Jones v. Sturm, Ruger & Co., Inc., No. 3:2022cv01233 - Document 74 (D. Conn. 2024)

Court Description: ORDER granting in part and denying in part 52 Motion to Dismiss; granting in part and denying in part 53 Motion to Dismiss. See attached Memorandum of Decision. Signed by Judge Kari A. Dooley on 3/27/2024. (Chambers, J.)

Download PDF
Jones v. Sturm, Ruger & Co., Inc. Doc. 74 UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT MARK JONES, et al., Plaintiffs, v. STURM, RUGER & COMPANY, INC., and FREESTYLE SOFTWARE, INC., Defendants. ) ) ) ) ) ) ) ) CASE NO. 3:22-cv-1233 (KAD) MARCH 27, 2024 MEMORANDUM OF DECISION RE: DEFENDANTS’ MOTIONS TO DISMISS (ECF NOS. 52 & 53) Kari A. Dooley, United States District Judge: This putative class action arises out of data breach of a server which hosted several ecommerce sites and allegedly resulted in the compromise of personal identifying information (“PII”) belonging to Plaintiffs Mark Jones, Michelle Gould, Dicky Warren, Carl Jung, Lauren Copeland, and Lee Woods and those similarly situated. In a three-count Complaint, Plaintiffs assert state law claims for negligence, breach of contract, and unjust enrichment against Defendants Freestyle Software, Inc. (“Freestyle”) and Sturm, Ruger & Company, Inc. (“Sturm, Ruger”) (collectively, “Defendants”), alleging that the data breach of Freestyle’s server, which hosted Sturm, Ruger’s e-commerce site, provided cybercriminals with access to their sensitive PII and payment card data (“PCD”) which could be used to perpetrate theft, identity crimes, and fraud. Pending before the Court are Defendants’ motions to dismiss the Amended Complaint pursuant to Fed. R. Civ. P. 12(b)(1) for lack of Article III standing and Fed. R. Civ. P. 12(b)(6) for failure to state a claim. For the reasons set forth below, both Defendants’ motions to dismiss are GRANTED in part and DENIED in part. (ECF Nos. 52 & 53) Standard of Review Article III limits the subject-matter jurisdiction of the federal courts to “Cases” and “Controversies.” SM Kids, LLC v. Google LLC, 963 F.3d 206, 211 (2d Cir. 2020). The standing doctrine, which emerges from Article III, is designed “to ensure that federal courts do not exceed their authority as it has been traditionally understood.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). A plaintiff has Article III standing when the plaintiff has “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. In a class action, federal courts lack jurisdiction if no named plaintiff has standing. Frank v. Gaos, 586 U.S.––, 139 S. Ct. 1041, 1046 (2019). A motion to dismiss for lack of Article III standing is properly brought under Fed. R. Civ. P. 12(b)(1). SM Kids, 963 F.3d at 210. When a motion under Rule 12(b)(1) is based solely on the complaint and the attached exhibits, as here, the plaintiff bears no evidentiary burden. Id. In addressing such a “facial” challenge, the task of the district court is to determine whether, after accepting as true all material factual allegations of the complaint and drawing all reasonable inferences in favor of the plaintiff, the alleged facts affirmatively and plausibly suggest that the court has subject matter jurisdiction. Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56–57 (2d Cir. 2016). To survive a motion to dismiss filed pursuant to Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting Twombly, 2 550 U.S. at 557). Legal conclusions and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements,” are not entitled to a presumption of truth. Iqbal, 556 U.S. at 678. Nevertheless, when reviewing a motion to dismiss, the court must accept well-pleaded factual allegations as true and draw “all reasonable inferences in the non-movant’s favor.” Interworks Sys. Inc. v. Merch. Fin. Corp., 604 F.3d 692, 699 (2d Cir. 2010). Factual Allegations Sturm, Ruger is a Connecticut corporation that manufactures firearms and firearm accessories and sells such accessories on Am. Compl. 