Opinion
18-cv-6278 (LDH) (RML)
03-30-2020
RALPH PENA, individually and on behalf of all others similarly situated, Plaintiff, v. BRITISH AIRWAYS, PLC (UK), Defendant.
MEMORANDUM AND ORDER :
Plaintiff Ralph Pena, individually and on behalf of himself and a class of similarly-situated individuals, brings the instant action against Defendant British Airways, PLC, asserting claims under New York law for negligence, breach of contract, and violations of New York General Business Law ("NYGBL") § 349. Defendant moves pursuant to Rules 12(b)(1) and 12(b)(6) of the Federal Rules of Civil Procedure to dismiss the complaint in its entirety.
BACKGROUND
Unless otherwise stated, the following facts are taken from the amended complaint and are assumed to be true for purposes of the instant motion. (ECF No. 24.)
Defendant is a subsidiary airline of the International Consolidated Airlines Group S.A. ("IAG"), and holds a membership in Oneworld Alliance. (Am. Compl. ("Compl.") ¶¶ 8, 19, ECF No. 24.) According to the complaint, Defendant allows customers to purchase airline tickets and make air travel reservations on its online platform and mobile application. (Id. ¶ 2.)
On September 6, 2018, Defendant announced that it had suffered a data breach, and as a result, some of its customers' sensitive personal information had been compromised. (Id. ¶ 3.) Specifically, Defendant announced that information related to 382,000 transactions made through its online platform and mobile application between August 21, 2018, and September 5, 2018 had been stolen. (Id. ¶¶ 3, 26.) At some time following this announcement, Defendant conducted an internal investigation. Two months later, Defendant announced that its internal investigation revealed that the period of the data breach was greater than originally believed, and had actually affected customers who booked travel between April 21, 2018, and July 28, 2018. (Id. ¶¶ 3, 37.) The compromised personal information included the names, billing addresses, email addresses, and credit card information (account numbers, expiration dates, and CVV codes) of Defendant's account holders. (Id. ¶¶ 1, 33, 37.)
Plaintiff holds Emerald Status with Oneworld Alliance. (Id. ¶ 8.) Plaintiff alleges that his private information was twice compromised in connection with Defendant's data breach. (Id. ¶ 8, 11.) On July 1, 2018, Plaintiff purchased a ticket change on Defendant's website using his Chase credit card. (Id. ¶ 8.) At some time in August, Plaintiff discovered unauthorized transactions on that credit card and canceled it. (Id. ¶ 9.) On September 1, 2018, Plaintiff purchased a ticket on Defendant's website using his Citibank credit card. (Id. ¶ 11.) Plaintiff discovered an unauthorized transaction on that card later in September and canceled it. (Id.) The unauthorized transactions discovered by Plaintiff on his Citibank credit card was eventually reversed. (Id. ¶ 11.)
Plaintiff alleges that Defendant failed to exercise reasonable care in safeguarding its customers' data, thereby putting their personal information at risk of theft. (Id. ¶¶ 1, 4.) Plaintiff further alleges that Defendant should have implemented certain cybersecurity measures that would have prevented or mitigated the data breaches, and that Defendant's failure to implement these measures ran afoul of certain express statements made in Defendant's online "Privacy Policy" and "Statement on Website Security." (Id. ¶¶ 22, 23.) According to the complaint, Plaintiff has suffered injuries as a result of Defendant's conduct including: the improper disclosure and theft of his personal information; an imminent threat of fraud and identity theft; damages to and diminution in the value of his personal information; loss of privacy; loss of time in addressing the breach; and loss of reward points that he would have otherwise accrued on purchases he made between the time he canceled his credit cards and the time the new cards were issued. (Id. ¶ 15.)
DISCUSSION
I. Standing
"A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it." Makarova v. U.S., 201 F.3d 110, 113 (2d Cir. 2000). The plaintiff bears the burden of establishing beyond a preponderance of the evidence that subject-matter jurisdiction exists. Id. "In reviewing a Rule 12(b)(1) motion to dismiss, the court 'must accept as true all material factual allegations in the complaint, but [the court is] not to draw inferences from the complaint favorable to plaintiff[ ].'" Tiraco v. New York State Bd. of Elections, 963 F. Supp. 2d 184, 190 (E.D.N.Y. 2013) (quoting J.S. ex rel. N.S. v. Attica Cent. Sch., 386 F.3d 107, 110 (2d Cir.2004)). Further, "[i]n resolving a motion to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), a district court . . . may refer to evidence outside the pleadings." Makarova, 201 F.3d at 113.
