Buckley v. Santander Consumer USA, Inc.
Filing
24
ORDER signed by Judge Benjamin H. Settle granting in part and denying in part 19 Motion to Dismiss for Failure to State a Claim. Buckley is granted leave to file second amended complaint by 4/6/2018. (TG)
1
2
3
4
5
UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT TACOMA
6
7
8
SUZANNE BUCKLEY, et al.,
CASE NO. C17-5813 BHS
Plaintiffs,
9
10
v.
SANTANDER CONSUMER USA,
INC.,
ORDER GRANTING IN PART
AND DENYING IN PART
DEFENDANT’S MOTION TO
DISMISS
11
Defendant.
12
13
14
15
16
This matter comes before the Court on Defendant Santander Consumer USA,
Inc.’s (“Santander”) motion to dismiss. Dkt. 19. The Court has considered the pleadings
filed in support of and in opposition to the motion and the remainder of the file and
hereby grants the motion in part and denies it in part for the reasons stated herein.
17
18
19
20
21
I.
BACKGROUND
The factual allegations in Plaintiff Suzanne Buckley’s (“Buckley”) amended
complaint are accepted as true for the purpose of ruling on the pending motion.
On some unspecified date prior to February 15, 2017, Buckley incurred a debt
related to the financing of a purchased vehicle. Dkt. 15 at 2. The debt was financed
22
ORDER - 1
1
through Santander. Id. Buckley’s sales agreement with the vehicle dealership stated:
2
“You agree to pay the Creditor – Seller . . . the Amount Financed and Finance Charge in
3
U.S. funds according to the payment schedule below . . . .” Dkt. 19-1 at 2. Sometime
4
later, but still before February 15, 2017, Buckley defaulted on her debt. Dkt. 15 at 2.
5
On some subsequent date, still before February 15, 2017, Buckley alleges two
6
alternative theories whereby her personal information was transferred from Santander’s
7
possession so that it eventually fell into the hands of Apex National Services (“Apex”), a
8
purported debt collection company. Id. Buckley first alleges that the information was
9
stolen from Santander. Id. Under this theory, Buckley alleges that Santander “recklessly
10
failed to maintain secure servers to impede any unauthorized access to sensitive
11
consumer information” and “fail[ed] to notify [Buckley] that [her] personal identifying
12
information had been disclosed to unauthorized third parties.” Id. at 8–9. Alternatively,
13
Buckley alleges that Santander “assigned, placed, or otherwise transferred the alleged
14
debt to an unauthorized third party.” Id. at 2. The information that Buckley alleges was
15
improperly transferred to or obtained by a third party included Buckley’s name, social
16
security number, driver’s license, address, file number, and vehicle identification number
17
for the subject vehicle of Buckley’s debt. Id.
18
On an unspecified date, prior to February 15, 2017, Apex contacted Buckley in an
19
attempt to collect the alleged debt. Id. at 3. Buckley began negotiations with Apex and
20
their agent, Universal Payment Processing (“Universal”), and eventually entered into an
21
agreement to settle the entire alleged debt for $5,000. Id. On February 15, 2017, Buckley
22
ORDER - 2
1
made the agreed-upon payment of $5,000 to Universal. Id. The same date, Universal sent
2
Buckley a letter informing her that the alleged debt was satisfied in full. Id.
3
On May 16, 2017, Crown Asset Management LLC (“Crown”), a debt collection
4
company, filed a lawsuit against Buckley to collect the same debt for which she had
5
negotiated and issued a payment to Apex and Universal. Id. Through the course of the
6
litigation, Buckley discovered that unfortunately, Apex “is an unauthorized or ‘ghost’
7
debt collector who does not legally collect from consumers and is not licensed in the state
8
of Washington as a debt collector. Id. at 4. Instead, Buckley, had been “tricked into
9
paying a scam debt collector . . . .” Id.
10
On October 11, 2017, Buckley filed her class action complaint. Dkt. 1. On January
11
4, 2018, Buckley filed an amended class action complaint (“complaint”). Dkt. 15. In the
12
complaint, Buckley asserts five claims against Santander: (1) violations of the
13
Washington Consumer Protection Act (“CPA”); (2) negligence, (3) intrusion upon
14
seclusion through disclosure of private information; (4) breach of contract; and (5) a
15
violation of the Washington Data Breach Act (“DBA”). Id. at 7–11.
16
On January 18, 2018, Santander moved to dismiss Buckley’s complaint. Dkt. 19.
