In re GE/CBPS Data Breach Litig.

In re GE/CBPS DATA BREACH LITIGATION

No. 20 Civ. 2903 (KPF)

United States District Court, S.D. New York

August 4, 2021

OPINION AND ORDER

KATHERINE POLK FAILLA UNITED STATES DISTRICT JUDGE

A breach in early 2020 (the “Data Breach”) of an email account maintained by Defendant Canon Business Process Services, Inc. (“Canon”) resulted in an unauthorized third party gaining access to personally identifiable information (“PII”) of current and former employees of Defendant General Electric Company (“GE, ” and collectively with Canon “Defendants”) and their beneficiaries. Canon maintained this information as a provider of business process and document management services to GE. Plaintiff Steven Fowler (“Plaintiff” or “Fowler”), a former GE employee, then brought suit against Defendants on behalf of himself and all others similarly situated, seeking redress for harms they allegedly have suffered and are at risk of suffering in the future as a result of the Data Breach. Defendants have moved to dismiss the Consolidated Class Action Complaint for lack of subject matter jurisdiction and failure to state a claim upon which relief may be granted. For the reasons set forth herein, the Court grants Defendants' motion in part and denies it in part.

BACKGROUND^[1]

A. Factual Background

1. The Parties

Plaintiff Steven Fowler is a citizen of the State of Kentucky. (Compl. ¶ 21). He is a former employee of Defendant GE. (Id.). While employed at GE, Fowler was required to provide sensitive personal information to GE. (Id.). On or about March 20, 2020, GE notified Fowler that his PII had been compromised in the Data Breach. (Id.).

Defendant GE is a New York corporation with its headquarters in Boston, Massachusetts. (Compl. ¶ 22). Defendant Canon is a Delaware corporation with its principal place of business in the State and City of New York. (Id. at ¶ 23).

2. GE's Data Collection and Protection Policies

As a condition of employment, GE collects and maintains personal and financial information about its employees and their dependents or other beneficiaries. (Compl. ¶ 27). Among the types of information collected are “employment data obtained in the context of an employment relationship” and “any information relating to a directly or indirectly identifiable person, ” including “name, address, email, phone, national identifier, and credit card number.” (Id.).

GE has written and publicly distributed several policy documents that touch on privacy and information security. On its website, GE advertises that it “respects the privacy rights of individuals and is committed to handling Personal Information responsibly, in accordance with applicable law and GE's Commitment to the Protection of Personal Information[.]” (Compl. ¶ 30). In its Commitment to the Protection of Personal Information, GE states:

GE strives to protect Personal Information with appropriate technical and organizational measures to ensure its integrity, confidentiality, security and availability. GE will inform individuals of a security breach affecting their GE Personal Information that could pose a high risk to their individual rights and freedoms. In accordance with applicable law, GE will provide reasonable assistance to Customers, where GE is a processor, to ensure the security of their processing and will inform GE Customers of a security breach of GE Customer Personal Information as required under such laws.

(Id. at ¶ 31). GE also addresses its handling of PII in its Employment Data Protection Standards and in a policy document called “The Spirit & The Letter.” (Id. at ¶¶ 33-37). The Employment Data Protection Standards address in greater detail measures GE takes to protect PII, including measures related to equipment and information security, access security, and training. (Id. at ¶ 37). “The Spirit & The Letter” instructs employees in best practices for limiting access to GE information to authorized individuals and preventing unauthorized access, disclosure, or destruction. (Id. at ¶ 39). It also provides that “non-controlled affiliates should be encouraged to adopt and follow GE compliance policies.” (The Spirit & The Letter at 2).

3. The Data Breach and Its Consequences

GE contracts with Canon to process documents relating to current and former GE employees and their beneficiaries. (Compl. ¶ 41). On March 20, 2020, GE issued a data breach notice stating that in February 2020, one of Canon's employee email accounts had been breached by an unauthorized party. (Id. at ¶ 43). The notice states:

We were notified on February 28, 2020 that Canon had determined that, between approximately February 314, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon's systems.... Canon has indicated that the affected documents, which contained certain personal information, were uploaded by or for GE employees, former employees and beneficiaries entitled to benefits in connection with Canon's workflow routing service. The relevant personal information, which was contained in documents such as direct deposit forms, driver's licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents, may have included names, addresses, Social Security numbers, driver's license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms.