Defendant contends that Plaintiff's claims should be dismissed for lack of subject-matter jurisdiction because Plaintiff cannot establish standing. (Mem. L. Supp. Def. Mot. Dismiss ("Def.'s Mem.") 12-18, ECF 89-1.) To establish Article III standing, a plaintiff must show "(1) that he suffered an injury-in-fact—an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) that there was a causal connection between the injury and the conduct complained of; and (3) that it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Carver v. City of New York, 621 F.3d 221, 225 (2d Cir. 2010) (internal quotations and modifications omitted) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560). A plaintiff seeking to establish standing based on the threat of a future injury, may do so by demonstrating that the "threatened injury is certainly impending or that there is a substantial risk that the harm will occur." Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (internal quotations omitted). Plaintiff has done neither.
Here, Plaintiff alleges that he has suffered six distinct injuries as a result of Defendant's data breach: (1) improper disclosure and theft of his personal information; (2) an imminent threat of fraud and identity theft; (3) damages to and diminution in the value of his personal information; (4) loss of privacy; (5) loss of time in addressing the breach; and (6) loss of reward points that he would have otherwise accrued on purchases he made after the cancellation of his compromised credit cards but before his replacement cards were issued. (Compl. ¶ 15.) None of these alleged injuries is sufficiently concrete and particularized to confer standing.
First, Plaintiff has failed to allege actual injury from any improper disclosure and theft of his personal information. To the extent that Plaintiff relies on the allegations that his credit card information was stolen and used in August and September 2018, those allegations are insufficient to qualify as injuries-in-fact, because, Plaintiff does not allege that he actually incurred any expense related to any fraudulent charge. (see Id. ¶¶ 8-11.); see Whalen v. Michaels Stores, Inc., 689 F. App'x 89, 90 (2d Cir. 2017) ("Whalen II") (finding that the plaintiff suffered no particularized and concrete injury from fraudulent credit card purchases where the plaintiff did not pay, any fraudulent charge incurred).
Second, the threat of future identity theft is neither imminent nor plausible. This is so because both of Plaintiff's compromised credit cards have since been cancelled, and thus any future use of those cards is not possible. (Compl. ¶¶ 9, 11.) Moreover, no personal information apart from Plaintiff's billing address, such as his date of birth or social security number, was compromised in the breach, which might have allowed for the inference of a likelihood of future identity theft. (Id. ¶¶ 1, 33); Whalen, 689 F. App'x at 90 (concluding that the risk of future fraud was not plausible when only the plaintiff's credit card information was stolen, and the plaintiff promptly canceled the affected credit cards after the breach).
Plaintiff's reliance on Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333 (W.D.N.Y. 2018) and Sackin v. Transperfect Glob., Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017) are unavailing because both involved data breaches that compromised more sensitive and detailed personal information than the data breach here. See Fero, 304 F. Supp. 3d at 335, 345 (finding that the threat of future harm resulting from data breach sufficed to confer standing, where compromised data included plaintiffs' names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification, financial information, credit card numbers, and medical claims information); Sackin, 278 F. Supp. 3d at 746 (finding same, where data stolen included plaintiffs' names, addresses, dates of birth, Social Security numbers and bank account information).
Third, assuming Plaintiff's personal information has value, Plaintiff has failed to allege any facts indicating how Defendant's data breach diminished that value in any way. Plaintiff maintains that companies offer individuals opportunities to sell their personal information. (Mem. Law Opp. Mot. Dismiss ("Pl. Opp.") 12, ECF No. 30.) That fact, even if true, is of no consequence here as Plaintiff has not alleged that he was offered or forewent any opportunity to profit from the sale of his personal information, or that Defendant's data breach in any way diminished the value of his personal information. See Whalen v. Michaels Stores, Inc., 153 F. Supp. 3d 577, 581-82 (E.D.N.Y. 2015) ("Whalen I") (finding that the plaintiff's alleged diminution in value of personal information was too vague to confer standing because the plaintiff failed to allege how her personal information became less valuable as a result of the defendant's security breach), aff'd, 689 F. App'x 89 (2d Cir. 2017); see also Fero, 236 F. Supp. 3d at 755 (finding that the alleged diminution in value was insufficient to confer standing where the plaintiffs failed to sufficiently allege that that their personal information was made less valuable to them as a result of the defendant's data breach, or that the breach negatively impacted the value of their data such that they could not use or sell it.)
