Blahous v. Sarrell Regional Dental Center For Public Health, Inc.

(Reply in Support of 21 Motion) MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM Defendant's Reply In Support of Motion to Dismiss Complaint For Lack of Standing And Failure to State A Claim by Sarrell Regional Dental Center for Public Health, Inc. Modified on 2/4/2020 to correct the docket text to reflect as a rely and not a motion; Counsel selected the wrong event code during filing.

Middle District of Alabama, almd-2:2019-cv-00798

Current View

Full Text

7 IN THE UNITED STATES DISTRICT COURT FOR THE FOR THE MIDDLE DISTRICT OF ALABAMA NORTHERN DIVISION LINDSEY BLAHOUS, on behalf of herself, as guardian for her minor children L.B., F.B., and D.I. and on behalf of all others similarly situated, CASE NO. 2:19-cv-00798-RAH-SMD Plaintiff, v. SARRELL REGIONAL DENTAL CENTER FOR PUBLIC HEALTH, INC., Defendant. DEFENDANT'S REPLY IN SUPPORT OF MOTION TO DISMISS COMPLAINT FOR LACK OF STANDING AND FAILURE TO STATE A CLAIM ROBERT E. POUNDSTONE, IV CHRISTOPHER A. WIECH Alabama Bar No. 5864-N53R Georgia Bar No. 757333 BRADLEY ARANT BOULT cwiech@bakerlaw.com CUMMINGS LLP BAKER & HOSTETLER LLP RSA Dexter Avenue Building 1170 Peachtree Street, Suite 2400 445 Dexter Avenue, Suite 9075 Atlanta, Georgia 30309-7676 Montgomery, AL 36104 Telephone: (404) 946-9814 bpoundstone@bradley.com Facsimile: (404) 459-5734 Telephone: (334) 956-7700 (Admitted Pro Hac Vice) Facsimile (334) 956-7701 CASIE D. COLLIGNON Colorado Bar No. 35160 ccollignon@bakerlaw.com BAKER & HOSTETLER LLP 1801 California Street, Suite 4400 Denver, CO 80202 Telephone: (303) 861-0600 Facsimile: (303) 861-7805 (Admitted Pro Hac Vice) Attorneys for Defendant, Sarrell Regional Dental Center for Public Health, Inc. 7 Sarrell Regional Dental Center for Public Health, Inc. ("Sarrell") submits this Reply brief, responding to Plaintiffs' Opposition (Dkt. 26) to Sarrell's Motion to Dismiss (Dkt. 21) on two points. First, Plaintiffs cannot use their Opposition to elevate their pleaded allegations of a theoretically-possible injury into a certainly-plausible injury to meet Article III standing. The distinction between possible and plausible is material for determining whether an injury-in-fact—based on a concrete and particularized threat of imminent, non-conjectural future harm—has been sufficiently pled. And the United States Supreme Court has stated that mere "[a]llegations of possible future injury are not sufficient." But that is all Plaintiffs have pled in this case.1 Conveniently, Plaintiffs ignore the rationale of the United States Court of Appeals for the Eleventh Circuit, followed by the federal courts of this State, that standing should not exist for claims arising out of a data breach based on possible misuse of data that might result in possible future harm.2 Something more concrete and imminent is required, and Plaintiffs recognize as much. Indeed, it is telling that Plaintiffs have overstated critical allegations in their Opposition to manufacture plausible future harm. In their Opposition, Plaintiffs state that their personal data is "now" in the hands of thieves, whereas their Complaint only alleges that their personal data is "likely" in the hands of thieves.3 The allegation, as pled, is 1 Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n.5 (2013) (emphasis added); accord Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016). See Motion to Dismiss ("Mot.") at 8. 2 See infra pp. 4-6. 3 Compare Opposition ("Opp.") at 3 with Complaint ("Compl.") at ¶ 6. 1 7 theoretically possible, but, without more, certainly not plausible to support standing. Plaintiffs concede this point by acknowledging that it could be years before they realize harm—if any—from this lone ransomware attack.4 Moreover, even if the Court assumes Plaintiffs' personal information was "accessed" by criminals, as they allege, that factual allegation alone is insufficient to confer standing.5 Plaintiffs do not allege any facts of actual theft (beyond alleged access) of their personal data and subsequent misuse of it—or even a specific future criminal intent to misuse it—by the ransomware perpetrators. Instead, Plaintiffs rely on data breach statistics generally to allege that they will suffer future harm specifically.6 Further, Plaintiffs cannot adopt part of Sarrell's notice of the ransomware attack in their pleading and ignore the rest of it.7 On one hand, Plaintiffs completely rely on the notice—the fact that a ransomware attack occurred on Sarrell's network—as the basis for their lawsuit. Then, in classic ipso facto fashion, Plaintiffs tenuously extend from that 4 Compl. at ¶ 110. 