IN THE UNITED STATES DISTRICT COURT NORTHERN...
Transcript of IN THE UNITED STATES DISTRICT COURT NORTHERN...
108709
IN THE UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA
ATLANTA DIVISION
In re: The Home Depot, Inc. Customer Data Breach Litigation This Document Relates to: All Financial Institution Cases
)))))))
MDL No. 14-02583-TWT
FINANCIAL INSTITUTION PLAINTIFFS’ MEMORANDUM IN OPPOSITION TO HOME DEPOT’S MOTION TO DISMISS
“If we rewind the tape, our security systems could have been better… Data security just wasn’t high enough
in our mission statement.”
Frank Blake, Home Depot’s recently retired Chief Executive Officer and Current Chairman of the Board
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 1 of 68
i
TABLE OF CONTENTS
PAGE �
INTRODUCTION ..................................................................................................... 1�
FACTUAL BACKGROUND .................................................................................... 4�
ARGUMENT AND CITATION OF AUTHORITY ................................................. 7�
I.� ARTICLE III STANDING EXISTS ..................................................... 7�
A.� Plaintiffs Suffered Concrete Injuries, Traceable to Home Depot, That Can Be Redressed by a Judgment in Their Favor .............................................................................. 7�
B.� Home Depot’s Standing Arguments are Meritless ..................... 9�
1.� Each Plaintiff Has Sufficiently Alleged a Concrete Injury ................................................................. 9�
2.� Mitigation Costs Incurred by Plaintiffs Confer Standing .......................................................................... 11�
3.� Lost Card Value Constitutes an Injury-in-Fact .............. 14�
II.� PLAINTIFFS ADEQUATELY PLEAD NEGLIGENCE CLAIMS .............................................................................................. 15�
A.� The Economic Loss Rule Does Not Bar the Negligence Claims .................................................................... 15�
B.� Home Depot Owed a Legal Duty to Plaintiffs .......................... 21�
C.� Plaintiffs Allege that the Criminal Acts Were Foreseeable ................................................................................ 27�
D.� Plaintiffs Adequately Plead a Negligence Per Se Claim ......................................................................................... 28�
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 2 of 68
ii
III.� PLAINTIFFS STATE VALID CLAIMS FOR EQUITABLE RELIEF ............................................................................................... 33�
IV.� PLAINTIFFS ADEQUATELY ALLEGE STATUTORY CLAIMS .............................................................................................. 37�
A.� Plaintiffs Have Standing to Assert Statutory Claims. ............... 37�
B.� Plaintiffs Have Alleged an Unfair Practice Under Each Statute. .............................................................................. 38�
C.� Plaintiffs Plead All Essential Elements of Each Statute. ....................................................................................... 39�
V.� PLAINTIFFS’ CLAIMS ARE RIPE .................................................. 47�
CONCLUSION ........................................................................................................ 50�
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 3 of 68
iii
TABLE OF AUTHORITIES PAGE
Cases
Aetna Life Ins. Co. of Hartford, Conn. v. Haworth, 300 U.S. 227 (1937) ............................................................................................ 48
Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) .............................................................. 27
Amick v. BM & KM, Inc., 275 F. Supp. 2d 1378 (N.D. Ga. 2003) ............................................................... 28
Anderson v. City of Alpharetta, 770 F.2d 1575 (11th Cir. 1985) .......................................................................... 15
Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) .................................................................. 12, 13, 27
Arcia v. Fla. Sec'y of State, 772 F.3d 1335 (11th Cir. 2014) .......................................................................... 37
Argonaut Midwest Ins. Co. v. McNeilus Truck & Mfg., Inc., No. 1:11-cv-3495, 2013 WL 489141 (N.D. Ga. Feb. 8, 2013) .......................... 17
Ashcroft v. Iqbal, 556 U.S. 662 (2009) .............................................................................................. 7
Atlanta & W. Point R.R. Co. v. Underwood, 126 S.E.2d 785 (Ga. 1962) ................................................................................. 33
Banknorth, N.A. v. BJ's Wholesale Club, Inc., 394 F. Supp. 2d 283 (D. Me. 2005) ................................................. 16, 20, 23, 48
Bans Pasta, LLC v. Mirko Franchising, LLC, No. 7:13-cv-00360-JCT, 2014 WL 637762 (W.D. Va. Feb. 12, 2014) ...... 29, 31
Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) .............................................................................................. 7
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 4 of 68
iv
Bishop v. Shorter Univ., Inc., No. 4:15-CV-00033-HLM (N.D. Ga. June 4, 2015) ..................... 1, 3, 15, 21, 27
BJ's Wholesale Club, 140 F.T.C. 465 (2005) ........................................................................................ 38
Blake v. Fed. Way Cycle Ctr., 698 P.2d 578 (Wash. Ct. App. 1985) .................................................................. 46
Blizzard Entm't, Inc. v. Ceiling Fan Software LLC, 28 F. Supp. 3d 1006 (C.D. Cal. 2013) ................................................................ 41
Bolin v. Story, 225 F.3d 1234 (11th Cir. 2000) .......................................................................... 35
Bradley Ctr., Inc. v. Wessner, 296 S.E.2d 693 (Ga. 1982) ................................................................................. 21
Brock v. Avery Co., 110 S.E.2d 112 (Ga. Ct. App. 1959) ................................................................... 24
CardSystems Solutions, Inc., No. C-4168, 2006 WL 2709787 (F.T.C. Sep. 5, 2006) ...................................... 38
Cel-Tech Commc'ns, Inc. v. L.A. Cellular Tel. Co., 973 P.2d 527 (Cal. 1999) .................................................................................... 40
Chabner v. United of Omaha Life Ins. Co., 225 F.3d 1042 (9th Cir. 2000) ............................................................................ 41
Citizens Bank of Pa. v. Reimbursement Techs., Inc., No. 12-1169, 2014 WL 2738220 (E.D. Pa. 2014) .............................................. 26
City of Atlanta v. Benator, 714 S.E.2d 109 (Ga. Ct. App. 2011) ................................................................... 19
Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013) ............................................................................. 7, 11, 12
Corbitt v. Walgreen Co., No. 7:14-CV-17 (MTT), 2015 WL 1726011 (M.D. Ga. Apr. 15, 2015) .... 21, 22
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 5 of 68
v
Cumis Ins. Soc'y, Inc. v. Merrick Bank Corp., No. CIV 07-374, 2008 WL 4277877 (D. Ariz. Sept. 18, 2008) ......................... 18
Dekalb Cnty. v. HSBC N. Am. Holdings, Inc., No. 1:12-CV-03640-SCJ, 2013 WL 7874104 (N.D. Ga. Sept. 25,
2013) ................................................................................................................... 47
Dempsey v. Joe Pignataro Chevrolet, Inc., 589 P.2d 1265 (Wash. Ct. App. 1979) ................................................................ 46
Downes-Patterson Corp. v. First National Supermarkets, Inc., 780 A.2d 967 (Conn. App. Ct. 2001) ................................................................. 42
Edmunds v. Cowan, 386 S.E. 2d 39 (Ga. Ct. App. 1989) ................................................................... 27
Erickson v. Pardus, 551 U.S. 89 (2007) ................................................................................................ 7
FEC v. Lance, 635 F.2d 1132 (5th Cir. 1981) ............................................................................ 48
Forum Architects LLC v. Candela, No. 1:07cv190/SPM/AK, 2008 WL 5101779 (N.D. Fla. Nov. 26, 2008) ................................................................................................................... 48
FTC v. Kitco of Nevada, Inc., 612 F. Supp. 1282 (D. Minn. 1985) .................................................................... 32
FTC v. Sperry & Hutchinson Co., 405 U.S. 233 (1972) ............................................................................................ 32
FTC v. World Wide Factors, Ltd., 882 F.2d 344 (9th Cir. 1989) .............................................................................. 32
FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014) .................................................... 24, 30, 32, 38
Galaria v. Nationwide Mutual Insurance Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014) ............................................................... 14
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 6 of 68
vi
Garrett v. RentGrow, Inc., No. 04 C 8309, 2005 WL 1563162 (N.D. Ill. July 1, 2005) .............................. 43
Gemtel Corp. v. Cmty. Redev. Agency of L.A., 23 F.3d 1542 (9th Cir. 1994) .............................................................................. 48
General Electric Co. v. Lowe’s Home Centers, Inc., 608 S.E.2d 636 (Ga. 2005) .......................................................................... 18, 19
Giordano v. Wachovia Sec., LLC, 2006 WL 2177036 (D.N.J. July 31, 2006) ......................................................... 14
Green v. Ebay Inc., No. 14-1688, 2015 WL 2066531 (E.D. La. May 4, 2015) ................................. 13
Hanover Ins. Co. v. Hermosa Constr. Group, LLC, 57 F. Supp. 3d 1389 (N.D. Ga. 2014) .................................................... 16, 17, 18
Heartland, 834 F. Supp. 2d at 604 ........................................................................................ 43
Hodges v. Putzel Elec. Contractors, 580 S.E.2d 243 (Ga. Ct. App. 2003) ................................................................... 22
Holbrook v. Exec. Conference Ctr., Inc., 464 S.E.2d 398 (Ga. Ct. App. 1995) ................................................................... 31
Hunt v. Wash. State Apple Adver. Comm'n, 432 U.S. 333 (1977) ............................................................................................ 36
Iconix, Inc. v. Tokuda, 457 F. Supp. 2d 969 (N.D. Cal. 2006) ................................................................ 41
In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Ca. 2014) ........ 8, 9, 10, 11, 12, 14, 34, 35, 38, 40, 41
In re Atlas Roofing Corp. Chalet Shingle Products Liability Litigation, No. 1:13-md-2495-TWT, 2015 WL 114285 (N.D. Ga. Jan. 8, 2015) ................ 36
In re Facebook Privacy Litig., 572 Fed. App'x 494 (9th Cir. 2014) .................................................................... 14
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 7 of 68
vii
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108 (D. Me. 2009), aff'd in part, rev'd in part on other grounds, Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) ........................................................................ 23, 26
In re Heartland Payment Sys. Inc. Customer Data Breach Sec. Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011) ................................................................ 43
In re Managed Care Litig., 298 F. Supp. 2d 1259 (S.D. Fla. 2003) ............................................................... 36
In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011) ........................................................... 43, 44
In re Science Applications International Corp (SAIC) Backup Tape Data Theft Litigation, 45 F. Supp. 3d 14 (D.D.C. 2014) ........................................................................ 14
In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014) .................................................... 22, 34, 35
In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 2015 WL 2165432 (D. Minn. May 7, 2015) ...................... 49
In re Target Corp. Customer Data Sec. Breach Litig. (“Target (FI Track)”),
64 F. Supp. 3d 1304 (D. Minn. 2014) ........................................ 15, 22, 23, 25, 45
In re Target Corp. Customer Data Sec. Breach Litig. (“Target (Consumer Track)”),
66 F. Supp. 3d 1154 (D. Minn. 2014) ................................................ 9, 20, 21, 34 In re TJX Cos. Retail Sec. Breach Litig.,
564 F.3d 489 (1st Cir. 2009) ........................................................................ 15, 44
In re Zappos.com, Inc., No. 3:12-cv-00325, 2013 WL 4830497 (D. Nev. Sept. 9, 2013) ....................... 23
In re Zappos.com, Inc., No. 3:12-cv-00325, 2015 WL 3466943 (D. Nev. June 1, 2015) ........................ 13
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 8 of 68
viii
Intercoastal Realty, Inc. v. Tracy, 706 F. Supp. 2d 1325 (S.D. Fla. 2010) ............................................................... 43
James D. Hinson Elec. Contracting Co. v. BellSouth Tel., Inc., No. 3:07-cv-598-J-32MCR, 2008 WL 360803 (M.D. Fla. Feb. 8, 2008) ................................................................................................................... 43
Jasty v. Wright Med. Tech., Inc., 528 F.3d 28 (1st Cir. 2008) ................................................................................. 44
Kelly v. Palmer, Reifler, & Assocs., P.A., 681 F. Supp. 2d 1356 (S.D. Fla. 2010) ............................................................... 43
Kerfoot v. FNF Serving, Inc., No. 1:13-cv-33, 2013 WL 5797662 (M.D. Ga. Oct. 25, 2013) ............................ 8
Kwikset Corp. v. Superior Court, 246 P.3d 877 (Cal. 2011) .................................................................................... 34
Lee v. FTC, 679 F.2d 905 (D.C. Cir. 1980) ............................................................................ 32
Legacy Acad., Inc. v. Mamilove, LLC, 761 S.E.2d 880 (Ga. Ct. App. 2014), aff'd in part and rev'd in part on other grounds, 771 S.E.2d 868 (Ga. 2015) .................................................. 29, 31
Liberty Mut. Fire Ins. Co. v. Cagle's, Inc., No. 1:10-cv-2158, 2010 WL 5288673(N.D. Ga. Dec. 16, .................... 16, 17, 18
Life is Good, Inc., No. C-4218, 2008 WL 1839971 (F.T.C. April 16, 2008) ................................... 38
Lombard's, Inc. v. Prince Mfg., Inc., 753 F.2d 974 (11th Cir.1985), cert. denied, 474 U.S. 1082 (1986) ..................... 7
Lone Star Nat'l Bank v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013) ................................................................. 20, 21, 22
Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) ............................................................................................ 10
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 9 of 68
ix
McLain v. Mariner Health Care, 631 S.E.2d 435 (Ga. Ct. App. 2006) ................................................................... 25
MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118 (2007) ............................................................................................ 35
Miller v. Bank of Am., No. CGC-99-301917, 2004 WL 2403580 (Cal. Super. Ct. Oct. 13, 2004) ................................................................................................................... 40
Monroe v. Bd. of Regents, 602 S.E.2d 219 (Ga. Ct. App. 2004) ................................................................... 25
Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010) ............................................................................................ 12
Pa. State Emps. Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, 2006 WL 1724574 (M.D. Pa. Jun. 16, 2006) ..................... 49
Perola v. Citibank (S.D.) N.A, 894 F. Supp. 2d 188 (D. Conn. 2012) ................................................................. 42
Powell v. McCormack, 395 U.S. 486 (1969) ............................................................................................ 34
Pulte Home Corp. v. Simerly, 746 S.E.2d 173 (Ga. Ct. App. 2006) ............................................................ 25, 28
Quality Foods de Centro Am., S.A. v. Latin Am. Agric. Dev. Corp., S.A., 711 F.2d 989 (11th Cir. 1983) .............................................................................. 7
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) ................................................................................. 13
Remax The Mountain Co. v. Tabsum, Inc., 634 S.E.2d 77 (Ga. Ct. App. 2006) ..................................................................... 19
Remijas v. Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015) ............ 8, 9, 11, 12, 14
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 10 of 68
x
Resnick v. Avmed, Inc., 693 F.3d 1317 (11th Cir. 2012) ..................................................... 8, 9, 11, 15, 23
Rosen v. Protective Life Ins. Co., No. 1:09-cv-03620, 2010 WL 2014657 (N.D. Ga. May 20, 2010) .................... 16
Rowe v. Akin & Flanders, Inc., 525 S.E.2d 123 (Ga. Ct. App. 1999) ................................................................... 25
Saladin v. City of Milledgeville, 812 F.2d 687 (11th Cir. 1987) ............................................................................ 11
Salois v. Mut. of Omaha Ins. Co., 581 P.2d 1349 (Wash. 1978) .............................................................................. 46
Savannah, Fla. & W. RY. Co. v. Pritchard, 1 S.E. 261 (Ga. 1887) ......................................................................................... 13
Brock v. Avery Co., 110 S.E.2d 112 (Ga. Ct. App. 1959) ................................................................... 24
Sheppard v. Yara Engineering Corp., 281 S.E.2d 586 (Ga. 1981) ................................................................................. 17
St. Mary's Hosp. v. Radiology Professional Corp., 421 S.E.2d 731 (Ga. Ct. App. 1992) ................................................................... 30
State v. O'Neill Investigations, Inc., 609 P.2d 520 (Alaska 1980) ............................................................................... 40
Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill. 2014) .................................................................... 13
Strickland v. Alexander, 772 F.3d 876 (11th Cir. 2014) ............................................................................ 35
Svenson v. Google Inc., No. 13-cv-04080, 2015 WL 1503429 (N.D. Cal. Apr. 1, 2015) ........................ 14
Teague v. Keith, 108 S.E.2d 489 (Ga. 1959) ................................................................................. 31
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 11 of 68
xi
TechBios, Inc. v. Champagne, 688 S.E.2d 378 (Ga. Ct. App. 2009) ................................................................... 25
Tidikis v. Network for Med. Commc'ns & Research, LLC, 619 S.E.2d 481 (Ga. Ct. App. 2005) ................................................................... 25
Tiller v. State Farm Mut. Auto. Ins. Co., No. 1:12-CV-3432-TWT, 2013 WL 451309 (N.D. Ga. Feb. 5, 2013), aff'd, 549 F. App'x 849 (11th Cir. 2013) ............................................................ 35
TJX Cos., No. C-4227, 2008 WL 3150421 (F.T.C. July 29, 2008) .................................... 38
Unger v. Bryant Equip. Sales & Servs., Inc., 335 S.E.2d 109 (Ga. 1985) ................................................................................. 20
United States Ass'n of Credit Bureaus v. FTC, 299 F.2d 220 (7th Cir. 1962) .............................................................................. 32
United States Retail Credit Ass'n. Inc. v. FTC, 300 F.2d 212 (4th Cir. 1962) .............................................................................. 32
United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669 (1973) ............................................................................................ 10
Via Mat Int'l S. Am. Ltd. v. United States, 446 F.3d 1258 (11th Cir. 2006) ............................................................................ 8
Waldrip v. Voyles, 411 S.E.2d 765 (Ga. 1991) .......................................................................... 17, 18
Wells Fargo Bank v. Jenkins, 744 S.E.2d 686 (Ga. 2013) .......................................................................... 29, 31
West v. Mache of Cochran, Inc., 370 S.E.2d 169 (Ga. Ct. App. 1988) ................................................................... 31
Willingham v. Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702
(N.D. Ga. Feb. 5, 2013) ......................................................................... 20, 21, 26
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 12 of 68
xii
Windemere, Ltd. v. Bettes, 438 S.E.2d 406 (Ga. Ct. App. 1993) ..................................................................... 8
Worix v. MedAssets, Inc., 869 F. Supp. 2d 893 (N.D. Ill. 2012) .................................................................. 26
Zhang v. Superior Court, 304 P.3d 163 (Cal. 2013) .................................................................................... 41
Statutes
15 U.S.C. § 45(a)(1) ................................................................................................. 24
28 U.S.C. § 2201 et seq., .......................................................................................... 33
28 U.S.C. § 2202 ...................................................................................................... 34
Alaska Stat. Ann. § 45.50.471 ................................................................................. 39
Alaska Stat. Ann. § 45.50.471(b) ............................................................................. 39
Alaska Stat. Ann. § 45.50.471(b)(55) ...................................................................... 39
Alaska Stat. Ann. § 45.50.545 ................................................................................. 39
Cal. Bus. & Prof. Code § 17200 ....................................................................... 40, 41
Cal. Bus. & Prof. Code § 17201 .............................................................................. 41
Cal. Bus. & Prof. Code § 17204 .............................................................................. 41
Cal. Bus. & Prof. Code § 22578 .............................................................................. 40
Cal. Civ. Code § 1798.1 ........................................................................................... 40
Cal. Civ. Code § 1798.81.5(a) ................................................................................. 40
Cal. Civ. Code § 1798.81.5(b) ................................................................................. 41
Conn. Gen Stat. § 42-110g ....................................................................................... 34
Fla. Stat. Ann. § 502.202(2) ..................................................................................... 43
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 13 of 68
xiii
Fla. Stat. Ann. § 501.211(1) ..................................................................................... 34
815 ILCS 505/10a(c) ................................................................................................ 34
Mass. Gen. Laws Ann. ch. 93A § 11 ....................................................................... 34
Minn. Stat. § 325E.64 .............................................................................................. 13
Minn. Stat. § 325E.64, subd. 2 ................................................................................. 45
O.C.G.A. § 13-6-11 .................................................................................................... 8
O.C.G.A. § 23-2-58 .................................................................................................. 25
O.C.G.A. § 51-1-6 .................................................................................................... 28
O.C.G.A. § 51-1-8 .................................................................................................... 25
O.C.G.A. § 51-1-11(a) ...................................................................................... 16, 19
O.C.G.A. § 51-12-11 ................................................................................................ 13
Wash. Rev. Code § 19.255.020 ......................................................................... 13, 45
Wash. Rev. Code § 19.255.020(3)(a) ...................................................................... 46
Wash. Rev. Code § 19.86.020 .................................................................................. 46
Wash. Rev. Code § 19.86.090 .................................................................................. 34
Other Authorities
7AA CHARLES A. WRIGHT, ET AL., FEDERAL PRACTICE AND PROCEDURE § 1775 (3d ed. 2008) ........................................................................................... 34 WILLIAM L. PROSSER & W. PAGE KEETON, LAW OF TORTS § 53 at 356, 358 (5th ed. 1984) ........................................................................... 21
RESTATEMENT (SECOND) OF TORTS § 282 ................................................................ 21
RESTATEMENT (SECOND) OF TORTS § 919 ................................................................ 13
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 14 of 68
1
INTRODUCTION
Judge Murphy recently refused to dismiss a negligence claim by students
whose personal data was stolen after the door to the room containing their records
was left unlocked. Bishop v. Shorter Univ., Inc., No. 4:15-CV-00033-HLM (N.D.
Ga. June 4, 2015). Home Depot’s misconduct was far worse. For years, Home
Depot left the virtual doors to its computer systems wide open despite repeated
warnings about what would happen if security was not improved. The results were
devastating and entirely foreseeable: one of the largest retail data breaches in
history and use of the stolen information to make millions of fraudulent
transactions on credit and debit cards belonging to Home Depot customers.
The brunt of the financial loss has been borne by Plaintiffs – the financial
institutions that issued the cards, paid for the fraudulent transactions and were
forced to reissue millions of cards to mitigate the ongoing fraud. Plaintiffs bring
this action to recover their losses from Home Depot on claims of negligence,
negligence per se, and violation of various state statutes and for appropriate
equitable relief. Home Depot moves to dismiss Plaintiffs’ claims. None of the
grounds for the motion have merit. The motion should be denied.
First, Home Depot argues Plaintiffs lack standing, ignoring that Plaintiffs
paid for their customers’ fraud losses – the type of concrete, economic injury that
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 15 of 68
2
readily confers standing. Instead, Home Depot asserts no standing exists because
“the vast majority” of Plaintiffs’ damages are due to their “voluntary” decision to
reissue cards to prevent “hypothetical future harm.” Setting aside that Home
Depot’s factual allegations cannot be considered on a motion to dismiss, Plaintiffs
allege they had out-of-pocket financial loss from reimbursing their customers for
fraud losses stemming from the breach – the quintessential injury-in-fact – and
reissued cards in the face of substantial risk of actual and impending harm and
under a legal duty to mitigate their damages. These allegations are sufficient.
Second, Home Depot argues Plaintiffs’ negligence and negligence per se
claims are barred by the economic loss rule. While prohibiting recovery in tort for
purely economic losses from a breach of contract, the rule does not apply if a right
of action exists independent of the contract. Plaintiffs do not seek damages
stemming from breach of contract, but breach of an independent tort duty. Thus,
the rule is inapplicable.
Third, Home Depot seeks dismissal of the negligence and negligence per se
claims because it purportedly had no duty to protect Plaintiffs from a “criminal
intrusion.” Yet, Georgia imposes a common law duty of reasonable care to avoid
causing foreseeable injury to others. In the Target data breach litigation, Judge
Magnuson recently construed similar Minnesota law to impose a duty owed to the
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 16 of 68
3
financial institutions to protect cardholder data. And, as Judge Murphy held in
Bishop, foreseeable intervening criminal activity does not relieve a defendant from
liability. Moreover, Section 5 of the Federal Trade Commission Act imposes a
statutory duty not to engage in unfair practices, which the FTC has repeatedly
determined includes the failure to maintain reasonable data security measures.
Fourth, Plaintiffs have adequately alleged a case or controversy under the
Declaratory Judgment Act, entitlement to equitable relief and an imminent risk of
future harm if Home Depot’s data security problems are not fixed. That Home
Depot contests the accuracy of these allegations is no basis for dismissal.
Fifth, in asserting Plaintiffs have no claim under any state statutes, Home
Depot misreads the complaint and applicable law. Plaintiffs adequately plead
statutory violations in eight states.