Fourth, Plaintiff's lost time and expenses incurred in addressing the breach are not sufficient to confer standing. That is, the time and expense Plaintiff allegedly devoted to credit monitoring and the mitigation of the identity theft, are not redressable injuries, particularly where, as here, Plaintiff canceled the compromised credit cards. (See Compl. ¶¶ 9, 11); see also Whalen v. Michael Stores Inc., 153 F. Supp. 3d at 581 (E.D.N.Y. 2015) (citing Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1151 (2013) (holding that lost time and money resulting from credit monitoring and other mitigation expenses is insufficient to confer standing, especially where a plaintiff has cancelled the compromised credit card); Shafran v. Harley-Davidson, 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (holding that credit monitoring costs sought by plaintiff to protect against the risk of future identity theft did not constitute an actual and legally cognizable injury).
Fifth, Plaintiff's lost opportunity to earn reward points is too speculative an injury to serve as a predicate for Article III standing. To date, no court in this Circuit has yet ruled on whether the loss of the ability to earn credit card reward points as a result of a data breach satisfies the elements of standing, and district courts in other circuits are divided on the issue. Nonetheless, on the facts of this case, this Court finds that this injury is insufficiently pleaded. Plaintiff alleges that he used his Chase credit card for restaurant purchases, but that, because of the data breach, he was unable to accrue points on dining purchases made between the time of the cancellation of the compromised card and the issuance of a new one. (Compl. ¶ 10.) Although Plaintiff provides the restaurant names where he dined, and alleges to have paid in cash, he fails to allege the specific monetary amounts of his dining purchases, or the value of the reward points he would have accrued had he been able to use his Chase credit card. (Id.) Absent additional facts supporting Plaintiff's allegation that he lost an opportunity to earn reward points as a result of Defendant's data breach, his allegation is conclusory and therefore insufficient to confer standing. See generally, Alfi, 2010 WL 5093434, at *1-5.
See Tsao v. Captiva MVP Rest. Partners, LLC, 2018 WL 5717479, at *2 (M.D. Fla. Nov. 1, 2018) (loss of cash back rewards overly speculative to support standing); Alfi v. Nordstrom, Inc., 2010 WL 5093434, at *1-5 (S.D. Cal. Dec. 8, 2010) (loss of rewards points did not support standing in absence of any specific facts, such as the value of points lost); but see Torres v. Wendy's Int'l, LLC, 2017 WL 8780453, at *2 (M.D. Fla. Mar. 21, 2017) (loss of credit card reward points and cash back rewards, along with $3 late fee on a utility bill resulting from an account freeze following data breach, represented actual injury sufficient for standing); In re Brinker Data Incident Litig., 2019 WL 3502993, at *5 (M.D. Fla. Aug. 1, 2019) (loss of reward points constitutes sufficient injury).
II. Pre-emption
Even if the Court found that Plaintiff had standing, Plaintiff's claims for negligence, and violations of NYGBL § 349 would nonetheless be dismissed as pre-empted by federal law.
Plaintiff makes no arguments in opposition of Defendant's motion to dismiss his negligence claim as pre-empted. The Court therefore deems Plaintiff's negligence claim abandoned, and Defendant's motion to dismiss this claim is granted.
The Airline Deregulation Act (the "ADA") provides that a state "may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier that may provide air transportation under this subpart." 49 U.S.C. § 41713(b)(1). The ADA's express pre-emption provision applies to "[s]tate enforcement actions having a connection with or reference to airline rates, routes, or services," provided that the connection is not "too tenuous, remote, or peripheral." Morales v. TWA, 504 U.S. 374, 384, 390 (1992) (internal quotes and citations omitted). Actions arising under state common law are also subject to ADA pre-emption. Indeed, the Supreme Court has instructed that "[w]hat is important . . . is the effect of a state law, regulation, or provision, not its form, and the ADA's deregulatory aim can be undermined just as surely by a state common-law rule as it can by a state statute or regulation." Northwest, Inc. v. Ginsberg, 572 U.S. 273, 283 (2014).
