Krefting v. Kaye-Smith Enterprises Inc et al, No. 2:2023cv00220 - Document 44 (W.D. Wash. 2023)

Court Description: ORDER granting in part and denying in part Defendant's 24 Motion to Dismiss. Plaintiff's implied contract and unjust enrichment claims against BECU are dismissed with prejudice. Plaintiff's negligence claim, to the extent it relies on BECU's alleged failure to notify him about the Data Breach is also dismissed with prejudice. But Plaintiff's third-party beneficiary claims against BECU is dismissed without prejudice. To the extent Plaintiff wishes to file an amended complaint, he must comply with the Civil and Local Rules. Signed by Judge Jamal N Whitehead. (SB)

UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT SEATTLE

RICHARD KREFTING, individually and on behalf of all others similarly situated, Plaintiff,

v.

KAYE-SMITH ENTERPRISES INC., and BOEING EMPLOYEE CREDIT UNION, Defendants.

CASE NO. 2:23-cv-220

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT BECU’S MOTION TO DISMISS

Plaintiff Richard Krefting banked with Defendant Boeing Employees’ Credit Union (“BECU”). BECU shared his personally identifiable information with its printing vendor, Defendant Kaye-Smith Enterprises, Inc. A third-party hacked Kaye-Smith’s computer network in a data breach and gained access to Plaintiff’s and other BECU customers’ information. Plaintiff sued BECU and Kaye-Smith in this putative class action for negligence, unjust enrichment, breach of third-party beneficiary contract, breach of implied contract, and violations of the Washington State Consumer Protection Act. BECU filed this motion to dismiss, arguing that Plaintiff lacks standing and has otherwise failed to state a plausible claim for relief against BECU. Having reviewed the parties’ briefs and supporting material filed in support of and opposition to the motion, and the complaint, the Court GRANTS in part and DENIES in part BECU’s motion.

BACKGROUND

I. Background.

The Court takes the following alleged facts from Plaintiff’s Complaint (Dkt. No. 1) and considers them true for purposes of ruling on the pending Motion to Dismiss.

Defendant Boeing Employees’ Credit Union (“BECU”) is a Washington-based credit union. Dkt. No. 1 at 4. Defendant Kaye-Smith Enterprises is an Oregon-based company that “provides statement processing and billing services, inventory management, direct mail marketing, web applications, warehousing and distribution, and data management services” for BECU and other corporate clients. Id.
at 2, 4. BECU collected the personally identifiable information (“PII”) of its customers, and it provided this information to Kaye-Smith, which in turn stored the customers’ PII on its system. Id. at 2. At some point, cybercriminals breached Kaye-Smith’s computer network, accessing the PII of BECU’s customers (the “Data Breach”). Id. at 2-3, 5.

In May 2022, Kaye-Smith learned of the Data Breach. Id. at 5. In July 2022, BECU notified Plaintiff that his personal information, including name, address, account number(s), credit score, and Social Security number had been exposed to cybercriminals. Id. at 6.

After the Data Breach, Plaintiff discovered that a credit account was fraudulently opened using his personal information. Id. at 6. He also received notifications from Credit Karma that someone has tried to change his home address and make a credit inquiry without his permission. Id. at 6-7. Plaintiff has spent numerous hours responding to the Data Breach, including time spent researching the facts and scope of the breach, monitoring his accounts and personal information, reviewing his credit reports, responding to the fraudulent activity, and taking other steps to mitigate the consequences. Id. at 7.

Plaintiff filed this putative class action against BECU and Kaye-Smith (together, “Defendants”), to “redress Kaye-Smith’s unlawful, willful and wanton failure to protect the personally identifiable information of hundreds of thousands of individuals” that had been “exposed in a major data breach of Kaye-Smith’s network.” Id. at 2. Plaintiff alleges that he has suffered theft of his PII, “imminent and certain impending injury flowing from fraud and identity theft posed by Plaintiff’s PII being placed in the hands of cybercriminals,” diminution in value of PII, loss of the benefit of the bargain, and continued risk to his PII. Id. at 7.
DISCUSSION

I. Legal Standard.

A. Motion to Dismiss Standard.

The Court will grant a motion to dismiss only if the complaint fails to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citations omitted). The plausibility standard is less than probability, “but it asks for more than a sheer possibility” that a defendant did something wrong. Id. (citations omitted). “Where a complaint pleads facts that are ‘merely consistent with’ a defendant’s liability, it ‘stops short of the line between possibility and plausibility of ‘entitlement to relief.’’” Id. (quoting Twombly, 550 U.S. at 557). In other words, a plaintiff must have pled “more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id.

