Savidge et al v. Pharm-Save, Inc. et al, No. 3:2017cv00186 - Document 26 (W.D. Ky. 2017)

Court Description: MEMORANDUM OPINION AND ORDER Signed by Senior Judge Thomas B. Russell on 12/1/2017: Defendants' Motion 5 to Dismiss is GRANTED IN PART AND DENIED INPART; The parties have until 1/31/2018 to conduct limited discovery on the issue of persona l jurisdiction. Thereafter, Defendants have leave to refile their motion to dismiss Neil Medical Group, Inc. under Rule 12(b)(2). Plaintiffs' Joint Motion 8 for Extension of Time to File Response as to Defendants' Motion to Dismiss is GRANTED; Plaintiffs' Joint Motion 11 to Remand is DENIED AS MOOT; Plaintiffs' Motion 7 for Leave to File First Amended Class Action Complaint is GRANTED. Defendants will hereafter be permitted to file another motion to dismiss addressing Plaintiffs' new claims; Plaintiffs' Joint Motion 18 to Stay is DENIED; Defendants' Motion 23 for Leave to File Sur-Reply is GRANTED. cc: Counsel (JBM)
Download PDF
Savidge et al v. Pharm-Save, Inc. et al Doc. 26 UNITED STATES DISTRICT COURT WESTERN DISTRICT OF KENTUCKY LOUISVILLE DIVISION CIVIL ACTION NO. 3:17-CV-00186-TBR ANDREA K. SAVIDGE, et al., PLAINTIFFS v. PHARM-SAVE, INC., et al., DEFENDANTS MEMORANDUM OPINION AND ORDER This matter is before the Court on several pending motions. First, Defendants PharmSave Inc. and Neil Medical Group, Inc. filed a motion to dismiss, [DN 5.] Plaintiffs Andrea Savidge and Beth Lynch responded, [DN 13], and Defendants replied, [DN 15.] For the reasons discussed in detail below, Defendants’ motion to dismiss is GRANTED IN PART AND DENIED IN PART. Second, Plaintiffs filed a motion to remand this action back to Kentucky state court, [DN 11.] Defendants responded, [DN 14], and Plaintiffs replied, [DN 16.] However, because the parties no longer dispute that this Court has jurisdiction to hear this case, the motion to remand is DENIED AS MOOT. Third, Plaintiffs filed a motion for leave to file a first amended class action complaint, [DN 17.] Defendants responded, [DN 19], and Plaintiffs replied, [DN 22.] For the reasons discussed below, that motion is GRANTED. Finally, Plaintiffs filed a motion to stay the ruling on Defendants’ motion to dismiss until after Plaintiffs have had an opportunity to conduct limited discovery, [DN 18.] Defendants responded, [DN 20] and Plaintiffs replied, [DN 21.] Defendants then moved to file a sur-reply, [DN 23], to which Plaintiffs responded, [DN 24], and Defendants replied, [DN 25.] The Court will GRANT Defendants’ motion to file a sur-reply and, though it agrees with Plaintiffs that limited discovery is warranted, will DENY Plaintiffs’ motion to stay. Rather, the Court will 1 DENY WITHOUT PREJUDICE Defendants’ 12(b)(2) motion at this time pending further limited discovery. BACKGROUND Plaintiffs Andrea Savidge and Beth Lynch were employees of Defendant Pharm-Save Inc. (“Pharm-Save”) from 2013 to 2015 and 2013 to 2014, respectively. [DN 1-1 at 4 (Complaint).] On March 3, 2016, after the each of the Plaintiffs’ employment with Pharm-Save had ended, a data breach occurred through which “an outside individual or group obtained copies of the W-2 forms which [Pharm-Save] sent to [its employees] and the IRS which would have included [employees’] social security number[s], address[es] and [their] 2015 salary information.” [DN 1-1 at 21, 24 (Letters from Pharm-Save to Plaintiffs).] In letters dated March 26, 2016, Pharm-Save notified all affected employees, including Savidge and Lynch, of the incident. [DN 1-1 at 21–23, 24–26.] Therein, Pharm-Save explained the security breach and told employees that “[i]t is possible that the criminal(s) may have filed or may try to file fraudulent tax refunds in the names of our employees.” [Id. at 21, 24.] Also in the letters, Pharm-Save offered employees “a complimentary two-year membership of Experian’s ProtectMyID Alert. This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.” [Id.] The letters also contained instructions on how to activate the ProtectMyID service. [Id.] In a letter dated March 29, 2016, the IRS notified Savidge that it had received a federal income tax return for the 2015 tax year with her name and social security number. [Id. at 28.] However, the IRS stated that, [t]o protect [Savidge] from identity theft, we need to verify your 2 identity before we process your return.” [Id.] Additionally, the IRS wrote “[w]e won’t process this . . . tax return until we hear from you.” [Id.] Indeed, that tax return was fraudulent. [Id. at 9.] On March 2, 2017, Plaintiffs brought suit against Pharm-Save Inc. (d/b/a Neil Medical Group) and Neil Medical Group, Inc. in Kentucky state court, alleging several causes of action related to the theft of their personally identifiable information (“PII”). Defendants removed the action to this Court on March 27, 2017, [DN 1 (Notice of Removal)], and simultaneously filed the instant motion to dismiss, [DN 5.] STANDARD A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). In order to survive a motion to dismiss under Rule 12(b)(6), a party must “plead enough ‘factual matter’ to raise a ‘plausible’ inference of wrongdoing.” 16630 Southfield Ltd. P'ship v. Flagstar Bank, F.S.B., 727 F.3d 502, 504 (6th Cir. 2013) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). A claim becomes plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007)). When considering a Rule 12(b)(6) motion to dismiss, the court must presume all of the factual allegations in the complaint are true and draw all reasonable inferences in favor of the non-moving party. Total Benefits Planning Agency, Inc. v. Anthem Blue Cross & Blue Shield, 552 F.3d 430, 434 (6th Cir. 2008) (citing Great Lakes Steel v. Deggendorf, 716 F.2d 1101, 1105 (6th Cir. 1983)). “The court need not, however, accept unwarranted factual inferences.” Id. (citing Morgan v. Church’s Fried Chicken, 829 F.2d 10, 12 (6th Cir. 1987)). Should the well-pleaded facts support no “more than the mere possibility of misconduct,” then dismissal is warranted. Iqbal, 556 U.S at 679. The Court may grant a motion 3 to dismiss “only if, after drawing all reasonable inferences from the allegations in the complaint in favor of the plaintiff, the complaint still fails to allege a plausible theory of relief.” Garceau v. City of Flint, 572 F. App’x. 369, 371 (6th Cir. 2014) (citing Iqbal, 556 U.S. at 677–79). DISCUSSION Defendants seek dismissal of Plaintiffs’ claims of negligence, negligence per se, invasion of privacy, breach of implied contract, and intentional and negligent infliction of emotional distress. [DN 5 at 12–28; see DN 1-1.] Defendants make three primary arguments in their motion regarding why dismissal is proper. First, Defendants argue that Neil Medical Group, Inc. is not an appropriately named Defendant because it “was not in operation at the time of the alleged conduct.” [DN 5-1 at 4.] Second, Defendants argue that Plaintiffs lack Article III standing to bring their claims in this Court. [Id. at 6.] Third, Defendants argue that Plaintiffs fail to state a claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6). [Id. at 12.] However, Defendants have withdrawn their standing argument, [DN 12 (Notice of Withdrawal)],1 and therefore only Defendants’ first and third arguments for dismissal remain for the Court to address. 