1– 2 ¶¶ 1–2; 7–8 ¶ 22. Freestyle is a New Jersey software developer that services e-commerce platforms such as ShopRuger. Id. at ¶ 1–2. Plaintiff class members consist of Ohio, Arizona, Tennessee, Missouri, Texas, and Michigan residents who made an account or a purchase on ShopRuger. Am. Compl. at 6 ¶¶ 10–15. Defendants required Plaintiffs to provide their names, shipping addresses, email addresses, credit or debit card numbers, card security or access codes, card expiration dates, and billing addresses as a condition of Plaintiffs making an account on or purchasing items from ShopRuger. Am. Compl. at 2 ¶ 2. On August 18, 2022, Sturm, Ruger notified Plaintiffs and others that Freestyle was a victim of malware that infected its servers between September 18, 2020, and February 3, 2022. Am. Compl. at 3 ¶ 6. Cybercriminals had access to Plaintiffs’ PII. Id. Freestyle allegedly removed the malware from the servers in February 2022. Am. Compl. at 12 ¶ 42. Plaintiffs and other affected customers were offered twelve months of free identity protection and a $1,000,000 insurance reimbursement policy. Am. Compl. at 23 ¶ 86; Ex. A, ECF No. 52-2 at 2–3. Plaintiffs allege that there is a strong possibility that their stolen payment card information is available on the black market, thereby making them at an increased risk of fraud. Am. Compl. 3 at 17 ¶ 64. Plaintiffs and others have spent and will spend substantial time and expense finding fraudulent charges, cancelling and reissuing cards, purchasing credit monitoring and identity theft prevention, spending time addressing compromised accounts, and paying late and declined payment fees a result of failed automatic payments. Am. Comp at 17 ¶ 65; 19 ¶ 74. Plaintiff Jones suffered five fraudulent charges on the credit card he used to make purchases on ShopRuger. Am. Compl. at 24 ¶ 90. Plaintiff Gould suffered multiple fraudulent transactions on her bank account that was connected to the debit card she used to make purchases on ShopRuger. Am. Compl. at 27 ¶ 113. Plaintiff Gould also spent time disputing the unauthorized charges and paid out-of-pocket for identity theft monitoring services. Am. Compl. at 27 ¶¶ 117– 18; 29–30 ¶¶ 126–27. Plaintiff Copeland found unauthorized transactions on her bank account and had to twice cancel her debit card. Am. Compl. at 35 ¶¶ 165–66. Plaintiffs generally allege that, as a direct result of Defendants’ failure to maintain the security and confidentiality of their PII, they and other similarly situated face imminent and impending injury arising from the substantially increased risk of future fraud, identity theft, burglary, 1 and misuse. Am. Compl. 26 ¶ 102; 29 ¶ 123; 32 ¶ 142; 34 ¶ 156; 36 ¶ 172; 38 ¶ 186. Discussion Both Defendants contend that this Court lacks subject matter jurisdiction because Plaintiffs have failed to establish that they suffered an injury in fact, a prerequisite to Article III standing. Defendants further contend that even if Plaintiffs have standing, they fail to plausibly allege claims for negligence, breach of contract, and unjust enrichment. Standing – 12(b)(1) 1 Plaintiffs also allege that there is an increase in risk of burglary insofar as the cybercriminals, knowing the location to which Sturm, Ruger products were shipped, can sell this information to those looking for such products but who are unable to legally purchase them. 4 To establish Article III standing, a plaintiff must allege an injury in fact that satisfies three criteria. The injury must be “concrete, particularized, and actual or imminent.” Thole v. U.S. Bank N.A., 140 S. Ct. 1615, 1618 (2020). Whether an injury in fact is concrete and actual or imminent are related, but separate and distinct inquiries. 2 The Supreme Court’s decision in TransUnion v. Ramirez, 594 U.S. 413 (2021) controls as to whether Plaintiffs have alleged a concrete injury. See Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276 (2d Cir. 2023). In TransUnion, the Supreme Court recognized that concrete harm may be both tangible—invoking traditional notions of injury, such as physical or monetary harms—as well as intangible. TransUnion 594 U.S. at 425. As to intangible harms, the Supreme Court held that “disclosure of private information” was an intangible harm “traditionally recognized as providing a basis for lawsuits in American courts.” Id. at 424. Therefore, the injury arising from such disclosure was concrete for the purposes of the Article III standing analysis. Id. The Second Circuit has concluded that a plaintiff may also establish concrete harm based on expenses “reasonably incurred” to mitigate “a substantial risk of future identity theft or fraud” as a result of a data breach, and that this separate harm independently supports standing. Bohnak, 79 F.4th at 286 (quoting McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (2d Cir. 2021)). For such an expense to be reasonable, however, the plaintiff must also show that the risk of misuse is “actual and imminent.” Id. at 288. In Bohnak, another data breach case, the Second Circuit linked the determination of whether a harm is concrete to the determination of whether it is also actual or imminent. A future injury constitutes an Article III injury in fact “if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (internal quotation marks omitted). In 2 Courts addressing Article III standing do not always distinguish between these separate components when discussing the injury in fact requirement of standing. 