Sixth, Home Depot argues that Plaintiffs’ claims are not ripe because
Plaintiffs could “potentially” recover some of their losses through what it terms the
“Card Brand Recovery Process.” That process arises from contracts not before the
Court and thus cannot be considered on a motion to dismiss. Regardless, the
ripeness doctrine does not apply to claims seeking damages and has no bearing
here, particularly since the recovery processes are voluntary, provide only partial
relief, and specifically preserve the right to pursue judicial remedies.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 17 of 68
4
FACTUAL BACKGROUND
Home Depot’s then-CEO and current Board Chairman Frank Blake all but
admitted the company’s negligence caused the breach when in November, 2014 he
stated “[i]f we rewind the tape, our security systems could have been better. Data
security just wasn’t high enough in our mission statement.” He also conceded the
company’s security systems were “desperately out-of-date.” Compl. ¶¶ 158-59.
For years Home Depot de-emphasized data security, creating a culture
characterized by neglect, incompetence and an overarching desire to minimize
costs. Id. ¶ 2. Employees and outside consultants repeatedly warned about
problems and recommended improvements, but the warnings went unheeded and
the recommendations ignored. Id. ¶ 160. Senior management discouraged IT staff
from making changes that would cost money and shelved important remedial
efforts, including a project to encrypt data on the point-of-sale terminals penetrated
by the hackers. Id. ¶¶ 98-101, 103, 110-14, 116. As a result, competent IT security
staff left the company in droves, and at least one employee warned friends to use
cash, rather than credit cards, at Home Depot stores. Id. ¶¶ 117-20.
The specific security problems that made Home Depot a sitting target for
hackers included the failure to: update security software; maintain an adequate
firewall; have controls to keep unauthorized users from navigating its network
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 18 of 68
5
without detection; restrict access to cardholder data to those who had a need-to-
know; use coded numbers to disguise point-of-sale terminals in self-checkout
lanes; have up-to-date antivirus software; encrypt cardholder data at the point-of-
sale; adequately monitor its network for suspicious activity; and properly scan its
in-store computer systems for vulnerabilities. Id. ¶¶ 95-96.
While the danger invited by Home Depot’s failure to fix these security
problems was longstanding, red flags warning of an imminent problem were
repeatedly raised in the ten months before the 2014 breach occurred, including:
x July 2013: Home Depot discovered data-stealing malware on point-of-sale terminals at a Texas store, signaling hackers were testing its systems.
x August 2013: Visa warned Home Depot of an increase in retail data breaches involving the type of point-of-sale terminals Home Depot used.
x October 2013: A consultant warned Home Depot its “NTP” firewall had been shut off and needed to be turned on.
x December 2013: Home Depot discovered that point-of-sale terminals at a Maryland store had been hacked with malware the NTP firewall was specifically designed to block.
x January 2014: An outside consultant told Home Depot its network did not comply with industry standards and was vulnerable to attack.
x January 2014: The FBI warned Home Depot of the increasing risk to customer data posed by malware on point-of-sale systems.
x February 2014: A consultant again told Home Depot to turn on the NTP firewall.
Id. ¶¶ 126-29, 134-36. Yet, Home Depot still failed to fix its ongoing problems.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 19 of 68
6
Home Depot also received an urgent wake-up call in December, 2013 when
a huge data breach occurred at Target, the nation’s second largest retailer,
dramatically demonstrating that lax IT security could be exploited on a massive
scale. Id. ¶ 130. In response, Home Depot formed a task force that recommended
the same remedial actions its IT staff had been recommending for years. Despite
the obvious risk of delay, Home Depot did not act immediately, even failing to
make easy fixes such as upgrading its antivirus software, activating all of its
security features and turning on the NTP firewall. As a result, when the hackers
attacked, Home Depot’s systems remained vulnerable. Id. ¶¶ 131, 136-37.
Beginning in approximately April 2014, hackers accessed Home Depot’s
computer system, exploiting the very vulnerabilities it repeatedly had been warned
about. Id. ¶¶ 138-40. The hackers placed malware on Home Depot’s self-checkout
terminals that remained undetected for roughly five months. Id. ¶ 141. In early
September 2014, payment card data stolen from Home Depot was sold on the
internet black market to thieves who used the data to make millions of fraudulent
transactions. Id. ¶¶ 145-47, 149-50, 152.
To mitigate the quickly mounting losses, financial institutions reissued cards
compromised by the breach and took other action, such as notifying customers,
increasing fraud monitoring, and closing accounts. Moreover, financial institutions,
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 20 of 68
7
which bear almost all liability for credit and debit card fraud, reimbursed
customers for fraudulent transactions on their cards. Id. ¶¶ 186-87.
ARGUMENT AND CITATION OF AUTHORITY
A complaint should be dismissed only where the facts alleged fail to state a
“plausible” claim for relief. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Factual
allegations must be taken as true and construed in the light most favorable to the
plaintiff. See Quality Foods de Centro Am., S.A. v. Latin Am. Agric. Dev. Corp.,
S.A., 711 F.2d 989, 994-95 (11th Cir. 1983). Generally, notice pleading is all that is
required. See Lombard’s, Inc. v. Prince Mfg., Inc., 753 F.2d 974, 975 (11th
Cir.1985), cert. denied, 474 U.S. 1082 (1986). The complaint need only provide
fair notice of the claim and the grounds upon which it rests. See Erickson v.
Pardus, 551 U.S. 89, 93 (2007) (citing Bell Atlantic Corp. v. Twombly, 550 U.S.
544, 555 (2007). Plaintiffs’ complaint meets these pleading standards.
I. ARTICLE III STANDING EXISTS
A. Plaintiffs Suffered Concrete Injuries, Traceable to Home Depot, That Can Be Redressed by a Judgment in Their Favor
Under long-settled Article III standing jurisprudence, a plaintiff must plead
an injury that is “‘concrete, particularized, and actual or imminent; fairly traceable
to the challenged action; and redressable by a favorable ruling.’” Clapper v.
Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013) (citation omitted). Plaintiffs
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 21 of 68
8
adequately plead each of these three elements, demonstrating they have each
suffered an injury-in-fact that is fairly traceable to Home Depot’s conduct and can
be remedied by a judgment in their favor. As a result, Article III standing exists.1
Plaintiffs allege concrete, particularized and actual injury. First and
foremost, each Plaintiff reimbursed its customers for fraudulent transactions.
Compl. ¶ 4, 11, 187-89. Plaintiffs also incurred substantial costs reissuing cards to
prevent additional fraud, notifying customers their cards had been compromised,
investigating fraud claims and losing income from reduced card usage. Id. ¶ 187.
These injuries suffice for standing purposes. See, e.g., Via Mat Int’l S. Am. Ltd. v.
United States, 446 F.3d 1258, 1263 (11th Cir. 2006) (economic harm creates
standing); Resnick v. Avmed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012) (monetary
damages incurred as a result of identity theft constitute injury-in-fact); Remijas v.
Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814, at *5 (7th Cir. July
20, 2015) (actions needed to mitigate future harm from identity theft confer
standing); In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1217 (N.D.
1 Home Depot is incorrect that Plaintiffs’ O.C.G.A. § 13-6-11 claim must be dismissed. HD Br. at 8 n. 3. Fees may be recovered where, as pled here, the defendant was grossly negligent and acted in utter disregard of a duty, despite the existence of a bona fide controversy as to liability. Windemere, Ltd. v. Bettes, 438 S.E.2d 406, 409 (Ga. Ct. App. 1993). Dismissal thus would be error. See Kerfoot v. FNF Serving, Inc., No. 1:13-cv-33, 2013 WL 5797662, at *7 (M.D. Ga. Oct. 25, 2013) (O.C.G.A. § 13-6-11 claim cannot be resolved at the dismissal stage).
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 22 of 68
9
Ca. 2014) (costs to mitigate effects of a data breach establish standing).
Plaintiffs’ injuries are fairly traceable to Home Depot’s conduct. The
complaint specifies how Home Depot’s negligence proximately caused the breach
and led directly to Plaintiffs’ losses. Compl. ¶¶ 2, 4-5, 158-65, 186-87, 214. These
allegations are enough. See, e.g., Avmed, 693 F.3d at 1324 (allegations plaintiffs
were victims of identity theft after defendant’s unencrypted laptops were stolen
sufficed to “fairly trace” their injury to defendant’s conduct); Adobe, 66 F. Supp.
3d at 1217; In re Target Corp. Customer Data Sec. Breach Litig. (“Target
(Consumer Track)”), 66 F. Supp. 3d 1154, 1159 (D. Minn. 2014); Neiman Marcus,
2015 WL 4394814, at *7.
Finally, Plaintiffs’ injuries are redressable by a judgment or settlement
providing money damages and appropriate equitable relief. See, e.g., Adobe, 66 F.
Supp. 3d at 1217; Avmed, 693 F.3d at 1324; Target (Consumer Track), 66 F. Supp.
3d at 1159; Neiman Marcus, 2015 WL 4394814, at *8.
B. Home Depot’s Standing Arguments are Meritless
1. Each Plaintiff Has Sufficiently Alleged a Concrete Injury
Home Depot argues that Plaintiffs have not adequately alleged concrete
injury. Noting that paragraphs 12-79 of the complaint list only the name and
headquarters of each Plaintiff, Home Depot concludes no Plaintiff alleges an
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 23 of 68
10
injury. Home Depot ignores the express allegation in paragraph 11 that each
Plaintiff issued compromised cards and suffered injuries including reissuance costs
and fraud losses. See ¶¶ 4, 11, 187, 214, 221, 266. Nothing requires that the same
language be repeated for each Plaintiff. See generally Adobe, 66 F. Supp. 3d at
1226-27 (“the pleading standard is not so rigid as to insist that each count repeat
every factual allegation”). Further, Home Depot discounts other paragraphs
because they “vaguely” allege “the same general categories of injuries.” HD Br. 9.
Yet, there is no rule requiring each Plaintiff to suffer a different injury, United
States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S.
669, 687 (1973) (“standing is not to be denied simply because many people suffer
the same injury”), and more detailed allegations are not required, Lujan v.
Defenders of Wildlife, 504 U.S. 555, 561 (1992) (“general factual allegations of
injury” are sufficient to show standing at the pleading stage).
Through a subtle sleight of hand, Home Depot avoids addressing all of
Plaintiffs’ injuries and specifically ignores the costs of reimbursing fraud losses.
Asserting mitigation costs are the “vast majority” of Plaintiffs’ damages (an
assertion which is of news to Plaintiffs), Home Depot focuses almost its entire
analysis on whether mitigation costs confer standing. The failure to deal with
Plaintiffs’ other injuries is both telling and fatal. Plaintiffs need not show that all of
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 24 of 68
11
their injuries satisfy Article III so long as at least one injury meets the standing
requirement. See, e.g., Saladin v. City of Milledgeville, 812 F.2d 687, 689 n.3 (11th
Cir. 1987) (declining to consider alternative theory of standing after finding
another theory of standing was satisfied); Neiman Marcus, 2015 WL 4394814 at
*1 (standing can be shown if “at least some” of the injuries satisfy Article III).
Plaintiffs’ costs of reimbursing fraud losses were not incurred to mitigate future
harm but from a legal duty to redress fraudulent acts that already had occurred. As
a result, there is no question Plaintiffs have standing, particularly in light of the
Eleventh Circuit’s holding in Avmed that monetary damages stemming from
“actual identity theft” are sufficient. 693 F.3d at 1323. Home Depot fails to cite or
even attempt to distinguish Avmed.
2. Mitigation Costs Incurred by Plaintiffs Confer Standing
Even if Plaintiffs had not reimbursed fraud losses, Home Depot’s standing
argument, relying on Clapper, does not warrant dismissal. Clapper does not
represent a dramatic reworking of standing jurisprudence. See, e.g., Adobe, 66 F.3d
at 1213 (“Clapper did not change the law governing Article III standing.”);
Neiman Marcus, 2015 WL 4394814 at *5 (“it is important not to overread
Clapper”). Clapper merely confirms that where standing is based on a “threatened
injury,” that injury “must be certainly impending to constitute injury in fact” and
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 25 of 68
12
“‘[a]llegations of possible future injury’ are not sufficient.” 133 S. Ct. at 1147
(citations omitted).
