McClain v. RBS Citizen's Bank, N.A.

MEMORANDUM

C. DARNELL JONES, II, District Judge.

Pending before the court is a motion to dismiss filed by defendants RBS Citizens *440Bank, N.A. and Citizens Bank of Pennsylvania. (Doc. No. 19.) After a thorough review of the motion and the parties’ respective briefs, the court will GRANT the motion IN PART and DENY IN PART. Count I (Negligent Infliction of Emotion Distress), Count II (Public Disclosure), Count III (Intrusion Upon Seclusion), and Count VIII (Punitive Damages) will be DISMISSED WITH PREJUDICE. Defendants’ motion to dismiss will be DENIED in all other respects.

BACKGROUND

The pertinent facts, viewed in the light most favorable to plaintiff, are as follows. Since 2002, plaintiff, Lisa McClain, a New Jersey resident, maintained personal banking accounts with defendants, Citizens Bank of Pennsylvania and RBS Citizens.2 (Sec. Am. Compl. at ¶¶ 1, 6.) Defendant Citizens Bank is a Pennsylvania Financial Institution with its registered office in Philadelphia, Pennsylvania. Id. at ¶ 3. Defendant RBS Citizens N.A. is a Rhode Island Corporation engaged in banking with offices throughout Philadelphia. Id. at ¶ 2.

Until August 5, 2011, plaintiff worked for and conducted her banking at defendant Citizens Bank in Philadelphia, Pennsylvania. Id. at ¶¶ 3-4. During that time, plaintiffs immediate supervisor was Kim O’Donnell, a Vice-President with defendant Citizens Bank. Id. at ¶ 5. After her termination on August 5, 2011, plaintiff continued to maintain her personal bank accounts. Id. at ¶¶ 6-7. Plaintiff alleges that, unbeknownst to her, Ms. O’Donnell used defendants’ IMI system to access plaintiffs bank accounts during work hours. Id. at ¶¶ 7, 28, 48. O’Donnell then shared plaintiffs personal financial information with her coworkers, specifically that plaintiff was seeing a psychiatrist, was receiving unemployment benefits, and was being treated by various doctors for personal health conditions. Id. at ¶¶ 7-8, 10-11. Plaintiff further alleges that O’Donnell disclosed plaintiffs salary information to O’Donnell’s coworkers and allegedly questioned how plaintiff and her husband paid their mortgage. Id. at ¶¶ 7-9, 10-11. Plaintiff alleges that O’Donnell had no legitimate banking reason for accessing accounts or disclosing her financial information to other RBS Citizens and Citizens Bank employees. Id. at ¶¶ 13, 63.

Plaintiff avers that, prior to the data breaches, defendants were aware that O’Donnell had engaged in similar 'inappropriate conduct in the past. Id. at ¶ 16. Further, after O’Donnell began accessing plaintiffs accounts, management-level employees of Citizens and RBS Citizens became aware of the intrusions and failed to report them. Id. at ¶ 14. Despite this knowledge, defendants continued to allow O’Donnell access to plaintiffs personal financial information—allegedly with the intent of holding plaintiff out to ridicule amongst her former co-workers. Id. at ¶¶ 17, 27. On July 24, 2012, plaintiff learned of O’Donnell’s conduct while attending a funeral when former co-workers asked her about her health and well-being. (Id. at ¶ 21.) Plaintiff claims she was humiliated and embarrassed. (Id. at ¶ 29.)

On February 15, 2013, plaintiff filed a complaint in the Court of Common Pleas, Philadelphia County. Defendants removed the complaint to federal court on March 25, 2013. (Doc. No. 1.) They filed their first motion to dismiss, (Doc. No. 7), and plaintiff filed an amended complaint before the court reached the merits of the motion, (Doc. No. 10). Defendants filed a *441second motion to dismiss, (Doc. No. 13), and the court granted plaintiff leave to amend her complaint to clarify the theory of liability under which she was seeking to hold defendants liable,3 (Doc. No. 18). On November 25, 2013, plaintiff filed a second amended complaint, which stated respon-deat superior claims for intentional infliction of emotional distress (Count I), public disclosure (Count II), and intrusion upon seclusion (Count III); direct liability claims for negligent supervision (Count V), negligent training (Count VI), and negligent hiring/retention (Count VII); claims under the Right to Financial Privacy Act of 1978 and the Gramm-Leach-Bliley Act (Count IV); and a claim for punitive damages (Count VIII). (Doc. No. 19.) Defendants filed a third motion to dismiss, (Doc. No. 20), which is the subject of the present discussion. Because the parties have fully briefed the motion, it is ripe for disposition.