1 Specifically, Defendant now concedes that Plaintiffs have standing to maintain this suit resulting from the theft of their personally identifying information. [DN 12 (Notice of Withdrawal of Article III Standing Argument from Motion to Dismiss).] Moreover, the Sixth Circuit recently held that victims of a data security breach have Article III standing to bring suit. Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016) (“Plaintiffs' allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of “possible future injury” or “objectively reasonable likelihood” of injury that the Supreme Court has explained are insufficient . . . There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints.”). Accordingly, the Court is likewise satisfied that Plaintiffs have Article III standing. 4 A. Whether Plaintiffs’ Claims State a Claim Upon Which Relief Can Be Granted The Court will first address whether the claims made in Plaintiffs’ Complaint are cognizable under Rule 12(b)(6). These include negligence, negligence per se, invasion of privacy, breach of implied contract, intentional infliction of emotional distress, and negligent infliction of emotional distress. [See DN 1-1.] 1. Negligence The parties agree that Kentucky law governs this action. [See DN 5 at 13; DN 13 at 3– 12.] Under Kentucky law, “[a] common law negligence claim requires proof of (1) a duty owed by the defendant to the plaintiff, (2) breach of that duty, (3) injury to the plaintiff, and (4) legal causation between the defendant's breach and the plaintiff's injury.” Wright v. House of Imports, Inc., 381 S.W.3d 209, 213 (Ky. 2012) (citing Pathways, Inc. v. Hammons, 113 S.W.3d 85, 88–89 (Ky. 2003)). “The standard of care applicable to a common-law negligence action is that of ordinary care—that is, ‘such care as a reasonably prudent person would exercise under the circumstances.’” Id. (quoting Slusher v. Brown, 323 S.W.2d 870, 872 (Ky. 1959)). a. Duty and Breach With regard to the first two elements of common law negligence, Defendants argue that Plaintiffs have failed to plausibly allege that Defendants breached a duty they owed to Plaintiffs. Specifically, Defendants argue that Plaintiffs “allege, without any support, that [Defendants’] security measures must have been inadequate.” [DN 5-1.] In their complaint, Plaintiffs assert that “the Defendants’ duty to the Plaintiffs and other class members included, inter alia, establishing processes and procedures to protect the personal and sensitive information from wrongful disclosure and training employees who had access to that information as to those processes and 5 procedures.” [DN 1-1 at 10.] Plaintiffs further assert that, because Plaintiffs’ information was ultimately disclosed, “the Defendants clearly breached those duties.” [Id. at 11.] True, Plaintiffs’ allegations are scant. However, at the motion to dismiss stage, the Court is required to construe the allegations in the light most favorable to Plaintiffs “and reasonable inferences must be made in favor of the non-moving party.” Total Benefits Planning Agency, 552 F.3d at 434. See also Keenan v. Marker, 23 F. App'x 405, 406 (6th Cir. 2001) (“In determining whether a complaint fails to state a claim, the court must construe the complaint in a light most favorable to the plaintiff, accept all the factual allegations as true, and determine whether the plaintiff undoubtedly can prove no set of facts . . . that would entitle him to relief.”) Here, the Court can draw the reasonable inference that, because Plaintiffs’ information was released to unauthorized individuals, Defendants breached their duties to safeguard that information. Whether Plaintiffs can prove such a breach is matter reserved for summary judgment or trial. However, at this early stage, it is enough that Plaintiffs have plausibly alleged a breach of Defendants’ duties. b. Injury With regard to the third element of common law negligence, Defendants argue that Plaintiffs have failed to plead any cognizable injury. [DN 5-1 at 16–19.] In detail, Defendants argue that Plaintiffs have pointed only to speculative damages and the risk of future harm, which are insufficient. Indeed, Plaintiffs spend much of their complaint alleging that the cybercriminals who obtained their information may misuse that information in the future. For instance, Plaintiffs allege that the cybercriminals “may continue to exploit the data . . . or sell the data in the socalled ‘dark markets.’” [DN 1-1 at 9.] Next, Plaintiffs allege that the cybercriminals now have the ability “to commit a broad range of fraud . . . including but not limited to” “ obtaining 6 employment,” “obtaining a loan,” “applying for credit cards or spending money,” “obtaining medical care,” “stealing Social Security and other governmental benefits,” or “applying for a driver’s license, birth certificate, or other public document.” [Id.] In addition, Plaintiffs allege that, “if a Plaintiff’s Social Security number is used to create a false identification for someone who commits a crime, that individual may become entangled in the criminal justice system, impairing his or her ability to gain employment or obtain a loan.” [Id. (emphasis added)] Finally, Plaintiffs assert that, “for the rest of their lives . . . [they] will bear a heightened risk of all manners of identity theft.” [Id.] The Court agrees that Plaintiffs’ allegations about heightened risks and the possibility of future harm are insufficient. Kentucky law is clear that “[a] cause of action does not exist until the conduct causes injury that produces loss or damage.” Capital Holding Corp. v. Bailey, 873 S.W.2d 187, 192 (Ky. 1994) (emphasis added). Accordingly, “Kentucky law . . . prohibits the possibility of future harm from constituting an element of damages if that possibility is considered outside the realm of damages for mental anguish.” Gill v. Burress, 382 S.W.3d 57, 64 (Ky. Ct. App. 2012). Indeed, this Court has previously held that “an increased threat of an injury that may never materialize cannot satisfy the injury requirement” for damages under Kentucky law. Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892, at *6 (W.D. Ky. July 12, 2012) (Russell, J.). Similarly, federal courts deciding data breach cases have held that a risk of future harm is insufficient to plead cognizable injury. See Krottner v. Starbucks Corp., 406 F. App'x 129, 131 (9th Cir. 2010) (“The alleged injuries here stem from the danger of future harm. Even Shamasa, the only plaintiff who claims his personal information has been misused, alleges no loss related to the attempt to open a bank account in his name.”). Therefore, Plaintiffs’ allegations regarding future harm they may suffer are insufficient. 