Summary
In Pruchnicki v. Envision Healthcare Corp., this Court held that "tangible, out-of-pocket expenses are required in order for lost time spent monitoring credit to be cognizable as damages."
Summary of this case from Smallman v. MGM Resorts Int'lOpinion
Case No. 2:19-CV-1193 JCM (BNW)
2020-02-20
Peggy PRUCHNICKI, Plaintiff(s), v. ENVISION HEALTHCARE CORPORATION, et al., Defendant(s).
David H. Krieger, Krieger Law Group, LLC, Henderson, NV, Matthew I. Knepper, Miles N. Clark, Knepper & Clark LLC, Las Vegas, NV, for Plaintiff(s). Amanda M. Perach, Amanda C. Yen, McDonald Carano LLP, Las Vegas, NV, Matthew Pearson, Pro Hac Vice, Casie D. Collignon, Pro Hac Vice, Sammantha Tillotson, Sean B. Solis, Pro Hac Vice, Baker and Hostetler LLP, Denver, CO, for Defendant(s).
David H. Krieger, Krieger Law Group, LLC, Henderson, NV, Matthew I. Knepper, Miles N. Clark, Knepper & Clark LLC, Las Vegas, NV, for Plaintiff(s).
Amanda M. Perach, Amanda C. Yen, McDonald Carano LLP, Las Vegas, NV, Matthew Pearson, Pro Hac Vice, Casie D. Collignon, Pro Hac Vice, Sammantha Tillotson, Sean B. Solis, Pro Hac Vice, Baker and Hostetler LLP, Denver, CO, for Defendant(s).
ORDER
James C. Mahan, UNITED STATES DISTRICT JUDGE
Presently before the court is defendants Envision Healthcare Corporation d/b/a Envision Healthcare ("Envision"), EmCare, Inc. ("EmCare"), and Sheridan Healthcorp, Inc.'s ("Sheridan") (collectively, "defendants") motion to dismiss. (ECF No. 18). Plaintiff Peggy Pruchnicki ("plaintiff") filed a response (ECF No. 23), to which defendants did not reply.
Also before the court is defendants' motion to dismiss plaintiff's second amended complaint. (ECF No. 27). Plaintiff filed a response (ECF No. 31), to which defendants replied (ECF No. 36).
I. Background
The instant putative class action arises from a data breach. (ECF No. 26). Plaintiff brings claims for negligence, breach of implied contract, negligent misrepresentation, and violation of Nevada Revised Statute ("NRS") § 41.600 on behalf of herself and "[a]ll persons whose [p]ersonal [d]ata was procured by a third party as a result of the [d]ata [b]reach due to the Envision Defendants' failure to secure its internal systems of record." Id. at 12.
Alternatively, she brings her claims on behalf of Nevada residents, rather than "all persons" who were affected by the data breach. (ECF No. 26 at 12).
Plaintiff provided her personal and/or financial information to defendants. Id. at 3. In July 2018, defendants' systems were breached by an unidentified third party, who was allegedly able to procure plaintiff's name, date of birth, social security number, driver's license number, and unidentified "financial information." Id. Defendants did not notify the individuals whose information was compromised until October 10, 2018, at which time they indicated that such information "may" have been compromised. Id. at 4. On February 29, 2019, defendants determined that plaintiff's information had been compromised. Id. at 5. Plaintiff did not receive notice that her information had, in fact, been compromised until May 3. Id.
Although plaintiff has not suffered identity theft or fraud, she alleges that such criminal activity is "imminent and certainly impending." Id. at 8. On that basis, plaintiff brought her claims in Nevada state court (ECF No. 1-1), and defendants timely removed the action (ECF No. 1).
II. Legal Standard
A court may dismiss a complaint for "failure to state a claim upon which relief can be granted." Fed. R. Civ. P. 12(b)(6). A properly pled complaint must provide "[a] short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2) ; Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). While Rule 8 does not require detailed factual allegations, it demands "more than labels and conclusions" or a "formulaic recitation of the elements of a cause of action." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citation omitted).
