Penn, LLC v. Freestyle Software, Inc.

1

PENN, LLC, d/b/a PULSETV.COM, Plaintiff, v. FREESTYLE SOFTWARE, INC., f/k/a DYDACOMP DEVELOPMENT CORP., INC., Defendant.

Civil Action No. 22-6760 (SDW) (SDA)

United States District Court, D. New Jersey

July 23, 2024

OPINION

SUSAN D. WIGENTON, U.S.D.J.

Before this Court is Defendant Freestyle Software, Inc.'s (“Defendant” or “Freestyle”) Motion to Dismiss (D.E. 49 (“Motion”)) Plaintiff Penn LLC, d/b/a PulseTV.com's (“Plaintiff”) Amended Complaint (D.E. 47 (“Amended Complaint”)) for failure to state a claim upon which relief can be granted pursuant to Federal Rule of Civil Procedure (“Rule”) 12(b)(6). Jurisdiction is proper pursuant to 28 U.S.C. §§ 1332 and 1367. Venue is proper pursuant to 28 U.S.C. § 1391(b). This opinion is issued without oral argument pursuant to Rule 78. For the reasons stated herein, Defendant's Motion is GRANTED IN PART AND DENIED IN PART.

I. FACTUAL BACKGROUND

This case arises from a data breach. Plaintiff, an online retailer, sells products to its customers through its website, PulseTV.com. (D.E. 47 ¶¶ 1, 11.) Defendant provides e-commerce software and hosting services for hundreds of online stores, including Plaintiff's website. (Id. ¶ 20.) Since in or around March of 2001 Defendant has provided Plaintiff with its SiteLINK system, an internet shopping cart technology that, among other things, provides its users with paymentprocessing services related to bank-card and credit-card transactions. (Id. ¶ 28.)

In or about 2005, Defendant notified Plaintiff that, if it wanted to keep using SiteLINK, Plaintiff would need to move PulseTV.com entirely onto Defendant's web servers. (Id. ¶ 29.) Defendant represented that that transition was necessary for its compliance with the Payment Card Industry Data Security Standard (“PCI Standards”).^[1]Plaintiff allegedly relied upon that representation when it agreed to move its website entirely onto Defendant's servers. (Id. ¶ 29.) In the years that followed, Defendant repeatedly reassured Plaintiff-via email, website posts, webinars, and a case study-that SiteLINK was compliant with the PCI Standards. (Id. ¶¶ 4151.) Those affirmations, Plaintiff insists, convinced it to enter into several more iterations of the services agreements. (Id. ¶¶ 30-31.)

Plaintiff contends that Defendant failed to abide by those promises, however. Specifically, Plaintiff avers that, in August or September 2020, hackers installed RAM scraper malicious software (i.e., malware) on the SiteLINK system. (Id. ¶ 2.) The malware, which “target[ed] credit card information temporarily stored in computer memory before the credit card information [wa]s encrypted,” went undetected until February 2022, at which time a PCI forensic investigator hired by Plaintiff uncovered it along with the apparent flaws in Defendant's software security system. (Id. ¶¶ 4, 52-59.)

Defendant contends that the day after the breach was discovered, it identified and removed the malware. (D.E. 49-1 at 9-10.) By then, Plaintiff asserts, the damage was already done; the data breach compromised the payment card information-including cardholder name and address, primary account number, expiration date, and security code (collectively, “Payment Card Data”)- of over 236,000 of Plaintiff's customers, and after Plaintiff disclosed the data breach to its customers, it experienced losses in excess of $30 million. (Id. ¶¶ 83-84.) More specifically, the Amended Complaint alleges that the data breach caused: Payment Card Data belonging to Plaintiff's customers to be dispersed on the dark web, making it available for sale to bad actors with nefarious and illegal purposes, (id. ¶ 58); a near 50 percent decrease in Plaintiff's forecasted revenue and gross sales volumes, (id. ¶¶ 10, 61); a loss of customers from Plaintiff's email distribution lists^[2], (id. ¶¶ 12, 62, 69-74); and losses of approximately $902 per week advertising revenue, which equates to $117,360.88 over the next five years, (id. ¶ 74). Plaintiff maintains that these losses would have been prevented if Defendant had in place adequate measures to safeguard the Payment Card Data. (Id. ¶¶ 88-90.)

