Arizona Federal Court Grants Pest Control Company’s Motion To Dismiss Data Breach Class Claims

By Gerald L. Maatman, Jr., Jennifer A. Riley, and George J. Schaller

Duane Morris Takeaways: In Gannon v. Truly Nolen of America Inc., No. 22-CV-428 (D. Ariz. Aug. 31, 2023), Judge James Soto of the U.S. District Court for the District of Arizona granted Defendant’s motion to dismiss with prejudice on negligence, breach of contract, and consumer fraud claims related to a data breach class action. For companies facing data breach claims in class actions, this decision is instructive in terms of how courts consider cognizable damages, especially when damages allegations are inadequately pleaded.

Case Background

Defendant Truly Nolen of America Inc. (“Defendant” or the “Company”) is an Arizona corporation that provides pest control services across the United States and in 30 countries around the world.  Id. at 2.  The Company experienced a data breach between April 29, 2022 and May 11, 2022.  On May 11, 2022, the Company learned the breach occurred and identified personally identifiable information (“PII”) and personal health information (“PHI”) that was compromised.  Id.  In August of 2022, Defendant sent notice letters to individuals whose data may have been compromised.  Id.

The Named Plaintiff, Crystal Gannon (“Plaintiff”), alleged that she received her notice letter regarding the data breach in August of 2022.  Id. at 3.  In her First Amended Complaint (“FAC”), Plaintiff sought to represent two proposed classes of plaintiffs, including one for a Nationwide Class and one for an Arizona Sub-class, related to the data breach.  Id.

Plaintiff alleged numerous claims such as negligence, invasion of privacy, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violation of the Arizona Consumer Fraud Act (“Fraud Act”).  Id.  In response, Defendant filed a motion to dismiss on the grounds that Plaintiff’s case was without basis and the entire case was subject to dismissal.  Id.

The Court’s Decision

The Court held that there was no valid basis for Plaintiff’s negligence claim.  Id. at 4.  Plaintiff argued that the Health Insurance Portability and Accountability Act (“HIPAA”) and the Federal Trade Commission Act (“FTCA”) created a duty in Arizona from which relief could be sought.  Id.  The Court disagreed. It found that neither the HIPAA nor the FTCA provided a private right of action.  Id.  The Court reasoned that “[p]ermitting HIPAA to define the ‘duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded.’”  Id.  The Court applied the same logic to the FTCA.  Id.

On negligence damages, the Court held that Plaintiff’s FAC failed “to show identity theft or loss in continuity of healthcare of any class members – only the possibility of each.”  Id.  Under Arizona law, negligence damages require more than merely a threat of future harm, and on their own, threats of future harm are not cognizable negligence injuries.  Id. at 4-5.  Similarly, as to out-of-pocket expenses, the Court opined that Plaintiff failed to demonstrate that her expenses were necessary because she did not properly show that Defendant’s identity monitoring services were inadequate.  Id. at 5.  Finally, the Court recognized that merely alleging a diminution in value to somebody’s PII or PHI was insufficient.  Id.  Therefore, the Court dismissed Plaintiff’s negligence claims.

Turning to Plaintiff’s breach of contract claims, the Court determined that Plaintiff did not show cognizable damages, a reasonable construction for the terms of the contract, or consideration for the existence of an implied contract.  Id. at 6. The Court held that Plaintiff’s FAC allegations only reflected speculative damages and did not allege proof of real damages.  Id. at 5.  The Court opined that Plaintiff’s “vaguely pleaded” contract terms failed to show any language that would inform the terms of the agreement and Plaintiff did not point to any conduct or circumstances from which the terms could be determined.  Id. at 5-6.  Finally, the Court determined that even if Defendant had an obligation to protect the data at issue, such pre-existing obligations did not serve as consideration for a contract.  Id.  Therefore, the Court dismissed all breach of implied contract claims.  Id.

On the claim for breach of the implied covenant of good faith and fair dealing, Plaintiff argued that Defendant breached by failing to maintain adequate computer systems and data security practices, failed to timely and adequately disclose the data breach, and inadequately stored PII and PHI.  Because Plaintiff failed to show an enforceable promise, the Court held there could be no breach, and all claims for breach of the implied covenant of good faith and fair dealing were dismissed.  Id. at 6.