17
On February 5, 2018, Buckley responded. Dkt. 21. On February 9, 2018, Santander
18
replied. Dkt. 22.
19
20
21
22
II. DISCUSSION
A.
Motion to Dismiss Standard
Motions to dismiss brought under Rule 12(b)(6) of the Federal Rules of Civil
Procedure may be based on either the lack of a cognizable legal theory or the absence of
ORDER - 3
1
sufficient facts alleged under such a theory. Balistreri v. Pacifica Police Department, 901
2
F.2d 696, 699 (9th Cir. 1990). Material allegations are taken as admitted and the
3
complaint is construed in the plaintiff’s favor. Keniston v. Roberts, 717 F.2d 1295, 1301
4
(9th Cir. 1983). To survive a motion to dismiss, the complaint does not require detailed
5
factual allegations but must provide the grounds for entitlement to relief and not merely a
6
“formulaic recitation” of the elements of a cause of action. Bell Atl. Corp. v. Twombly,
7
550 U.S. 544, 555 (2007). Buckley must allege “enough facts to state a claim to relief
8
that is plausible on its face.” Id. at 570.
9
B.
Alternative Pleading Under Rule 8
Santander has argued that Buckley’s claims are inadequately pled because she can
10
11
only speculate as to alternative theories. See Dkt. 19 at 9–10. The Court summarily
12
rejects this argument. Pleading in the alternative is plainly not the type of formulaic
13
“speculative” pleading prohibited by Twombly, 550 U.S. at 555. Rule 8 authorizes the
14
pleading of inconsistent alternative theories. Fed. R. Civ. P. 8(d)(2). To the extent that
15
Santander argues that Buckley has pled inconsistent facts, it is clear that the factual
16
theories asserted by Buckley, while mutually exclusive, are not inconsistent with the
17
overarching theory that Santander provided Apex access to Buckley’s sensitive personal
18
information. Moreover, these mutually exclusive factual theories are not asserted for a
19
single unitary claim, but rather separate alternative claims, and “plaintiffs may state as
20
many separate claims as they have regardless of consistency.” In re Livent, Inc.
21
Noteholders Sec. Litig., 151 F. Supp. 2d 371, 406 (S.D.N.Y. 2001) (citing Fed. R. Civ. P.
22
8(e)).
ORDER - 4
1
2
C.
CPA Claims
Santander moves to dismiss Buckley’s claims for violations of the CPA. Under the
3
CPA, a person may bring a civil action against a business to recover damages stemming
4
from any “[u]nfair methods of competition and unfair or deceptive acts or practices in the
5
conduct of any trade or commerce.” RCW 19.86.020. “To establish a claim under the
6
CPA, five elements must be established: ‘(1) unfair or deceptive act or practice; (2)
7
occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or
8
her business or property; (5) causation.’” Svendsen v. Stock, 143 Wn.2d 546, 553 (2001)
9
(quoting Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn.2d 778,
10
11
780 (1986)).
Buckley has pled two alternative claims under the CPA. Under the first theory,
12
Buckley claims that Santander violated the CPA by assigning her debt or otherwise
13
disclosing her personal information to an “unauthorized third party.” Alternatively,
14
Buckley argues that Santander violated the CPA by maintaining Buckley’s information
15
on an inadequately secured server and failing to notify her when the data was stolen. The
16
Court will address the motion to dismiss as it pertains to each theory.
17
1.
Wrongful Disclosure Theory
18
Santander moves to dismiss Buckley’s CPA claim under wrongful disclosure
19
theory on the basis that the complaint’s cursory allegations of a wrongful disclosure to an
20
“unauthorized third party” is too vague to adequately plead an unfair or deceptive act or
21
practice. There are three ways that a plaintiff may plead a deceptive or unfair act or
22
practice. State v. Mandatory Poster Agency, Inc., 199 Wn. App. 506, 518 (2017), review
ORDER - 5
1
denied, 189 Wn.2d 1021 (2017). One is to plead a per se violation that has been expressly
2
prohibited by a relevant statute, id., but Buckley has not alleged that the allegedly
3
wrongful disclosure of her personal information constitutes a per se CPA violation. The
4
other two methods are to describe either an act or practice that has the capacity to deceive
5
a substantial portion of the public, or a practice that is in violation of the public interest.
6
Id.
7
The Court rejects Santander’s argument that all of Buckley’s CPA claims must be
8
dismissed for the complaint’s lack of “factual allegations relating to what [Santander]’s
9
‘deceptive act’ was, when it may have occurred, or who it involved.” Dkt. 19 at 9.