"Factual allegations must be enough to rise above the speculative level." Twombly , 550 U.S. at 555, 127 S.Ct. 1955. Thus, to survive a motion to dismiss, a complaint must contain sufficient factual matter to "state a claim to relief that is plausible on its face." Iqbal , 556 U.S. at 678, 129 S.Ct. 1937 (citation omitted).
In Iqbal , the Supreme Court clarified the two-step approach district courts are to apply when considering motions to dismiss. First, the court must accept as true all well-pled factual allegations in the complaint; however, legal conclusions are not entitled to the assumption of truth. Id. at 678–79, 129 S.Ct. 1937. Mere recitals of the elements of a cause of action, supported only by conclusory statements, do not suffice. Id. at 678, 129 S.Ct. 1937.
Second, the court must consider whether the factual allegations in the complaint allege a plausible claim for relief. Id. at 679, 129 S.Ct. 1937. A claim is facially plausible when the plaintiff's complaint alleges facts that allow the court to draw a reasonable inference that the defendant is liable for the alleged misconduct. Id. at 678, 129 S.Ct. 1937.
Where the complaint does not permit the court to infer more than the mere possibility of misconduct, the complaint has "alleged—but not shown—that the pleader is entitled to relief." Id. (internal quotation marks omitted). When the allegations in a complaint have not crossed the line from conceivable to plausible, plaintiff's claim must be dismissed. Twombly , 550 U.S. at 570, 127 S.Ct. 1955.
The Ninth Circuit addressed post- Iqbal pleading standards in Starr v. Baca , 652 F.3d 1202, 1216 (9th Cir. 2011). The Starr court stated, in relevant part:
First, to be entitled to the presumption of truth, allegations in a complaint or counterclaim may not simply recite the elements of a cause of action, but must contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively. Second, the factual allegations that are taken as true must plausibly suggest an entitlement to relief, such that it is not unfair to require the opposing party to be subjected to the expense of discovery and continued litigation.
Id.
III. Discussion
As an initial matter, the court notes that plaintiff filed her second amended complaint on August 26, 2019. (ECF No. 26). Thus, the court denies defendants' motion to dismiss the prior complaint as moot. (ECF No. 18). The court now turns to defendants' motion to dismiss the operative complaint.
The instant case falls within the ambit of recent data breach litigation across the country, and the instant motion embraces a developing area of law. See, e.g., In re Zappos.com, Inc. , 888 F.3d 1020 (9th Cir. 2018), cert. denied sub nom. Zappos.com, Inc. v. Stevens , ––– U.S. ––––, 139 S. Ct. 1373, 203 L.Ed.2d 609 (2019) ; Dieffenbach v. Barnes & Noble, Inc. , 887 F.3d 826 (7th Cir. 2018) ; In re Horizon Healthcare Servs. Inc. Data Breach Litig. , 846 F.3d 625 (3d Cir. 2017) ; In re SuperValu, Inc. , 870 F.3d 763 (8th Cir. 2017) ; Attias v. Carefirst, Inc. , 865 F.3d 620 (D.C. Cir. 2017) ; Remijas v. Neiman Marcus Grp., LLC , 794 F.3d 688 (7th Cir. 2015) ; Reilly v. Ceridian Corp. , 664 F.3d 38 (3d Cir. 2011) ; Krottner v. Starbucks Corp. , 628 F.3d 1139 (9th Cir. 2010) ; Pisciotta v. Old Nat. Bancorp , 499 F.3d 629 (7th Cir. 2007) ; In re Anthem, Inc. Data Breach Litig. , 162 F. Supp. 3d 953 (N.D. Cal. 2016).