7 Nor does it appear that the mere filing of a fraudulent tax return in Plaintiff Savidge’s name, by itself, caused her cognizable injury. Rather, the IRS, apparently skeptical of the authenticity of the return, notified Savidge that it had been filed and stated that it would not process it until she verified that it was genuine. [DN 1-1 at 28–29.] See Whalen v. Michaels Stores, Inc., 689 F. App'x 89, 90 (2d Cir. 2017) (“Whalen asserts . . . she has lost time and money resolving the attempted fraudulent charges and monitoring her credit. Whalen does not allege a particularized and concrete injury suffered from the attempted fraudulent purchases, however; she never was either asked to pay, nor did pay, any fraudulent charge.”); Krottner, 406 F. App’x at 131 (“[Plaintiff] alleges no loss related to the attempt to open a bank account in his name.”); Holmes, 2012 WL 2873892, at *8 (“The Beneficial Letter is the only evidence that might show a threat of identity theft. Still, Plaintiffs concede this attempt to secure an automobile loan was unsuccessful and did not result in any actual injury.”). Contrast In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *14 (N.D. Cal. Aug. 30, 2017) (“Dugas alleges that a fraudulent tax return was filed under his Social Security number and that he was not able to timely file his own taxes as a result. Because Dugas could not file his own tax return, Dugas was unable to timely file a financial aid application for his daughters. This resulted in Dugas needing to pay an additional $9,000 in tuition expenses that he would not otherwise have had to pay.” (internal citations omitted)). The Court also does not find persuasive Plaintiffs’ argument, made in response to Defendants’ motion to dismiss, that they can plead a cognizable injury due to the diminished value of their PII itself. “Plaintiffs here posit that their PII (with which Defendants were entrusted as Plaintiffs’ employer) constitutes property,” and argue that they are “entitled to recover for any injury to their PII that they have sustained because of Defendants’ unauthorized 8 disclosure.” [DN 13 at 8.] In detail, Plaintiffs argue that “[a]n intrusion (or encroachment) which is an unreasonable interference with the property owner's possessory use of his/her property is sufficient evidence of an actual injury (or damage to the property) to award actual damages.” [DN 13 at 8 (quoting Smith v. Carbide & Chemicals Corp., 226 S.W.3d 52, 57 (Ky. 2007)).] Further, Plaintiffs contend that their PII has been damaged “by losing the sales value of that information.” [Id. at 10 (quoting In re Facebook Privacy Litig., 572 F. App'x 496 (9th Cir. 2014)).] However, Plaintiffs do not adequately allege how the value of their PII has been diminished, nor that they would have attempted to sell their PII in the future. See Khan v. Children's Nat'l Health Sys., 188 F. Supp. 3d 524, 533–34 (D. Md. 2016) (“Khan alleges that the value of her personally identifiable information has been diminished by the data breach. She does not, however, explain how the hackers’ possession of that information has diminished its value, nor does she assert that she would ever actually sell her own personal information . . . the data breach has not deprived her of the use of her personal information.”); Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1088 (E.D. Cal. 2015) (“Where the plaintiff has not alleged that he ‘attempted to sell his PII [;] that he would to do so in the future[;] or that he was foreclosed from entering into a ... transaction relating to his PII[ ] as a result of [the defendant's] conduct,’ the plaintiff has ‘not alleged facts sufficient to show [an] injury[ ] in [ ]fact based on the purported diminution in value of his PII.’”). Accordingly, Plaintiffs have failed to adequately plead injury to their PII itself as a property interest. Next, Plaintiffs allege in their response to Defendants’ motion to dismiss that “the mental distress that Plaintiffs suffered and continue to suffer because of the increased likelihood of identity theft is an injury that is compensable.” [DN 13 at 10.] Indeed, Kentucky law allows recovery in tort “of damages for mental anguish.” Gill, 382 S.W.3d at 64. However, nowhere in 9 Plaintiffs’ complaint did they allege that they suffer and will continue to suffer from emotional distress related to their fear of identity theft. [See DN 1-1.] The most Plaintiffs allege, for purposes of their intentional and negligent infliction of emotional distress claims, is that Defendants’ conduct “did indeed cause severe emotional distress.” [Id. at 17.] However, as the Court discusses in detail below, this mere recitation of the element of an intentional and negligent infliction of emotional distress claim, without more, is insufficient. Because Plaintiffs did not adequately plead mental anguish damages in their complaint, this, also, does not qualify as a cognizable injury. However, Plaintiffs also allege that they have incurred “additional expense[s] associated with mitigating the risk of identity theft.” [DN 1-1 at 11.] Further, they allege that they “have suffered and will continued to suffer” such injuries as (a) out-of-pocket costs associated with addressing false tax returns filed with the IRS and state tax agencies; . . . (c) out-of-pocket costs associated with procuring identity protection and restoration services; . . . and (c) lost productivity and enjoyment as a result of time spent monitoring, addressing and correcting future consequences of the breach. [Id. at 12.] In recent years, a growing number of Courts have recognized that the purchase of credit monitoring services and the costs expended to deal with fraudulent activity following the theft of PII, when spent with the knowledge that stolen information has already been misused, can constitute cognizable injuries.2 See Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012) (“The Complaint specifically alleges that both Curry and Moore suffered financial injury; monetary loss is cognizable under Florida law for damages in contract, quasi-contract, negligence, and breach of fiduciary duty . . . Plaintiffs have therefore alleged a cognizable injury 2 The Court recognizes, as Defendants point out, that it previously held, in a prior case, that “[t]he legal tenor of future injuries means Kentucky courts would not condone payments for credit monitoring unless Plaintiffs' identities were actually stolen and then used to their financial detriment.” Holmes v. Countrywide Fin. Corp., No. 5:08-CV00205-R, 2012 WL 2873892, at *8 (W.D. Ky. July 12, 2012). However, in light of the cases cited above, and the modern increase in data and security breaches, the Court is no longer convinced of this reasoning. 