When considering a motion to dismiss, the Court accepts factual allegations pled in the complaint as true and construes them in the light most favorable to the plaintiff. Lund v. Cowan, 5 F.4th 964, 968 (9th Cir. 2021). But courts “do not assume the truth of legal conclusions merely because they are cast in the form of factual allegations.” Fayer v. Vaughn, 649 F.3d 1061, 1064 (9th Cir. 2011) (citations omitted). Thus, “conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss.” Id. (internal quotation marks omitted).

B. Choice of Law.

“A federal court sitting in diversity ordinarily must follow the choice-of-law rules of the State in which it sits.” Atl. Marine Constr. Co. v. U.S. Dist. Ct., 571 U.S. 49, 65 (2013).
“This applies to actions brought under the Class Action Fairness Act [(“CAFA”), 28 U.S.C. § 1332(d)(2),] as well, since CAFA is based upon diversity jurisdiction.” Veridian Credit Union v. Eddie Bauer, LLC, 295 F. Supp. 3d 1140, 1149 (W.D. Wash. 2017) (citations omitted). Here, Krefting filed this case in federal court pursuant to CAFA. Dkt. No. 1 at 5. Consequently, the Court follows Washington’s choice-of-law rules. Because there is no “conflict between the law of Washington and the law of another state,” the Court need not analyze this issue further and will apply Washington law to this dispute. Burnside v. Simpson Paper Co., 864 P.2d 937, 942 (Wash. 1994).

II. Plaintiff has standing to sue.

BECU claims Plaintiff lacks Article III standing to sue. To establish Article III standing, Plaintiff must demonstrate “(i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2203 (2021) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–561 (1992)).

First, BECU claims that Plaintiff has not suffered an injury in fact. The Supreme Court recently revisited this subject in TransUnion, and it held that “[t]o have Article III standing to sue in federal court, plaintiffs must demonstrate, among other things, that they suffered a concrete harm. No concrete harm, no standing.” TransUnion LLC, 141 S. Ct. at 2200. Concrete harms, such as physical harm and monetary harms, readily qualify as concrete injuries under Article III. Id. at 2204. But intangible harms can also be concrete when the injury bears a “close relationship to harm traditionally recognized as providing a basis for lawsuits in American courts.” Id.
(quotations omitted). The Supreme Court described disclosure of private information and intrusion upon seclusion as examples of intangible harms that can also be concrete for standing purposes. Id. Importantly, within the context of this case, the Supreme Court held that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2211 (emphasis in original).

Plaintiff alleges that after the Data Breach, he “discovered a credit account fraudulently opened using his personal information” and received “notifications from Credit Karma that someone ha[d] attempted to change the location of his home address” and “made a credit inquiry without his permission.” Dkt. No. 1 at 6, 7. BECU argues that Plaintiff’s allegations regarding fraudulent activities are insufficient to constitute a concrete harm. The Court disagrees. Plaintiff’s claims that someone fraudulently opened an account in his name and attempted to change his home address are actual injuries, and a far cry from the threatened harm of identity theft the Supreme Court found to be “too speculative” for standing purposes in TransUnion. 141 S. Ct. at 2212. On this record, the Court finds Plaintiff’s allegations of actual misuse of his PII sufficient to state concrete injury under Article III. See, e.g., Webb v. Injured Workers Pharmacy, LLC, No. 22-1896, 2023 WL 4285814, at *5 (1st Cir. June 30, 2023) (“[T]he complaint’s plausible allegations of actual misuse of Webb’s stolen PII to file a fraudulent tax return suffice to state a concrete injury under Article III.”); Gaddy v. Long & Foster Cos., No. CV212396RBKEAP, 2023 WL 1926654, at *8 (D.N.J. Feb.
10, 2023) (“Misuse of financial information is a cognizable, intangible injury that, even without financial loss, is sufficient to confer standing.”).

