Opinion
C23-2048-LTS-KEM
05-09-2024
GHASSAN MOHSEN, on behalf of himself, and all others similarly situated, Plaintiff, v. VERIDIAN CREDIT UNION, Defendant.
MEMORANDUM OPINION AND ORDER ON DEFENDANT'S MOTION TO DISMISS
LEONARD T. STRAND UNITED STATES DISTRICT JUDGE
I. INTRODUCTION
This data breach case is before me on a motion (Doc. 8) to dismiss filed by defendant Veridian Credit Union (Veridian) pursuant to Federal Rule of Civil Procedure 12(b)(6). Plaintiff Ghassan Mohsen has filed a resistance (Doc. 23) and Veridian has filed a reply (Doc. 24). Oral argument is not necessary. See Local Rule 7(c).
II. BACKGROUND
Veridian is a credit union headquartered in Waterloo, Iowa. It is a “not-for-profit financial cooperative owned by [its] members,” which provides personal and business financial services to customers, including checking and savings accounts, debit and credit cards, online banking, certificates of deposit and IRAs, loans, as well as insurance services through Veridian Insurance. Veridian has tens of thousands of customers located in Iowa, Nebraska, California and throughout the United States. Mohsen is a California resident and citizen and Veridian customer.
These alleged facts are drawn from the complaint (Doc. 1).
Customers were required to provide Veridian with sensitive, private personal identifying information (PII) as a condition of banking with Veridian. This included names, dates of birth, social security numbers and other information such as financial account information, credit history and credit scores. On May 3, 2023, Veridian sent its customers a Notice of Data Security Incident (Date Breach Notice). The Data Breach Notice stated that an unauthorized person executed a cyberattack against Veridian's “online membership application system,” enabling them to access the PII of current and former customers, including their names, addresses, social security numbers, dates of birth, account/loan numbers and certain loan information (the Data Breach). According to Mohsen, the Data Breach actually began on or about March 14, 2023, but was not discovered by Veridian until April 3, 2023.
Mohsen alleges that Veridian failed to undertake adequate measures to safeguard the PII of Mohsen and the proposed class members, including failing to implement industry standards for data security, and failing to properly train employees on cybersecurity protocols, resulting in the Data Breach. While Veridian discovered the Data Breach on or about April 3, 2023, it did not begin to notify current and former customers of the unauthorized disclosure of their PII until May 3, 2023.
Mohsen alleges that his PII is now in the possession of cybercriminals and the Dark Web. Mohsen lists several instances of fraudulent activity involving his identity that have occurred since the Data Breach, including fraudulent credit card charges, unauthorized access to his Southwest Airlines account and a fraudulent tax return being filed in his name, which resulted in him being required to file paper returns in the future. He further states that he has spent a significant amount of time attempting to mitigate the effects of the Data Breach. This includes freezing his credit report, placing fraud alerts, contacting Veridian, contacting his financial institution and expending time and effort monitoring his accounts to protect from further identity theft. As a result of the data breach, Mohsen has experienced feelings of anxiety, sleep disruption, stress and fear. He alleges that he faces a lifetime risk of additional identity theft, as the Data Breach exposed information that cannot be changed such as his date of birth and Social Security number.
Mohsen filed his nine-count complaint (Doc. 1) on June 12, 2023. He asserts claims both individually and on behalf of various proposed classes, including a class of all persons whose PII was compromised as a result of the Data Breach and/or subclasses that would include all residents of California and/or Iowa whose PII was compromised. Doc. 1 at 30-31, ¶¶ 116-17. He contends that Veridian's failure to protect sensitive PII and warn current and former customers promptly about the Data Breach has caused Mohsen and the proposed class members to suffer widespread injury and damages. Veridian's motion (Doc. 8) seeks dismissal of all nine counts.
III. APPLICABLE STANDARDS
The Federal Rules of Civil Procedure authorize a pre-answer motion to dismiss for “failure to state a claim upon which relief can be granted.” Fed.R.Civ.P. 12(b)(6). The Supreme Court has provided the following guidance in considering whether a pleading properly states a claim:
Under Federal Rule of Civil Procedure 8(a)(2), a pleading must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” As the Court held in [Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)], the pleading standard Rule 8 announces does not require “detailed factual allegations,” but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation. Id., at 555, 127 S.Ct. 1955 (citing Papasan v. Allain, 478 U.S. 265, 286, 106 S.Ct. 2932, 92 L.Ed.2d 209 (1986)). A pleading that offers “labels and conclusions” or “a formulaic recitation of the elements of a cause of action will not do.” 550 U.S. at 555, 127 S.Ct. 1955. Nor does a complaint suffice if it tenders “naked assertion[s]” devoid of “further factual enhancement.” Id., at 557, 127 S.Ct. 1955.
To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to “state a claim to relief that is plausible on its face.” Id., at 570, 127 S.Ct. 1955. A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the
reasonable inference that the defendant is liable for the misconduct alleged. Id., at 556, 127 S.Ct. 1955. The plausibility standard is not akin to a “probability requirement,” but it asks for more than a sheer possibility that a defendant has acted unlawfully. Ibid. Where a complaint pleads facts that are “merely consistent with” a defendant's liability, it “stops short of the line between possibility and plausibility of ‘entitlement to relief.'” Id. at 557, 127 S.Ct. 1955 (brackets omitted).Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009).
Courts assess “plausibility” by “‘draw[ing] on [their own] judicial experience and common sense.'” Whitney v. Guys, Inc., 700 F.3d 1118, 1128 (8th Cir. 2012) (quoting Iqbal, 556 U.S. at 679). Also, courts “‘review the plausibility of the plaintiff's claim as a whole, not the plausibility of each individual allegation.'” Id. (quoting Zoltek Corp. v. Structural Polymer Grp., 592 F.3d 893, 896 n.4 (8th Cir. 2010)). While factual “plausibility” is typically the focus of a Rule 12(b)(6) motion to dismiss, federal courts may dismiss a claim that lacks a cognizable legal theory. See, e.g., Somers v. Apple, Inc., 729 F.3d 953, 959 (9th Cir. 2013); Ball v. Famiglio, 726 F.3d 448, 469 (3d Cir. 2013); Commonwealth Prop. Advocates, L.L.C. v. Mortg. Elec. Registration Sys., Inc., 680 F.3d 1194, 1202 (10th Cir. 2011); accord Target Training Intern., Ltd. v. Lee, 1 F.Supp.3d 927 (N.D. Iowa 2014).