10
Santander is correct that Buckley does not allege that Santander has engaged in any
11
misleading practices or made any misrepresentations. “Implicit in the definition of
12
‘deceptive’ under the CPA is the understanding that the practice misleads or
13
misrepresents something of material importance.” Holiday Resort Cmty. Ass'n v. Echo
14
Lake Associates, LLC, 134 Wn. App. 210, 226 (2006), as amended on denial of
15
reconsideration (Aug. 15, 2006). Accordingly, Buckley’s claim cannot be premised on a
16
“deceptive” act or practice, because no such misrepresentation has been alleged. Even so,
17
“an act or practice can be unfair without being deceptive . . . . The ‘or’ between ‘unfair’
18
and ‘deceptive’ is disjunctive.” Klem v. Washington Mut. Bank, 176 Wn.2d 771, 787
19
(2013).
20
21
22
[The Washington] Supreme Court has suggested a defendant’s act or
practice might be “unfair” if it “‘causes or is likely to cause substantial
injury to consumers which is not reasonably avoidable by consumers
themselves and is not outweighed by countervailing benefits.’” Klem, 176
Wn.2d at 787 (quoting 15 U.S.C. § 45(n)). Similarly, a defendant’s act or
ORDER - 6
1
2
3
practice might be “unfair” if it “offends public policy as established ‘by
statutes [or] the common law,’ or is ‘unethical, oppressive, or
unscrupulous,’ among other things.” Id. at 786.
Mellon v. Reg’l Tr. Servs. Corp., 182 Wn. App. 476, 489–90 (2014).
4
By alleging that Santander deliberately disclosed her information to an
5
unauthorized third party, Buckley has outlined a theory that Santander intentionally
6
exposed her to an unacceptable likelihood of being subject to identity theft or some other
7
unlawful activity premised on the exploitation of her personal information. Buckley has
8
further alleged that she was ultimately subject to such a fraudulent scheme premised on
9
the misuse of her personal information regarding her debt with Santander and that she
10
suffered $5,000 in economic damages as a result. The intentional disclosure of a
11
consumer’s social security number, driver’s license, address, and other personal
12
information to third parties not authorized to possess such information could in many
13
circumstances be unethical, oppressive, and unscrupulous. Further, such a practice would
14
be likely to inflict the harm of making consumers the target of identity theft or other
15
deceptive schemes, such as the fraudulent debt collection scheme perpetrated upon
16
Buckley by Apex.
17
Buckley’s complaint is admittedly sparse on facts describing the details of the
18
allegedly unlawful transfer of Buckley’s information. However, it may be overlooked
19
that Buckley has failed to allege much factual background information regarding the
20
alleged transfer of information beyond the fact that it occurred prior to February 15,
21
2017. The Federal Rules “do not require heightened fact pleading of specifics, but only
22
enough facts to state a claim to relief that is plausible on its face.” Twombly, 550 U.S. at
ORDER - 7
1
570. Buckley has adequately identified what personal information is in Santander’s
2
possession and has offered an approximate time frame for when the allegedly wrongful
3
disclosure occurred. Furthermore, as Buckley has noted in her response, this is a case
4
where there are multiple possible theories as to how a defendant inflicted a particular
5
injury, “however the details of how and why the wrong occurred are in the possession
6
and control of [the] [d]efendant.” Dkt. 21 at 5.
7
There remains a substantial question of whether Santander’s alleged disclosure of
8
Buckley’s personal information to an unauthorized third party can bear a sufficient causal
9
link to Buckley’s harm of being tricked by Apex’s fraudulent scheme. However,
10
Santander has not moved for dismissal on this ground, and such an issue is likely best
11
reserved for summary judgment proceedings since any detailed information regarding the
12
alleged transfer is presently in the sole possession of Santander or the third party to which
13
Santander allegedly made the disclosure of Buckley’s information.
14
2.
15
Santander also moves to dismiss Buckley’s CPA claim under her stolen data
16
theory on the basis that the DBA preempts CPA claims for failure to inform consumers of
17
data breaches. Indeed, while the DBA authorizes the state attorney general to pursue CPA
18
claims against businesses that fail to notify consumers of data breaches, the DBA
19
expressly preludes CPA civil actions by persons or entities other than the attorney
20
general. RCW 19.255.010(17) (“An action to enforce this section may not be brought
21
under RCW 19.86.090.”). In her response, Buckley notes that she is not basing any CPA
22
claim on a violation of the DBA. Dkt. 21 at 12. Accordingly, to the extent Buckley’s
ORDER - 8
Stolen Data Theory
1
complaint can be construed to claim that Santander violated the CPA by failing to inform
2
its consumers of a data breach, such allegations fail to state a CPA claim upon which
3
relief can be granted.