Additionally, Plaintiff alleges that he shared private, sensitive data with BECU, and that BECU failed to safeguard his information, which allowed malicious third parties to carry out the Data Breach. See generally Dkt. No. 1. The Court finds that Plaintiff’s claimed injuries flowing from these acts have a close historical and common-law analog since the theft and loss of control over PII is akin to traditional claims for invasions of privacy and intrusion upon seclusion. See TransUnion, 141 S. Ct. 2204; see also Patel v. Facebook, Inc., 932 F.3d 1264, 1274 (9th Cir. 2019) (“Under the common law, an intrusion into privacy rights by itself makes a defendant subject to liability.”). Indeed, “[n]umerous courts” since TransUnion, “including the Ninth Circuit, have found allegations concerning the interference with plaintiffs’ control over their personal data to be sufficient for standing on account of their injury implicating an “invasion of the historically recognized right to privacy.” Leonard v. McMenamins, Inc., No. 2:22-CV-00094-BJR, 2022 WL 4017674, at *5 (W.D. Wash. Sept. 2, 2022) (collecting cases).

Even without a historical analog tethering his claims to a concrete injury in fact, the Court finds that Plaintiff has sufficiently pled that the Data Breach caused “separate concrete harm” in the form of time expended investigating and mitigating the breach. Dkt. No. 1 at 30. As the Third Circuit explained, “if the plaintiff's knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.” Clemens v. ExecuPharm Inc., 48 F.4th 146, 156 (3d Cir. 2022); see also TransUnion, 141 S. Ct.
at 2211 n.7 (“[A] plaintiff’s knowledge that he or she is exposed to a risk of future physical, monetary, or reputational harm could cause its own current emotional or psychological harm.”); Whittum v. Univ. Med. Ctr. of S. Nev., No. 221CV01777MMDEJY, 2023 WL 2967306, at *3 (D. Nev. Apr. 17, 2023) (“Because Plaintiffs undertook substantial mitigation and remedial measures to prevent fraud, incurred out-of-pocket expenses, and suffered emotional distress from the anticipation of fraud, the Court finds that Plaintiffs have alleged concrete, separate injuries for standing from the risk of future harm.”).

Accordingly, Plaintiff has plausibly alleged an injury in fact. Having found at least several of Plaintiff’s alleged harms to confer standing, the Court need not address the sufficiency of Plaintiff’s other alleged harms like the increased risk of fraud or identity theft, or the diminution in the value of Plaintiff’s PII. See Dkt. No. 1 at 31.

Next, the Court considers whether Plaintiff’s injuries are “fairly traceable” to BECU’s actions. A showing that an injury is fairly traceable requires less than a showing of “proximate cause.” Maya v. Centex Corp., 658 F.3d 1060, 1070 (9th Cir. 2011) (concluding that, for purposes of Article III standing, plaintiffs need not “demonstrate that defendants’ actions are the ‘proximate cause’ of plaintiffs’ injuries”). This step examines the chain of causation, but the chain does not fail simply because it contains several links or because the defendant’s actions are not the last link in the chain. See Wash. Env’t Council v. Bellon, 732 F.3d 1131, 1142 (9th Cir. 2013). “Even a showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly traceable requirement.” Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012).
Here, Plaintiff alleges BECU provided his PII to Kaye-Smith, who ultimately suffered the data breach. Thus, for purposes of the Court’s standing analysis, Plaintiff’s allegations demonstrate sufficiently that BECU’s actions are within the causal chain and therefore fairly traceable to his injuries.

Concerning the last element of standing—whether Plaintiff’s alleged injuries are redressable by relief that could be obtained through this lawsuit—the Court finds that Plaintiff has alleged sufficient facts demonstrating that her injuries could be compensated through monetary damages and injunctive relief. See Thole v. U. S. Bank N.A, 140 S. Ct. 1615, 1618 (2020). Accordingly, the final standing requirement is met.

III. Plaintiff fails to state a plausible claim for relief on some of his claims.

The fact that Plaintiff has standing to sue does not mean he has stated a plausible claim for relief against BECU. See Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010) (“Article III standing does not establish that they adequately pled damages for purposes of their state-law claim.”). Indeed, establishing Article III standing means a Plaintiff has “[s]tanding to sue” but not necessarily “to succeed.” Doe v. Chao, 540 U.S. 614, 641 (2004).

Here, Plaintiff asserts five claims against BECU: negligence, unjust enrichment, breach of a third-party beneficiary contract, breach of implied contract, and violation of the CPA. Plaintiff must allege enough to state a plausible claim for relief, but as explained below, he has not done so here for all of his claims.

