By Gerald L. Maatman, Jr., Jennifer A. Riley, and George J. Schaller
Duane Morris Takeaways: In Gannon v. Truly Nolen of America Inc., No. 22-CV-428 (D. Ariz. Aug. 31, 2023), Judge James Soto of the U.S. District Court for the District of Arizona granted Defendant’s motion to dismiss with prejudice on negligence, breach of contract, and consumer fraud claims related to a data breach class action. For companies facing data breach claims in class actions, this decision is instructive in terms of how courts consider cognizable damages, especially when damages allegations are inadequately plead.
Case Background
Defendant Truly Nolen of America Inc. (“Defendant” or the “Company”), is an Arizona corporation that provides pest control services across the United States and in 30 countries around the world. Id. at 2. The Company experienced a data breach between April 29, 2022 and May 11, 2022. On May 11, 2022, the Company learned the breach occurred and identified personally identifiable information (“PII”) and personal health information (“PHI”) that was compromised. Id. In August of 2022, Defendant sent notice letters to individuals whose data may have been compromised. Id.
The Named Plaintiff, Crystal Gannon (“Plaintiff”), alleged that she received her notice letter regarding the data breach in August of 2022. Id. at 3. In her First Amended Complaint (“FAC”), Plaintiff sought to represent two proposed classes of plaintiffs, including one for a Nationwide Class and one for an Arizona Sub-class, related to the data breach. Id.
Plaintiff alleged numerous claims such as negligence, invasion of privacy, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violation of the Arizona Consumer Fraud Act (“Fraud Act”). Id. In response, Defendant filed a motion to dismiss on the grounds that Plaintiff’s case was without basis and the entire case was subject to dismissal. Id.
The Court’s Decision
The Court held that there was no valid basis for Plaintiff’s negligence claim. Id. at 4. Plaintiff argued that the Health Insurance Portability and Accountability Act (“HIPAA”) and the Federal Trade Commission Act (“FTCA”) created a duty in Arizona from which relief could be sought. Id. The Court disagreed. It found that neither the HIPAA nor the FTCA provided a private right of action. Id. The Court reasoned that “[p]ermitting HIPAA to define the ‘duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded.’” Id. The Court applied the same logic to the FTCA. Id.
On negligence damages, the Court held that Plaintiff’s FAC failed “to show identity theft or loss in continuity of healthcare of any class members – only the possibility of each.” Id. Under Arizona law, negligence damages require more than merely a threat of future harm, and on their own, threats of future harm are not cognizable negligence injuries. Id. 4-5. Similarly, as to out-of-pocket expenses, the Court opined that Plaintiff failed to demonstrate that her expenses were necessary because she did not properly show that Defendant’s identity monitoring services were inadequate. Id. at 5. Finally, the Court recognized that merely alleging a diminution in value to somebody’s PII or PHI was insufficient. Id. Therefore, the Court dismissed Plaintiff’s negligence claims.
Turning to Plaintiff’s breach of contract claims, the Court determined that Plaintiff did not show cognizable damages, a reasonable construction for the terms of the contract, or consideration for the existence of an implied contract. Id. at 6. The Court held that Plaintiff’s FAC allegations only reflected speculative damages and did not allege proof of real damages. Id. at 5. The Court opined that Plaintiff’s “vaguely pleaded” contract terms failed to show any language that would inform the terms of the agreement and Plaintiff did not point to any conduct or circumstances from which the terms could be determined. Id. at 5-6. Finally, the Court determined that even if Defendant had an obligation to protect the data at issue, such pre-existing obligations did not serve as consideration for a contract. Id. Therefore, the Court dismissed all breach of implied contract claims. Id.
On the claim for breach of the implied covenant of good faith and fair dealing, Plaintiff argued that Defendant breached by failing to maintain adequate computer systems and data security practices, failed to timely and adequately disclose the data breach, and inadequately stored PII and PHI. Because Plaintiff failed to show an enforceable promise, the Court held there could be no breach, and all claims for breach of the implied covenant of good faith and fair dealing were dismissed. Id. at 6.
The Court also dismissed Plaintiff’s Fraud Act claims because Plaintiff failed to show cognizable damages. Id. at 7. The Court reasoned “[p]laintiff cannot simply argue that the system is inadequate because a negative result occurred.” Id. The Court also reasoned that Plaintiff failed to demonstrate that Defendant’s security was inadequate when compared to other companies or any set of industry standards. Id. As to Plaintiff’s privacy claims, the Court held that there were no cognizable claims for invasion of privacy or breach of privacy, and Plaintiff did not dispute these claims in her response. Id.
Accordingly, the Court granted Defendant’s motion to dismiss as to all claims, denied Plaintiff leave to amend her complaint, and dismissed the case with prejudice. Id.
Implications For Companies
Companies confronted with data breach lawsuits should take note that the Arizona federal court in Gannon relied heavily on inadequately pleaded allegations in considering cognizable damages for purposes of granting Defendant’s motion to dismiss. Further, from a practical standpoint, companies should carefully evaluate pleadings for insufficient or speculative assertions on damages.