Attias v. Carefirst, Inc., Case No. 15-cv-00882 (CRC)

• Decision Date: 30 January 2019
• Docket Number: Case No. 15-cv-00882 (CRC)
• Parties: Chantal ATTIAS, et al., Plaintiffs, v. CAREFIRST, INC., et al., Defendants.
• Court: U.S. District Court — District of Columbia

365 F.Supp.3d 1

Chantal ATTIAS, et al., Plaintiffs,

v.CAREFIRST, INC., et al., Defendants.

Case No. 15-cv-00882 (CRC)

United States District Court, District of Columbia.

Signed January 30, 2019

Christopher T. Nace, Matthew Andrew Nace, Paulson & Nace, PLLC, Jonathan B. Nace, Nidel & Nace, PLLC, Washington, DC, Matthew W. Stonestreet, Pro Hac Vice, Troy Nino Alexander Giatras, Giatras Law Firm, PLLC, Charleston, WV, for Plaintiffs.

Matthew O. Gatewood, Eversheds Sutherland (US) LLP, Washington, DC, Robert D. Owen, Sutherland Asbil & Brennan, LLP, New York, NY, Kristine M. Maher, Graydon, Head & Ritchey, LLP, Cincinnati, OH, for Defendants.

MEMORANDUM OPINION

CHRISTOPHER R. COOPER, United States District Judge

I. Background...6

II. Standard of Review...7

III. Jurisdiction...7

IV. Analysis...8

A. Whether plaintiffs have adequately alleged damages for nine of their eleven claims...9

1. Plaintiffs must allege actual damages for nine of their causes of action...9

2. Four theories of actual damages...11

B. Whether the parties' contractual relationship bars plaintiffs' tort claims...17

C. Whether plaintiffs have pled in the alternative an unjust enrichment claim...25

D. Whether plaintiffs have alleged an unlawful trade practice under the D.C. Consumer Protection Procedures Act...25

E. Whether insurance companies are exempt from civil liability for data breaches under the Maryland Consumer Protection Act...26

V. Conclusion...27

In May 2015, the District of Columbia-area health insurer CareFirst announced that it had suffered a data breach that compromised the personal information of millions of its policyholders. Plaintiffs in this putative class action are among those whose data was accessed. They seek compensation for the breach through both tort- and contract-based claims under District of Columbia law, as well as statutory claims under several D.C., Maryland, and Virginia consumer-protection laws.

Common to all of plaintiffs' claims is the assertion that they have been injured by CareFirst's failure to protect their personal information from exposure. The alleged injuries do not, for the most part, involve actual misuse of their personal information. Plaintiffs instead claim that the data breach resulted in an increased risk of identity theft and the need for prophylactic expenditures—on credit monitoring services and the like—to reduce that risk. They also contend that CareFirst's failure to protect their personal information resulted in a contractual injury because they did not receive the full value of the policies they purchased. And they say they have suffered emotional distress in dealing with the breach.

The Court previously dismissed plaintiffs' claims for lack of Article III standing, finding that they had failed to allege a non-speculative injury-in-fact. The D.C. Circuit reversed and remanded. CareFirst now moves to dismiss the operative second amended complaint under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim.

The Court will grant the motion in large part. After briefly recounting the factual and procedural background, the Court will begin by confirming that it has diversity jurisdiction over the case pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d). It will then explain its conclusion that, while plaintiffs' alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the "actual damages" element of nine of their state-law causes of action. The Court will then move to the interplay between plaintiffs' tort and contract claims, finding that the parties' non-fiduciary contractual relationship independently forecloses tort liability based on the allegations in the complaint. Finally, the Court will address issues specific to plaintiffs' unjust enrichment claim and their claims under the District of Columbia Consumer Protection Procedures Act and the Maryland Consumer Protection Act.

At the end of the day, the Court will dismiss all of plaintiffs' claims except for a breach of contract claim and a Maryland Consumer Protection Act claim brought by the only two plaintiffs (Kurt and Connie Tringler of Maryland) who have plausibly alleged actual misuse of personal information resulting from the data breach. In reaching this outcome, the Court acknowledges the difficulty of applying traditional tort and contract principles in the contemporary context of data security. It also recognizes that courts across the country have divided on a number of important legal issues that frequently arise in data breach litigation. The Court has attempted to illuminate some of these divisions in this opinion.

