Hapka v. CareCentrix, Inc.
Filing
31
MEMORANDUM AND ORDER denying 10 Motion to Dismiss. Signed by District Judge Carlos Murguia on 12/19/2016. (ydm)
<![CDATA[
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF KANSAS
SARAH HAPKA,
individually and on behalf of all others
similarly situated,
Plaintiff,
v.
CARECENTRIX, INC.,
Defendant.
)
)
)
)
)
)
)
)
)
)
)
)
)
Case No. 16-2372-CM
MEMORANDUM AND ORDER
Plaintiff Sarah Hapka brings this putative class action, claiming that defendant CareCentrix,
Inc. negligently permitted a data breach of around two thousand former and current employees’
personal information. Plaintiff claims that shortly after the data breach, someone filed a fraudulent tax
return in her name. She seeks to hold defendant responsible for her damages because she believes that
defendant failed to implement adequate and reasonable cyber-security procedures. This matter is
before the court on defendant’s motion to dismiss (Doc. 10). Defendant moves to dismiss plaintiff’s
complaint under Federal Rule of Civil Procedure 12(b)(1) because plaintiff lacks Article III standing,
and under 12(b)(6) because plaintiff fails to state a claim upon which relief can be granted. For the
following reasons, the court denies defendant’s motion.
I.
Factual Background
Plaintiff, individually and on behalf of all others similarly situated, alleges a claim for common
law negligence. Plaintiff claims that on February 24, 2016, an unauthorized person posed as one of
defendant’s employees and emailed a request for current and former employees’ 2015 Internal Revenue
Service (“IRS”) Wage and Tax Statements (“W-2 Forms”). One of defendant’s employees complied with
-1-
the request. These forms included information such as names, addresses, birth dates, wages, and Social
Security numbers. Plaintiff alleges that the data breach compromised her own information, as well as that
of up to two thousand people.
Defendant notified plaintiff of the data breach on March 27, 2016. On April 18, 2016, plaintiff
received a letter from the IRS indicating that someone had filed a fraudulent tax return in plaintiff’s name.
Plaintiff claims that since April 18, 2016, she has “spent multiple hours on telephone conferences
with IRS representatives,” experienced delay, expended “costs related to postage and mileage in countering
the tax fraud,” and “will continue to be at heightened risk for tax fraud and identity theft.” (Doc. 1 at 10–
11.) She also claims that she faces a continuing, real, immediate risk of identity theft and tax fraud.
II.
Legal Standards
Defendant moves to dismiss plaintiff’s complaint under both Fed. R. Civ. P. 12(b)(1) and
12(b)(6). Dismissal pursuant to Rule 12(b)(1) is appropriate when the court lacks subject matter
jurisdiction over a claim for relief. The party asserting jurisdiction has the burden of establishing
subject matter jurisdiction. Port City Props. v. Union Pac. R.R. Co., 518 F.3d 1186, 1189 (10th Cir.
2008). A motion under this rule attacks the existence of jurisdiction rather than the allegations of the
complaint and, therefore, dismissal under this rule is not a judgment on the merits of the claims.
Brereton v. Bountiful City Corp., 434 F.3d 1213, 1218 (10th Cir. 2006).
Fed. R. Civ. P. 12(b)(6) governs motions to dismiss for failure to state a claim for which relief
can be granted. To survive a Rule 12(b)(6) motion, a complaint must present “enough facts to state a
claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). In
reviewing the motion, the court assumes all well-pleaded factual allegations are true and views the
facts in the light most favorable to the nonmoving party. Smith v. United States, 561 F.3d 1090, 1098
(10th Cir. 2009). “A claim has facial plausibility when the plaintiff pleads factual content that allows
the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.”
-2-
Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Ultimately, the issue is “not whether the plaintiff will
prevail, but whether the plaintiff is entitled to offer evidence to support [the plaintiff’s] claims.”
Beedle v. Wilson, 422 F.3d 1059, 1063 (10th Cir. 2005).
III.
Analysis
A.