10 under Florida law.”) (internal citations omitted); Anderson v. Hannaford Bros. Co., 659 F.3d 151, 166 (1st Cir. 2011) (“Knowing her personal data had been breached and misused, and knowing the thieves were sophisticated and had rung up thousands of unauthorized charges, plaintiff Valburn had a reasonable basis for purchasing identity theft insurance to avoid further damage.”); Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 14, 2016) (“Only some of the plaintiffs have actually incurred out-of-pocket expenses so far . . . Those who have incurred such out-of-pocket expenses have pleaded cognizable injuries, whereas those who claim only that they may incur expenses in the future have not.”); Corona v. Sony Pictures Entm't, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015) (“Upon review of the allegations, the Court finds that the Complaint sufficiently alleges facts to support the reasonableness and necessity of Plaintiffs’ credit monitoring.”). In Castillo, for example, the Court wrote: Plaintiffs claim Seagate’s negligence caused the following injuries: (1) out-ofpocket costs related to the false tax returns filed; (2) increased costs associated with preparing and filing tax returns; (3) out-of-pocket costs connected with procuring additional identity protection and restoration services; (4) out-of-pocket costs associated with credit repair in the event of a future identity theft; and (5) lost productivity and enjoyment as a result of monitoring use of personal identifying information. Compl. ¶ 53. Only some of the plaintiffs have actually incurred out-of-pocket expenses so far. Tran hired an accountant to help her navigate the process of refiling tax returns. Id. ¶ 26. Dattona and Wilk bought a subscription to LifeLock, an identity-protection service, because they wanted greater protection than that offered by Seagate. Id. ¶¶ 31, 33. In contrast, the Castillos are merely considering purchasing such services, id. ¶ 30, and Lang has not incurred any out-of-pocket expenses, id. ¶ 32. Those who have incurred such out-of-pocket expenses have pleaded cognizable injuries, whereas those who claim only that they may incur expenses in the future have not. Castillo, 2016 WL 9280242, at *4 (emphasis added). In that case, the plaintiffs who had already incurred out of pocket expenses specifically identified those expenses in their complaint. Here, Savidge and Lynch only claim that they “have suffered and will continued to suffer” out of 11 pocket costs related to credit monitoring and, with respect to Savidge, the fraudulent tax return filed in her name. [DN 1-1 at 11–12.] To be sure, these allegations are minimal. However, the Court finds that there are sufficient allegations to reasonably infer, at this early stage of the proceedings, that Plaintiffs’ alleged purchase of credit monitoring and/or identity protection services, along with Savidge’s expenses associated with the fraudulent tax return filed in her name, were incurred reasonably, rather than in response to injuries that were overly speculative. Here, Plaintiffs have pled facts showing that cybercriminals did, indeed, file a false tax return in Savidge’s name. True, the IRS intercepted the fraudulent return before it was processed. But the fact that cybercriminals have already misused Savidge’s information may suggest that Plaintiffs’ purchase of identity protection services, with the knowledge that her information had already been misused, was reasonable and necessary. To be clear, the Court cannot decide and is not deciding, at this time, that Plaintiffs’ have demonstrated or proven that they have suffered compensable injuries as a matter of law. This is not the proper stage to determine whether Plaintiffs’ alleged expenses were, in fact, incurred and, if so, were reasonable and therefore recoverable. However, at this time, the Court finds that Plaintiffs have plead sufficient information to allow the Court to draw the reasonable inference that their alleged expenses were incurred justifiably and therefore may be compensable under a negligence theory. Therefore, the Court cannot say that Plaintiffs “can prove no set of facts . . . that would entitle [the]m to relief” on their negligence theory. Keenan, 23 F. App'x at 406. Finally, Defendants argue that, even if Plaintiffs have incurred various expenses, the economic loss rule bars their recovery in tort. The Supreme Court of Kentucky has adopted the economic loss rule and defined it as the rule that “a manufacturer in a commercial relationship has no duty under either a negligence or strict products-liability theory to prevent a product from 12 injuring itself.” Giddings & Lewis, Inc. v. Indus. Risk Insurers, 348 S.W.3d 729, 738 (Ky. 2011) (quoting E. River S.S. Corp. v. Transamerica Delaval, Inc., 476 U.S. 858, 871 (1986)). In other words, the “rule recognizes that economic losses, in essence, deprive the purchaser of the benefit of his bargain and that such losses are best addressed by the parties’ contract and relevant provisions of Article 2 of the Uniform Commercial Code.” Id. “Thus, costs for repair or replacement of the product itself, lost profits and similar economic losses cannot be recovered pursuant to negligence or strict liability theories but are recoverable only under the parties’ contract, including any express or implied warranties.” Id. Based on the Giddings court’s analysis of the economic loss rule, however, it appears that Kentucky courts only apply this rule to products liability actions, in which a plaintiff seeks to recover economic costs relating to a dangerous or malfunctioned product itself. See Sackin v. TransPerfect Glob., Inc., No. 17 CIV. 1469 (LGS), 2017 WL 4444624, at *5 (S.D.N.Y. Oct. 4, 2017) (“The economic loss rule . . . does not bar Plaintiffs’ negligence claim, as Defendant suggests, for two reasons . . . First, the rule is inapplicable because the Complaint does not allege a products liability claim. See Id., 727 N.Y.S.2d 49, 750 N.E.2d at 1101 n.1 (stating that the economic loss rule “stands for the proposition that an end-purchaser of a product is limited to contract remedies and may not seek damages in tort for economic loss against a manufacturer ....”)). The claims in this case do not sound in product liability, however, and no express or implied warranties exist as they would in a product liability case. Accordingly, the Court is not persuaded that the economic loss rule applies to bar their potential recovery in negligence. c. Causation Defendants further argue that, even if Plaintiffs have pled a cognizable injury, they have still failed to adequately plead that Defendants’ alleged breach caused their injury. “A