Alonso v. Blue Sky Resorts, LLC

ENTRY ON DEFENDANTS’ MOTION TO DISMISS

TANYA WALTON PRATT, JUDGE.

This matter is before the Court on a Motion to Dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6), filed by Defendants Blue Sky Resorts, LLC, and Blue Sky Casinos, LLC (collectively, “Blue Sky”) (Filing No. 34). Plaintiffs Annie Alonso (“Alonso”) and Natalie Hardt (“Hardt”) (collectively, “Plaintiffs”), filed this consumer action lawsuit individually and on behalf of all other individuals similarly situated, alleging Breach of Implied Contract, Unjust Enrichment, and Breach of Duty of Good Faith and Fair Dealing after their personal information was stolen as a result of a data breach of Blue Sky’s servers. For the following reasons, the Court GRANTS Blue Sky’s Motion to Dismiss.

I. BACKGROUND

Blue Sky owns and operates the French Lick Resort[1] located in Southern Indiana. Alonso, a resident of Indiana, stayed at Blue Sky’s West Baden Springs Hotel from July 27 to July 29, 2014, and paid for her room with her credit card. Hardt, a resident of Kentucky, stayed at Blue Sky’s French Lick Springs Hotel from May 23 to May 26, 2014, and she also paid for her room with her credit card.

On January 19, 2015, Blue Sky learned that it had suffered a data breach committed by hackers who had installed a malware program on one of its servers on French Lick Resort’s point of sale system. This malware allowed the hackers to periodically obtain certain credit card information from some, but not all, of the resort’s customers who had used their credit cards at the resort—specifically the names, credit card numbers, and card expiration dates were stolen (Filing No. 36 at 3-4). Upon discovering the data breach, Blue Sky immediately provided information to law enforcement authorities and employed a specialized computer technology team to investigate, isolate, and eliminate the malware. The concealment of the malware was so sophisticated that it was undetected by these experts for several days. An internal investigation revealed that the malware had been installed on the point of sale system on April 23, 2014, and it was not disabled until January 21, 2015, two days after the first notification of a data breach.

Starting on January 26, 2015, Blue Sky provided notification of the data breach to its customers by sending letters directly to them. Additionally, starting on January 26, 2015, Blue Sky began notifying the Attorneys General in fifteen states, including Indiana. On January 27, 2015, Blue Sky provided notification to major news publications in the affected areas, established a call center for customer inquiries and concerns, established free credit monitoring services with Experian for customers, and established insurance coverage for identity theft situations arising out of the data breach of up to $1 million per credit card number. Customers also were encouraged to carefully monitor their credit card statements for unauthorized transactions and were advised to cancel their credit cards and request replacement cards.

According to the Third Amended Complaint (Filing No. 33), Alonso’s credit card was replaced in January 2015, and Hardt’s credit card was replaced in June 2014. Alonso and Hardt each suffered damages as a result of Blue Sky’s inability to safeguard their personal data. Specifically, Alonso was delinquent in her automatic credit card payment to her AT&T account when her credit card was cancelled due to the data breach, and she spent over an hour of her time changing various automatic credit card payment setups. Hardt also spent over an hour of her time researching and signing up with a credit card monitoring service for which she is being charged $8.49 per month. Neither Alonso nor Hardt have alleged or offered any evidence that their credit card information was actually used, resulting in any fraudulent transactions on their accounts.

Alonso and Hardt allege that there is a class of others similarly situated who had their personal information stolen.[2] Plaintiffs describe the purported class as “[a]ll persons who live in the United States and whose personal and/or financial information was breached as a result of the Data Breach discovered by the Defendants in January 2015.” (Filing No. 33 at 8.) Plaintiffs allege that they, and the purported class members, were overcharged for their purchase of products and services at the French Lick Resort in that a portion of the purchase price was dedicated to ensuring that customers were protected and safeguarded from data breaches.