5 McMorris, the Second Circuit set forth “three non-exhaustive factors” that bear on whether an injury is actual or imminent in a data breach case: (1) “whether the data was compromised as the result of a targeted attack intended to get” PII; (2) whether “some part of the compromised dataset has been misused—even if a plaintiff’s own data has not”; and (3) “whether the exposed PII is of the type ‘more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.’” Bohnak, 79 F.4th at 288 (quoting McMorris, 995 F.3d at 301–303). As the Second Circuit explained: [T]he dissemination of high-risk information such as [Social Security numbers] especially when accompanied by victims’ names[ ] makes it more likely that those victims will be subject to future identity theft or fraud. On the other hand, . . . the exposure of data that is publicly available, or that can be rendered useless (like a credit card number unaccompanied by other PII), is less likely to subject plaintiffs to a perpetual risk of identity theft. Id. (cleaned up). Defendants principally argue that Plaintiffs Jones, Copeland, and Gould cannot establish an injury in fact because they were not held responsible for any fraudulent charges and payment card information is easily cancelled, replaced, or changed. Defendants also argue that all named Plaintiffs cannot establish an injury in fact based on a risk of future harm. The Court addresses each argument in turn. First, TransUnion and Bohnak foreclose Defendants’ arguments as to whether Plaintiffs have sufficiently alleged a concrete injury. The exposure of Plaintiffs’ PII to unauthorized third parties “bears some relationship” to the “well-establish common-law analog: public disclosure of private facts.” Bohnak, 79 F.4th at 285–86. Moreover, Plaintiff Gould alleged that she incurred “out of pocket costs by paying a monthly fee for credit and identity protection services,” Am. Compl. at 30 ¶ 127, and Plaintiffs generally allege lost time and other opportunity costs associated with “attempting to mitigate the consequences of the data breach,” which is a separate basis to 6 conclude that Plaintiffs have plausibly alleged a concrete injury. Bohnak, 79 F.4th at 286; see also McMorris, 995 F.3d at 303 (“[W]here plaintiffs have shown a substantial risk of future identity theft or fraud, any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact.”); Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 376–77 (1st Cir. 2023) (concluding that plaintiff plausibly alleged standing after TransUnion because “time spent responding to a data breach can constitute a concrete injury sufficient to confer standing” even when there was no allegation that plaintiff’s PII had been actually misused but other PII in the same data set had been). Second, the Court concludes that Plaintiffs have sufficiently alleged that their additional claimed injury—risk of future harm—is actual or imminent. Defendants concede that Plaintiffs satisfy the first McMorris factor, which asks whether the PII “was comprised as a result of a targeted attack intended to get PII.” 995 F.3d at 301. Sturm, Ruger argues that as to the second factor, whether “some part of compromised dataset has been misused,” even though Plaintiffs Jones, Copeland, and Gould experienced fraudulent charges, such charges were inconsequential because they were not held responsible for the charges and did not incur any expense in having the charges reversed. See ECF No. 52-1 at 20. This argument misses the point—the second factor in McMorris asks only whether the data has been misused. The answer to that question is unequivocally yes and satisfies this factor as to Plaintiffs who allege actual misuse as well as Plaintiffs who allege only that they face a substantial risk of identity theft of fraud. See Bohnak, 79 F.4th at 288 (concluding that “fraudulent charges to the credit cards of other customers impacted by the same data breach . . . can support a finding that a plaintiff is at a substantial risk of identity theft or fraud”); Pena v. British Airways, PLC (UK), 849 F. Appx. 13, 14 (2d Cir. 2021) (citing McMorris and concluding that plaintiff adequately alleged an injury in fact where “hackers 7 stole information regarding two of his credits cards,” “his credit card information was misused,” and “after he incurred the fraudulent charges on his card, he had to call his bank to deduce the nature of the charges, have the charges reversed, and cancel his card” and that the call took 10 to 20 minutes and had to pay “international rates because he was abroad at the time”). As to the third McMorris factor, the Court concludes that the exposed PII is the type more “likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” Bohnak, 79 F.4th at 288. 