II. PROCEDURAL HISTORY

On November 23, 2022, Plaintiff filed with this Court a 12-count complaint against Defendant. (D.E. 1 (“Complaint”).) On February 21, 2023, Defendant filed a motion to dismiss the Complaint, which this Court granted in part and denied in part on September 15, 2023. (D.E. 38, 39.) Plaintiff filed the Amended Complaint on November 14, 2023, alleging against Defendant the following four claims: negligence/gross negligence (Count I); breach of contract (Count II); breach of the implied covenant of good faith and fair dealing (Count III); and negligent misrepresentation (Count IV). (See generally D.E. 47.) On December 12, 2023, Defendant moved to dismiss the Amended Complaint, and the parties completed briefing. (D.E. 49, 53, 56.)

III. LEGAL STANDARD

To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief,” Fed.R.Civ.P. 8(a)(2), in order to “give the defendant fair notice of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (internal quotation marks omitted). The factual allegations, accepted as true, must be sufficient to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Determining whether the allegations in a complaint constitute a “plausible” claim is a “context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Id. at 679.

In considering a motion to dismiss pursuant to Rule 12(b)(6), a district court must conduct a three-step analysis. First, it must “tak[e] note of the elements a plaintiff must plead to state a claim.” Oakwood Lab'ys LLC v. Thanoo, 999 F.3d 892, 904 (3d Cir. 2021) (alteration in original) (quoting Santiago v. Warminster Twp., 629 F.3d 121, 130 (3d Cir. 2010)). Second, the court “disregard[s] threadbare recitals of the elements of a cause of action, legal conclusions, and conclusory statements.” Id. (quoting James v. City of Wilkes-Barre, 700 F.3d 675, 681 (3d Cir. 2012)); see also Twombly, 550 U.S. at 555 (“[C]ourts ‘are not bound to accept as true a legal conclusion couched as a factual allegation.”). Third, the court assumes the veracity of all well-pleaded factual allegations, “constru[es] them in the light most favorable to the plaintiff, and draw[s] all reasonable inferences in the plaintiff's favor.” Lutz v. Portfolio Recovery Assocs., LLC, 49 F.4th 323, 328 (3d Cir. 2022) (citations omitted). “If, after completing this process, the complaint alleges ‘enough fact[s] to raise a reasonable expectation that discovery will reveal evidence of' the necessary elements of a claim, then it plausibly pleads a claim.” Id. (alteration in original) (quoting Twombly, 550 U.S. at 556). If, however, the “well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct,” the complaint should be dismissed for failing to “show[] that the pleader is entitled to relief” as required by Rule 8(a)(2). Id.

IV. DISCUSSION

Although Plaintiff's contract-based claims may proceed, it has once again failed to state a claim sounding in negligence. This Court elaborates further below.

A. Count II: Breach of Contract

To state a claim for breach of contract under New Jersey law, a plaintiff must allege that “the parties entered into a valid contract, that the defendant failed to perform his obligations under the contract[,] and that the plaintiff sustained damages as a result.” Fed Cetera, LLC v. Nat'l Credit Servs., Inc., 938 F.3d 466, 469 (3d Cir. 2019) (quoting Murphy v. Implicito, 920 A.2d 678, 689 (N.J.Super.Ct.App.Div. 2007)); Globe Mot. Co. v. Igdalev, 139 A.3d 57, 64 (N.J. 2016).

As discussed in this Court's previous Opinion, the operative agreement between the parties (D.E. 47-6 (the “Agreement”)) contains a confidentiality provision.^[3]Here, the Amended Complaint, once again, sufficiently asserts that Defendant breached it. According to the Amended Complaint, Defendant was required to safeguard “the data provided by [Plaintiff] . . . by using the same degree of protection that such party uses to protect similar proprietary confidential information, but in no event less than reasonable care,” (id.; D.E. 47 ¶ 99); the Payment Card Data of Plaintiff's customers was seemingly provided to Defendant via Plaintiff's e-commerce shopping cart, (D.E. 47 ¶¶ 1-2); and by failing to either comply with the PCI standards or employ reasonable measures to safeguard the Payment Card Data, Defendant breached the confidentiality provision and caused damages to Plaintiff, (id. ¶¶ 49-50, 60-78).

Defendant presses several arguments that, it contends, justify dismissal of Count II. They are unpersuasive.

First Defendant spills much ink arguing that the confidentiality provision does not extend to Plaintiff's customers' Payment Card Data. “Your Users,” Defendant argues, includes only “person(s) assigned a unique user identification that can utilize [Defendant's] Software under th[e] Agreement,” and Plaintiff, Defendant continues, had only one such user identification. (D.E. 491 at 16.) It is premature for this Court to reach that conclusion. As an initial matter, unique user identification is not a defined term in the Agreement, and to define that term-and thereafter discern who constitutes a User-would require analysis of information beyond the scope of the Amended Complaint and the documents integral thereto.^[4] Moreover, without the benefit of discovery, it is unclear to this Court whether it need even determine the scope of “Your Users.” ...