II. LEGAL STANDARD

A motion to dismiss under Rule 12(b)(1) challenges the court’s subject matter jurisdiction. The burden of proof is on the plaintiff, the party asserting jurisdiction. United Phosphorus, Ltd. v. Angus Chem. Co., 322 F.3d 942, 946 (7th Cir.2003), overruled on other grounds by Minn-Chem, Inc. v. Agrium, Inc., 683 F.3d 845 (7th Cir.2012) (en banc). “The plaintiff has the burden of supporting the jurisdictional allegations of the complaint by competent proof.” Int’l Harvester Co. v. Deere & Co., 623 F.2d 1207, 1210 (7th Cir.1980). “In deciding whether the plaintiff has carried this burden, the court must look to the state of affairs as of the filing of the complaint; a justiciable controversy must have existed at that time.” Id. “When ruling on a motion to dismiss for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1), the district court must accept as true all well-pleaded factual allegations, and draw reasonable inferences in favor of the plaintiff, unless standing is challenged as a factual matter.” Ezekiel v. Michel, 66 F.3d 894, 897 (7th Cir.1995) (citation omitted). Furthermore, “[t]he district court may properly look beyond the jurisdictional allegations of the complaint and view whatever evidence has been submitted on the issue to determine whether in fact subject matter jurisdiction exists.” Id. (citation and quotation marks omitted).

Federal Rule of Civil Procedure 12(b)(6) allows a defendant to move to dismiss a complaint that has failed to “state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). When deciding a motion to dismiss under Rule 12(b)(6), the court accepts as true all factual allegations in the complaint and draws all inferences in favor of the plaintiff. Bielanski v. County of Kane, 560 F.3d 632, 633 (7th Cir.2008).

The complaint must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). In Bell Atlantic Corp. v. Twombly, the United States Supreme Court explained that the complaint must allege facts that are “enough to raise a right to relief above the speculative level.” 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). Although “detailed factual allegations” are not required, mere “labels,” “conclusions,” or “formulaic recitation[s] of the elements of a cause of action” are insufficient. Id. “[I]t is not enough to give a threadbare recitation of the elements of a claim without factual support.” Bissessur v. Ind. Univ. Bd. of Trs., 581 F.3d 599, 603 (7th Cir.2009). The allegations must “give the defendant fair notice of what the ... claim is and the grounds upon which it rests.” Twombly, 550 U.S. at 555, 127 S.Ct. 1955. Stated differently, the complaint must include “enough facts to state a claim to relief that is plausible on its face.” Hecker v. Deere & Co., 556 F.3d 575, 580 (7th Cir.2009) (citation and quotation marks omitted). To be facially plausible, the complaint must allow “the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955).

III. DISCUSSION

Blue Sky moves to dismiss the Third Amended Complaint under Rule 12(b)(1), asserting Alonso and Hardt lack standing in that they present no allegations of a concrete and actual injury or a foreseeable concrete and actual injury that is traceable to the challenged conduct. Blue Sky also moves to dismiss under Rule 12(b)(6), alleging Alonso and Hardt fail to present a cognizable claim for their alleged injuries. The Court will address each contention in turn.

A. Dismissal Under Rule 12(b)(1)

Blue Sky argues that Plaintiffs have failed to establish Article III standing, and thus, their claims should be dismissed pursuant to Rule 12(b)(1). The standard to establish Article III standing has been articulated by the Supreme Court as follows:

First, the plaintiff must have suffered an “injury in fact”—an invasion of a legally protected interest which is (a) concrete and particularized, and (b) “actual or imminent, not ‘conjectural’ or ‘hypothetical.’” Second, there must be a causal connection between the injury and the conduct complained of—the injury has to be “fairly ... traceable to the challenged action of the defendant, and not ... the result of the independent action of some third party not before the court.” Third, it must be “likely,” as opposed to merely “speculative,” that the injury will be “redressed by a favorable decision.”

Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (citations omitted). These three elements are the “irreducible constitutional minimum of standing.” Id. at 560, 112 S.Ct. 2130. Plaintiffs have the burden to establish standing as an indispensable element of their case. Apex Digital, Inc. v. Sears Roebuck & Co., 572 F.3d 440, 443 (7th Cir.2009).

Regarding the first element of Article III standing, the Supreme Court recently has explained,

Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending. Thus, we have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient.

Clapper v. Amnesty Int’l USA, — U.S. —, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013) (citations and quotation marks omitted).

