Hendricks v. DSW Shoe Warehouse Inc.

444 F. Supp. 2d 775 (2006)

Teresa HENDRICKS, individually and on behalf of a class, Plaintiff,
v.
DSW SHOE WAREHOUSE INC., an Ohio corporation, Defendant.

No. 1:05-CV-767.

United States District Court, W.D. Michigan, Southern Division.

July 26, 2006.

*776 Curtis Charles Warner, Edelman Combs Latturner & Goodwin LLC, Chicago, IL, for Plaintiff.

Bruce W. Neckers, John M. Lichtenberg, Rhoades McKee, Grand Rapids, MI, for Defendant.

OPINION AND ORDER ON MOTION TO DISMISS

MILES, Senior District Judge.

Plaintiff Teresa Hendricks, acting individually and on behalf of a class, filed this diversity action against defendant DSW Shoe Warehouse, Inc. ("DSW"). Plaintiff alleges that DSW is liable for the costs of a credit monitoring product which plaintiff and others purchased to protect themselves from identity theft after their personal financial information, provided during *777 transactions with the company, was stored and later "compromised" by an unauthorized third party. The matter is currently before the court on a motion by DSW for dismissal under Fed.R.Civ.P. 12(b)(6) (docket no. 16). Plaintiff has opposed the motion.

For the reasons to follow, the court GRANTS the motion.

I

Plaintiff is an individual residing in Grand Rapids, Michigan. DSW is an Ohio corporation having its principal offices in Columbus, Ohio. DSW operates 199 shoe stores in 32 states. At least three of these stores are located within the Western District of Michigan.

Plaintiff purchased shoes from two west Michigan DSW stores on a number of occasions during late 2004 and early 2005, using a debit card associated with her checking account. Sometime during this same period, personal financial information maintained on a computer network by DSW—including customers' credit card and debit card numbers, along with the corresponding names to those cards, and checking account numbers and drivers' license numbers provided by check writers—was "compromised by an unauthorized third party." Amended Complaint at 2, ¶ 7. This included information from at least seven Michigan DSW locations, including Lansing, Michigan, where plaintiff had purchased shoes using her debit card. The information "compromised" included the numbers and names associated with approximately 1,438,281 credit and debit cards and 96,385 checking account numbers and drivers' license numbers. Id. at 3, ¶ 8.

DSW became aware of the compromise of this information in March, 2005. Id. at 3, ¶ 9. This situation apparently became publicly known as early as March 10, 2005, shortly after the data theft. See id. at 3, ¶ 10. In June, 2005, plaintiff received a letter from DSW informing her that she was one of the customers whose personal information had been "stolen." Id. at 4, ¶ 15. Plaintiff alleges that in November, 2005, her bank provided her with a new debit card "as protection," presumably from potential fraudulent charges on the card. Id. at 15, ¶ 77. After she received the new debit card, plaintiff also purchased a "credit monitoring product" in order to "protect herself from identity theft." Id. at 15, ¶ 79. Although plaintiff alleges generally that "[f]raudulent charges have been made on some of the credit card and debit card accounts that were obtained from DSW by an unauthorized user," id. at 14, ¶ 67 (emphasis supplied), plaintiff has not alleged either that her personal information has been used, that she or any other putative class member has been held liable for any fraudulent charges to a credit or debit card, or that her credit or that of any other putative class member has been damaged. Instead, the sole claim for damages is based on the allegation that it is reasonable for plaintiff and other putative class members to purchase credit monitoring in order to "prevent future unauthorized use" of their credit and debit card accounts. Id.

The Federal Trade Commission ("FTC") filed a complaint against DSW, alleging that the company's "failure to employ reasonable and appropriate security measures to protect personal information and files caused or is likely to cause substantial injury to consumers" and constituted an "unfair act or practice in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)." In re DSW, Inc., No. 52-3096, 2005 WL 3366974 (F.T.C. Dec. 1, 2005); In re DSW, Inc., No. 52-3096, 2006 WL 752215 (F.T.C. March 7, 2006). According to the allegations of plaintiff's complaint in this case, DSW subsequently entered into *778 a consent order with the FTC based on the allegations of the FTC's complaint. Amended Complaint at 12, ¶ 61.

