Savidge et al v. Pharm-Save, Inc. et al
Filing
26
MEMORANDUM OPINION AND ORDER Signed by Senior Judge Thomas B. Russell on 12/1/2017: Defendants' Motion #5 to Dismiss is GRANTED IN PART AND DENIED INPART; The parties have until 1/31/2018 to conduct limited discovery on the issue of personal jurisdiction. Thereafter, Defendants have leave to refile their motion to dismiss Neil Medical Group, Inc. under Rule 12(b)(2). Plaintiffs' Joint Motion #8 for Extension of Time to File Response as to Defendants' Motion to Dismiss is GRANTED; Plaintiffs' Joint Motion #11 to Remand is DENIED AS MOOT; Plaintiffs' Motion #7 for Leave to File First Amended Class Action Complaint is GRANTED. Defendants will hereafter be permitted to file another motion to dismiss addressing Plaintiffs' new claims; Plaintiffs' Joint Motion #18 to Stay is DENIED; Defendants' Motion #23 for Leave to File Sur-Reply is GRANTED. cc: Counsel (JBM)
<![CDATA[
UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF KENTUCKY
LOUISVILLE DIVISION
CIVIL ACTION NO. 3:17-CV-00186-TBR
ANDREA K. SAVIDGE, et al.,
PLAINTIFFS
v.
PHARM-SAVE, INC., et al.,
DEFENDANTS
MEMORANDUM OPINION AND ORDER
This matter is before the Court on several pending motions. First, Defendants PharmSave Inc. and Neil Medical Group, Inc. filed a motion to dismiss, [DN 5.] Plaintiffs Andrea
Savidge and Beth Lynch responded, [DN 13], and Defendants replied, [DN 15.] For the reasons
discussed in detail below, Defendants’ motion to dismiss is GRANTED IN PART AND
DENIED IN PART. Second, Plaintiffs filed a motion to remand this action back to Kentucky
state court, [DN 11.] Defendants responded, [DN 14], and Plaintiffs replied, [DN 16.] However,
because the parties no longer dispute that this Court has jurisdiction to hear this case, the motion
to remand is DENIED AS MOOT.
Third, Plaintiffs filed a motion for leave to file a first amended class action complaint,
[DN 17.] Defendants responded, [DN 19], and Plaintiffs replied, [DN 22.] For the reasons
discussed below, that motion is GRANTED.
Finally, Plaintiffs filed a motion to stay the ruling on Defendants’ motion to dismiss until
after Plaintiffs have had an opportunity to conduct limited discovery, [DN 18.] Defendants
responded, [DN 20] and Plaintiffs replied, [DN 21.] Defendants then moved to file a sur-reply,
[DN 23], to which Plaintiffs responded, [DN 24], and Defendants replied, [DN 25.] The Court
will GRANT Defendants’ motion to file a sur-reply and, though it agrees with Plaintiffs that
limited discovery is warranted, will DENY Plaintiffs’ motion to stay. Rather, the Court will
1
DENY WITHOUT PREJUDICE Defendants’ 12(b)(2) motion at this time pending further
limited discovery.
BACKGROUND
Plaintiffs Andrea Savidge and Beth Lynch were employees of Defendant Pharm-Save
Inc. (“Pharm-Save”) from 2013 to 2015 and 2013 to 2014, respectively. [DN 1-1 at 4
(Complaint).] On March 3, 2016, after the each of the Plaintiffs’ employment with Pharm-Save
had ended, a data breach occurred through which “an outside individual or group obtained copies
of the W-2 forms which [Pharm-Save] sent to [its employees] and the IRS which would have
included [employees’] social security number[s], address[es] and [their] 2015 salary
information.” [DN 1-1 at 21, 24 (Letters from Pharm-Save to Plaintiffs).] In letters dated March
26, 2016, Pharm-Save notified all affected employees, including Savidge and Lynch, of the
incident. [DN 1-1 at 21–23, 24–26.] Therein, Pharm-Save explained the security breach and told
employees that “[i]t is possible that the criminal(s) may have filed or may try to file fraudulent
tax refunds in the names of our employees.” [Id. at 21, 24.] Also in the letters, Pharm-Save
offered employees “a complimentary two-year membership of Experian’s ProtectMyID Alert.
This product helps detect possible misuse of your personal information and provides you with
superior identity protection support focused on immediate identification and resolution of
identity theft.” [Id.] The letters also contained instructions on how to activate the ProtectMyID
service. [Id.]
In a letter dated March 29, 2016, the IRS notified Savidge that it had received a federal
income tax return for the 2015 tax year with her name and social security number. [Id. at 28.]
However, the IRS stated that, [t]o protect [Savidge] from identity theft, we need to verify your
2
identity before we process your return.” [Id.] Additionally, the IRS wrote “[w]e won’t process
this . . . tax return until we hear from you.” [Id.] Indeed, that tax return was fraudulent. [Id. at 9.]
On March 2, 2017, Plaintiffs brought suit against Pharm-Save Inc. (d/b/a Neil Medical
Group) and Neil Medical Group, Inc. in Kentucky state court, alleging several causes of action
related to the theft of their personally identifiable information (“PII”). Defendants removed the
action to this Court on March 27, 2017, [DN 1 (Notice of Removal)], and simultaneously filed
the instant motion to dismiss, [DN 5.]
STANDARD
A complaint must contain “a short and plain statement of the claim showing that the
pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). In order to survive a motion to dismiss under
Rule 12(b)(6), a party must “plead enough ‘factual matter’ to raise a ‘plausible’ inference of
wrongdoing.” 16630 Southfield Ltd. P'ship v. Flagstar Bank, F.S.B., 727 F.3d 502, 504 (6th Cir.
2013) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). A claim becomes plausible “when
the plaintiff pleads factual content that allows the court to draw the reasonable inference that the
defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing Bell Atl. Corp. v.
Twombly, 550 U.S. 544, 556 (2007)). When considering a Rule 12(b)(6) motion to dismiss, the
court must presume all of the factual allegations in the complaint are true and draw all reasonable
inferences in favor of the non-moving party. Total Benefits Planning Agency, Inc. v. Anthem
Blue Cross & Blue Shield, 552 F.3d 430, 434 (6th Cir. 2008) (citing Great Lakes Steel v.
Deggendorf, 716 F.2d 1101, 1105 (6th Cir. 1983)). “The court need not, however, accept
unwarranted factual inferences.” Id. (citing Morgan v. Church’s Fried Chicken, 829 F.2d 10, 12
(6th Cir. 1987)). Should the well-pleaded facts support no “more than the mere possibility of
misconduct,” then dismissal is warranted. Iqbal, 556 U.S at 679. The Court may grant a motion
3
to dismiss “only if, after drawing all reasonable inferences from the allegations in the complaint
in favor of the plaintiff, the complaint still fails to allege a plausible theory of relief.” Garceau v.
