McKenzie v. Allconnect, Inc.

Docket: Case No. 5:18-cv-359-JMH

Court: District Court, E.D. Kentucky; March 28, 2019; Federal District Court

An employee of Allconnect, Inc. fell victim to a phishing scam, leading to the unauthorized release of W-2 tax forms containing sensitive personal information of former employees, who are the named Plaintiffs in the lawsuit. These Plaintiffs allege harm from the breach of their personally identifiable information (PII). The Defendant, Allconnect, asserts that the Plaintiffs lack standing due to failure to demonstrate actual injury and claims the Plaintiffs have not adequately pleaded their allegations. Additionally, Allconnect seeks to strike the class allegations from the complaint.

The court ruled that Allconnect's motion to dismiss based on lack of standing is denied, as Plaintiffs sufficiently illustrated financial loss, lost time, and emotional distress resulting from the breach. Claims for negligence, invasion of privacy via intrusion upon seclusion, and breach of implied contract were also upheld. However, claims for invasion of privacy based on unreasonable publicity and breach of fiduciary duty were dismissed due to insufficient pleading under Rule 12(b)(6). The court noted a lack of information regarding class certification and allowed for limited discovery on this matter, to be revisited when Plaintiffs file a proper motion for class certification.

The factual background indicates that Allconnect, which connects consumers with various services, faced a phishing attack on February 14, 2018, where an impersonator of its president requested employee W-2 information. An employee, believing the email was legitimate, unwittingly provided sensitive data to cybercriminals. The Plaintiffs, McKenzie and Combs, are former employees who worked at Allconnect's call centers in Utah and Kentucky, respectively.

On March 28, 2018, Allconnect identified an unauthorized disclosure of data. In response, Allconnect informed both current and former employees via email and mailed letters on April 2, 2018, detailing the incident. Additionally, Allconnect offered affected employees two years of free identity protection services through Allclear ID. Plaintiffs, representing similarly affected employees, allege damages due to the breach, asserting they must undertake preventative measures against identity theft, which detracts from their personal and professional activities. They cite specific actions taken, such as placing freezes and alerts on credit reports and modifying financial accounts, leading to lost time and damages.

Subsequently, the Plaintiffs filed a lawsuit in Fayette Circuit Court, which was removed to federal court by Allconnect under the Class Action Fairness Act (CAFA). Allconnect moved to dismiss the complaint, arguing lack of standing, insufficient claims, and alternatively, requested to strike class allegations. The Plaintiffs contend four causes of action: negligence, invasion of privacy, breach of implied contract, and breach of fiduciary duty. Allconnect asserts that the Plaintiffs cannot demonstrate a cognizable injury necessary for Article III standing, claiming that fear of future harm alone is inadequate for legal standing. Article III restricts federal court jurisdiction to actual cases and controversies, and standing helps define such disputes appropriate for judicial resolution.

To establish Article III standing, a plaintiff must demonstrate three elements: (1) an 'injury in fact,' (2) a sufficient 'causal connection' between the injury and the complained conduct, and (3) a 'likelihood' that the injury will be redressed by a favorable decision. In a relevant case, Galaria, the Sixth Circuit found that standing existed after a data breach involving Nationwide, where employees claimed unauthorized release of personal data. The court acknowledged a split among jurisdictions regarding whether a cognizable injury was present in data breach cases but concluded that allegations of a substantial risk of harm and incurred mitigation costs were sufficient to establish a cognizable injury at the pleading stage. The majority held that while it may not be certain that the data would be misused, the risk of harm made mitigation costs a concrete injury, satisfying the standing requirement. However, a dissenting judge contended that the plaintiffs failed to establish causation between Nationwide's actions and the hackers' conduct. Although Galaria is not binding as it is an unpublished opinion, Allconnect acknowledges its persuasive value while arguing it conflicts with the standard set by Clapper. Nonetheless, Allconnect has not meaningfully distinguished its case from Galaria. The plaintiffs in the current case have shown that they incurred time and costs to mitigate damages from the unauthorized release of their personal information, thus demonstrating a cognizable injury directly linked to Allconnect's actions.

Plaintiffs have sufficiently alleged injury from mitigation costs incurred to prevent misuse of their stolen personal information, establishing Article III standing. The Court acknowledges Allconnect's arguments against the Galaria decision but notes that they fail to differentiate it from the current case, indicating that such arguments should be presented to the Sixth Circuit. At the pleading stage, Plaintiffs have demonstrated a cognizable injury through lost time, financial costs, and emotional distress due to the unauthorized data release.