4
However, the DBA only preempts claims pertaining to the failure to notify
5
consumers of a data breach. The DBA does not deal with an entity’s failure to maintain
6
sensitive personal information on an adequately secured server. Accordingly, the Court
7
must separately assess whether such a failure constitutes a violation of the CPA. In a
8
recent decision, the Honorable James L. Robart, U.S. District Judge, determined that a
9
credit union adequately plead a valid CPA claim premised on the theory “that Eddie
10
Bauer failed to take proper measures to protect account information of credit and debit
11
card holders with respect to its POS and data security systems.” Veridian Credit Union v.
12
Eddie Bauer, LLC, C17-0356JLR, 2017 WL 5194975, at *13 (W.D. Wash. Nov. 9,
13
2017). Judge Robart reasoned that inadequately securing such sensitive consumer
14
information constituted an “unfair practice” because (1) it could foreseeably result in
15
harm to thousands of consumers and payment card issuers, (2) the plaintiff had
16
adequately alleged that such harm had actually occurred, and (3) with no ability to know
17
of Eddie Bauer’s allegedly deficient security measures, the consumers had little to no
18
ability to avoid the harms engendered by such deficient security. See id., 2017 WL
19
5194975 at *13–14.
20
The Court agrees with the analysis set forth in Veridian and finds that it is equally
21
applicable here. Santander received sensitive personal information that could result in
22
significant financial harm to Buckley if mishandled. Santander’s alleged “failure to take
ORDER - 9
1
reasonably adequate security measures constitutes an unfair act because it knowingly and
2
foreseeably put [Buckley] at a risk of harm from data theft and fraudulent . . . activity and
3
this harm allegedly occurred.” Id., 2017 WL 5194975 at *14. Accordingly, the Court
4
denies Santander’s motion to dismiss Buckley’s CPA claims based on unfair practices.
5
To the extent the complaint asserts conclusory claims of “deceptive” acts or practices
6
without factual allegations of misrepresentations or omissions, those claims are
7
dismissed.
8
D.
9
Negligence Claims
Santander next moves to dismiss Buckley’s negligence claims on the basis that
10
Buckley has failed to allege facts supporting the existence of any legal duty to keep her
11
information private. 1
12
Under Washington law, negligence requires “(1) the existence of a duty to the
13
plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the
14
proximate cause of the injury.” Degel v. Majestic Mobile Manor, 129 Wn.2d 43, 48
15
(1996). “[A]n actor ordinarily owes no duty to protect an injured party from harm caused
16
by the criminal acts of third parties,” Parrilla v. King Cty., 138 Wn.App. 427, 436
17
(2007), but there are exceptions to this general rule. For instance, a duty to prevent a third
18
party’s wrongdoing may arise “based on the existence of a ‘special relationship’ between
19
either the actor and the victim, or between the actor and the criminal third party.” Id. at
20
21
1
22
Notably, Santander has not challenged any element of negligence other than the
existence of a duty, and the Court will not address issues not raised in the motion.
ORDER - 10
1
437. Such a special relationship has been recognized to arise between a business and its
2
customers as follows:
3
4
[A] business owes a duty to its invitees to protect them from imminent
criminal harm and reasonably foreseeable criminal conduct by third
persons. The business owner must take reasonable steps to prevent such
harm in order to satisfy the duty.
5
Nivens v. 7-11 Hoagy’s Corner, 133 Wn.2d 192, 205 (1997), as amended (Oct. 1, 1997).
6
Also, Washington courts have held that “a duty to guard against a third party’s
7
foreseeable criminal conduct exists where an actor’s own affirmative act has created or
8
exposed another to a recognizable high degree of risk of harm through such misconduct,
9
which a reasonable person would have taken into account.” Parrilla, 138 Wn. App. at
10
439. Under such a theory, it is necessary that the defendant have engaged in some
11
“misfeasance,” which “necessarily entails the creation of a new risk of harm to the
12
plaintiff.” Robb v. City of Seattle, 176 Wn.2d 427, 437 (2013). An example of this duty
13
has arisen “when [a] bus driver affirmatively created a new risk by disembarking from a
14
bus, leaving keys in the ignition with the engine running and an erratic passenger
15
onboard, providing the instrumentality and opportunity to cause harm.” Id. (citing
16
Parrilla, 138 Wn. App. 427).