3 Although the payment card information is not as sensitive as Social Security Numbers and can be rendered useless to bad actors, the Court concludes that this is not fatal to Plaintiffs’ standing. It was not simply Plaintiffs’ card numbers that were exposed. And where some Plaintiffs allege that they incurred fraudulent charges, and two of the three McMorris factors weigh in favor of a finding that the risk of future harm is actual or imminent, dismissal at this stage is not warranted. 4 See In re, Inc., 888 F.3d 1020, 1027–28 (9th Cir. 2018) (plaintiffs who specifically alleged that they suffered financial losses because of the data breach undermined defendant’s “assertion that the data stolen in the breach cannot be used for fraud or identity theft” and rejecting argument that “too much time has passed since the breach for any harm to be imminent is “one that may be appropriate for summary judgment but not one that may support a facial challenge to standing at the motion to dismiss stage”). Accordingly, accepting as true all allegations, Plaintiffs have demonstrated that the type of data stolen is more likely to subject them to a perpetual risk of identity theft or fraud. 3 Although Plaintiffs further allege increased risk of burglary in light of the nature of the Sturm, Ruger products purchased and the address to which those products were shipped, the Court has not located any case in which a data breach also, potentially, implicated safety concerns. 4 The Court recognizes that these issues will likely recur at the class certification and summary judgment stages. This decision does not preclude a contrary ruling once the parties have engaged in discovery and further developed the record as to Plaintiffs’ alleged injuries. 8 Defendants’ reliance on Whalen v. Michaels Stores, Inc., 689 F. Appx. 89, 90 (2d Cir. 2017) is no longer persuasive after Bohnak. Moreover, Whalen is readily distinguishable on its facts: the plaintiff never alleged that fraudulent charges were actually incurred on her credit card, she never alleged a plausible threat of future fraud “because her stolen credit card was promptly cancelled,” she did not allege that any other information—such as her birth date or Social Security number—was taken in the breach, and she did not allege “any time or effort that she herself has spent monitoring her credit.” Id. Assessing the sum of their allegations in light of Bohnak, Plaintiffs have plausibly alleged an injury in fact and that their injuries could be redressed through money damages. Accordingly, Plaintiffs have adequately alleged Article III standing. Failure to State a Claim — 12(b)(6) Defendants also move to dismiss Plaintiffs’ claims of negligence, breach of contract, and unjust enrichment pursuant to Fed. R. Civ. P. 12(b)(6). Because each Defendant advances separate arguments, and because Defendants are separately situated in their respective relationships to Plaintiffs and the role they allegedly played in the data breach, the Court addresses each Defendant’s motion in turn. Sturm, Ruger First, Sturm, Ruger argues that the limitation of liability clause contained in its Terms of Use bar all of Plaintiffs’ claims. Sturm, Ruger also argues that Plaintiffs’ negligence claims are further barred by the economic loss doctrine, that Plaintiffs’ breach of contract claims fail because they fail to plead a breach or damages, and that Plaintiffs’ unjust enrichment claims are duplicative of their breach of contract claims. Limitation on Liability Clause 9 Sturm, Ruger claims that Plaintiffs waived any claim that Sturm, Ruger is liable when they agreed to the Terms of Use on ShopRuger. Plaintiffs argue that this limitation on liability clause violates public policy or is otherwise unconscionable. Both parties miss the mark. The Court recognizes that in some cases, it may assess a limitation on liability clause and analyze whether such clause violates public policy or is unconscionable on a Rule 12(b)(6) motion to dismiss. See Omni Corp. v. Sonitrol Corp., 476 F. Supp. 2d 125 (D. Conn. 2007); Pierce v. Emigrant Mortg. Co., No. 3:04-cv-1767 (JCH), 2007 WL 480025, at *4 (D. Conn. Dec. 27, 2007). However, making such determinations in this case requires further development of the record and factual assessments which