In considering a Rule 12(b)(6) motion, ordinarily the court “cannot consider matters outside the pleadings without converting the motion into a motion for summary judgment.” McMahon v. Transamerica Life Ins., No. C17-149-LTS, 2018 WL 3381406, at *2 n.2 (N.D. Iowa July 11, 2018); see Fed.R.Civ.P. 12(b)(6). On the other hand, when a copy of a “written instrument” is attached to a pleading, it is considered “a part of the pleading for all purposes,” pursuant to Federal Rule of Civil Procedure 10(c). Thus, when the pleadings necessarily embrace certain documents, I may consider those documents without turning a motion to dismiss into a motion for summary judgment. Id. These documents include “exhibits attached to the complaint.” Mattes v. ABC Plastics, Inc., 323 F.3d 695, 697 n.4 (8th Cir. 2003).
When a complaint does not state a claim for relief that is plausible on its face, the court must consider whether it is appropriate to grant the pleader an opportunity to replead. The rules of procedure permit a party to respond to a motion to dismiss by amending the challenged pleading “as a matter of course” within 21 days. See Fed.R.Civ.P. 15(a)(1)(B). Thus, when a motion to dismiss highlights deficiencies in a pleading that can be cured by amendment, the pleader has an automatic opportunity to do so. When the pleader fails to take advantage of this opportunity, the question of whether to permit an amendment depends on considerations that include:
whether the pleader chose to stand on its original pleadings in the face of a motion to dismiss that identified the very deficiency upon which the court dismissed the complaint; reluctance to allow a pleader to change legal theories after a prior dismissal; whether the post-dismissal amendment suffers from the same legal or other deficiencies as the dismissed pleading; and whether the post-dismissal amendment is otherwise futile.Meighan v. TransGuard Ins. Co. of Am., 978 F.Supp.2d 974, 982 (N.D. Iowa 2013).
Rule 12(e) allows a party to move for a more definite statement “of a pleading to which a responsive pleading is allowed but which is so vague or ambiguous that the party cannot reasonably prepare a response.” Fed.R.Civ.P. 12(e). The motion must “point out the defects complained of and the details desired.” Id.
IV. DISCUSSION
The complaint includes the following counts, each asserted on behalf of Mohsen individually and, depending on the specific count, one or more of the proposed classes or subclasses:
Count I: negligence
Count II: breach of implied contract
Count III: unjust enrichment
Count IV: breach of confidence
Count V: invasion of privacy - intrusion upon seclusion;
Count VI: violations of the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §§ 1798, et seq.;
Count VII: violation of California's Consumer Records Act (CCRA), Cal. Civ. Code § 1798.82; et seq.;
Count VIII: violation of the Iowa Consumer Fraud Act (ICFA), Iowa Code §§ 714h.3, 714h.5; and
Count IX: violation of the Iowa Personal Information Security Breach Protection Act (PISBPA), Iowa Code § 715c.2.Doc. 1. Veridian seeks dismissal of all counts. In his resistance, Mohsen states that he is voluntarily dismissing Count VI (CCPA) and Count IX (PISBPA). Doc. 23 at 2 n.1. Those two counts will therefore be dismissed without further discussion. I will address the seven remaining counts in turn.
A. Count I - Negligence
Veridian contends (1) that it had no legal duty to safeguard the personal data at issue and (2) that the economic loss rule bars the negligence claim. Doc. 8 at 6-8.
1. Duty
The elements of a negligence claim under Iowa law are: existence of a duty to conform to a standard of conduct to protect others, failure to conform to that standard, proximate cause and damages. Haafke v. Mitchell, 347 N.W.2d 381, 385 (Iowa 1984). A standard of care or duty is a necessary element of negligence. Seeman v. Liberty Mut. Ins. Co., 322 N.W.2d 35, 37 (Iowa 1982).
In their briefing, both parties have assumed that Iowa law applies to Mohsen's common law claims. Docs. 8, 23, 24. As such, I will apply Iowa law to those claims.
Veridian argues that it did not owe Mohsen or the proposed class members a common law duty to safeguard their personal data. Doc. 8 at 6. While Iowa courts have not yet addressed the issue of whether there is a common law duty to safeguard personal data, other courts have with varying results. Veridian points to several cases holding that no common law duty exists in the data security context. Doc. 24 at 2 (citing Worix v. MedAssets, Inc., 869 F.Supp.2d 893, 897 (N.D. Ill. 2012) (rejecting argument defendant had a common law duty to reasonably handle and safeguard medical information); Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *6 (N.D. Ill. Jan. 21, 2015) (dismissing negligence claim after finding no common law duty to protect personal information); Cooney v. Chi. Pub. Schs., 943 N.E.2d 23, 29 (Ill.App.Ct. 2010) (affirming dismissal of negligence claim because there was no common law duty to protect personal information); Hammond v. Bank of N.Y. Mellon Corp., No. 08 Civ. 6060, 2010 WL 2643307, at *10 (S.D.N.Y. June 25, 2010) (same)).
Other courts have found a common law duty to protect private data. See Brush v. Miami Beach Healthcare Grp. Ltd., 238 F.Supp.3d 1359, 1365 (S.D. Fla. 2017) (“It is well-established that entities that collect sensitive, private data from consumers and store that data on their networks have a duty to protect that information.”); In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1222-23 (S.D. Fla. 2022) (finding that there was a common law duty to safeguard plaintiffs' personal information from theft); Webb v. Injured Workers Pharmacy, LLC, No. 22-cv-10797, 2023 WL 5938606, at *2 (D. Mass. Sept. 12, 2023) (finding a duty of reasonable care to protect plaintiffs' PII where the complaint listed best practices to protect against cyberattacks published by the federal government and plausibly alleged that defendant failed to follow these best practices); Clemens v. ExecuPharm, Inc., 678 F.Supp.3d 629, 636 (E.D. Pa. 2023) (finding that Pennsylvania law recognizes a duty to exercise reasonable care in collecting and storing personal and financial information on computer systems and that third-party criminal acts do not preclude liability); Lochridge v. Quality Temporary Services, Inc., No. 22-cv-12086 2023 WL 4303577, at *6 (E.D. Mich. June 30, 2023); In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1325 (N.D.Ga. 2019) (“The Court concludes that, under the facts alleged in the Complaint, Equifax owed the Plaintiffs a duty of care to safeguard the personal information in its custody. This duty of care arises from the allegations that the Defendants knew of a foreseeable risk to its data security systems but failed to implement reasonable security measures.”); In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. 19-md-2904, 2021 WL 5937742, at *14 (D.N.J. Dec. 16, 2021); In re Blackbaud, Inc., Customer Data Breach Litig., 567 F.Supp.3d 667, 682 (D.S.C. 2021).