Allconnect's motion to dismiss under Rule 12(b)(6) argues that the Plaintiffs' claims do not meet federal pleading standards. While the Court applies the substantive law of the forum state in diversity cases, it adheres to federal pleading standards. A complaint must include a concise statement showing entitlement to relief and sufficient factual support, though it need not detail every trial fact. The Court emphasizes that mere labels or conclusions are inadequate; factual allegations must allow for a plausible claim of relief. The complaint must be construed favorably to the plaintiff.

The case involves class representatives from different states, necessitating a choice of law analysis, which the Court acknowledges will occur but is not required at this stage. The representatives allege harms occurring in Kentucky and Utah, but the Court lacks sufficient information to conduct a detailed choice of law analysis at this time.

For the 12(b)(6) motion to dismiss, the Court will evaluate the claims under Kentucky and Utah law. Allconnect contends that the Plaintiffs failed to adequately plead a negligence claim on two fronts: first, it asserts that it has no legal duty to protect its employees from harm by third parties or cybercriminals; second, it argues that the Plaintiffs have not shown a cognizable injury. The elements of negligence under both states' laws include duty of care, breach, causation, and damages.

While Allconnect may be correct in asserting a lack of duty to protect employees from unknown third parties, this does not fully address the Plaintiffs' claims. The Plaintiffs argue that Allconnect had a duty to safeguard sensitive personal information provided by employees as a condition of their employment. The Court finds that the Plaintiffs have presented sufficient facts to suggest that this duty existed, as they were required to disclose sensitive information to Allconnect. Thus, Allconnect had a duty to prevent foreseeable harm by protecting this information from unauthorized access.

Regarding the second argument about cognizable injury, Allconnect claims the damages are speculative. However, the Court determines that the Plaintiffs have adequately demonstrated a cognizable injury, given the unauthorized release of personal information due to a phishing scam. Therefore, the Plaintiffs have sufficiently pleaded their case to survive the motion to dismiss based on both duty of care and injury.

Plaintiffs allege monetary losses and emotional distress due to a breach of data security, claiming they incurred expenses to protect their personal information following an unauthorized release. The court finds that the Plaintiffs have provided sufficient factual support to potentially establish damages related to negligence, leading to the denial of Allconnect's motion to dismiss this claim.

Regarding the invasion of privacy claim, two torts are relevant: intrusion upon seclusion and unreasonable publicity. The elements of intrusion upon seclusion require an intentional intrusion into a private matter that a reasonable person would find highly offensive. Allconnect argues that Plaintiffs failed to sufficiently allege intentional intrusion. However, Plaintiffs assert that Allconnect recklessly disregarded their privacy by improperly accessing and sending employees' personal information to cybercriminals.

Evidence suggests that an Allconnect employee gathered sensitive tax information and mistakenly responded to a fraudulent email, supporting the claim of intrusion. The court notes that actions taken with reckless disregard for privacy can constitute intentional torts. Plaintiffs have alleged that Allconnect was aware of phishing threats and did not train employees or implement policies to prevent data breaches, providing enough factual basis to plead a claim for intrusion upon seclusion.

The Plaintiffs have adequately pleaded a claim for intrusion upon seclusion, meeting federal pleading standards, so Allconnect's motion to dismiss this claim is denied. However, the claim for unreasonable publicity fails because the Plaintiffs did not demonstrate that Allconnect published their private information. The Restatement (Second) of Torts defines 'publicity' as communicating information to the public or a significant number of individuals. The Plaintiffs could not show that Allconnect communicated their private information to such an extent that it would likely become public knowledge. Previous cases have determined that unauthorized disclosures do not equate to publication. Although the Plaintiffs argue that an Allconnect employee's voluntary provision of information to cybercriminals constitutes publication, this interpretation stretches the legal definition of publicity. The complaint lacks details on the number of individuals who accessed the email containing personal information or evidence of widespread dissemination. Thus, any potential future dissemination by unknown scammers does not implicate Allconnect in publishing the information. Consequently, the claim for invasion of privacy based on unreasonable publicity must be dismissed.