cannot be made on the four corners of this complaint. Indeed, most of the decisions cited by both Plaintiffs and Sturm, Ruger involve adjudication at the summary judgment stage of the litigation. See, e.g., Leon’s Bakery, Inc. v. Grinnell Corp., 990 F.2d 44 (2d Cir. 1993) (assessing on appeal limitation of liability clause after summary judgment entered for defendant); Empire Fire & Marine Ins. v. Lang, 655 F. Supp. 2d 150 (D. Conn. 2009) (assessing whether insurance exclusion violates public policy or is an unenforceable contract of adhesion on summary judgment); Reardon v. Windswept Farm, LLC, 280 Conn. 153 (2006) (assessing whether release violates public policy on summary judgment); Hanks v. Powder Ridge Restaurant Corp., 276 Conn. 314 (2005) (same); B & D Associates, Inc. v. Russell, 73 Conn. App. 66 (2002) (assessing whether limitation of liability clause is enforceable on summary judgment). Indeed, whether the limitation on liability clause violates public policy requires the Court to consider “the totality of the circumstances in any given case against the backdrop of current societal expectations,” Reardon, 280 Conn. at 159 (citing Hanks, 276 Conn. at 330), and likewise, whether the limitation on liability clause is unconscionable requires “a fact-intensive examination 10 of the agreement at issue.” Pierce, 2007 WL 4800725, at *4. 5 Accordingly, the Court does not decide this issue at this stage of the litigation. Negligence – Count 1 Sturm, Ruger argues that Plaintiffs’ negligence claim fails because it is barred by the economic loss doctrine. The Court agrees. The economic loss doctrine “reflects the principle that a plaintiff cannot sue in tort for purely monetary loss unaccompanied by physical injury or property damage.” Raspberry Junction Holding, LLC v. Se. Conn. Water Auth., 340 Conn. 200, 202 (2021) (emphasis added). “[T]he economic loss doctrine bars negligence claims that arise out of and are dependent on breach of contract claims that result only in economic loss.” Ulbrich v. Groth, 310 Conn. 375, 410 (2013). Here, Plaintiffs’ allegations as to their negligence claim are identical to the allegations in support of the breach of contract claim. They assert monetary losses (and risk of future monetary losses) but allege no physical or property damage as a result of Sturm, Ruger’s alleged negligence. Although Plaintiff argues that they have suffered non-economic harm from the loss of privacy, emotional distress, and inconvenience and therefore their negligence claim should not be dismissed, they have not cited any Connecticut case to support this proposition, or which carves out such allegations from the application of the economic loss doctrine. “Those contractual lines of protection against economic loss, where available, are considered preferable to judicial assignments of liability in tort.” Raspberry Junction, 340 Conn. at 227 (citing Restatement (Third) of Torts § 7, comment (b)). 5 This issue requires consideration of, inter alia, current policies relating to consumer protection; the impact of the ruling on the online retail space; the relative frequency of the use of such clauses; the intended scope of the clause; and Plaintiffs’ understanding, if any, as to the nature of the clause. 11 Nor are there allegations to support a finding that a special relationship existed between Sturm, Ruger and Plaintiffs such that Sturm, Ruger owed an independent duty to Plaintiffs which would give rise to liability in tort. Although Plaintiffs argue that the Court should find such a duty under Connecticut law, the Plaintiffs cite to no Connecticut authority that such a duty has, in fact, been found to exist under Connecticut law. Absent same, this Court is reluctant to expand the scope of Connecticut law on an issue not yet addressed by any Connecticut appellate court. Kenneson v. Johnson & Johnson, No. 3:14-cv-1184 (MPS), 2015 WL 1867768, at *6 (D. Conn. Apr. 23, 2015) (“It is not this Court’s role to recognize new or expanded causes of action under state law.”). Indeed, similar to the plaintiffs in Raspberry Junction, Plaintiffs are “simply one of thousands of customers” who utilized ShopRuger and there “is nothing to suggest” that a data breach affects plaintiffs “materially differently from any of the defendant’s other customers . . . or that, based on the defendant’s specific knowledge of” Plaintiffs’ data, their “losses, in contrast to those of other customers, were particularly foreseeable and calculable to” Sturm, Ruger. See id. at 230. 