Clemens v. ExecuPharm, Inc.

Barrett J. Vahle, Caleb J. Wagner, J. Austin Moore, Norman E. Siegel, Stueve Siegel Hanson, Kansas City, MO, Mark S. Goldman, Goldman Scarlato & Penny PC, Conshohocken, PA, for Plaintiff.

Donald Houser, Shifali Baliga, Kristine McAlister Brown, Alston & Bird LLP, Atlanta, GA, Mathieu J. Shapiro, Melissa M. Blanco, Obermayer Rebmann Maxwell & Hippel LLP, Philadelphia, PA, for Defendants.

MEMORANDUM

PAPPERT, District Judge

Jennifer Clemens, individually and on behalf of a purported class, sued ExecuPharm, Inc. and parent Parexel International Corporation over a data breach at ExecuPharm. Defendants move to dismiss the Complaint pursuant to Federal Rule of Civil Procedure 12(b)(6). For the reasons that follow, the Court grants Defendants' Motion with respect to Counts Two, Five, Six and all other claims against Parexel, and denies it with respect to Counts One, Three, Four and Seven against ExecuPharm. Clemens may amend her Complaint consistent with the accompanying Order.

I
A
i

Clemens worked at ExecuPharm from February to November of 2016 and provided the company "significant amounts of her personal and financial information" as a "condition of her employment." (Compl. ¶¶ 56-57, 59, ECF 1.) She signed an employment agreement "[a]s a further condition of her employment." (Id. at ¶ 58.) In it, ExecuPharm agreed to "take appropriate measures to protect the confidentiality and security of all personal information." (Id.) Although Clemens left the company years prior, ExecuPharm retained her sensitive personal information until at least March 13, 2020. (Id. at ¶ 59.) On that date, ExecuPharm's server was hacked by the CLOP ransomware group. (Id. at ¶¶ 1, 11, 14, 31.) CLOP organized a successful email phishing scheme to obtain server access and encrypt data by installing malware. (Id. at ¶ 13.) It accessed thousands of individuals' sensitive information, including full names, home addresses, social security numbers, taxpayer IDs, credit card and bank information, beneficiary information and, in some cases, passport copies. (Id. at ¶¶ 1-2, 4.) It then demanded a ransom from ExecuPharm in exchange for data decryption tools and threatened to release the data if the ransom was not timely paid. (Id. at ¶ 13.)

On April 26, CLOP made at least some of the information it stole available for download on the "dark web." (Id. at ¶¶ 2, 15, 29.) "[T]he download links contained nearly 123,000 files and 162 gigabytes of data, including nearly 19,000 files of correspondence involving ExecuPharm and Parexel; more than 80,600 e-mail correspondences; financial, accounting, user documents of ExecuPharm's employees and managers; and a complete backup file of ExecuPharm's document management system." (Id. at ¶ 29.) Clemens alleges she learned in an email from ExecuPharm on March 20 that her information was accessed during CLOP's data breach and ExecuPharm "confirm[ed]" in an April 26 email "that her family's most sensitive personal and financial [information] was 'shared on the dark web.' " (Id. at ¶¶ 60, 64.)

According to the Complaint, ExecuPharm's March 20 email stated: "Unfortunately, we now believe sensitive information has been accessed, including social security numbers, banking information (copy of a personal check for direct deposit), driver's license, date of birth, home address, spouse's name, beneficiary information (including social security numbers) and payroll tax forms (such as W-2 and W-4). For some employees, copies of passports also were accessed." (Compl. ¶ 18.) The email appended a pdf of a March 18 letter to former employees, which explained to recipients "[i]f you are receiving this . . . we believe you may be among the group of former employees impacted by this incident." (Id. at ¶ 16 (emphasis added).) ExecuPharm's April 26 email stated it had "become aware that the information accessed by the cyberattackers has been shared on the dark web"—it does not appear to have said anything about Clemens's or her family's data specifically. (Id. at ¶ 30.)

ii

After the breach, ExecuPharm offered free identity monitoring services for one year to all potentially affected current and former employees. (Id. at ¶¶ 24, 65.) Clemens took advantage of these services, but also purchased additional services for herself and her family at a cost of $39.99 per month. (Id. at ¶ 71.) Since the breach, Clemens "has spent significant time and effort reviewing her financial accounts, bank records, and credit reports for unauthorized activity and will continue to do so." (Id. at ¶¶ 61, 67-69.) She has occasionally missed work in order to pursue mitigative measures. (Id. at ¶ 70.) Once, after she changed her family's bank account numbers, she was delayed from accessing her funds due to a mistake by the bank. (Id. at ¶ 69.)

