Penn, LLC v. Freestyle Software, Inc.
NOT FOR PUBLICATION
Before this Court is Defendant Freestyle Software, Inc.'s (“Defendant” or “Freestyle”) Motion to Dismiss (D.E. 18 (“Motion”)) Plaintiff Penn LLC, d/b/a PulseTV.com's (“Plaintiff” or “PulseTV”) Complaint (D.E. 1 (“Complaint”)) for failure to state a claim upon which relief can be granted pursuant to Federal Rule of Civil Procedure (“Rule”) 12(b)(6). Jurisdiction is proper pursuant to 28 U.S.C. §§ 1331 and 1367. Venue is proper pursuant to 28 U.S.C. § 1391(b). This opinion is issued without oral argument pursuant to Rule 78. For the reasons stated herein, Defendant's Motion is GRANTED IN PART AND DENIED IN PART.
This case arises from a data breach. Plaintiff, a business-to-consumer e-commerce company, sells products to its customers through its website, PulseTV.com. (D.E. 1 ¶¶ 15-16.) Defendant provides e-commerce software and hosting services for hundreds of online stores. (Id. ¶ 2.)
Since March 2001, Plaintiff has used Defendant's online shopping cart technology, SiteLINK Toolkit. (Id. ¶ 21.) Among other things, SiteLINK provides its users with payment-processing services related to bank-card and credit-card transactions. (Id.) In or about 2005, Defendant notified Plaintiff that it would no longer offer SiteLINK outside of Defendant's hosting environment, i.e., its web servers. (Id. ¶ 24.) To convince Plaintiff to transition PulseTV.com's e-commerce store to Defendant's web servers, Defendant and its agents misrepresented the servers' safety, security, and compliance with the Payment Card Industry Data Security Standard (“PCI DSS”).[1] (Id. ¶ 26.) As a result of those misrepresentations, Plaintiff entered into a new services contract with Defendant. (Id. ¶¶ 26, 29, 32-33.)
Defendant's false assurances allegedly continued throughout the parties' years-long business relationship. (Id. ¶¶ 32-33.) For instance, the Complaint alleges that “Freestyle's President[] falsely stated to PulseTV that Freestyle had a plan to become PCI DSS compliant in 2005,” (id. ¶ 27); that “Freestyle's current President, Jim Cahill, later noted that Freestyle had retained a PCI Compliance Officer,” (id.); that “[b]etween 2005 and 2012, Freestyle made numerous misrepresentations to PulseTV that SiteLINK and Freestyle's hosting environment were safe, secure, and PCI DSS compliant,” (id. ¶ 29); and that around March 2012, “Freestyle represented to PulseTV that Freestyle had a plan to maintain PCI compliance,” (id. ¶ 36). Plaintiff asserts that, because of these repeated misrepresentations, it continued to accept updated terms and conditions from Defendant,[2] and Defendant, in turn, became solely responsible for hosting and managing Plaintiff's e-commerce infrastructure. (Id. ¶ 18.) As such, Defendant's network contained highly sensitive information (including “credit and/or debit number(s), expiration date(s), internal bank codes, personal identifying information and/or other confidential financial information”) for tens of thousands of Plaintiff's customers. (Id. ¶ 4.)
In March 2021, Plaintiff received a third-party email notice of a potential Common Point of Purchase (“CPP”).[3] (Id. ¶ 52.) At that time, no evidence of a data breach was discovered. (Id.) Months later, in October 2021, Plaintiff again received a notice of additional CPPs and, in turn, hired forensic investigators to uncover the issue. (Id. ¶¶ 53-54.) Because of Defendant's poor management of its systems, Plaintiff's first forensic investigator was unable to determine the source of the breach. (Id. ¶ 54.) At the behest of several credit brands, Plaintiff continued to investigate the breach. (Id.)
On or around January 11, 2022, Plaintiff engaged Kroll, a global company certified as a PCI Forensic Investigator, to conduct a PCI Forensic Investigation. (Id. ¶ 71.) Kroll determined that Defendant's web server was compromised by malicious software (“malware”) as early as September 9, 2020. (Id. ¶ 72.) The breach was not contained until in or about February 2022. (Id. ¶ 169.) According to the Complaint, Defendant failed to comply with the PCI standards by neglecting to create and retain backups, failing to implement file integrity monitoring, and lacking a change-detection mechanism to alert personnel to unauthorized access to its network. (Id. ¶¶ 63, 65, 73.)
