Toretto v. Donnelley Fin. Solutions, Inc.

523 F.Supp.3d 464

Phillip TORETTO, Daniel C. King, and Sheri Braun, individually and on behalf of others similarly situated, Plaintiffs,

v.DONNELLEY FINANCIAL SOLUTIONS, INC. and Mediant Communications, Inc., Defendants.

1:20-cv-2667-GHW

United States District Court, S.D. New York.

Signed March 5, 2021

John A. Yanchunis, Morgan & Morgan, P.A., Carrie Ann Laliberte, Elaine A. Ryan, Phoenix, AZ, John Austin Moore, Lindsay Todd Perkins, Norman E. Siegel, Stueve Siegel Hanson LLP, Kansas City, MO, Patricia N. Syverson, San Diego, CA, Ryan McGee, Morgan & Morgan Complex Litigation Group, Tampa, FL, Amanda Peterson, Morgan & Morgan, New York, NY, for Plaintiffs Phillip Toretto, Daniel C. King.

Carrie Ann Laliberte, Elaine A. Ryan, Phoenix, AZ, John Austin Moore, Lindsay Todd Perkins, Norman E. Siegel, Stueve Siegel Hanson LLP, Kansas City, MO, Patricia N. Syverson, San Diego, CA, for Plaintiff Sheri Braun.

David T. Cohen, Orrick, Herrington & Sutcliffe LLP, New York, NY, Douglas H. Meal, Orrick, Herrington & Sutcliffe LLP, Boston, MA, Michelle L. Visser, Orrick, Herrington & Sutcliffe LLP (San Francisco), San Francisco, CA, for Defendant Donnelley Financial Solutions, Inc.

Casie D. Collignon, Baker Hostetler Denver Denver, CO, for Defendant Mediant Communications, Inc.

MEMORANDUM OPINION AND ORDER

GREGORY H. WOODS, United States District Judge:

Defendants Donnelley Financial Solutions ("Donnelley") and Mediant Communications, Inc. ("Mediant") work together to provide proxy services for public companies and mutual funds. In 2019, hackers breached one of Mediant's servers. The hackers stole the personal information of over 200,000 people, including Plaintiffs. Plaintiffs brought this action against Mediant alleging, among other things, that Mediant was negligent in the implementation of its cyber security policies. Although the breach itself occurred at Mediant, Plaintiffs allege that Donnelley too was negligent because it failed to adequately supervise Mediant's cyber security practices.

In this set of motions, Defendants challenge Plaintiffs’ standing to bring the claims against them. Defendants’ arguments focus on the sufficiency of the complaints’ allegations regarding whether Donnelley and Mediant are partners—Donnelley contends that unless it is demonstrated to have been Mediant's partner, Plaintiffs’ injuries cannot be "fairly traceable" to it. And Mediant contends that it cannot be held liable for breaches of contracts entered into by Donnelley unless it is shown to have been Donnelley's partner. But the motion disregards the complaint's allegations that each of the Defendants directly caused Plaintiffs’ alleged injuries, and confuses the standard for pleading the merits of a claim and that for standing. Because the complaint makes the modest showing required to plead standing, Defendants’ motions to dismiss are denied.

I. BACKGROUND

A. Facts

1. The Hack

On April 1, 2019, hackers accessed the business email accounts of Mediant. Second Am. Compl. ("SAC"), Dkt. No. 57, ¶¶ 16. The hackers stole the personal information of a number of individuals, including the named plaintiffs in this case. Id. ¶¶ 6–8, 29–30, 36–38, 42–43. Mediant had received the stolen information as part of its business providing investor communication services to financial institutions. ¶ 20. Mediant discovered the hack the day of the intrusion, and promptly disconnected the affected server from its system. Id. ¶ 16. Mediant began an investigation into the breach, but the company did not immediately notify the impacted customers. Id. It was not until the end of May 2019, nearly two months after the breach that Mediant notified the affected customers. Id. ¶ 17. The breach was truly massive: notices went out to "over 200,000 individuals in all fifty states and the District of Columbia and Puerto Rico." Id.

Plaintiffs allege that the hack was enabled by Mediant's poor network security. "The criminal hackers would not have been able to gain access to four email accounts simultaneously but for Mediant maintaining deficient controls to prevent and monitor for unauthorized access." Id. ¶ 23. And Mediant did not encrypt personal information stored in the company's system. Id. ¶ 18. Plaintiffs also allege that Mediant failed to adequately notify its customers regarding the breach. Id. ¶¶ 26–27.

