Lochridge v. Quality Temp. Servs.

Full title: MICHAEL LOCHRIDGE, individually and on behalf of all others similarly…

Court: United States District Court, E.D. Michigan, Southern Division

Date published: Jun 30, 2023

22-cv-12086 (E.D. Mich. Jun. 30, 2023)

Opinion

22-cv-12086

06-30-2023

MICHAEL LOCHRIDGE, individually and on behalf of all others similarly situated, Plaintiff, v. QUALITY TEMPORARY SERVICES, INC. d/b/a QUALIFIED STAFFING, Defendant.

F. Kay Behm, United States District Judge

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS THE SECOND AMENDED CLASS ACTION COMPLAINT (ECF No. 22)

F. Kay Behm, United States District Judge

I. INTRODUCTION

This matter is before the court on Defendant Quality Temporary Services' Motion to Dismiss Plaintiff's Second Amended Class Action Complaint. (ECF No. 22). Plaintiff Michael Lochridge filed his Second Amended Class Action Complaint on March 31, 2023, alleging that his personal identifiable information (PII) was exposed as a result of Defendant's failure to properly safeguard their computer network. (ECF No. 20). Plaintiff brings claims on behalf of himself and all other similarly situated individuals for Negligence (Count I), Unjust Enrichment (Count II), and Breach of Implied Contract (Count III), and seeks a Declaratory Judgment (Count IV). (Id.). On April 14, 2023, Defendant filed a Motion to Dismiss Plaintiff's complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) and 12(b)(6). (ECF No. 22). This case was initially before District Judge Paul D. Borman, but was reassigned to the undersigned on February 6, 2023. The court held a hearing on June 21, 2023, wherein both parties participated in oral argument. (See ECF No. 24). For the reasons stated below, the court GRANTS IN PART and DENIES IN PART Defendant's motion.

II. FACTUAL BACKGROUND

Defendant is a Michigan corporation providing job recruiting and staffing services across the United States. (ECF No. 20, PageID.198). To assist in placing individuals in employment opportunities, Defendant collects various PII from applicants. (Id., PageID.204). Plaintiff alleges he provided his PII to Defendant “with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.” (Id.).

In October 2021, Defendant detected suspicious activity on its computer system and launched an investigation. (ECF No. 22, PageID.258). With the assistance of forensic computer specialists, Defendant determined they had been “the victim of a sophisticated cyberattack involving ransomware, and that an unauthorized actor may have accessed and/or acquired a limited amount of data stored on its systems between September 28, 2021 and October 13, 2021.” (See ECF No. 20-1, “Notice of Data Privacy Event”). The cyberattack resulted in hackers potentially gaining access to 81,355 individuals' PII, including their “names, addresses, Social Security numbers, driver's license or state identification card numbers, passport numbers, financial account information, payment card numbers, medical information, and health insurance information.” (Id.). Plaintiff alleges he received a notification letter from Defendant on or around June 14, 2022, informing him that various pieces of his PII had potentially been exposed. (ECF No. 20, PageID.201). The letter encouraged any affected individuals to “remain vigilant against incidents of identity theft and fraud by reviewing account statements, explanation of benefits, and monitoring free credit reports for suspicious activity and to detect errors,” but clarified that they were not aware of any actual or attempted misuse of information. (See ECF No. 20-1, “Notice of Data Privacy Event”).

Plaintiff alleges that, as a result of the breach, he and the other members of the proposed class have incurred, and will continue to incur, an increased risk of “harm, damaged credit, depravation of the value of their Private Information, loss of privacy, and/or additional damages...” (ECF No. 20, PageID.200). Additionally,

Plaintiff alleges that he was directly injured when his personal information was used to fraudulently apply for a loan and to open a financial account in his name. (Id., PageID.204). Plaintiff argues that these injuries were all directly and proximately caused by the data breach. (Id., PageID.205).