6 Accordingly, the Court concludes that the economic loss doctrine bars Plaintiffs’ negligence claim against Sturm, Ruger and this claim is DISMISSED. Breach of Contract – Count 2 Sturm, Ruger next challenges Plaintiffs’ breach of contract claim. Specifically, Sturm, Ruger argues that Plaintiffs fail to allege any facts to suggest that Sturm, Ruger did not take 6 Plaintiffs cite to In re Marriott International, Inc., Customer Data Security Breach Litigation, 2020WL 6290670, at *13–*15 (D. Md. Oct. 27, 2020) for the proposition that Connecticut law would recognize a duty to protect private information despite the economic loss doctrine. The Court finds this case inapposite in light of Raspberry Junction as well as the dearth of any Connecticut court stating that there is in fact a such a duty. In re Marriott is also distinguishable on the grounds that the plaintiffs in that case would have “no Connecticut statutory remedy that [they] could assert to recover for Accenture’s negligence,” see id. at *14, whereas here, Plaintiffs have a cognizable breach of contract claim for their damages. 12 reasonable steps to protect their information and fail to allege damages with any specificity. The Court disagrees. The Court concludes that Plaintiffs have plausibly alleged that Sturm, Ruger breached its contractual obligation to exercise reasonable care in protecting their information. Plaintiffs allege that the Privacy Policy promises that Sturm, Ruger would maintain “commercially reasonable physical, technical, and administrative security measures to protect and limit access to your personal information” and would use “commercially acceptable means to protect your personal information.” Am. Compl. at 9 ¶ 28. Despite this promise, Plaintiffs allege that Sturm, Ruger failed to implement, or failed to require Freestyle to implement, “basic security measures” such as encryption, and failed to “install updates, patches, and malware protection or to install them in a timely manner to protect against a data security breach; and/or failed to provide sufficient control of employee credentials and access to computer systems.” Am. Compl. 12 ¶ 43; 15 ¶ 57. Sturm, Ruger also argues that Plaintiffs fail to allege damages. The Court similarly concludes as the Second Circuit did in Bohnak that increased risk of harm and “the time and money spent trying to mitigate the consequence of the data breach” are damages capable of reasonable proof. 79 F.4th at 289–90. Accordingly, Plaintiffs have also plausibly alleged damages as to their breach of contract claim. Unjust Enrichment – Count 3 Sturm, Ruger last argues that Plaintiffs’ unjust enrichment claim must be dismissed because it cannot stand alongside a breach of contract claim. Although this claim is pled in the alternative to the breach of contract claim, there is no dispute between the parties that there was an express agreement in the form of the Privacy Policy and Terms of Use between Plaintiffs and Sturm, Ruger, and it is therefore appropriate to dismiss Plaintiffs’ unjust enrichment claim. Michel 13 v. Yale Univ., 547 F. Supp. 3d 179, 192–93 (D. Conn. 2021) (noting lack of contract is a precondition to unjust enrichment claim, though claims can be asserted in the alternative if there is a dispute as to the existence of a contract). Accordingly, Plaintiffs’ unjust enrichment claim against Sturm, Ruger is DISMISSED. Freestyle Freestyle argues that Plaintiffs’ negligence claim is barred by the economic loss doctrine, that Plaintiffs’ breach of contract claim fails because they fail to plead a breach or damages, and that Plaintiffs’ unjust enrichment claim is duplicative of their breach of contract claim. Negligence – Count 1 Freestyle argues that the Court should apply New Jersey law to Plaintiffs’ negligence claim. Freestyle further argues that under New Jersey law, it owed Plaintiffs no duty to safeguard their information and that the negligence claim is barred by the economic loss doctrine. The Court agrees. “[A] federal court sitting in diversity must apply the conflict-of-laws rules of the state in which the federal court sits,” here, Connecticut. Cantor Fitzgerald Inc. v. Lutnick, 313 F.3d 704, 710 (2d Cir. 2002) (citation omitted). Connecticut follows the “most significant relationship” approach of the Restatement (Second) of Conflict of Laws for analyzing choice of law issues involving torts. See Western Dermatology Consultants, P.C. v. VitalWorks, Inc., 322 Conn. 541, 557 (2014). In some cases, the choice of law analysis can be undertaken on the allegations in the complaint. However, determining the appropriate choice of law in this case would require further development of the record and factual assessments