To prove a breach of an implied contract, the Plaintiff must establish the existence of such a contract through mutual assent and demonstrate a failure to comply with its terms. Allconnect contends that the Plaintiffs have not shown a meeting of the minds necessary to create an implied contract. Additionally, Allconnect argues that even if an implied contract existed, the Plaintiffs' claims should be dismissed due to a lack of actual damages. Allconnect asserts that the Plaintiffs' allegations are conclusory and do not sufficiently indicate that Allconnect had a duty to protect employee information from hackers. However, the Plaintiffs argue that their employment agreement with Allconnect implicitly included an obligation to maintain confidentiality and security of their personal information. They claim that providing personal information was a condition of their employment and that Allconnect implicitly agreed to safeguard it. At this early litigation stage, these assertions are deemed sufficient for the implied contract claim to proceed. Federal case law supports the existence of implied contracts in data breach contexts, indicating that employers may have obligations to protect employees' personal information. Allconnect's attempts to dismiss these precedents and challenge the sufficiency of the Plaintiffs’ claims have been found unconvincing, despite citing cases where implied contracts were not recognized.

Allconnect's cited cases serve as only persuasive authority and do not negate the facts of this case, where an employee inadvertently compromised personal data by responding to a phishing email, rather than a third-party hacker's intrusion. This suggests that Allconnect impliedly agreed to take reasonable measures to protect its employees' personal data. Although Allconnect argues for dismissal of the breach of implied contract claim due to lack of alleged actual damages, the Plaintiffs have sufficiently outlined potential damages, including lost time, emotional distress, and financial loss related to the data breach response efforts. Consequently, the motion to dismiss the implied contract claim is denied.

Regarding the claim for breach of fiduciary duty, Allconnect contends that a fiduciary relationship with the Plaintiffs is not present. While there is a general duty for employers to protect employees' private information, this does not necessarily establish a fiduciary relationship. The Plaintiffs allege that Allconnect had a fiduciary duty to safeguard their private information, but these assertions lack supporting evidence and are treated as legal conclusions. The Plaintiffs reference cases from Kentucky and Utah recognizing employer-employee fiduciary relationships; however, the specific allegations in this case do not adequately substantiate that such a relationship exists here.

No fiduciary relationship exists between an employer and employees regarding the protection of employees' private data, as established by case law. Prior cases primarily addressed limited fiduciary duties of employees towards employers, such as loyalty and non-competition. The law recognizes fiduciary duties for agents acting on behalf of another, but mere employment does not establish such a relationship regarding data security. Plaintiffs have not presented sufficient factual allegations to demonstrate that Allconnect undertook a duty to protect employees' personal information. While Allconnect may have a general duty to safeguard this data, it does not rise to the level of a fiduciary relationship, leading to the dismissal of the breach of fiduciary duty claim.

Regarding the class action aspect, Plaintiffs aim to represent all Allconnect employees affected by unauthorized data disclosure. Allconnect argues that the class allegations should be struck due to failure to meet Rule 23 certification requirements. However, it is premature to decide on class certification at this stage, as the Plaintiffs have not yet filed for certification. The court suggests that the determination should be based on more information than just the pleadings and allows for limited discovery to ascertain the maintainability of the class action. The Court will address class certification after this discovery period and upon the Plaintiffs’ motion for certification.

The Court acknowledges the potential burden on the Defendant in continuing to defend against litigation while awaiting class certification. To address this, limited and expedited discovery pertinent to class certification is mandated, with Plaintiffs required to submit a motion for class certification promptly. The Court finds that at the pleading stage, Plaintiffs have established Article III standing and allowed claims for negligence, invasion of privacy based on intrusion upon seclusion, and breach of implied contract to proceed. However, Plaintiffs have not sufficiently alleged claims for invasion of privacy based on unreasonable publicity and breach of fiduciary duty, leading to the dismissal of these claims. The Court's orders are as follows: 1) Allconnect's motion to dismiss and to strike class allegations is granted in part and denied in part; 2) Plaintiffs' claim for invasion of privacy is partially dismissed due to failure to plead unreasonable publicity; 3) The breach of fiduciary duty claim is dismissed for lack of a viable claim; 4) Allconnect's motion to dismiss the first three counts remains denied; and 5) The motion to strike class allegations is denied at this time. The Court references the Clapper case and notes varying expressions of negligence elements in Kentucky law, emphasizing duty, breach, and consequent injury, which includes actual injury and legal causation.