Hutton et al v. National Board of Examiners in Optometry, Inc.
Filing
19
MEMORANDUM. Signed by Judge James K. Bredar on 3/22/2017. (dass, Deputy Clerk)
<![CDATA[
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF MARYLAND
RHONDA L. HUTTON, O.D. et al..,
Plaintiffs
*
*
v.
CIVIL NO. JKB-16-3025
*
NAT’L BD. OF EXAM’RS
IN OPTOMETRY, INC.,
Defendant
*
NICOLE MIZRAHI,
Plaintiff
*
*
v.
CIVIL NO. JKB-16-3146
*
NAT’L BD. OF EXAM’RS
IN OPTOMETRY, INC.,
Defendant
*
*
*
*
*
*
*
*
*
*
*
*
*
*
MEMORANDUM
I. Background
Two cases before the Court rest upon similar allegations by different Plaintiffs, and they
are the subjects of nearly identical defense motions. Both cases seek to represent the same class
of similarly situated individuals. The causes of action overlap between the cases, with some
differences in state-law theories of recovery. Plaintiffs allege the Defendant, National Board of
Examiners in Optometry, Incorporated (“NBEO”), suffered a data breach sometime before
July 23, 2016, that the personally identifiable information (“PII”) Plaintiffs had supplied to
NBEO to register for exams in order to obtain an optometry license was stolen, and that they
have incurred damage as a result. (16-3025, Compl., ECF No. 1; 16-3146, Compl., ECF No. 1.)
Now pending before the Court are NBEO’s motions to dismiss pursuant to Federal Rules
of Civil Procedure 12(b)(1) and 12(b)6) or, in the alternative, motions to strike pursuant to
Rules 12(f) and 23(d)(1)(D). (16-3025, ECF No. 11; 16-3146, ECF No. 9.) Plaintiffs have also
filed motions to consolidate the two cases. (16-3025, ECF No. 12; 16-3146, ECF No. 10.)
NBEO does not object to the latter motion as long as the motions to dismiss are addressed first.
The Court agrees it is appropriate to decide the potentially dispositive motions first. The motions
have been briefed and are ripe for decision. No hearing is necessary. Local Rule 105.6 (D. Md.
2016). NBEO’s motions will be granted pursuant to Rule 12(b)(1) for lack of standing. As a
result, the Court will find moot NBEO’s motions to the extent they are premised on other rules.
Concomitantly, the Court will find moot Plaintiffs’ motions to consolidate.
II. Standard for Dismissal under Rule 12(b)(1)
The burden of proving subject-matter jurisdiction is on the plaintiff. A challenge to
jurisdiction may be either facial, i.e., the complaint fails to allege facts upon which subjectmatter jurisdiction can be based, or factual, i.e., jurisdictional allegations of the complaint are not
true. Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982). See also Kerns v. United States, 585
F.3d 187, 192 (4th Cir. 2009) (same); Richmond, Fredericksburg & Potomac Ry. Co., 945 F.2d
765, 768 (4th Cir. 1991) (same). In the case of a factual challenge, it is permissible for a district
court to “consider evidence outside the pleadings without converting the proceeding to one for
summary judgment.” Richmond, Fredericksburg, 945 F.2d at 768 (citing Adams, 697 F.2d at
1219).
III. Standing
In a class action, the Court must “analyze standing based on the allegations of personal
injury made by the named plaintiffs.” Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017). To
2
have standing, one must claim “injury in fact” (1) that is concrete and particularized, and either
actual or imminent, (2) that has a causal connection to defendant’s conduct, and (3) that is likely
redressable by a favorable judicial decision. See Lujan v. Defenders of Wildlife, 504 U.S. 555,
560-61 (1992). To establish standing at the motion-to-dismiss stage, a plaintiff must allege
“sufficient ‘factual matter’” to render a claim of standing “‘plausible on its face.’” Beck, 848
F.3d at 270 (citing Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). As with any motion to dismiss
premised upon the question of sufficiency of the pleading, “[f]actual allegations must be enough
to raise a right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 U.S. 544,
555 (2007). “A pleading that offers ‘labels and conclusions’ or ‘a formulaic recitation of the
elements of a cause of action will not do.’ . . . Nor does a complaint suffice if it tenders ‘naked
assertion[s]’ devoid of ‘further factual enhancement.’” Iqbal, 556 U.S. at 678 (quoting Twombly,
550 U.S. at 555, 557). Although when considering a motion to dismiss a court must accept as
true all factual allegations in the complaint, this principle does not apply to legal conclusions
couched as factual allegations. Twombly, 550 U.S. at 555.
