Smallman v. MGM Resorts Int'l

Decision Date: 02 November 2022
Docket Number: 2:20-cv-00376-GMN-EJY
Parties: SMALLMAN et al., Plaintiffs, v. MGM Resorts International, Defendant.
Court: U.S. District Court — District of Nevada

SMALLMAN et al., Plaintiffs,
v.
MGM Resorts International, Defendant.

No. 2:20-cv-00376-GMN-EJY

United States District Court, D. Nevada

November 2, 2022


ORDER

Gloria M. Navarro, District Judge

Pending before the Court is Defendant MGM Resorts International's (“Defendant MGM's”) Motion to Dismiss, (ECF No. 103). Plaintiffs Ryan Bohlim, Duke Hwynn, Andrew Sedaghatpour, Gennady Simkin, Robert Taylor, Michael Fossett, Victor Wukovits, Kerri Shapiro, Julie Mutsko, John Dvorak, Larry Lawter, individually and on behalf of those similarly situated (collectively “Plaintiffs”) filed a Response, (ECF No. 109), and Defendant MGM filed a Reply, (ECF No. 117).

For the reasons discussed below, the Court GRANTS in part and DENIES in part Defendant MGM's Motion to Dismiss.

I. BACKGROUND

This case arises from a July 7, 2019, data breach of Defendant MGM's network in which hackers downloaded the personally identifiable information (“PII”) of Defendant MGM guests worldwide (“Data Breach”). (Consolidated Class Action Complaint (“CAC”) ¶¶ 1, 29, ECF No. 101). Plaintiffs are a consolidated class action of consumers whose PII was stolen in the Data Breach. (Id.). Specifically, hackers accessed Plaintiffs' name, address, phone number, email address, and dates of birth. (Id. ¶¶ 2, 29). Furthermore, certain Plaintiffs also had their driver's license number, passport number, and military identification number stolen. (Id.).

Plaintiffs allege that the stolen PII has been posted on the dark web for purchase on at least three separate occasions. (Id. ¶ 46). Cybersecurity journalists have observed that the PII of at least 10.6 million MGM guests are available on a dark web hacking forum. (Id. ¶ 34). In a letter to the North Dakota Attorney General on September 7, 2019, Defendant MGM noted that the hacker “posted the data on a closed internet forum with the intent to sell the information for financial gain.” (Id. ¶ 32). Plaintiffs posit that they now face a long-term heightened risk that their PII will be sold or disseminated on the dark web. (Id. 47-65).

Defendant MGM has not disclosed how the hackers were able to obtain consumers' PII. (Id. ¶ 37). However, a Defendant MGM spokesperson revealed that the Data Breach may have been caused by “unauthorized access to a cloud server.”[1] (Id.) Further, Defendant MGM disclosed to the North Dakota Attorney General that the hackers “exfiltrated data by exploiting a compromised account.” (Id. ¶ 38). Despite the Data Breach occurring on July 7, 2019, Defendant MGM did not notify affected consumers until nearly two months later, on September 7, 2019. (Id. ¶ 44). Plaintiffs allege that Defendant MGM's delayed response exacerbated the risk of harm to Plaintiffs. (Id. ¶ 45).

Plaintiffs contend that Defendant MGM failed to implement reasonable data security measures to protect their PII, maintain and monitor its server against intrusions, and retained Plaintiffs' PII for longer than necessary. (Id. ¶¶ 7, 77, 90-91). Additionally, Plaintiffs allege that Defendant MGM failed to encrypt the PII stored on its server. (Id. ¶ 38). Furthermore, Plaintiffs allege that Defendant MGM failed to adopt reasonable safety measures despite knowing that the hotel industry is frequently targeted by cyber security attacks. (Id. ¶ 77-88).

Following the Data Breach, all Plaintiffs have experienced an increase in spam and phishing phone calls, text messages, and emails. (Id. ¶¶ 10-20). Similarly, all Plaintiffs allege that they have spent a greater amount of time monitoring their financial and other accounts. (Id.). Additionally, all Plaintiffs contend that their PII is available on the dark web, and that they have been forced to expend a significant amount of time and energy resetting passwords and taking additional steps to protect their PII. (Id.). Plaintiffs posit that the value of their PII has diminished due to its dissemination. (Id. ¶¶ 5, 100). Plaintiffs further contend they have suffered “benefit of the bargain” damages because they paid MGM for services that were “intended to be accompanied by adequate data security[] but were not.” (Id. ¶ 5, 111-12).

In addition to the alleged injuries set forth above, several Plaintiffs have asserted additional harms. Specifically, multiple Plaintiffs contend that criminals have attempted to make fraudulent purchases on their accounts. (Id. ¶¶ 13-14, 16). Other Plaintiffs assert that criminals have perpetrated ransom attacks against them or attempted to sign into their personal accounts. (Id. ¶ 11, 16, 19). Several Plaintiffs have taken the additional step of purchasing security services to protect their PII. (Id. ¶¶ 12, 16, 20).