which cannot be made on the four corners of the complaint. See, e.g., Bristol–Myers Squibb Co. v. Matrix Labs. Ltd., 655 F. Appx. 9, 13 (2d Cir. 2016) (summary order) (“Numerous district courts in this Circuit have concluded that choice- 14 of-law determinations are fact-intensive inquiries that would be premature to resolve at the motionto-dismiss stage.”); N. Am. Tech. Servs., Inc. v. V.J. Techs., Inc., No. 3:10-cv-1384 (AWT), 2011 WL 4538069, at *2 (D. Conn. Sept. 29, 2011) (concluding that, “[b]ecause of the ‘fact-intensive and context specific’ nature of the choice of law analysis and the complexity of the instant case, it is premature to address choice of law at the motion to dismiss stage”). In any event, under either Connecticut or New Jersey law, Plaintiffs’ negligence claim against Freestyle is barred by the economic loss doctrine. “The economic loss doctrine prohibits the recovery in a tort action of economic losses arising out of a breach of contract,” Sun Chemical Corporation v. Fike Corporation, 243 N.J. 319, 328 n.2 (2020), and “bars tort remedies in strict liability or negligence when the only claim is for” economic loss, as opposed to physical injury or property damage. Dean v. Barrett Homes, Inc., 204 N.J. 286, 295 (2010). Like Connecticut, New Jersey law provides that “a tort remedy does not arise from a contractual relationship unless the breaching party owes an independent duty imposed by law.” Saltiel v. GSI Consultants, Inc., 170 N.J. 297, 316, 788 A.2d 268 (2002). If a defendant “owe[s] a duty of care separate and apart from the contract between the parties,” a tort claim such as negligence may lie. Id. at 314. “This exception, however, is seldom allowed when a parties’ relationship is governed by a comprehensive contractual agreement.” Wilson v. RoundPoint Mortg. Servicing Corp., No. 21-cv19072 (CPO), 2022 WL 3913318, at *3 (D.N.J. Aug. 31, 2022). Here, Plaintiffs have alleged an implied contract with Freestyle through Freestyle’s contractual relationship with Sturm, Ruger. Plaintiffs’ allegations as to their negligence claim are identical to those of their breach of contract claim. They seek purely monetary damages but do not allege any physical or property damage as a result of Freestyle’s alleged negligence. The Court also finds Plaintiffs allegations of loss of privacy, emotional distress, and inconvenience are 15 insufficient to sustain their negligence claim. See Skypala v. Mortg. Electronic Registration Systems, Inc., 655 F. Supp. 2d 451, 461 (D.N.J. 2006) (“[I]t is axiomatic that a plaintiff may not recover for emotional distress caused by a defendant’s alleged breach of contract”). Nor have Plaintiffs’ cited authority under New Jersey law that establishes that Freestyle owed an independent duty in tort to protect Plaintiffs’ information. 7 Again, absent such authority, this Court is reluctant to expand the scope of New Jersey law on an issue not yet addressed by the appellate courts of New Jersey. See Kenneson, 2015 WL 1867768, at *6; Spence v. ESAB Group, Inc., 623 F3d 212, 217 (3rd Cir. 2010) (federal courts should be mindful not to “expand state law in ways not foreshadowed by state precedent”). Accordingly, the Court concludes that the economic loss doctrine bars Plaintiffs’ negligence claim against Freestyle and this claim is DISMISSED. Breach of Contract – Count 2 Freestyle argues that Plaintiffs’ breach of contract claim fails because there is a lack of privity between the parties. Although not clear in the Amended Complaint, Plaintiffs clarified in the briefing that they do not claim a breach of the contract between Sturm, Ruger and Freestyle (or any beneficiary status attendant thereto). Plaintiffs instead argue that the contract between Sturm, Ruger and Freestyle, which contemplated Freestyle collecting Plaintiffs’ PII, created an implied contract between Freestyle and Plaintiffs that the aforementioned PII would be protected if Plaintiffs provided it. Am. Compl. at 47–48 ¶¶ 227–29, 233. 7 The Court also finds Plaintiffs’ citation to Lone Star Nat. Bank, N.A. v. Heartland Payment Systems, Inc., 729 F.3d 421, 425–26 (5th Cir. 2013) unpersuasive. Indeed, the Fifth Circuit recognized in rejecting the economic loss doctrine that “in the absence of a tort remedy, the Issuer Banks would be left with no remedy for Heartland’s alleged negligence, defying ‘notions of fairness, common sense and morality.’” Id. at 426 (quoting People Express Airlines, Inc. v. Consolidated Rail Corp., 100 N.J. 246, 264 (1985)); see also In re American Medical Collection Agency, Inc. Customer Data Security Breach Litigation, No. 19-md-2904, 2021 WL 5937742, at *16 n.29 (D.N.J. Dec. 16, 2021) (concluding without discussion that under New Jersey law, the economic loss doctrine would not bar Plaintiffs’ claims and citing Lone Star, but deferring consideration following discovery). Here, Plaintiffs have viable claims against Freestyle for breach of implied contract and unjust enrichment. 