Hapka v. CareCentrix, Inc., No. 2:2016cv02372 - Document 31 (D. Kan. 2016)

Court Description: MEMORANDUM AND ORDER denying 10 Motion to Dismiss. Signed by District Judge Carlos Murguia on 12/19/2016. (ydm)
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF KANSAS

SARAH HAPKA, individually and on behalf of all others similarly situated, Plaintiff,
v.
CARECENTRIX, INC., Defendant.

Case No. 16-2372-CM

MEMORANDUM AND ORDER

Plaintiff Sarah Hapka brings this putative class action, claiming that defendant CareCentrix, Inc. negligently permitted a data breach of around two thousand former and current employees’ personal information. Plaintiff claims that shortly after the data breach, someone filed a fraudulent tax return in her name. She seeks to hold defendant responsible for her damages because she believes that defendant failed to implement adequate and reasonable cyber-security procedures.

This matter is before the court on defendant’s motion to dismiss (Doc. 10). Defendant moves to dismiss plaintiff’s complaint under Federal Rule of Civil Procedure 12(b)(1) because plaintiff lacks Article III standing, and under 12(b)(6) because plaintiff fails to state a claim upon which relief can be granted. For the following reasons, the court denies defendant’s motion.

I. Factual Background

Plaintiff, individually and on behalf of all others similarly situated, alleges a claim for common law negligence. Plaintiff claims that on February 24, 2016, an unauthorized person posed as one of defendant’s employees and emailed a request for current and former employees’ 2015 Internal Revenue Service (“IRS”) Wage and Tax Statements (“W-2 Forms”). One of defendant’s employees complied with the request. These forms included information such as names, addresses, birth dates, wages, and Social Security numbers. Plaintiff alleges that the data breach compromised her own information, as well as that of up to two thousand people. Defendant notified plaintiff of the data breach on March 27, 2016.
On April 18, 2016, plaintiff received a letter from the IRS indicating that someone had filed a fraudulent tax return in plaintiff’s name. Plaintiff claims that since April 18, 2016, she has “spent multiple hours on telephone conferences with IRS representatives,” experienced delay, expended “costs related to postage and mileage in countering the tax fraud,” and “will continue to be at heightened risk for tax fraud and identity theft.” (Doc. 1 at 10–11.) She also claims that she faces a continuing, real, immediate risk of identity theft and tax fraud.

II. Legal Standards

Defendant moves to dismiss plaintiff’s complaint under both Fed. R. Civ. P. 12(b)(1) and 12(b)(6). Dismissal pursuant to Rule 12(b)(1) is appropriate when the court lacks subject matter jurisdiction over a claim for relief. The party asserting jurisdiction has the burden of establishing subject matter jurisdiction. Port City Props. v. Union Pac. R.R. Co., 518 F.3d 1186, 1189 (10th Cir. 2008). A motion under this rule attacks the existence of jurisdiction rather than the allegations of the complaint and, therefore, dismissal under this rule is not a judgment on the merits of the claims. Brereton v. Bountiful City Corp., 434 F.3d 1213, 1218 (10th Cir. 2006).

Fed. R. Civ. P. 12(b)(6) governs motions to dismiss for failure to state a claim for which relief can be granted. To survive a Rule 12(b)(6) motion, a complaint must present “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). In reviewing the motion, the court assumes all well-pleaded factual allegations are true and views the facts in the light most favorable to the nonmoving party. Smith v. United States, 561 F.3d 1090, 1098 (10th Cir. 2009). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S.
662, 678 (2009). Ultimately, the issue is “not whether the plaintiff will prevail, but whether the plaintiff is entitled to offer evidence to support [the plaintiff’s] claims.” Beedle v. Wilson, 422 F.3d 1059, 1063 (10th Cir. 2005).