Plaintiff filed this action on behalf of herself and a putative class consisting of all persons who have Michigan addresses or did business with a Michigan DSW location, whose personal information from either their credit card, debit card, or personal check was retained by DSW and was compromised by an unauthorized third party. Plaintiff estimates that the class consists of 50,000 to 60,000 Michigan residents. The amended complaint, which contains a number of allegations which appear to be derived from the FTC complaint filed against DSW, asserts the following claims arising under state law: (1) breach of a contract between DSW and its customers "by failing to safeguard [customers'] personal information and limit its use to the sole purpose of facilitating transactions with customers" (Count I); (2) breach of a contract between DSW and credit and debit card issuers, which required DSW "to secure, protect, and dispose of [customers'] credit and debit card information" (Count II); and (3) an individual claim, on behalf of plaintiff only, alleging violation of the Michigan Consumer Protection Act, M.C.L. §§ 445.901 et seq. ("MCPA"), specifically M.C.L. § 445.903(1)(s), by failing to disclose to plaintiff that DSW was not implementing adequate security measures to protect plaintiff's personal information. As relief on behalf of herself and the putative class, plaintiff seeks both injunctive relief "requiring DSW to take adequate measures to protect consumer data entrusted to it" and damages "in an amount sufficient to pay for the monitoring of credit reports and accounts." Amended Complaint at 17, ¶ 91; at 19, ¶ 97; at 20, ¶ 110. In addition, as relief on her individual MCPA claim, plaintiff also seeks an award of attorney fees and costs. Amended Complaint at 20, ¶ 110.

Shortly after plaintiff filed this action, the court, which questioned whether the requirements for diversity jurisdiction under 28 U.S.C. § 1332 were satisfied, issued an Order requiring the parties to brief the question of subject matter jurisdiction. The parties did so. The court's principal concern derived from the amount in controversy requirement, which the court is now convinced is satisfied in this case, notwithstanding critical deficiencies in plaintiff's claims.[1]

II

DSW seeks dismissal for failure to state a claim under Fed.R.Civ.P. 12(b)(6). Fed.R.Civ.P. 12(b)(6) permits a district court to dismiss a plaintiff's complaint for "failure to state a claim upon which relief can be granted." A motion under the rule may be granted only when it appears beyond doubt that the plaintiff can prove no set of facts in support of her claim that would entitle her to relief. Conley v. Gibson, 355 U.S. 41, 45-46, 78 S. Ct. 99, 102, 2 L. Ed. 2d 80 (1957); Miller v. Currie, 50 F.3d 373, 377 (6th Cir.1995). In deciding a motion under Rule 12(b)(6), the court accepts all of the allegations as true and construes the complaint "liberally in favor of the party opposing the motion." Miller, 50 F.3d at 377. A district court *779 need not, however, accept as true legal conclusions or unwarranted factual inferences. Michigan Paytel Joint Venture v. City of Detroit, 287 F.3d 527, 533 (6th Cir.2002); Gregory v. Shelby County, 220 F.3d 433, 446 (6th Cir.2000). "To survive a motion to dismiss under Fed.R.Civ.P. 12(b)(6), a complaint must contain either direct or inferential allegations respecting all the material elements to sustain recovery under some viable legal theory." Begala v. PNC Bank, Ohio, Nat'l Assn., 214 F.3d 776, 779 (6th Cir.2000) (emphasis in original; internal quotations and citation omitted).