A. Plaintiff has stated a plausible negligence claim, in part.

1. Plaintiff alleges sufficient facts demonstrating that BECU’s conduct gave rise to a duty to protect his data from third-party acts.
Plaintiff alleges that “it was negligent to provide [his] … PII and financial information to [Kaye-Smith] who lacked adequate security systems.” Dkt. No. 1 at 3. BECU argues, however, that it owed Plaintiff no duty to safeguard his data, and that even if it did, it did not breach that duty and that any alleged breach did not cause any legally cognizable injury.

To establish a claim for negligence under Washington Law, a plaintiff must prove: “(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury.” Degel v. Majestic Mobile Manor, Inc., 914 P.2d 728, 731 (Wash. 1996). “The existence of a duty is a question of law and depends on mixed considerations of logic, common sense, justice, policy, and precedent.” Snyder v. Med. Serv. Corp., 35 P.3d 1158, 1164 (Wash. 2001) (internal quotation marks omitted). Duty may be “predicated on violation of statute or common law principles of negligence.” Jackson v. City of Seattle, 244 P.3d 425, 428 (Wash. Ct. App. 2010) (citation omitted).

As general rule, there is no duty under Washington law “to control the conduct of a third person so as to prevent him from causing harm to another.” Robb v. City of Seattle, 295 P.3d 212, 216 (Wash. 2013) (citation omitted). But there are exceptions to this rule, which generally fall into two camps: when there is a “special relationship” with the victim or criminal, and when “the actor’s own affirmative act creates a recognizable high degree of risk of harm” to another. Id.

BECU is correct that no Washington court has recognized a special relationship between banks and their customers when it comes to safeguarding their PII, and Plaintiff cites no authority to the contrary.
[1] So without more, Plaintiff’s conclusory statements that a special relationship existed will not suffice to create a duty where none has been previously recognized by a Washington court.

Footnote 1: In fact, one of the primary cases relied upon by Plaintiff—Buckley v. Santander Consumer USA, Inc., reached the same conclusion that Washington recognizes no such duty. No. C17-5813 BHS, 2018 WL 1532671, at *5 (W.D. Wash. Mar. 29, 2018) (“Washington courts have not recognized a ‘special relationship’ between consumers and data custodians as they have between insurers and their insureds.”); see In re MCG Health Data Sec. Issue Litig., No. 2:22-CV-849RSM-DWC, 2023 WL 3057428, at *3 (W.D. Wash. Mar. 27, 2023), report and recommendation adopted, No. 2:22-CV-849-RSM-DWC, 2023 WL 4131746 (W.D. Wash. June 22, 2023) (same).

But the Court need not decide whether a special relationship could exist because Plaintiff has sufficiently pled that BECU’s affirmative acts exposed her to a high risk of harm thereby creating a duty. See Washburn v. City of Fed. Way, 310 P.3d 1275, 1289 (Wash. 2013) (holding tortfeasor’s affirmative acts created new danger giving rise to a duty to guard against the criminal conduct of a third-party). Plaintiff alleges BECU knew that “cybercriminals routinely target corporations … in an attempt to steal the[ir] collected Private Information,” that Kaye-Smith “failed to maintain many reasonable and necessary industry standards necessary to prevent data breaches,” that BECU failed to ensure that Kaye-Smith had proper safeguards in place, and that BECU provided its customers’ PII to Kaye-Smith nevertheless. Dkt. No. 1 at 6, 15, 17, 26. This last step, as alleged, is the affirmative act by BECU that subjected Plaintiff to harm.
BECU tries in vain to disrupt Plaintiff’s stated formulation of his negligence claim, arguing that “Plaintiff does not allege that BECU knew that Kaye-Smith allegedly lacked adequate security measures,” but Plaintiff’s complaint alleges BECU failed to ensure that Kaye-Smith had proper safeguards in place before deliberately sharing Plaintiff’s data. This is all that is required at this stage of the case to adequately allege a duty was owed. See Dkt. No. 1 at 6.