5 Compl. at ¶ 2. 6 Compl. at ¶¶ 23-25, 24, 40-42, 56-61. 7 Sarrell's notice of the ransomware attack, which it sent to Plaintiffs and is appended to their Complaint and incorporated by reference therein, is an integral part of Plaintiffs' pleading, and should be considered along with all of the factual allegations in the Complaint. "[T]he court may consider a document attached to a motion to dismiss without converting the motion into one for summary judgment if the attached document is (1) central to the plaintiff's claim and (2) undisputed. In this context, "undisputed" means that the authenticity of the document is not challenged." Day v. Taylor, 400 F.3d 1272, 1276 (11th Cir. 2005) (holding district court properly considered contract that was attached in defendants Answer). 2 7 fact that their personal data is "likely" in the hands of thieves.8 On the other hand, however, Plaintiffs ignore what the rest of the notice states:  Sarrell's "investigation has not found any evidence that any files or information were copied, downloaded, or removed from [its] network[,]" and  Sarrell has "not discovered any evidence that information that may be involved in this incident has been misused."9 These statements are incorporated into Plaintiffs' Complaint and cannot be discounted or ignored. Thus, based on Plaintiffs' allegations, including Sarrell's notice, they have failed to allege sufficient facts demonstrating that they have suffered an injury-in-fact from this ransomware attack. For these reasons, the Complaint should be dismissed. Second, should the Court find that Plaintiffs have met the standing hurdle at the pleading stage, they nevertheless have not stated a viable claim upon which they can recover. The case law on which Plaintiffs rely does not support straining or expanding the established law of this State to find a claim where none exists. For these reasons, as discussed below, the Complaint should also be dismissed. 8 Compl. at ¶¶ 6, 22. 9 Compl. at Exhibits A-D. 3 7 I. PLAINTIFFS' INABILITY TO PLEAD ARTICLE III STANDING WARRANTS DISMISSAL OF THEIR COMPLAINT UNDER RULE 12(b)(1) FOR LACK OF SUBJECT MATTER JURISDICITION A. Plaintiffs Have Not Sufficiently Alleged a Threat of Future Harm 1. The Eleventh Circuit's Opinion in Resnick v. AvMed, Inc. Provides Guidance Plaintiffs point out that the Eleventh Circuit has yet to decide whether the threat of possible future harm from possible misuse of personal data following a data breach is sufficient to establish Article III standing. (Opp. at 5.) They are correct, as Sarrell pointed out in its Motion to Dismiss. (Mot. at 12.) But Plaintiffs fail to take note of the guidance on this issue that the Eleventh Circuit provided in Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012). In Resnick, the Eleventh Circuit was not faced with plaintiffs like the ones in this case, who have not alleged any actual theft or misuse of their personal data. Nevertheless, in a case where the plaintiffs alleged that their personal data actually had been stolen and used to open fraudulent financial accounts, causing them monetary damage, the Eleventh Circuit still struggled to find that a sufficient injury had been pled to support Article III standing. Id. at 1327 ("Plaintiffs' allegations that the data breach caused their identities to be stolen move from the realm of the possible into the plausible. Had Plaintiffs alleged fewer facts, we doubt whether the Complaint could have survived a motion to dismiss." (emphasis added)). Although dicta, the Eleventh Circuit's sound reasoning provides guidance that anything less than allegations of actual identity theft or misuse of data would fall short of the Article III standing threshold. 