Because no decision of the Iowa Supreme Court is directly on point, I must predict how that Court would rule if faced with this issue. See, e.g., Blankenship v. USA Truck, Inc., 601 F.3d 852, 856 (8th Cir. 2010). Having reviewed the cases cited above, I predict that the Iowa Supreme Court would conclude that a party collecting private data from its customers has a duty to take reasonable measures to safeguard that data. Applying this prediction to Mohsen's allegations, I find that he has plausibly alleged that Veridian owed him and proposed class members a duty of reasonable care to protect their PII and that Veridian breached this duty by failing to properly safeguard against a data breach. The Complaint lists publicly available industry and national best practices to prevent cyberattacks published by the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency. Doc. 1 at 20-21, ¶¶ 76-80. These best practices support a plausible allegation that Veridian's security procedures were deficient, permitting an inference that it breached its duty of care.
2. The Economic Loss Rule
Under Iowa law, “the economic loss rule bars recovery in negligence when the plaintiff has suffered only economic loss.” Annett Holdings, Inc., v. Kum & Go, L.C., 801 N.W.2d 499, 503 (Iowa 2011) (citing Neb. Innskeepers, Inc. v. Pittsburgh-Des Moines Corp., 345 N.W.2d 124, 126 (Iowa 1984)). Mohsen attempts to avoid the economic loss rule through two arguments. First, he argues that the diminution in value of his PII constitutes direct harm to property such that the economic loss rule does not apply. Doc. 23 at 10. Second, he argues that he suffered non-economic damages in the form of emotional distress as a result of the data breach. Id.
a. Is diminution of the value of PII a non-economic property injury?
The Iowa Supreme Court has signaled an unwillingness to circumvent the economic loss rule in cases involving theft of personal data. In Annett Holdings, Inc., v. Kum & Go, L.C., 801 N.W.2d 499, 506 (Iowa 2011), the Court held that the economic loss rule barred negligence claims against a convenience store after a third party fraudulently used the plaintiff's credit card. The court favorably discussed Cumis Ins. Society, Inc. v. BJ's Wholesale Club, Inc., 918 N.E.2d 36 (Mass. 2009), which applied the economic loss rule to negligence claims against a retailer whose improper storage of credit card data resulted in the theft of customers' sensitive data. Annett Holdings, 801 N.W.2d at 506. As the Iowa Supreme Court explained, Cumis rejected the plaintiff credit unions' argument that replacing and reissuing the compromised credit cards due to the theft constituted non-economic property damage, and thus applied the economic loss rule to bar the plaintiffs' negligence claim. Id. (citing Cumis Ins. Society, Inc., 918 N.E.2d at 46-47). Other courts applying Iowa law in data breach cases have found that the economic loss rule barred negligence claims. See Fox v. Iowa Health Sys., 399 F.Supp.3d 780, 794-95 (W.D. Wis. 2019) (holding that the loss in value of plaintiffs' private health information “reflect[s] a pecuniary loss rather than a personal injury or damage to property.”); In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1174 (D. Minn. 2014) (dismissing Iowa negligence claims, which were based on a data breach resulting in the theft of their sensitive personal information, due to the economic loss rule).
In support of his argument that diminution in the value of his PII constitutes a noneconomic property injury, Mohsen points to the statement in Hameed-Bolden v. Forever 21 Retail, Inc., No. CV 18-03019, 2018 WL 6802818, at *5 (C.D. Cal. Oct. 1, 2018), that “[t]he recent set of cases strongly suggest that PII has value.” Id.; Doc. 23 at 10. I am not persuaded that this case establishes that the diminution in the value of Mohsen's PII allows him to escape the economic loss rule. The cases Hameed-Bolden cites that “strongly suggest that PII has value” each discuss PII in contexts other than the economic loss rule, such as breach of contract claims or Article III standing. See, e.g., In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617, 2016 WL 3029783, at *15 (N.D. Cal. May 27, 2016) (finding that allegations that plaintiffs' PII is a “valuable commodity” and that theft of PII reduces its value are sufficient to plead damages for a breach of contract claim); In re Facebook Privacy Litig., 572 Fed.Appx. 494 (9th Cir. 2014) (same); See also In re Yahoo! Inc. Customer Data Security Breach Litig., 16-MD-02752, 2017 WL 3727318, at *13-14, 49 (N.D. Cal. Aug. 30, 2017) (finding that “loss of value of PII” is “sufficient to plausibly allege injury” for the purposes of Article III standing). When discussing the diminution of PII in the context of the economic loss rule, the Hameed-Bolden court required a showing from the plaintiffs that “the theft of their PII damaged them in a non-economic manner.” Hameed-Bolden, 2018 WL 6802818, at *5. Because the Hameed-Bolden plaintiffs failed to plead sufficient facts to decide this inquiry, the court applied the economic loss rule to preclude the plaintiffs' claims. Id.