In the wake of the Supreme Court's decisions in Spokeo, Inc. v. Robins , ––– U.S. ––––, 136 S. Ct. 1540, 194 L.Ed.2d 635 (2016), as revised (May 24, 2016), and Clapper v. Amnesty Int'l USA , 568 U.S. 398, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013), many defendants facing data-breach cases disputed plaintiffs' standing to bring their claims. But the Supreme Court has not provided guidance on standing issues specifically in the data-breach context. Instead, standing arguments in data-breach cases have been left to the circuit courts, where they have been met with mixed success. The D.C., Sixth, Seven, and Ninth Circuits have held that data-breach plaintiffs alleging future harm have standing. See, e.g., In re Zappos.com, Inc. , 888 F.3d 1020 (holding that data-breach plaintiffs alleging future harms have standing); Dieffenbach , 887 F.3d 826 (same); Attias , 865 F.3d 620 (same); Galaria v. Nationwide Mut. Ins. Co. , 663 F. App'x 384 (6th Cir. 2016) (same). On the other hand, the First, Second, Third, Fourth, and Eighth Circuits have not. See, e.g., In re SuperValu, Inc. , 870 F.3d 763 (affirming dismissal for lack of standing); In re Horizon Healthcare Servs. Inc. Data Breach Litig. , 846 F.3d 625 (same); Reilly , 664 F.3d 38 (same); Whalen v. Michaels Stores, Inc. , 689 F. App'x 89 (2d Cir. 2017) (same).
While the circuits remain split on the issue, this court is bound by Ninth Circuit precedent. The Ninth Circuit in In re Zappos.com, Inc. expressly held that "[a] plaintiff threatened with future injury has standing to sue if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur." 888 F.3d at 1024 (quoting Susan B. Anthony List v. Driehaus , 573 U.S. 149, 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (2014) ) (internal quotation marks omitted).
But, as the Eighth Circuit advised, "it is crucial ... not to conflate Article III's requirement of injury in fact with a plaintiff's potential causes of action, for the concepts are not coextensive." Carlsen v. GameStop, Inc. , 833 F.3d 903, 909 (8th Cir. 2016) (citation, alteration, and quotation marks omitted); see also Bond v. United States , 564 U.S. 211, 218, 131 S.Ct. 2355, 180 L.Ed.2d 269 (2011) ("Even though decisions ... have been careful to use the terms ‘cause of action’ and ‘standing’ with more precision, the distinct concepts can be difficult to keep separate."). Thus, while threatened future injury satisfies the "injury in fact" requirement for standing to bring a claim, the issue of damages as an element thereof is a separate, albeit analogous, inquiry. Unfortunately, there is little authority—whether in this circuit or others—to provide guidance on this issue.
Defendants concede that plaintiff has standing to bring her claims. (ECF No. 27). They instead argue instead that plaintiff has not alleged cognizable damages as an element of her negligence, breach of implied contract, negligent misrepresentation, and NRS 41.600 claims. Id. And, to be sure, plaintiff must prove damages to prevail on any of those claims. Sanchez ex rel. Sanchez v. Wal-Mart Stores, Inc. , 125 Nev. 818, 221 P.3d 1276, 1280 (2009) ("[T]o prevail on a negligence claim, a plaintiff must establish ... damages."); Saini v. Int'l Game Tech. , 434 F. Supp. 2d 913, 919–20 (D. Nev. 2006) ("Nevada law requires the plaintiff in a breach of contract action to show ... damage as a result of the breach." (citing Richardson v. Jones , 1 Nev. 405, 405 (Nev. 1865) )); Barmettler v. Reno Air, Inc. , 114 Nev. 441, 446–47, 956 P.2d 1382, 1386 (1998) ("[Plaintiff] has the burden of proving each and every element of his fraudulent misrepresentation claim by clear and convincing evidence: ... (4) damage to the plaintiff as a result of relying on the misrepresentation."); Alexander v. Falk , No. 2:16-cv-02268-MMD-GWF, 2019 WL 3717802, at *5 (D. Nev. Aug. 7, 2019) ("A deceptive trade practices claim brought pursuant to NRS § 41.600(1) requires proof that the defendant committed consumer fraud causing damage to the plaintiff ." (emphasis added)).
Accordingly, the court is tasked with determining whether plaintiff has sufficiently alleged damage to sustain her claims. Although not entirely binding on this court, the case of Krottner v. Starbucks Corp. is instructive. In its published opinion, the Ninth Circuit held that the plaintiffs had standing to bring their claims in a data-breach case. 628 F.3d 1139. In its unpublished memorandum, however, the Ninth Circuit affirmed the district court's dismissal of plaintiffs' claims because they "did not adequately allege the elements of their state-law claims." Krottner v. Starbucks Corp. , 406 F.App'x. 129, 131 (9th Cir. 2010). In particular, the plaintiffs in Kottner did not establish a cognizable injury for purposes of their negligence claim. Id. The plaintiffs further failed to establish the existence of an implied contract. Id.