III. STANDARDS OF REVIEW

A. Rule 12(b)(1)

A motion brought under Federal Rule of Civil Procedure 12(b)(1) alleges that the court does not have subject matter jurisdiction over the claims as presented. Fed.R.Civ.P. 12(b)(1). Allegations that a plaintiff lacks standing can be brought as a motion to dismiss for lack of subject matter jurisdiction. Stalley v. Methodist Healthcare, 517 F.3d 911, 916 (6th Cir. 2008) (“We review de novo a district court's dismissal of a case for lack of standing - lack of subject matter jurisdiction - under Fed.R.Civ.P. 12(b)(1).”). Motions brought under Rule 12(b)(1) fall into two categories: facial attacks and factual attacks. United States v. Ritchie, 15 F.3d 592, 598 (6th Cir. 1994). A facial attack is a “challenge to the sufficiency of the pleading itself” whereas a factual attack “is a challenge to the factual existence of subject matter jurisdiction.” Id. In this case, Defendant brings a facial attack challenging the sufficiency of Plaintiff's allegations that he suffered a concrete injury in fact. Id. Because this is a facial attack, the court must “accept[] the material allegations in the complaint as true and construe[] them in the light most favorable to the nonmoving party.” Id.

B. Rule 12(b)(6)

A motion to dismiss brought under Federal Rule of Civil Procedure 12(b)(6) alleges that a complaint fails to state a claim upon which relief may be granted. Fed.R.Civ.P. 12(b)(6). In reviewing a motion to dismiss under this section, the court must “construe the complaint in the light most favorable to the plaintiff, accept its allegations as true, and draw all reasonable inferences in favor of the plaintiff.” DirectTV v. Treesh, 487 F.3d 471, 476 (6th Cir. 2007). The court may not consider matters outside of the pleadings except for “the Complaint and any exhibits attached thereto, public records, items appearing in the record of the case and exhibits attached to defendant's motion to dismiss so long as they are referred to in the Complaint and are central to the claims contained therein.” Ashh, Inc. v. All About It, LLC, 475 F.Supp.3d 676, 679 (E.D. Mich. 2020) (citing Bassett v. Nat'l Coll. Athletic Ass'n, 528 F.3d 426, 430 (6th Cir. 2008)).

To survive a motion to dismiss under Rule 12(b)(6), a complaint must provide “‘a short and plain statement of the claim showing that the pleader is entitled to relief' in order to ‘give the defendant fair notice of what the...claim is and the grounds upon which it rests.'” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 545 (2007) (citing Conley v. Gibson, 355 U.S. 41, 47 (1957)). Although a plaintiff's factual allegations are assumed to be true, they must “do more than create speculation or suspicion of a legally cognizable cause of action; they must show entitlement to relief.” LULAC v. Bredsen, 500 F.3d 523, 527 (6th Cir. 2007). A complaint will not suffice if it offers only “a formulaic recitation of the elements of a cause of action” or if it “tenders naked assertion[s] devoid of further factual enhancement.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (citing Twombly, 550 U.S. at 557).

IV. ANALYSIS

A. Article III Standing

The court must first analyze whether Plaintiff has Article III standing to pursue his claims in federal court.¹Defendant argues that Plaintiff has failed to plead facts showing he suffered a concrete injury in fact sufficient to give rise to Article III standing. Plaintiff responds by arguing he has suffered the following injuries: (1) he has “had a financial account fraudulently opened using his personal information and had a loan fraudulently applied for using his information;” (2) he has spent “numerous hours” responding to the data breach; (3) he has suffered “diminution in value of his PII;” (4) he has suffered “loss of the benefit of the bargain;” and (5) he has an “ongoing risk of identity theft.” (See ECF No. 23, PageID.292). Likewise, Plaintiff argues that he has sufficiently pled Article III standing to pursue his claims. (Id., PageID.294).