17
As discussed above, Buckley has alleged two alternative factual theories of this
18
case. Under the first, Santander intentionally disclosed Buckley’s personal information to
19
an unauthorized third party. This constitutes an affirmative act, or “misfeasance.” It is
20
foreseeable that providing a customer’s private information, including a social security
21
number, driver’s license, address, and other debt information, creates a new risk of harm
22
ORDER - 11
1
to the customer, particularly of identity theft or other fraudulent schemes based on the
2
exploitation of such data. Buckley’s alleged harm of suffering from such a scheme is a
3
directly foreseeable result of transmitting such information to an unauthorized third party.
4
Accordingly, the Court finds that Buckley’s theory that Santander deliberately
5
transmitted her personal information to an unauthorized third party adequately alleges a
6
duty to protect Buckley from the wrongful acts of Apex where Santander’s “own
7
affirmative act has created or exposed [her] to a recognizable high degree of risk of harm
8
through such misconduct, which a reasonable person would have taken into account.”
9
Parrilla, 138 Wn. App. at 439.
10
Under the second theory, Santander allegedly maintained Buckley’s private
11
information with inadequate security and failed to inform her when it was stolen. The
12
Court declines to find that allegations of Santander’s failure to maintain adequate security
13
implicate a common law legal duty that could support a negligence claim. The crux of
14
whether a business can be liable for the acts of third parties absent a special relationship
15
“is the distinction between an act and an omission.” Robb, 176 Wn.2d at 435. In contrast
16
with Buckley’s first theory, Buckley’s second theory does not allege that Santander took
17
any affirmative act that placed Buckley’s information in the hands of an unauthorized
18
third party. In regards to the special relationship doctrine, the special relationship
19
addressed in Nivens arose in the context of a business’s “invitee,” and review of that
20
decision reveals that the Supreme Court’s decision was specifically an extension of a
21
business’s liability for physical harm under a premises liability theory. Nivens, 133
22
Wn.2d at 203 (quoting Restatement (Second) of Torts § 344 (1965)). Buckley was not a
ORDER - 12
1
business invitee of Santander, and she does not allege any physical harm under a theory
2
of premises liability. Nor is it appropriate for the Court to rely on the reasoning in
3
Merriman v. Am. Guarantee & Liab. Ins. Co., 198 Wn. App. 594 (2017), review denied
4
(Sept. 28, 2017), as suggested by Buckley. See Dkt. 21 at 15. In Merriman it was
5
determined that an insurance adjuster could be liable for a claim adjustment that fell
6
below a well-established professional standard of care. Id. at 616 (citing First State
7
Insurance Co. v. Kemper National Insurance Co., 94 Wn. App. 602, 612-13 (1999)) (“A
8
claim for negligent claim handling exists in Washington.”). No such well-established
9
standard of professional liability has been breached here, and Washington courts have not
10
recognized a “special relationship” between consumers and data custodians as they have
11
between insurers and their insureds.
12
In any instance, the Court would be reticent to formulate any common-law
13
“special relationship” not previously recognized or explicitly formulated by Washington
14
case law or statute. The Second Restatement of Torts notes that “[t]he law appears . . . to
15
be working slowly toward a recognition of the duty to aid or protect in any relation of
16
dependence or of mutual dependence.” Restatement (Second) of Torts § 314A cmt. b
17
(1965). In our digital age, it could be argued that Buckley’s allegations should implicate a
18
previously unrecognized common law duty to maintain adequate security as to prevent
19
data breaches that compromise sensitive personal information due to the parties’
20
relationship. Indeed, once Buckley’s information was submitted to finance her vehicle
21
purchase, a custodial type of relationship was formed over Buckley’s personal
22
information that deprived Buckley of any meaningful opportunity to prevent the
ORDER - 13
1
information from being obtained by wrongful actors like Apex. However, such a theory
2
of the “special relationship” doctrine moves into uncharted waters that other courts have
3
only recently begun to navigate under different state law tests. See Corona v. Sony
4
Pictures Entm’t, Inc., 14-CV-09600 RGK EX, 2015 WL 3916744, at *5 (C.D. Cal. June
5
15, 2015) (finding special relationship exists between employer and employees under
6
California’s six-factor “special relationship” test). Absent clear Washington authority, the
7
Court declines to extend Washington’s “special relationship” doctrine to include
8
relationships between businesses and consumers when the parties’ transaction involves
9
the disclosure of private information.