Unlike Clapper, which turned on a “highly attenuated chain of possibilities”
and concern the plaintiffs had tried to manufacture standing, 133 S. Ct. 1147-48,
Plaintiffs here did not incur mitigation expenses to establish standing or to address
a hypothetical risk of future harm. Rather, when Plaintiffs acted, millions of cards
already had been compromised, sold to thieves and were being used to commit
fraud on a massive and mounting scale. Immediate reissuance was needed to stop
the bleeding and avoid additional harm that was “certainly impending.” Plaintiffs’
mitigation costs thus confer standing under Clapper. See, e.g., Neiman Marcus,
2015 WL 4394814 at *3-5; Adobe, 66 F. Supp. 3d at 1216-17.
In fact, Clapper supports Plaintiffs’ position by recognizing that standing
can be “based on a ‘substantial risk’ that [future] harm will occur, which may
prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” 133 S.
Ct. at 1150 n.5 (citing Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 153-
55 (2010)). Faced with substantial risk of additional fraud, Plaintiffs’ decisions to
reissue cards were reasonable. As the First Circuit recognized in a data breach case
involving information belonging to more than 4 million customers:
That many banks or issuers immediately issued new cards is evidence of the reasonableness of replacement of cards as mitigation. Those
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 26 of 68
13
banks thought the cards would be subject to unauthorized use, and cancelled those cards to mitigate their own losses in what was a commercially reasonable judgment.
Anderson v. Hannaford Bros. Co., 659 F.3d 151, 164 (1st Cir. 2011).
Plaintiffs had a legal duty to mitigate damages, see O.C.G.A. § 51-12-11,
and are entitled to recover the expenses they incurred in doing so. See, e.g.,
Hannaford, 659 F.3d at 164; RESTATEMENT (SECOND) OF TORTS § 919 (“One
whose legally protected interests have been endangered by the tortious conduct of
another is entitled to recover for expenditures reasonably made or harm suffered in
a reasonable effort to avert the harm threatened.”); Savannah, Fla. & W. RY. Co. v.
Pritchard, 1 S.E. 261, 264 (Ga. 1887). Moreover, the Washington and Minnesota
statutes pled here explicitly authorize recovery of mitigation costs. See Wash. Rev.
Code § 19.255.020; Minn. Stat. § 325E.64. Plaintiffs have standing to recover
mitigation expenses that they are legally authorized to recover.
The other cases Home Depot cites (HD Br. 11-12) – all of which involve
consumer rather than financial institution plaintiffs – are inapposite.2 Unlike here,
2 See, e.g., Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 881 n.18 (N.D. Ill. 2014) (plaintiff “concede[d] that she has not sought or received any notice . . . that her PII was compromised by the breach”); Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011) (“no evidence suggests that the data has been—or will ever be—misused”); In re Zappos.com, Inc., No. 3:12-cv-00325, 2015 WL 3466943, at *7-9 (D. Nev. June 1, 2015) (plaintiffs did not show actual financial damages); Green v. Ebay Inc., No. 14-1688, 2015 WL 2066531, at *4-5 (E.D. La.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 27 of 68
14
none involved actual injuries, unauthorized charges, or misuse of stolen data. See
Adobe, 66 F. Supp. 3d at 1215-16 (distinguishing Galaria v. Nationwide Mutual
Insurance Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014) and In re Science
Applications International Corp (SAIC) Backup Tape Data Theft Litigation, 45 F.
Supp. 3d 14 (D.D.C. 2014) on the ground neither involved stolen data that had
already been misused or surfaced on websites). Moreover, one was reversed after
Home Depot’s brief was filed. See Neiman Marcus, 2015 WL 4394814, at *8.
3. Lost Card Value Constitutes an Injury-in-Fact
Home Depot also argues Plaintiffs were not injured when the cards they
issued were rendered worthless because Plaintiffs fail to explain how the cards
“could ever have value.” Such allegations suffice for standing. See Svenson v.
Google Inc., No. 13-cv-04080, 2015 WL 1503429, at *5 (N.D. Cal. Apr. 1, 2015)
(allegation the value of plaintiffs’ personal information was diminished was
sufficient for pleading purposes); In re Facebook Privacy Litig., 572 Fed. App’x
494 (9th Cir. 2014). Regardless, the cards have value to Plaintiffs, as they represent
an income stream that may be diminished if a compromised card is never again May 4, 2015) (plaintiff’s information was compromised but not yet misused and no financial information was stolen during the breach); Giordano v. Wachovia Sec., LLC, 2006 WL 2177036, at *5 (D.N.J. July 31, 2006) (plaintiff did not allege “even that her financial information was stolen or ended up in the possession of someone who might potentially misuse it”).
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 28 of 68
15
used. See In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498 (1st Cir.
2009) (card data “can have value and the value can be lost”). Moreover, the cards
are valued between $50 and $100 on the black market.3 Compl. ¶¶ 145-47.
II. PLAINTIFFS ADEQUATELY PLEAD NEGLIGENCE CLAIMS
Plaintiffs allege Home Depot violated its common law and statutory duties
by failing to use reasonable measures to protect cardholder data and to provide
timely notice of the breach. The complaint details Home Depot’s negligent acts
and omissions and alleges that its negligence proximately caused Plaintiffs’
injuries. Compl. ¶¶ 205-15. These allegations are enough to survive dismissal. See,
e.g., Avmed, 693 F.3d at 1325-28 (plaintiffs plausibly pled negligence claim arising
from data breach); Bishop, No. 4:15-CV-00033-HLM, at 21-30; In re Target Corp.
Customer Data Sec. Breach Litig. (“Target (FI Track)”), 64 F. Supp. 3d 1304,
1309-10 (D. Minn. 2014) (denying motion to dismiss negligence and negligence
per se claims). While Home Depot argues the claims are barred by the economic
loss rule and it owed no duty to Plaintiffs, its arguments lack merit.
A. The Economic Loss Rule Does Not Bar the Negligence Claims
“The economic loss rule provides that a plaintiff may not recover in tort for
3 Home Depot’s reliance on Anderson v. City of Alpharetta, 770 F.2d 1575 (11th Cir. 1985) is misplaced. The case upheld dismissal of the NAACP on the eve of trial in a housing discrimination case because it never alleged a concrete injury or even identified a single victim. Id. at 1583.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 29 of 68
16
purely economic damages arising from a breach of contract.” Hanover Ins. Co. v.
Hermosa Constr. Group, LLC, 57 F. Supp. 3d 1389, 1395 (N.D. Ga. 2014). On its
face, the rule is inapplicable here because Plaintiffs are not parties to any contracts
with Home Depot. While Home Depot asserts it is a party to a “chain of contracts”
that includes Plaintiffs, no such contracts are before the Court, and it would be
inappropriate to consider them at this stage. See Banknorth, N.A. v. BJ’s Wholesale
Club, Inc., 394 F. Supp. 2d 283, 287 (D. Me. 2005). Regardless of whether
Plaintiffs and Home Depot are contractually related, the economic loss rule does
not apply because of two exceptions.
First, “where an independent duty exists under the law, the economic loss
rule does not bar a tort claim because the claim is based on a recognized
independent duty of care and thus does not fall within the scope of the rule.”
Liberty Mut. Fire Ins. Co. v. Cagle’s, Inc., No. 1:10-cv-2158, 2010 WL 5288673,
at *3 (N.D. Ga. Dec. 16, 2010) (quotation omitted); see also Hanover Ins. Co., 57
F. Supp. 3d at 1396; Rosen v. Protective Life Ins. Co., 1:09-cv-03620, 2010 WL
2014657, at *9 (N.D. Ga. May 20, 2010); O.C.G.A. §51-1-11(a) (“if [a] tort results
from a violation of a duty which is itself the consequence of a contract, the right of
action is confined to the parties and those in privity to that contract, except in cases
where the party would have a right of action for the injury done independently of
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 30 of 68
17
the contract”).
The Georgia Supreme Court described the basis for this legal principle in
Sheppard v. Yara Engineering Corp., 281 S.E.2d 586, 587 (Ga. 1981):
It is axiomatic that a single act or course of conduct may constitute not only a breach of contract but an independent tort as well, if in addition to violating a contract obligation it also violates a duty owed to plaintiff independent of contract to avoid harming him. . . .Thus, to constitute a tort the duty must arise independent of the contract.
(internal quotation marks and citation omitted). The independent duty exception
applies when the plaintiff identifies “a statutory or common law duty that would
have existed absent the underlying contract.” Hanover Ins. Co., 57 F. Supp. 3d at
1396 (citing Liberty Mut., 2010 WL 5288673, at *3); see also Waldrip v. Voyles,
411 S.E.2d 765, 767 (Ga. 1991) (independent duty may also arise from “relations
created by contract, express or implied”). Plaintiffs identify numerous independent
duties in the following section of this brief, triggering this exception.
Second, Georgia recognizes an “accident” exception to the economic loss
rule based upon the “general duty under tort law, independent of any contract, to
avoid causing a sudden and calamitous event which . . . poses an unreasonable risk
of injury to other persons or property.” Argonaut Midwest Ins. Co. v. McNeilus
Truck & Mfg., Inc., 1:11-cv-3495, 2013 WL 489141, at *4 (N.D. Ga. Feb. 8, 2013)
(quotations omitted). The accident exception applies here because a data breach
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 31 of 68
18
case presents a real danger of harm to persons or property and is a sudden and
calamitous event. See Cumis Ins. Soc’y, Inc. v. Merrick Bank Corp., No. CIV 07-
374, 2008 WL 4277877, at *7-8 (D. Ariz. Sept. 18, 2008) (declined to apply the
rule because a “data security breach is comparable to a tortious ‘accident’ and the
damages are of a type that caused economic harm to persons or entities”).
Home Depot fundamentally misreads Georgia’s economic loss rule.
According to Home Depot, “there is no recovery in tort for economic losses unless
they result from injury to person or property.” HD Br. 14. Because Plaintiffs have
not alleged personal injury or property damage, Home Depot reasons, the
economic loss rule applies. This argument is inconsistent with numerous cases
declining to apply the rule where plaintiffs sought economic losses other than
physical injury. See, e.g., Liberty Mut., 2010 WL 5288673, at *3 (claim relating to
insurance premiums was not barred where the claim arose out of an independent
duty of good faith); Hanover Ins. Co., 57 F. Supp. 3d at 1396 (refusing to apply the
rule where plaintiff sought damages from mishandling a surety claim); Waldrip,
411 S.E.2d at 593-94 (negligence claim for economic losses resulting from
misallocation of a debtor’s payments not barred).
Further, Home Depot’s position is unsupported by the three cases it cites,
none of which hold economic losses cannot be recovered in a tort action. General
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 32 of 68
19
Electric Co. v. Lowe’s Home Centers, Inc., did not apply the rule because the
plaintiff sought to recover lost profits, but because the plaintiff sought to recover
lost profits based on damage to someone else’s property. 608 S.E.2d 636, 637-38
(Ga. 2005). Addressing a question from the Eleventh Circuit – i.e., “whether
Georgia’s economic loss rule allows a plaintiff to recover in tort lost profits that
would have only been realized by using its damaged property and other damaged
property that it did not own” – the court held that “a plaintiff may only recover lost
profits associated with damage to its own property.” Id. at 637 (second and third
emphasis added). Similarly, Remax The Mountain Co. v. Tabsum, Inc., simply held
in reliance on General Electric that “a plaintiff cannot recover economic losses
associated with injury to the person or damage to the property of another.” 634
S.E.2d 77, 79 (Ga. Ct. App. 2006) (emphasis added). City of Atlanta v. Benator
applied the economic loss rule in a contract case and the court declined to find an
independent duty based on the “the particular facts and circumstances” of the
case.4 714 S.E.2d 109, 117 (Ga. Ct. App. 2011).
4 Traditionally, Georgia courts have applied the rule only in defective product cases. See Benator, 714 S.E.2d at 116. After General Electric, a few courts have applied the rule in other cases, id., but the case law is neither well developed nor particularly well-reasoned. For example, Benator suggests the rule can provide guidance regarding the existence of an independent duty. Id. But, under O.C.G.A. §51-1-11(a), the existence of an independent duty precludes application of the rule. To conflate the concepts of duty and application of the rule is both circular and
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 33 of 68
20
Home Depot also cites several cases from other jurisdictions invoking the
rule to bar negligence claims in data breach cases. Other cases have reached the
opposite result. See Lone Star Nat’l Bank v. Heartland Payment Sys., Inc., 729
F.3d 421, 426 (5th Cir. 2013); Banknorth, N.A., 394 F. Supp. 2d at 286; Target
(Consumer Track), 66 F. Supp. 3d at 1171-76. These cases all turn on the scope of
the applicable state’s law and thus offer limited guidance here except for the
Target decision, which construed Georgia’s economic loss rule and refused to
apply it to negligence claims in a data breach case.5 Id. at 1173.