1 Where, as here, the court addresses standing prior to class certification, the analysis will focus on the standing of the named plaintiff. See In re Packaged Ice Antitrust Litigation, 779 F.Supp.2d 642, 657 (E.D. Mich. 2011). To demonstrate standing, “named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Id. (citing Lewis, 518 U.S. 343, 347 (2011)).

Article III of the Constitution limits the jurisdiction of federal courts to hear actual “cases” and “controversies.” U.S. Const. Art. III § 2 cl. 1. For there to be a case or controversy under Article III, a plaintiff must have a “personal stake” in the case, otherwise known as standing. TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2203 (2021). In a proposed class action matter, each named plaintiff must personally demonstrate standing independent of any claims brought on behalf of a putative class. See Lewis v. Casey, 518 U.S. 343, 357 (1996). To establish standing, a plaintiff bears the burden to show: “(i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” Id. (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)). “Each element of standing ‘must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at successive stages of litigation.'” Fair Elections Ohio v. Husted, 770 F.3d 456, 459 (6th Cir. 2014). At the pleading stage of litigation, “the plaintiff must ‘clearly allege facts demonstrating' each element” and the court “must accept as true all material allegations and construe the complaint in favor of the complaining party.” Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 388 (6th Cir. 2016) (citations omitted).

i. Injury in Fact

To establish an injury in fact, a plaintiff must show that he or she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016) (citing Lujan, 504 U.S. at 560). To be concrete, an injury must “actually exist,” but it may be tangible or intangible. Id. The most obvious concrete injuries are tangible, such as physical or monetary harms. TransUnion, 141 S.Ct. at 2204. However, intangible harms can also be concrete, particularly when they have a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” including, for example, “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. Where a plaintiff seeks to establish standing based on an imminent injury, the “threatened injury must be certainly impending ...allegations of possible future injury are not sufficient.” Galaria, 663 Fed.Appx. at 388. This standard does not require plaintiffs to demonstrate that it is “literally certain that the harms they identify will come about,” rather, the Supreme Court has recognized that a “‘substantial risk' that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm,” can be sufficient to confer standing. Clapper v. Amnesty Intern. USA, 568 U.S. 398, 414 n.5 (2013) (citations omitted).

The Sixth Circuit has previously addressed a factually similar case brought by victims of a data breach, Galaria v. Nationwide Mut. Ins. Co. While the Galaria decision is unpublished and not technically binding on this court, its analysis on the issue of standing is persuasive. See U.S. v. Flores, 477 F.3d 431, 433-34 (6th Cir. 2007); Smith v. Astrue, 639 F.Supp.2d 836, 841 (W.D. Mich. 2009) (“like judges throughout the Sixth Circuit, this court regularly discusses nonprecedential decisions when they can illuminate an issue.”). In Galaria, the plaintiffs argued that they were injured because they had incurred, and would continue to incur, a number of costs for “purchasing credit reporting services, purchasing credit monitoring and/or internet monitoring services, frequently obtaining, purchasing, and reviewing credit reports, bank statements, and other similar information, instituting and/or removing credit freezes and/or closing or modifying financial accounts.” Galaria, 663 Fed.Appx. at 386-87. The Sixth Circuit reasoned that theft of an individual's personal data “places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of ‘possible future injury' or ‘objectively reasonable likelihood' of injury that the Supreme Court has explained are insufficient.” Id. (citing Clapper, 568 U.S. at 409). Likewise, the court held that the “[p]laintiffs' allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, [were] sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.” Id. at 398.

The basic facts of this case are almost identical to the facts of Galaria. In both cases, the defendant's computer servers were breached by hackers who obtained access to a large amount of PII. Galaria, 663 Fed.Appx. at 385; (ECF No. 20, PageID.200). The accessed PII in both cases was composed of highly sensitive information, including social security numbers and birth dates, that are “not easily changeable or replaceable.” See Finesse Express, LLC v. Total Quality Logistics, LLC, No. 1:20CV235, 2021 WL 1192521, at *3 (S.D. Ohio Mar. 30, 2021) (one factor to consider is whether the type of information compromised is “easily changeable or replaceable information, such as credit and debit card information..."); see also Galaria, 663 Fed.Appx. at 385; (ECF No. 20, PageID.200). Both cases also involved allegations that the hackers had used or attempted to use the PII obtained in the breach. See Galaria, 663 Fed.Appx. at 387; (ECF No. 20, PageID.204). Likewise, Galaria's analysis will guide the court's decision.

