Jones v. Sturm, Ruger & Co.

1

MARK JONES, et al., Plaintiffs, v. STURM, RUGER & COMPANY, INC., and FREESTYLE SOFTWARE, INC., Defendants.

No. 3:22-cv-1233 (KAD)

United States District Court, D. Connecticut

March 27, 2024

MEMORANDUM OF DECISION RE: DEFENDANTS' MOTIONS TO DISMISS (ECF NOS. 52 & 53)

KARI A. DOOLEY, UNITED STATES DISTRICT JUDGE.

This putative class action arises out of data breach of a server which hosted several ecommerce sites and allegedly resulted in the compromise of personal identifying information (“PII”) belonging to Plaintiffs Mark Jones Michelle Gould, Dicky Warren, Carl Jung, Lauren Copeland, and Lee Woods and those similarly situated. In a three-count Complaint, Plaintiffs assert state law claims for negligence breach of contract, and unjust enrichment against Defendants Freestyle Software, Inc. (“Freestyle”) and Sturm Ruger & Company, Inc. (“Sturm, Ruger”) (collectively, “Defendants”), alleging that the data breach of Freestyle's server, which hosted Sturm Ruger's e-commerce site, provided cybercriminals with access to their sensitive PII and payment card data (“PCD”) which could be used to perpetrate theft, identity crimes, and fraud. Pending before the Court are Defendants' motions to dismiss the Amended Complaint pursuant to Fed.R.Civ.P. 12(b)(1) for lack of Article III standing and Fed.R.Civ.P. 12(b)(6) for failure to state a claim. For the reasons set forth below, both Defendants' motions to dismiss are GRANTED in part and DENIED in part. (ECF Nos. 52 & 53)

Standard of Review Article III limits the subject-matter jurisdiction of the federal courts to “Cases” and “Controversies.” SM Kids, LLC v. Google LLC, 963 F.3d 206, 211 (2d Cir. 2020). The standing doctrine, which emerges from Article III, is designed “to ensure that federal courts do not exceed their authority as it has been traditionally understood.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). A plaintiff has Article III standing when the plaintiff has “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. In a class action, federal courts lack jurisdiction if no named plaintiff has standing. Frank v. Gaos, 586 U.S.-, 139 S.Ct. 1041, 1046 (2019).

A motion to dismiss for lack of Article III standing is properly brought under Fed.R.Civ.P. 12(b)(1). SM Kids, 963 F.3d at 210. When a motion under Rule 12(b)(1) is based solely on the complaint and the attached exhibits, as here, the plaintiff bears no evidentiary burden. Id. In addressing such a “facial” challenge, the task of the district court is to determine whether, after accepting as true all material factual allegations of the complaint and drawing all reasonable inferences in favor of the plaintiff, the alleged facts affirmatively and plausibly suggest that the court has subject matter jurisdiction. Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56-57 (2d Cir. 2016).

To survive a motion to dismiss filed pursuant to Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. “The plausibility standard is not akin to a ‘probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 557). Legal conclusions and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements,” are not entitled to a presumption of truth. Iqbal, 556 U.S. at 678. Nevertheless, when reviewing a motion to dismiss, the court must accept well-pleaded factual allegations as true and draw “all reasonable inferences in the non-movant's favor.” Interworks Sys. Inc. v. Merch. Fin. Corp., 604 F.3d 692, 699 (2d Cir. 2010).

Factual Allegations

Sturm, Ruger is a Connecticut corporation that manufactures firearms and firearm accessories and sells such accessories on www.ShopRuger.com. Am. Compl. 1- 2 ¶¶ 1-2; 7-8 ¶ 22. Freestyle is a New Jersey software developer that services e-commerce platforms such as ShopRuger. Id. at ¶ 1-2. Plaintiff class members consist of Ohio, Arizona, Tennessee, Missouri, Texas, and Michigan residents who made an account or a purchase on ShopRuger. Am. Compl. at 6 ¶¶ 10-15. Defendants required Plaintiffs to provide their names, shipping addresses, email addresses, credit or debit card numbers, card security or access codes, card expiration dates, and billing addresses as a condition of Plaintiffs making an account on or purchasing items from ShopRuger. Am. Compl. at 2 ¶ 2.

