In re GEICO Customer Data Breach Litig.

Docket Number: 21-CV-2210-KAM-SJB
Decision Date: 21 July 2023
Parties: IN RE GEICO CUSTOMER DATA BREACH LITIGATION
Court: U.S. District Court — Eastern District of New York

REPORT & RECOMMENDATION

SANKET J. BULSARA, United States Magistrate Judge.

This is a consolidated putative class action filed after third parties gained access to driver's license numbers through GEICO's online insurance sales website. The putative class is composed of consumers whose personal information (including their driver's license numbers) was allegedly exposed by GEICO, and they have raised a variety of state law claims - negligence, negligence per se, intrusion upon seclusion, and a claim under New York's General Business Law § 349 - and a violation of the federal Driver's Privacy Protection Act. GEICO has moved to dismiss the claims on a variety of grounds, and also asserts that the representative plaintiffs lack standing. (Mot. to Dismiss dated Nov. 4, 2022 (“Defs. Mot.”), Dkt. No. 73). For the reasons outlined below, the Court respectfully recommends the motion to dismiss be granted in part and denied in part.

FACTUAL BACKGROUND AND PROCEDURAL HISTORY

For the purposes of this motion, the Court is “required to treat” the Complaint's “factual allegations as true, drawing all reasonable inferences in favor of [Plaintiffs] to the extent that the inferences are plausibly supported by allegations of fact.” In re Hain Celestial Grp., Inc. Sec. Litig., 20 F.4th 131, 133 (2d Cir. 2021). The Court “therefore recite[s] the substance of the allegations as if they represented true facts, with the understanding that these are not findings of the court, as we have no way of knowing at this stage what are the true facts.” Id.

Defendants Government Employees Insurance Company, GEICO Casualty Company, GEICO Indemnity Company, and GEICO General Insurance Company (together, “GEICO”) sell private passenger automobile insurance policies. (Consolidated Class Action Compl. dated May 20, 2022 (“Compl.”), Dkt No. 61 ¶ 4). GEICO collects and stores personal information (“PI”) from prospective clients and current and former customers as part of its regular business practices, including during the quoting, application, or claims handling processes. (Id. ¶ 53). Specifically, GEICO obtains an individual's name, address, phone number, social security number, and - most relevant here - driver's license number (“DLN”). (Id.).

As part of its sales efforts, GEICO provides insurance quotes to consumers through its online sales system on its publicly accessible website. (Id. ¶ 4). Plaintiffs allege that GEICO added a feature to its online sales platform whereby an individual's DLN would auto-populate when any user “enter[ed] a bare minimum of publicly available information about that individual.” (Id. ¶ 6). That is, GEICO's quoting feature asked a visitor to the site for their name, date of birth and address; once a visitor entered that basic information - which Plaintiffs claim is easily attainable and available on public databases at no cost - the system automatically displayed DLNs which either GEICO held or were provided from third party hosts. (Id. ¶¶ 58-59). Because GEICO did not require verification that the person accessing the system was actually the individual whose information was being revealed, third parties used automated processes, or “bots,” on the instant quote feature to obtain unauthorized access to individuals' DLNs. (Compl. ¶¶ 60-61).

These DLNs are highly valuable to cybercriminals because they are long-lasting and difficult to change, and because their disclosure often goes undetected. (Id. ¶¶ 83, 89). Stolen DLNs can be used to “craft curated social engineering phishing attacks” designed to manipulate a victim. (Id. ¶¶ 85, 91). For example, a fraudster could orchestrate a scam by sending an email impersonating the DMV, requesting the person verify his/her DLN, to obtain even more private information. The additional information is then aggregated into a “fullz” profile - that is, a complete or “full” identity profile - enabling cybercriminals to commit identity theft and other types of fraud. (Id. ¶ 85 & n.16). Here, fraudsters used DLNs to make fraudulent claims for government benefits (and more specifically, unemployment benefits), open bank accounts, transfer bank funds, and make credit card charges. (Id. ¶¶ 18-24, 31, 33-34, 42-43). Plaintiffs contend that many class members “never applied for insurance with [GEICO] or were necessarily aware of GEICO's existence,” and their personal information was stored by GEICO “unbeknownst” to them. (Id. ¶¶ 60, 156).

On February 16, 2021, the New York State Department of Financial Services (“DFS”) issued an “alert regarding an ongoing systemic and aggressive campaign to engage with public-facing insurance websites - particularly those that offer instant online automobile insurance quotes - to obtain non-public information, in particular unredacted driver's license numbers.” (Compl. ¶ 71). According to the DFS, the unauthorized collection of DLNs was “part of a growing fraud campaign targeting pandemic and unemployment benefits.” (Id.). The scheme was discovered after insurers noticed an unusual number of abandoned or cancelled insurance quote applications. (Id. ¶ 72).