Defendant argues that, following the Supreme Court's decision in TransUnion, the holding of Galaria is no longer valid. (ECF No. 22, PageID.266). The court disagrees. First, the Sixth Circuit has yet to officially reconsider Galaria in light of TransUnion. See Brickman v. Maximus, Inc., No. 2:21-CV-3822, 2022 WL 16836186, at *4 (S.D. Ohio May 2, 2022). Additionally, the injuries in TransUnion can be distinguished from those present in Galaria. In TransUnion, the plaintiffs were individuals whose internal credit files had been incorrectly marked as a potential match to a list of “‘specially designated nationals who threaten America's national security.” TransUnion, 141 S.Ct. at 2201. The Court held that only the plaintiffs whose internal credit files had been actually disseminated to a third party had suffered an injury sufficient to confer standing. Id. at 2212. In Galaria, the core of the alleged injury also involved the dissemination of information, but it was to third party cybercriminals, not a legitimate credit reporting agency. Galaria, 663 Fed.Appx. at 387 (“where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for fraudulent purposes.”). Given these differences, Galaria more readily considered the unique threats present when information is obtained during a targeted cyberattack.

Viewing the facts of this case in the light most favorable to Plaintiff, and applying the Sixth Circuit's rationale from Galaria, Plaintiff has alleged a sufficient injury in fact to support Article III standing. Plaintiff alleges that, as a result of the “immediate, imminent, and heightened risk of all manners of identity theft,” he and the other class members have needed to take mitigation actions including “placing ‘freezes' and ‘alerts' with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring bank accounts and credit reports for unauthorized activity.” (ECF No. 20, PageID.200, 212). It would be “unreasonable to expect Plaintiffs to wait for actual misuse” before taking these mitigation steps, especially when they were specifically suggested by Defendant in the notification letter. Galaria, 663 Fed.Appx. at 387 . Additionally, Plaintiff argues that he “had a financial account fraudulently opened using his personal information and had a loan fraudulently applied for using his information.” (ECF No. 20, PageID.204). These allegations further support a finding that plaintiff has met the injury in fact requirement. See In Re Medical Collection Agency Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742, at *8 (D.N.J. Dec. 16, 2021) (“they have suffered the actionable intangible harm of the wrongful use and dissemination of their private information, like the interests protected by common law privacy torts.”). Likewise, Plaintiff's allegations of a substantial risk of harm, coupled with his reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage.² See Galaria, 663 Fed.Appx. at 387.

2 Plaintiff also argues that he has suffered a diminution in value of his private information as a result of the data breach. (ECF No. 20, PageID.205). Courts have previously held that “a loss in value of personal information supports a finding that a plaintiff has suffered an injury in fact.” Finesse Express, LLC v. Total Quality Logistics, LLC, 2021 WL 1192521, at *3 (citing Svenson v. Google, Inc., 2015 WL 1503429, at *5 (N.D. Cal. Apr. 1, 2015)). However, other courts have cautioned that plaintiffs have failed to allege an injury in fact “when there are no allegations that the plaintiffs attempted to sell their personal information or.the data breach forced them to accept a decreased price for that information.” Id. (citing Chambliss v. Carefirst, Inc., 189 F.Supp.3d 564, 572 (D. Md. 2016)). Here, Plaintiff does not allege any specific facts showing he planned to sell his information, just that it must have decreased in value because of the data breach. (See ECF No. 20, PageID.205). Likewise, the court does not find that this suffices as an independent injury in fact sufficient to confer standing in this case.