Here, plaintiff alleges that her damages include lost time mitigating the effects of the data breach, emotional distress, the "imminent and certainly impending injury flowing from potential fraud and identity theft," diminution in value of her personal and financial information, and continued risk to her personal data. (ECF No. 26 at 7–11).
Consistent with the Ninth Circuit's Krottner memorandum, alleged injuries that stem from the danger of future harm are insufficient to support a negligence action. Thus, the court finds that the "imminent and certainly impending injury flowing from potential fraud and identity theft" and the continued risk to her personal data are too tenuous to constitute "damages" as an element of plaintiff's claims.
Accordingly, the court is left with three alleged categories of damages: lost time, emotional distress, and diminution in value of personal and financial information.
1. Lost time
Plaintiff relies on several cases to support the contention that lost time is sufficient to constitute damages for the purposes of her state-law claims. Plaintiff's cited authority include the Seventh Circuit's opinion in Dieffenbach , which held that "[m]oney out of pocket is a standard understanding of actual damages in contract law, antitrust law, the law of fraud, and elsewhere." Dieffenbach , 887 F.3d at 830. The Seventh Circuit specifically noted as follows:
the data theft may have led them to pay money for credit-monitoring services, because unauthorized withdrawals from their accounts cause a loss (the time value of money) even when banks later restore the principal, and because the value of one's own time needed to set things straight is a loss from an opportunity-cost perspective. These injuries can justify money damages, just as they support standing.
Id. at 828. But the plaintiffs in Dieffenbach had actually incurred the out-of-pocket expenses of a credit-monitoring service and had actually suffered fraudulent withdrawals from their accounts. Id.
Similarly, in Corona v. Sony Pictures Entm't, Inc. , the Northern District of California held that "general allegations of lost time are too speculative to constitute cognizable injury." No. 14-CV-09600 RGK EX, 2015 WL 3916744 at *4 (C.D. Cal. June 15, 2015). But the Corona court found that the plaintiffs adequately alleged a cognizable injury because they had already incurred "costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit." Id.
Another case from the Northern District of California, Castillo v. Seagate Tech., LLC , is similarly persuasive. No. 16-CV-01958-RS, 2016 WL 9280242 (N.D. Cal. Sept. 14, 2016). In Castillo , the court held that plaintiffs "who have incurred such out-of-pocket expenses have pleaded cognizable injuries, whereas those who claim only that they may incur expenses in the future have not." Id. at *4. Out-of-pocket expenses included the hiring of an accountant and a subscription to an identity-protection service. Id.
Accordingly, the court finds that tangible, out-of-pocket expenses are required in order for lost time spent monitoring credit to be cognizable as damages. Here, plaintiff does not allege that she has incurred any out-of-pocket expenses. Instead, her allegations are limited to "spend[ing] time procuring her consumer disclosures from several credit reporting agencies and investigating the content for allegedly fraudulent activity," obtaining a new payment card and credit card, and reviewing her accounts for roughly thirty minutes a week. (ECF No. 26 at 7–8). Although, "[a]s a nurse practitioner and a small business owner, [p]laintiff's time is as limited as it is valuable," id. at 8, it is not a cognizable injury sufficient to support the element of damages required to prevail on her negligence, breach of implied contract, negligent misrepresentation, or NRS 41.600 claims.