I. Background

Seven plaintiffs bring this putative class action against CareFirst and certain of its affiliates doing business in the District of Columbia, Maryland, and Virginia. Second Am. Class Action Compl. ("SAC"), ECF No. 9.¹ CareFirst operates a group of health insurance companies providing coverage to more than one million individuals in the District of Columbia, Maryland, and Virginia. Id. ¶¶ 5–8, 23. Plaintiffs are residents of the District of Columbia, Maryland, and Virginia, and customers and insureds of CareFirst. Id. ¶¶ 1–4, 25. When customers purchase health insurance through CareFirst, they provide the company certain personal information, including their names, credit card numbers, addresses, and social security numbers. Id. ¶¶ 26–27. CareFirst promises, explicitly or implicitly, to keep this information protected. Id. ¶¶ 28–29. CareFirst allegedly failed to properly encrypt some of the data entrusted to its care, id. ¶ 31, and in June 2014, CareFirst suffered a cyberattack, id. ¶ 33. It learned of the attack in April 2015 and notified its customers, including plaintiffs, the following month. Id. ¶¶ 35–36.

Plaintiffs initiated this action shortly after learning of the data breach and filed the operative second amended complaint in July 2015. They bring eleven claims: breach of contract (Count I), negligence (Count II), violation of the District of Columbia Consumer Protection Procedures Act (Count III), violation of the District of Columbia Data Breach Notification Statute (Count IV), violation of the Maryland Consumer Protection Act (Count V), violation of the Virginia Consumer Protection Act (Count VI), fraud (Count VII), negligence per se (Count VIII), unjust enrichment (Count IX), breach of the duty of confidentiality (Count X), and constructive fraud (Count XI). They allege that they "have suffered economic and non-economic loss in the form of mental and emotional pain and suffering and aguish [sic] as a result of Defendants' failures" to secure plaintiffs' confidential information. SAC ¶ 38. The Tringlers specifically allege that they have experienced "tax-refund fraud" as a result of the data breach. Id. ¶ 57. And all plaintiffs allege that they "face years of constant surveillance of their financial and personal records, monitoring, and loss of rights." Id. ¶ 56.

CareFirst moved to dismiss the complaint for lack of subject matter jurisdiction under Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6). The Court granted the 12(b)(1) motion on the ground that plaintiffs had not identified an "actual or imminent" injury as is necessary to satisfy the injury-in-fact requirement of constitutional standing. In so doing, the Court observed that most of the plaintiffs had not alleged that their personal information had actually been misused in any way. Nor had they explained how the information taken (which CareFirst averred did not include financial information or social security numbers) could readily be used to assume their identities. Based on these factors, the Court adopted the principle that most other courts have followed in similar cases, including a Maryland federal class action brought by another set of CareFirst customers stemming from the same breach: "Absent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one's personal information stolen in a data breach is insufficient to establish standing to sue the entity from wh[ich] the information was taken." Attias v. CareFirst, Inc., 199 F.Supp.3d 193, 197 (D.D.C. 2016). The Court further held that plaintiffs' other asserted injuries were also insufficient to meet the injury-in-fact requirement of standing. Those harms included (1) expenditures on credit-monitoring services to prevent future identity theft; (2) some indeterminate overpayment for their insurance coverage; (3) loss of the intrinsic value of the stolen personal information; and (4) violation of their statutory rights under various consumer protection laws. Id. at 202–03.

The D.C. Circuit reversed and remanded, finding that plaintiffs had plausibly alleged a substantial risk of identity theft flowing from the data breach, which was enough to meet "the light burden of proof the plaintiffs bear at the pleading stage" of the case. Attias v. CareFirst, Inc., 865 F.3d 620, 627–28 (D.C. Cir. 2017). The Circuit declined to reach CareFirst's alternative argument that plaintiffs had failed to state a claim under Rule 12(b)(6). Id. at 629–30. It did so because this Court had reserved judgment on a second threshold jurisdictional question—whether diversity jurisdiction exists under the Class Action Fairness Act, 28 U.S.C. § 1332(d) —which the Circuit could not answer on the record before it. Attias, 865 F.3d at 629–30.

Venturing once more into the breach, CareFirst has now renewed its 12(b)(6) motion before this Court. Mem. in Supp. of Defs.' Mot. to Dismiss ("MTD"), ECF No. 44-1. Plaintiffs oppose the motion. Pls.' Opp'n to MTD ("Opp'n"), ECF No. 45. The Court held a hearing on November 5, 2018, and the motion is now ripe for resolution.

II. Standard of Review

In analyzing a motion to dismiss under Rule 12(b)(6), the Court must determine whether the complaint "contain[s] sufficient factual matter, accepted as true, to ‘state a claim...