2. The "Partnership"

The hackers attacked Mediant, but Mediant is not the only target of this lawsuit. That is because Mediant worked together with Donnelley to provide investor communication services. It was through Mediant's working relationship with Donnelley that Mediant received the personal information of the named plaintiffs in this case. Id. ¶¶ 30, 37, 43. The Defendants’ motions focus on the nature of the relationship between Mediant and Donnelley. In particular, the motions challenge whether Donnelley's involvement in Mediant's business was sufficient for Donnelley to be sued for the alleged deficiencies in Mediant's cybersecurity, and whether the two companies are adequately alleged to have been "partners," such that Mediant can be bound by contracts signed by Donnelley.

Donnelley describes itself as "a leader in risk and compliance solutions, providing insightful technology, industry expertise and data insights to clients across the globe." Id. ¶ 13. Donnelley offers a broad range of products and services, significantly here in technology, initial public offerings, mergers and acquisitions, proxy services, and other global filings. Id. Mediant "holds itself out as a leader in investor communications, offering ‘game-changing new technologies for banks, brokers, fund companies, and issuers.’ " Id. ¶ 14.

Donnelley and Mediant work together to provide proxy services. Id. ¶ 15. The pair describe themselves as "the perfect partnership to power [their clients’] fund proxies." Id. Defendants’ marketing materials describe the pair as "industry's only single-source solution for start-to-finish fund proxy services." Id. (quoting The Perfect Partnership to Power Your Fund Proxies , https://www.dfinsolutions.com/insights/fact-sheet/dfin-and-mediant-perfect-partnership-power-you-fund-proxies ).

Partially in reliance on Donnelley and Mediant's description of themselves as a partnership, the complaint alleges that the pair formed a legal partnership, and refers to them collectively as the "Partnership." The complaint alleges that Donnelley "had equal rights in the management and conduct of the Partnership." Id. ¶ 26. It also states that, in particular, Donnelley had the "right as a partner in the Partnership" to "exercise appropriate managerial oversight of Mediant's data security." Id.

The complaint alleges that the companies and investment funds that used the pair's services hired both of them together—not just one or the other, but instead, the touted "perfect partnership." Id. ¶ 1. The complaint alleges that "[p]ublic companies and mutual funds hire Donnelley and Mediant as their proxy agent to distribute materials to shareholders, coordinate shareholder votes, and tabulate voting results." Id. The allegation is that the pair are hired jointly as the singular "proxy agent" for the companies and funds. Id.

Donnelley is alleged to be liable for the security breach at Mediant for two reasons. First, Plaintiffs assert that Donnelley is vicariously liable for the hack at Mediant and its consequences because the pair were partners. Id. ¶ 130 ("[B]y entering into a partnership with Mediant for the provision of proxy services, Donnelley is vicariously liable for Mediant's failures as alleged herein."); see also id. ¶¶ 4, 26, 140. The complaint attributes many of the asserted deficiencies that led to the breach, and in the response to the breach, to the "Partnership."

Second, Plaintiffs assert that Donnelley was directly liable for the plaintiffs’ injuries because of its alleged "failure to exercise appropriate managerial oversight of Mediant's data security." Id. ¶¶ 4, 26. Donnelley is alleged to have failed "to ensure its agent and partner Mediant implemented security systems, protocols and practices sufficient to protect Plaintiffs’ and Class Members’ Personal Information" and failed "to supervise its agent and partner Mediant regarding Mediant's data security systems, protocols and practices when it knew or should have known those systems, protocols and practices were inadequate." Id. ¶ 129. Donnelley is also alleged to have been directly liable as a result of its conduct after the breach because it failed "to timely disclose that Plaintiffs’ and Class Members’ Personal Information had been improperly acquired or accessed." Id. Donnelley is also alleged to have violated contracts of which Plaintiffs were third party beneficiaries. Id. ¶¶ 145–49.

3. Plaintiffs’ Claims to be Third Party Beneficiaries of Donnelley and Mediant's Contracts with Their Customers

Plaintiffs assert that they are third party beneficiaries of contracts entered into between Donnelley and its customers—the funds and companies to whom it provides proxy and other financial services. Donnelley "entered into contracts with public companies and mutual funds to provide and perform proxy services." Id. ¶ 145. The personal information of each of the named Plaintiffs was stolen as a result of their investment in identified funds. In the case of each named Plaintiff, the relevant fund had entered into a direct contractual relationship with Donnelley for the provision of proxy services. See, e.g. , id. ¶ 30 ("Donnelley had the direct contractual relationship with Blackstone Real Estate Income Trust, Inc. or its agents for the performance of the Partnership's proxy services."); see also id. ¶¶ 37, 43 (alleging the same with respect to funds in which the other named Plaintiffs invested). The complaint also alleges that "[i]n some instances, acting in the ordinary course of the Partnership, Mediant also directly contracted with public companies and mutual funds to provide and perform proxy services. Id. ¶ 145.

The complaint...