On August 18, 2022, Sturm, Ruger notified Plaintiffs and others that Freestyle was a victim of malware that infected its servers between September 18, 2020, and February 3, 2022. Am. Compl. at 3 ¶ 6. Cybercriminals had access to Plaintiffs' PII. Id. Freestyle allegedly removed the malware from the servers in February 2022. Am. Compl. at 12 ¶ 42. Plaintiffs and other affected customers were offered twelve months of free identity protection and a $1,000,000 insurance reimbursement policy. Am. Compl. at 23 ¶ 86; Ex. A, ECF No. 52-2 at 2-3.

Plaintiffs allege that there is a strong possibility that their stolen payment card information is available on the black market, thereby making them at an increased risk of fraud. Am. Compl. at 17 ¶ 64. Plaintiffs and others have spent and will spend substantial time and expense finding fraudulent charges, cancelling and reissuing cards, purchasing credit monitoring and identity theft prevention, spending time addressing compromised accounts, and paying late and declined payment fees a result of failed automatic payments. Am. Comp at 17 ¶ 65; 19 ¶ 74.

Plaintiff Jones suffered five fraudulent charges on the credit card he used to make purchases on ShopRuger. Am. Compl. at 24 ¶ 90. Plaintiff Gould suffered multiple fraudulent transactions on her bank account that was connected to the debit card she used to make purchases on ShopRuger. Am. Compl. at 27 ¶ 113. Plaintiff Gould also spent time disputing the unauthorized charges and paid out-of-pocket for identity theft monitoring services. Am. Compl. at 27 ¶¶ 11718; 29-30 ¶¶ 126-27. Plaintiff Copeland found unauthorized transactions on her bank account and had to twice cancel her debit card. Am. Compl. at 35 ¶¶ 165-66. Plaintiffs generally allege that, as a direct result of Defendants' failure to maintain the security and confidentiality of their PII, they and other similarly situated face imminent and impending injury arising from the substantially increased risk of future fraud, identity theft, burglary,^[1]and misuse. Am. Compl. 26 ¶ 102; 29 ¶ 123; 32 ¶ 142; 34 ¶ 156; 36 ¶ 172; 38 ¶ 186.

Discussion

Both Defendants contend that this Court lacks subject matter jurisdiction because Plaintiffs have failed to establish that they suffered an injury in fact, a prerequisite to Article III standing. Defendants further contend that even if Plaintiffs have standing, they fail to plausibly allege claims for negligence, breach of contract, and unjust enrichment.

Standing - 12(b)(1) To establish Article III standing, a plaintiff must allege an injury in fact that satisfies three criteria. The injury must be “concrete, particularized, and actual or imminent.” Thole v. U.S. Bank N.A., 140 S.Ct. 1615, 1618 (2020). Whether an injury in fact is concrete and actual or imminent are related, but separate and distinct inquiries.^[2]

The Supreme Court's decision in TransUnion v. Ramirez, 594 U.S. 413 (2021) controls as to whether Plaintiffs have alleged a concrete injury. See Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276 (2d Cir. 2023). In TransUnion, the Supreme Court recognized that concrete harm may be both tangible-invoking traditional notions of injury, such as physical or monetary harms-as well as intangible. TransUnion 594 U.S. at 425. As to intangible harms, the Supreme Court held that “disclosure of private information” was an intangible harm “traditionally recognized as providing a basis for lawsuits in American courts.” Id. at 424. Therefore, the injury arising from such disclosure was concrete for the purposes of the Article III standing analysis. Id.

The Second Circuit has concluded that a plaintiff may also establish concrete harm based on expenses “reasonably incurred” to mitigate “a substantial risk of future identity theft or fraud” as a result of a data breach, and that this separate harm independently supports standing. Bohnak, 79 F.4th at 286 (quoting McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (2d Cir. 2021)). For such an expense to be reasonable, however, the plaintiff must also show that the risk of misuse is “actual and imminent.” Id. at 288. In Bohnak, another data breach case, the Second Circuit linked the determination of whether a harm is concrete to the determination of whether it is also actual or imminent. A future injury constitutes an Article III injury in fact “if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Susan B. Anthony List v Driehaus, 573 U.S. 149, 158 (2014) (internal quotation marks omitted). In McMorris, the Second Circuit set forth “three non-exhaustive factors” that bear on whether an injury is actual or imminent in a data breach case: (1) “whether the data was compromised as the result of a targeted attack intended to get” PII; (2) whether “some part of the compromised dataset has...