The Court finds that Plaintiff has stated a plausible claim for relief as to the other elements of his negligence claim because (1) Plaintiff’s factual allegations about a duty owed also include an allegation that BECU breached its duty to safeguard his data by sharing it with Kaye-Smith, (2) Plaintiff alleges sufficient facts, as explained above, demonstrating that he has been injured by BECU’s negligent conduct, and (3) Plaintiff has alleged sufficient connection between BECU’s conduct and his alleged harms. See Meyers v. Ferndale Sch. Dist., 481 P.3d 1084, 1088 (Wash. 2021) (In Washington, the “duty analysis informs the proximate cause analysis,” which is “generally a question of fact for the jury….”).

Even so, BECU argues that it could never be liable for Kaye-Smith’s conduct because “in Washington, one who employs an independent contractor is not liable to third parties for the alleged negligence of that independent contractor or its employees.” Dkt. No. 24 at 19. But Washington courts recognize several exceptions to this rule, including “exceptions that subject the principal to liability for its own negligence and the second being exceptions that subject the principal to liability for its contractor's tortious conduct even if the principal has itself exercised reasonable care.” Millican v. N.A. Degerstrom, Inc., 313 P.3d 1215, 1219 (Wash. Ct. App.
2013); see generally David K. DeWolf & Keller W. Allen, 16 Washington Practice, Tort Law and Practice § 4.15 (5th ed. 2020) (discussing exceptions to general rule exempting a contracting party for the negligence of an independent contractor). Many of the exceptions are highly fact-specific, and the Court need not analyze them at this early stage of the case, except to say that Plaintiff has alleged facts sufficient to show that BECU owed him a duty as outlined above.

Accordingly, the Court finds that Plaintiff has adequately pled his theory that BECU owed him a duty because it transmitted his personal data to Kaye-Smith without ensuring that Kaye-Smith had taken adequate measures to safeguard Plaintiff’s data, thus exposing him to a high degree of risk of data theft. See Buckley, 2018 WL 1532671, at *5 (holding the plaintiff adequately alleged a negligence claim in a data breach case when bank “deliberately transmitted” plaintiff’s personal information to an unauthorized third party who later suffered a data breach).

2. Plaintiff’s negligence claim based on a failure to notify fails to state a claim.

Plaintiff argues that BECU owed him a duty of care to “timely and sufficiently notify” him of the Data Breach, but that BECU failed to act within the 30-days generally allowed to notify affected consumers under Washington’s Data Breach Act (“DBA”), RCW 19.255.010(8). BECU argues that it notified Plaintiff within 30 days of learning that his data was breached, as distinguished from when it first learned of the data intrusion in general, and thus complied with the DBA.

Washington courts turn to the Restatement (Second) of Torts section 286 to determine whether a duty may be predicated upon a statutory violation. Barrett v. Lucky Seven Saloon, Inc., 96 P.3d 386, 390 (Wash. 2004).
“Under this provision of the Restatement, “[t]he court may adopt as the standard of conduct of a reasonable [person] the requirements of a legislative enactment . . . whose purpose is found to be exclusively or in part (a) to protect a class of persons that includes the person whose interest is invaded, and (b) to protect the particular interest which is invaded, and (c) to protect that interest against the kind of harm which has resulted, and (d) to protect that interest against the particular hazard from which the harm results.” Id. (quoting Restatement (Second) of Torts § 286 (1965)).

The Court is unaware of, and the parties do not cite, any Washington cases deciding whether a duty may be derived from the breach-notification provision found in the DBA, but the Court need not decide the issue, as BECU notified Plaintiff within the time prescribed by the statute. In pertinent part, the statute reads:

    Notification to affected consumers under this section must be made in the most expedient time possible, without unreasonable delay, and no more than thirty calendar days after the breach was discovered….

RCW 19.255.010(8). Here, Plaintiff attached to his complaint the notice BECU provided him following the breach, stating that BECU learned on July 5, 2022, that an unauthorized third party accessed Plaintiff’s personal data. Dkt. No. 1 at 39. Plaintiff alleges he “received a breach notification letter from BECU” on July 25, 2022, which was no more than 30 calendar days after BECU discovered that Plaintiff was affected by the breach. Dkt. No. at 6.

Thus, Plaintiff fails to allege facts supporting his claim that BECU failed to timely and sufficiently notify him of the breach even assuming the DBA created a duty owed.