(Id. at ¶ 44). Analysis by members of the public suggested that the Data Breach was the result of a “standard credential phishing attack or due to credential reuse on another site.” (Id. at ¶ 46).

Canon determined that, as a result of the Data Breach, unauthorized persons may have obtained Fowler's name, employee identification number, home address, phone number, and email address. (Allen Decl. ¶ 6). After the Data Breach, Fowler received phishing and scam emails to his personal email address, and phishing and scam phone calls to his personal phone number. (Fowler Decl. ¶¶ 2-3). Other proposed class members allegedly suffered increased risk of identity theft and fraud; the time and expense necessary to remediate and mitigate the increased risk of identity theft and fraud; the inability to use debit cards because those cards had been canceled, suspended, or otherwise rendered unusable; fraudulent debit charges; and loss of confidentiality and value of their personal and financial information. (Compl. ¶¶ 79, 88(1), 104, 112, 119, 125, 182).

Defendants have offered individuals whose data was compromised identity theft and credit monitoring services at no charge for two years. (Compl. ¶ 66). However, no compensation or other form of relief has been provided. (Id.).

B. Procedural Background

Plaintiff Fowler filed the original complaint in this case, then captioned Fowler v. Canon Business Process Services, Inc., et al., on April 8, 2020. (Dkt. #1). On April 22, 2020, the Court accepted as a related case Baz v. General Electric Co., et al., No. 20 Civ. 3149, brought by another former GE employee, Maher Baz (“Baz”). (See Dkt. #10). On May 15, 2020, the Court entered a stipulation (i) consolidating the Fowler and Baz matters as well as any other related cases then pending or subsequently filed in, removed to, or transferred to this District, under case number 20 Civ. 2903 and the case caption In re GE/CBPS Data Breach Litigation; (ii) providing rules for applications for appointment as interim class counsel or other designated counsel; and (iii) setting a scheduling for Fowler and Baz to file a consolidated complaint and for Defendants to file a responsive pleading or motion to dismiss. (Dkt. #14). Counsel for Fowler and Baz each sought appointment as interim class counsel. (Dkt. #16-20, 26-28). On June 10, 2020, Fowler and Baz notified the Court that they had agreed to proceed cooperatively and were seeking appointment of their respective counsel as co-lead interim class counsel. (Dkt. #34). The Court held a hearing on the matter the next day, June 11, 2020, and, per Fowler's and Baz's agreement, appointed Joseph I. Marchese of Bursor & Fisher, P.A., Gary M. Klinger of Mason Lietz & Klinger LLP, and Rosemary M. Rivas of Levi & Korsinsky LLP as co-lead interim class counsel. (Minute Entry for June 11, 2020; Dkt. #35).

Fowler and Baz filed the Consolidated Class Action Complaint (the “Complaint”), which is the operative pleading in this matter, on August 11, 2020. (Dkt. #40). On October 5, 2020, Defendants filed a pre-motion letter notifying the Court of their intent to file a motion to compel Baz to arbitrate his claims and a motion to dismiss the Complaint. (Dkt. #41). Fowler and Baz filed a responsive letter on October 8, 2020. (Dkt. #44). The Court held a pretrial conference on October 21, 2020, and set a briefing schedule on Defendants' motion to compel arbitration and to stay Fowler's claims pending resolution of the motion. (Dkt. #47). Defendants filed their motion to compel arbitration on November 5, 2020. (Dkt. #48-50). On December 14, 2020, Baz filed a notice of voluntary dismissal pursuant to Federal Rule of Civil Procedure 41(a)(1)(A)(i). (Dkt. #53-54). Fowler remained in the case as named plaintiff and proposed class representative on behalf of the proposed classes. (Id.).

On December 17, 2020, the Court set a briefing schedule on Defendants' anticipated motion to dismiss. (Dkt. #56). In accordance with that schedule, Defendants filed their motion and supporting papers on January 21, 2021 (Dkt. #57-59) Plaintiff filed his opposition...