The only Georgia data breach case Home Depot cites is Willingham v.
Global Payments, Inc., No. 1:12-CV-01157-RWS, 2013 WL 440702, at *18 (N.D.
Ga. Feb. 5, 2013). The unpersuasive decision is a magistrate judge’s report and
recommendation that was never adopted because the parties settled, contains only a
rudimentary discussion of Georgia’s economic loss rule and involves claims
unhelpful. Cf. Unger v. Bryant Equip. Sales & Servs., Inc., 335 S.E.2d 109 (Ga. 1985) (the issue is not one of “the ‘economic loss’ versus ‘physical damage’ dichotomy that is used in products liability cases,” but “whether the [plaintiff] has asserted a claim in tort which does not arise from the contract, but is independent of it”) (internal quotations omitted). 5 Home Depot concedes that Georgia law applies for purposes of its motion and that this Court has ruled the choice of law analysis is more appropriate at class certification. (HD Br. 14 n.4.) Accordingly, Plaintiffs need not address the law in other states at this time, especially since the consumer plaintiffs have already done so. See Consumer Plaintiffs’ Opposition, Appendix 4.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 34 of 68
21
against a processor that had no direct role in the breach. See Target (Consumer
Track), 66 F. Supp. 3d at 1173 (distinguishing Willingham). Moreover, the
decision relies upon two out-of-state cases, one of which was later reversed. See
Heartland Payment Systems, Inc. 729 F.3d 421 (reversing holding that plaintiffs’
claim was barred). Willingham is also inconsistent with Judge Murphy’s refusal to
dismiss a negligence claim based upon the failure to protect personal data, which
implicitly recognized a common law duty. Bishop, No. 4:15-cv-00033, at 21-30.
B. Home Depot Owed a Legal Duty to Plaintiffs
The duty element of a negligence claim – the only element that Home Depot
challenges in its motion to dismiss – involves the “question of whether the
defendant is under any obligation for the benefit of the particular plaintiff” and
represents “an expression of the sum total of those considerations of policy which
lead the law to say that the plaintiff is entitled to protection.” WILLIAM L. PROSSER
& W. PAGE KEETON, LAW OF TORTS § 53 at 356, 358 (5th ed. 1984).
Georgia recognizes a “general duty one owes to all the world not to subject
them to an unreasonable risk of harm. . . . ‘[N]egligence is conduct which falls
below the standard established by law for the protection of others against
unreasonable risk of harm.’” Bradley Ctr., Inc. v. Wessner, 296 S.E.2d 693, 695
(Ga. 1982) (citing RESTATEMENT (SECOND) OF TORTS § 282); see, e.g., Corbitt v.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 35 of 68
22
Walgreen Co., No. 7:14-CV-17 (MTT), 2015 WL 1726011, at *2 (M.D. Ga. Apr.
15, 2015). The duty requires the exercise of ordinary care to avoid causing
“foreseeable” and “unreasonable” harm. Hodges v. Putzel Elec. Contractors, 580
S.E.2d 243, 247 (Ga. Ct. App. 2003). To be foreseeable, it is only necessary to
anticipate that some injury will result, not all the particular consequences that
might ensue. Corbitt, 2015 WL 1726011, at *2 (citation omitted).
Consistent with these principles, the complaint alleges Home Depot had a
general duty to prevent foreseeable risk of harm to others and Plaintiffs’ injuries
were foreseeable if cardholder data was not adequately protected. There can be no
question that Plaintiffs’ injuries were foreseeable. See, e.g., Heartland, 729 F.3d at
426; Target (FI Track), 64 F. Supp. 3d at 1310. Indeed, Home Depot
acknowledged the risk in its annual reports since 2008. Compl. ¶¶ 205-06.
Accordingly, pursuant to its general duty under Georgia law to avoid subjecting
Plaintiffs to an unreasonable risk of harm, Home Depot had a duty to secure
cardholder data and notify Plaintiffs of the breach in a timely manner.
Courts considering whether there is a duty to protect confidential
information agree that this duty exists – in cases brought by both consumers and
financial institutions. See, e.g., In re Sony Gaming Networks & Customer Data
Sec. Breach Litig., 996 F. Supp. 2d 942, 966 (S.D. Cal. 2014) (“the existence of a
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 36 of 68
23
legal duty to safeguard a consumer’s confidential information entrusted to a
commercial entity . . . [is] well supported by both common sense and [applicable
state] law”); Avmed, 693 F.3d at 1326-28 (health care provider had duty to secure
customer information); In re Zappos.com, Inc., No. 3:12-cv-00325, 2013 WL
4830497, at *3 (D. Nev. Sept. 9, 2013) (finding duty to “protect Plaintiffs’ private
data from electronic theft with sufficient electronic safeguards”); In re Hannaford
Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 115 (D. Me.
2009), aff’d in part, rev’d in part on other grounds, Anderson v. Hannaford Bros.
Co., 659 F.3d 151 (1st Cir. 2011) (“when a merchant is negligent in handling a
customer’s electronic payment data and that negligence causes an unreimbursed
fraudulent charge or debit against a customer’s account, the merchant is liable for
that loss”); Banknorth N.A., 394 F. Supp. 2d. at 286-87 (merchant owed a duty to
issuing bank “to safeguard cardholder information from thieves”); Target (FI
Track), 64 F. Supp. 3d at 1310 (merchant owed a duty to issuing banks to protect
cardholder data based on the general duty to avoid a foreseeable risk of harm).6
6 Home Depot contends, without citing any authority, that Target is an “outlier.” To the contrary, the weight of authority recognizes a duty to protect private information, including the Eleventh Circuit’s decision in Avmed that Home Depot ignores. Most of the cases rejecting claims by consumers and the relatively few claims by financial institutions have been decided on other grounds, specifically standing and the economic loss rule, not the lack of a duty. Further, the trend in the
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 37 of 68
24
Recognizing Home Depot has a legal duty fulfills the underlying purposes of
negligence law – compensation and deterrence – by placing the risk of financial
loss on the only entity with the ability to prevent that loss. Absent a duty to protect
customers’ data, a merchant such as Home Depot has a strong incentive to cut
corners, take minimum precautions and, as Home Depot’s CEO admitted, not place
data security “high enough on its mission statement” while the financial
institutions that issued the cards, which have little ability to protect themselves, are
forced to bear the costs. On the other hand, if a duty is imposed holding merchants
legally responsible, they will implement adequate data security measures to avoid
having to pay damages to those who are injured.
Other factors also support imposing a duty on Home Depot. For example,
Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1), creates a legal duty to refrain from
engaging in unfair or deceptive acts. According to the FTC, the failure to maintain
adequate security measures is an unfair practice prohibited by the Act. See FTC v.
Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 622 (D.N.J. 2014). Whether an
action for negligence per se can be based on Section 5, the federal mandate to
avoid unfair practices by having adequate data security lends credence to the
existence of a duty in a traditional negligence action. See, e.g., Brock v. Avery Co., law – represented by Target, Adobe, and the Seventh Circuit’s decision last month in Neiman Marcus – has been to expand liability for data breach claims.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 38 of 68
25
110 S.E.2d 112, 126 (Ga. Ct. App. 1959) (a statute that is too indefinite to
constitute negligence per se does “furnish a rule of civil conduct”); Pulte Home
Corp. v. Simerly, 746 S.E.2d 173, 179 (Ga. Ct. App. 2006) (citing McLain v.
Mariner Health Care, 631 S.E.2d 435, 437-38 (Ga. Ct. App. 2006) for the
proposition that “violations of federal statutes and regulations support [a] claim of
breach of legal duty in both traditional negligence and negligence per se actions”).
Similarly, imposing a legal duty on Home Depot is consistent with industry
standards, its internal policies regarding data security and the public statements on
its website that it was using “industry standard means” to protect customer
information and that its security measures were “appropriate for the type of
information we collect.”7 Compl. ¶ 207. See Target (FI Track), 64 F. Supp. 3d at
1310 (discounting the burden of imposing a duty on merchants because they have
already “voluntarily assumed” similar duties); Rowe v. Akin & Flanders, Inc., 525
S.E.2d 123, 126 (Ga. Ct. App. 1999) (duty implied by law requiring contractor to
7 Plaintiffs also allege they had a “special relationship” with Home Depot that supports imposing a duty. Such a relationship may arise from particular facts, by law, or the relationship between the parties. See O.C.G.A. §§ 23-2-58 and 51-1-8; Monroe v. Bd. of Regents, 602 S.E.2d 219, 222 (Ga. Ct. App. 2004); TechBios, Inc. v. Champagne, 688 S.E.2d 378, 382 (Ga. Ct. App. 2009). The existence of a special relationship is a fact question and thus cannot be resolved on a motion to dismiss. Tidikis v. Network for Med. Commc’ns & Research, LLC, 619 S.E.2d 481, 484-85 (Ga. Ct. App. 2005).
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 39 of 68
26
perform its work in accordance with industry standards). These factors buttress the
longstanding common law duty to avoid foreseeable harm that is dispositive here,
demonstrate that imposing a duty is not burdensome, and thus should be
considered in the duty analysis.
None of the cases Home Depot cites compels a different result. Willingham,
which as already noted is an unpersuasive report and recommendation that was
never adopted, did not discuss the general duty under Georgia law to avoid
foreseeable risk of harm and was based largely on two out-of-state cases, one of
which was later reversed. 2013 WL 440702, at *18. Worix v. MedAssets, Inc.,
simply declined to adopt a new legal duty under state law in light of a state
appellate decision reserving the issue for the legislature. 869 F. Supp. 2d 893, 897-
98 (N.D. Ill. 2012). And, Citizens Bank of Pa. v. Reimbursement Techs., Inc.,
involved dissimilar facts – a “rogue employee” who stole patient information –
leading the court to decline to impose a duty because the plaintiff, unlike in this
case, failed to allege how the company’s security systems were inadequate, the
actions of the employee were foreseeable and enhanced data security would have
made any difference.8 No. 12-1169, 2014 WL 2738220, at *2-4 (E.D. Pa. 2014).
8 The other two cases Home Depot cites involved a common law duty to provide notice of a data breach. In re Hannaford held that Maine did not recognize a “stand-alone” claim for failure to provide such notice, but the case is not helpful to
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 40 of 68
27
C. Plaintiffs Allege that the Criminal Acts Were Foreseeable
Home Depot, citing only Edmunds v. Cowan, argues there is no legal duty to
anticipate criminal acts. However, Cowan states that the principle does not apply if
there were “reasonable grounds to believe that a criminal act would be committed.”
386 S.E. 2d 39, 41 (Ga. Ct. App. 1989) (citation omitted). Plaintiffs, as noted
above, adequately allege that it was reasonably foreseeable Home Depot’s systems
would be hacked. Thus its motion to dismiss on this ground should be denied. See,
e.g., Bishop, No. 4:15-cv-00033-HLM, at 23 (Judge Murphy declined to dismiss
negligence claims because the plaintiffs adequately alleged that “the defendant had
reason to anticipate the criminal act.”).
Relying on premises liability cases, Home Depot contends that a duty to
protect against foreseeable criminal activity only arises if “the defendant has
superior knowledge that the criminal activity might occur.” HD Br. 23. However, a
premises liability case presents a “materially different set of facts” and different
duty. Bishop, at 25-28. Moreover, Home Depot’s assertion that it lacked superior
knowledge is nonsensical. Plaintiffs had no way of knowing that, contrary to its Home Depot. 613 F. Supp. 2d at 124. The court recognized a general negligence claim could be pursued. Id. at 128. Moreover, although the decision was reversed in part, the plaintiff did not appeal the ruling on the failure to provide notice claim. See Anderson, 659 F.3d at 157. The other case – Amburgy v. Express Scripts, Inc., – largely turned on a notification statute that did not provide a private right of action. 671 F. Supp. 2d 1046, 1055 (E.D. Mo. 2009).
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 41 of 68
28
public assurances, Home Depot’s security systems were, in the words of its CEO,
“desperately out-of-date” and, among other things, that warnings about major
vulnerabilities in its systems were being ignored by senior management and
customer data was not being encrypted at the point-of-sale.