III. Analysis

A. Standing and Rule 12(b)(1)

Defendant first argues that plaintiff lacks standing to bring her negligence claim. Under Article III of the United States Constitution, the jurisdiction of federal courts is limited to actual cases or controversies. Summers v. Earth Island Inst., 555 U.S. 488, 492–93 (2009); Dias v. City & Cnty. of Denver, 567 F.3d 1169, 1176 (10th Cir. 2009). A party seeking relief in federal court must have standing to sue. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). To have standing, a plaintiff bears the burden of showing that (1) she suffered an injury in fact that is (a) concrete and particularized and (b) actual and imminent—not merely conjectural or hypothetical; (2) the injury is fairly traceable to the defendant’s conduct; and (3) a favorable decision is likely to redress her alleged injuries. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–81 (2000) (citing Lujan, 504 U.S. at 560–61).

“[S]tanding is not dispensed in gross.” Lewis v. Casey, 518 U.S. 343, 358 n.6 (1996). Rather, “a plaintiff must demonstrate standing for each claim [s]he seeks to press” and “‘for each form of relief’” that she seeks. DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 352 (2006) (citation omitted); see also Davis v. Fed. Election Comm’n, 554 U.S. 724, 733–34 (2008). To analyze standing, the court considers the facts existing at the time plaintiff filed the complaint. Tandy v. City of Wichita, 380 F.3d 1277, 1283–84 (10th Cir. 2004).

1. Injury in Fact

The first question the court addresses is whether plaintiff has shown that she suffered an injury in fact.
“To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016) (quoting Lujan, 504 U.S. at 560). The threatened injury must be “certainly impending”—not merely speculative. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013); Tandy, 380 F.3d at 1283. At times, the Supreme Court has found standing based on a “‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper, 133 S. Ct. at 1150 n.5 (citations omitted). “A claimed injury that is contingent upon speculation or conjecture is beyond the bounds of a federal court’s jurisdiction.” Tandy, 380 F.3d at 1283–84 (citing Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)).

There is one key fact in this case: plaintiff’s personal information has been fraudulently used to file a false tax return. Plaintiff has therefore suffered some form of actual, concrete injury. Defendant concedes this fact, although it maintains that any such injury is de minimus. But defendant asks the court to consider plaintiff’s other allegations of injury separately, distinct from the tax fraud. Defendant argues that plaintiff’s other allegations of injury are too speculative to provide plaintiff with standing to pursue her claims based on those injuries. Specifically, defendant targets plaintiff’s claims for the following injuries:

The imminent and certain impending injury flowing from fraud and identity theft posed by their personal information being placed in the hands of hackers; . . . [d]amages to and diminution in value of their personal information entrusted to CareCentrix for purpose of maintaining employment; and . . .
[c]ontinued risk to affected individuals’ personal information, which remains in the possession of CareCentrix and which is subject to further breaches so long as CareCentrix fails to undertake appropriate and adequate measures to protect the personal information that affected individuals entrusted to CareCentrix.

(Doc. 1 at 15–16.)

The problem with defendant’s approach is that defendant wants the court to look at each of plaintiff’s alleged injuries in a vacuum. While standing is an individualized inquiry, DaimlerChrysler Corp., 547 U.S. at 352, the allegation that plaintiff is the victim of tax fraud impacts plaintiff’s other allegations of injury. The fact that her stolen information has been used once has a direct impact on the plausibility of future harm. The court therefore considers plaintiff’s allegations of future harm in light of her allegations that her personal information was used for tax fraud shortly after the data breach.

As noted by the parties, in dealing with similar “loss of data” cases, federal courts have split on the issue of whether an alleged increased risk of identity theft and fraud is an injury in fact sufficient to support standing. Courts have discussed this issue at length, and this court will not repeat that discussion here. For ease of reference, however, the court cites below a number of the cases it has reviewed in evaluating whether plaintiff has shown injury in fact.