10
Nonetheless, while the failure to implement adequate data security measures does
11
not implicate a legal duty on its own, Buckley’s second theory also alleges that Santander
12
failed to notify Buckley after learning that her information had been stolen in a data
13
breach. In Washington, “[a] duty may be predicated on violation of statute or of common
14
law principles of negligence.” Jackson v. City of Seattle, 158 Wn. App. 647, 651 (2010)
15
(quotation marks omitted). While the Court declines to find that a “special relationship”
16
existed between Buckley and Santander for the purpose of imposing liability for third-
17
party acts, the DBA specifically imposes an obligation on businesses to notify their
18
consumers of data breaches that compromise the type information that was allegedly
19
stolen in this case. RCW 19.255.010(1), (5)(a)(b). In determining whether a statutory
20
provision indicates a duty that can sustain a negligence claim, Washington courts have
21
adopted the test set forth in the Second Restatement of Torts, which states:
22
ORDER - 14
1
2
3
4
5
The court may adopt as the standard of conduct of a reasonable
[person] the requirements of a legislative enactment . . . whose purpose is
found to be exclusively or in part
(a) to protect a class of persons which includes the one whose
interest is invaded, and
b) to protect the particular interest which is invaded, and
c) to protect that interest against the kind of harm which has
resulted, and
(d) to protect that interest against the particular hazard from which
the harm results.
6
Hansen v. Friend, 118 Wn.2d 476, 480–81 (1992) (quoting Restatement (Second) of
7
Torts § 286 (1965)).
8
The Court finds that this four-factor test is satisfied in regards to Santander’s
9
alleged violation of the DBA. The Washington legislature’s comments on the DBA
10
expressly state that the DBA was “intend[ed] to provide consumers whose personal
11
information has been jeopardized due to a data breach with the information needed to
12
secure financial accounts and make the necessary reports in a timely manner to minimize
13
harm from identity theft.” Laws of 2015, Ch. 64, § 1. As a consumer whose personal
14
information had been jeopardized, Buckley falls within the class the DBA was enacted to
15
protect. The DBA was enacted to protect the interest of such consumers in maintaining
16
privacy and security in their sensitive personal information, which is the same interest
17
that Buckley’s allegations make clear was invaded. Finally, the DBA was intended to
18
protect Buckley’s interest in securely maintaining private information against the kind of
19
financial harm Buckley suffered which was brought about by a form of identity theft.
20
Accordingly, the Court concludes that Buckley’s complaint implicates legal duties
21
that can support a negligence claim under either of her two theories. First, a legal duty is
22
ORDER - 15
1
implicated by Santander’s alleged misfeasance of disclosing Buckley’s sensitive personal
2
information to an unauthorized third party. Alternatively, a legal duty is implicated by
3
Santander’s alleged failure to carry out its duty under the DBA and notify Buckley that
4
her sensitive personal information had been compromised in a known data breach. 2 To
5
the limited extent that Santander moves to dismiss Buckley’s negligence claims based
6
solely on the allegation that Santander failed to implement adequate data security, the
7
motion is granted. Otherwise, the motion is denied.
8
E.
Intrusion Upon Seclusion Claim
9
Santander moves to dismiss Buckley’s claim for intrusion upon seclusion.
10
Washington common law recognizes a “protectable interest in privacy [that] is generally
11
held to involve four distinct types of invasion: intrusion, disclosure, false light and
12
appropriation.” Eastwood v. Cascade Broad. Co., 106 Wn.2d 466, 469 (1986). Santander
13
has moved to dismiss Buckley’s privacy claims under either an intrusion or disclosure
14
theory, but Buckley has expressly limited his claim to an intrusion theory. Dkt. 21 at 17
15
(“[Santander] makes an argument relating to the tort of public disclosure of private facts,
16
however, [Buckley] has not pled this claim and thus, there is no need to address the
17
argument.
18
19
2
20
21
22
The Court notes that Santander has not argued that the DBA bars a common law
negligence claim for failure to timely notify affected consumers of data breaches. The Court will
not address this issue absent argument from Santander that the statutory remedy in the DBA is
mandatory and exclusive. See Korslund v. Dyncorp Tri-Cities Servs., Inc., 121 Wn. App. 295,
321 (2004), aff’d, 156 Wn.2d 168 (2005) (“[A] statutory remedy does not bar a common law tort
claim unless the statutory remedy is mandatory and exclusive.”).