City of Flint, 572 F. App’x. 369, 371 (6th Cir. 2014) (citing Iqbal, 556 U.S. at 677–79).
DISCUSSION
Defendants seek dismissal of Plaintiffs’ claims of negligence, negligence per se, invasion
of privacy, breach of implied contract, and intentional and negligent infliction of emotional
distress. [DN 5 at 12–28; see DN 1-1.] Defendants make three primary arguments in their motion
regarding why dismissal is proper. First, Defendants argue that Neil Medical Group, Inc. is not
an appropriately named Defendant because it “was not in operation at the time of the alleged
conduct.” [DN 5-1 at 4.] Second, Defendants argue that Plaintiffs lack Article III standing to
bring their claims in this Court. [Id. at 6.] Third, Defendants argue that Plaintiffs fail to state a
claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6). [Id. at
12.] However, Defendants have withdrawn their standing argument, [DN 12 (Notice of
Withdrawal)],1 and therefore only Defendants’ first and third arguments for dismissal remain for
the Court to address.
1
Specifically, Defendant now concedes that Plaintiffs have standing to maintain this suit resulting from the theft of
their personally identifying information. [DN 12 (Notice of Withdrawal of Article III Standing Argument from
Motion to Dismiss).] Moreover, the Sixth Circuit recently held that victims of a data security breach have Article III
standing to bring suit. Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016) (“Plaintiffs'
allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish
a cognizable Article III injury at the pleading stage of the litigation. Plaintiffs allege that the theft of their personal
data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of
“possible future injury” or “objectively reasonable likelihood” of injury that the Supreme Court has explained are
insufficient . . . There is no need for speculation where Plaintiffs allege that their data has already been stolen and is
now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given
its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets
personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the
fraudulent purposes alleged in Plaintiffs' complaints.”). Accordingly, the Court is likewise satisfied that Plaintiffs
have Article III standing.
4
A. Whether Plaintiffs’ Claims State a Claim Upon Which Relief Can Be Granted
The Court will first address whether the claims made in Plaintiffs’ Complaint are
cognizable under Rule 12(b)(6). These include negligence, negligence per se, invasion of
privacy, breach of implied contract, intentional infliction of emotional distress, and negligent
infliction of emotional distress. [See DN 1-1.]
1. Negligence
The parties agree that Kentucky law governs this action. [See DN 5 at 13; DN 13 at 3–
12.] Under Kentucky law, “[a] common law negligence claim requires proof of (1) a duty owed
by the defendant to the plaintiff, (2) breach of that duty, (3) injury to the plaintiff, and (4) legal
causation between the defendant's breach and the plaintiff's injury.” Wright v. House of Imports,
Inc., 381 S.W.3d 209, 213 (Ky. 2012) (citing Pathways, Inc. v. Hammons, 113 S.W.3d 85, 88–89
(Ky. 2003)). “The standard of care applicable to a common-law negligence action is that of
ordinary care—that is, ‘such care as a reasonably prudent person would exercise under the
circumstances.’” Id. (quoting Slusher v. Brown, 323 S.W.2d 870, 872 (Ky. 1959)).
a.
Duty and Breach
With regard to the first two elements of common law negligence, Defendants argue that
Plaintiffs have failed to plausibly allege that Defendants breached a duty they owed to Plaintiffs.
Specifically, Defendants argue that Plaintiffs “allege, without any support, that [Defendants’]
security measures must have been inadequate.” [DN 5-1.] In their complaint, Plaintiffs assert that
“the Defendants’ duty to the Plaintiffs and other class members included, inter alia, establishing
processes and procedures to protect the personal and sensitive information from wrongful
disclosure and training employees who had access to that information as to those processes and
5
procedures.” [DN 1-1 at 10.] Plaintiffs further assert that, because Plaintiffs’ information was
ultimately disclosed, “the Defendants clearly breached those duties.” [Id. at 11.]
True, Plaintiffs’ allegations are scant. However, at the motion to dismiss stage, the Court
is required to construe the allegations in the light most favorable to Plaintiffs “and reasonable
inferences must be made in favor of the non-moving party.” Total Benefits Planning Agency, 552
F.3d at 434. See also Keenan v. Marker, 23 F. App'x 405, 406 (6th Cir. 2001) (“In determining
whether a complaint fails to state a claim, the court must construe the complaint in a light most
favorable to the plaintiff, accept all the factual allegations as true, and determine whether the
plaintiff undoubtedly can prove no set of facts . . . that would entitle him to relief.”) Here, the
Court can draw the reasonable inference that, because Plaintiffs’ information was released to
unauthorized individuals, Defendants breached their duties to safeguard that information.
Whether Plaintiffs can prove such a breach is matter reserved for summary judgment or trial.
However, at this early stage, it is enough that Plaintiffs have plausibly alleged a breach of
Defendants’ duties.
b.
Injury
With regard to the third element of common law negligence, Defendants argue that
Plaintiffs have failed to plead any cognizable injury. [DN 5-1 at 16–19.] In detail, Defendants
argue that Plaintiffs have pointed only to speculative damages and the risk of future harm, which
are insufficient. Indeed, Plaintiffs spend much of their complaint alleging that the cybercriminals
who obtained their information may misuse that information in the future. For instance, Plaintiffs
allege that the cybercriminals “may continue to exploit the data . . . or sell the data in the socalled ‘dark markets.’” [DN 1-1 at 9.] Next, Plaintiffs allege that the cybercriminals now have
the ability “to commit a broad range of fraud . . . including but not limited to” “ obtaining
6
employment,” “obtaining a loan,” “applying for credit cards or spending money,” “obtaining
medical care,” “stealing Social Security and other governmental benefits,” or “applying for a
driver’s license, birth certificate, or other public document.” [Id.] In addition, Plaintiffs allege
that, “if a Plaintiff’s Social Security number is used to create a false identification for someone
who commits a crime, that individual may become entangled in the criminal justice system,
impairing his or her ability to gain employment or obtain a loan.” [Id. (emphasis added)] Finally,
Plaintiffs assert that, “for the rest of their lives . . . [they] will bear a heightened risk of all
manners of identity theft.” [Id.]
The Court agrees that Plaintiffs’ allegations about heightened risks and the possibility of
future harm are insufficient. Kentucky law is clear that “[a] cause of action does not exist until
the conduct causes injury that produces loss or damage.” Capital Holding Corp. v. Bailey, 873
S.W.2d 187, 192 (Ky. 1994) (emphasis added). Accordingly, “Kentucky law . . . prohibits the
possibility of future harm from constituting an element of damages if that possibility is
considered outside the realm of damages for mental anguish.” Gill v. Burress, 382 S.W.3d 57, 64
(Ky. Ct. App. 2012). Indeed, this Court has previously held that “an increased threat of an injury
that may never materialize cannot satisfy the injury requirement” for damages under Kentucky
law. Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892, at *6 (W.D.