III

In its motion, DSW argues that plaintiff's action is a novel effort, in the wake of a data theft incident, to assert claims which run afoul of established principles of Michigan law applicable to such claims. Although DSW raises a number of issues in support of its motion, the court herein addresses only two deficiencies: (1) plaintiff's failure to allege any cognizable damages or loss stemming from the data theft, as opposed to a mere risk of future damages, and (2) plaintiff's failure to allege a cognizable duty of disclosure.

As noted above, the only damages which plaintiff alleges to have incurred as a result of the data theft are expenses which she has made to purchase a credit monitoring product, which she alleges will prevent future unauthorized use of her personal data. However, although the amount of recoverable damages is a question of fact, the measure of damages upon which the factual computation is based is a question of law. Wolff & Munier, Inc. v. Whiting-Turner Contracting Co., 946 F.2d 1003, 1009 (2d Cir.1991); see Cold Metal Process Co. v. E.W. Bliss Co., 285 F.2d 231, 242 (6th Cir.1960) (ruling on the measure of damages arising out of undisputed facts involved a question of law); see also Neyer v. United States, 845 F.2d 641, 644 (6th Cir.1988) ("the exact amount of a damages award is left to the discretion of the trier of fact within the framework of allowable elements under the law") (emphasis supplied). Therefore, although plaintiff alleges that she and the putative class have incurred or will incur damages represented by the costs of purchasing a credit monitoring product, the question of law for the court is whether such alleged damages—or, in the case of the MCPA, such alleged losses—are properly recoverable under Michigan law on the claims asserted by plaintiff, assuming the truth of plaintiff's well-pleaded factual allegations.[2]

In her complaint plaintiff alleges, somewhat unnecessarily, that "[i]dentity theft is a real and serious threat to persons whom have had their personal information compromised[.]" Amended Complaint at 12, ¶ 64. For purposes of resolving the present motion, the court assumes this to be true. The court also assumes the truth of plaintiff's allegation that the relief which plaintiff seeks both on behalf of herself and the putative class—the cost of purchasing credit monitoring—will "protect" them from identity theft. Id. at 15, ¶ 79. (Indeed, if this is true, perhaps it would be prudent for everyone to monitor their credit?) However, the facts, as plaintiff has alleged, do not indicate that plaintiff has had her identity stolen or that her personal information has been used to her detriment in any way. Instead, plaintiff is claiming as damages the costs of protecting herself against a risk that the stolen data will, in the future, be used to her detriment. If plaintiff's theory of damages is accepted, she is entitled to a recovery *780 now in the form of expenses for monitoring her credit, as opposed to a recovery later, if and when she suffers actual harm in the event that she is held responsible for a fraudulent charge or her credit is adversely affected. She is, according to her theory, entitled to damages to buy peace of mind, or to help her determine when and if a claim accrues through actual loss. But Michigan law does not accept such a theory of recovery on the claims asserted by plaintiff.

Plaintiff has asserted two claims based on breach of contract. Under Michigan law,

Once a valid contract claim has been established, a plaintiff seeking to recover on a breach of contract theory must then prove by a preponderance of the evidence the terms of the contract, that the defendant breached the terms of the contract, and that the breach caused the plaintiff's injury.

In re Brown, 342 F.3d 620, 628 (6th Cir. 2003) (emphasis supplied). "The party asserting a breach of contract has the burden of proving its damages with reasonable certainty, and may recover only those damages that are the direct, natural, and proximate result of the breach." Alan Custom Homes, Inc. v. Krol, 256 Mich. App. 505, 512, 667 N.W.2d 379, 383 (2003) (emphasis supplied). Contract damages are limited to those which "arise naturally from the breach." Kewin v. Massachusetts Mutual Life Ins. Co., 409 Mich. 401, 295 N.W.2d 50, 53 (1980). Dismissal of a contract claim is warranted where damages are "dependent upon the chances of business or other contingencies[.]" McEwen v. McKinnon, 48 Mich. 106, 11 N.W. 828, 829 (1882). In addition, a breach of contract claim must be rejected where the breach, if any, is "damnum absque injuria." United States v. County of Muskegon, 298 F.3d 569, 585 (6th Cir. 2002). Finally, mental distress and anguish are generally not proper elements of damages in breach of contract actions, Bolden v. John Hancock Mutual Ins. Co., 422 F. Supp. 28, 29 (E.D.Mich.1976), "absent purposeful tortious conduct independent of the breach." Willis v. New World Van Lines, Inc., 123 F. Supp. 2d 380, 389 (E.D.Mich.2000).

