Sackin v. Transperfect Global, Inc.

• Decision Date: 04 October 2017
• Docket Number: 17 Civ. 1469 (LGS)
• Citation: 278 F.Supp.3d 739
• Parties: Jessie SACKIN, et al., Plaintiffs, v. TRANSPERFECT GLOBAL, INC., Defendant.
• Court: U.S. District Court — Southern District of New York

278 F.Supp.3d 739

Jessie SACKIN, et al., Plaintiffs,

v.TRANSPERFECT GLOBAL, INC., Defendant.

17 Civ. 1469 (LGS)

United States District Court, S.D. New York.

Signed October 4, 2017

Douglas Gregory Blankinship, Chantal Khalil, Jeremiah Lee Frei–Pearson, Finkelstein Blankinship, Frei–Pearson & Garber, LLP, White Plains, NY, for Plaintiffs.

Claudia Drennen McCarron, Mullen Coughlin LLC, New York, NY, Jennifer Anne Coughlin, Nelson Levine De Luca & Hamilton, Blue Bell, PA, for Defendant.

MEMORANDUM OPINION AND ORDER

LORNA G. SCHOFIELD, District Judge:

Plaintiffs filed this purported class action against TransPerfect Global, Inc. ("TransPerfect" or "Defendant") on February 27, 2017, stemming from a data breach of TransPerfect's computer systems that disclosed Plaintiffs' sensitive personally identifiable information ("PII") to hackers. TransPerfect moves to dismiss the Amended Complaint ("Complaint") pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). As discussed below, the Rule 12(b)(1) motion is denied because Plaintiff has standing to sue. The Rule 12(b)(6) motion is granted in part, dismissing only the claim of breach of express contract.

I. BACKGROUND

The following facts are drawn from the Complaint and accepted as true for the purpose of this motion. Defendant employs over 4,000 individuals. The company maintains a corporate privacy policy and security manual that describes "robust procedures designed to protect the PII with which it is entrusted." However, unlike other similarly situated companies, TransPerfect did not train employees on data security; did not erect digital firewalls and did not maintain PII retention and destruction protocols.

Defendant understood the prevalence of cyber-attacks on corporate records and appreciated the gravity of the risk posed by such attacks. High-profile corporate data breaches dominated recent headlines, and 282 breaches were publicly reported between 2014 and 2015. Defendant's own website warns clients that cyber-attacks "are neither new nor infrequent." The website cautions, "never send your credit card number, Social Security number, bank account number, driver's license number or similar details in an email," because email "is generally not secure" and is the method of communication "most vulnerable to hacking."

On or about January 17, 2017, at least one TransPerfect employee received a "phishing" email. The email appeared to come from TransPerfect's CEO, but actually was sent by unidentified cyber-criminals. The email asked for the W–2 forms and payroll information of all current and former TransPerfect employees. Because TransPerfect's cyber-security was not up to industry par, at least one TransPerfect employee sent the information to the hackers in an unencrypted format. As a result, cyber-criminals obtained Plaintiffs' names, addresses, dates of birth, Social Security numbers, direct deposit bank account numbers and routing numbers.

Hackers can use PII to obtain by fraud employment, loans, credit cards and can file tax returns. Criminals can also use PII to steal government benefits and create false identification for use in further schemes. Stolen PII is frequently bought and sold amongst various criminals on "dark markets." TransPerfect responded to the breach by offering Plaintiffs two free years of enrollment in an identity theft monitoring service. Plaintiffs purchased preventive services.

II. LEGAL STANDARDS

"A district court properly dismisses an action under Fed. R. Civ. P. 12(b)(1) for lack of subject matter jurisdiction if the court lacks the statutory or constitutional power to adjudicate it, such as when ... the plaintiff lacks constitutional standing to bring the action." Cortlandt St. Recovery Corp. v. Hellas Telecomms., S.a.r.l. , 790 F.3d 411, 416–17 (2d Cir. 2015) (internal citation omitted). The task of the district court is to determine whether the "[p]leading allege[s] facts that affirmatively and plausibly suggest that [the plaintiff] has standing to sue." Carter v. HealthPort Techs., LLC , 822 F.3d 47, 56 (2d Cir. 2016) (internal quotation marks omitted). "In resolving a motion to dismiss under Rule 12(b)(1), the district court must take all uncontroverted facts in the complaint ... as true, and draw all reasonable inferences in favor of the party asserting jurisdiction." Fountain v. Karim , 838 F.3d 129, 134 (2d Cir. 2016) (quoting Tandon v. Captain's Cove Marina of Bridgeport, Inc. , 752 F.3d 239, 243 (2d Cir. 2014) ). "The plaintiff bears the burden of alleging facts that affirmatively and plausibly suggest that it has standing to sue." Cortlandt , 790 F.3d at 417 (internal quotation marks omitted). The issue of subject matter jurisdiction is resolved before turning to the sufficiency of the Complaint. See generally Carver v. Nassau Cty. Interim Fin. Auth. , 730 F.3d 150, 156 (2d Cir. 2013) ("Normally, in cases involving the issue of Article III subject matter jurisdiction, this issue would have to be addressed first.").