On April 4, 2021, Plaintiffs filed the present Consolidated Class Action Complaint asserting claims for: (1) negligence; (2) negligent misrepresentation; (3) breach of implied contract; (4) unjust enrichment; (5) violation of the Nevada Consumer Fraud Act, NRS § 41.600; (6) violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq.; (7) violation of the California Consumers Legal Remedies Act, Cal. Civ. Code §§ 1750, et seq.; (8) violation of the California Customer Records Act, Cal. Civ. Code §§ 1798.80, et seq.; (9) violation of the Connecticut Unfair Trade Practices Act, Conn. Gen. Stat. § 42-110a, et seq.; (10) violation of the Georgia Deceptive Trade Practices Act, Ga. Code. Ann. §§ 10-1-370, et seq.; (11) violation of New York General Business Law, N.Y. Gen. Bus. Law § 349; (12) violation of the Ohio Deceptive Trade Practices Act, Ohio Rev. Code §§ 4165.01, et seq.; (13) violation of the Oregon Unlawful Trade Practices Act, Or. Stat. §§ 646.605, et seq.; and (14) violation of the Oregon Consumer Information Protection Act, Or. Stat. §§ 646A.600, et seq. (Id. ¶¶ 143-340).

On June 1, 2021, Defendant MGM filed the present Motion to Dismiss. (See generally MTD, ECF No. 103).

II. LEGAL STANDARD

Dismissal is appropriate under Rule 12(b)(6) where a pleader fails to state a claim upon which relief can be granted. Fed.R.Civ.P. 12(b)(6); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). A pleading must give fair notice of a legally cognizable claim and the grounds on which it rests, and although a court must take all factual allegations as true, legal conclusions couched as factual allegations are insufficient. Twombly, 550 U.S. at 555. Accordingly, Rule 12(b)(6) requires “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Id. “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. This standard “asks for more than a sheer possibility that a defendant has acted unlawfully.” Id.

“Generally, a district court may not consider any material beyond the pleadings in ruling on a Rule 12(b)(6) motion.” Hal Roach Studios, Inc. v. Richard Feiner & Co., 896 F.2d 1542, 1555 n.19 (9th Cir. 1990). “However, material which is properly submitted as part of the complaint may be considered.” Id. Similarly, “documents whose contents are alleged in a complaint and whose authenticity no party questions, but which are not physically attached to the pleading, may be considered in ruling on a Rule 12(b)(6) motion to dismiss.” Branch v. Tunnell, 14 F.3d 449, 454 (9th Cir. 1994). On a motion to dismiss, a court may also take judicial notice of “matters of public record.” Mack v. S. Bay Beer Distrib., 798 F.2d 1279, 1282 (9th Cir. 1986). Otherwise, if a court considers materials outside of the pleadings, the motion to dismiss is converted into a motion for summary judgment. Fed.R.Civ.P. 12(d).

If the court grants a motion to dismiss for failure to state a claim, leave to amend should be granted unless it is clear that the deficiencies of the complaint cannot be cured by amendment. DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992). Pursuant to Rule 15(a), the court should “freely” give leave to amend “when justice so requires,” and in the absence of a reason such as “undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, futility of the amendment, etc.” Foman v. Davis, 371 U.S. 178, 182 (1962).

III. DISCUSSION

Defendant MGM moves to dismiss all of Plaintiffs' common law[2] and statutory claims. The Court will first examine Plaintiffs' negligence claim.

A. NEGLIGENCE

Defendant MGM argues that Plaintiffs' negligence claim cannot survive the economic loss doctrine. (MTD 28:23-24). Alternatively, Defendant MGM contends that Plaintiffs have failed to allege that Defendant MGM breached a legal duty or suffered cognizable damages. (Id. 29:10-17). In rebuttal, Plaintiffs assert that their negligence claim survives the economic loss doctrine because they allege both economic and non-economic losses. (Resp. 27:8-29:16, ECF No. 109). Additionally, Plaintiffs argue that they sufficiently alleged Defendant MGM's deviation from industry standard data security procedure. (Id. 30:16-19). The Court will first examine whether Plaintiffs' negligence claim is barred by the economic loss doctrine.

1. Economic Loss Doctrine

Here, Plaintiffs assert the economic loss doctrine does not apply because they allege non-economic harms in the form of diminished value to their PII and intangible damage to their privacy caused by the Data Breach. (Resp. 27:18-27).

The Nevada Supreme Court has “applied the economic loss doctrine in product liability cases, as well as in negligence...