An earlier First Circuit case provides guidance for how to analyze the diminution of the value of electronic data when a plaintiff pleads sufficient facts to show that this data has decreased in value. In In re TJX Companies Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009), a data breach resulted in the theft of millions of customers' sensitive debit and credit card information. Id. at 491-92. This also resulted in harm to the banks that had issued the cards to the customers, as they had to reimburse customers for the fraudulent use of their information. Id. One of these banks, AmeriFirst, filed a lawsuit that included a negligence claim. Id. at 492. After the district court dismissed that claim under the economic loss rule AmeriFirst appealed, arguing that “it did suffer property damage because it had a property interest in the payment card information, which the security breach rendered worthless.” Id. at 498. The First Circuit rejected this argument, stating, “[e]lectronic data can have value and the value can be lost, but the loss here is not a result of physical destruction of property. Indeed, a reduction in real property value, by dumping of contaminants in the neighborhood but not on plaintiff's property was held to be economic loss. Lewis v. General Electric, 37 F.Supp.2d 55 (D. Mass.1 999).” Id.
Here, for two reasons, I hold that any diminution of the value of Mohsen's PII does not constitute a non-economic property injury. First, the Iowa Supreme Court's reasoning in Annett Holdings signals that the Court will be skeptical of circumventing the economic loss rule in cases involving the theft of personal data. Indeed, the case the Iowa Supreme Court favorably discussed, Cumis, involved arguably more tangible property damage in that the plaintiffs had to reissue physical credit and debit cards. Second, I find the First Circuit's reasoning in In re TJX persuasive and predict that the Iowa Supreme Court will adopt it if faced with this issue. Mohsen's PII may have value, and he may have plausibly pleaded that this value was diminished due to the data breach, however, any such diminution in value is an economic loss, not physical damage to property. As such, Mohsen's argument that the diminution of the value of his PII constitutes property injury, and thus falls outside the scope of the economic loss rule, fails.
b. Does Mohsen's allegation of emotional distress injuries preclude the application of the economic loss rule?
Mohsen argues that he has plausibly pleaded non-economic emotional harm, thus precluding application of the economic loss rule. Doc. 23 at 10. Specifically, Mohsen alleges that he has experienced feelings of anxiety, sleep disruption, stress and fear as a result of the theft of his PII. Doc. 1 at 15 ¶ 56.
Iowa courts have not directly addressed whether pleading emotional harm allows a plaintiff to avoid application of the economic loss rule. While Mohsen does not cite any authority supporting his claim that emotional harm would allow his negligence claim to escape the economic loss rule, some courts have held emotional harm to be a noneconomic injury outside the scope of the economic loss rule. See Maio v. TD Bank, N.A., No. 1:22-CV-10578 , 2023 WL 2465799, at *4 (D. Mass. Mar. 10, 2023) (“Plaintiffs' allegations of lost sleep, anxiety, and depression are sufficient to satisfy the exception to the economic loss doctrine at this stage of the proceedings.”); Mulkey v. RoundPoint Mortg. Servicing Corp., No. 1:21CV 01058, 2021 WL 5804575, at *2-3 (N.D. Ohio Dec. 7, 2021) (finding plaintiffs' allegations of time and money expended to monitor their credit accounts and emotional distress to be plausible non-economic damages at the motion to dismiss stage); Ross v. AT&T Mobility, LLC, No. 19-cv-06669, 2020 WL 9848766, at *13 n. 9 (N.D. Cal. May 14, 2020) (“The economic loss rule, which only precludes the recovery of economic damages in a tort action, would in no event bar Ross' negligence claims as a whole because Ross' negligence claims are not limited to seeking economic damages; he also alleges to have suffered emotional distress as a result of AT&T's conduct.”).
Other courts have found that pleading emotional harm does not preclude application of the economic loss rule. See Hobbs v. Wells Fargo Bank, N.A., 21-cv-01700, 2022 WL 17972163, at *4 (S.D. Cal. Sept. 14, 2022) (“Plaintiff cites no authority for the proposition that there is an ‘emotional distress' exception to the economic loss rule...”); Theuerkauf v. United Vaccines Div. of Harlan Sprague Dawley, Inc., 821 F.Supp. 1238, 1242 (W.D. Mich. 1993) (“Allowing plaintiff to defeat the Economic Loss Doctrine by seeking compensation for emotional distress and punitive damages would also swallow the Doctrine.”); Fryfogle v. First Nat. Bank of Greencastle, 07cv00035, 2009 WL 700161, at *7 (W.D. Va. Mar. 17, 2009) (“Claims of emotional distress suffered as a result of the economic loss complained of do not remove the claims from the scope of the economic loss doctrine.”); Pegasus Trucking, LLC v. Asset Redeployment Grp., Inc., No. CV19-10339, 2021 WL 1234879, at *7 (C.D. Cal. Feb. 16, 2021).
Iowa courts “have refused to recognize an independent claim for emotional distress based on negligence without some physical harm.” Clark v. Estate of Rice ex re. Rice, 653 N.W.2d 166, 170 (Iowa 2022). There are only two exceptions to this rule:
The first exception involves bystander liability based on the breach of a duty of care by the defendant not to cause emotional distress to those who witness conduct that causes serious harm to a close relative. Barnhill v. Davis, 300 N.W.2d 104, 108 (Iowa 1981).
* * *
A second exception has been carved out for direct victims of emotional distress and exists when the nature of the relationship between the plaintiff and the defendant is such that it supports the imposition of a duty of care on the defendant to avoid causing emotional harm to the plaintiff. Oswald v. LeGrand, 453 N.W.2d 634, 639 (Iowa 1990); Niblo, 445 N.W.2d at 354. Under the tort theory of negligence, there is no general duty of care to avoid causing emotional harm to another. See Niblo, 445 N.W.2d at 354. However, where the parties assume a relationship that is contractual in nature and deals with services or acts that involve deep emotional responses in the event of a breach, we recognize a duty of care to protect against emotional distress. Lawrence, 534 N.W.2d at 421; Oswald, 453 N.W.2d at 639. Thus, we have recognized a cause of action to recover damages for negligently inflicted emotional distress based upon medical malpractice involving the treatment by a physician of a pregnant woman and her premature fetus. Oswald, 453 N.W.2d at 639. We have also recognized a cause of action to recover negligently inflicted emotional distress in the performance of a contract for funeral services. Meyer v. Nottger, 241 N.W.2d 911, 920 (Iowa 1976). Much earlier, even before we began to formulate our present rules for liability for emotional harm, we permitted recovery for emotional distress for negligent delivery of a telegram announcing the death of a close relative. Cowan v. W. Union Tel. Co., 122 Iowa 379, 386-87, 98 N.W. 281, 282-84 (1904); Mentzer v. W. Union Tel. Co., 93 Iowa 752, 768-69, 62 N.W. 1, 6 (1895). On the other hand, we have refused to recognize such a duty from an attorney-client relationship in a claim for attorney malpractice involving services performed in a bankruptcy case. Lawrence, 534 N.W.2d at 423. The acts performed by the lawyer were not so related to matters of mental concern that emotional distress would naturally result from negligent acts. Id. Since the time we first recognized this exception, our cases have recognized a duty only when there has been some contractual relationship between the parties. See
Lawrence, 534 N.W.2d at 421; Millington v. Kuba, 532 N.W.2d 787, 793 (Iowa 1995).Clark, 653 N.W.2d at 170-72.