First, the cases finding no injury in fact: Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (affirming dismissal for lack of standing based on an increased risk of harm when unaccompanied by misuse of the information); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 958–59 (D. Nev. 2015) (finding no injury in fact for future threat of fraud when over three years had passed since data breach with no reports of fraud); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 26–27 (D.D.C.
2014) (finding no standing based on an increased risk of harm alone); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1052–53 (E.D. Mo. 2009) (finding no standing when the plaintiff was unsure whether his own personal information had been stolen); Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 8 (D.D.C. 2007) (“Plaintiffs’ allegation that they have incurred or will incur costs in an attempt to protect themselves against their alleged increased risk of identity theft fails to demonstrate an injury that is sufficiently “concrete and particularized” and “actual or imminent.”) (citation omitted); Key v. DSW, Inc., 454 F. Supp. 2d 684, 690 (S.D. Ohio 2006) (finding no injury in fact when the plaintiff alleged only that she was “subjected to a substantial increased risk of identity theft or other related financial crimes”).

Next, the cases finding injury in fact: Galaria v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027, at *2–*4 (6th Cir. Sep. 12, 2016) (finding injury in fact based on a “sufficiently substantial risk of harm that incurring mitigation costs is reasonable”); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 966–67 (7th Cir. 2016) (finding injury in fact based on “the increased risk of fraudulent charges and identity theft they face because their data has already been stolen”); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694–95 (7th Cir. 2015) (“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010) (finding standing); McLoughlin v. People’s United Bank, Inc., No. 08-cv-00944 (VLB), 2009 WL 2843269, at *4 (D. Conn. Aug.
31, 2009) (same); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273, 280 (S.D.N.Y. 2008) (same); see also In re Zappos.com, Inc., MAL No. 2357, 2016 WL 2637810, at *4 (D. Nev. May 6, 2016) (holding that plaintiffs’ allegations of “use of their credit, harm to their credit, lost time spent closing fraudulent accounts, and lost funds and business due to fraudulent charges” conferred standing); SAIC, 45 F. Supp. 3d at 25 (“A handful of Plaintiffs claims that they have suffered actual identity theft, and those Plaintiffs have clearly suffered an injury.”).

The court has reviewed these cases and others at length. Because plaintiff has alleged that she is a victim of tax fraud, the cases addressing only potential future harm are inapposite. Instead, the court follows the cases finding that plaintiffs had standing when they suffered from an incident of identity theft after a data breach. Plaintiff has standing to bring her claim for negligence. Ultimately, she may not be able to recover for some of her alleged injuries, but that fact does not impact her standing to proceed with her negligence claim at this point.

2. Fairly Traceable

From a standing perspective, defendant also challenges whether plaintiff’s alleged injuries are traceable to defendant’s actions. “[T]he traceability component of the standing test contemplates a causal relationship between the injury and the defendants’ challenged acts.” United States v. Ramos, 695 F.3d 1035, 1046 (10th Cir. 2012). A full showing of proximate cause, however, is not necessary. Id. (citation omitted).

Here, plaintiff relies heavily on the timing of the fraudulent tax return. It was filed less than two months after the data breach. The return included the use of plaintiff’s name, wages, and Social Security number—all of which were included in the information that was stolen in the data breach. Plaintiff has met her burden of showing traceability.

3.
Redressability

Redressability merits no more discussion than traceability in this case. “To satisfy the redressability prong of the standing test, the plaintiff must demonstrate that a substantial likelihood exists that the relief requested will redress the injury claimed.” Ash Creek Min. Co. v. Lujan, 969 F.2d 868, 875 (10th Cir. 1992). Plaintiff has alleged that monetary damages will compensate her for her injuries, and no more is required at this stage.

4. Class Allegations: Commonality and Typicality

Defendant next argues that plaintiff cannot proceed with her negligence claim because her claim is not common with or typical of the claims of the putative class. This is an argument better left for a class certification motion. At this stage of the litigation, plaintiff need only allege facts that show she has standing to pursue her own claim.

5. Ripeness

Similar to its argument about plaintiff’s failure to allege injury in fact, defendant also argues that plaintiff’s claim is not ripe. For the same reasons the court finds that plaintiff has satisfied the injury-in-fact requirement, defendant’s ripeness defense does not bar plaintiff’s claim.