Clemens also says she sought and paid for counseling to cope with stress and anxiety caused by the breach. (Id. at ¶ 72.) She believes that "[g]iven the highly-sensitive nature of the information stolen, the value of [her] [p]ersonal [i]nformation has been diminished and she remains at substantial and imminent risk of future harm." (Id. at ¶¶ 73, 97.) But she does not allege she has experienced any identity theft or fraud. See generally (id.). According to Clemens, many breach victims "have already experienced significant harms . . . including, but not limited to, identity theft, financial fraud, tax fraud, medical and healthcare fraud, unauthorized financial accounts or lines of credit opened in their names, and fraudulent payment card purchases." (Id. at ¶ 81.) Victims other than herself have also spent time, money and effort monitoring their accounts and protecting their information. (Id.)

B

Clemens sued ExecuPharm and Parexel on July 10, 2020 seeking relief individually and on behalf of a class of individuals whose personal information was compromised by the breach. (Id. at ¶ 100.) Her Complaint asserts claims of negligence (Count I), negligence per se (Count II), breach of implied contract (Count III) and breach of contract (Count IV) against both Defendants and breach of fiduciary duty (Count V) and breach of confidence (Count VI) against ExecuPharm. See generally (id. at ¶¶ 116-56). It also seeks declaratory judgment that Defendants' existing data security measures fail to comply with their duties of care and an instruction that Defendants implement and maintain industry-standard data security measures moving forward. (Id. at ¶¶ 157-61.)

II
A

To avoid dismissal for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6), a complaint must contain facts sufficient to state a claim that is facially "plausible." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)). A claim has facial plausibility when the facts pleaded permit a court to make the reasonable inference that a defendant is liable for the alleged misconduct. Id. If the court can infer only the possibility of misconduct from the "well-pleaded" facts—those supported by sufficient factual content to make them facially plausible—the complaint has not shown the pleader is entitled to relief. Id. at 679, 129 S.Ct. 1937 (quoting Fed. R. Civ. P. 8(a)(2)); Schuchardt v. President of the United States, 839 F.3d 336, 347 (3d Cir. 2016).

Determining plausibility is a "context-specific task" requiring a court to use its judicial "experience and common sense." Schuchardt, 839 F.3d at 347 (quoting Iqbal, 556 U.S. at 675, 129 S.Ct. 1937). The court disregards a complaint's legal conclusions, assumes well-pleaded facts are true and then determines whether those facts plausibly entitle the pleader to relief. Connelly v. Lane Constr. Corp., 809 F.3d 780, 787 (3d Cir. 2016); Schuchardt, 839 F.3d at 347. In doing so, the court construes well-pleaded facts in the light most favorable to the plaintiff and draws reasonable inferences from them. Connelly, 809 F.3d at 790.

B

Clemens alleges that her Employment Agreement with ExecuPharm controls the choice of law in this case. (Compl. ¶ 111-112.) Defendants argue that the provision cannot be binding on tort claims because (1) the Agreement expired when Clemens's employment ended and (2) the choice of law provision was narrow, precluding its application to tort claims. (Mot. 5.)

A federal court exercising diversity jurisdiction must apply the choice of law rules of the forum state. Kruzits v. Okuma Mach. Tool, Inc., 40 F.3d 52, 55 (3d Cir. 1994). In Pennsylvania, courts will "generally honor the intent of the contracting parties and enforce choice of law provisions in contracts executed by them." Id. The parties agreed that the Employment Agreement "shall be governed by the laws of the Commonwealth of Pennsylvania" and that any action "pertaining to . . . Employee's employment" shall be brought exclusively in Pennsylvania state courts or this District. (Empl. Agreement 7, ECF 33-1.)

Clemens's claims clearly "pertain to" her employment, as ExecuPharm possessed her confidential information because she was an employee. The agreement that "any action brought under or pertaining to this Agreement . . . shall be brought exclusively in . . ." courts sitting in Pennsylvania is sufficiently broad as it embraces all aspects of the legal relationship. See, e.g., SKF USA Inc. v. Okkerse, 992 F. Supp. 2d 432, 448 n.8 (E.D. Pa. 2014) (citing cases and finding a nearly identical provision sufficiently encompassed tort claims). Defendants argue that, once Clemens' employment ended, so too did their obligation to resolve disputes under Pennsylvania law. (Mot. 5.)

Courts "presume as a matter of contract interpretation that the parties did not intend a pivotal dispute resolution provision to terminate for all purposes upon the expiration of the...