ORDER - 16
1
Under an intrusion theory, “[o]ne who intentionally intrudes, physically or
2
otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is
3
subject to liability to the other for invasion of his privacy, if the intrusion would be highly
4
offensive to a reasonable person.” Mark v. Seattle Times, 96 Wn.2d 473, 497 (1981)
5
(quoting Restatement (Second) of Torts § 652B (1977)). Washington courts have defined
6
such a claim to require that a plaintiff establish the following elements:
7
11
1. An intentional intrusion, physically or otherwise, upon the
solitude or seclusion of plaintiff, or his private affairs
2. With respect to the matter or affair which plaintiff claims was
invaded, that plaintiff had a legitimate and reasonable expectation of
privacy;
3. The intrusion would be highly offensive to a reasonable person;
and
4. That the defendant’s conduct was a proximate cause of damage to
plaintiff.
12
Doe v. Gonzaga Univ., 143 Wn.2d 687, 705–06 (2001), reversed on other grounds, 536
13
U.S. 273 (2002).
8
9
10
14
Buckley has not alleged facts to suggest that Santander ever intentionally intruded
15
upon her private affairs. “[A]n actor commits an intentional intrusion only if he believes,
16
or is substantially certain, that he lacks the necessary legal or personal permission to
17
commit the intrusive act.” Poore-Rando v. United States, C16-5094 BHS, 2017 WL
18
5756871, at *2 (W.D. Wash. Nov. 28, 2017) (quoting O’Donnell v. United States, 891
19
F.2d 1079, 1083 (3d Cir. 1989)). Because Santander allegedly financed Buckley’s vehicle
20
purchase, Santander possessed the necessary legal permission to acquire Buckley’s
21
personal information. To the extent that Buckley complains that Santander deliberately
22
passed this information along to an unauthorized third party, that is not a claim for
ORDER - 17
1
intrusion but rather disclosure. Even if Buckley were to bring a claim for wrongful
2
disclosure of private facts, the Court agrees that Buckley’s pleadings lack the necessary
3
allegations to support the necessary publicity element of such a claim. See Fisher v. State
4
ex rel. Dep’t of Health, 125 Wn. App. 869, 879 (2005) (“[P]ublicity for the purposes of
5
[this claim] means communication to the public at large so that the matter is substantially
6
certain to become public knowledge, and that communication to a single person or a
7
small group does not qualify.”).
8
9
10
11
Because Buckley has failed to allege a deliberate intrusion by Santander upon her
private affairs, Buckley’s intrusion upon seclusion claim must be dismissed.
F.
Breach of Contract
Santander moves to dismiss Buckley’s breach of contract claim on the basis that
12
Buckley’s complaint fails to allege facts that show the breach of any contract provisions.
13
Santander has attached Buckley’s sales agreement with the vehicle dealership as an
14
exhibit to its motion. Dkt. 19-1.
15
Buckley’s complaint has alleged the breach of two contract provisions. First,
16
Buckley alleges that Santander breached an agreement to “not disclose any private
17
information to unauthorized third parties.” Dkt. 15 at 10. No such provision exists in the
18
sales agreement. See Dkt. 19-1. Additionally, Buckley has abandoned this claim in her
19
response, instead arguing only that Santander “breached the contract by forcing [her] . . .
20
to pay the [sic] on the debt twice.” Dkt. 21 at 18. Because Buckley has failed to specify
21
any agreement that Santander would not disclose her information to third parties and has
22
likewise failed to indicate how this may have formed an implied covenant of her sales
ORDER - 18
1
agreement, the Court dismisses Buckley’s breach of contract claim predicated on the
2
disclosure of private information to third parties.
3
Buckley’s short response to the motion to dismiss argues only that Santander
4
allegedly “breached the contract by forcing [Buckley] . . . to pay the [sic] on the debt
5
twice.” Dkt. 21 at 18. Buckley identifies the following statement as the provision that was
6
breached. “You agree to pay the Creditor – Seller . . . the Amount Financed and Finance
7
Charge in U.S. funds according to the payment schedule below . . . .” Id. (quoting Dkt.
8
19-1 at 2). Buckley argues that “what [the contract] noticeably does not say, is that
9
[Buckley] will pay the Creditor — Seller more than what is specified in the contract.”