Blue Sky explains that Plaintiffs have not suffered or alleged an actual concrete injury or a certainly impending future injury that would establish standing because Alonso and Hardt fail to present any allegations that their credit card accounts ever had any fraudulent charges made on them, let alone that, if any such unauthorized charges occurred, they were not reimbursed or were cancelled by their credit card companies. Blue Sky notes that neither plaintiff alleges that her credit card information was actually obtained by the hackers’ malware. Importantly, not all resort customers who used their credit cards during the relevant time period were actually exposed to the hackers’ malware. Rather, only those transactions that were made at points of sale other than for hotel room charges are even possibly at risk. Thus, even within that subset, only some were the subject of the malware’s periodic but not constant “scraping” functions.

Blue Sky further points out that neither Alonso nor Hardt have presented any factual allegations that anyone has actually impersonated them or otherwise stolen their identities, for example, to obtain passports, driver licenses, immigration status, medical benefits, government benefits, or tax return refunds, to secure a job, or to procure housing. There are no allegations that Plaintiffs’ social security numbers were ever provided to the resort. Blue Sky reports that these numbers were never stored on the resort’s computer server at issue, thus, it would be impossible for the hackers’ malware to have even possibly stolen such information. Only names, credit card numbers, and card expiration dates were stolen from some customers. Blue Sky asserts that it is entirely implausible to suggest that identity theft or false impersonation could arise solely out of the misappropriation of a person’s credit card number.

In response, Alonso asserts that her credit card was replaced by her credit card company in January 2015. Because of the data breach, Alonso was delinquent on her AT&T account payment that was set up for an automatic payment via her credit card after her credit card company cancelled the card due to the data breach. Alonso believes that the “delinquency likely resulted in a negative trade line on her credit report(s).” (Filing No. 33 at 5.) She also spent over an hour of her time to change credit card information for various automatic payments set up through her credit card and “other related issues.”

For her claim, Hardt asserts that her credit card was replaced by her credit card company in late or early June 2014, within one month of staying at the French Lick Resort. Hardt spent over an hour of her time researching and signing up for a credit monitoring service. She is being charged $8.49 per month by her credit monitoring service and she “will have to incur this charge indefinitely as it is unknown how or when her stolen information may fraudulently be used.” (Filing No. 33 at 5.)

In further support of their claims, Plaintiffs allege that they “have had to, or could have to, incur: (1) costs associated with lost wages; (2) value of time spent in an attempt to resolve or mitigate the effects of this Data Breach, including identifying fraudulent transactions, ordering new credit cards, reduced credit limits while any fraudulent transactions are investigated; (3) costs of credit monitoring services indefinitely; and (4) stress, nuisance, and annoyance.” (Filing No. 33 at 6.)

Responding to these allegations, Blue Sky points out that Plaintiffs do not allege that they in fact have lost any wages because of the data breach, that they in fact have experienced any reduced credit limits while any fraudulent transactions were investigated, or that they in fact have had any transactions on their credit cards refused because of any reduced credit limits. They have not alleged any actual fraudulent transactions on their credit card accounts. Blue Sky further points out that no social security numbers were stolen in the data breach, eliminating any concern for identity theft.

Blue Sky further explains that Alonso alleged only one instance of a delinquent payment to AT&T; however, Alonso did not allege that AT&T actually charged her any additional fees because of this delinquency or that AT&T provided her with no grace period to address this delinquency. Blue Sky points out that, instead, Alonso speculates only that the delinquency likely resulted in a negative trade line on her credit report. But she presented no allegation that her credit worthiness was, in fact, somehow damaged by the data breach at the resort. She did not allege that her credit report was actually marred, that her credit score was actually lowered, that she was ever denied credit, or that she was ever charged a higher interest rate than she would have otherwise been charged for credit.

Regarding Hardt’s allegations, Blue Sky points out that she alleged that she spent over an hour of her time researching and signing up for a credit monitoring service, which service costs her $8.49 per month. She further alleged that she will have to keep this service in place indefinitely because it is unknown how or when her stolen information may be fraudulently used. However, Hardt admits in her allegations that her credit card was replaced by her credit card company in late or early June 2014, within one month of staying at the resort. Blue Sky explains that no fraudulent charges thus could be made on her account after that date, so there is no reason for her to continue to monitor her credit accounts because of the data breach at issue in this case. Blue Sky also argues that Hardt failed to allege why such credit monitoring expenses are even reasonable or necessary in light of the free credit monitoring services offered by Blue Sky.

