Toretto v. Donnelley Fin. Solutions, Inc.

• Decision Date: 04 February 2022
• Docket Number: 1:20-cv-2667-GHW
• Citation: 583 F.Supp.3d 570
• Parties: Phillip TORETTO, Daniel C. King, and Sheri Braun, individually and on behalf of others similarly situated, Plaintiffs, v. DONNELLEY FINANCIAL SOLUTIONS, INC. and Mediant Communications, Inc., Defendants.
• Court: U.S. District Court — Southern District of New York

583 F.Supp.3d 570

Phillip TORETTO, Daniel C. King, and Sheri Braun, individually and on behalf of others similarly situated, Plaintiffs,
v.
DONNELLEY FINANCIAL SOLUTIONS, INC. and Mediant Communications, Inc., Defendants.

1:20-cv-2667-GHW

United States District Court, S.D. New York.

Signed February 4, 2022

583 F.Supp.3d 580

Carrie Ann Laliberte, May Potenza Baran & Gillespie, PC, Phoenix, AZ, Elaine A. Ryan, Auer Ryan, PC, Maricopa, AZ, John Austin Moore, Lindsay Todd Perkins, Norman E. Siegel, Stueve Siegel Hanson LLP, Kansas City, MO, Patricia N. Syverson, Bonnett Fairbourn Friedman & Balint, San Diego, CA, Ryan McGee, John A. Yanchunis, Morgan & Morgan Complex Litigation Group, Tampa, FL, Amanda Peterson, Lerner, Arnold & Winston, LLP, New York, NY, for Plaintiffs Phillip Toretto, Daniel C. King.

Carrie Ann Laliberte, May Potenza Baran & Gillespie, PC, Phoenix, AZ, Elaine A. Ryan, Auer Ryan, PC, Maricopa, AZ, John Austin Moore, Lindsay Todd Perkins, Norman E. Siegel, Stueve Siegel Hanson LLP, Kansas City, MO, Patricia N. Syverson, Bonnett Fairbourn Friedman & Balint, San Diego, CA, for Plaintiff Sheri Braun.

David T. Cohen, Orrick, Herrington & Sutcliffe LLP, New York, NY, Douglas H. Meal, Orrick, Herrington & Sutcliffe LLP, Boston, MA, Michelle L. Visser, Orrick, Herrington & Sutcliffe LLP, San Francisco, CA, for Defendant Donnelley Financial Solutions, Inc.

Casie D. Collignon, Matthew C. Baisley, Baker & Hostetler LLP, Denver, CO, Douglas H. Meal, Orrick, Herrington & Sutcliffe LLP, Boston, MA, for Defendant Mediant Communications, Inc.

MEMORANDUM OPINION AND ORDER

GREGORY H. WOODS, United States District Judge:

Plaintiffs bring this putative class action against Defendants Donnelley Financial

583 F.Supp.3d 581

Solutions, Inc. ("Donnelley") and Mediant Communications, Inc. ("Mediant"), alleging claims for negligence, negligence per se , breach of contracts to which Plaintiffs are third-party beneficiaries, unjust enrichment, violation of the California Customer Records Act (the "CRA"), violation of the California Unfair Competition Law (the "UCL"), violation of the Florida Deceptive and Unfair Trade Practices Act (the "FDUTPA"), and declaratory judgment. Plaintiffs’ claims stem from a data breach of one of Mediant's email servers, in which hackers stole the personal information of over 200,000 individuals. Mediant obtained Plaintiffs’ personal information while working with Donnelley to provide proxy services to public companies and mutual funds in which Plaintiffs had invested. Defendants moved to dismiss Plaintiffs’ complaint. Because Plaintiffs plausibly allege that Mediant breached its duty to exercise reasonable care safeguarding Plaintiffs’ personal information, Plaintiffs’ negligence and declaratory judgment claims against Mediant can proceed. However, Mediant's motion to dismiss is granted as to the remainder of Plaintiffs’ claims and Donnelley's motion to dismiss is granted in full.

I. BACKGROUND

A. Facts¹

1. The Hack

On April 1, 2019, hackers gained unauthorized access to Mediant's business email accounts. Second Amended Complaint (the "SAC"), Dkt. No. 57, ¶ 16. The hackers stole the personal information of a number of individuals, including the named Plaintiffs in this case. Id. ¶¶ 6–8, 29–30, 36–38, 42–43. Mediant had received the personal information as part of its business providing investor communication services to financial institutions. Id. ¶ 20. Mediant discovered the hack the day of the intrusion, and promptly disconnected the affected server from its system. Id. ¶ 16. Mediant began an investigation into the breach, but the company did not immediately notify the impacted customers. Id. It was not until the end of May 2019, nearly two months after the breach, that Mediant notified the affected customers. Id. ¶ 17. The breach was truly massive: notices went out to "over 200,000 individuals in all fifty states and the District of Columbia and Puerto Rico." Id.