2. Emotional distress
Nevada law "require[s] a plaintiff to demonstrate that he or she has suffered some physical manifestation of emotional distress in order to support an award of emotional damages." Betsinger v. D.R. Horton, Inc. , 126 Nev. 162, 232 P.3d 433, 436 (2010) (citing Barmettler v. Reno Air, Inc. , 114 Nev. 441, 956 P.2d 1382, 1387 (1998) ; Chowdhry v. NLVH, Inc. , 109 Nev. 478, 851 P.2d 459, 462 (1993) ). Admittedly, the Nevada Supreme Court has "relaxed the physical manifestation requirement in a few limited instances." Id. (citing Olivero v. Lowe , 116 Nev. 395, 995 P.2d 1023, 1026 (2000) ). The Nevada Supreme Court provided guidance on the physical manifestation requirement as follows:
Unlike in Olivero , where we stated that "the nature of a claim of assault is such that the safeguards against illusory recoveries mentioned in Barmettler and Chowdhry are not necessary," 116 Nev. at 400, 995 P.2d at 1026, there is no guarantee of the legitimacy of a claim for emotional distress damages resulting from a failed real estate and lending transaction without a requirement of some physical manifestation of emotional distress.
Id.
Here, plaintiff's negligence, breach of implied contract, negligent misrepresentation, and NRS 41.600 claims all stem from a data breach. These claims bear more resemblance to a failed real estate and lending transaction—particularly because of plaintiff's contract claim—than an assault or battery claim. Thus, the court finds that the physical-manifestation requirement is applicable in this case. Regarding her emotional distress, plaintiff alleges only as follows:
The stress, nuisance, and annoyance of dealing with issues resulting from the [d]ata [b]reach. In particular, in addition to the items listed above, [p]laintiff has suffered from worry, anxiety, and hesitation, particularly in applying for new credit cards. Moreover, as a small business owner, [p]laintiff is concerned that damage to her creditworthiness could impact her ability to obtain credit for her business.
(ECF No. 26 at 8).
Plaintiff does not allege any out-of-pocket expenses related to the underlying data breach, with the sole exception of the conclusory and unsupported allegation that there are "[a]scertainable losses in the form of out-of-pocket expenses ... incurred to remedy or mitigate the effects of the data breach." (ECF No. 26 at 11). Although she alleges her concern about applying for credit, both personally and for her business, she does not allege that she has been denied credit. She also alleges that she obtained a new payment card from Bank of America and a new credit card from American Express, but she does not allege that either replacement involved any out-of-pocket expenses. Plaintiff's complaint is otherwise devoid of out-of-pocket expenses to support emotional-distress damages.
Accordingly, plaintiff's allegations of emotional distress are insufficient to satisfy the damages element of her claims.
3. Diminution in value of personal and financial information
Diminution in the value of personal information can be a viable theory of damages. See In re Facebook Privacy Litig. , 572 Fed. App'x 494, 494 (9th Cir. 2014) (unpublished) (" Facebook "). In order to survive a motion to dismiss on this theory of damages, a plaintiff "must establish both the existence of a market for her personal information and an impairment of her ability to participate in that market." Svenson v. Google Inc. , No. 13-CV-04080-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016) (citing In re Google, Inc. Privacy Policy Litig. , No. 5:12-CV-001382-PSG, 2015 WL 4317479 at *4 (N.D. Cal. July 15, 2015) (" Google ")).
None of the cases addressing diminution in value of personal and financial information were in the context of data breaches. In all three cases— Facebook , Svenson , and Google —the defendants specifically made the respective plaintiffs' personal information available to third parties. In Facebook , the plaintiffs specifically alleges that "the information disclosed by Facebook can be used to obtain personal information about plaintiffs...." Facebook , 572 F. App'x at 494. Similarly, in both Svenson and Google , Google made the plaintiffs' information available to third parties, which diminished their ability to sell that same information. Svenson , 2016 WL 8943301, at *9 ("[B]y making [plaintiff's] personal information available to YCDroid, Google diminished the value of that information."); Google , 2015 WL 4317479, at *4 ("Plaintiffs argue they have standing under two theories of injury-in-fact: ... economic injury resulting from Google's providing access to [p]laintiffs' personal information to third parties.").