To survive a motion to dismiss under Rule 12(b)(6), "a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). "Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. On a Rule 12(b)(6) motion, "all factual allegations in the complaint are accepted as true and all inferences are drawn in the plaintiff's favor." Littlejohn v. City of N.Y. , 795 F.3d 297, 306 (2d Cir. 2015).

III. DISCUSSION

A. Subject Matter Jurisdiction

The motion to dismiss for lack of subject matter jurisdiction is denied because the Complaint "affirmatively and plausibly" alleges facts sufficient to establish standing. See HealthPort Techs , 822 F.3d at 56. The Complaint alleges four injuries as a consequence of the data breach: (1) an imminent risk of future identity theft; (2) lost time and money expended to mitigate the threat of identity theft; (3) diminished value of personal information; and (4) a loss of privacy. Because the first and second alleged harms satisfy constitutional standing requirements, this opinion does not address the other two claimed injuries.

"[T]he irreducible constitutional minimum of standing contains three elements." Lujan v. Defenders of Wildlife , 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). "The plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v Robins , ––– U.S. ––––, 136 S.Ct. 1540, 1547, 194 L.Ed.2d 635 (2016) (internal quotation marks and citation omitted). Defendant challenges only the first element, arguing that the Complaint does not plead injury in fact. As explained below, this argument is incorrect.

To satisfy the injury-in-fact requirement, a plaintiff must allege "an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical." John v. Whole Foods Mkt. Grp. , 858 F.3d 732, 736 (2d Cir. 2017) (citing Spokeo , 136 S.Ct. at 1548 ). Allegations of future harm establish injury in fact as long as the future harm is "certainly impending." Clapper v. Amnesty Int'l USA , 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013). By contrast, mere "[a]llegations of possible future injury are not sufficient." Id. (internal quotation marks omitted). While "imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes ...." Id.

The harms alleged in the Complaint do not stretch imminence beyond its breaking point. The allegations that Defendant has provided Plaintiffs' names, addresses, dates of birth, Social Security numbers and bank account information directly to cyber-criminals creates a risk of identity theft sufficiently acute so as to fall comfortably into the category of "certainly impending." The most likely and obvious motivation for the hacking is to use Plaintiffs' PII nefariously or sell it to someone who would. See Remijas v. Neiman Marcus Grp. , 794 F.3d 688, 693 (7th Cir. 2015) ("Why else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities."). Circuit courts addressing this issue consistently have held that Article III does not require Plaintiffs to wait for their identities to be stolen before seeking legal recourse. See Attias v. Carefirst, Inc. , 865 F.3d 620, at 629–30 (D.C. Cir. 2017) (holding that alleged increased risk of identity theft was sufficiently imminent to establish standing after a retailer's data breach); Remijas , 794 F.3d at 695 (same); Galaria v. Nationwide Mut. Ins. , 663 Fed.Appx. 384, 388 (6th Cir. 2016) (same); Anderson v. Hannaford Bros. Co. , 659 F.3d 151, 164 (1st Cir. 2011) (same).

While the Second Circuit has yet to address the question, two recent unreported decisions suggest that it will follow the lead of its sister circuits. See Katz v. Donna Karan Co. , 872 F.3d 114, 120–21 (2d Cir. 2017) ; Whalen v. Michaels Stores, Inc. , 689 Fed.Appx. 89, 90 (2d Cir. 2017) (summary order). In Whalen , the Second Circuit concluded that the complaint failed to allege standing because the plaintiff never paid a fraudulent charge, nor did she face a plausible threat of future harm. Her "stolen credit card was promptly canceled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen." Id. Similarly, in Katz , the Second Circuit held that a "district court did not clearly...