In determining whether an action is related to an airline's services for the purposes of ADA pre-emption, district courts in this circuit apply the three-part test devised in Rombom v. United Air Lines, Inc., 867 F.Supp. 214 (S.D.N.Y. 1994) (Sotomayor, D.J.); see also Donkor v. British Airways, Corp., 62 F.Supp.2d 963, 972 n. 5 (E.D.N.Y.1999) (collecting cases citing the Rombom test). Under the Rombom test, the court first determines "whether the activity at issue in the claim is an airline service." Id. at 221. If so, the court then assesses "whether the claim affects the airline service directly or tenuously, remotely, or peripherally." Id. at 222. If the claim directly implicates a service, the court must then assess "whether the underlying tortious conduct was reasonably necessary to the provision of the service." Id.
NYGBL § 349 prohibits "deceptive business acts or practices in the onduct of any business, trade or commerce or in the furnishing of any service in this state." NYGBL § 349. Plaintiff contends that his NYGBL § 349 claim is not pre-empted, because the facts alleged in support of this claim do not satisfy all three prongs of the Rombom test. (Pl. Opp. 8-10.) Specifically, Plaintiff contends that his § 349 claim relates "solely to the provision of a false privacy policy" and only tenuously to the provision of any service; and that the provision of a privacy policy is not "reasonably necessary" to the provision of reservations or ticket sales. (Pl. Opp. 8, 10 (emphasis omitted).) The Court disagrees and finds the facts of this case not unlike those in In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005) ("JetBlue").
In JetBlue, plaintiffs asserted a claim under NYGBL § 349 alleging that, among other things, JetBlue Airways had unlawfully transferred its passengers' personal information to a third-party. Id. at 303, 315. The plaintiffs further alleged that JetBlue Airways had made deceptive representations about its privacy policy in the course of obtaining and misappropriating its customers' private information. Id. at 315. In determining whether the claim was pre-empted, the court applied the Rombom test. Id. at 315-16.
First, the court found that the claim related to JetBlue Airways's provision of reservations and sale of tickets, both of which it held were services under the ADA. Id. at 316. Like in JetBlue, Plaintiff's § 349 claim relates to Defendant's provision of reservations and ticket sales via its website and mobile application, and are therefore services as defined under the ADA. Second, the court found that the plaintiffs' § 349 claim directly affected JetBlue Airways's provision of those services by "attempt[ing] to regulate the representations and commitments that JetBlue Airways's ma[de]" in the course of providing those services. Id. The same is true here as Plaintiff's § 349 attempts to regulate the way in which Defendant represents its data privacy policy to customers in the course of providing those services. Third, the court found that JetBlue Airways's representations to customers about data privacy and disclosure were "reasonably necessary" to the provision of those services. Id. Here too, Defendant's communication of its data privacy policy is reasonably necessary to its provision of reservations and ticket sales, especially those made via its website and mobile application. Plaintiff's § 349 claim is pre-empted by the ADA.
III. Plaintiff's Breach of Contract Claim
Plaintiff's breach-of-contract claim fares no better. Breach of contract claims are generally pre-empted by the ADA. One exception to this rule, the Wolens exception, permits plaintiffs to bring breach of contract claims which seek "recovery solely for [an]airline's alleged breach of its own, self-imposed undertakings." American Airlines, Inc. v. Wolens, 513 U.S. 219, 228 (1995). Notably, unlike many of its sister circuits, the Second Circuit has held that claims that do not fall under the Wolens exception must be dismissed under Rule 12(b)(6) for failure to state a claim, not on the grounds of ADA pre-emption. See Cox v. Spirit Airlines, Inc., 786 F. App'x 283, 285 (2d Cir. 2019) (internal citations omitted) ("If carriage of [the plaintiffs'] carry-on items was within the scope of [the defendant's] contractual obligations, then the ADA does not preempt [the plaintiffs'] breach-of-contract claims. If carriage of [the plaintiffs'] carry-on items was not within the scope of [the defendant's] contractual obligations, then [the plaintiffs'] breach-of-contract claims fail because [the defendant] did not breach any alleged contractual obligation that forbade it from charging a separate fee for that service. If the latter, then the dismissal of [the plaintiffs'] complaint was proper because it failed to state a claim, not because [the plaintiffs'] claims are preempted.").