Plaintiff balks that "[d]efendants apparently want [p]laintiff to outline the details of the ‘market value’ in more detail, even though the allegation plausibly places them on notice of the allegation." (ECF No. 31 at 10–11). But Google is instructive on this point. In that case, the court granted Google's motion to dismiss even though the plaintiffs had retained an expert "to show an analysis of what third parties would pay for a consumer database containing identifying information for mass marketing purposes." Google , 2015 WL 4317479, at *5. The court noted as follows:
Plaintiffs do not allege economic injury from any dissemination—or any dissemination at all—or any injury in the form of loss of the [p]laintiffs' ability to sell their own information or its market value. Plaintiffs plead neither the existence of a market for their email addresses and names nor any impairment of their ability to participate in that market.
Id.
In Svenson , the case proceeded to summary judgment before being dismissed. Svenson , 2016 WL 8943301. In that case, the plaintiffs' expert "opine[d] that an active marketplace for consumers' personal information exists, he describes a market in which such information is bundled in groups of 1,000 individuals or 10,000 individuals." Id. at *9. The court granted Google's motion for summary judgment and dismissed plaintiffs' case because there was no indication that "as bundled, an individual's personal information would have less value if previously disclosed to an App developer such as YCDroid." Id.
In this case, there are no specific allegations that plaintiff has been unable to sell, profit from, or otherwise monetize her personal information. Similarly, there are no specific allegations suggesting how the value of her personal information has been reduced. Instead, there are only a handful of conclusory allegations to support these purported damages. Plaintiff argues that her allegation regarding the value of her personal information "plausibly places [defendant] on notice of the allegation." (ECF No. 31 at 11). Plaintiff summarily alleges "there is a well-established and quantifiable national and international market" for her personal information. Id. But she does not allege any details about that market. Plaintiff alleges that the deprivation of the value of her personal data is an "ascertainable loss," but does not allege that she tried to sell her information and was prevented from doing so. Similarly, plaintiff does not allege that there was a reduction in the value of her personal information. To the contrary, she summarily argues that there was some unspecified "deprivation" of value. (ECF No. 26 at 11).
In doing so, plaintiff seems to conflate Nevada's notice-pleading requirements with the federal judiciary's plausibility standard under Twombly and Iqbal .
Plaintiff presents no cogent allegations of a market for her information and provides no ascertainable loss to her own ability to sell her information. Unlike Svenson and Google , plaintiff has no expert opinion to support the existence of a market for her information. Moreover, unlike Svenson or Google —where information was specifically disclosed to third parties that may otherwise be in the market for personal information—there is no allegation that the hackers in this case have disclosed plaintiff's personal information or otherwise impeded her ability to participate in the market. Rather than provide any explanation of these markets or the value of her information, plaintiff supports her argument by citing NRS 597.770, which "provides that there is a ‘right of publicity’ in, among other things, a person's name...." Id. Thus, by plaintiff's estimation, "the simplest answer to the ‘market value’ question is the one the Nevada legislature contemplated: according to them, the market value for unlawful use of a person's name is at least $750 per person." Id. But the "right of publicity" and the unlawful appropriation of her name is separate and distinct from any such market. Similarly, the fact that statutory damages are set at $750 for the unlawful appropriation of her name does not reflect any diminution in the value of her personal information.
Although Svenson was decided at summary judgment after the plaintiff's expert was unable to identify a market for the plaintiffs' personal information, the court finds it instructive here.
Admittedly, the court in Google dismissed the case for lack of standing, not for failure to state a claim upon which relief can be granted. But the logic is the same: the case was dismissed because there was no showing of plaintiff's inability to participate in a personal-information market, if any such market existed.
Accordingly, plaintiff has failed to plead diminution of the value of her personal information as a cognizable injury to support her claims.
While sufficient to establish standing, none of plaintiff's purported damages are sufficient to plausibly allege a claim upon which relief can be granted. Therefore, defendants' motion to dismiss is granted.
IV. Conclusion
Accordingly,
IT IS HEREBY ORDERED, ADJUDGED, and DECREED that defendants' motion to dismiss (ECF No. 18) be, and the same hereby is, DENIED as moot.
IT IS FURTHER ORDERED that defendants' motion to dismiss (ECF No. 27) be, and the same hereby is, GRANTED.
IT IS FURTHER ORDERED that plaintiff's claims be, and the same hereby are, DISMISSED.
The clerk is instructed to enter judgment and close the case accordingly.