Here, plaintiff has, as part of her contract claims, specifically alleged that the unknown third party's access to DSW's customers' personal information was "unauthorized" by DSW. Amended Complaint at 2, ¶ 7; at 12, ¶ 62; at 14, ¶ 67; at 20, ¶ 107. Therefore, the complaint does not permit an inference that DSW engaged in "purposeful tortious conduct" independent of the alleged breach. Instead, plaintiff merely alleges that DSW's alleged breach has caused her to purchase peace of mind in the face of an increased risk of identity theft. However, even assuming that such a risk can be measured, Michigan law does not recognize the measure of damages proposed by plaintiff in breach of contract actions. Plaintiff has simply failed to allege damages of a type cognizable under Michigan common law applicable to contract actions, and therefore her contract claims are subject to dismissal as a matter of law.[3]

*781 At the outset of her response brief, plaintiff relies heavily on a decision issued by another federal district court, Richardson v. DSW, Inc., No. 05 C 4599, 2005 WL 2978755 (N.D.Ill. Nov. 3, 2005). In Richardson, the plaintiff—coincidentally represented by the same counsel representing plaintiff in this case—alleged that DSW negligently permitted unauthorized access to its computer system and that her financial information was stolen. She asserted claims based on implied contract, bailment, and the Illinois Consumer Protection Act. Applying Illinois law, the district court granted DSW's motion for dismissal of plaintiff's bailment and consumer fraud act claims, but denied the motion with respect to plaintiff's implied contract claim. The court's ruling in Richardson was based on the particular arguments raised by DSW in that case, which did not include all of the same arguments or deficiencies DSW has asserted here. That case—which this court is not required to follow in any event—therefore does not involve identical issues and does not have precedential value for purposes of resolving the specific motion before this court.[4]

Plaintiff's failure to allege cognizable damages is likewise fatal to her individual claim under the MCPA. This Michigan statute prohibits "[u]nfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce[.]" M.C.L. § 445.903(1). In her amended complaint, plaintiff relies on a section of the statute which proscribes "[f]ailing to reveal a material fact, the omission of which tends to mislead or deceive the consumer, and which fact could not reasonably be known by the consumer." M.C.L. § 445.903(1)(s). Specifically, plaintiff alleges that "DSW did not take appropriate measures to protect [her] information" and "failed to disclose this material fact, that it was not implementing adequate security measures with regard to [her] personal information." Amended Complaint at 19-20, ¶¶ 103-104.

However, even assuming that plaintiff could establish the remaining elements of a cause of action under the cited section of the MCPA—including a duty to disclose to customers its specific data security measures (or lack thereof), as well as a violation of that duty which amounts to more than mere negligence—plaintiff has failed to allege that she has suffered a cognizable loss as required by the statute.

M.C.L. § 445.911(3) provides, in pertinent part, that "a person who suffers loss as a result of a violation of this act may bring an action to recover actual damages or $250.00, whichever is greater, together with reasonable attorneys' fees" (emphasis supplied). The statute, therefore, requires an allegation of "loss." See Mayhall v. A.H. Pond Co., Inc., 129 Mich.App. 178, 341 N.W.2d 268, 270 (1983) (statute requires *782 plaintiff "to have sustained a loss as a condition for bringing an action to recover damages. . . . By specifying in . . . § 11 of the MCPA that in order to bring a suit plaintiff must suffer a 'loss' as a result of the statutory violation, the Legislature, we conclude, has incorporated in the acts the common-law requirement of injury").

