, CareFirst has now renewed its 12(b)(6) motion before this Court. Mem. in Supp. of Defs.' Mot. to Dismiss (“MTD”), ECF No. 44-1. Plaintiffs oppose the motion. Pls.' Opp'n to MTD (“Opp'n”), ECF No. 45. The Court held a hearing on November 5, 2018, and the motion is now ripe for resolution.

         II. Standard of Review

         In analyzing a motion to dismiss under Rule 12(b)(6), the Court must determine whether the complaint “contain[s] sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This requires “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. To make this determination, the Court “must take all of the factual allegations in the complaint as true.” Id. It also must “constru[e] the complaint liberally in the plaintiff's favor with the benefit of all reasonable inferences derived from the facts alleged.” Stewart v. Nat'l Educ. Ass'n, 471 F.3d 169, 173 (D.C. Cir. 2006). Finally, the Court may only “consider the facts alleged in the complaint, documents attached thereto or incorporated therein, and matters of which it may take judicial notice.” Id.

         III. Jurisdiction

         The Court turns first to the jurisdictional question that it previously left unresolved: whether it has diversity jurisdiction over plaintiffs' eleven state-law claims under the Class Action Fairness Act (“CAFA”). It does. “CAFA gives federal courts jurisdiction over certain class actions, . . . if the class has more than 100 members, the parties are minimally diverse, and the amount in controversy exceeds $5 million.” Dart Cherokee Basin Operating Co., LLC v. Owens, 135 S.Ct. 547, 552 (2014) (citing 28 U.S.C. §§ 1332(d)(2), (5)(B)). Beginning with the first requirement, plaintiffs estimate that there are more than one million class and sub-class members, SAC ¶ 63, and CareFirst does not contest that number for purposes of this motion, Hr'g Tr. at 3:2-3:14. Second, the parties are minimally diverse because “any member of a class of plaintiffs is a citizen of a State different from any defendant, ” 28 U.S.C. § 1332(d)(2)(A): The plaintiffs are residents of the District of Columbia, Maryland, and Virginia and have sued CareFirst and its affiliates doing business in those three places. And third, the amount in controversy almost certainly exceeds the $5 million threshold. Under CAFA, the Court aggregates the individual claims of class members. Here, even if individual class members' claims are worth just $5 each, they would satisfy the amount-in-controversy requirement. But it's likely that the value of their claims is much more. For example, plaintiffs have brought claims under the District of Columbia Consumer Protection Procedures Act, D.C. Code Ann. § 28-3901 et seq., which provides statutory damages of $1, 500 per violation, and the Virginia Consumer Protection Act (“VCPA”), Va. Code Ann. § 59.1-196 et seq., which entitles successful plaintiffs to $500 to $1, 000 per violation. SAC ¶¶ 90(d), 115. Although plaintiffs do not provide a breakdown of the numbers in each subclass, it's hard to imagine a distribution that would not satisfy the amount-in-controversy requirement based solely on these statutory claims. In any event, neither party questions that the amount in controversy exceeds $5 million. See SAC ¶ 10; Hr'g Tr. at 3:2-3:4; Dart Cherokee, 135 S.Ct. at 553 (explaining that amount-in-controversy allegation should be accepted where not questioned by either party).

         Accordingly, because the prospective class has more than 100 members, the parties are minimally diverse, and the amount in controversy exceeds $5 million, this Court has diversity jurisdiction under CAFA. See Dart Cherokee, 135 S.Ct. at 552.

         IV. Analysis

         “A federal court sitting in diversity must apply the substantive law of the jurisdiction in which it sits.” Metz v. BAE Sys. Tech. Sol. & Servs. Inc., 774 F.3d 18, 21-22 (D.C. Cir. 2014). Here, that jurisdiction is the District of Columbia.[2] This means that the Court is bound by decisions of the District of Columbia Court of Appeals-the highest court in D.C.-interpreting D.C. law. Id. This requirement is all the more salient in a data-breach case like this because federal courts across the country have applied the relevant state law to claims arising out of data breaches to very different effect. In the absence of a decision by the District of Columbia Court of Appeals, the Court's role in interpreting and applying D.C. law is to achieve the same outcome it believes would result if the District's highest court considered this case. Id.