DISCUSSION

A. NIED, PUBLIC DISCLOSURE, AND INTRUSION UPON SECLUSION

As an initial matter, it is worth clarifying that, although Count I is titled “negligent infliction of emotional distress,” the court will construe it as a claim for intentional infliction of emotion distress. In its brief in opposition, plaintiff represented to the court that it intended to raise an IIED claim and that the incorrect heading in Count I is the result of a clerical error. (Pi’s Br. at 3.) In response, defendants filed a reply brief addressing the merits of Count I as an IIED claim. (Defs Reply Br. at 2-6.) Therefore, because defendants have had an opportunity to be heard, there is no danger of prejudice.

Defendants first move to dismiss Counts I, II, and III on respondeat superi- or grounds. (Defs Br. at 4-10.) To state a respondeat superior claim under Pennsylvania law, a party must allege facts showing that an employee’s conduct “is of a kind and nature that the employee is employed to perform; ... occurs substantially within the authorized time and space limits; ... is actuated, at least in part, by a purpose to serve the employer; and ... if force is intentionally used by the employee against another, the use of force is not unexpected by the employer.” Costa v. Roxborough Memorial Hosp., 708 A.2d 490, 493 (Pa.Super.Ct.1998). Here, plaintiff alleged in her complaint that Ms. O’Donnell accessed defendants’ IMI system “for the purpose of accessing [pjlaintiff s ba[n]king account for the sole purpose of disseminating information to [pjlaintiff s former co-workers relating to her spending activities, personal financial activities and personal health information.” (Sec. Am. Compl. at ¶ 7.) She further alleges that O’Donnell “had no legitimate banking reason for doing so,” and that her actions “were intended to cause [pjlaintiff to suffer ridicule and embarrassment amidst her former coworkers.” (Sec. Am. Compl. at ¶¶ 13 & 27.) These allegations contradict plaintiffs respondeat superior claims because accessing defendants’ financial database for the purposes plaintiff alleges—essentially gossip—cannot be described as “actuated, at least in part, by a purpose to serve the employer.” Even without plaintiffs allegations concerning Ms. O’Donnell’s purpose, the court is at a loss to postulate any business purpose for her conduct. While it may be true that Ms. O’Donnell’s job responsibilities required her to have access to plaintiffs financial information for business pur*442poses,- her conduct in this instance simply cannot be said to impose vicarious liability on defendants. As such, Counts I, II, and III will be DISMISSED.

B. NEGLIGENT SUPERVISION, TRAINING, AND HIRINGIRETENTION

In Counts V, VI, and VII of her second amended complaint, plaintiff sets forth claims of negligent supervision (Count V), negligent training (Count VI), and negligent hiring/retention of employees. (Sec. Am. Compl. at ¶¶ 60-76.) Defendants move to dismiss these counts on the grounds that plaintiff has inadequately alleged knowledge on the part of Ms. O’Donnell’s employer concerning the disclosures at issue and that plaintiff failed to sufficiently allege how her employer received information regarding Ms. O’Donnell’s alleged indiscretions. (Defs Br. at 13.) Defendants also move for dismissal on the grounds that Ms. O’Donnell’s actions occurred off the employer’s premises. (Defs Br. at 13.)

Pennsylvania law imposes direct liability on “[a] person conducting an activity through servants or other agents ... if he is negligent or reckless ... (b) in the employment of improper persons or instrumentalities in work involving risk of harm to others; or (c) in the supervision of the activity; or (d) in permitting, or failing to prevent, negligent or other tortious conduct by persons, whether or not his servants or agents, upon premises or with instrumentalities under his control.” Heller v. Patwil Homes, Inc., 713 A.2d 105, 107 (Pa.Super.Ct.1998) (quoting Restatement (Second) of Agency § 213 (1958)). To establish liability, the employer must have known or, in the exercise of appropriate care, should have known that an employee had a propensity to engage in conduct for which the employee could be held liable. Keffer v. Bob Nolan’s Auto Service, Inc., 59 A.3d 621, 662 (Pa.Super.Ct.2012).