Here, plaintiff has alleged not that she suffered a "loss" as a result of DSW's alleged violation of the statute. Instead, she has alleged only that she purchased a credit monitoring product to protect herself from identity theft. However, the court is aware of no Michigan authority which recognizes, as injury in an action under the MCPA, recovery for a potential future loss which has not actually occurred.

The MCPA also permits a plaintiff to seek declaratory and injunctive relief in the absence of damages. M.C.L. § 445.911(1). Here, because plaintiff seeks injunctive relief "requiring DSW to take adequate measures to protect consumer data entrusted to it[,]" the basic question is whether DSW "is engaging or is about to engage in a method, act, or practice which is unlawful under section 3 [of the act]." Insofar as many of the specific practices prohibited by the act—including that relied upon by the plaintiff here—involve fraud, it is proper to construe the statute with reference to that common law tort. Zine v. Chrysler Corp., 236 Mich.App. 261, 600 N.W.2d 384, 398 (1999); Mayhall, 341 N.W.2d at 270.

As noted above, plaintiff relies on a section of the MCPA which proscribes "[f]ailing to reveal a material fact, the omission of which tends to mislead or deceive the consumer, and which fact could not reasonably be known by the consumer." M.C.L. § 445.903(1)(s). This section does not impose any duty on sellers to provide data security information to customers, and no allegation is made that DSW assumed a duty to provide its customers with such information. See Zine, 600 N.W.2d at 395 ("the voluntary assumption of a duty is a concept applicable to negligence law[,]" whose principles "have little application"). However, under Michigan law, "silent fraud"—as plaintiff has alleged here—requires a plaintiff to show "that some type of representation that was false or misleading was made and that there was a legal or equitable duty of disclosure." M & D, Inc. v. McConkey, 231 Mich.App. 22, 585 N.W.2d 33, 39 (1998). Under Michigan common law, "there must be some type of misrepresentation, whether by words or action, in order to establish a claim of silent fraud." Id., 585 N.W.2d at 41.

Construing the MCPA with reference to the common law tort of silent fraud, the court concludes that Michigan courts would not recognize a claim under M.C.L. § 445.903(1)(s) in the absence of a duty of disclosure. Here, no such duty is alleged.[5] Moreover, plaintiff's citation to cases recognizing duties in context of negligence claims is an insufficient basis for the court to recognize such a duty, given that the principles of negligence law "have little application" to claims asserted under the MCPA, on which plaintiff has chosen to base her individual claim and which includes a provision for attorneys' fees. Zine, 600 N.W.2d at 395.[6] Therefore, the *783 court concludes that plaintiff has failed to state a claim under section 3(1)(s) of the MCPA, M.C.L. § 445.903(1)(s).

IV

There is no existing Michigan statutory or case law authority to support plaintiff's position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss. Indeed, there is reason to believe that Michigan's highest court would reject a novel legal theory of damages which is based on a risk of injury at some indefinite time in the future. See Henry v. Dow Chemical Co., 473 Mich. 63, 701 N.W.2d 684, 692 (2005) (rejecting "medical monitoring" cause of action, concluding that "our common law requires a present injury in addition to economic loss incurred as a result of that injury"). In addition, there is no existing Michigan statutory or case law authority to support plaintiff's position that DSW had a legal duty to disclose to its customers—who could conceivably include computer hackers—specific information about its computer security systems. This federal court, sitting in diversity, has a "proper reluctance to speculate on any trends of state law[.]" Combs v. International Ins. Co., 354 F.3d 568, 577 (6th Cir.2004). "Federal courts hearing diversity matters should be extremely cautious about adopting 'substantive innovation' in state law." Id. (citation omitted). The court concludes that because Michigan courts would not recognize the causes of action asserted in plaintiff's amended complaint, her pleading is subject to dismissal as a matter of law.

Conclusion

Motion granted.