IV. Allegations of the Complaint
Plaintiff Rhonda L. Hutton, O.D., is a Kansas resident who submitted her PII to NBEO in
1998. (16-3025 Compl. ¶ 5.) Plaintiff Tawny P. Kaeochinda, O.D., is a California resident who
submitted her PII to NBEO in 2006-2008. (Id. ¶ 6.) Hutton and Kaeochinda are the two named
Plaintiffs in 16-3025. In 16-3146, the named Plaintiff is Nicole Mizrahi, O.D., who is a New
York resident and who alleges she supplied her PII to NBEO, but does not say when that
occurred. (16-3146 Compl. ¶ 9.) The PII is defined by Hutton1 as “including but not limited to
1
For ease of reference, the Court will refer to Hutton alone in 16-3025. When necessary, the Court will
separately identify allegations that are unique to Hutton or Kaeochinda. Unless Mizrahi’s allegations are materially
different from Hutton’s, the Court will cite only to Hutton’s complaint.
3
names, birth dates, Social Security numbers, addresses, and credit card information.” (16-3025
Compl. ¶ 1.)
The context for Plaintiffs’ complaints is provided in the following paragraphs from
Hutton’s complaint:
2.
On or around July 23, 2016, optometrists from around the country began
to notice that fraudulent Chase accounts were being opened in their names. They
started discussing it on various Facebook groups and soon realized they were all
victims of the same type of fraud. In particular, many optometrists learned that a
Chase Amazon Visa credit card had been applied for in their name, or some other
line of credit, and all within a few days of one another. The optometrists soon
realized that the only common source amongst them and to which they had all
given their Personal Information that included Social Security numbers and dates
of birth (information necessary to apply for new lines of credit, among other
things), was the NBEO, where every graduating optometry student has to submit
their Personal Information to sit for board-certifying exams. This also affected
optometrists who served as examiners or committee members for NBEO and
optometrists who later sat for additional NBEO competency exams well after
graduating from optometry school. Individuals that submitted their Personal
Information to NBEO even more than fifteen years ago have been affected, and
the fraud has expanded from only Chase accounts to other means.
3.
The NBEO denied its responsibility for the fraud for several days, but on
August 4, 2016, it issued a statement on its website stating that it had “decided
further to investigate whether personal data was stolen from [its] information
systems to support the perpetrators’ fraud on individuals and Chase.” 1
1
http://www.optometry.org/
Mizrahi also alleges the following:
Since [the August 4, 2016, statement], the NBEO has deigned to update the public
only once, on August 25, 2016, to state that the investigation is ongoing but that
so far the investigation “does not establish whether an intrusion in fact occurred.
Collection and technical analysis is therefore continuing, involving still more
data, both current and retrospective.”3 The NBEO also stated that “[d]epending
on what that inquiry reveals and when, it could take a number of additional weeks
to complete.”4
3
Id. [referring to https://www.facebook.com/NationalBoard/hc_ref=
NEWSFEED&fref=nf (last viewed September 13, 2016); http://www.
optometry.org/ (last viewed September 13, 2016)].
4
Id.
4
(16-3146 Compl. ¶ 6.)
As for the individual Plaintiffs, Hutton alleges that she received on August 5, 2016, a
Chase Amazon Visa credit card for which she did not apply. (16-3025 Compl. ¶ 5.) She alleges
the card was opened in her maiden name, which was the name she had supplied to NBEO. (Id.)