4 7 Based on the same reasoning, Plaintiffs' Complaint falls short as it is based on possible—not plausible—future harm. Their pleading omits allegations of actual misuse of their personal data, and instead relies entirely on consumer reports and general statistics about data breaches and the presumed possibility that their personal data is "likely in the hands of thieves"—notwithstanding Sarrell's notice to the contrary. (Compl. at ¶¶ 6, 23-25, 32-42, 52-54, 61, 66-67.) In fact, in their Opposition, Plaintiffs concede that it may be years before actual harm, if any, occurs. (Opp. at 11, citing Compl. at ¶ 44.) In other words, Plaintiffs concede that their injury—assuming they have one—is not certainly impending. Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (a plaintiff may not "manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending."). 2. Prior Decisions of Alabama Federal Courts Are Consistent with the Eleventh Circuit's Reasoning in Resnick Notably, Plaintiffs' Opposition does not address this Court's decision on standing in Smith v. Triad of Alabama, LLC, No. 1:14-cv-324-WKW, 2015 WL 5793318 (M.D. Ala. Sept. 29, 2015), nor its sister court's decision in In re Community Health Systems, Inc. Customer Security Data Breach Litigation, No. 15-cv-222-KOB, 2016 WL 4732630 (N.D. Ala. Sept. 12, 2016). And for good reason, those cases follow the line of reasoning articulated by the Eleventh Circuit in Resnick. Absent allegations of actual identity theft and misuse of personal data, standing does not exist. In Smith, this Court recognized that despite the plaintiffs' "sparse" allegations, they alleged "that they have become victims 5 7 of actual identity theft in that their information has been used for the filing of fraudulent tax returns, and they set out specific ways in which they have suffered quantifiable monetary losses as a consequence of identity theft." 2015 WL 5793318 at *1 (emphasis added). In Community Health Systems, the neighboring district court found that "no injury-in-fact exists for the purposes of Article III case or controversy standing. . . based on the allegations that Plaintiffs have an 'increased risk' of becoming victims of identity theft crimes, fraud and abuse. . . where that risk is not accompanied by misuse of the stolen data." 2016 WL 4732630 at *10. Similarly, Plaintiffs have not alleged any actual exfiltration and subsequent misuse of their personal data resulting from the ransomware attack. Thus, Plaintiffs have not sufficiently pled standing as recognized by the federal courts in this State. 3. Plaintiffs' Reliance on In re 21st Century Oncology Customer Data Security Breach Litigation Is Well Founded To meet standing, Plaintiffs rely primarily on the three-factor test for standing in data breach cases established by the Florida federal district court in In re 21st Century Oncology Customer Data Security Breach Litigation. 380 F. Supp. 3d 1243, 1250-256 (M.D. Fla. 2019) (collecting cases and analyzing circuit split on standing for increased risk of harm from data breach, and finding standing where actual identity theft occurred). (Opp. at 6.) That case is indeed instructive, which is why Sarrell repeatedly cited it in its Motion to Dismiss. (Mot. at 12, 15, 18.) Analyzing decisions of courts nationwide and noting their differing results, the court in 21st Century Oncology nonetheless gleaned a universal approach to analyzing standing in data breach cases: 6 7  consider the motives of the hacker perpetrating the data breach;  consider the type of information purportedly compromised; and  consider the evidence of actual access to or use of that information. Id. at 1252-254. Plaintiffs' attempt to meet the three-factor test demonstrates how their allegations fall short. First, regarding motives, Plaintiffs commonly presume that all hackers break into databases with the specific intent to obtain personal data to assume others' identities. (Opp. at 6: "Certainly, here, the motive of the hacker is nefarious. Hack