I find that under Iowa law, Mohsen's allegations of emotional harm do not preclude application of the economic loss rule to bar his negligence claim. I agree with those courts that have recognized that allowing plaintiffs to simply plead emotional harms based on purely economic injuries would swallow the economic loss rule. It also seems apparent that the Iowa Supreme Court would be skeptical of this pleading tactic given that Court's narrow exceptions for negligence claims based on emotional harms absent physical injury. The first exception, based on bystander liability, clearly does not apply to this situation. The second exception, based on services that involve deep emotional responses, likewise does not apply. While stressful, the theft of PII does not rise to the level of deep emotional response as do the situations described in Clark. Id. The inadequate safeguarding of PII is “not so related to matters of mental concern that emotional distress would naturally result from negligent acts.” Id. As such, I find that Mohsen cannot escape the economic loss rule by pleading emotional distress.
Because Mohsen's arguments for avoiding the economic loss rule fail, that rule bars his negligence claim. Count I will be dismissed.
B. Count II - Implied Contract
Mohsen alleges that through its course of conduct, Veridian entered into implied contracts with Mohsen and the proposed class members for financial services under which Veridian would deal with Mohsen and proposed class members fairly and in good faith and that Veridian would implement data security adequate to protect the privacy of the PII entrusted to Veridian. Doc. 1 at 40-41 ¶ 147.
Under Iowa law, a contract may be express or implied. Rucker v. Taylor, 828 N.W.2d 595, 601 (Iowa 2013). As the Iowa Supreme Court has explained:
When the parties manifest their agreement by words the contract is said to be express. When it is manifested by conduct it is said to be implied in fact. Both are true contracts formed by a mutual manifestation of assent by the parties to the same terms of the contract. The differentiation arises from the method of proving the existence thereof.Id. “When there ‘is merely a tacit promise, one that is inferred in whole or in part from expressions other than words on the part of the promisor' it is said to be implied in fact.” Iowa Waste Systems, Inc. v. Buchanan County, 617 N.W.2d 23, 29 (Iowa Ct. App. 2000) (quoting Corbin on Contracts § 1.18, at 51). To recover for breach of an implied contract, the plaintiff must prove that services were performed under such circumstances as to give the recipient reason to understand that:
a. they were performed for him and not some other person, and
b. they were not rendered gratuitously, but with the expectation of compensation from the recipient; and
c. the services were beneficial to the recipient.Id. at 30 (citing Bloomgarden v. Coyer, 479 F.2d 201, 208-09 (D.C. Cir. 1973)).
Veridian contends that Mohsen's implied contract claim fails for two reasons. First, Mohsen's reference to written documents such as the privacy policy means that an express contract existed between the parties, thus precluding the possibility of an implied contract. Doc. 8 at 8-9. Second, Mohsen failed to state facts supporting mutual assent and Veridian did not agree to “have an impenetrable data security system nor to protect [Mohsen] from [] third-party cybercriminals.” Id. at 9. Mohsen counters that an implied contract was formed when he and the proposed class members applied to receive, or actually received, Veridian's financial services in exchange for their non-public PII. Doc. 23 at 11-12. Mohsen further contends that after Veridian solicited him and the proposed class members to provide their PII, they accepted Veridian's offers and provided their PII to Veridian. Id. at 12. Mohsen argues that this amounts to conduct in addition to the written statements embodied in the Veridian's privacy policy. Id.
As with the negligence claims, Iowa courts have not directly addressed implied contracts in the data breach context. Some courts addressing this issue have held that providing PII in exchange for services may create an implied contract to safeguard the PII. See Baldwin v. Nat'l W. Life Ins. Co., No. 21-CV-04066, 2021 WL 4206736, at *7 (W.D. Mo. Sept. 15, 2021) (“[I]n light of the procedural standard at this early stage of litigation, the Court finds that ... Plaintiffs sufficiently allege that NWL breached its obligations of an implied contract by failing to secure Ms. Baldwin's and purported Class Members' PII.”); Mackey v. Belden, Inc., No. 21-CV-00149, 2021 WL 3363174, at *8-9 (E.D. Mo. Aug. 3, 2021) (quoting Castillo v. Seagate Tech., LLC, 16-cv-01958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016): “[I]t is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient's assent to protect the information sufficiently.”)); Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 764 (C.D. Ill. 2020).
By contrast, other courts have declined to find an implied contract under similar circumstances. See J.R. v. Walgreens Boots All., Inc., 470 F.Supp.3d 534, 558-59 (D.S.C. 2020) (holding that no contract could be implied when customers did not know that their PII would be shared by a pharmacy operator and a term prohibiting such use of their PII could not be implied); Tate v. EyeMed Vision Care, LLC, No. 21-cv-36, 2023 WL 6383467, at *8 (S.D. Ohio Sept. 29, 2023). Here, I find that dismissing Mohsen's implied contract claims at this stage would be premature. Contrary to Veridian's assertion, Mohsen has alleged conduct - the exchange of PII for Veridian's services - in addition to the written documents. As alleged in the complaint, this conduct plausibly forms the basis of an implied contract. Doc. 1 at 41-45. I agree with Mohsen that the existence of written documents does not flatly preclude a finding of an implied contract if there is also conduct that forms the basis of an implied contract. Iowa Waste Systems, 617 N.W.2d at 29. Further, Mohsen properly alleges each of the elements of an implied contract under Iowa law. The exchange of PII for banking services was performed for Mohsen and the proposed class. Mohsen and proposed class members did not provide the PII gratuitously but rather expected that it would be protected and they would receive banking services in return. Finally, the exchange of PII was beneficial to the recipient, Veridian, in that it received valuable personal information that made banking with its customers possible. Count II will not be dismissed.