ii. Traceability

To have Article III standing, Plaintiff must also sufficiently allege that his injury is “fairly traceable” to the conduct at issue. California v. Texas, 141 S.Ct. 2104, 2113 (2021). The key question under this factor is whether there is a “causal connection between the injury and the conduct complained of...” that is not “th[e] result [of] the independent action of some third party not before the court.” Lujan, 504 U.S. at 560-61 (citing Simon v. Eastern Ky. Welfare Rights Organization, 426 U.S. 26, 41-42 (1976)). Here, Plaintiff has reasonably argued that his alleged injuries were caused by Defendant's failure to secure their computer system, leading to the cyberattack. Further, Defendant does not directly contest that Plaintiff has met this factor. The facts presented in Plaintiff's complaint are “more than speculative but less than but-for causation.” Id. (citing Parsons v. U.S. Dept. of Justice, 801 F.3d 701, 714 (6th Cir. 2015)). Likewise, this factor has been satisfied.

iii. Redressability

Finally, Plaintiff must show that it is likely, not just merely speculative, that his injury will be “redressed by a favorable decision.” Id. at 561. Here, Plaintiff seeks damages in the form of “monetary relief, including compensatory damages, punitive damages, attorney fees, expenses, costs, and such other and further relief as is just and proper” as well as “injunctive and other equitable relief as necessary.” (ECF No. 20, PageID.240). Again, Defendant does not directly contest this factor. Given Plaintiff's alleged injuries, a favorable verdict would provide redress. See Galaria, 663 Fed.Appx. at 391. Likewise, this factor is also satisfied.

Considering the above factors, the court is satisfied that, viewing the facts in the light most favorable to Plaintiff, he has sufficiently alleged an injury in fact that is fairly traceable to Defendant's conduct and can be redressed by a favorable decision. Plaintiff has met his burden to plead Article III standing at this stage of the litigation.

B. Common Law Claims

In his Second Amended Complaint, Plaintiff asserts claims for Negligence (Count I), Unjust Enrichment (Count II), and Breach of Implied Contract (Count III), and seeks a Declaratory Judgment (Count IV). (ECF No. 20, PageID.230-40). Defendant argues that Plaintiff has “failed to plead sufficient facts to support any of the causes of action set forth in the Second Amended Complaint.” (ECF No. 22, PageID.269). The court agrees as to Plaintiff's claims for Unjust Enrichment and a Declaratory Judgment but will permit his Negligence and Breach of Implied Contract claims to proceed.

i. Negligence

To plead a claim for negligence under Michigan law,³a plaintiff must satisfy the following elements: “(1) [t]he defendant owed the plaintiff a legal duty, (2) the defendant breached the legal duty, (3) the plaintiff suffered damages, and (4) the defendant's breach was a proximate cause of the plaintiff's damages.” Powell-Murphy v. Revitalizing Auto Communities Env't Response Tr., 333 Mich.App. 243, 243 (2020) (citing Hill v. Sears, Roebuck & Co., 492 Mich. 651, 660 (2012)). A duty of care may be one that the defendant owes specifically to the plaintiff, or it may be one that is owed to the general public. Id. (citations omitted). Generally, a person has an obligation to “use due care, or so govern his actions as to not unreasonably endanger the person or property of others.” Id. at 243-44 (citing Clark v. Dalman, 379 Mich. 251, 261 (1967)).

3 As an initial matter, the parties do not contest that Michigan law should be used to analyze the common law claims at this stage in the proceedings. (See ECF No. 22, PageID.270 (“Michigan law should apply to Plaintiff's tort claims and his contract claim.”); ECF No. 23, PageID.304 (“Nevertheless, for brevity, Plaintiff addresses each claim under Michigan law.”)). Therefore, while a full choice of law analysis may be premature at this stage, the court will utilize Michigan law to address whether Plaintiff has sufficiently stated a claim.