6. Amount in Controversy

Finally, defendant’s last 12(b)(1) argument is that the court lacks subject matter jurisdiction because plaintiff failed to allege the requisite amount in controversy. The Class Action Fairness Act (“CAFA”) requires that the amount in controversy exceed $5,000,000 for federal jurisdiction. 28 U.S.C. § 1332(d). This amount represents the aggregated claims of all putative class members. Id. Moreover, the court accepts the plaintiff’s amount-in-controversy allegation if it is made in good faith. Dart Cherokee Basin Operating Co., LLC v. Owens, 135 S. Ct. 547, 553 (2014). To dismiss for lack of jurisdiction on this basis, “[i]t must appear to a legal certainty that the claim is really for less than the jurisdictional amount to justify dismissal.” St. Paul Mercury Indem. Co. v. Red Cab Co., 303 U.S.
283, 288 (1938).

Plaintiff has sufficiently alleged the requisite amount in controversy. Plaintiff alleges that the putative class may include two thousand members. She has alleged both past and future injuries for herself, and it is plausible that in aggregation, the value of those injuries exceeds $5,000,000. At this time, the court will not dismiss the case on this basis.

B. Plausibility and Rule 12(b)(6)

Defendant next challenges whether plaintiff has adequately pleaded the elements of a negligence claim.

1. Duty

First, the court considers whether defendant had a duty to plaintiff. Plaintiff alleges that defendant “owed a duty to Plaintiff and the Class to exercise reasonable care in obtaining, securing, safeguarding, deleting and protecting Plaintiff and Class members’ personal and tax information within its control from being compromised, lost, stolen, accessed and misused by unauthorized persons.” (Doc. 1 at 18.) Defendant argues that plaintiff’s allegations are insufficient because employers do not have a statutory duty regarding employee information. Absent a statutory duty, plaintiff must show a common-law duty, and defendant claims that plaintiff has failed to do so. See Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *5–*6 (N.D. Ill. Jan. 21, 2015) (“Because there is no common law duty to protect personal information in Illinois . . . Plaintiff has failed to state a claim for negligence.”) (citations omitted).

Plaintiff responds that defendant’s duty is to exercise reasonable care when it collects and stores the personal information of its employees. In this instance, defendant was obligated to implement reasonable data security measures to protect that information from disclosure. See In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304, 1308 (D. Minn.
2014) (“[G]eneral negligence law imposes a general duty of reasonable care when the defendant’s own conduct creates a foreseeable risk of injury to a foreseeable plaintiff.”) (citations omitted).

The court agrees with plaintiff that requiring identification of a statutory duty is unnecessary. Given plaintiff’s allegations that the harm was foreseeable, defendant had the duty to exercise reasonable care to prevent that harm. The court will not dismiss plaintiff’s claim for failure to identify a more specific duty.

2. Breach

Plaintiff claims that defendant breached its duty to implement adequate cybersecurity precautions. Plaintiff’s allegations regarding this element are sufficient.

3. Causation

As for causation, defendant makes the same arguments that it did with respect to traceability. Plaintiff has alleged that the data breach and her identity theft were both foreseeable, given defendant’s previous data security issues, the fact that defendant is a health care company (which are often targeted by hackers), and the prevalence of data breaches. Plaintiff has adequately pleaded causation.

4. Cognizable, Actual Injury

Finally, defendant argues that plaintiff has not pleaded compensable injuries. These arguments are similar to those that defendant made in regard to its standing/injury-in-fact arguments. To the extent that defendant’s arguments are repeated, the court finds them unpersuasive for the same reasons discussed above.

Defendant also argues that plaintiff’s injuries are de minimus. Defendant fails to show, based on the allegations in plaintiff’s complaint, that plaintiff’s claims are not plausible based on the extent of her injuries. The court determines that plaintiff has adequately stated a claim for negligence.

IT IS THEREFORE ORDERED that defendant’s motion to dismiss (Doc. 10) is denied.

Dated this 19th day of December, 2016, at Kansas City, Kansas.

s/ Carlos Murguia
CARLOS MURGUIA
United States District Judge