She claims she was harmed by the compromise of her PII and faces an “increased threat of
identity theft and fraud due to her Personal Information being sold on the Internet black market
and/or misused by criminals. Plaintiff Hutton also has spent time and money putting credit
freezes in place with the credit reporting agencies Experian, TransUnion, and Equifax.” (Id.)
Kaeochinda alleges that, “on August 1, 2016, she learned that someone had applied for a
Chase Amazon Visa credit card using, among other things, her former married name, which was
the name she provided to NBEO as part of the examination process.” (Id. ¶ 6.) She claims the
same injury as Hutton, although Kaeochinda adds that she has filed reports with the FTC, FBI,
IRS, and her local police department. (Id.)
Mizrahi alleges the following:
. . . her credit score was damaged when unknown persons applied for a Chase
Bank Amazon credit card in her name on August 26, 2016. Plaintiff now faces a
long, arduous, and potentially costly struggle to prevent her [PII] from being used
in fraudulent transactions that may affect her finances. Plaintiff’s [PII] has been
compromised due to the NBEO’s failure to maintain reasonable and adequate
security measures to protect the [PII] it collected from Plaintiff and the Class in
exchange for, inter alia, payments to the NBEO.
(16-3146 Compl. ¶ 7.) Mizrahi alleges that, after she placed a fraud alert on her credit reporting
file, the application for the Chase Amazon card was automatically denied. (¶¶ 30-31.) She
alleges a credit monitoring service informed her that her credit score decreased 11 points
between August 23, 2016, and August 31, 2016, and the decrease was due to the application
made in her name on August 26, 2016. (Id. ¶ 32.) Mizrahi received a letter from Chase (the
5
Court presumes the reference is to JPMorgan Chase Bank) on September 2, 2016, “notifying her
of steps to be taken to protect personal information that may have been compromised but not
specifically stating that any such compromise had occurred.” (Id. ¶ 33.) In a conversation with a
Chase representative on September 6, 2016, Mizrahi was told “that an application had been made
in her name for a Chase Amazon card on August 26, 2016, and that the applicant for the Chase
card had used Plaintiff’s correct name, address, social security number and Plaintiff’s Mother’s
maiden name in completing the application.” (Id. ¶ 34.) Mizrahi was also told by someone,
whom she does not identify, “that it would take approximately 60 days to reverse the decrease in
her credit score stemming from the fraudulent application.” (Id. ¶ 35.)
Plaintiffs do not allege they incurred any fraudulent charges or were denied credit, either
in toto or at a more favorable rate of interest.
V. Analysis
In common, Plaintiffs have asserted causes of action for negligence, breach of contract,
and breach of implied contract. Hutton and Kaeochinda have also asserted violations of the
California Customer Records Act, Cal. Civ. Code § 1798.81 et seq., and violations of
California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200. Mizrahi has also
included a count for unjust enrichment in her complaint. NBEO argues Plaintiffs have failed to
establish Article III standing and, therefore, their respective complaints should be dismissed for
lack of subject-matter jurisdiction. The Court concludes NBEO’s argument has merit.
The United States Court of Appeals for the Fourth Circuit recently addressed the question
of Article III standing in relation to a data breach in the Beck v. McDonald opinion. In so doing,
the Beck Court relied upon the Supreme Court’s opinion in Clapper v. Amnesty International
USA, 133 S. Ct. 1138 (2013), which discussed when a threatened injury constitutes an injury in
6
fact for Article III’s purposes. 848 F.3d at 271-73. The Court drew from Clapper two tests for
“imminence” in the standing inquiry: (1) a threatened injury must be certainly impending, or
(2) a “substantial risk” exists that a threatened harm will occur. Id. at 272, 275. In Beck, the
plaintiffs had asserted two grounds for standing: (a) increased risk of future identity theft, and
(b) costs of protecting against the same. Id. at 273. However, in all of the cases discussed by the
Beck Court, and in all of the cases that have been cited by the parties in the instant cases, an
actual data breach had occurred and had been acknowledged or announced by the entity whose
data files had been breached.