Plaintiffs argue that their allegations of the data breach occurring during their stays at the resort, their time spent updating automatic payments or researching credit monitoring services, the one delinquent payment that possibly could lead to a negative credit report, and paying for additional monthly credit monitoring services are enough to establish that Plaintiffs have suffered a concrete and particularized injury or a certainly impending injury to provide them with standing. Plaintiffs cite to a recent Seventh Circuit opinion involving a data breach claim—Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir.2015)—to assert that they have standing.

In Remijas, the plaintiffs represented a class of over 9,200 individuals who had presented evidence that their credit card information actually had been stolen, and they actually had experienced fraudulent transactions on their accounts. Blue Sky points out that the important distinction in this case is that there is no evidence of actual incidents of fraudulent transactions or any evidence of non-reimbursement for fraudulent transactions. There is no evidence (or allegations) of actual fraudulent activity ever occurring, and Plaintiffs have not shown that their credit card information was in fact actually stolen. Plaintiffs’ credit cards were canceled before any fraudulent transactions occurred, and because the cards have been canceled, future risk of injury is essentially nonexistent. Thus, any future harm is highly speculative and not certainly impending. To provide additional comfort and security, Blue Sky offered credit monitoring services to its guests. Further, Plaintiffs did not allege they suffered any actual lost wages, reduced credit limits, or unavailability of credit. Plaintiffs have not suffered a concrete, particularized injury or a certainly impending injury in this case.

Regarding a future injury and protecting against such possibility, the Seventh Circuit noted that “[defendant’s] customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Id. at 693. However, such a standard is at odds with binding Supreme Court precedent governing standing, and the Supreme Court has noted as much: “As an initial matter, the Second Circuit’s ‘objectively reasonable likelihood’ standard is inconsistent with our requirement that threatened injury must be certainly impending to constitute injury in fact.” Clapper, 133 S.Ct. at 1147 (citation and quotation marks omitted). Any threat of injury must be certainly impending to support standing.

The Supreme Court declared that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending,” id. at 1161, and “they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at 1155. Hardt’s $8.49 monthly expense for indefinitely monitoring her credit report is the type of action the Supreme Court noted could not manufacture standing. Hardt’s credit card was canceled and replaced within one month of staying at the resort (before the data breach was even known), no fraudulent transactions appeared on her account, and Blue Sky offered free credit monitoring services to her. She did not face a certainly impending injury, and her self-inflicted incurred costs cannot create standing to sue Blue Sky.

Finally, the fact that Plaintiffs have filed their Third Amended Complaint as a proposed class action does not help them establish standing. As the Seventh Circuit has explained,

[A] named plaintiff cannot acquire standing to sue by bringing his action on behalf of others who suffered injury which would have afforded them standing had they been named plaintiffs; it bears repeating that a person cannot predicate standing on injury which he does not share. Standing cannot be acquired through the back door of a class action.

Payton v. County of Kane, 308 F.3d 673, 682 (7th Cir.2002) (citation and quotation marks omitted). The Supreme Court also explained that a class action, in itself, cannot establish standing.

That a suit may be a class action, however, adds nothing to the question of standing, for even named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.

Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 40 n. 20, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976) (citation and quotation marks omitted).

The Court determines that Plaintiffs lack Article III standing because they have not alleged nor suffered a concrete, particularized injury. Additionally, they cannot demonstrate that any future injury they fear is certainly impending, and they cannot manufacture standing by incurring costs in anticipation of a non-imminent harm. Because Plaintiffs lack Article III standing, dismissal is appropriate under Rule 12(b)(1).

B. Dismissal Under Rule 12(b)(6)

As an additional basis for dismissal, Blue Sky argues that Plaintiffs have failed to present any cognizable claims, and thus, their claims should be dismissed pursuant to Rule 12(b)(6). “[O]nly a complaint that states a plausible claim for relief survives a motion to dismiss.” Iqbal, 556 U.S. at 679, 129 S.Ct. 1937. This requires “more than the mere possibility of misconduct.” Id. The factual allegations must “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 127 S.Ct. 1955.