B. Because an express contract covers the same subject matter, Plaintiff cannot maintain separate claims for breach of an implied contract and unjust enrichment.
Plaintiff claims BECU breached an implied contract to safeguard his PII. He claims that when he provided his PII to BECU in exchange for banking services, that they entered an implied contract “in which Defendant agreed to comply with its statutory and common law duties to protect” him and timely notify him in the event of a data breach. Dkt. No. 34 at 26. Plaintiff’s only allegation that BECU failed to safeguard his information is that it negligently shared his PII with Kaye-Smith. In response, BECU argues Plaintiff cannot claim breach of an implied contract when there’s an actual express contract that covers the issues at stake. BECU has a point.

Under long standing Washington law, “[a] party to a valid express contract is bound by the provisions of that contract, and may not disregard the same and bring an action on an implied contract relating to the same matter, in contravention of the express contract.” Chandler v. Wash. Toll Bridge Auth., 137 P.2d 97, 103 (Wash. 1943). Before addressing this issue squarely, however, the Court must first determine the scope of the record on review.

Typically, the Court’s review of the record is confined to the contents of the complaint when considering a Rule 12(b)(6) motion. Campanelli v. Bockrath, 100 F.3d 1476, 1479 (9th Cir. 1996). But courts may consider documents referenced extensively in the complaint, documents that form the basis of plaintiff’s claim, and matters of judicial notice when determining whether the allegations in the complaint state a claim upon which relief can be granted. United States v. Ritchie, 342 F.3d 903, 908–09 (9th Cir. 2003). BECU has submitted its standard Membership Agreement containing the terms and conditions of its relationship with customers like Plaintiff. Dkt. No. 25 at 3-40.
Plaintiff has not challenged the authenticity of the agreement or whether the Court may consider it as a matter of judicial notice or under the doctrine of incorporation by reference. For purposes of determining whether Plaintiff has stated a plausible claim for relief under an implied contract theory, the Court will consider the Membership Agreement.

Plaintiff does not contest that the Membership Agreement is a valid contract. But he contends that the Membership Agreement does not govern either dispute. The Membership Agreement contains a section title, “PRIVACY NOTICE.” Dkt. No. 25 at 8 (emphasis in original). The notice explains that, among other things, BECU will collect and share its customers’ PII “for [its] everyday business purposes,” “for [its] marketing purposes,” and “for joint marketing with other financial companies.” Id. When it comes to protecting personal information, the Membership Agreement states that BECU will protect “personal information from unauthorized access and use” and that BECU will “use security measures that comply with federal law[,]” including “computer safeguards and secured files and buildings.” Id. On this record, the Court finds that the Membership Agreement covers the same subject matter implicated by Plaintiff’s implied contract claim.

Plaintiff may contend that his claims are based on BECU’s alleged failure to follow some more generalized standard of care apart from its express contractual obligations, but this theory falls for at least two reasons: Plaintiff alleges no facts that BECU agreed to be bound by anything more than what’s in the express agreement, and any claim that BECU failed to exercise some level of reasonable care sounds in something other than contract. Thus, Plaintiff may not maintain a cause of action for breach of an implied contract.
Plaintiff’s unjust enrichment claim meets a similar fate. “Unjust enrichment is the method of recovery for the value of the benefit retained absent any contractual relationship because notions of fairness and justice require it.” Young v. Young, 191 P.3d 1258, 1262 (Wash. 2008); see also Hurlbut v. Crines, 473 P.3d 263, 270 (Wash. Ct. App. 2020) (“[T]he courts will not allow a claim for unjust enrichment in contravention of a provision in a valid express contract.”) (internal citation omitted). Like Plaintiff’s implied contract claim, the Court finds that the Membership Agreement relates to the same subject matter as Plaintiff’s unjust enrichment claim and thus applies with equal preclusive force.

Because the defects in Plaintiff’s implied contract and unjust enrichment claims cannot be cured with additional factual allegations, the Court dismisses these claims with prejudice.

C. Plaintiff fails to state a breach of a third-party beneficiary contract claim.

Plaintiff asserts that he was a third-party beneficiary to the contract between BECU and Kaye-Smith, but his allegations lack specificity, and therefore, fail to state a claim.