Standing and Rule 12(b)(1)
Defendant first argues that plaintiff lacks standing to bring her negligence claim. Under Article
III of the United States Constitution, the jurisdiction of federal courts is limited to actual cases or
controversies. Summers v. Earth Island Inst., 555 U.S. 488, 492–93 (2009); Dias v. City & Cnty. of
Denver, 567 F.3d 1169, 1176 (10th Cir. 2009). A party seeking relief in federal court must have
standing to sue. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). To have standing, a
plaintiff bears the burden of showing that (1) she suffered an injury in fact that is (a) concrete and
particularized and (b) actual and imminent—not merely conjectural or hypothetical; (2) the injury is
fairly traceable to the defendant’s conduct; and (3) a favorable decision is likely to redress her alleged
injuries. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–81 (2000)
(citing Lujan, 504 U.S. at 560–61). “[S]tanding is not dispensed in gross.” Lewis v. Casey, 518 U.S.
343, 358 n.6 (1996). Rather, “a plaintiff must demonstrate standing for each claim [s]he seeks to
press” and “‘for each form of relief’” that she seeks. DaimlerChrysler Corp. v. Cuno, 547 U.S. 332,
352 (2006) (citation omitted); see also Davis v. Fed. Election Comm’n, 554 U.S. 724, 733–34 (2008).
To analyze standing, the court considers the facts existing at the time plaintiff filed the complaint.
Tandy v. City of Wichita, 380 F.3d 1277, 1283–84 (10th Cir. 2004).
-3-
1.
Injury in Fact
The first question the court addresses is whether plaintiff has shown that she suffered an injury
in fact. “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a
legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural
or hypothetical.’” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016) (quoting Lujan, 504 U.S. at
560). The threatened injury must be “certainly impending”—not merely speculative. Clapper v.
Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013); Tandy, 380 F.3d at 1283. At times, the Supreme
Court has found standing based on a “‘substantial risk’ that the harm will occur, which may prompt
plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper, 133 S. Ct. at 1150 n.5
(citations omitted). “A claimed injury that is contingent upon speculation or conjecture is beyond the
bounds of a federal court’s jurisdiction.” Tandy, 380 F.3d at 1283–84 (citing Whitmore v. Arkansas,
495 U.S. 149, 158 (1990)).
There is one key fact in this case: plaintiff’s personal information has been fraudulently used to
file a false tax return. Plaintiff has therefore suffered some form of actual, concrete injury. Defendant
concedes this fact, although it maintains that any such injury is de minimus. But defendant asks the
court to consider plaintiff’s other allegations of injury separately, distinct from the tax fraud.
Defendant argues that plaintiff’s other allegations of injury are too speculative to provide plaintiff with
standing to pursue her claims based on those injuries. Specifically, defendant targets plaintiff’s claims
for the following injuries:
The imminent and certain impending injury flowing from fraud and identity theft posed
by their personal information being placed in the hands of hackers; . . . [d]amages to
and diminution in value of their personal information entrusted to CareCentrix for
purpose of maintaining employment; and . . . [c]ontinued risk to affected individuals’
personal information, which remains in the possession of CareCentrix and which is
subject to further breaches so long as CareCentrix fails to undertake appropriate and
adequate measures to protect the personal information that affected individuals
entrusted to CareCentrix.
-4-
(Doc. 1 at 15–16.)
The problem with defendant’s approach is that defendant wants the court to look at each of
plaintiff’s alleged injuries in a vacuum. While standing is an individualized inquiry, DaimlerChrysler
Corp., 547 U.S. at 352, the allegation that plaintiff is the victim of tax fraud impacts plaintiff’s other
allegations of injury. The fact that her stolen information has been used once has a direct impact on
the plausibility of future harm. The court therefore considers plaintiff’s allegations of future harm in
light of her allegations that her personal information was used for tax fraud shortly after the data
breach.
As noted by the parties, in dealing with similar “loss of data” cases, federal courts have split on
the issue of whether an alleged increased risk of identity theft and fraud is an injury in fact sufficient to
support standing. Courts have discussed this issue at length, and this court will not repeat that
discussion here. For ease of reference, however, the court cites below a number of the cases it has
reviewed in evaluating whether plaintiff has shown injury in fact.
First, the cases finding no injury in fact: Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir.
2011) (affirming dismissal for lack of standing based on an increased risk of harm when
unaccompanied by misuse of the information); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 958–59
(D. Nev. 2015) (finding no injury in fact for future threat of fraud when over three years had passed
since data breach with no reports of fraud); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape
Data Theft Litig., 45 F. Supp. 3d 14, 26–27 (D.D.C. 2014) (finding no standing based on an increased
risk of harm alone); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1052–53 (E.D. Mo.