D. Plaintiffs Adequately Plead a Negligence Per Se Claim
Georgia law allows “the adoption of a statute or regulation as a standard of
conduct so that its violation becomes negligence per se.” Pulte Home Corp., 746
S.E.2d at 179; see also, O.C.G.A. § 51-1-6 (“When the law requires a person to
perform an act for the benefit of another or refrain from doing an act which may
injure another, although no cause of action is given in express terms, the injured
party may recover for the breach of such legal duty . . . .”). A plaintiff must show
he or she is within the class of persons the statute was intended to protect and the
statute is intended to protect against the harm suffered. Amick v. BM & KM, Inc.,
275 F. Supp. 2d 1378, 1382 (N.D. Ga. 2003). Plaintiffs allege that Home Depot
violated Section 5 of the FTC Act, they are within the class the statute was
intended to protect, and the statute was meant to protect against the harm that
occurred. As a result, Plaintiffs properly state a claim for negligence per se. Home
Depot’s three arguments to the contrary lack merit.
First, Home Depot asserts a violation of Section 5 can never support
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 42 of 68
29
negligence per se because there are no decisions so holding. But there are at least
two, both applying Georgia law: Bans Pasta, LLC v. Mirko Franchising, LLC, No.
7:13-cv-00360-JCT, 2014 WL 637762, at *12-13 (W.D. Va. Feb. 12, 2014) (an
FTC rule adopted pursuant to Section 5 set a standard of conduct which supported
a negligence per se claim); and Legacy Acad., Inc. v. Mamilove, LLC, 761 S.E.2d
880, 891-92 (Ga. Ct. App. 2014), aff’d in part and rev’d in part on other grounds,
771 S.E.2d 868 (Ga. 2015) (negligence per se claim allowed under FTC rule
interpreting Section 5).
Second, Home Depot contends Section 5 does not impose a “clear and
concrete duty or standard of conduct” of the type required for negligence per se
because the Act only prohibits an “unfair” practice. However, Plaintiffs’ claim is
not based solely on the terms of Section 5, but also on the FTC’s interpretation
requiring businesses to maintain reasonable data security practices, including such
concrete acts as encrypting data and implementing policies for installing security
updates. Compl. ¶¶ 179-83, 220. Further, Home Depot contends the FTC’s
guidelines do not “carry the force of law.” But, Georgia law does not require that a
governmental directive imposing a duty be expressed in a statute or regulation.
Wells Fargo Bank v. Jenkins, 744 S.E.2d 686, 688 (Ga. 2013) (recognizing that
negligence per se can be based upon a common law principle or any “regulation,
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 43 of 68
30
directive, or standard” authorized by law) (emphasis added).
Both of Home Depot’s contentions were also rejected in Wyndham, an
enforcement action in which the FTC sued a business for failure to have reasonable
data security practices. The defendant argued that the reasonableness standard was
not sufficiently clear to create a standard of conduct, the FTC’s guidance
documents were too vague to be enforceable and without specific rulemaking no
enforcement action could be taken. 10 F. Supp. 3d at 616. The court rejected each
argument and held the reasonableness of the defendant’s efforts could be measured
by “industry standard practices” referred to in own privacy policy. Id. at 620-21.
Like the defendant in Wyndham, Home Depot has a privacy policy stating it
uses “industry standard means” to protect customer data. Compl. ¶ 168. Home
Depot also adopted its own data security policies and procedures, which it failed to
follow. Id. ¶ 167. These standards and policies provide ample means to measure
whether Home Depot violated the FTC’s standard. St. Mary’s Hosp. v. Radiology
Professional Corp., 421 S.E.2d 731, 736-37 (Ga. Ct. App. 1992), is directly on
point. In that case, the court allowed a negligence per se claim against a hospital
for violating its own bylaws relating to the deprivation of a doctor’s practice
privileges based upon a standard of conduct prohibiting hospitals from acting in an
“unreasonable, arbitrary, capricious, or discriminatory” manner.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 44 of 68
31
The FTC’s reasonableness requirement, particularly as further defined in its
guidance documents and multiple enforcement actions, is not so vague as to be
enforceable as a standard of conduct. As the Georgia Supreme Court held:
Where a statute provides a general rule of conduct, although only amounting to a requirement to exercise ordinary care, the violation thereof is negligence as a matter of law, or negligence per se . . . .
Teague v. Keith, 108 S.E.2d 489, 491-92 (Ga. 1959) (emphasis added) (noting that
a negligence per se claim can be based on statutes prohibiting a driver from driving
at a “speed greater than is reasonable” or keeping a vehicle under “immediate
control”); see also, e.g., Holbrook v. Exec. Conference Ctr., Inc., 464 S.E.2d 398,
401-02 (Ga. Ct. App. 1995); West v. Mache of Cochran, Inc., 370 S.E.2d 169, 172-
73 (Ga. Ct. App. 1988).9
Third, Home Depot incorrectly contends Plaintiffs are not consumers and are
outside the class of persons protected by Section 5. The class of persons protected
by Section 5 is not limited to consumers. See Bans Pasta, 2014 WL 637762, at *13
(allegation by an LLC franchisee that it was within the class of persons protected
under Section 5 was sufficient to survive dismissal); Legacy Acad., 761 S.E.2d at
9 Home Depot improperly relies on four Georgia cases to show that Section 5 does not have an ascertainable standard. Wells Fargo involved an “aspirational statement,” not a government directive. 744 S.E.2d at 688. The others, decided by the Court of Appeals, are inconsistent with the Supreme Court’s decision in Teague.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 45 of 68
32
892-93 (LLC was entitled to pursue a negligence per se claim based upon Section
5); Wyndham, 10 F. Supp. 3d at 625 (noting the FTC’s position that a violation of
its data security standards “is likely to cause substantial consumer injury . . . to
consumers and businesses”) (emphasis added). The FTC and courts have long
applied Section 5 to practices victimizing businesses.10 Indeed, the requirement
that a practice cause “consumer injury” is an element of the definition of unfair
acts or practices and such injury has historically included harm to businesses. See
FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 245 n.5 (1972) (describing the
consumer injury requirement as “whether [the allegedly unfair act or practice]
causes substantial injury to consumers (or competitors or other businessmen)”)
(emphasis added) (citation omitted).
Plaintiffs are within the broad scope of persons protected by the FTC Act.
Additionally, Plaintiffs bear primary responsibility for reimbursing consumers for
10 See, e.g., FTC v. World Wide Factors, Ltd., 882 F.2d 344, 346-47 (9th Cir. 1989) (affirming preliminary injunction against seller of promotional merchandise to small businesses); Lee v. FTC, 679 F.2d 905, 906 (D.C. Cir. 1980) (upholding order against company providing promotional services to investors); United States Retail Credit Ass’n. Inc. v. FTC, 300 F.2d 212 (4th Cir. 1962) (affirming order against corporation offering debt collection services to businesses and professionals); United States Ass’n of Credit Bureaus v. FTC, 299 F.2d 220 (7th Cir. 1962) (modifying and enforcing order against provider of collection services to businesses); FTC v. Kitco of Nevada, Inc., 612 F. Supp. 1282, 1296-97 (D. Minn. 1985) (permanent injunction entered against seller of business opportunities).
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 46 of 68
33
fraud losses, and many Plaintiffs are credit unions, which are non-profit
cooperatives that act on behalf of and are owned by tens of millions of consumers.
Compl. ¶ 63. Moreover, the “class of persons” requirement in the negligence per se
analysis is not as narrow as Home Depot asserts. It cannot be disputed that the
purpose of the FTC’s standard is to prevent data breaches such as the one that
occurred, bringing Plaintiffs within its scope. See Atlanta & W. Point R.R. Co. v.
Underwood, 126 S.E.2d 785, 787-88 (Ga. 1962) (holding that a railroad was within
the class of persons protected by a statute requiring taxis to stop before crossing its
tracks because, even though primarily intended to protect passengers, the statute’s
purpose was to prevent collisions).
III. PLAINTIFFS STATE VALID CLAIMS FOR EQUITABLE RELIEF
Plaintiffs seek equitable relief pursuant to the Declaratory Judgment Act, 28
U.S.C. § 2201 et seq., and various state statutes. Plaintiffs allege there is a
continuing controversy relating to the scope of Home Depot’s data security
obligations and the inadequacy of its current practices. Compl. ¶¶ 278-82.
Plaintiffs further allege there is a real, immediate, and substantial risk of another
data breach and resultant future harm, and, if another breach occurs, their legal
remedies will be inadequate. Id. ¶ 282. Therefore, Plaintiffs seek a declaration that
Home Depot is failing to use reasonable security measures and that to comply with
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 47 of 68
34
its legal obligations, id. ¶¶ 280.a, 280.b, Home Depot must implement specified
additional security measures, id. ¶ 281.a-h. Such allegations are sufficient at the
pleading stage. See Adobe, 66 F. Supp. 3d at 1215, 1221-22 (denying a motion to
dismiss a declaratory relief claim challenging the adequacy of existing security
measures); Sony, 996 F. Supp. 2d at 999 (same); Target (Consumer Track), 66 F.
Supp. 3d. at 1161 (refusing to dismiss claim for injunctive relief).
Plaintiffs do not assert a “stand-alone claim” for an injunction or seek an
injunction as a remedy for negligence, as Home Depot contends. Rather, Plaintiffs
permissibly seek an injunction as an ancillary remedy under the Declaratory
Judgment Act.11 See 28 U.S.C. § 2202 (allowing “[f]urther necessary or proper
relief based on a declaratory judgment”); Powell v. McCormack, 395 U.S. 486, 499
(1969) (“A declaratory judgment can . . . be used as a predicate to further relief,
including an injunction.”) (citation omitted); 7AA CHARLES A. WRIGHT, ET AL.,
FEDERAL PRACTICE AND PROCEDURE § 1775 (3d ed. 2008) (“Because of the close
nexus between injunctive and declaratory relief, it is quite common for parties
seeking a declaration of their rights also to include a request for an injunction.”).
11 In addition, injunctive relief is available under the state statutes Plaintiffs invoke. See, e.g., Kwikset Corp. v. Superior Court, 246 P.3d 877, 895 (Cal. 2011) (injunctions are primary form of relief under California’s UCL); Conn. Gen Stat. § 42-110g; Fla. Stat. Ann. § 501.211(1); 815 ILCS 505/10a(c); Mass. Gen. Laws Ann. ch. 93A § 11; Wash. Rev. Code § 19.86.090.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 48 of 68
35
Home Depot also asserts Plaintiffs’ equitable claims fail because the
problems that led to the breach have been fixed, eliminating any likelihood of a
future breach. However, Plaintiffs dispute this assertion, alleging that there is a
substantial risk of another breach due to continuing security problems at Home
Depot, particularly in light of its longstanding, lackadaisical approach to data
security, its failure to heed repeated warnings about vulnerabilities and the fact that
a massive breach has already occurred due to its misconduct. Plaintiffs’ allegations
are sufficient to show that “there is a substantial controversy, between parties
having adverse legal interests, of sufficient immediacy and reality to warrant the
issuance of a declaratory judgment.” MedImmune, Inc. v. Genentech, Inc., 549
U.S. 118, 127 (2007) (quotations omitted); Strickland v. Alexander, 772 F.3d 876,
883-85 (11th Cir. 2014) (reversing dismissal of declaratory relief claim because the
risk of future harm was not, as the trial court found, remote). As a result, dismissal
of Plaintiffs’ equitable claims would be improper.12 See, e.g., Adobe, 66 F. Supp.
3d at 1215, 1221-22; Sony, 996 F. Supp. 2d at 999.
Next, Home Depot argues that Plaintiffs have not alleged the absence of an 12 Home Depot’s reliance on Tiller v. State Farm Mut. Auto. Ins. Co., No. 1:12-CV-3432-TWT, 2013 WL 451309 (N.D. Ga. Feb. 5, 2013), aff’d, 549 F. App’x 849 (11th Cir. 2013) and Bolin v. Story, 225 F.3d 1234, 1242 (11th Cir. 2000), is misplaced. As described above, Plaintiffs seek prospective relief to redress continuing harm from Home Depot’s ongoing data security deficiencies that is not duplicative of their claims for money damages.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 49 of 68
36
adequate legal remedy. But Plaintiffs have alleged they will not have an adequate
legal remedy if another breach occurs. Compl. ¶ 282. For example, many of the
injuries that will result from a future breach may not be readily quantifiable, such
as loss of good will and damage to Plaintiffs’ relationships with customers.
Because Plaintiffs have plausibly pled irreparable injury, unlike the plaintiffs in In
re Atlas Roofing Corp. Chalet Shingle Products Liability Litigation, No. 1:13-md-
2495-TWT, 2015 WL 114285, at *2 (N.D. Ga. Jan. 8, 2015), their claim for
injunctive relief should not be dismissed. See In re Managed Care Litig., 298 F.