Plaintiff argues that Defendant “had full knowledge of the sensitivity of the Private Information it maintained and the types of harm that Plaintiff and Class Members could and would suffer if the Private Information were wrongfully disclosed.” (ECF No. 20, PageID.230). Likewise, “Defendant had a duty to Plaintiff and each Class Member to exercise reasonable care in holding, safeguarding, and protecting that information.” (Id.). Numerous courts have previously held that companies have a duty to “take reasonable precautions due to the reasonably foreseeable risk of danger of a data breach incident.” See In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1325 (N.D.Ga. 2019); In Re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742, at *14 (D.N.J. Dec. 16, 2021). Plaintiff argues that Defendant breached that duty when they failed to take reasonable steps to protect his and the class members' PII. (ECF No. 20, PageID.234). He argues that this breach caused the parties to suffer reasonably foreseeable damages, including actual instances of individuals attempting to fraudulently use Plaintiff's information to open financial accounts. (Id., PageID.204).

Defendant does not contest that Plaintiff has satisfied the duty, breach, or causation elements of a negligence claim, and argues only that Plaintiff has failed to demonstrate an “actual injury to person or property.” (ECF No. 22, PageID.272). However, viewing the complaint in the light most favorable to Plaintiff, accepting all of its allegations as true, and drawing all reasonable inferences in favor of Plaintiff, he has alleged damages sufficient to state a claim for negligence. See DirectTV, 487 F.3d at 476. Even though Michigan law has recognized that “damages ‘incurred in anticipation of possible future injury rather than in response to present injuries,' are not cognizable under Michigan law,” Doe v. Henry Ford Health Sys., 308 Mich.App. 592, 600 (2014), the fact that Plaintiff alleges that his information was already used to fraudulently open an account and apply for a loan is sufficiently concrete to state a claim.⁴Likewise, Plaintiff's Second Amended Complaint sufficiently states a claim for negligence.

4 Defendant argues that Plaintiff has not alleged enough facts to suggest that his information was actually used to fraudulently open an account or apply for a loan. (ECF No. 22, PageID.262) (“[h]e has still not given details on what happened or how it injured him.”). However, at this stage in the proceedings, Plaintiff is not required to provide full details as to the extent of his injuries, his allegations must simply not be “naked assertion[s] devoid of further factual enhancement.” Ashcroft, 556 U.S. at 678 (citing Twombly, 550 U.S. at 557). Plaintiff's allegations are beyond the cases in which courts have found insufficient facts to state a claim. See Edwards v. Rougeau, 736 Fed.Appx. 135, 137-38 (6th Cir. 2018) (court found that the plaintiff failed to state a claim where the complaint did not contain any factual allegations regarding certain elements of the cause of action); E.M.J. by & through M.J. v. Garrard Cnty. Bd. of Educ., No. CV 5:18-45-DCR, 2018 WL 11407570, at *1 (E.D. Ky. Feb. 20, 2018) (court found that the plaintiff failed to state a claim where their complaint merely contained a list of words and phrases that were each legal terms of art); Small v. Fetter, No. CIV.A. 5:14-006-KKC, 2015 WL 1393585, at *5 (E.D. Ky. Mar. 25, 2015) (court found that plaintiff failed to state a claim where the alleged conduct did not itself rise to the level of a Fourth Amendment violation).

ii. Unjust Enrichment

To sufficiently plead a claim for unjust enrichment under Michigan law, a plaintiff must establish “(1) the receipt of a benefit by the defendant from the plaintiff and (2) an inequity resulting to the plaintiff because of the retention of the benefit by the defendant.” Morris Pumps v. Centerline Piping, Inc., 273 Mich.App. 187, 195 (2006) (citing Barber v. SMH (US), Inc., 202 Mich.App. 366, 375 (1993)). “In other words, the law will imply a contract to prevent unjust enrichment only if the defendant has been unjustly or inequitably enriched at the plaintiff's expense.” Id.

