Court: District Court, S.D. Indiana; April 14, 2016; Federal District Court
The Court addressed a Motion to Dismiss filed by Defendants Blue Sky Resorts, LLC, and Blue Sky Casinos, LLC, in response to a consumer lawsuit brought by Plaintiffs Annie Alonso and Natalie Hardt. The lawsuit alleges Breach of Implied Contract, Unjust Enrichment, and Breach of Duty of Good Faith and Fair Dealing following a data breach that compromised personal information stored on Blue Sky's servers. Blue Sky operates the French Lick Resort in Indiana, where both plaintiffs stayed and used credit cards for payment.
In January 2015, Blue Sky discovered that hackers had installed malware on its point-of-sale system, allowing them to access customers' credit card information, including names, card numbers, and expiration dates. Upon detection, Blue Sky promptly notified law enforcement, engaged a technology team for remediation, and initiated customer notifications starting January 26, 2015. They also informed state Attorneys General and the media, set up a call center, offered free credit monitoring through Experian, and provided identity theft insurance coverage.
Both Alonso and Hardt experienced damages due to the breach. Alonso faced issues with her AT&T payment after her card was canceled, requiring time to update automatic payments. Hardt incurred expenses for credit monitoring services following the breach. Ultimately, the Court granted Blue Sky’s Motion to Dismiss the case.
Alonso and Hardt have not provided evidence that their credit card information was used fraudulently, although they claim a class of individuals experienced similar data breaches. This class includes all U.S. residents whose personal or financial information was compromised in a data breach identified by the Defendants in January 2015. The plaintiffs assert that they and class members were overcharged for products and services at the French Lick Resort due to an allocation of costs aimed at data protection.
The legal context involves a motion to dismiss under Rule 12(b)(1), which challenges subject matter jurisdiction. The plaintiff bears the burden of proving jurisdictional claims with competent evidence, and the court must assess the situation as it was at the time of filing. All well-pleaded allegations are accepted as true unless standing is factually contested. The court may also review evidence beyond the complaint to determine jurisdiction.
Additionally, Rule 12(b)(6) allows a defendant to dismiss complaints lacking a valid claim. The court accepts factual allegations as true and requires a complaint to present a clear claim for relief, avoiding mere conclusions or insufficiently supported assertions. The allegations must provide fair notice to the defendant regarding the claim and its basis, establishing a plausible right to relief that enables reasonable inferences of defendant liability.
Blue Sky seeks dismissal of the Third Amended Complaint under Rule 12(b)(1) and Rule 12(b)(6). The first argument asserts that plaintiffs Alonso and Hardt lack standing, as they do not allege a concrete or actual injury that is traceable to Blue Sky's conduct. To establish Article III standing, three criteria must be met: (1) a concrete and particularized injury that is actual or imminent; (2) a causal connection between the injury and the defendant’s conduct; and (3) a likelihood that the injury will be redressed by a favorable court decision. The plaintiffs bear the burden of proving these elements.
Blue Sky contends that the plaintiffs failed to allege any actual injury or a certainly impending future injury. They argue that Alonso and Hardt do not claim any fraudulent charges on their credit cards and have not shown that their credit card information was compromised by hackers. Furthermore, only certain transactions, specifically those not related to hotel room charges, could potentially be at risk, and even then, only a subset of those transactions was targeted by the malware. Blue Sky notes the absence of allegations that either plaintiff's identity has been stolen for various purposes, and emphasizes that Social Security numbers were not stored on the resort's server, making it impossible for hackers to obtain such information. The claims are deemed speculative without concrete allegations of harm.
Blue Sky argues that claims of identity theft or impersonation stemming solely from a credit card number theft are implausible. Alonso states her credit card was replaced in January 2015 due to a data breach, which led to a delinquent payment on her AT&T account set for automatic deductions. She suggests this delinquency may have negatively impacted her credit report, although she provides no evidence of actual damage or fees from AT&T. Alonso also spent over an hour updating her credit card information for various payments. Hardt claims her card was replaced in late June 2014 after a stay at the French Lick Resort, and she has incurred monthly charges for a credit monitoring service due to concerns over her stolen information. Plaintiffs assert they could face costs related to lost wages, time spent mitigating breach effects, credit monitoring fees, and emotional distress. In response, Blue Sky highlights that plaintiffs have not demonstrated actual wage losses, reduced credit limits, or any fraudulent transactions, nor have they shown that their credit scores were adversely affected. It points out that no social security numbers were compromised, diminishing identity theft risks. Blue Sky contends that since Hardt's card was replaced shortly after the breach, ongoing credit monitoring is unnecessary.