Plaintiff alleges that, if Defendant had complied with the PCI standards, it would have been able to detect and timely resolve the data breach. (Id. ¶ 73.) Instead, the data breach was able to persist from September 2020 until February 3, 2022, which allegedly caused Plaintiff and its customers harm in several ways: data belonging to Plaintiff's customers is now located on the dark web, which means it is available for sale to bad actors with nefarious and illegal purposes, (id. ¶ 69); since the first quarter of 2021, Plaintiff has experienced a near 50 percent decrease in gross sales volumes, (id. ¶¶ 75, 81); many of Plaintiff's customers have unsubscribed from its email distribution lists,[4] (id. ¶¶ 76, 85, 87-88, 90); Plaintiff has lost approximately $902 per week in advertising revenue, which equates to $117,360.88 over the next five years, (id. ¶ 90); and Defendant's inability to assist Plaintiff in concluding the investigation has precluded Plaintiff from mitigating its damages, (id. ¶¶ 64, 77). According to the Complaint, Defendant's breach compromised the payment card information of over 236,000 of Plaintiff's customers and caused losses in excess of $30 million. (Id. ¶¶ 83-84.)
On November 23, 2022, Plaintiff filed the Complaint in this Court, asserting the following claims against Defendant: Declaratory Judgment (Count I); Negligence/Gross Negligence (Count II); Breach of Contract (Count III); Breach of Implied Contract (Count IV); Negligence Per Se (Count V); Negligent Misrepresentation/Fraudulent Inducement (Count VI); Violation of the New Jersey Consumer Fraud Act (“NJCFA”), N.J. Stat. Ann. 56:8-1 et seq. (Count VII); Per Se Violation of the NJCFA (Count VIII); Violation of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 (Count IX); Violation of the New Jersey Truth-In-Consumer Contract, Warranty, and Notice Act (“NJTCNA”), N.J. Stat. Ann. 56:12-15 (Count X); Punitive Damages (Count XI); and Indemnification and Contribution (Count XII). On February 21, 2023, Defendant filed the Motion. (D.E. 18.) The parties timely completed briefing.[5] (D.E. 26, 33.)
An adequate complaint must be “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). This Rule Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (internal citations omitted); see also Phillips v. Cnty. of Allegheny, 515 F.3d 224, 232 (3d Cir. 2008) (confirming that Rule 8 “requires a ‘showing,' rather than a blanket assertion, of an entitlement to relief”). In other words, Rule 8(a)(2) “demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 555). In addition, a plaintiff alleging fraud by a defendant must meet the “stringent pleading restrictions of Rule 9(b)” by pleading with particularity “the circumstances constituting fraud or mistake ....” Frederico v. Home Depot, 507 F.3d 188, 200 (3d Cir. 2007) (quoting Fed.R.Civ.P. 9(b)). To satisfy this heightened pleading standard, “the plaintiff must plead or allege the date, time and place of the alleged fraud or otherwise inject precision or some measure of substantiation into a fraud allegation.” Id. (citing Lum v. Bank of Am., 361 F.3d 2817, 224 (3d Cir. 2004)).
When considering a motion to dismiss under Rule 12(b)(6), a court must “accept all factual allegations as true, construe the complaint in the light most favorable to the plaintiff, and determine whether, under any reasonable reading of the complaint, the plaintiff may be entitled to relief.” Phillips, 515 F.3d at 231 (quoting Pinker v. Roche Holdings, Ltd., 292 F.3d 361, 374 n.7 (3d Cir. 2002)). However, Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 555); see also Fowler v. UPMC Shadyside, 578 F.3d 203, 209-11 (3d Cir. 2009) (discussing the Iqbal standard). “[A] complaint must contain sufficient factual matter, accepted as true, ‘to state a claim to relief that is plausible on its face.'” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 555). Determining whether the allegations in a complaint are “plausible” is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Id. at 679. If “the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct,” the complaint should be dismissed for failing to “show[] . . . that the pleader is entitled to relief.” Id. (quoting Fed.R.Civ.P. 8(a)(2)).
At the outset, this Court notes that Plaintiff has attempted to “withdraw[] without prejudice its First,...