The Court also dismissed Plaintiff’s Fraud Act claims because Plaintiff failed to show cognizable damages.  Id. at 7.  The Court reasoned “[p]laintiff cannot simply argue that the system is inadequate because a negative result occurred.”  Id.  The Court also reasoned that Plaintiff failed to demonstrate that Defendant’s security was inadequate when compared to other companies or any set of industry standards. Id.  As to Plaintiff’s privacy claims, the Court held that there were no cognizable claims for invasion of privacy or breach of privacy, and Plaintiff did not dispute these claims in her response.  Id.

Accordingly, the Court granted Defendant’s motion to dismiss as to all claims, denied Plaintiff leave to amend her complaint, and dismissed the case with prejudice. Id.

Implications For Companies

Companies confronted with data breach lawsuits should take note that the Arizona federal court in Gannon relied heavily on inadequately pleaded allegations in considering cognizable damages for purposes of granting Defendant’s motion to dismiss. Further, from a practical standpoint, companies should carefully evaluate pleadings for insufficient or speculative assertions on damages.

Eleventh Circuit Requests Refined Class Definition For Data Breach Class Action

By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller

Duane Morris Takeaways: In Steinmetz et al. v. Brinker International, Inc., No. 21-13146, 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the Eleventh Circuit vacated the district court’s order certifying a nationwide class and California-only class in a data breach case. In so doing, it remanded the case with instructions to the district court to define the phrase “who had their data accessed by cybercriminals” and to analyze the viability of the California class.

For employers facing data breach claims in class actions, this decision is instructive in terms of what reviewing courts consider in certifying a class, especially when class definition terms or phrases are broad.

Case Background

Defendant Brinker International, Inc., owner of Chili’s restaurants, faced a cyber-attack between March and April 2018, in which customers’ credit and debit cards were compromised.  Id. at 2.  Hackers targeted Chili’s restaurant systems, stole both customer data and personally identifiable information, and posted that information on an online marketplace for stolen payment data.  Id. at 2-3.  Plaintiffs alleged that 4.5 million cards were accessed by hackers.  Id. at 3.

The three named plaintiffs – Shenika Theus, a Texas resident, Michael Franklin, a California resident, and Eric Steinmetz, a Nevada resident – alleged they used their cards at Chili’s restaurants between March and April in their respective states.  Id. at 3-4.  After their visits, Theus and Franklin had unauthorized charges on their cards requiring them to cancel their cards; Steinmetz did not experience fraudulent charges.  Id. at 3-4.

Plaintiffs moved to certify two classes, including a nationwide class and California statewide class, seeking both injunctive and monetary relief.  Id. at 4.  The district court certified the nationwide class for negligence claims and a separate California class under the state’s unfair competition laws.  Id. at 5.  Brinker appealed the district court’s class certification orders.  Id.

The Eleventh Circuit’s Decision

The Eleventh Circuit held that Plaintiffs alleged a concrete injury that was sufficient to establish Article III standing.  Id. at 10.  Plaintiffs showed both a present injury – by alleging their personal information was taken by hackers and put on the dark web – and a substantial risk of future misuse through future misuse of information associated with the hacked credit card.  Id. at 9-10.

The Eleventh Circuit, however, vacated the district court’s order and found Franklin and Steinmetz could not meet the traceability requirement for standing.  Id. at 11.  Franklin alleged two visits outside the “at-risk timeframe” when Chili’s was compromised in the data breach and therefore his injury was not fairly traceable.  Id.  Steinmetz similarly stated in responses to interrogatories and his deposition that he visited Chili’s on a date outside the affected period and could not “fairly trace” any alleged injury to Brinker’s action.  Id. at 12-13.  For these reasons, the Eleventh Circuit opined that Theus did meet traceability for standing purposes.  Id. at 13.

As to the class definitions at issue in the litigation, the Eleventh Circuit ruled that the district court’s phrase “data accessed by cybercriminals” in both class definitions was too broad and limited the class to “cases of fraudulent charges or posting of credit information on the dark web.”  Id. at 15.  The Eleventh Circuit determined that the district court could need to refine the class definition to include those two categories only and then conduct a new predominance analysis to include uninjured individuals who simply had their data accessed.  As a result of the problems with the class definition, the Eleventh Circuit remanded the case.  Id. at 15-16.  The Eleventh Circuit also remanded the case in light of Franklin’s lack of standing to determine the viability of the California-based class.  Id. at 16.

Implications For Employers

Employers confronted with class certification motions in data breach lawsuits should take note that the Eleventh Circuit relied on the broad phrase “data accessed by cybercriminals” in remanding the district court’s order.

Further, from a practical standpoint, employers should carefully evaluate a district court’s class definitions for overbroad terms or phrases when preparing an appeal.