Supp. 2d 1259, 1308 (S.D. Fla. 2003) (“whether money damages will prove to be
an adequate remedy at law cannot be determined” at the pleading stage).
Finally, the Association Plaintiffs have standing to sue on behalf of their
members. See, e.g., id.; Hunt v. Wash. State Apple Adver. Comm’n, 432 U.S. 333,
343 (1977). The sole basis for Home Depot’s challenge is an argument that
participation of the Association Plaintiffs’ members is required, which if true
would defeat associational standing. Id. Yet, members’ participation is not required
for the issues on which the Association Plaintiffs seek equitable relief – Home
Depot’s legal duties regarding data security, the adequacy of its current security
practices and whether particular safeguards are needed. These issues turn entirely
on Home Depot’s conduct, not that of the association’s members. See In re
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 50 of 68
37
Managed Care, 298 F. Supp. 2d at 1307-08 (“it is well-established that an
association may seek equitable relief on behalf of its members without running
afoul” of the member participation requirement). And, in any event, the
Association Plaintiffs have standing in their own right because they have and will
be forced to divert resources to deal with Home Depot’s data security problems
and their mission of assisting their members has been and will be frustrated.
Compl. ¶¶ 62-80. See Arcia v. Fla. Sec’y of State, 772 F.3d 1335, 1341-42 (11th
Cir. 2014) (diversion of resources confers standing on an association).
IV. PLAINTIFFS ADEQUATELY ALLEGE STATUTORY CLAIMS
Plaintiffs assert claims under statutes in eight states. Home Depot incorrectly
asserts each claim must be dismissed. Before turning to Home Depot’s specific
contentions, however, Plaintiffs emphasize four overarching principles governing
their statutory claims: state statutes prohibiting unfair practices are liberally and
broadly construed to protect the public; they allow businesses to sue for violations;
in construing the statutes, courts look for guidance to federal court decisions and
FTC actions interpreting Section 5 of the FTC Act; and whether conduct
constitutes an unfair practice is a decision for the trier of fact. See Exhibit A.
A. Plaintiffs Have Standing to Assert Statutory Claims.
Home Depot makes no new standing arguments relating to the statutory
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 51 of 68
38
claims, repeating arguments made earlier in its brief. Plaintiffs already have shown
they have Article III standing. See, e.g., Adobe, 66 F. Supp. 3d at 1218.
B. Plaintiffs Have Alleged an Unfair Practice Under Each Statute.
Unlike Roger Federer’s exquisite forehand, Home Depot’s mishit in
contending Plaintiffs have not alleged an unfair practice lands well wide of the
line. Plaintiffs allege Home Depot’s failure to maintain reasonable data security
measures constitutes an unfair trade practice under each statute. Compl. ¶¶ 224-28,
229-35, 240-44, 245-47, 249-54, 255-60, 267-72, 273-77.
Furthermore, as discussed above and pled in the complaint, the FTC has
repeatedly taken the position that inadequate security measures violate Section 5,
issued guidance to businesses, and pursued repeated enforcement actions in the
aftermath of data breaches involving problems similar to those at Home Depot.
See, e.g., Wyndham, 10 F. Supp. 3d at 608-09, 616-17, 624-25; BJ’s Wholesale
Club, 140 F.T.C. 465, 467 ¶ 7 (2005) (Sept. 20, 2005); CardSystems Solutions,
Inc., No. C-4168, 2006 WL 2709787 (F.T.C. Sep. 5, 2006); Life is Good, Inc., No.
C-4218, 2008 WL 1839971 (F.T.C. April 16, 2008); TJX Cos., No. C-4227, 2008
WL 3150421 (F.T.C. July 29, 2008). Indeed, in January, 2014, the FTC announced
its 50th data-security settlement.13 The FTC’s consistent interpretation of Section 5
13 See www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 52 of 68
39
supports Plaintiffs’ allegation that inadequate security measures constitute an
unfair practice. Particularly in light of the statutory directive that courts defer to the
FTC’s interpretation, dismissal of Plaintiffs’ statutory claims would be
inappropriate.
C. Plaintiffs Plead All Essential Elements of Each Statute.
(1) Alaska
Home Depot argues Plaintiffs do not have a claim in Alaska because its
statute lists 57 specific violations, none of which apply here. However, the
statutory list of unfair or deceptive acts is non-exclusive, Alaska Stat. Ann. §
45.50.471(b) (“[t]he terms ‘unfair or deceptive acts or practices’ include, but are
not limited to, the [listed] acts”) (emphasis added), and includes a violation of
Alaska’s data breach statute, which requires timely disclosure of data breaches, id.
§ 45.50.471(b)(55). Further, the statute, like the FTC Act, generally prohibits
unfair practices and in construing its provisions the statute directs courts to give
“due consideration and great weight” to the FTC’s interpretations of Section 5,
Alaska Stat. Ann. §§ 45.50.471 and 45.50.545, which include as an unfair act
inadequate data security practices. And the statutory definition of “unfair” acts is
the same as used by other courts which have refused to reject similar claims in data
breach cases such as Adobe, TJX Cos., and Michael Stores, as described below. See
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 53 of 68
40
State v. O’Neill Investigations, Inc., 609 P.2d 520, 535 (Alaska 1980).
(2) California
California’s UCL prohibits “any unlawful, unfair or fraudulent business act
or practice.” Cal. Bus. & Prof. Code § 17200; see generally Miller v. Bank of Am.,
No. CGC-99-301917, 2004 WL 2403580, at *19 (Cal. Super. Ct. Oct. 13, 2004).
Plaintiffs properly assert claims under both the “unfair” and “unlawful” prongs.
The “unfair” prong is met because, as Plaintiffs allege, Home Depot’s failure
to have reasonable security measures constitutes immoral, unethical, oppressive
and unscrupulous activity, causing substantial injury to consumers and businesses,
without providing any benefit to consumers or competition. Compl. ¶ 233. Home
Depot also violated public policy requiring that businesses safeguard customer data
as reflected in the California Constitution and statutes such as the Online Privacy
Protection Act, Cal. Bus. & Prof. Code § 22578; Information Practices Act, Cal.
Civ. Code § 1798.1; and Cal. Civ. Code § 1798.81.5(a). Such allegations are
sufficient to survive a motion to dismiss. See Adobe, 66 F. Supp. 3d at 1225-27.
The “unlawful” prong of the UCL prohibits “anything that can properly be
called a business practice and that at the same time is forbidden by law.” Cel-Tech
Commc’ns, Inc. v. L.A. Cellular Tel. Co., 973 P.2d 527, 560 (Cal. 1999). Plaintiffs
plausibly plead that Home Depot violated the California Customer Records Act
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 54 of 68
41
(“CRA”), Cal. Civ. Code § 1798.81.5(b), which requires a business to maintain
reasonable procedures to protect personal information about California residents
from unauthorized access or use. Compl. ¶¶ 230, 235. This CRA violation creates
liability under the UCL’s unlawful prong. See Adobe, 66 F. Supp. 3d at 1225-27.
Home Depot asserts Plaintiffs have no claim under the UCL based on CRA
violations because the CRA does not allow businesses to sue.14 That the CRA can
be enforced only by consumers, however, does not mean conduct the CRA
prohibits cannot be redressed by businesses under the UCL. See Adobe, 66 F.
Supp. 3d at 1225 (the UCL allows plaintiffs “to ‘borrow’ violations of other laws
and treat them as unlawful competition that is independently actionable”); Chabner
v. United of Omaha Life Ins. Co., 225 F.3d 1042, 1048 (9th Cir. 2000) (“It does not
matter whether the underlying statute also provides for a private cause of action;
section 17200 can form the basis for a private cause of action even if the predicate
statute does not.”); Zhang v. Superior Court, 304 P.3d 163, 171-72 (Cal. 2013)
(violation of a statute lacking a private right of action may support a UCL claim). 14 In discussing the UCL claim, Home Depot notes in passing that Plaintiffs are not consumers. HD Br. at 44. If Home Depot is suggesting Plaintiffs cannot sue under the UCL, it is wrong. The UCL allows a claim to be brought by an injured “person,” which is defined to include “natural persons, corporations, firms . . . associations and other organizations of persons.” Cal. Bus. & Prof. Code §§ 17201, 17204. Businesses routinely sue under the UCL. See, e.g., Blizzard Entm’t, Inc. v. Ceiling Fan Software LLC, 28 F. Supp. 3d 1006 (C.D. Cal. 2013); Iconix, Inc. v. Tokuda, 457 F. Supp. 2d 969 (N.D. Cal. 2006).
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 55 of 68
42
(3) Connecticut
Home Depot argues that when liability under CUTPA is based upon
“passive conduct,” the plaintiff must show the defendant had a legal duty to
perform a particular act, which Plaintiffs purportedly cannot do. However, as
shown above, Home Depot owed a duty to Plaintiffs to have adequate data security
measures. Further, Plaintiffs allege that Home Depot engaged in far more than
passive conduct, including interfering with efforts to fix its data security problems,
turning off security features of its security software, and, unlike the defendant in
Downes-Patterson Corp. v. First National Supermarkets, Inc., 780 A.2d 967
(Conn. App. Ct. 2001), intentionally deciding not to act despite having been
warned for years about the need for improvements. Perola v. Citibank (S.D.) N.A,
the other case Home Depot cites, also is distinguishable; the plaintiff’s CUTPA
claim was dismissed because it was predicated on previously dismissed claims and
she had not suffered an ascertainable loss caused by the defendants’ conduct, 894
F. Supp. 2d 188, 205-06 (D. Conn. 2012). Home Depot’s other argument – that
Plaintiffs’ injuries were not proximately caused by the breach – is addressed above.
Plaintiffs have alleged proximate cause, which is quintessentially a jury question.
(4) Florida
Home Depot wrongly challenges Plaintiffs’ FDUTPA claim on the ground
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 56 of 68
43
that only consumers purportedly have a right of action. The statute’s express
purpose is to “protect the consuming public and legitimate business enterprises
from those who engage in . . . unfair acts or practices.” Fla. Stat. Ann. § 502.202(2)
(emphasis added). While initially limited to consumers, FDUTPA was
substantially amended in 1993 and 2001 to delete that limitation and to broaden the
definition of “consumer” to include “any commercial entity.” James D. Hinson
Elec. Contracting Co. v. BellSouth Tel., Inc., No. 3:07-cv-598-J-32MCR, 2008 WL
360803, at *2-3 (M.D. Fla. Feb. 8, 2008). As a result, FDUTPA does not require a
plaintiff be a consumer.15 See, e.g., id.; Kelly v. Palmer, Reifler, & Assocs., P.A.,
681 F. Supp. 2d 1356, 1373-74 (S.D. Fla. 2010); Intercoastal Realty, Inc. v. Tracy,
706 F. Supp. 2d 1325, 1334 (S.D. Fla. 2010); In re Heartland Payment Sys. Inc.
Customer Data Breach Sec. Litig., 834 F. Supp. 2d 566, 604 (S.D. Tex. 2011).
(5) Illinois
Home Depot’s assertion that the failure to maintain adequate data security
measures does not state a claim under the ICFA is incorrect. See In re Michaels
Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011) (denying motion to
dismiss a claim alleging that the failure to comply with industry data security
standards and to properly notify consumers constituted unfair practices under the 15 The cases that have held to the contrary were decided before the amendments, mistakenly relied upon decisions that pre-dated the amendments, or are flat wrong.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 57 of 68
44
ICFA). The sole case relied upon by Home Depot – Garrett v. RentGrow, Inc. –
did not involve a data breach or data security issues and thus is not relevant. No. 04
C 8309, 2005 WL 1563162 (N.D. Ill. July 1, 2005).
(6) Massachusetts
Home Depot relies upon one case – Jasty v. Wright Med. Tech., Inc., 528
F.3d 28, 37 (1st Cir. 2008) – for its argument that inadequate data security
measures are outside the scope of MCPA. Jasty, which does not involve data
security issues, is inapplicable. In a data security case, the First Circuit later held
that allegations of inadequate security practices state an unfair practices claim
under the MCPA. In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d at 496. In so
holding, the First Circuit addressed the typical definition of an unfair practice used
in state versions of the FTC Act – e.g., that the practice is immoral, unethical,
oppressive or unscrupulous – and concluded:
If the charges in the complaint are true . . . a court using these general FTC criteria might well find in the present case inexcusable and protracted reckless conduct, aggravated by failure to give prompt notice when lapses were discovered internally, and causing very widespread and serious harm to other companies and to innumerable consumers. And such conduct, a court might conclude, is conduct unfair, oppressive and highly injurious – and so in violation of chapter 93A under the FTC’s interpretation.