Plaintiff argues that “[t]hrough the use of Plaintiff's and Class Member's Private Information, Defendant received monetary benefits.” (ECF No. 20, PageID.235). Additionally, “Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff's and Class Members' Private Information.” (Id.). These allegations do not satisfy the first element of a cause of action for unjust enrichment, which requires a defendant to have received a benefit directly from the plaintiff. Morris Pumps, 273 Mich.App. at 195 (“the receipt of a benefit by the defendant from the plaintiff”) (emphasis added). A plaintiff cannot state a claim for unjust enrichment where the only benefit received was the result of a contract or agreement between the two parties, not something received directly from the plaintiff. Karaus v. Bank of New York Mellon, 300 Mich.App. 9, 24 (2012) (“Mellon has not received a benefit from plaintiff because if anything, Mellon has merely received the benefit from the contract between Plaintiff and [a third party].”). Likewise, even viewing the complaint in the light most favorable to Plaintiff, he has not pled any facts tending to show that Defendant did, in fact obtain some monetary benefit or profit from Plaintiff. Plaintiff has, therefore, failed to state a claim for unjust enrichment and Count II is dismissed.

iii. Breach of Implied Contract

To state a claim for breach of contract under Michigan law, a plaintiff “must plead three elements: (1) a contract, (2) Defendants' breach of the contract, and (3) damages to Plaintiffs caused by the breach.” Emergency Dep't. Physicians P.C. v. United Healthcare, Inc., 507 F.Supp.3d 814, 828 (E.D. Mich. 2020) (citing Bank of Am., NA v. First Am. Title Ins., 499 Mich. 74, 100-01 (2016)). When an explicit contract does not exist between two parties, an implied contract may arise from their conduct, language, or other circumstances evidencing their intent to contract. Featherston v. Steinhoff, 226 Mich.App. 584 (1997). To form an implied contract, parties must have: “(1) competency to contract, (2) proper subject matter, (3) consideration, (4) mutuality of agreement, and (5) obligation.” Id. (citing Mallory v. City of Detroit, 181 Mich.App. 121, 127 (1989)). Defendant argues that Plaintiff has failed to show there was mutuality of agreement, known as a “meeting of the minds,” between the two parties and has also failed to plead damages. (ECF No. 22, PageID.277). As discussed above, Plaintiff has sufficiently alleged damages resulting from the disclosure of his data in the cyberattack. Likewise, the court's analysis will focus on the “meeting of the minds” element.

When looking at an implied contract, there must be mutuality of agreement between the two parties, “even though it is not manifested by direct or explicit words.” Auto-Owners Ins. Co. v. Lepp, No. 297534, 2011 WL 2858778, at *3 (Mich. Ct. App. July 19, 2011) (citing City of Detroit v. City of Highland Park, 326 Mich. 78, 99 (1949)). Prior cases from courts in this circuit have found that similar allegations were sufficient to show a meeting of the minds. In Bowen v. Paxton Media Group, the court found that, by asking for the plaintiffs' personal information as a condition of their employment, the defendants impliedly agreed “to safeguard and protect such information, to keep such information secure and confidential, and to timely and accurately notify [p]laintiffs and the Subclass if their data had been breached...” Bowen v. Paxton Media Grp., LLC, No. 5:21-CV-00143-GNS, 2022 WL 4110319, at *2 (W.D. Ky. Sept. 8, 2022). Further, in McKenzie v. Allconnect, the court agreed that “[i]mplicit in the employment agreement between [Defendant] and its employees was the obligation that both parties would maintain information confidentially and securely.” McKenzie v. Allconnect, 369 F.Supp.3d 810, 821 (E.D. Ky. 2019).