Ky. July 12, 2012) (Russell, J.). Similarly, federal courts deciding data breach cases have held
that a risk of future harm is insufficient to plead cognizable injury. See Krottner v. Starbucks
Corp., 406 F. App'x 129, 131 (9th Cir. 2010) (“The alleged injuries here stem from the danger of
future harm. Even Shamasa, the only plaintiff who claims his personal information has been
misused, alleges no loss related to the attempt to open a bank account in his name.”). Therefore,
Plaintiffs’ allegations regarding future harm they may suffer are insufficient.
7
Nor does it appear that the mere filing of a fraudulent tax return in Plaintiff Savidge’s
name, by itself, caused her cognizable injury. Rather, the IRS, apparently skeptical of the
authenticity of the return, notified Savidge that it had been filed and stated that it would not
process it until she verified that it was genuine. [DN 1-1 at 28–29.] See Whalen v. Michaels
Stores, Inc., 689 F. App'x 89, 90 (2d Cir. 2017) (“Whalen asserts . . . she has lost time and
money resolving the attempted fraudulent charges and monitoring her credit. Whalen does not
allege a particularized and concrete injury suffered from the attempted fraudulent purchases,
however; she never was either asked to pay, nor did pay, any fraudulent charge.”); Krottner, 406
F. App’x at 131 (“[Plaintiff] alleges no loss related to the attempt to open a bank account in his
name.”); Holmes, 2012 WL 2873892, at *8 (“The Beneficial Letter is the only evidence that
might show a threat of identity theft. Still, Plaintiffs concede this attempt to secure an automobile
loan was unsuccessful and did not result in any actual injury.”). Contrast In re Yahoo! Inc.
Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *14 (N.D.
Cal. Aug. 30, 2017) (“Dugas alleges that a fraudulent tax return was filed under his Social
Security number and that he was not able to timely file his own taxes as a result. Because Dugas
could not file his own tax return, Dugas was unable to timely file a financial aid application for
his daughters. This resulted in Dugas needing to pay an additional $9,000 in tuition expenses that
he would not otherwise have had to pay.” (internal citations omitted)).
The Court also does not find persuasive Plaintiffs’ argument, made in response to
Defendants’ motion to dismiss, that they can plead a cognizable injury due to the diminished
value of their PII itself. “Plaintiffs here posit that their PII (with which Defendants were
entrusted as Plaintiffs’ employer) constitutes property,” and argue that they are “entitled to
recover for any injury to their PII that they have sustained because of Defendants’ unauthorized
8
disclosure.” [DN 13 at 8.] In detail, Plaintiffs argue that “[a]n intrusion (or encroachment) which
is an unreasonable interference with the property owner's possessory use of his/her property is
sufficient evidence of an actual injury (or damage to the property) to award actual damages.”
[DN 13 at 8 (quoting Smith v. Carbide & Chemicals Corp., 226 S.W.3d 52, 57 (Ky. 2007)).]
Further, Plaintiffs contend that their PII has been damaged “by losing the sales value of that
information.” [Id. at 10 (quoting In re Facebook Privacy Litig., 572 F. App'x 496 (9th Cir.
2014)).] However, Plaintiffs do not adequately allege how the value of their PII has been
diminished, nor that they would have attempted to sell their PII in the future. See Khan v.
Children's Nat'l Health Sys., 188 F. Supp. 3d 524, 533–34 (D. Md. 2016) (“Khan alleges that the
value of her personally identifiable information has been diminished by the data breach. She
does not, however, explain how the hackers’ possession of that information has diminished its
value, nor does she assert that she would ever actually sell her own personal information . . . the
data breach has not deprived her of the use of her personal information.”); Fernandez v. Leidos,
Inc., 127 F. Supp. 3d 1078, 1088 (E.D. Cal. 2015) (“Where the plaintiff has not alleged that he
‘attempted to sell his PII [;] that he would to do so in the future[;] or that he was foreclosed from
entering into a ... transaction relating to his PII[ ] as a result of [the defendant's] conduct,’ the
plaintiff has ‘not alleged facts sufficient to show [an] injury[ ] in [ ]fact based on the purported
diminution in value of his PII.’”). Accordingly, Plaintiffs have failed to adequately plead injury
to their PII itself as a property interest.
Next, Plaintiffs allege in their response to Defendants’ motion to dismiss that “the mental
distress that Plaintiffs suffered and continue to suffer because of the increased likelihood of
identity theft is an injury that is compensable.” [DN 13 at 10.] Indeed, Kentucky law allows
recovery in tort “of damages for mental anguish.” Gill, 382 S.W.3d at 64. However, nowhere in
9
Plaintiffs’ complaint did they allege that they suffer and will continue to suffer from emotional
distress related to their fear of identity theft. [See DN 1-1.] The most Plaintiffs allege, for
purposes of their intentional and negligent infliction of emotional distress claims, is that
Defendants’ conduct “did indeed cause severe emotional distress.” [Id. at 17.] However, as the
Court discusses in detail below, this mere recitation of the element of an intentional and
negligent infliction of emotional distress claim, without more, is insufficient. Because Plaintiffs
did not adequately plead mental anguish damages in their complaint, this, also, does not qualify
as a cognizable injury.
However, Plaintiffs also allege that they have incurred “additional expense[s] associated
with mitigating the risk of identity theft.” [DN 1-1 at 11.] Further, they allege that they “have
suffered and will continued to suffer” such injuries as
(a) out-of-pocket costs associated with addressing false tax returns filed with the
IRS and state tax agencies; . . . (c) out-of-pocket costs associated with procuring
identity protection and restoration services; . . . and (c) lost productivity and
enjoyment as a result of time spent monitoring, addressing and correcting future
consequences of the breach.
[Id. at 12.] In recent years, a growing number of Courts have recognized that the purchase of
credit monitoring services and the costs expended to deal with fraudulent activity following the
theft of PII, when spent with the knowledge that stolen information has already been misused,
can constitute cognizable injuries.2 See Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir.
2012) (“The Complaint specifically alleges that both Curry and Moore suffered financial injury;
monetary loss is cognizable under Florida law for damages in contract, quasi-contract,
negligence, and breach of fiduciary duty . . . Plaintiffs have therefore alleged a cognizable injury
2
The Court recognizes, as Defendants point out, that it previously held, in a prior case, that “[t]he legal tenor of
future injuries means Kentucky courts would not condone payments for credit monitoring unless Plaintiffs' identities
were actually stolen and then used to their financial detriment.” Holmes v. Countrywide Fin. Corp., No. 5:08-CV00205-R, 2012 WL 2873892, at *8 (W.D. Ky. July 12, 2012). However, in light of the cases cited above, and the
modern increase in data and security breaches, the Court is no longer convinced of this reasoning.