2009) (finding no standing when the plaintiff was unsure whether his own personal information had
been stolen); Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 8 (D.D.C. 2007)
(“Plaintiffs’ allegation that they have incurred or will incur costs in an attempt to protect themselves
-5-
against their alleged increased risk of identity theft fails to demonstrate an injury that is sufficiently
“concrete and particularized” and “actual or imminent.”) (citation omitted); Key v. DSW, Inc., 454 F.
Supp. 2d 684, 690 (S.D. Ohio 2006) (finding no injury in fact when the plaintiff alleged only that she
was “subjected to a substantial increased risk of identity theft or other related financial crimes”).
Next, the cases finding injury in fact: Galaria v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387,
2016 WL 4728027, at *2–*4 (6th Cir. Sep. 12, 2016) (finding injury in fact based on a “sufficiently
substantial risk of harm that incurring mitigation costs is reasonable”); Lewert v. P.F. Chang’s China
Bistro, Inc., 819 F.3d 963, 966–67 (7th Cir. 2016) (finding injury in fact based on “the increased risk
of fraudulent charges and identity theft they face because their data has already been stolen”); Remijas
v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694–95 (7th Cir. 2015) (“At this stage in the litigation, it
is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus
data breach. Why else would hackers break into a store’s database and steal consumers’ private
information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or
assume those consumers’ identities.”); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir.
2010) (finding standing); McLoughlin v. People’s United Bank, Inc., No. 08-cv-00944 (VLB), 2009
WL 2843269, at *4 (D. Conn. Aug. 31, 2009) (same); Caudle v. Towers, Perrin, Forster & Crosby,
Inc., 580 F. Supp. 2d 273, 280 (S.D.N.Y. 2008) (same); see also In re Zappos.com, Inc., MAL No.
2357, 2016 WL 2637810, at *4 (D. Nev. May 6, 2016) (holding that plaintiffs’ allegations of “use of
their credit, harm to their credit, lost time spent closing fraudulent accounts, and lost funds and
business due to fraudulent charges” conferred standing); SAIC, 45 F. Supp. 3d at 25 (“A handful of
Plaintiffs claims that they have suffered actual identity theft, and those Plaintiffs have clearly suffered
an injury.”).
-6-
The court has reviewed these cases and others at length. Because plaintiff has alleged that she
is a victim of tax fraud, the cases addressing only potential future harm are inapposite. Instead, the
court follows the cases finding that plaintiffs had standing when they suffered from an incident of
identity theft after a data breach. Plaintiff has standing to bring her claim for negligence. Ultimately,
she may not be able to recover for some of her alleged injuries, but that fact does not impact her
standing to proceed with her negligence claim at this point.
2.
Fairly Traceable
From a standing perspective, defendant also challenges whether plaintiff’s alleged injuries are
traceable to defendant’s actions. “[T]he traceability component of the standing test contemplates a
causal relationship between the injury and the defendants’ challenged acts.” United States v. Ramos,
695 F.3d 1035, 1046 (10th Cir. 2012). A full showing of proximate cause, however, is not necessary.
Id. (citation omitted).
Here, plaintiff relies heavily on the timing of the fraudulent tax return. It was filed less than
two months after the data breach. The return included the use of plaintiff’s name, wages, and Social
Security number—all of which were included in the information that was stolen in the data breach.
Plaintiff has met her burden of showing traceability.
3.
Redressability
Redressability merits no more discussion than traceability in this case. “To satisfy the
redressability prong of the standing test, the plaintiff must demonstrate that a substantial likelihood
exists that the relief requested will redress the injury claimed.” Ash Creek Min. Co. v. Lujan, 969 F.2d
868, 875 (10th Cir. 1992). Plaintiff has alleged that monetary damages will compensate her for her
injuries, and no more is required at this stage.
-7-
4.
Class Allegations: Commonality and Typicality
Defendant next argues that plaintiff cannot proceed with her negligence claim because her
claim is not common with or typical of the claims of the putative class. This is an argument better left
for a class certification motion. At this stage of the litigation, plaintiff need only allege facts that show
she has standing to pursue her own claim.
5.
Ripeness
Similar to its argument about plaintiff’s failure to allege injury in fact, defendant also argues
that plaintiff’s claim is not ripe. For the same reasons the court finds that plaintiff has satisfied the
injury-in-fact requirement, defendant’s ripeness defense does not bar plaintiff’s claim.