         As will follow, the Court first concludes that all plaintiffs but the Tringlers have failed to allege, as they must, actual damages for nine of their eleven claims. The Court then finds that plaintiffs' contractual relationship with CareFirst precludes the rest of their claims: their tort claims because they fail to allege an independent duty to safeguard private information; their unjust enrichment claim because they fail to allege that their contract is invalid or unenforceable; and their D.C. Consumer Protection Procedures Act claim because they fail to allege any unlawful trade practice beyond the breach of contract itself. In the end, only the Tringlers remain and they are left only with their breach of contract claim in Count I and their Maryland Consumer Protection Act claim in Count V.

         A. Whether plaintiffs have adequately alleged damages for nine of their eleven claims

         CareFirst moves to dismiss the following nine of plaintiffs' claims for failure to allege actual damages: (1) breach of contract; (2) negligence and (3) negligence per se; (4) fraud and (5) constructive fraud; (6) breach of the duty of confidentiality; violations of the (7) Maryland and (8) Virginia Consumer Protection Acts; and violation of the (9) District of Columbia Breach Notification Statute. MTD at 6-10. Plaintiffs counter that CareFirst simply camouflages the “the exact same argument” regarding speculative harm previously rejected by the D.C. Circuit in deciding that they have adequately pled an injury-in-fact for purposes of standing. Opp'n at 1, 5.

         The D.C. Circuit's standing ruling does not control whether plaintiffs have alleged actual harm for purposes of their state-law claims. See id. at 6. Plaintiffs may satisfy the Article III injury-in-fact requirement and yet fail to adequately plead damages for a particular cause of action. For example, in Krottner v. Starbucks Corp., 406 Fed.Appx. 129 (9th Cir. 2010), the Ninth Circuit explained that its holding in a concurrently published opinion that the plaintiffs “pled an injury-in-fact for purposes of Article III standing does not establish that they adequately pled damages for purposes of their state-law claims” arising out of the theft of a company laptop containing the confidential personal information of thousands of Starbucks employees. Id. at 131.[3] The court concluded that, despite having Article III standing based on the risk of future identity theft, the employees failed to state a negligence claim because, under the relevant state law, “[t]he mere danger of future harm, unaccompanied by present damage, will not support a negligence action.” Id. (citation omitted). So too here. Although plaintiffs have successfully pled an injury-in-fact sufficient to support federal constitutional standing, they must still plead a proper cause of action under the relevant D.C. or state law.

         With that issue aside, the Court now turns to the merits of CareFirst's argument that nine causes of action should be dismissed for failure to plead damages under the applicable state laws.

         1. Plaintiffs must allege actual damages for nine of their causes of action

         All but two of plaintiffs' claims require allegations of actual damages.

         a. Breach of contract

         Under District of Columbia law, actual loss or damage is an essential element for a breach of contract cause of action. See Cahn v. Antioch Univ., 482 A.2d 120, 130 (D.C. 1984) (“It is clear in contract law that a plaintiff is not required to prove the amount of his damages precisely; however, the fact of damage and a reasonable estimate must be established.” (quoting W.G. Cornell Co. of Wash., D.C. v. Ceramic Coating Co., Inc., 626 F.2d 990, 993 (D.C. Cir. 1980))); Sloan v. Urban Title Servs., Inc., 689 F.Supp.2d 123, 133 & 133 n.7 (D.D.C. 2010) (“Both District and Virginia law require proof of injury (i.e., damages) as an element of claims for breach of contract[.]” (citing Osbourne v. Capital City ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.