“The right of a third party beneficiary to sue upon a contract depends, as a rule, upon whether the contract is for his direct benefit or whether his benefit under it is merely incidental, indirect or consequential.” Lonsdale v. Chesterfield, 573 P.2d 822, 825 (Wash. Ct. App. 1978). Under Washington law, “both contracting parties must intend that a third-party beneficiary contract be created.” Rajagopalan v. NoteWorld, LLC, 718 F.3d 844, 847 (9th Cir. 2013) (citation omitted). The “key” question is “whether performance under the contract would necessarily and directly benefit the party.” Id.
“The contracting parties’ intent is determined by construing the terms of the contract as a whole, in light of the circumstances under which it is made.” Postlewait Constr., Inc. v. Great Am. Ins. Cos., 720 P.2d 805, 807 (Wash. 1986).

Here, Plaintiff alleges that Kaye-Smith and BECU entered various contracts “expressly for the benefit of Plaintiff” to perform services, including “process and servicing of third-party information.” Dkt. No. 1 at 31-31. These contentions are borderline conclusory in nature and close to the unadorned, the-defendant-unlawfully-harmed-me accusation that the Supreme Court warns against, but the Court construes them in the light most favorable to Plaintiff and finds that he has sufficiently alleged that he is a third-party beneficiary of a contract between the defendants.

But Plaintiff has not sufficiently alleged that BECU breached its contract with Kaye-Smith, which is fatal to his third-party claim against BECU. Indeed, his complaint alleges that Kaye-Smith breached the contract and is silent about any breach by BECU. Plaintiff tries to expand the scope of his factual allegations in his opposition brief by arguing that the contract was breached when the PII was exposed and when “BECU failed to timely notify” Plaintiff of the Data Breach. These claims, however, are found nowhere in his complaint and the Court will not consider them now. See Schneider v. Cal. Dep’t of Corr., 151 F.3d 1194, 1197 n.1 (9th Cir. 1998) (“In determining the propriety of a Rule 12(b)(6) dismissal, a court may not look beyond the complaint to a plaintiff's moving papers, such as a memorandum in opposition to a defendant's motion to dismiss.”); Car Carriers v. Ford Motor Co., 745 F.2d 1101, 1107 (7th Cir. 1984) (“[T]he complaint may not be amended by the briefs in opposition to a motion to dismiss.”).
Thus, the Court finds that Plaintiff has failed to state a plausible claim for breach of a third-party beneficiary contract claim.

D. Plaintiff states a plausible CPA claim.

BECU argues that Plaintiff fails to make out a CPA claim because he has not pled any unfair or deceptive practice. The Court disagrees.

The Washington CPA prohibits “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce ….” RCW 19.86.020. To prevail on his CPA claim, Plaintiff must show: (1) an unfair or deceptive act (2) in trade or commerce (3) that affects the public interest, (4) injury to the plaintiff in his or her business or property, and (5) a causal link between the unfair or deceptive act complained of and the injury suffered. Trujillo v. Nw. Tr. Servs., Inc., 355 P.3d 1100, 1107 (Wash. 2015). Plaintiff must satisfy every element of a CPA claim. Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 719 P.2d 531, 539-40 (Wash. 1986). But the CPA “shall be liberally construed [so] that its beneficial purposes may be served.” RCW 19.86.920.

‘“Because the CPA does not define ‘unfair or deceptive, the Washington Supreme Court has allowed the definitions to evolve through a gradual process of judicial inclusion and exclusion.’” Veridian Credit Union, 295 F. Supp. 3d at 1161 (quoting Saunders v. Lloyd’s of London, 779 P.2d 249, 256 (Wash. 1989). “Either an unfair or a deceptive act can be the basis for a CPA claim.” Id. (citing Klem v. Wash. Mut. Bank, 295 P.3d 1179, 1187 (Wash. 2013)). ‘“An unfair act is established by evidence that it (1) causes or is likely to cause substantial injury, which (2) consumers cannot avoid, and (3) is not ‘outweighed by countervailing benefits.’’” Id. (quoting Merriman v. Am. Guar. & Liab. Ins. Co., 396 P.3d 351, 368 (Wash. Ct. App. 2017)).
Based on the Washington courts’ definition and the liberal construction afforded to the CPA, the Court finds that Plaintiff has adequately alleged that BECU engaged in an unfair act when it failed to safeguard its customers’ data by disclosing it to Kaye-Smith without investigating whether its computer and network security systems were vulnerable to cyberattacks. Plaintiff further alleges BECU engaged in an unfair or deceptive act by omitting key information from consumers about Kaye-Smith’s inadequate data security measures. Under similar circumstances, the Court has found that the failure to take proper measures to secure PII can constitute an unfair act under the CPA. Leo Guy v. Convergent Outsourcing, Inc., No. C22-1558 MJP, 2023 WL 4637318, at *8 (W.D. Wash. July 20, 2023); Veridian Credit Union, 295 F. Supp. at 1162 (denying motion to dismiss CPA claim when “key wrong doing” alleged was defendant’s “failure to employ adequate data security measures”); In re MCG Health Data Sec. Issue Litig., 2023 WL 3057428, at *14, report and recommendation adopted, No. 2:22-CV-849-RSM-DWC, 2023 WL 4131746 (W.D. Wash. June 22, 2023) (report and recommendation on defendant’s motion to dismiss recommending that plaintiff’s Washington CPA claim proceed based on plaintiffs allegations that defendant “failed to take proper measures to protect their private information with respect to its data security systems.”); Buckley, 2018 WL 1532671, at *3 (denying motion to dismiss CPA claim when plaintiff alleged that defendant “intentionally exposed her to an unacceptable” risk of data theft when it shared her PII with unauthorized third-party).