Plaintiff similarly argues that Defendant required Plaintiff to provide his information to utilize their services, thereby creating an implied contract that they would “protect Plaintiff's and Class members' Private Information and [] timely notify them in the event of a data breach.” (ECF No. 20, PageID.237). By arguing that Defendant did not protect their information or notify them in a timely matter, Plaintiff sufficiently states a claim for breach of implied contract.

iv. Declaratory Judgment

The Declaratory Judgment Act (DJA) permits a court to issue a declaratory judgment “[i]n a case of actual controversy.” 28 U.S.C. § 2201(a). The DJA does not create an independent cause of action, but rather acts as a “remedy for existing cases or controversies.” In Re American Medical Collection Agency, 2021 WL 5937742 at *36 (citing In re AZEK Bldg. Prod., Inc. Mktg & Sales Pracs. Litig., 82 F.Supp.3d 608, 624 (D.N.J. 2015)). When considering declaratory relief, a court should consider:

(1) whether the declaratory action would settle the controversy; (2) whether the declaratory action would serve a useful purpose in clarifying the legal relations in issue; (3) whether the declaratory remedy is being used merely for the purpose of “procedural fencing” or “to provide an arena for a race for res judicata;” (4) whether the use of a declaratory action would increase friction between our federal and state courts and improperly encroach upon state jurisdiction; and (5) whether there is an alternative remedy which is better or more effective.

Larry E. Parrish P.C. v. Bennett, 989 F.3d 452, 457 (6th Cir. 2021) (citing Grand Trunk W. Rail Co. v. Consolidated Rail Corp., 746 F.2d 323, 326 (6th Cir. 1984)). However, before a court can consider these five factors, they must look to whether the basic jurisdictional requirements have been met. Id. “A plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought,” including declaratory and injunctive relief. Bowen, 2022 WL 411039 at *9 (citations omitted). Importantly, to establish standing when an alleged injury is a future injury, “the plaintiff must demonstrate that the threatened injury is certainly impending or there is a substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (citing Clapper, 568 U.S. at 414 n.5).

Plaintiff argues that, because Defendant still possesses Plaintiff's PII and has failed to specify any steps they have taken to prevent another data breach from occurring, he and the class members are at risk of harm caused by a subsequent breach. (ECF No. 20, PageID.239). Likewise, he seeks a declaration that: “(1) Defendant's existing security measures do not comply with its duties of care to provide reasonable security procedures and practices appropriate to the nature of the information to protect customers' personal information, and (2) to comply with its duties of care, Defendant must implement and maintain reasonable security measures....” (Id.). Both a declaration that Defendant's existing security measures are insufficient, and an injunction requiring Defendant to implement and maintain security measures going forward are aimed at preventing a future attack of Defendant's network. While, as discussed above, Plaintiff may have alleged a sufficient risk of future identity theft as a result of the previous data breach, he has not alleged any facts tending to show that a second data breach is currently impending or there is a substantial risk that one will occur. See Hall v. Centerspace, LP, No. 22-CV-2028 (KMM/DJF), 2023 WL 3435100, at *4 (D. Minn. May 12, 2023) (court found no risk of a second data breach where the plaintiff failed to suggest “[defendant] is currently being targeted by hackers, or that something about their operations makes them uniquely vulnerable to incursions.”). Defendant argues that Plaintiff cannot seek injunctive relief designed to prevent a future breach, only relief that would address the breach that already occurred. (ECF No. 22, PageID.279.). The court agrees. Viewing the facts in the light most favorable to Plaintiff, he has failed to meet the jurisdictional requirements to bring a claim for declaratory or injunctive relief. See also Bowen, 2022 WL 411039 at *9 (“Plaintiffs have failed to allege a live controversy warranting declaratory relief.”). Likewise, Count IV is dismissed.

V. CONCLUSION

For the reasons stated above, Defendant's Motion to Dismiss (ECF No. 22) is GRANTED IN PART and DENIED IN PART. Counts II and IV are dismissed for failure to state a claim, pursuant to Fed.R.Civ.P. 12(b)(6).

SO ORDERED.