10
under Florida law.”) (internal citations omitted); Anderson v. Hannaford Bros. Co., 659 F.3d
151, 166 (1st Cir. 2011) (“Knowing her personal data had been breached and misused, and
knowing the thieves were sophisticated and had rung up thousands of unauthorized charges,
plaintiff Valburn had a reasonable basis for purchasing identity theft insurance to avoid further
damage.”); Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *4
(N.D. Cal. Sept. 14, 2016) (“Only some of the plaintiffs have actually incurred out-of-pocket
expenses so far . . . Those who have incurred such out-of-pocket expenses have pleaded
cognizable injuries, whereas those who claim only that they may incur expenses in the future
have not.”); Corona v. Sony Pictures Entm't, Inc., No. 14-CV-09600 RGK EX, 2015 WL
3916744, at *4 (C.D. Cal. June 15, 2015) (“Upon review of the allegations, the Court finds that
the Complaint sufficiently alleges facts to support the reasonableness and necessity of Plaintiffs’
credit monitoring.”).
In Castillo, for example, the Court wrote:
Plaintiffs claim Seagate’s negligence caused the following injuries: (1) out-ofpocket costs related to the false tax returns filed; (2) increased costs associated
with preparing and filing tax returns; (3) out-of-pocket costs connected with
procuring additional identity protection and restoration services; (4) out-of-pocket
costs associated with credit repair in the event of a future identity theft; and (5)
lost productivity and enjoyment as a result of monitoring use of personal
identifying information. Compl. ¶ 53. Only some of the plaintiffs have actually
incurred out-of-pocket expenses so far. Tran hired an accountant to help her
navigate the process of refiling tax returns. Id. ¶ 26. Dattona and Wilk bought a
subscription to LifeLock, an identity-protection service, because they wanted
greater protection than that offered by Seagate. Id. ¶¶ 31, 33. In contrast, the
Castillos are merely considering purchasing such services, id. ¶ 30, and Lang has
not incurred any out-of-pocket expenses, id. ¶ 32. Those who have incurred such
out-of-pocket expenses have pleaded cognizable injuries, whereas those who
claim only that they may incur expenses in the future have not.
Castillo, 2016 WL 9280242, at *4 (emphasis added). In that case, the plaintiffs who had already
incurred out of pocket expenses specifically identified those expenses in their complaint. Here,
Savidge and Lynch only claim that they “have suffered and will continued to suffer” out of
11
pocket costs related to credit monitoring and, with respect to Savidge, the fraudulent tax return
filed in her name. [DN 1-1 at 11–12.] To be sure, these allegations are minimal. However, the
Court finds that there are sufficient allegations to reasonably infer, at this early stage of the
proceedings, that Plaintiffs’ alleged purchase of credit monitoring and/or identity protection
services, along with Savidge’s expenses associated with the fraudulent tax return filed in her
name, were incurred reasonably, rather than in response to injuries that were overly speculative.
Here, Plaintiffs have pled facts showing that cybercriminals did, indeed, file a false tax return in
Savidge’s name. True, the IRS intercepted the fraudulent return before it was processed. But the
fact that cybercriminals have already misused Savidge’s information may suggest that Plaintiffs’
purchase of identity protection services, with the knowledge that her information had already
been misused, was reasonable and necessary.
To be clear, the Court cannot decide and is not deciding, at this time, that Plaintiffs’ have
demonstrated or proven that they have suffered compensable injuries as a matter of law. This is
not the proper stage to determine whether Plaintiffs’ alleged expenses were, in fact, incurred and,
if so, were reasonable and therefore recoverable. However, at this time, the Court finds that
Plaintiffs have plead sufficient information to allow the Court to draw the reasonable inference
that their alleged expenses were incurred justifiably and therefore may be compensable under a
negligence theory. Therefore, the Court cannot say that Plaintiffs “can prove no set of facts . . .
that would entitle [the]m to relief” on their negligence theory. Keenan, 23 F. App'x at 406.
Finally, Defendants argue that, even if Plaintiffs have incurred various expenses, the
economic loss rule bars their recovery in tort. The Supreme Court of Kentucky has adopted the
economic loss rule and defined it as the rule that “a manufacturer in a commercial relationship
has no duty under either a negligence or strict products-liability theory to prevent a product from
12
injuring itself.” Giddings & Lewis, Inc. v. Indus. Risk Insurers, 348 S.W.3d 729, 738 (Ky. 2011)
(quoting E. River S.S. Corp. v. Transamerica Delaval, Inc., 476 U.S. 858, 871 (1986)). In other
words, the “rule recognizes that economic losses, in essence, deprive the purchaser of the benefit
of his bargain and that such losses are best addressed by the parties’ contract and relevant
provisions of Article 2 of the Uniform Commercial Code.” Id. “Thus, costs for repair or
replacement of the product itself, lost profits and similar economic losses cannot be recovered
pursuant to negligence or strict liability theories but are recoverable only under the parties’
contract, including any express or implied warranties.” Id.
Based on the Giddings court’s analysis of the economic loss rule, however, it appears that
Kentucky courts only apply this rule to products liability actions, in which a plaintiff seeks to
recover economic costs relating to a dangerous or malfunctioned product itself. See Sackin v.
TransPerfect Glob., Inc., No. 17 CIV. 1469 (LGS), 2017 WL 4444624, at *5 (S.D.N.Y. Oct. 4,
2017) (“The economic loss rule . . . does not bar Plaintiffs’ negligence claim, as Defendant
suggests, for two reasons . . . First, the rule is inapplicable because the Complaint does not allege
a products liability claim. See Id., 727 N.Y.S.2d 49, 750 N.E.2d at 1101 n.1 (stating that the
economic loss rule “stands for the proposition that an end-purchaser of a product is limited to
contract remedies and may not seek damages in tort for economic loss against a manufacturer
....”)). The claims in this case do not sound in product liability, however, and no express or
implied warranties exist as they would in a product liability case. Accordingly, the Court is not
persuaded that the economic loss rule applies to bar their potential recovery in negligence.
c.
Causation
Defendants further argue that, even if Plaintiffs have pled a cognizable injury, they have
still failed to adequately plead that Defendants’ alleged breach caused their injury. “A cause of
13
action does not exist until the conduct causes injury that produces loss or damage.” Capital
Holding Corp. v. Bailey, 873 S.W.2d 187, 192 (Ky. 1994). According to Defendants, “Plaintiffs
fail to allege that they were not the victims of another hack, which may have caused their alleged
injury. Because there are multiple possible causes of any alleged harm, Plaintiffs cannot state a
negligence claim.” [DN 5-1 at 15.]