To withstand a Rule 12(b)(6) motion to dismiss, a complaint "must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible when the alleged facts allow the court to draw a "reasonable inference" of a defendant's liability for the alleged misconduct. Id. While this standard requires more than a "sheer possibility" of a defendant's liability, id., "[i]t is not the Court's function to weigh the evidence that might be presented at trial" on a motion to dismiss. Morris v. Northrop Grumman Corp., 37 F. Supp. 2d 556, 565 (E.D.N.Y. 1999). Instead, "the Court must merely determine whether the complaint itself is legally sufficient, and, in doing so, it is well settled that the Court must accept the factual allegations of the complaint as true." Id. (citations omitted).
Plaintiff maintains that his breach of contract claim is proper under the Wolens exception. (Pl. Opp. 5-8.) Specifically, Plaintiff maintains that the parties' contract included Defendant's Privacy Policy, and that Defendant's data breach ran afoul of the express statements Defendant made to Plaintiff and other customers in that policy. (Id. 5-6.) The Court disagrees.
In support of his arguments Plaintiff primarily relies on JetBlue, 379 F. Supp. 2d 299. In JetBlue, the plaintiffs alleged that JetBlue Airways's published privacy policy constituted a self-imposed contractual obligation by and between the airline and its customers, and that JetBlue breached its obligation by disclosing its customers' personal information without their consent. JetBlue, 379 F. Supp. 2d at 316-17. Ultimately, the court sustained the plaintiff's breach of contract claim finding that JetBlue Airways's privacy policy was a valid part of the company's contract with its customers, and that the plaintiff's allegations adequately stated a breach of that policy. Id. at 318. This case is materially distinguishable from JetBlue.
As a threshold matter, unlike the policy at issue in JetBlue, Defendant's Privacy Policy explicitly states that it is "not contractual and d[oes] not form part of [Plaintiff's] contract with [Defendant]." (See Def.'s Mem., Ex. 10 at 2, ECF No. 29-12.) Thus, the only contractual agreement between Plaintiff and Defendant here was Defendant's General Conditions of Carriage (the "COC"), which the parties entered into at the time of ticket purchase. (Def.'s Mem., Ex. 9, ECF No. 29-11.) Indeed, the COC explicitly indicates that when a customer buys a ticket to travel on a flight operated by Defendant, the customer enters into a contract with Defendant governed by "the conditions in [the customer's] ticket or itinerary and receipt, any tariffs which apply, Conditions of carriage, [and Defendant's] regulations." (Id. 1.) Moreover, the COC does not incorporate or reference the statements made in the Privacy Policy. Thus, fatal to Plaintiff's claim, nothing in the COC or the Privacy Policy evince any intent on the part of Defendant to adopt the statements made in its Privacy Policy as contractual obligations.
In order to determine whether a plaintiff's claims properly fit within the Wolens exception, a court must examine the underlying agreement between the parties. It is well-established that when a "complaint relies on the terms of [an] agreement," the Court "may look to the agreement itself." Broder v. Cablevision Sys. Corp., 418 F.3d 187, 196 (2d Cir. 2005). --------
It is worth noting that the Central District of California addressed similar facts in McGarry v. Delta Air Lines, Inc., 2019 WL 2558199 (C.D. Cal. June 18, 2019). In McGarry, plaintiffs filed a class action against Delta Air Lines following a data breach alleging that Delta had breached its obligation to protect customers' data, an obligation based on an "integrated contract" comprised of the plaintiff's ticket, the contract of carriage, and Delta's privacy policy. Id. at *1. The court dismissed the plaintiffs' claim finding that the contract of carriage did not contain any specific terms relating to customer data, and Delta's privacy policy contained an express disclaimer, thereby defeating the plaintiffs' "integrated contract" theory. Id. at *5-6. The same result is warranted here. Plaintiff's breach of contract claim must be dismissed
CONCLUSION
For the foregoing reasons, Defendant's motion to dismiss the complaint in its entirety is GRANTED.
SO ORDERED. Dated: Brooklyn, New York
March 30, 2020
/s/ LDH
LASHANN DEARCY HALL
United States District Judge