BECU also argues that Plaintiff suffered no injury as a result of its unfair or deceptive practice, and that to the extent he did suffer an injury, BECU was not the cause.
But “injury to property or business is broadly construed;” “[e]ven minimal injury is sufficient to meet the damages element of a CPA claim.” Univ. of Wash. v. Gov’t Emps. Ins. Co., 404 P.3d 559, 571 (Wash Ct. App. 2017). In fact, nonquantifiable injuries such as time or expense incurred investigating a suspected deceptive practice will suffice. See Lock v. Am. Fam. Ins. Co., 460 P.3d 683, 694 (2020). As discussed above, under the standing analysis, the Court finds that Plaintiff has alleged sufficient injuries to proceed with his claims.

The causation element is satisfied if the plaintiff establishes that he relied upon a misrepresentation of fact, or where the defendant “induced” the plaintiff to act or refrain from acting. See Desranleau v. Hyland’s, Inc., 450 P.3d 1203, 1210 (Wash. Ct. App. 2019), review denied, 458 P.3d 783 (2020) (trial court properly dismissed CPA claim against manufacturer where plaintiff had never heard of product until after child’s death). But when the unfair or deceptive act is premised on an omission, as is the case here, Washington courts recognize a rebuttable presumption of reliance. Eng. v. Specialized Loan Servicing, 500 P.3d 171, 181 (Wash. Ct. App. 2021) (trial court erroneously dismissed CPA claim where borrower was entitled to rebuttable presumption of reliance); Deegan v. Windermere Real Estate/Center-Isle, Inc., 391 P.3d 582, 587 (Wash. Ct. App. 2017). Thus, the Court finds that Plaintiff has stated a plausible claim for a violation of the CPA.

IV. Leave to Amend.

In his opposition to the motion, Plaintiff requests leave to amend his complaint “to the extent any portion of the Motion is granted.” Dkt. No. 34 at 29, 30.
As explained above, the Court dismisses Plaintiff’s implied contract and unjust enrichment claims, as well as Plaintiff’s negligence claim to the extent it relies on BECU’s alleged failure to timely notify him about the Data Breach, with prejudice. Plaintiff’s third-party beneficiary claim is dismissed without prejudice because the dismissal is rooted in the insufficiency of Plaintiff’s factual allegations.

Plaintiff may therefore move to amend his complaint, but he must comply with the Civil and Local Rules in doing so. In light of the rulings, the Court need not decide whether Plaintiff’s complaint constitutes impermissible “shotgun pleading,” as BECU contends. Dkt. No. 24 at 29.

CONCLUSION

For the foregoing reasons, BECU’s motion to dismiss (Dkt. No. 24) is GRANTED in part and DENIED in part. Plaintiff’s implied contract and unjust enrichment claims against BECU are dismissed with prejudice. Plaintiff’s negligence claim, to the extent it relies on BECU’s alleged failure to notify him about the Data Breach is also dismissed with prejudice. But Plaintiff’s third-party beneficiary claims against BECU is dismissed without prejudice. To the extent Plaintiff wishes to file an amended complaint, he must comply with the Civil and Local Rules.

Dated this 28th day of July, 2023.

Jamal N. Whitehead
United States District Judge