Courts have explained that “[g]enerally, to prove that a data breach caused identity theft,
the pleadings must include allegations of a nexus between the two instances beyond allegations
of time and sequence.” Resnick, 693 F.3d at 1326. For instance, the Eleventh Circuit held that a
sufficient nexus existed for causation purposes when “the sensitive information on the stolen
laptop was the same sensitive information used to steal Plaintiffs’ identity.” Id. at 1327.
Similarly, here, Pharm-Save specifically told the affected individuals that the breach “involved
the information provided on [their] W-2” and “[i]t is possible that the criminal(s) may have filed
or try to file fraudulent tax refunds in the names of our employees.” [DN 1-1 at 21, 24.] The fact
that this is precisely what happened to Savidge indeed suggests a nexus between the data breach
and the fraudulent activity that took place. See Resnick, 693 F.3d at 1326 (“Considering the
Complaint as a whole and applying common sense to our understanding of this allegation, we
find that Plaintiffs allege that the same sensitive information that was stored on the stolen laptops
was used to open the Bank of America account. Thus, Plaintiffs' allegations that the data breach
caused their identities to be stolen move from the realm of the possible into the plausible.”).
Based on these allegations, the Court is satisfied that, at this stage, Plaintiffs have plausibly
alleged causation. Therefore, Defendants’ motion to dismiss will be denied with respect to
Plaintiffs’ negligence claim.
14
2. Negligence Per Se
Under Kentucky law, “[n]egligence per se . . . ‘is ... a negligence claim with a statutory
[or regulatory] standard of care substituted for the common law standard of care.’” Wright, 381
S.W.3d at 213 (quoting Real Estate Mktg., Inc. v. Franz, 885 S.W.2d 921, 927 (Ky. 1994)).
“KRS 446.070 codifies the doctrine of negligence per se, and provides: ‘A person injured by the
violation of any statute may recover from the offender such damages as he sustained by reason of
the violation, although a penalty or forfeiture is imposed for such violation.’” Id. (quoting Ky.
Rev. Stat. Ann. § 446.070). Here, Plaintiffs allege that Defendants violated KRS § 365.732(2),
which states:
Any information holder shall disclose any breach of the security of the system,
following discovery or notification of the breach in the security of the data, to any
resident of Kentucky whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized person. The
disclosure shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law enforcement, as
provided in subsection (4) of this section, or any measures necessary to determine
the scope of the breach and restore the reasonable integrity of the data system.
Ky. Rev. Stat. Ann. § 365.732(2). Specifically, Plaintiffs contend that Defendants failed to notify
Plaintiffs of the breach of their personal information “in the most expedient time possible and
without unreasonable delay.” Id.
Even assuming, for argument’s sake only, that Defendants did not notify Plaintiffs in the
most expedient time possible, Plaintiffs have identified no injury caused by this alleged delay.
The parties agree that the breach occurred on March 3, 2016. [DN 1-1 at 8 (Complaint); DN 1-1
at 21, 24 (Letters from Pharm-Save to Plaintiffs).] Pharm-Save sent letters to the affected
individuals dated March 24, 2016 notifying them of the March 3 breach. [DN 1-1 at 21, 24.]
Accordingly, less than three weeks elapsed between the breach and Pharm-Save’s notifications
to the Plaintiffs.
15
According to Plaintiffs, as a result of this nearly three week period, they “were subject to
potentially avoidable harm which could have been mitigated by (i) purchasing identity
protection services; (ii) monitoring their bank accounts, credit cards and other financial
accounts; and (iii) taking other steps to protect against identity theft and the fraudulent use of
their information by third parties.” [Id. at 14.] However, Plaintiffs do not allege what kind of
“potentially avoidable harm” they experienced that could have been mitigated had they learned
of the breach earlier. This mere allegation of harm, without accompanying factual allegations, is
insufficient to warrant an inference that the alleged delay in notifying Plaintiffs of the security
breach caused them cognizable injury. See Castillo v. Seagate Tech., LLC, No. 16-CV-01958RS, 2016 WL 9280242, at *5 (N.D. Cal. Sept. 14, 2016) (“No plaintiffs . . . have stated a
cognizable injury that resulted from Seagate’s alleged failure to provide adequate and timely
notice of the breach. They have not, for example, pleaded any facts suggesting timelier or more
adequate notice would have prevented the filing of fraudulent tax returns.”). For these reasons,
Plaintiffs’ negligence per se claim will be dismissed for failure to state a claim upon which relief
can be granted.
3. Invasion of Privacy
Under Kentucky law, “[t]he right of privacy . . . protects against four distinct torts: (1)
unreasonable intrusion upon seclusion of another; (2) misappropriation of another's name or
likeness; (3) unreasonable publicity given to one’s private life; and (4) publicity that places
another in a false light.” Pearce v. Whitenack, 440 S.W.3d 392, 401 (Ky. Ct. App. 2014) (citing
McCall v. Courier–Journal & Louisville Times Co., 623 S.W.2d 882, 887 (Ky. 1981) (adopting
Restatement (Second) of Torts § 652A (1976))).
16
In their complaint and response to Defendants’ motion to dismiss, Plaintiffs allege the
theory of “unreasonable publicity given to one’s private life.” See id. Generally, Kentucky courts
have adopted Restatement principles with regard to invasion of privacy claims. See id. (Adopting
“the principles of th[e] tort [of invasion of privacy] as enunciated in the Restatement (Second) of
Torts (1976).”) With regard to “unreasonable publicity” invasion of privacy, the Restatement
provides:
One who gives publicity to a matter concerning the private life of another is
subject to liability to the other for invasion of his privacy, if the matter publicized
is of a kind that
(a) would be highly offensive to a reasonable person, and
(b) is not of legitimate concern to the public.
Restatement (Second) of Torts § 652D (1977). Indeed, both parties agree that this test applies to
Plaintiffs’ invasion of privacy claim. [See DN 5-1 at 23; DN 13 at 17.]
Defendants argue that Plaintiffs cannot state a claim for unreasonable publicity into their
private lives because they have failed to allege that Defendants actually published their private
information. [DN 5-1 at 23–24.] Specifically, according to the Restatement, “‘[p]ublicity’ . . .
means that the matter is made public, by communicating it to the public at large, or to so many
persons that the matter must be regarded as substantially certain to become one of public
knowledge.” Restatement (Second) of Torts § 652D cmt. a (1977). Stated differently, publicity is
“a communication that reaches, or is sure to reach, the public.” Id. Here, Plaintiffs merely allege
in their complaint that “Defendants . . . published private, sensitive and personal facts of or
concerning the Plaintiffs and the absent members of the Plaintiff Class;” that “the matters
publicized are of a kind that would be highly offensive to a reasonable person, and that “the
matters publicized are not of legitimate concern to the public.” [DN 1-1 at 15.]