cause of 13 action does not exist until the conduct causes injury that produces loss or damage.” Capital Holding Corp. v. Bailey, 873 S.W.2d 187, 192 (Ky. 1994). According to Defendants, “Plaintiffs fail to allege that they were not the victims of another hack, which may have caused their alleged injury. Because there are multiple possible causes of any alleged harm, Plaintiffs cannot state a negligence claim.” [DN 5-1 at 15.] Courts have explained that “[g]enerally, to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.” Resnick, 693 F.3d at 1326. For instance, the Eleventh Circuit held that a sufficient nexus existed for causation purposes when “the sensitive information on the stolen laptop was the same sensitive information used to steal Plaintiffs’ identity.” Id. at 1327. Similarly, here, Pharm-Save specifically told the affected individuals that the breach “involved the information provided on [their] W-2” and “[i]t is possible that the criminal(s) may have filed or try to file fraudulent tax refunds in the names of our employees.” [DN 1-1 at 21, 24.] The fact that this is precisely what happened to Savidge indeed suggests a nexus between the data breach and the fraudulent activity that took place. See Resnick, 693 F.3d at 1326 (“Considering the Complaint as a whole and applying common sense to our understanding of this allegation, we find that Plaintiffs allege that the same sensitive information that was stored on the stolen laptops was used to open the Bank of America account. Thus, Plaintiffs' allegations that the data breach caused their identities to be stolen move from the realm of the possible into the plausible.”). Based on these allegations, the Court is satisfied that, at this stage, Plaintiffs have plausibly alleged causation. Therefore, Defendants’ motion to dismiss will be denied with respect to Plaintiffs’ negligence claim. 14 2. Negligence Per Se Under Kentucky law, “[n]egligence per se . . . ‘is ... a negligence claim with a statutory [or regulatory] standard of care substituted for the common law standard of care.’” Wright, 381 S.W.3d at 213 (quoting Real Estate Mktg., Inc. v. Franz, 885 S.W.2d 921, 927 (Ky. 1994)). “KRS 446.070 codifies the doctrine of negligence per se, and provides: ‘A person injured by the violation of any statute may recover from the offender such damages as he sustained by reason of the violation, although a penalty or forfeiture is imposed for such violation.’” Id. (quoting Ky. Rev. Stat. Ann. § 446.070). Here, Plaintiffs allege that Defendants violated KRS § 365.732(2), which states: Any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (4) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Ky. Rev. Stat. Ann. § 365.732(2). Specifically, Plaintiffs contend that Defendants failed to notify Plaintiffs of the breach of their personal information “in the most expedient time possible and without unreasonable delay.” Id. Even assuming, for argument’s sake only, that Defendants did not notify Plaintiffs in the most expedient time possible, Plaintiffs have identified no injury caused by this alleged delay. The parties agree that the breach occurred on March 3, 2016. [DN 1-1 at 8 (Complaint); DN 1-1 at 21, 24 (Letters from Pharm-Save to Plaintiffs).] Pharm-Save sent letters to the affected individuals dated March 24, 2016 notifying them of the March 3 breach. [DN 1-1 at 21, 24.] Accordingly, less than three weeks elapsed between the breach and Pharm-Save’s notifications to the Plaintiffs. 15 According to Plaintiffs, as a result of this nearly three week period, they “were subject to potentially avoidable harm which could have been mitigated by (i) purchasing identity protection services; (ii) monitoring their bank accounts, credit cards and other financial accounts; and (iii) taking other steps to protect against identity theft and the fraudulent use of their information by third parties.” [Id. at 14.] However, Plaintiffs do not allege what kind of “potentially avoidable harm” they experienced that could have been mitigated had they learned of the breach earlier. This mere allegation of harm, without accompanying factual allegations, is insufficient to warrant an inference that the alleged delay in notifying Plaintiffs of the security breach caused them cognizable injury. See Castillo v. Seagate Tech., LLC, No. 16-CV-01958RS, 2016 WL 9280242, at *5 (N.D. Cal. Sept. 14, 2016) (“No plaintiffs . . . have stated a cognizable injury that resulted from Seagate’s alleged failure to provide adequate and timely notice of the breach. They have not, for example, pleaded any facts suggesting timelier or more adequate notice would have prevented the filing of fraudulent tax returns.”). For these reasons, Plaintiffs’ negligence per se claim will be dismissed for failure to state a claim upon which relief can be granted. 3. Invasion of Privacy Under Kentucky law, “[t]he right of privacy . . . protects against four distinct torts: (1) unreasonable intrusion upon seclusion of another; (2) misappropriation of another's name or likeness; (3) unreasonable publicity given to one’s private life; and (4) publicity that places another in a false light.” Pearce v. Whitenack, 440 S.W.3d 392, 401 (Ky. Ct. App. 2014) (citing McCall v. Courier–Journal & Louisville Times Co., 623 S.W.2d 882, 887 (Ky. 1981) (adopting Restatement (Second) of Torts § 652A (1976))). 16 In their complaint and response to Defendants’ motion to dismiss, Plaintiffs allege the theory of “unreasonable publicity given to one’s private life.” See id. Generally, Kentucky courts have adopted Restatement principles with regard to invasion of privacy claims. See id. (Adopting “the principles of th[e] tort [of invasion of privacy] as enunciated in the Restatement (Second) of Torts (1976).”) With regard to “unreasonable publicity” invasion of privacy, the Restatement provides: One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. Restatement (Second) of Torts § 652D (1977). Indeed, both parties agree that this test applies to Plaintiffs’ invasion of privacy claim. [See DN 5-1 at 23; DN 13 at 17.] Defendants argue that Plaintiffs cannot state a claim for unreasonable publicity into their private lives because they have failed to allege that Defendants actually published their private information. [DN 5-1 at 23–24.] Specifically, according to the Restatement, “‘[p]ublicity’ . . . means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Restatement (Second) of Torts § 652D cmt. a (1977). Stated differently, publicity is “a communication that reaches, or is sure to reach, the public.” Id. Here, Plaintiffs merely allege in their complaint that “Defendants . . . published private, sensitive and personal facts of or concerning the Plaintiffs and the absent members of the Plaintiff Class;” that “the matters publicized are of a kind that would be highly offensive to a reasonable person, and that “the matters publicized are not of legitimate concern to the public.” [DN 1-1 at 15.] 