10
Dkt. 21 at 18 (emphasis in original). But this argument is disingenuous and ignores key
11
language of the purportedly breached provision. The provision states on its face that
12
Buckley must pay the amount owed to the Seller or Creditor, and Buckley has not
13
alleged that she ever did so. Instead, Buckley has stated that she defaulted on her loan and
14
then allegedly paid her late due payments to Apex, which she identifies as a third party
15
that was never authorized to collect the amount owed on behalf of Santander. Santander
16
cannot have breached the contract by requiring Buckley to pay twice on her debt when
17
the debt was never paid to Santander or an authorized collector in the first instance.
18
Therefore, Buckley’s breach of contract claim must be dismissed.
19
G.
20
DBA Claim
Finally, Santander moves to dismiss Buckley’s DBA claim on the basis that
21
Buckley has not adequately pled that Santander ever discovered any data breach.
22
Liability under the DBA arises only when a business that owns such personal information
ORDER - 19
1
fails to “disclose any breach of the security of the system following discovery or
2
notification of the breach . . . .” RCW 19.255.010 (emphasis added). However, Buckley
3
has alleged that Santander (1) was aware that Buckley’s information was stolen prior to
4
February 15, 2017, Dkt. 15 at 2, (2) “was aware that [Buckley]’s personal identifying
5
information was in possession of an illegal third party,” id. at 4, and (3) never contacted
6
Buckley to notify her that her information had been compromised, id. at 11. Furthermore,
7
Buckley has supported these claims with factual allegations that Apex obtained her
8
private information connected with the debt owed to Santander and then perpetrated a
9
fraud on her, resulting in $5,000 in damages. Santander offers no authority to support its
10
position that Buckley must plead sufficient facts to rule out the possibility that Apex
11
obtained her private information through some other means. The question of whether
12
Santander actually suffered a data breach prior to February 15, 2017, is an issue more
13
appropriately reserved for summary judgment.
14
H.
15
Leave to Amend
Buckley has requested that the Court grant her leave to amend any claims that are
16
inadequately pled. Dkt. 21 at 19. Leave to amend an initial pleading may be allowed by
17
leave of the Court and “shall freely be given when justice so requires.” Foman v. Davis,
18
371 U.S. 178, 182 (1962); Fed. R. Civ. P. 15(a). Granting leave to amend rests in the
19
discretion of the trial court. Internat’l Ass’n of Machinists & Aerospace Workers v.
20
Republic Airlines, 761 F.2d 1386, 1390 (9th Cir. 1985). In determining whether
21
amendment is appropriate, the Court considers five potential factors: (1) bad faith, (2)
22
undue delay, (3) prejudice to the opposing party, (4) futility of amendment, and (5)
ORDER - 20
1
whether there has been previous amendment. United States v. Corinthian Colleges, 655
2
F.3d 984, 995 (9th Cir. 2011). The Court’s decision is guided by the established practice
3
of permitting amendments with “extreme liberality” in order to further the policy of
4
reaching merit-based decisions. DCD Programs Ltd. v. Leighton, 833 F.2d 183, 186 (9th
5
Cir. 1987). In light of this policy, the nonmoving party generally bears the burden of
6
showing why leave to amend should be denied. Genentech, Inc. v. Abbott Labs., 127
7
F.R.D. 529, 530–31 (N.D. Cal. 1989). Here, Santander has not offered any reason why
8
leave to amend should be denied. Accordingly, Buckley’s request for leave to amend is
9
granted.
10
11
12
13
14
15
16
III. ORDER
Therefore, it is hereby ORDERED that Santander’s motion to dismiss (Dkt. 19) is
GRANTED in part and DENIED in part as follows:
1.
Buckley’s CPA claim premised on Santander’s failure to notify her of the
alleged data breach is DISMISSED;
2.
Buckley’s negligence claim premised on Santander’s failure to maintain
adequate security measures is DISMISSED;
17
3.
Buckley’s intrusion upon seclusion claim is DISMISSED;
18
4.
Buckley’s breach of contract claims are DISMISSED.
19
5.
To the extent Santander seeks to dismiss Buckley’s remaining claims for
20
21
22
negligence and violations of the CPA and DBA, its motion is DENIED.
Additionally, Buckley’s request for leave to amend is GRANTED. Buckley shall
file her second amended complaint no later than April 6, 2018. Failure to file an amended
ORDER - 21
1
complaint by that time shall, without further order from this court, result in the dismissal
2
with prejudice of the claims dismissed by this order.
3
Dated this 29th day of March, 2018.
A
4
5
BENJAMIN H. SETTLE
United States District Judge
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
ORDER - 22
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?