17
However, Plaintiffs never allege that their information has been communicated to the
public at large or to so many people that it is “substantially certain to become . . . public
knowledge.” Restatement (Second) of Torts § 652D cmt. a (1977). Rather, Plaintiffs only allege
that “their sensitive and personal information is literally in the hands of cybercriminals who
intend to use that information for nefarious purposes.” [DN 1-1 at 15.] In their response,
Plaintiffs argue that “Defendants communicated Plaintiffs’ PII to one or more cybercriminals”
and that “it is more than plausible that the cybercriminals either did or will ‘sell the data in the
so-called ‘dark markets.’” [DN 13 at 18 (citing DN 1-1 at 9).] However, Plaintiffs’ mere
allegations that the cybercriminals “may . . . sell the data in the so-called ‘dark markets,’” [DN 11 at 9], is not enough to support an inference that Plaintiffs’ information is in the hands of the
public. Accordingly, the Court agrees with Defendants that these allegations fall short of alleging
that Defendants published Plaintiffs’ information to the public large or in such a way as to make
it substantially certain that Plaintiffs’ information would become public knowledge. Because
Plaintiffs have failed to plausibly allege publicity, their invasion of privacy claim will be
dismissed.
4. Breach of Implied Contract
Defendants move to dismiss Plaintiffs’ breach of implied contract claim on grounds that
Plaintiffs fail to plead that a meeting of the minds ever took place and, alternatively, that
Plaintiffs cannot show damages resulting from an alleged breach. [DN 5-1 at 24–25.] The
Supreme Court of Kentucky has explained “[b]asic contract law provides that, as in the case of
an express contract, an implied contract requires the agreement of the promisor to be bound.”
Furtula v. Univ. of Kentucky, 438 S.W.3d 303, 308 (Ky. 2014), as modified (June 23, 2014). An
implied contract
18
may be inferred wholly or partly from such conduct as justifies the promisee in
understanding that the promisor intended to make a promise. To constitute such a
contract there must, of course, be a mutual assent by the parties–a meeting of
minds–and also an intentional manifestation of such assent. Such manifestation
may consist wholly or partly of acts, other than written or spoken words.
Id. (quoting Kellum v. Browning's Adm'r, 231 Ky. 308, 21 S.W.2d 459, 463 (1929) (internal
citations omitted) (emphasis added)).
Here, Plaintiffs allege that they provided their W-2 information to Defendants so that
Defendants could verify their identities, provide them with compensation, and to provide
Defendants with complete records for tax purposes. [DN 1-1 at 16.] According to Plaintiffs,
Defendants “implicitly promised . . . that they would take adequate measures to protect their
sensitive and personal information,” that “a material term of this contract is a covenant by
Defendants that they will take reasonable efforts to safeguard that information,” and that
Defendants breached that covenant by improperly releasing their PII. [DN 1-1 at 16–17.] The
court in Castillo, which the Court referenced above, addressed a similar argument. There, the
court explained:
The upshot of the averments in the plaintiffs’ complaint . . . is quite clear: The
employees provided their personal information for tax purposes and to receive
employment and benefits, with the understanding that Seagate, while it held the
information, would take adequate measures to protect it. Seagate received the
personal information so that it could employ the plaintiffs, and provide them with
employment and benefits. While Seagate made no explicit promises as to the
ongoing protection of personal information, it is difficult to imagine how, in our
day and age of data and identity theft, the mandatory receipt of Social Security
numbers or other sensitive personal information would not imply the recipient’s
assent to protect the information sufficiently.
Castillo, 2016 WL 9280242, at *9. The Court finds this reasoning highly persuasive. Here,
Plaintiffs make nearly identical allegations as those in Castillo. Like that court, this Court finds
that these facts are sufficient for the Court to draw the reasonable inference that Defendants
impliedly assented to protect Plaintiffs’ information. “A factfinder can ultimately determine
19
whether an implied contract to protect adequately plaintiffs' information existed, and whether
such a contract for adequate protection required protection beyond an employment term.” Id.
However, at this early stage, the Court is satisfied that Plaintiffs have adequately pled the
existence of an implied contract.
5. Intentional Infliction of Emotional Distress
In order to establish a common-law claim for intentional infliction of emotional distress
under Kentucky law,
[1] the wrongdoer's conduct must be intentional or reckless; [2] the conduct must
be outrageous and intolerable in that it offends against the generally accepted
standards of decency and morality; [3] there must be a causal connection between
the wrongdoer's conduct and the emotional distress; and [4] the emotional distress
must be severe.
Stringer v. Wal-Mart Stores, Inc., 151 S.W.3d 781, 788 (Ky. 2004), abrogated on other grounds
by Toler v. Süd-Chemie, Inc., 458 S.W.3d 276 (Ky. 2014), as corrected (Ky. Apr. 7, 2015), and
reh'g denied (Ky. May 14, 2015); see also Childers v. Geile, 367 S.W.3d 576, 579 (Ky. 2012).
The Court must decide, as to the second element, “whether the conduct complained of can
reasonably be regarded to be so extreme and outrageous as to permit recovery” unless reasonable
minds could differ on the subject. Keaton v. G.C. Williams Funeral Home, Inc., 436 S.W.3d 538,
544 (Ky. Ct. App. 2013) (quoting Goebel v. Arnett, 259 S.W.3d 489, 493 (Ky. Ct. App. 2007)).
The bar is set high, for, under Kentucky law, “a claim for the tort of outrage requires the plaintiff
to prove conduct which is so outrageous in character, and so extreme in degree, as to go beyond
all possible bounds of decency, and to be regarded as atrocious, and utterly intolerable in a
civilized community.” Hume v. Quickway Transp., Inc., No. 3:16-cv-00078-JHM, 2016 WL
3349334, at *9 (W.D. Ky. June 15, 2016) (quoting Futrell v. Douglas Autotech Corp., No. 5:09-
20
CV-21, 2010 WL 1417779, at *4 (W.D. Ky. Apr. 2, 2010)); see also Mineer v. Williams, 82 F.
Supp. 2d 702, 706 (E.D. Ky. 2000) (“The standards for this tort are strict.”).
Even taking all of Plaintiffs’ allegations as true, they have identified no “outrageous and
intolerable” conduct approaching this high threshold. Rather, they have merely alleged that “the
Defendants engaged in extreme and outrageous conduct.” [DN 1-1 at 17.] The Supreme Court
has made clear, however, that “[a] pleading that offers ‘labels and conclusions’ or ‘a formulaic
recitation of the elements of a cause of action will not do.’” Ashcroft v. Iqbal, 556 U.S. 662, 678
(2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). “Nor does a complaint
suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’” Id. (quoting
Twombly, 550 U.S. at 557). Here, Plaintiffs only allege that Defendants’ conduct was extreme
and outrageous. This allegation merely recites an element of an intentional infliction of
emotional distress claim, but does not offer any factual enhancement to allege how Defendants’
conduct rose to that level.