Plaintiffs second amended complaint states, in relevant part:

14. After Defendants’ employee O’Donnell commenced the intrusion into Plaintiffs accounts, her access became known to other management level employees of Defendants RBS [Citizens] Bank, N.A. and [Citizens] Bank of Pennsylvania, who failed to stop O’Donnell or to further report her activities despite their understanding of the campaign she was waging to disseminate confidential information about the Plaintiff.
15. Specifically, a security specialist within Defendants’ employ became aware that O’Donnell was making intrusions into Plaintiffs bank accounts with Defendants.
16. . Additionally, prior to intrusions into Plaintiffs accounts, Defendants’ employee O’Donnell made electronic intrusions without permission into the ac- . count of a former employee, Christine Harrington.
17. Despite the knowledge of management level employees, Defendants’ employee O’Donnell continued to access the Plaintiffs personal financial information and continued to disseminate information obtained using the Defendants’ IMI system in order to hold Plaintiff up to ridicule amidst the population of her former co-workers.

(Sec. Am. Compl. at 3.)

The court believes that plaintiff has adequately alleged that Ms. O’Donnell’s employer knew that she was accessing the company’s database, collecting information regarding employees, and misusing that information for her own purposes. The federal pleading rules do not require plaintiff to allege with specificity how defendants found out about Ms. O’Donnell’s un*443lawful activity, nor do they require a party to plead such knowledge with specificity. See Fed.R.Civ.P. 8 (requiring only short and plain statement of claims); Fed.R.Civ.P. 9 (allowing parties to plead conditions of mind generally). Moreover, plaintiffs allegations are sufficient to inform defendants of the bases of her claims. She explains that a security specialist became aware of Ms. O’Donnell’s intrusions, that management level employees were informed about the intrusion, and that Ms. O’Donnell had engaged in similar conduct with regard to a former employee, Christine Harrington, which defendants allegedly also knew about. These allegations are sufficient to state a plausible claim to relief.

Moving to defendants’ second objection, a cursory review of the complaint demonstrates that plaintiff never alleges that Ms. O’Donnell’s intrusions occurred while she was off company premises. To the contrary, the complaint contains factual allegations from which the court can infer that it was plausible that she accessed plaintiffs confidential information and disclosed it to other employees while she was on company premises. Plaintiff states, “O’Donnell accessed the [plaintiffs personal financial information during work hours and with the use of Defendants’ IMI system.” (Sec. Am. Compl. at ¶ 28.) Nothing in the complaint indicates that Ms. O’Donnell routinely worked from home or accessed defendants’ network remotely. In the alternative, even if Ms. O’Donnell did access plaintiffs financial records off premises, Pennsylvania law alternatively imposes direct liability on an employer when an employee uses an instrumentality of the employer to commit a tort or other wrongdoing. Heller, 713 A.2d at 107. Here, Ms. O’Donnell used her employer’s IMI system to access plaintiffs information. Therefore, defendants could be liable for Ms. O’Donnell’s use of its instrumentality to access plaintiffs personal information even if the alleged breach did not occur on the company’s tangible property. In sum, defendants’ motion to dismiss Counts V, VI, arid VII will be DENIED.

C. RIGHT TO FINANCIAL PRIVACY ACT & GRAMM-LEACH-BLILEY ACT

In Count IV of her complaint, plaintiff alleges that defendants violated the Right to Financial Privacy Act of 1978 (RFPA), 12 U.S.C. § 3401 et seq., and the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801 et seq. (Sec. Am. Compl. at ¶ 58.). Defendants move to dismiss these claims on two grounds: (1) RFPA is inapplicable to O’Donnell’s financial data disclosures because the Act only applies to invasions of privacy by government actors, and (2) the GLBA does not allow private causes of action. (Defs Br. at 10-11.) Plaintiff takes the position that defendants are precluded from asserting these defenses because they failed to raise them in their motions to dismiss the original and first amended complaint. (Pi’s Br. at 22.) Without addressing the merits of these claims, the court notes that plaintiff raised identical claims in its initial complaint and its first amended complaint, but defendant failed to move for dismissal of these claims in its prior motions. Therefore, they are prevented from moving for their dismissal now. Fed.R.Civ.P. 12(h); GCL, LLC v. Schwab, No. 11-CV4593, 2012 WL 4321972, *3 (E.D.Pa.2012).