17 However, Plaintiffs never allege that their information has been communicated to the public at large or to so many people that it is “substantially certain to become . . . public knowledge.” Restatement (Second) of Torts § 652D cmt. a (1977). Rather, Plaintiffs only allege that “their sensitive and personal information is literally in the hands of cybercriminals who intend to use that information for nefarious purposes.” [DN 1-1 at 15.] In their response, Plaintiffs argue that “Defendants communicated Plaintiffs’ PII to one or more cybercriminals” and that “it is more than plausible that the cybercriminals either did or will ‘sell the data in the so-called ‘dark markets.’” [DN 13 at 18 (citing DN 1-1 at 9).] However, Plaintiffs’ mere allegations that the cybercriminals “may . . . sell the data in the so-called ‘dark markets,’” [DN 11 at 9], is not enough to support an inference that Plaintiffs’ information is in the hands of the public. Accordingly, the Court agrees with Defendants that these allegations fall short of alleging that Defendants published Plaintiffs’ information to the public large or in such a way as to make it substantially certain that Plaintiffs’ information would become public knowledge. Because Plaintiffs have failed to plausibly allege publicity, their invasion of privacy claim will be dismissed. 4. Breach of Implied Contract Defendants move to dismiss Plaintiffs’ breach of implied contract claim on grounds that Plaintiffs fail to plead that a meeting of the minds ever took place and, alternatively, that Plaintiffs cannot show damages resulting from an alleged breach. [DN 5-1 at 24–25.] The Supreme Court of Kentucky has explained “[b]asic contract law provides that, as in the case of an express contract, an implied contract requires the agreement of the promisor to be bound.” Furtula v. Univ. of Kentucky, 438 S.W.3d 303, 308 (Ky. 2014), as modified (June 23, 2014). An implied contract 18 may be inferred wholly or partly from such conduct as justifies the promisee in understanding that the promisor intended to make a promise. To constitute such a contract there must, of course, be a mutual assent by the parties–a meeting of minds–and also an intentional manifestation of such assent. Such manifestation may consist wholly or partly of acts, other than written or spoken words. Id. (quoting Kellum v. Browning's Adm'r, 231 Ky. 308, 21 S.W.2d 459, 463 (1929) (internal citations omitted) (emphasis added)). Here, Plaintiffs allege that they provided their W-2 information to Defendants so that Defendants could verify their identities, provide them with compensation, and to provide Defendants with complete records for tax purposes. [DN 1-1 at 16.] According to Plaintiffs, Defendants “implicitly promised . . . that they would take adequate measures to protect their sensitive and personal information,” that “a material term of this contract is a covenant by Defendants that they will take reasonable efforts to safeguard that information,” and that Defendants breached that covenant by improperly releasing their PII. [DN 1-1 at 16–17.] The court in Castillo, which the Court referenced above, addressed a similar argument. There, the court explained: The upshot of the averments in the plaintiffs’ complaint . . . is quite clear: The employees provided their personal information for tax purposes and to receive employment and benefits, with the understanding that Seagate, while it held the information, would take adequate measures to protect it. Seagate received the personal information so that it could employ the plaintiffs, and provide them with employment and benefits. While Seagate made no explicit promises as to the ongoing protection of personal information, it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently. Castillo, 2016 WL 9280242, at *9. The Court finds this reasoning highly persuasive. Here, Plaintiffs make nearly identical allegations as those in Castillo. Like that court, this Court finds that these facts are sufficient for the Court to draw the reasonable inference that Defendants impliedly assented to protect Plaintiffs’ information. “A factfinder can ultimately determine 19 whether an implied contract to protect adequately plaintiffs' information existed, and whether such a contract for adequate protection required protection beyond an employment term.” Id. However, at this early stage, the Court is satisfied that Plaintiffs have adequately pled the existence of an implied contract. 5. Intentional Infliction of Emotional Distress In order to establish a common-law claim for intentional infliction of emotional distress under Kentucky law, [1] the wrongdoer's conduct must be intentional or reckless; [2] the conduct must be outrageous and intolerable in that it offends against the generally accepted standards of decency and morality; [3] there must be a causal connection between the wrongdoer's conduct and the emotional distress; and [4] the emotional distress must be severe. Stringer v. Wal-Mart Stores, Inc., 151 S.W.3d 781, 788 (Ky. 2004), abrogated on other grounds by Toler v. Süd-Chemie, Inc., 458 S.W.3d 276 (Ky. 2014), as corrected (Ky. Apr. 7, 2015), and reh'g denied (Ky. May 14, 2015); see also Childers v. Geile, 367 S.W.3d 576, 579 (Ky. 2012). The Court must decide, as to the second element, “whether the conduct complained of can reasonably be regarded to be so extreme and outrageous as to permit recovery” unless reasonable minds could differ on the subject. Keaton v. G.C. Williams Funeral Home, Inc., 436 S.W.3d 538, 544 (Ky. Ct. App. 2013) (quoting Goebel v. Arnett, 259 S.W.3d 489, 493 (Ky. Ct. App. 2007)). The bar is set high, for, under Kentucky law, “a claim for the tort of outrage requires the plaintiff to prove conduct which is so outrageous in character, and so extreme in degree, as to go beyond all possible bounds of decency, and to be regarded as atrocious, and utterly intolerable in a civilized community.” Hume v. Quickway Transp., Inc., No. 3:16-cv-00078-JHM, 2016 WL 3349334, at *9 (W.D. Ky. June 15, 2016) (quoting Futrell v. Douglas Autotech Corp., No. 5:09- 20 CV-21, 2010 WL 1417779, at *4 (W.D. Ky. Apr. 2, 2010)); see also Mineer v. Williams, 82 F. Supp. 2d 702, 706 (E.D. Ky. 2000) (“The standards for this tort are strict.”). Even taking all of Plaintiffs’ allegations as true, they have identified no “outrageous and intolerable” conduct approaching this high threshold. Rather, they have merely alleged that “the Defendants engaged in extreme and outrageous conduct.” [DN 1-1 at 17.] The Supreme Court has made clear, however, that “[a] pleading that offers ‘labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action will not do.