Similarly, Plaintiffs have failed to adequately plead their alleged “severe” emotional
distress. Plaintiffs state in their complaint only that Defendants’ conduct “did indeed cause
severe emotional distress.” [DN 1-1 at 17.] Once again, however, a mere formulaic recitation of
an element of a cause of action is insufficient to state a claim without accompanying factual
allegations. See Alioto v. Advantage Assocs., Inc., No. CIV.A. 10-14-C, 2011 WL 4435681, at *3
(W.D. Ky. Sept. 22, 2011) (Coffman, J.) (“Even if this court were to read the plaintiffs’
complaint to assert severe distress, such legal conclusions, without support by factual allegations,
are not sufficient to survive a motion to dismiss.”). For these reasons, Plaintiffs’ claim of
intentional infliction of emotional distress will be dismissed.
21
6. Negligent Infliction of Emotional Distress
To prove negligent infliction of emotions distress, a plaintiff must first prove the
elements of a standard negligence claim, meaning 1) duty, 2) breach, 3) causation, and 4)
damages, and then, as with an intentional infliction of emotional distress claim, must
demonstrate 5) severe emotional injury. Osborne v. Keeney, 399 S.W.3d 1, 17–18 (Ky. 2012).
However, as the Court already discussed above, Plaintiffs did not adequately plead their alleged
severe emotional distress. Specifically, claiming only that Defendants “cause[d] severe
emotional distress” to Plaintiffs is insufficient. Accordingly, this claim, like Plaintiffs’
intentional infliction of emotional distress claim, will be dismissed.
B. Proposed Amended Complaint
Plaintiffs also seek to file an Amended Complaint to add four new causes of action:
violations of the Kentucky Uniform Trade Secrets Act, conversion, trespass to chattels, and
bailment. [DN 17 (Motion for Leave to File First Amended Class Action Complaint).] Federal
Rule of Civil Procedure 15(a)(2) permits a party to amend a pleading “with the opposing party’s
written consent or the court’s leave.” Fed. R. Civ. P. 15(a)(2). The Rule states that “court[s]
should freely give leave when justice so requires.” Id. In determining whether the interests of
justice support a grant of leave to amend, courts consider several factors, including “undue delay
in filing, lack of notice to the opposing party, bad faith by the moving party, repeated failure to
cure deficiencies by previous amendments, undue prejudice to the opposing party, or futility of
the amendment.” Brumbalough v. Camelot Care Ctrs., Inc., 427 F.3d 996, 1001 (6th Cir. 2005)
(citing Coe v. Bell, 161 F.3d 320, 341–42 (6th Cir. 1998)); see also Foman v. Davis, 371 U.S.
178, 182 (1962). “The grant or denial of leave to amend is within the discretion of the trial court,
and review is for abuse of discretion.” Sec. Ins. Co. of Hartford v. Kevin Tucker & Assocs., Inc.,
22
64 F.3d 1001, 1008 (6th Cir. 1995) (citing Roth Steel Prods. v. Sharon Steel Corp., 705 F.2d 134,
155 (6th Cir. 1983)).
In Defendants’ response to Plaintiffs’ motion for leave to file an amended complaint,
Defendants state that they “recognize that the Court has discretion in permitting amended
pleadings, particularly at this early stage in the proceedings, and, therefore, leave the
determination of Plaintiffs’ motion to the Court’s discretion.” [DN 19 at 1–2.] Due to this lack of
opposition from Defendants, and Rule 15(a)(2)’s direction that courts should allow parties to
amend pleadings freely as justice requires, the Court will grant Plaintiffs’ motion to amend, [DN
17.] However, as Defendants further point out in their response, due to the filing of this amended
complaint, they shall be entitled to file a renewed motion to dismiss addressing the new claims
presented in Plaintiffs’ amended complaint.
C. Whether Neil Medical Group, Inc. is a Proper Defendant
In their complaint, Plaintiffs allege that Neil Medical Group, Inc.
constitutes a mere instrumentality and alter ego of Pharm-Save (and/or viseversa), as the two corporate entities share the exact same (1) corporate
governance, (2) registered office, (3) principal office, (4) registered agent,
(5) mailing address and (6) employees. Moreover, the North Carolina
Department of Revenue has suspended Neil Medical as a corporation and, as
explained supra , Neil Medical is not registered with the Secretary of State of
the Commonwealth of Kentucky, so corporate formalities do not appear to be
followed.
[DN 1-1 at 4–5.] In their motion to dismiss, Defendants assert that Defendant Neil Medical
Group, Inc. is not properly named in this action and should therefore be dismissed. [DN 5-1 at 4–
6.] In detail, Defendants contend that “Neil Medical Group, Inc. was not in operation at the time
of the alleged conduct” and that Neil Medical Group, Inc. and Pharm-Save have numerous
differences that preclude a finding of alter-ego liability. [Id.] In support of these claims,
23
Defendants attached to their motion the affidavit of Erik P. Lindberg, the corporate
representative of Pharm-Save, Inc. and Neil Medical Group, Inc. [DN 5-2.]
In Plaintiffs’ view, however, if the Court considers Lindberg’s affidavit, it must convert
Defendants’ motion to one for summary judgment. [DN 13 at 25 (citing Fed. R. Civ. P. 12(d)).]
Federal Rule of Civil Procedure 12(d) provides that,
[i]f on a motion under Rule 12(b)(6) or 12(c), matters outside the pleadings are
presented to and not excluded by the court, the motion must be treated as one for
summary judgment under Rule 56. All parties must be given a reasonable
opportunity to present all the material that is pertinent to the motion.
Fed. R. Civ. P. 12(d). Accordingly, Plaintiffs assert that Neil Medical Group, Inc. should not be
dismissed from this suit “until the extent of its involvement (and business relationship with the
other Defendant) is ascertained” through discovery. [DN 13 at 26.] In their reply, the Defendants
respond that Neil Medical Group, Inc. should, then, be granted summary judgment on the basis
of the Lindberg affidavit. [DN 15 at 16.]
After Defendants filed their reply, Plaintiffs filed a motion asking the Court to deny or
stay its ruling on Defendants’ motion to dismiss if the Court considers the Lindberg affidavit.