C. Count III - Unjust Enrichment
“The doctrine of unjust enrichment is based on the principle that a party should not be permitted to be unjustly enriched at the expense of another or receive property or benefits without paying just compensation.” State ex rel. Palmer v. Unisys. Corp., 637 N.W.2d 142, 154 (Iowa 2001). A claim for unjust enrichment under Iowa law is comprised of the following three elements: “(1) defendant was enriched by the receipt of a benefit; (2) the enrichment was at the expense of the plaintiff; and (3) it is unjust to allow the defendant to retain the benefit under the circumstances.” Id. at 154-55.
Mohsen alleges that he and the proposed class conferred benefits upon Veridian in the form of payments for financial services, as well as providing their PII to Veridian that was used to facilitate payment and the provision of services. Doc. 1 at 45 ¶ 172. Mohsen further alleges that Veridian appreciated these benefits and still failed to adequately safeguard the PII it received. Id. ¶ 173-74. At this stage of the litigation, Mohsen has adequately alleged an unjust enrichment claim. Paying Veridian for its services and providing it with PII satisfies the first element of Veridian being “enriched by the receipt of a benefit.” Unisys Corp., 637 N.W.2d at 154-55. This was at the expense of Mohsen and the proposed class, as they were providing the payments and PII, thus satisfying the second element. Id. Finally, a reasonable jury could conclude that it would be “unjust to allow [Veridian] to retain the benefit” of the payments that Mohsen and the proposed class made, in addition to their PII. Count III will not be dismissed.
D. Count IV - Breach of Confidence
Mohsen has cited no Iowa case recognizing a common law claim for breach of confidence and I am aware of no Iowa authority suggesting that such a claim might exist. In any event, even if the Iowa Supreme Court would adopt the limited authorities Mohsen relies upon, his breach of confidence claim would fail. Mohsen cites a Sixth Circuit case holding that “[a] common law claim for breach of confidence occurs when a person discloses private information to another person and the receiver of that information reveals it to a third party.” Thomas v. TOMS King (Ohio), LLC, 997 F.3d 629, 640 (6th Cir. May 11, 2021). Mohsen has not cited any allegations that Veridian revealed his information to a third party. Rather, Mohsen alleges that inadequate safeguards allowed a third party to steal his PII. Doc. 1 at 45-46. This falls short of stating a plausible breach of confidence claim. The only other case Mohsen cites in support of a breach of confidence claim is TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2204 (2021), in which the Supreme Court mentioned the disclosure of private information as a potential harm in the context of Article III standing.
Other courts addressing data breach cases dismissed breach of confidence claims. Weekes v. Cohen Cleary P.C., No. 23-10817, 2024 WL 1159642, at *4 (D. Mass. Mar. 15, 2024); In re Canon U.S.A. Data Breach Litig., No. 20-CV-6239, 2022 WL 22248656, at *11 (E.D.N.Y. Mar. 15, 2022); Mackey, 2021 WL 3363174, at *9; Farmer v. Humana, Inc., 582 F.Supp.3d 1176, 1188-89 (M.D. Fla. 2022); In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1146-47 (C.D. Cal. 2021); In re American Medical Collection Agency, Inc. Customer Data Security Breach Litig., No. 19-md-2904, 2023 WL 8540911, at *5-6 (D.N.J. May 5, 2023); Purvis v. Aveanna Healthcare, LLC, 563 F.Supp.3d 1360, 1378 (N.D.Ga. 2021); In re Brinker Data Incident Litig., No. 18-cv-686, 2020 WL 691848, at *21-22 (M.D. Fla. Jan. 27, 2020). In the absence of controlling Iowa authority, I predict the Iowa Supreme Court would decline to recognize such a claim. Count IV will be dismissed.
E. Count V - Invasion of Privacy - Intrusion Upon Seclusion
The invasion of privacy claim is based upon a theory of intrusion upon seclusion. Doc. 1 at 48; Doc. 23 at 16 (“Plaintiff has adequately alleged the elements of intrusion upon seclusion under Iowa law.”). The Iowa Supreme Court has explained this claim as follows:
We adopted the definition of invasion of privacy recognized by the Restatement (Second) of Torts, including unreasonable intrusion upon seclusion. Winegard v. Larsen, 260 N.W.2d 816, 822 (Iowa 1977); see also Stessman v. Am. Black Hawk Broad. Co., 416 N.W.2d 685, 686 (Iowa 1987). This form of invasion of privacy generally requires the plaintiff to establish two elements. The first element requires an intentional intrusion into a matter the plaintiff has a right to expect privacy. Stessman, 416 N.W.2d at 687. The next element requires the act to be “ ‘highly offensive to a reasonable person.' ” Id. (quoting Winegard, 260 N.W.2d at 822). We have held that an intrusion upon seclusion occurs when a person “ ‘intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns ... if the intrusion would be highly offensive to a reasonable person.' ” In re Marriage of Tigges, 758 N.W.2d 824, 829 (Iowa 2008) (quoting Restatement (Second) of Torts § 652B, at 378).Koeppel v. Speirs, 808 N.W.2d 177, 181 (Iowa 2011).
Mohsen's claim fails under the first element, intentional intrusion. Nothing in the complaint provides grounds for a reasonable inference that Veridian intentionally shared the stolen PII with a third party. Rather, the complaint focuses on Veridian's alleged failure to safeguard the PII from theft by a third party. See Doc. 1 at 48-49 ¶¶ 191, 192, 196, 198. Mohsen argues that this failure to safeguard the PII is enough to satisfy the intent element because Veridian acted with a “knowing state of mind” when it allegedly failed to safeguard the PII and acted with “reckless disregard in operating with inadequate and insufficient data security practices.” Doc. 1 at 49 ¶¶ 196, 197; Doc. 23 at 16.