D. PUNITIVE DAMAGES

As an initial matter, there is some dispute over whether plaintiffs separate count for punitive damages is permissible under federal pleading standards. “Punitive damages are a form of relief and not *444the basis for a separate cause of action.” Mansman v. Tuman, 970 F.Supp. 389, 404 (E.D.Pa.1997). Therefore, because Count VIII appears to be a claim solely for punitive damages, it will be DISMISSED.

Defendants next argue that plaintiff failed to allege sufficient facts regarding defendants’ liability for punitive damages. (Def s Br. at 14-15.) In particular, defendants claim that plaintiff did not adequately plead that defendants acted with the required state of mind. (Id.) Punitive damages are available under Pennsylvania law “when an individual’s actions are of such an outrageous nature as to demonstrate intentional, willful, wanton, or reckless conduct.” Interact Accessories, Inc. v. Video Trade Int’l, Ltd., No. 98-CV-2430, 1999 WL 159883, *3 (E.D.Pa. Mar. 22, 1999). “[P]unitive damages cannot be based upon ordinary negligence.” Boring v. Google Inc., 362 Fed.Appx. 273, 282 (3d Cir.2010). Whether a party is entitled to punitive damages is ordinarily a question of fact for the jury. Pichler v. UNITE, 542 F.3d 380, 388 (3d Cir.2008). Because only Counts IV, V, VI, and VII survive this motion to dismiss, the court need only address the issue as it pertains to those claims.

Here, plaintiff averred that defendants knew of O’Donnell’s conduct through individuals working in them security and fraud department. (Sec. Am. Compl. at ¶¶ 14, 15, 64, 71.) Given the nature of the alleged intrusions into plaintiffs private financial data, it is at least reasonable to infer that defendants appreciated the risk of harm that would accompany its failure to act on unauthorized intrusions. Pryor v. Mercy Catholic Med. Ctr., No. 99-CV-988, 1999 WL 956376, at *5 (E.D.Pa. Oct. 19, 1999) (“Given that throughout [plaintiffs complaint she alleges that defendants knew or should have known of the conduct in question, and yet failed to act, it cannot be said with certainty that the standard for punitive damages has not been met concerning [p]laintiffs remaining count of negligent supervision. It is simply too early in the proceedings to adequately make such a determination. As such, defendants’ request to strike the respective punitive damage demands cannot be granted.”) At this stage, the court is not prepared to hold that defendants did not have the requisite mental state to support an award of punitive damages. Plaintiff has sufficiently pled reckless indifference at this stage. Therefore, defendants’ motion to dismiss plaintiffs claim for punitive damages will be DENIED.

E. PROPER DEFENDANTS

Finally, defendant claims that RBS Citizens should be dismissed because it was not plaintiffs employer. At this stage, the court is limited to drawing facts from the face of the complaint. Plaintiff alleges that both banks were her employer, that Ms. O’Donnell was an employer at both banks, and that she maintained personal bank accounts at both banks. . At this point, the court is unable to state as a matter of law that RBS Citizens was not plaintiffs employer, nor can the court make a determination that RBS Citizens is not liable for the acts or omissions set forth in the complaint. As such, defendants motion to dismiss RBS Citizens as a defendant is DENIED.

CONCLUSION

After thoroughly reviewing defendants’ motion and the parties’ respective briefs, the motion to dismiss, (Doc. No. 20), will be GRANTED IN PART and DENIED IN PART. Count I (Negligent Infliction of Emotion Distress), Count II (Public Disclosure), Count III (Intrusion Upon Seclusion), and Count VIII (Punitive Damages) will be DISMISSED WITH PREJU*445DICE. Defendants’ motion to dismiss will be DENIED in all other respects.

ORDER

AND NOW, this 30th day of September, 2014, it is hereby ORDERED that defendants’ motion to dismiss, (Doc. No. 20), will be GRANTED IN PART and DENIED IN PART. It will be GRANTED insofar as it seeks dismissal of Count I (Negligent Infliction of Emotion Distress), Count II (Public Disclosure), Count III (Intrusion Upon Seclusion), and Count VIII (Punitive Damages). Those claims are DISMISSED WITH PREJUDICE. Defendants’ motion to dismiss will be DENIED in all other respects.

. It appears from the complaint as though Citizens Bank of Pennsylvania and RBS Citizens are the same entity. (Sec. Am. Compl. at ¶¶ 2-3.)

. It was unclear from the face of the complaint whether plaintiff was bringing claims against defendants under a theory of direct liability or respondeat superior liability.