[DN 18.] Specifically, Plaintiffs argue that, “[b]y attaching the Lindberg Affidavit, Defendants
have converted their Motion to Dismiss into a Motion for Summary Judgment, so Plaintiffs are
entitled to discovery . . . the inclusion of the Lindberg Affidavit compels this Court to deny
Defendants’ Motion or stay its ruling so that Plaintiffs can have an opportunity to conduct
discovery.” [DN 18-1 at 2.] In response to the motion to stay, Defendants argue that the Court
need not convert their motion to one for summary judgment, because “[t]he Lindberg Affidavit, [
] relates solely to the lack of personal jurisdiction over Neil Medical and completely refutes
Plaintiffs’ claims that Neil Medical either (1) employed the Plaintiffs, or (2) is Pharm-Save’s
alter-ego.” [DN 20 at 1–2.] Defendants argue that, though they did not label their motion to
24
dismiss with respect to Neil Medical Group, Inc. as a motion to dismiss for lack of personal
jurisdiction under Rule 12(b)(2), that was the essence of their motion. And, because courts can
consider affidavits when making personal jurisdiction determinations, Defendant argues this
Court can properly consider the Lindberg affidavit for that purpose here.
In reply, Plaintiffs contend Defendants waived their defense of lack of personal
jurisdiction by failing to raise it in their first responsive pleading, their motion to dismiss. [DN
21 at 2.] The Court disagrees. As Defendant argues in its response, it appears that Defendants did
raise the issue of lack of personal jurisdiction in their initial motion to dismiss. True, Defendants
did not caption their arguments with respect to dismissing Neil Medical Group, Inc. as being
made under Rule 12(b)(2). However, Defendants arguments in their motion are indeed directed
toward a personal jurisdiction determination. Plaintiffs state in their complaint that Neil Medical
Group, Inc. is “a North Carolina corporation.” [DN 1-1 at 4.] In order to exercise personal
jurisdiction over an out-of-state company defendant,
[f]irst, the defendant must purposefully avail himself of the privilege of acting in
the forum state or causing a consequence in the forum state. Second, the cause of
action must arise from the defendant's activities there. Finally, the acts of the
defendant or consequences caused by the defendant must have a substantial
enough connection with the forum state to make the exercise of jurisdiction over
the defendant reasonable.
Means v. United States Conference of Catholic Bishops, 836 F.3d 643, 649 (6th Cir. 2016)
(quoting S. Mach. Co. v. Mohasco Indus., Inc., 401 F.2d 374, 381 (6th Cir. 1968)). In their
motion to dismiss Neil Medical Group, Inc. as a Defendant, Defendants essentially address these
personal jurisdiction factors. For instance, Defendants argue, based on the Lindberg affidavit,
that “Neil Medical Group, Inc. has never been engaged in the pharmacy business;” “has never
done
business
in
or
operated
in
the
Commonwealth
of
Kentucky;
and that it “was not operational at the time the Complaint was filed or at the time of the alleged
25
conduct outlined in the Complaint.” [DN 5-1 at 4 (citing DN 5-2).] Accordingly, the Court finds
that Defendants’ motion with respect to Neil Medical Group, Inc. can be properly construed as a
motion to dismiss for lack of personal jurisdiction under Rule 12(b)(2).
However, the Court agrees that Plaintiffs are entitled to conduct discovery on this issue
before the Court makes a determination regarding personal jurisdiction. When “[p]resented with
a properly supported 12(b)(2) motion and opposition, the court has three procedural alternatives:
it may decide the motion upon the affidavits alone; it may permit discovery in aid of deciding the
motion; or it may conduct an evidentiary hearing to resolve any apparent factual questions.”
Theunissen v. Matthews, 935 F.2d 1454, 1458 (6th Cir. 1991) (citing Serras v. First Tennessee
Bank Nat. Ass'n, 875 F.2d 1212, 1214 (6th Cir. 1989)). Here, Plaintiffs have requested
preliminary discovery as to this issue, and the Court agrees that, to properly oppose Defendants’
motion, they are entitled to it. Accordingly, the Court will allow the parties to conduct discovery
limited solely to the issue of the Court’s personal jurisdiction over Neil Medical Group, Inc. For
judicial efficiency’s sake, at this time, the Court will deny the portion of Defendants’ motion
brought under 12(b)(2) without prejudice and with leave to refile following the completion of
limited discovery.
D. Class Certification
Plaintiffs state in their complaint that they seek to bring this suit as a class action on
behalf of all individuals whose PII was compromised as a result of the March 3, 2016 breach.
[DN 1-1 at 5–8.] In their motion to dismiss, Defendants oppose class certification, making
several arguments related to broadness, arbitrariness, ascertainability, numerosity, adequate
representation, typicality, and predominance. [DN 5-1 at 28–40.] In response, Plaintiffs state
that they have not yet moved yet moved for class certification, but plan to do so at a later time,
26
after “the Plaintiffs have been afforded a full and fair opportunity to conduct discovery to refine
their proposed class definition.” [DN 13 at 25.] The Court agrees that, at this early stage, it is
premature to decide the class certification issue. See In re Am. Med. Sys., Inc., 75 F.3d 1069,
1079 (6th Cir. 1996) (“[O]rdinarily the determination should be predicated on more information
than the pleadings will provide.... The parties should be afforded an opportunity to present
evidence on the maintainability of the class action.”) (quoting Weathers v. Peters Realty Corp.,
499 F.2d 1197, 1200 (6th Cir. 1974)). Accordingly, the Court will address this issue at a later
time after Plaintiffs have properly raised it in a motion to certify.
CONCLUSION
For the reasons stated herein, IT IS HEREBY ORDERED as follows:
(1) Defendants’ Motion to Dismiss, [DN 5], is GRANTED IN PART AND DENIED IN
PART. Plaintiffs’ claims of negligence per se, invasion of privacy, intentional infliction
of emotional distress, and negligent infliction of emotional distress are dismissed for
failure to state a claim upon which relief can be granted. The portion of Defendants’
motion to dismiss Neil Medical Group, Inc. on grounds of lack of personal jurisdiction
under Rule 12(b)(2) is DENIED WITHOUT PREJUDICE. The parties have until
January 31, 2018 to conduct limited discovery on the issue of personal jurisdiction.
Thereafter, Defendants have leave to refile their motion to dismiss Neil Medical Group,
Inc. under Rule 12(b)(2).
(2) Plaintiffs’ Joint Motion for Extension of Time to File Response as to Defendants’ Motion
to Dismiss, [DN 8], is GRANTED.
(3) Plaintiffs’ Joint Motion to Remand, [DN 11], is DENIED AS MOOT.
27
(4) Plaintiffs’ Motion for Leave to File First Amended Class Action Complaint, [DN 17], is
GRANTED. Defendants will hereafter be permitted to file another motion to dismiss
addressing Plaintiffs’ new claims.
(5) Plaintiffs’ Joint Motion to Stay, [DN 18], is DENIED.
(6) Defendants’ Motion for Leave to File Sur-Reply, [DN 23], is GRANTED.
Date:
cc:
December 1, 2017
Counsel
28
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