On April 9, 2021, GEICO notified individuals that their DLNs were compromised in a data security incident (“Data Disclosure” or “Incident”). (Id. ¶ 69). The Notice stated:

We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you - which they acquired elsewhere - to obtain unauthorized access to your driver's license number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.

(Notice of Data Breach dated Apr. 9, 2021 (“Notice”), attached as Ex. C to Defs. Mot., at 1).[1] It further advised that “[a]s soon as GEICO became aware of the issue,” it “secured the affected website” and “implemented - and continue[s] to implement - additional security enhancements to help prevent future fraud.” (Notice at 1). Recipients of the Notice were given the opportunity to enroll in a one-year subscription to an identity theft monitoring and resolution service. (Id.).

Subsequently, five overlapping proposed class action lawsuits were filed in three federal courts alleging claims arising from the Data Disclosure.[2] Four suits - Mirvis, Brody, Viscardi, and Connelly - were consolidated in this District as “In re GEICO Customer Data Breach Litigation.” (See Order dated Oct. 26, 2021, Dkt. No. 39; Order dated Nov. 9, 2021, Dkt. 21-CV-6091).

Plaintiffs Michael Viscardi, Kathleen Dorety, and William Morgan brought this suit against GEICO on their own behalf and as proposed class representatives for a class of all New York or U.S. residents whose DLN was subject to the Data Disclosure.[3] (Compl.).[4] Each Plaintiff alleges he or she received the Notice, and that his or her DLN was obtained, used, and disclosed by GEICO. (Compl. ¶¶ 15, 28, 39). They allege, in the aftermath of the Data Disclosure, cybercriminals fraudulently filed a claim for unemployment in each of their names, (id. ¶¶ 18, 31, 42), attempted to transfer Viscardi's funds into an unauthorized account, (id. ¶ 21), made fraudulent charges on Viscardi's credit cards, (id. ¶¶ 23-24), and fraudulently opened a bank account in Dorety's name. (Id. ¶ 34). As a result, Plaintiffs have spent countless hours to “monitor[] accounts” and “deal[] with the fallout of the Data Disclosure,” and suffered “actual identity theft”; incurred “time and expenses interacting with government agencies,” “scrutinizing bank statements, credit card statements, and credit reports,” and “monitoring bank accounts”; lost personal data and property, because of compromised personal information; and suffered injury to their privacy rights. (Id. ¶¶ 25-26, 36-37, 46-47).

Plaintiffs set forth six claims in the Complaint. Count I alleges a violation of the Driver's Privacy Protection Act (“DPPA”), and Count II is a negligence claim. Count III is for negligence per se, based upon alleged duties owed under Section 5 of the Federal Trade Commission Act (“FTCA”), Gramm-Leach-Bliley Act (“GLBA”), and Section 349 of New York's General Business Law (“GBL”). Count IV pleads a violation of GBL § 349, and Count V is a common law privacy claim for intrusion upon seclusion. Count VI is a claim for declaratory and injunctive relief. (Compl. ¶¶ 133-206).

GEICO moved to dismiss the Complaint for failure to allege subject matter jurisdiction and failure to state a claim, pursuant to Federal Rule of Civil Procedure 12(b)(1) and 12(b)(6).[5]

DISCUSSION

“The purpose of a motion to dismiss for failure to state a claim under Rule 12(b)(6) is to test the legal sufficiency of claims for relief.” Amadei v. Nielsen, 348 F.Supp.3d 145, 155 (E.D.N.Y. 2018) (citing Patane v. Clark, 508 F.3d 106, 112 (2d Cir. 2007)). In deciding such a motion, the Court must “construe the complaint liberally, accepting all factual allegations in the complaint as true, and drawing all reasonable inferences in the plaintiff's favor.” Palin v. N.Y. Times Co., 940 F.3d 804, 809 (2d Cir. 2019) (quotations and alteration omitted); Amadei, 348 F.Supp.3d at 155 (“[W]hen reviewing a complaint on a motion to dismiss for failure to state a claim, the court must accept as true all allegations of fact in the complaint and draw all reasonable inferences in favor of [the non-moving party].”).

Once the facts are construed in the light most favorable to the non-moving party - here, Plaintiffs - to avoid dismissal there must be sufficient facts that allege a plausible claim. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (“To survive a motion to dismiss [pursuant to Rule 12(b)(6)], a...