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). “Nor does a complaint suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’” Id. (quoting Twombly, 550 U.S. at 557). Here, Plaintiffs only allege that Defendants’ conduct was extreme and outrageous. This allegation merely recites an element of an intentional infliction of emotional distress claim, but does not offer any factual enhancement to allege how Defendants’ conduct rose to that level. Similarly, Plaintiffs have failed to adequately plead their alleged “severe” emotional distress. Plaintiffs state in their complaint only that Defendants’ conduct “did indeed cause severe emotional distress.” [DN 1-1 at 17.] Once again, however, a mere formulaic recitation of an element of a cause of action is insufficient to state a claim without accompanying factual allegations. See Alioto v. Advantage Assocs., Inc., No. CIV.A. 10-14-C, 2011 WL 4435681, at *3 (W.D. Ky. Sept. 22, 2011) (Coffman, J.) (“Even if this court were to read the plaintiffs’ complaint to assert severe distress, such legal conclusions, without support by factual allegations, are not sufficient to survive a motion to dismiss.”). For these reasons, Plaintiffs’ claim of intentional infliction of emotional distress will be dismissed. 21 6. Negligent Infliction of Emotional Distress To prove negligent infliction of emotions distress, a plaintiff must first prove the elements of a standard negligence claim, meaning 1) duty, 2) breach, 3) causation, and 4) damages, and then, as with an intentional infliction of emotional distress claim, must demonstrate 5) severe emotional injury. Osborne v. Keeney, 399 S.W.3d 1, 17–18 (Ky. 2012). However, as the Court already discussed above, Plaintiffs did not adequately plead their alleged severe emotional distress. Specifically, claiming only that Defendants “cause[d] severe emotional distress” to Plaintiffs is insufficient. Accordingly, this claim, like Plaintiffs’ intentional infliction of emotional distress claim, will be dismissed. B. Proposed Amended Complaint Plaintiffs also seek to file an Amended Complaint to add four new causes of action: violations of the Kentucky Uniform Trade Secrets Act, conversion, trespass to chattels, and bailment. [DN 17 (Motion for Leave to File First Amended Class Action Complaint).] Federal Rule of Civil Procedure 15(a)(2) permits a party to amend a pleading “with the opposing party’s written consent or the court’s leave.” Fed. R. Civ. P. 15(a)(2). The Rule states that “court[s] should freely give leave when justice so requires.” Id. In determining whether the interests of justice support a grant of leave to amend, courts consider several factors, including “undue delay in filing, lack of notice to the opposing party, bad faith by the moving party, repeated failure to cure deficiencies by previous amendments, undue prejudice to the opposing party, or futility of the amendment.” Brumbalough v. Camelot Care Ctrs., Inc., 427 F.3d 996, 1001 (6th Cir. 2005) (citing Coe v. Bell, 161 F.3d 320, 341–42 (6th Cir. 1998)); see also Foman v. Davis, 371 U.S. 178, 182 (1962). “The grant or denial of leave to amend is within the discretion of the trial court, and review is for abuse of discretion.” Sec. Ins. Co. of Hartford v. Kevin Tucker & Assocs., Inc., 22 64 F.3d 1001, 1008 (6th Cir. 1995) (citing Roth Steel Prods. v. Sharon Steel Corp., 705 F.2d 134, 155 (6th Cir. 1983)). In Defendants’ response to Plaintiffs’ motion for leave to file an amended complaint, Defendants state that they “recognize that the Court has discretion in permitting amended pleadings, particularly at this early stage in the proceedings, and, therefore, leave the determination of Plaintiffs’ motion to the Court’s discretion.” [DN 19 at 1–2.] Due to this lack of opposition from Defendants, and Rule 15(a)(2)’s direction that courts should allow parties to amend pleadings freely as justice requires, the Court will grant Plaintiffs’ motion to amend, [DN 17.] However, as Defendants further point out in their response, due to the filing of this amended complaint, they shall be entitled to file a renewed motion to dismiss addressing the new claims presented in Plaintiffs’ amended complaint. C. Whether Neil Medical Group, Inc. is a Proper Defendant In their complaint, Plaintiffs allege that Neil Medical Group, Inc. constitutes a mere instrumentality and alter ego of Pharm-Save (and/or viseversa), as the two corporate entities share the exact same (1) corporate governance, (2) registered office, (3) principal office, (4) registered agent, (5) mailing address and (6) employees. Moreover, the North Carolina Department of Revenue has suspended Neil Medical as a corporation and, as explained supra , Neil Medical is not registered with the Secretary of State of the Commonwealth of Kentucky, so corporate formalities do not appear to be followed. [DN 1-1 at 4–5.] In their motion to dismiss, Defendants assert that Defendant Neil Medical Group, Inc. is not properly named in this action and should therefore be dismissed. [DN 5-1 at 4– 6.] In detail, Defendants contend that “Neil Medical Group, Inc. was not in operation at the time of the alleged conduct” and that Neil Medical Group, Inc. and Pharm-Save have numerous differences that preclude a finding of alter-ego liability. [Id.] In support of these claims, 23 Defendants attached to their motion the affidavit of Erik P. Lindberg, the corporate representative of Pharm-Save, Inc. and Neil Medical Group, Inc. [DN 5-2.] In Plaintiffs’ view, however, if the Court considers Lindberg’s affidavit, it must convert Defendants’ motion to one for summary judgment. [DN 13 at 25 (citing Fed. R. Civ. P. 12(d)).] Federal Rule of Civil Procedure 12(d) provides that, [i]f on a motion under Rule 12(b)(6) or 12(c), matters outside the pleadings are presented to and not excluded by the court, the motion must be treated as one for summary judgment under Rule 56. All parties must be given a reasonable opportunity to present all the material that is pertinent to the motion. Fed. R. Civ. P. 12(d). Accordingly, Plaintiffs assert that Neil Medical Group, Inc. should not be dismissed from this suit “until the extent of its involvement (and business relationship with the other Defendant) is ascertained” through discovery. [DN 13 at 26.] In their reply, the Defendants respond that Neil Medical Group, Inc. should, then, be granted summary judgment on the basis of the Lindberg affidavit. [DN 15 at 16.] After Defendants filed their reply, Plaintiffs filed a motion asking the Court to deny or stay its ruling on Defendants’ motion to dismiss if the Court considers the Lindberg affidavit. [DN 18.] Specifically, Plaintiffs argue that, “[b]y attaching the Lindberg Affidavit, Defendants have converted their Motion to Dismiss into a Motion for Summary Judgment, so Plaintiffs are entitled to discovery . . . the inclusion of the Lindberg Affidavit compels this Court to deny Defendants’ Motion