Plaintiffs allege that the hack was enabled by Mediant's poor network security. "The criminal hackers would not have been able to gain access to four email accounts simultaneously but for Mediant maintaining deficient controls to prevent and monitor for unauthorized access." Id. ¶ 23. And Mediant did not encrypt personal information stored in the company's system. Id. ¶ 18. Plaintiffs also allege that Mediant failed to adequately notify its customers regarding the breach. Id. ¶¶ 26–27.

2. The "Partnership"

Donnelley and Mediant work together to provide proxy services. Id. ¶ 15. Donnelley describes itself as "a leader in risk and compliance solutions, providing insightful technology, industry expertise and data insights to clients across the globe." Id. ¶ 13. Donnelley offers a broad range of products and services, including in technology, initial public offerings, mergers and acquisitions, proxy services, and other global filings. Id. Mediant "holds itself out as a leader in investor communications, offering ‘game-changing new technologies for

583 F.Supp.3d 582

banks, brokers, fund companies, and issuers.’ " Id. ¶ 14. Together, the pair describe themselves as "the perfect partnership to power [their clients’] fund proxies." Id. ¶ 15. Defendants’ marketing materials describe the pair as the "industry's only single-source solution for start-to-finish fund proxy services." Id. Mediant received the personal information of the named Plaintiffs in this case through its working relationship with Donnelley. Id. ¶¶ 30, 37, 43.

Partially in reliance on Donnelley and Mediant's description of themselves as a partnership, the SAC alleges that the pair formed a legal partnership and refers to them collectively as the "Partnership." The SAC alleges that Donnelley "had equal rights in the management and conduct of the Partnership." Id. ¶ 26. It also states that Donnelley had the "right as a partner in the Partnership" to "exercise appropriate managerial oversight of Mediant's data security." Id.

The SAC alleges that the companies and investment funds that used the pair's services hired Donnelley and Mediant together—not just one or the other, but instead, the touted "perfect partnership." Id. ¶ 1. The SAC alleges that "[p]ublic companies and mutual funds hire Donnelley and Mediant as their proxy agent to distribute materials to shareholders, coordinate shareholder votes, and tabulate voting results." Id. The allegation is that the pair are hired jointly as the singular "proxy agent" for the companies and funds. Id.

Donnelley is alleged to be liable for the security breach at Mediant for two reasons. First, Plaintiffs assert that Donnelley is vicariously liable for the hack at Mediant and its consequences because the pair were partners. Id. ¶ 130 ("[B]y entering into a partnership with Mediant for the provision of proxy services, Donnelley is vicariously liable for Mediant's failures as alleged herein."); see also id. ¶¶ 4, 26, 130. The SAC attributes many of the asserted deficiencies that led to the breach, and in the response to the breach, to the "Partnership."

Second, Plaintiffs assert that Donnelley was directly liable for Plaintiffs’ injuries because of its alleged "failure to exercise appropriate managerial oversight of Mediant's data security." Id. ¶¶ 4, 26. Donnelley is alleged to have failed "to ensure its agent and partner Mediant implemented security systems, protocols and practices sufficient to protect Plaintiffs’ and Class Members’ Personal Information" and failed "to supervise its agent and partner Mediant regarding Mediant's data security systems, protocols and practices when it knew or should have known those systems, protocols and practices were inadequate." Id. ¶ 129. Donnelley is also alleged to have been directly liable as a result of its conduct after the breach because it failed "to timely disclose that Plaintiffs’ and Class Members’ Personal Information had been improperly acquired or accessed." Id. Donnelley is also alleged to have violated contracts of which Plaintiffs were third party beneficiaries. Id. ¶¶ 145–49.

3. Plaintiffs’ Claims to be Third Party Beneficiaries of Donnelley and Mediant's Contracts with Their Customers

Plaintiffs assert that they are third party beneficiaries of contracts entered into between Donnelley and its customers—the funds and companies to whom it provides proxy and other financial services. Donnelley "entered into contracts with public companies and mutual funds to provide and perform proxy services." Id. ¶ 145. The personal information of each of the named Plaintiffs was stolen as a result of their investment in identified funds. In the case of each named Plaintiff, the relevant fund had entered into a direct contractual relationship with Donnelley for the provision

583 F.Supp.3d 583

of proxy services. See, e.g. , id. ¶ 30 ("Donnelley had the direct contractual relationship with Blackstone Real Estate Income Trust, Inc. or its agents for the performance of the Partnership's proxy services."); see also id. ¶¶ 37, 43 (alleging the same with respect to funds in which the other named Plaintiffs invested). The SAC also alleges that "[i]n some instances, acting in the ordinary course of the Partnership, Mediant also directly contracted with public companies and mutual funds to provide and perform proxy services." Id. ¶ 145.

The SAC alleges that Donnelley acted "in the ordinary course of the business of the Partnership" when it entered into contracts with customers to provide proxy services. Id. As a result of Donnelley's agreement with the funds in which the named Plaintiffs invested, Mediant was provided their personal data, which was later stolen in the hack.

Plaintiffs allege "[o]n information and belief" that "each of those respective contracts contained provisions requiring Donnelley and/or Mediant to protect the investor information that Donnelley and/or Mediant received in order to provide such proxy services in carrying out the business of the Partnership." Id. ¶ 146. Also "[o]n information and belief" Plaintiffs...