6.
Amount in Controversy
Finally, defendant’s last 12(b)(1) argument is that the court lacks subject matter jurisdiction
because plaintiff failed to allege the requisite amount in controversy. The Class Action Fairness Act
(“CAFA”) requires that the amount in controversy exceed $5,000,000 for federal jurisdiction. 28
U.S.C. § 1332(d). This amount represents the aggregated claims of all putative class members. Id.
Moreover, the court accepts the plaintiff’s amount-in-controversy allegation if it is made in good faith.
Dart Cherokee Basin Operating Co., LLC v. Owens, 135 S. Ct. 547, 553 (2014). To dismiss for lack
of jurisdiction on this basis, “[i]t must appear to a legal certainty that the claim is really for less than
the jurisdictional amount to justify dismissal.” St. Paul Mercury Indem. Co. v. Red Cab Co., 303 U.S.
283, 288 (1938).
Plaintiff has sufficiently alleged the requisite amount in controversy. Plaintiff alleges that the
putative class may include two thousand members. She has alleged both past and future injuries for
herself, and it is plausible that in aggregation, the value of those injuries exceeds $5,000,000. At this
time, the court will not dismiss the case on this basis.
-8-
B.
Plausibility and Rule 12(b)(6)
Defendant next challenges whether plaintiff has adequately pleaded the elements of a
negligence claim.
1.
Duty
First, the court considers whether defendant had a duty to plaintiff. Plaintiff alleges that
defendant “owed a duty to Plaintiff and the Class to exercise reasonable care in obtaining, securing,
safeguarding, deleting and protecting Plaintiff and Class members’ personal and tax information within
its control from being compromised, lost, stolen, accessed and misused by unauthorized persons.”
(Doc. 1 at 18.) Defendant argues that plaintiff’s allegations are insufficient because employers do not
have a statutory duty regarding employee information. Absent a statutory duty, plaintiff must show a
common-law duty, and defendant claims that plaintiff has failed to do so. See Dolmage v. Combined
Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *5–*6 (N.D. Ill. Jan. 21, 2015) (“Because there is
no common law duty to protect personal information in Illinois . . . Plaintiff has failed to state a claim
for negligence.”) (citations omitted).
Plaintiff responds that defendant’s duty is to exercise reasonable care when it collects and
stores the personal information of its employees. In this instance, defendant was obligated to
implement reasonable data security measures to protect that information from disclosure. See In re
Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304, 1308 (D. Minn. 2014)
(“[G]eneral negligence law imposes a general duty of reasonable care when the defendant’s own
conduct creates a foreseeable risk of injury to a foreseeable plaintiff.”) (citations omitted).
The court agrees with plaintiff that requiring identification of a statutory duty is unnecessary.
Given plaintiff’s allegations that the harm was foreseeable, defendant had the duty to exercise
-9-
reasonable care to prevent that harm. The court will not dismiss plaintiff’s claim for failure to identify
a more specific duty.
2.
Breach
Plaintiff claims that defendant breached its duty to implement adequate cybersecurity
precautions. Plaintiff’s allegations regarding this element are sufficient.
3.
Causation
As for causation, defendant makes the same arguments that it did with respect to traceability.
Plaintiff has alleged that the data breach and her identity theft were both foreseeable, given defendant’s
previous data security issues, the fact that defendant is a health care company (which are often targeted
by hackers), and the prevalence of data breaches. Plaintiff has adequately pleaded causation.
4.
Cognizable, Actual Injury
Finally, defendant argues that plaintiff has not pleaded compensable injuries. These arguments
are similar to those that defendant made in regard to its standing/injury-in-fact arguments. To the
extent that defendant’s arguments are repeated, the court finds them unpersuasive for the same reasons
discussed above.
Defendant also argues that plaintiff’s injuries are de minimus. Defendant fails to show, based
on the allegations in plaintiff’s complaint, that plaintiff’s claims are not plausible based on the extent
of her injuries. The court determines that plaintiff has adequately stated a claim for negligence.
IT IS THEREFORE ORDERED that defendant’s motion to dismiss (Doc. 10) is denied.
Dated this 19th day of December, 2016, at Kansas City, Kansas.
s/ Carlos Murguia
CARLOS MURGUIA
United States District Judge
-10-
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