In advancing this argument, Mohsen relies on Bowen v. Paxton Media Group, LLC, No. 21-CV-00143, 2022 WL 4110319, at *7-8 (W.D. Ky. Sept. 8, 2022), in which the court noted that under Kentucky law, “[a] defendant's actions may be intentional when the Defendant acts with such reckless disregard for the privacy of the plaintiff that the actions rise to the level of being an intentional tort.” Id. Mohsen does not cite to any authority establishing a similar principle under Iowa law. Instead, Mohsen's claim falls under a line of cases dismissing intrusion upon seclusion claims in the data breach context because of the lack of intentional intrusion. See Fox, 399 F.Supp.3d at 797 (dismissing plaintiffs' invasion of privacy claims under Iowa law in the data security context); Roper v. Rise Interactive Media & Analytics, LLC, No. 23CV1836, 2023 WL 7410641, at *8 (N.D. Ill. Nov. 9, 2023) (“Plaintiffs do not allege that Defendant intentionally provided their private information to the hackers; indeed, they allege the opposite-Defendant negligently allowed the hackers to access their data. In other words, it was the hackers, not Defendant, who made the unauthorized intrusion.”); In re Accellion, Inc. Data Breach Litig., 21-cv-01155, 2024 WL 333893, at *15 (N.D. Cal. Jan. 29, 2024); Feins v. Goldwater Bank NA, No. CV-22-00932, 2022 WL 17552440, at *5-6 (D. Ariz. Dec. 9, 2022); Purvis, 563 F.Supp.3d at 1377.
I find that Mohsen has failed to plead a plausible claim of invasion of privacy/intrusion upon seclusion under Iowa law. Count V will be dismissed.
F. Count VII - California Consumer Records Act
The California Consumer Records Act (CCRA) “regulates businesses with regard to treatment and notification procedures relating to their customers' personal information.” Corona v. Sony Pictures Entertainment, No. 14-CV-09600, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). Mohsen alleges that Veridian violated § 1798.82 of the CCRA. Doc. 1 at 55-56 ¶ 228. This provision states, in relevant part:
A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an
unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.Cal. Civ. Code § 1798.82(a). “The disclosure shall be made in the most expedient time possible and without unreasonable delay[.]” Id.
Veridian argues that Mohsen failed to allege that Veridian conducts business in California and is thus not covered by the statute. Doc. 8 at 13. Veridian is wrong. Mohsen alleges that Veridian is “a credit union headquartered in Waterloo, Iowa ... with branches in Iowa and Nebraska, and ‘serving all 50 states digitally.'” Doc. 1 at 5 ¶ 16 (emphasis added). This sufficiently alleges that Veridian conducts business in California. Veridian also argues that Mohsen “does not allege Veridian owns or licenses computerized data that involves personal information. As such, Veridian is not a business for purposes of CRA.” Doc. 8 at 14. I disagree. Mohsen's complaint is replete with allegations that Veridian acquires its customers' PII in exchange for its services. See Doc. 1 at 6-7 ¶ 19. At this stage of litigation, this is a sufficient allegation that Veridian “owns or licenses computerized data that includes personal information.” Cal. Civ. Code § 1798.82(a).
Next, Veridian argues that it did not unreasonably delay providing notice about the incident and that Mohsen did not adequately allege that he suffered “incrementally increased damages separate and distinct from those simply caused by the Data Breach itself”, as required to state a claim under the CCRA. Doc. 8 at 14; Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 16-cv-00014, 2016 WL 6523428, at *7 (S.D. Cal. Nov. 3, 2016). Mohsen counters that the delayed notice prevented him and the proposed class from timely mitigating identity theft and fraudulent use of their PII by third parties. Doc. 23 at 17-18. Courts have found that five-month and nine-month delays in providing notice of data breaches sufficiently alleged unreasonable delays under the CCRA, when coupled with allegations of incremental harm from the delay in notification. In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d 1284, 1300 (S.D. Cal. 2020); In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 589-90 (N.D. Ill. 2022). On the other hand, a ten-day delay in providing notice of a data breach was not a sufficient allegation of unreasonable delay when the plaintiff failed to allege how the ten-day delay caused him to incur separate damages from the data breach itself. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 1010 (S.D. Cal. 2014). The Sony Gaming Networks court also stated that “whether or not the ten-day delay was unreasonable is a factual determination not properly decided on a motion to dismiss.” Id.
I find that Mohsen has sufficiently pleaded a claim for violation of the CCRA. While the complaint alleges a significantly shorter delay than in Solara and Arthur J. Gallagher, Mohsen has alleged that the one-month delay incrementally harmed him separately from the data breach. Specifically, Mohsen alleges that the delay prevented him from securing identity theft protection or requesting a credit freeze which could have mitigated the damage caused by the data breach. Doc. 1 at 55 ¶ 227. While the onemonth period between the data breach and the notification of customers may be found to be reasonable at a later stage, this argument will benefit from a more developed factual record. See In re Sony Gaming Networks, 996 F.3d at 1010. Count VII will not be dismissed.
Veridian makes the additional argument that Mohsen's request for punitive damages under Cal. Civ. Code § 3294 fails as a matter of law because Mohsen has not alleged facts showing that Veridian engaged in oppression, fraud or malice. Doc. 8 at 15. I agree. As California federal court has explained:
By statute, where a plaintiff proves “by clear and convincing evidence that the defendant has been guilty of oppression, fraud, or malice, the plaintiff, in addition to the actual damages, may recover [punitive] damages.” Cal. Civ. Code § 3294(a). Nevertheless, a corporate entity cannot commit willful and malicious conduct; instead, “the advance knowledge and conscious disregard, authorization, ratification or act of oppression, fraud, or malice must be on the part of an officer, director, or managing agent of
the corporation.” Id. § 3294(b); *1148 Taiwan Semiconductor Mfg. Co. v. Tela Innovations, Inc., No. 14-CV-00362-BLF, 2014 WL 3705350, at *6 (N.D. Cal. July 24, 2014) (“[A] company simply cannot commit willful and malicious conduct-only an individual can.”). Therefore, Plaintiffs must plead that an officer, director, or managing agent of Defendants committed an act of oppression, fraud, or malice.In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F.Supp.3d 1113, 1147-48 (N.D. Cal. 2018). Mohsen's complaint does not contain any allegations that an officer, director or managing agent of Veridian committed an act of oppression, fraud or malice. See Doc. 1 at 56 ¶¶ 230-232. Therefore, while Count VII will proceed, Mohsen's request for punitive damages under Cal. Civ. Code § 3294 will be dismissed.