or stay its ruling so that Plaintiffs can have an opportunity to conduct discovery.” [DN 18-1 at 2.] In response to the motion to stay, Defendants argue that the Court need not convert their motion to one for summary judgment, because “[t]he Lindberg Affidavit, [ ] relates solely to the lack of personal jurisdiction over Neil Medical and completely refutes Plaintiffs’ claims that Neil Medical either (1) employed the Plaintiffs, or (2) is Pharm-Save’s alter-ego.” [DN 20 at 1–2.] Defendants argue that, though they did not label their motion to 24 dismiss with respect to Neil Medical Group, Inc. as a motion to dismiss for lack of personal jurisdiction under Rule 12(b)(2), that was the essence of their motion. And, because courts can consider affidavits when making personal jurisdiction determinations, Defendant argues this Court can properly consider the Lindberg affidavit for that purpose here. In reply, Plaintiffs contend Defendants waived their defense of lack of personal jurisdiction by failing to raise it in their first responsive pleading, their motion to dismiss. [DN 21 at 2.] The Court disagrees. As Defendant argues in its response, it appears that Defendants did raise the issue of lack of personal jurisdiction in their initial motion to dismiss. True, Defendants did not caption their arguments with respect to dismissing Neil Medical Group, Inc. as being made under Rule 12(b)(2). However, Defendants arguments in their motion are indeed directed toward a personal jurisdiction determination. Plaintiffs state in their complaint that Neil Medical Group, Inc. is “a North Carolina corporation.” [DN 1-1 at 4.] In order to exercise personal jurisdiction over an out-of-state company defendant, [f]irst, the defendant must purposefully avail himself of the privilege of acting in the forum state or causing a consequence in the forum state. Second, the cause of action must arise from the defendant's activities there. Finally, the acts of the defendant or consequences caused by the defendant must have a substantial enough connection with the forum state to make the exercise of jurisdiction over the defendant reasonable. Means v. United States Conference of Catholic Bishops, 836 F.3d 643, 649 (6th Cir. 2016) (quoting S. Mach. Co. v. Mohasco Indus., Inc., 401 F.2d 374, 381 (6th Cir. 1968)). In their motion to dismiss Neil Medical Group, Inc. as a Defendant, Defendants essentially address these personal jurisdiction factors. For instance, Defendants argue, based on the Lindberg affidavit, that “Neil Medical Group, Inc. has never been engaged in the pharmacy business;” “has never done business in or operated in the Commonwealth of Kentucky; and that it “was not operational at the time the Complaint was filed or at the time of the alleged 25 conduct outlined in the Complaint.” [DN 5-1 at 4 (citing DN 5-2).] Accordingly, the Court finds that Defendants’ motion with respect to Neil Medical Group, Inc. can be properly construed as a motion to dismiss for lack of personal jurisdiction under Rule 12(b)(2). However, the Court agrees that Plaintiffs are entitled to conduct discovery on this issue before the Court makes a determination regarding personal jurisdiction. When “[p]resented with a properly supported 12(b)(2) motion and opposition, the court has three procedural alternatives: it may decide the motion upon the affidavits alone; it may permit discovery in aid of deciding the motion; or it may conduct an evidentiary hearing to resolve any apparent factual questions.” Theunissen v. Matthews, 935 F.2d 1454, 1458 (6th Cir. 1991) (citing Serras v. First Tennessee Bank Nat. Ass'n, 875 F.2d 1212, 1214 (6th Cir. 1989)). Here, Plaintiffs have requested preliminary discovery as to this issue, and the Court agrees that, to properly oppose Defendants’ motion, they are entitled to it. Accordingly, the Court will allow the parties to conduct discovery limited solely to the issue of the Court’s personal jurisdiction over Neil Medical Group, Inc. For judicial efficiency’s sake, at this time, the Court will deny the portion of Defendants’ motion brought under 12(b)(2) without prejudice and with leave to refile following the completion of limited discovery. D. Class Certification Plaintiffs state in their complaint that they seek to bring this suit as a class action on behalf of all individuals whose PII was compromised as a result of the March 3, 2016 breach. [DN 1-1 at 5–8.] In their motion to dismiss, Defendants oppose class certification, making several arguments related to broadness, arbitrariness, ascertainability, numerosity, adequate representation, typicality, and predominance. [DN 5-1 at 28–40.] In response, Plaintiffs state that they have not yet moved yet moved for class certification, but plan to do so at a later time, 26 after “the Plaintiffs have been afforded a full and fair opportunity to conduct discovery to refine their proposed class definition.” [DN 13 at 25.] The Court agrees that, at this early stage, it is premature to decide the class certification issue. See In re Am. Med. Sys., Inc., 75 F.3d 1069, 1079 (6th Cir. 1996) (“[O]rdinarily the determination should be predicated on more information than the pleadings will provide.... The parties should be afforded an opportunity to present evidence on the maintainability of the class action.”) (quoting Weathers v. Peters Realty Corp., 499 F.2d 1197, 1200 (6th Cir. 1974)). Accordingly, the Court will address this issue at a later time after Plaintiffs have properly raised it in a motion to certify. CONCLUSION For the reasons stated herein, IT IS HEREBY ORDERED as follows: (1) Defendants’ Motion to Dismiss, [DN 5], is GRANTED IN PART AND DENIED IN PART. Plaintiffs’ claims of negligence per se, invasion of privacy, intentional infliction of emotional distress, and negligent infliction of emotional distress are dismissed for failure to state a claim upon which relief can be granted. The portion of Defendants’ motion to dismiss Neil Medical Group, Inc. on grounds of lack of personal jurisdiction under Rule 12(b)(2) is DENIED WITHOUT PREJUDICE. The parties have until January 31, 2018 to conduct limited discovery on the issue of personal jurisdiction. Thereafter, Defendants have leave to refile their motion to dismiss Neil Medical Group, Inc. under Rule 12(b)(2). (2) Plaintiffs’ Joint Motion for Extension of Time to File Response as to Defendants’ Motion to Dismiss, [DN 8], is GRANTED. (3) Plaintiffs’ Joint Motion to Remand, [DN 11], is DENIED AS MOOT. 27 (4) Plaintiffs’ Motion for Leave to File First Amended Class Action Complaint, [DN 17], is GRANTED. Defendants will hereafter be permitted to file another motion to dismiss addressing Plaintiffs’ new claims. (5) Plaintiffs’ Joint Motion to Stay, [DN 18], is DENIED. (6) Defendants’ Motion for Leave to File Sur-Reply, [DN 23], is GRANTED. Date: cc: December 1, 2017 Counsel 28