In contrast, that fundamental element is missing from the instant cases. Plaintiffs have
relied upon their online conversations with other optometrists to conclude that NBEO suffered a
data breach. They posit as factual bases for such an event the fact that some optometrists who
had registered with NBEO received unsolicited Chase Amazon Visa credit cards and the fact
that, at some point, they had provided NBEO their names, addresses, dates of birth, and Social
Security numbers. Ergo, they conclude, a hacker must have broken into NBEO’s data files and
stolen Plaintiffs’ PII. Their conclusion rests upon sheer speculation. And their speculation is
mistakenly fueled by NBEO’s announcements that it is looking into whether an intrusion
occurred and that it denies such in fact happened. That kind of neutral announcement does not
imply culpability, despite Plaintiffs’ preferred interpretation otherwise. Interestingly, Hutton
also alleges, “The other potential common links, the American Optometric Association (AOA),
the American Academy of Optometry (AAO), and the Association of Schools and Colleges of
Optometry (ASCO), neither gather nor store Social Security numbers or have investigated and
confirmed that their databases have not been breached.” (16-3025 Compl. ¶ 16.) Plaintiffs do
not explain why NBEO’s denial of a data breach is less credible than those of the other
7
optometry-related organizations.
In summary, Plaintiffs have failed to allege a plausible,
inferential link between the provision of PII to NBEO at some point in the past and their recent
receipt of unsolicited credit cards.2
Beyond that, Plaintiffs have incurred no fraudulent charges. They have not been denied
credit or been required to pay a higher interest rate for credit they received. Although their
complaints allege other things that could happen, such as a hacker’s using an identity theft
victim’s identity to commit immigration fraud, to obtain government benefits, or to file a
fraudulent tax return (16-3025 Compl. ¶ 25), Plaintiffs have not alleged they or anyone else in
the putative class has, in fact, experienced any of those forms of injury. In short, they have
sustained no actual economic injury. It should be noted that the risk of identity theft in Beck was
determined by the Fourth Circuit neither to be “certainly impending” nor to amount to a
“substantial risk” based upon a similar absence of economic damage to the plaintiffs or to those
similarly situated in the putative class. Id. at 274-76. Further, because the Beck plaintiffs’ claim
of imminent injury from the risk of identity theft was judged to be only speculative, the Court
also found their claim of injury based upon the cost of mitigative measures to prevent the risk of
identity theft to be equally unmeritorious as a basis for claiming Article III standing. Id. at 27677. Likewise, this Court concludes Plaintiffs have failed to establish standing either upon their
asserted increased risk of identity theft or upon their expenses to negate identity theft.
2
An additional puzzlement is Plaintiffs’ certainty that unsolicited credit cards sent to them constitute
evidence of fraud. An instance of such may more reasonably indicate a questionable use of legitimately accessed
information for the purpose of opening new accounts for Plaintiffs—in that event, no data breach would be at
issue—and not an attempt to defraud Plaintiffs. The Court does not suggest one’s receipt of an unsolicited credit
card is not a cause for concern, but, in itself, it is not indicative of fraud.
The Court also observes that the complaints do not allege that only optometrists registered with NBEO
received unsolicited Chase Amazon Visa cards.
8
VI. Conclusion
Since all of Plaintiffs’ causes of action are premised upon their “naked assertion” of a
data breach at NBEO, see Twombly, 550 U.S. at 557 (naked assertion, without further factual
enhancement, insufficient to turn possibility into plausibility), and since they have failed to
support their complaints with sufficient factual matter to establish Article III injury, the Court
concludes the complaints must be dismissed for lack of subject-matter jurisdiction. A separate
order follows.
DATED this 22nd day of March, 2017.
BY THE COURT:
_______________/s/___________________
James K. Bredar
United States District Judge
9
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