G. Count VIII - Iowa Consumer Fraud Act
The Iowa Consumer Fraud Act (ICFA) provides, in relevant part:
A person shall not engage in a practice or act the person knows or reasonably should know is an unfair practice, deception, fraud, false pretense, or false promise, or the misrepresentation, concealment, suppression, or omission of a material fact, with the intent that others rely upon the unfair practice, deception, fraud, false pretense, false promise, misrepresentation, concealment, suppression, or omission in connection with the advertisement, sale, or lease of consumer merchandise ....Iowa Code § 714H.3(1). “[A] claimant alleging an unfair practice, deception, fraud, false pretense, false promise, or misrepresentation must prove that the prohibited practice related to a material fact or facts.” Id. ICFA claims are subject to Fed.R.Civ.P. 9(b)'s heightened pleading standard that “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person's mind may be alleged generally.” Fed.R.Civ.P. 9(b); Moeller v. Samsung Elecs. Am., Inc., 623 F.Supp.3d 978, 986 (S.D. Iowa 2022).
Veridian argues that Mohsen has not alleged any facts that Veridian “knew or should have known that the Veridian computer systems and data security practices were inadequate to safeguard Plaintiff's and class members' or Iowa class members' PII entrusted to it, and that risk of a data breach or theft was highly likely.” Doc. 8 at 1516 (quoting Doc. 1 at 58 ¶ 239). Veridian also argues that because Mohsen did not directly apply for a loan with Veridian, he could not have relied on any representations or omissions made by Veridian. Id. at 16.
In response, Mohsen relies on Moeller v. Samsung Elecs. Am., Inc., 623 F.Supp.3d 978 (S.D. Iowa 2022). In that case, the court declined to dismiss an ICFA claim in which the plaintiff alleged that the defendant never intended to honor language in its warranty that stated that free in-home repairs may be available to customers. Id. at 987. The court further held that the plaintiff satisfied Rule 9(b)'s heightened pleading requirement because her complaint “sufficiently alleged the ‘who, what, when, where and how' of her Iowa Consumer Fraud Act claim.” Id. (citing Cagin v. McFarland Clinic, 317 F.Supp.2d 964, 971 (S.D. Iowa 2004)). By contrast, in Bass v. J.C. Penney Co., 880 N.W.2d 751 (Iowa 2016), the plaintiffs alleged that the defendant had made a material misrepresentation related to its shipping and handling charges. Id. at 763. The court held that the defendant did not make a material misrepresentation because the representations it made regarding shipping were accurate and did not mislead the plaintiff. Id. at 764 (“Nowhere in the website did J.C. Penney claim that its shipping and handling charges were based upon ‘actual cost.' Indeed, the matrix chart provided by J.C. Penney plainly demonstrated that the key variables were not weight or size but cost of the item and the chosen method of delivery.”).
I agree with Mohsen that his ICFA claim resembles Moeller more than Bass. Mohsen has pleaded that Veridian represented that it would protect PII from unauthorized access and use. Doc. 1 at 8 ¶ 24. Throughout his complaint, Mohsen then alleges that Veridian failed to live up to its representations regarding data protection. See, e.g., Doc. 1 at 10 ¶ 38. Like Moeller, Mohsen properly alleges a mismatch between Veridian's words and its actions. The complaint also satisfies Rule 9(b)'s heightened pleading standard because it sets forth the date of the Data Breach and the dates and contents of the allegedly misleading representations that Veridian made, as well as where Veridian made these representations. Doc. 1 at 2-3, 7-8, 57-58 ¶¶ 4, 21, 24, 238. This properly alleges the “who, what, when, where and how” of the ICFA claim. Moeller, 623 F.Supp.3d at 987.
Contrary to Veridian's assertion that Mohsen did not allege facts showing that Veridian knew its safeguards were deficient, the Complaint lists publicly available industry and national best practices to prevent cyberattacks published by the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency. Doc. 1 at 20-21, ¶¶ 76-80. At the motion to dismiss stage, it can be inferred that these sources would have put Veridian on notice about the adequacy of its safeguards.
As to Veridian's argument that Mohsen could not have relied on any representations by Veridian because he did not directly apply for a loan through Veridian, I agree that the exact nature of Mohsen's (and the proposed class members') relationship with Veridian is unclear in the complaint. Veridian points out that in one part of the complaint, Mohsen states, “[o]n information and belief, [Mohsen] is a borrower of a loan which was purchased and is now held by Veridian.” Id. at 13 ¶ 49. However, Mohsen makes more specific allegations elsewhere, such as that Mohsen and the proposed class were required to provide their PII to Veridian in exchange for its services. Id. at 9 ¶ 32.
At this stage, it is plausible that this alleged arrangement could have created a situation in which Mohsen and the proposed class members relied on Veridian's representations about its safeguards before they decided to supply their PII. While the circumstances of this exchange and its timing are unclear from the complaint, I find that it would be more appropriate to address this issue at a later stage in the litigation. See Moeller, 623 F.Supp.3d at 987 (explaining that courts are in a better position to adjudicate ICFA claims after discovery). Reading the complaint in the light most favorable to Mohsen, I decline to dismiss Count VIII.
V. CONCLUSION
For the reasons set forth herein, Veridian's motion (Doc. 8) to dismiss is granted in part and denied in part, as follows:
1. The following claims are hereby dismissed:
Count I: negligence
Count IV: breach of confidence
Count V: invasion of privacy - intrusion upon seclusion
Count VI: violations of the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §§ 1798, et seq.
Count IX: violation of the Iowa Personal Information Security Breach Protection Act (PISBPA), Iowa Code § 715c.2
2. While Count VII is not dismissed, the demand for punitive damages pursuant to Cal. Civ. Code § 3294, as set forth within Count VII, is dismissed.
3. Veridian's motion is denied as to all remaining claims.
IT IS SO ORDERED.