In re USAA Data Sec. Litig.

621 F.Supp.3d 454

IN RE: USAA DATA SECURITY LITIGATION

21 CV 5813 (VB)

United States District Court, S.D. New York

Signed August 11, 2022

Filed August 12, 2022

OPINION AND ORDER

Briccetti, United States District Judge:

Plaintiffs Vincent Dolan and Christine Mapes bring this consolidated putative class action against defendant United Services Automobile Association ("USAA"), arising out of USAA's disclosure of plaintiffs' driver's license numbers to non-party cybercriminals. Plaintiffs assert claims under the Driver's Privacy Protection Act (the "DPPA") and Section 349 of the New York State General Business Law, as well as state law claims for negligence and negligence per se.

Now pending is USAA's motion to dismiss the amended consolidated complaint under Rules 12(b)(1) and 12(b)(6). (Doc. #35).

For the foregoing reasons, the motion is GRANTED IN PART and DENIED IN PART.

BACKGROUND

For the purpose of ruling on the motion, the Court accepts as true all well-pleaded allegations in the amended consolidated complaint and draws all reasonable inferences in plaintiffs' favor, as summarized below.

USAA provides insurance and financial services to current and former members of the United States military and their families.

Plaintiffs allege USAA designed its website to ensure users could apply for its insurance policies as seamlessly as possible. Specifically, plaintiffs contend an individual seeking a quote for any of USAA's insurance policies could do so by first creating a USAA account, which requires providing "minimal information," such as a name, an address, and a date of birth, and then answering "yes" to questions regarding the individual's history of military service. (Doc. #34 ("Am. Compl.") ¶¶ 37, 43). Plaintiffs further allege that once the account is made, the USAA member would then receive an online quote form pre-filled with personally identifiable information ("PII") regarding the member drawn from the relevant state's department of motor vehicles ("DMV"), including the member's driver's license number.

According to plaintiffs, a driver's license number ranks among a person's most "highly valuable" PII because it is "readily useable to commit fraud and identity theft." (Am. Compl. ¶ 15). Plaintiffs contend driver's license numbers, particularly when combined with other PII, can be used to "file fraudulent unemployment claims, to open a new account, take out a loan in someone's name, or commit income tax refund fraud," among a "host of other financial crimes." (Id. ¶ 16).

On February 16, 2021, and again on March 30, 2021, the New York State Department of Financial Services ("NYSDFS") issued cybersecurity fraud alerts warning regulated financial entities like USAA that cybercriminals were targeting "websites that offer instant online automobile insurance premium quotes" to steal driver's license numbers. (Am. Compl. ¶ 48). In light of the "serious risk of theft and consumer harm" posed by the instant quote system, the NYSDFS recommended a number of data safety measures, including redacting PII or "avoid[ing] displaying prefilled [PII] on public-facing websites" entirely. (Id. ¶¶ 53-54).

Plaintiffs claim USAA failed to follow any of NYSDFS's recommendations, and, consequently, suffered the "type of data breach that NYSDFS predicted" on May 6, 2021. (Am. Compl. ¶ 57). Cybercriminals allegedly used certain of plaintiffs' PII—stolen from other sources—to create USAA accounts in plaintiffs' names and then steal plaintiffs' driver's license numbers that were automatically disclosed by USAA. Plaintiffs maintain they were never members of USAA, nor did they have any relationship of any kind with USAA before the data breach.

USAA allegedly informed plaintiffs, as well as the putative class members, of the data breach in a notice dated June 2, 2021 (the "USAA Notice"). In the USAA Notice, USAA claimed that upon learning of the breach, it immediately "blocked access to driver's license information," "enhanc[ed] [its] security measures to help prevent this type of incident in the future," and would be "offering a complimentary two-year membership" to an identity theft detection and resolution program. (Doc. #36-1 ("USAA Notice")).

Plaintiffs contend that in the immediate aftermath of the USAA breach, cybercriminals fraudulently filed a claim for unemployment in plaintiff Dolan's name, and successfully took out an insurance policy from another, unrelated insurance provider in plaintiff Mape's name. Plaintiffs allege they have spent "valuable time and resources" to address the existing identity theft and to guard against the "heightened risk for fraud and identity theft" likely to occur in the future, including by purchasing additional credit monitoring and identity theft protection services. (Am. Compl. ¶¶ 17, 22-23, 26-27, 138). Plaintiffs also allege they incurred "costs associated with requested credit freezes," and also suffered lowered credit scores as a result of repeated inquiries into their credit. (Id. ¶ 138).