Blue Sky contends that Hardt did not justify the reasonableness of her credit monitoring expenses, especially given the free services provided by Blue Sky. Plaintiffs maintain that the data breach during their resort stay, time spent on automatic payments and credit monitoring research, one potential delinquent payment, and incurred credit monitoring costs demonstrate a concrete injury or an impending injury that supports their standing. They reference Remijas v. Neiman Marcus Group, LLC to bolster their claim of standing based on similar circumstances involving actual fraud. However, Blue Sky emphasizes the lack of evidence for any fraudulent transactions or stolen credit card information, noting that the plaintiffs’ cards were canceled before any fraud occurred, rendering future injury speculative. Blue Sky's provision of credit monitoring services further undermines the plaintiffs' claims. Plaintiffs did not report actual losses or credit issues, failing to establish a concrete, particularized injury. The plaintiffs' anticipated future harm does not meet the Supreme Court's standard for standing, which requires that injury be certainly impending and not based on speculative fears. Hardt’s self-imposed costs for credit monitoring do not suffice to create standing, particularly as her credit card was replaced soon after the incident without any fraudulent charges. Lastly, the attempt to establish standing through a class action does not succeed, as a plaintiff cannot gain standing through the injuries of others.
A class action does not, by itself, establish standing; named plaintiffs must demonstrate personal injury rather than relying on injuries suffered by unnamed class members (Simon v. E. Ky. Welfare Rights Org.). The Court finds that the Plaintiffs lack Article III standing, as they have not alleged a concrete, particularized injury nor shown that any feared future injury is certainly impending. They cannot create standing through anticipated costs for non-imminent harm, warranting dismissal under Rule 12(b)(1). Additionally, Blue Sky argues for dismissal under Rule 12(b)(6) due to the absence of cognizable claims. A complaint must state a plausible claim for relief, requiring factual allegations that surpass mere speculation (Iqbal, Twombly). Blue Sky contends that Plaintiffs' claims reflect only trivial annoyance without actual harm or a plausible future injury, failing to meet the required standard for a claim. Furthermore, Plaintiffs’ claims are not recognized under Indiana or Kentucky law, as illustrated in Pisciotta v. Old Nat’l Bancorp, where similar claims after a data breach were dismissed due to novelty and lack of recognized private right of action. The court emphasized that Indiana law does not provide remedies for inconveniences or potential credit harm following data breaches. Consequently, dismissal under Rule 12(b)(6) is deemed appropriate, as Indiana courts are unlikely to acknowledge the Plaintiffs’ novel claims in this context.
Hardt's claims, potentially arising under Kentucky law, are found to be insufficient, similar to Alonso's claims under Indiana law. A federal district court in Kentucky previously ruled in Holmes v. Countrywide Fin. Corp. that Kentucky courts do not recognize claims for future identity theft risks, credit monitoring costs, and time spent on financial account monitoring, dismissing claims of unjust enrichment, breach of contract, and breach of good faith. Both Kentucky and Indiana have Disclosure of Security Breach statutes that require only limited notification duties without imposing broader responsibilities. Consequently, the court concludes that dismissal under Rule 12(b)(6) is warranted due to the improbability of Kentucky courts recognizing these novel claims related to data breaches. Blue Sky's Motion to Dismiss is granted under Rules 12(b)(1) and 12(b)(6), resulting in the dismissal of the Plaintiffs' Third Amended Complaint with prejudice. Additionally, Alonso's Motion for Class Certification was voluntarily withdrawn, and the case has not been certified as a class action. The Seventh Circuit has indicated in dicta that claims in the data breach context, such as unjust enrichment or property rights in personal data, are questionable.