Id. This conclusion applies to the other statutes under which Plaintiffs seek relief
which have the same definition of an unfair act or practice. See, e.g., Michaels
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 58 of 68
45
Stores, 830 F. Supp. 2d at 526 (relying upon TJX)).
(7) Minnesota
Plaintiffs allege Home Depot violated the Minnesota Plastic Card Security
Act (“MPCSA”) by retaining certain consumer data longer than allowed. Minn.
Stat. § 325E.64, subd. 2. According to Home Depot, Plaintiffs’ allegations are
deficient. Yet, the complaint alleges Home Depot kept the data longer than allowed
by the statute. Compl. ¶ 265. Plaintiffs also specify the length of time Home Depot
kept the data. See, id. ¶ 88 (merchants such as Home Depot collect information
within the scope of the MPCSA); ¶ 89 (Home Depot stored massive amounts of
this data “for years” and “indefinitely”); ¶¶ 170-71, 174-75 (Home Depot violated
industry requirements prohibiting it from storing cardholder data longer than
necessary to process a transaction); and ¶ 211.a (Home Depot failed to delete
cardholder information no longer needed to authorize a transaction). Because
Plaintiffs have adequately pled all elements of their MPCSA claim, Home Depot’s
motion to dismiss should be denied. See Target (FI Track), 64 F. Supp. 3d at 1314
(denying a motion to dismiss a MPCSA claim under similar facts).
(8) Washington
Plaintiffs plausibly plead valid claims under two Washington statutes: (1)
Wash. Rev. Code § 19.255.020, which requires businesses to take reasonable care
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 59 of 68
46
to guard against unauthorized access to account information; and (2) the
Washington Consumer Protection Act (“WCPA”), Wash. Rev. Code § 19.86.020,
which prohibits unfair practices. An unfair or deceptive act under the WCPA can
be based on a per se violation of another statute if the violation proximately caused
the plaintiffs’ injury and the plaintiff is within the class protected by the statute.
Dempsey v. Joe Pignataro Chevrolet, Inc., 589 P.2d 1265, 1270 (Wash. Ct. App.
1979); Blake v. Fed. Way Cycle Ctr., 698 P.2d 578, 581-82 (Wash. Ct. App. 1985).
Alternatively, a violation can be shown through proof that the defendant’s conduct
is illegal and against public policy as declared by the legislature or the judiciary.
Salois v. Mut. of Omaha Ins. Co., 581 P.2d 1349, 1351 (Wash. 1978).
Plaintiffs amply plead all of these requirements, asserting Home Depot
violated Wash. Rev. Code § 19.255.020(3)(a) by failing to adequately safeguard
customers’ account information; the violation proximately caused injury to
Plaintiff Sound Community Bank and the Washington Subclass; and they are
within the class of persons the statute was meant to protect, which cannot be
seriously disputed because the statute specifically allows them to recover their
mitigation costs. Further, Home Depot’s misconduct was illegal under Wash. Rev.
Code § 19.255.020(3)(a) and violated the clear public policy that customer data be
protected as provided by the statute.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 60 of 68
47
Home Depot asserts it has a defense if at the time of the breach it was
certified to be compliant with industry standards. According to Home Depot,
because the complaint is silent about whether such a certificate existed, the
Washington claim must be dismissed. This argument has no merit. Plaintiffs, in
fact, allege that Home Depot did not comply with industry standards at the time of
the breach, an outside investigator has so found, and Home Depot has a history of
misrepresenting its security procedures to certifying entities. Compl. ¶¶ 174-75,
178. In any event, Plaintiffs are under no obligation to negate an affirmative
defense in their pleadings. See Dekalb Cnty. v. HSBC N. Am. Holdings, Inc., No.
1:12-CV-03640-SCJ, 2013 WL 7874104, at *2 (N.D. Ga. Sept. 25, 2013).
V. PLAINTIFFS’ CLAIMS ARE RIPE
In a transparent attempt to delay this case indefinitely, Home Depot seeks
dismissal on ripeness grounds of all Plaintiffs’ claims because a “substantial
portion” of the alleged injuries are “potentially recoverable” through the so-called
Card Brand Recovery Process. Home Depot relies on three cases that apply the
ripeness doctrine to dismiss constitutional challenges to government laws and
actions. Significantly, Home Depot has not cited a single instance in which a
similar argument has ever been made, let alone adopted, in a case similar to this
one. That is for good reason. Applying the ripeness doctrine here makes no sense.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 61 of 68
48
A claim is ripe if the controversy is “definite and concrete, touching the
legal relations of parties having adverse legal interests.” Aetna Life Ins. Co. of
Hartford, Conn. v. Haworth, 300 U.S. 227, 240-41 (1937). Ripeness is rarely, if
ever, questioned in an action, such as this one, seeking damages for past conduct.
See Forum Architects LLC v. Candela, No. 1:07cv190/SPM/AK, 2008 WL
5101779 at *4 (N.D. Fla. Nov. 26, 2008) (“The overwhelming majority of cases
that raise the question of ripeness involve disputes that challenge, on constitutional
grounds, the validity of a statute or the actions of a governmental body, local
authority, or agency.); Gemtel Corp. v. Cmty. Redev. Agency of L.A., 23 F.3d 1542,
1545 (9th Cir. 1994) (“It is hard to see how a claim for damages could be unripe.
Either a cause of action has accrued, so it is ripe, or it has not yet accrued, so the
complaint fails to state a claim upon which relief can be granted.”).
Plaintiffs allege they suffered actual economic loss. Their claims do not
hinge on “uncertain and contingent future events that may not occur as anticipated,
or indeed may not occur at all” as required to apply the ripeness doctrine. See FEC
v. Lance, 635 F.2d 1132, 1138 (5th Cir. 1981) (citation omitted). If anything, it is
the so-called Card Brand Recovery Process that is the uncertain, contingent future
event. The process is not mentioned in the complaint, only vaguely described in
case law cited by Home Depot, and should not even be considered at this stage. See
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 62 of 68
49
Banknorth, N.A., 394 F. Supp. 2d at 287.
Plaintiffs expect discovery will show the recovery processes are voluntary,
non-binding, provide limited compensation and do not require participants to
release any claims or forego litigation. See Pa. State Emps. Credit Union v. Fifth
Third Bank, No. 1:CV-04-1554, 2006 WL 1724574, at *6 (M.D. Pa. Jun. 16, 2006)
(the process does not “eliminate a member’s right to pursue other legal remedies
that may be available outside the Visa compliance system, for example a fraud or
negligence claim”). Indeed, an unsuccessful attempt to use MasterCard’s process
to settle claims in the Target MDL provided such meager compensation that Judge
Magnuson noted the proposed settlement was not “fair and reasonable” and failed
to “pass the smell test.” In re Target Corp. Customer Data Sec. Breach Litig.,
MDL No. 14-2522, 2015 WL 2165432, at *2 (D. Minn. May 7, 2015).
If some Plaintiffs choose to participate in a recovery process and receive
some compensation for their injuries, Home Depot may have a right of set off. But,
there is no basis to find that their existing damage claims are not ripe because of
the possibility of some future recoveries from a non-party. Accordingly, Home
Depot’s ripeness argument should be rejected.
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 63 of 68
50
CONCLUSION
For the reasons set forth in this brief, Home Depot’s motion to dismiss
should be denied in its entirety.
Date: August 19, 2015 Respectfully submitted,
s/ Kenneth S. Canfield Kenneth S. Canfield, Ga. Bar # 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree St., NE, Suite 1600 Atlanta, Georgia 30309-3238 Telephone: 404-881-8900 [email protected] Co-lead Counsel
Joseph P. Guglielmo Erin Green Comite SCOTT+SCOTT, ATTORNEYS AT LAW, LLP 405 Lexington Avenue New York, New York 10174 Telephone: 212-594-5300 [email protected] [email protected] Co-lead Counsel
Gary F. Lynch Jamisen Etzel CARLSON LYNCH SWEET& KILPELA, LLP 1133 Penn Avenue, 5th Floor Pittsburgh, Pennsylvania 15222 Telephone: 412-322-9343 [email protected] [email protected] Co-lead Counsel
W. Pitts Carr W. PITTS CARR AND ASSOCIATES, PC 4200 Northside Parkway, NW Building 10 Atlanta, Georgia 30327 Telephone: 404-442-9000 [email protected] Co-liaison Counsel
Ranse M. Partin CONLEY GRIGGS PARTIN, LLP 1380 West Paces Ferry Road NW Suite 2100 Atlanta, Georgia 30327 Telephone: 404-467-1155 [email protected] Co-liaison Counsel
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 64 of 68
51
Plaintiffs’ Steering Committee
James H. Pizzirusso Swathi Bojedla HAUSFELD LLP 1700 K Street, NW, Suite 650 Washington, DC 20006 Telephone: 202-540-7200 [email protected] [email protected] Plaintiffs’ Steering Committee Chair Joseph Hank Bates III CARNEY BATES & PULLIAM 17 Washington Ave., N., Suite 300 Minneapolis, MN 55401 Telephone: 501-312-8500 [email protected] Bryan L. Bleichner CHESTNUT CAMBRONNE, PA 17 Washington Avenue North Suite 300 Minneapolis, MN 55401 Telephone: 612-339-7300 [email protected] Brian C. Gudmundson ZIMMERMAN REED, PLLP 1100 IDS Center 80 South 8th Street Minneapolis, MN 55042 Telephone: 612-341-0400 [email protected]
Robert N. Kaplan KAPLAN FOX & KILSHEIMER 850 Third Ave., 14th Floor New York, New York 10022 Telephone: 212-687-1980 [email protected] W. Daniel Miles, III Andrew E. Brasher Leslie L. Pescia BEASLEY ALLEN CROW MEHTVIN PORTIS & MILES P.O. Box 4160 218 Commerce Street Montgomery, Alabama 36103 Telephone: 334-269-2343 [email protected] Arthur M. Murray MURRAY LAW FIRM 650 Poydras Street, Suite 2150 New Orleans, Louisiana 71030 Telephone: 505-525-8100 [email protected] Karen H. Riebel LOCKRIDGE GRINDAL NAUEN 100 Washington Ave. S., Suite 2200 Minneapolis, MN 55401 Telephone: 612-339-6900 [email protected]
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 65 of 68
52
Vincent J. Esades David R. Woodward HEINS MILLS & OLSON, PLC 310 Clifton Avenue Minneapolis, MN 55403 Telephone: 612-338-4605 [email protected] [email protected] Andrew N. Friedman COHEN MILLSTEIN SELLERS TOLL 1100 New York Ave., NW East Tower, 5th Floor Washington, DC 20005 Telephone 202-408-4600 [email protected]
Thomas A. Withers GILLEN WITHERS & LAKE 8 E. Liberty Street Savannah, Georgia 31401 Telephone: 912-447-8400 [email protected]
Co-Counsel for Financial Institution Plaintiffs MaryBeth V. Gibson THE FINLEY FIRM, P.C. Piedmont Center 3535 Piedmont Road Building 14, Suite 230 Atlanta, GA 30305 Telephone: 404-320-9979 [email protected]
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 66 of 68
53
CERTIFICATION
The Undersigned hereby certifies, pursuant to Local Civil Rule 7.1D, that
the foregoing document has been prepared with one of the font and point selections
(Times New Roman, 14 point) approved by the Court in Local Civil Rule 5.1C.
/s/ Kenneth S. Canfield . Kenneth S. Canfield DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree St., NE, Ste. 1600 Atlanta, Georgia 30309-3238 Phone: 404-881-8900 Fax: 404-881-3017 KCanfield&Dsckd.com
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 67 of 68
54
CERTIFICATE OF SERVICE
I hereby certify that on August 19, 2015, I served all parties by causing a
true and correct copy of the foregoing Financial Institution Plaintiffs’
Memorandum in Opposition to Home Depot’s Motion to Dismiss to be filed with
the clerk of court using the CM/ECF system, which automatically sends a copy to
all counsel registered to receive service.
/s/ Kenneth S. Canfield . Kenneth S. Canfield
Co-Lead Counsel for the Financial Institution Plaintiffs
Case 1:14-md-02583-TWT Document 131 Filed 08/19/15 Page 68 of 68