DISCUSSION

I. Standards of Review

A. Rule 12(b)(1)

"[F]ederal courts are courts of limited jurisdiction and lack the power to disregard such limits as have been imposed by the Constitution or Congress." Durant, Nichols, Houston, Hodgson & Cortese-Costa, P.C. v. Dupont, 565 F.3d 56, 62 (2d Cir. 2009).¹ "A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it." Nike, Inc. v. Already, LLC, 663 F.3d 89, 94 (2d Cir. 2011), aff'd, 568 U.S. 85, 133 S.Ct. 721, 184 L.Ed.2d 553 (2013). The party invoking the court's jurisdiction bears the burden of establishing jurisdiction exists. Conyers v. Rossides, 558 F.3d 137, 143 (2d Cir. 2009).

"When the Rule 12(b)(1) motion is facial, i.e., based solely on the allegations of the complaint . . . , the plaintiff has no evidentiary burden," and "[t]he task of the district court is to determine whether the [complaint] alleges facts that affirmatively and plausibly suggest that the plaintiff has standing to sue." Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56 (2d Cir. 2016).

In deciding a motion to dismiss under Rule 12(b)(1) at the pleading stage, the court "must accept as true all material facts alleged in the complaint and draw all reasonable inferences in the plaintiff's favor." Conyers v. Rossides, 558 F.3d at 143. But "argumentative inferences favorable to the party asserting jurisdiction should not be drawn." Buday v. N.Y. Yankees P'ship, 486 F. App'x 894, 895 (2d Cir. 2012) (summary order).

When a defendant moves to dismiss for lack of subject matter jurisdiction and on other grounds, the court should consider the Rule 12(b)(1) challenge first. Rhulen Agency, Inc. v. Ala. Ins. Guar. Ass'n, 896 F.2d 674, 678 (2d Cir. 1990).

B. Rule 12(b)(6)

In deciding a Rule 12(b)(6) motion, the Court evaluates the sufficiency of the complaint under the "two-pronged approach" articulated by the Supreme Court in Ashcroft v. Iqbal, 556 U.S. 662, 679, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). First, a plaintiff's legal conclusions and "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements," are not entitled to the assumption of truth and thus are not sufficient to withstand a motion to dismiss. Id. at 678, 129 S.Ct. 1937; Hayden v. Paterson, 594 F.3d 150, 161 (2d Cir. 2010). Second, "[w]hen there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief." Ashcroft v. Iqbal, 556 U.S. at 679, 129 S.Ct. 1937.

To survive a Rule 12(b)(6) motion, the complaint's allegations must meet a standard of "plausibility." Ashcroft v. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937; Bell Atl. Corp. v. Twombly, 550 U.S. 544, 564, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A claim is facially plausible "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. "The plausibility standard is not akin to a 'probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. (quoting Bell Atl. Corp. v. Twombly, 550 U.S. at 556, 127 S.Ct. 1955).

"In considering a motion to dismiss for failure to state a claim pursuant to Rule 12(b)(6), a district court may consider the facts alleged in the complaint, documents attached to the complaint as exhibits, and documents incorporated by reference in the complaint." DiFolco v. MSNBC Cable L.L.C., 622 F.3d 104, 111 (2d Cir. 2010).

II. Standing of the Named Plaintiffs

USAA argues plaintiffs do not allege an injury-in-fact sufficient to support Article III standing.

The Court disagrees.

A. Legal Standard

To satisfy the "irreducible constitutional minimum of standing . . . [t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, 578 U.S. 330, 338, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016).

An injury-in-fact is "an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical." Spokeo, Inc. v. Robins, 578 U.S. at 339, 136 S.Ct. 1540. This is "a low threshold which helps to ensure that the plaintiff has a personal stake in the outcome of the controversy." John v. Whole Foods Mkt. Grp., Inc., 858 F.3d 732, 736 (2d Cir. 2017).

To be concrete, an injury "must actually exist." Spokeo, Inc. v. Robins, 578 U.S. at 340, 136 S.Ct. 1540. Further, an injury-in-fact must bear a "close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts—such as physical harm, monetary harm, or various intangible harms." TransUnion LLC v. Ramirez, — U.S. —, 141 S. Ct. 2190, 2200, 210...