16 An implied contract “is not expressed in words, but is implied from the conduct of the parties.” Vertex, Inc. v. City of Waterbury, 278 Conn. 557, 573-74 (2006). An implied contract is formed when one party, “without being requested to do so, renders services under circumstances indicating that he expects” performance of the other party in return and the other party, “knowing such circumstances, avails himself of the benefit of those services.” Metzner v. Quinnipiac Univ., 528 F. Supp. 3d 15, 31–32 (D. Conn. Mar. 25, 2021). Plaintiffs allege that when they provided their private information to Freestyle (as required to purchase from ShopRuger), Freestyle made the implied promise that the information would be protected and kept secure from further disclosure. With the data breach, Freestyle allegedly broke this promise. With these allegations, the Court concludes that Plaintiffs have plausibly alleged an implied contract with Freestyle as well as a breach of that implied contract. 8 Unjust Enrichment – Count 3 Freestyle last argues that Plaintiffs’ unjust enrichment claim against them must be dismissed because they maintain a breach of contract claim, and in any event, Plaintiffs fail to plausibly allege that they conferred a benefit to Freestyle. While the Court agrees that this claim is a factual stretch, it does not dismiss the claim. As observed above, Plaintiffs have confirmed that there is no claim of an express contract with Freestyle or that they are third party beneficiaries to the express contract between Freestyle and Sturm, Ruger. Plaintiffs only bring a claim of breach of an implied contract against Freestyle, the existence of which Freestyle denies. Under these circumstances, an unjust enrichment claim may be pled in the alternative to a breach of an implied contract claim. Metzner, 528 F. Supp. 3d at 34–35. Therefore, dismissal of Plaintiffs’ unjust enrichment claim on this basis is unwarranted. 8 The Court also concludes, for the reasons stated above, that whether the limitation on liability clause precludes a finding of liability against Freestyle cannot be decided at this stage. 17 “A right of recovery under the doctrine of unjust enrichment is essentially equitable, its basis being that in a given situation it is contrary to equity and good conscience for one to retain a benefit which has come to him at the expense of another.” Town of New Hartford v. Connecticut Res. Recovery Auth., 291 Conn. 433, 451, 970 A.2d 592 (2009) (quotation marks and citation omitted). “Plaintiffs seeking recovery for unjust enrichment must prove (1) that the defendants were benefited, (2) that the defendants unjustly did not pay the plaintiffs for the benefits, and (3) that the failure of payment was to the plaintiffs’ detriment.” Id. at 451–52 (quotation marks and citation omitted). It is not obvious, to say the least, the theory under which Plaintiffs assert an unjust enrichment claim in this data breach case. Indeed, it is difficult to see, based upon the allegations in the Amended Complaint, how it is that Freestyle benefitted, at Plaintiffs’ expense, in some fashion by failing to adequately secure Plaintiffs’ information. Equally unclear is how Freestyle unjustly did not pay or compensate Plaintiffs for this nebulous benefit or even what such a payment would have or should have looked like. Are Plaintiffs seeking the value of the savings Freestyle enjoyed by not protecting their information as somehow owing to them under a theory of unjust enrichment? Maybe. But whether this claim might be factually unsupportable after discovery is not a basis upon which this claim should be dismissed at the pleading stage. The elements of an unjust enrichment claim and facts which purport to satisfy those elements are sufficiently alleged. Conclusion For the foregoing reasons, Defendants’ motions to dismiss are GRANTED in part and DENIED in part. (ECF Nos. 52 & 53) Plaintiffs’ negligence and unjust enrichment claims against Sturm, Ruger are dismissed and Plaintiffs’ negligence claim against Freestyle is dismissed. SO ORDERED at Bridgeport, Connecticut, this 27th day of March 2024. 18 /s/ Kari A. Dooley KARI A. DOOLEY UNITED STATES DISTRICT JUDGE 19

Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.