NOTES

[1] In addition to invoking the court's diversity jurisdiction under 28 U.S.C. § 1332, paragraph 2 of plaintiff's amended complaint also nominally invokes jurisdiction under 28 U.S.C. § 1337, which provides for federal question jurisdiction in the district courts of any civil action arising under any Act of Congress regulating commerce or protecting trade and commerce against restraints and monopolies. However, because plaintiff has not asserted any federal claims, it is unclear why her amended complaint invokes § 1337. The court's assertion of jurisdiction is based on diversity, and not on the existence of any federal question.

[2] Plaintiff's amended pleading relies on Michigan law. For purposes of its motion, DSW assumes that Michigan law applies to all three of plaintiff's claims. The court does likewise herein.

[3] Here, it makes no difference that plaintiff seeks to bring the contract claims on behalf of a putative class. In order to obtain class certification, a plaintiff must first satisfy Fed. R.Civ.P. 23(a)'s requirements of numerosity, commonality, typicality, and adequacy of representation. Golden v. City of Columbus, 404 F.3d 950, 965 (6th Cir.2005). Plaintiff is not a proper class representative if her claims cannot survive dismissal. See Courtney v. Smith, 297 F.3d 455, 467 (6th Cir.2002) (plaintiffs who lacked standing to bring lawsuit could not advance claims of other unnamed individuals); see also Great Rivers Coop. of Southeastern Iowa v. Farmland Indus., Inc., 120 F.3d 893, 899 (8th Cir.1997) (named plaintiff whose claim was time-barred could not represent class). "[E]ven named plaintiffs who represent a class `must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.'" Lewis v. Casey, 518 U.S. 343, 116 S. Ct. 2174, 2183, 135 L. Ed. 2d 606 (1996) (citation omitted). The amended complaint's allegation that "[f]raudulent charges have been made on some of the credit card and debit card accounts" does not make plaintiff a proper class representative. Moreover, because no allegation is made that any putative class member has been held liable for fraudulent charges, it is unclear whether a proper class representative exists even if Rule 23(a)'s other requirements may be satisfied.

[4] After the initial ruling in Richardson, the plaintiff in that case filed a motion for leave to amend her complaint to assert an additional claim under the Illinois Consumer Fraud and Deceptive Practices Act. The court granted that motion. Richardson v. DSW, Inc., No. 05 C 4599, 2006 WL 163167 (N.D.Ill. Jan. 18, 2006). Nothing in that subsequent ruling impacts upon this court's conclusions herein.

[5] Plaintiff has conceded that whether a legal duty exists for purposes of the MCPA is a question of law for the court to decide. Plaintiff's Response at 16.

[6] For this reason, the landlord negligence cases on which plaintiff relies, including Aisner v. Lafayette Towers, 129 Mich.App. 642, 341 N.W.2d 852 (1983), Samson v. Saginaw Prof'l Bldg., Inc., 393 Mich. 393, 224 N.W.2d 843 (1975), and Stanley v. Town Square Coop., 203 Mich.App. 143, 512 N.W.2d 51 (1993), are neither applicable nor persuasive.

For the same reason, the unpublished case of Bell v. Michigan Council 25 of the Amer. Federation of State, County, and Mun. Employees, AFL-CIO, Local 1023, No. 246684, 2005 WL 356306 (Mich.Ct.App. Feb. 15, 2005), appeal denied, 474 Mich. 989, 707 N.W.2d 597 (Dec. 28, 2005), on which plaintiff relies, is likewise neither applicable nor persuasive. Bell, like the other cases which plaintiff cites, was a negligence case. Here, plaintiff has not asserted any claims of negligence. However, it is also noted that in Bell, evidence was found indicating that the perpetrator of the identity theft had used the plaintiffs' personal information to purchase goods in plaintiffs' names. Id. at *1. In addition, the defendant in the case was the plaintiffs' union, which the court concluded had a "special relationship" with plaintiffs "such that [it] did owe plaintiffs a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information[.]" Id. at *5.