Blue Sky asserts that Plaintiffs’ factual allegations establish nothing more than a trivial annoyance that did not result in actual injury, harm, or loss, and a tenuous worry about future injury that is essentially an impossibility. Blue Sky argues that Plaintiffs’ allegations fail to present a plausible claim that rises above the level of speculation or mere possibility. Based on the Court’s discussion above concerning Plaintiffs’ standing, the Court determines that Plaintiffs have failed to show an injury that can support a plausible claim that raises a right to relief above the speculative level.

Furthermore, as Blue Sky points out, Plaintiffs’ claims are not recognized under Indiana or Kentucky law. In an Indiana case involving claims for breach of contract and negligence after a data breach and theft of personal information, the Seventh Circuit dismissed claims for damages for past and future credit monitoring services because the claims were novel and not recognized under Indiana law. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir.2007).

The court in Pisciotta considered analogous cases from Indiana and other states and then analyzed Indiana’s Disclosure of Security Breach statute (Ind. Code § 24-4.9-1 et seq.). After reviewing the statute, the court determined that “[i]t creates no private right of action against the database owner by an affected customer. It imposes no duty to compensate affected individuals for inconvenience or potential harm to credit that may follow.” Pisciotta, 499 F.3d at 637. The court then held that “[t]he narrowness of the defined duties imposed, combined with state-enforced penalties as the exclusive remedy, strongly suggest that Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id.

In Pisciotta, the Seventh Circuit also reiterated the guiding principle that “[f]ederal courts are loathe to fiddle around with state law. Though district courts may try to determine how the state courts would rule on an unclear area of state law, district courts are encouraged to dismiss actions based on novel state law claims.” Id. at 636 (quoting Insolia v. Philip Morris, Inc., 216 F.3d 596, 607 (7th Cir.2000)). In this case, the Court determines that dismissal is appropriate under Rule 12(b)(6) because it is unlikely that Indiana courts would recognize Plaintiffs’ novel state law claims in the data breach context.

Hardt’s claims arguably are brought under Kentucky law. However, her claims fare no better than Alonso’s claims under Indiana law. A federal district court in Kentucky considered the question of whether courts in Kentucky would recognize claims for the risk of future identity theft, payments for credit monitoring, and time spent monitoring credit and financial accounts. Holmes v. Countrywide Fin. Corp., 2012 WL 2873892, 2012 U.S. Dist. LEXIS 96587 (W.D.Ky. July 12, 2012). The same theories of liability asserted in this case were addressed in Holmes—unjust enrichment, breach of contract, and breach of duty of good faith and fair dealing. Id. There, the court dismissed the plaintiffs’ claims, determining that Kentucky law did not recognize such claims. Like Indiana, Kentucky has a Disclosure of Security Breach statute (KRS § 365.732). And like Indiana’s statute, Kentucky’s statute imposes only a narrow duty to provide notification to potentially affected individuals. It does not impose other affirmative duties. The Court determines that dismissal is appropriate under Rule 12(b)(6) because it is unlikely that Kentucky courts would recognize Plaintiffs’ novel state law claims in the data breach context.

Because Plaintiffs have failed to state a claim upon which relief can be granted, dismissal is appropriate under Rule 12(b)(6).[3]

IV. CONCLUSION

For the foregoing reasons, Blue Sky’s Motion to Dismiss (Filing No. 34) is GRANTED under Rules 12(b)(1) and 12(b)(6). Plaintiffs’ Third Amended Complaint is dismissed with prejudice. Final judgment will issue under separate order.

SO ORDERED.

[1] The French Lick Resort consists of two historic luxury hotels: French Lick Springs Hotel and West Baden Springs Hotel. See https://www.frenchlick.com/.

[2] Alonso filed a Motion for Class Certification (Filing No. 15), which was voluntarily withdrawn (Filing No. 29); thus, this matter has not been certified as a class action.

[3] In dicta, the Seventh Circuit commented that, in the data breach context, claims for unjust enrichment, failure to protect personal data sounding in a claim for products liability, and claims for property rights in private personal information are problematic and dubious. Remijas, 794 F.3d at 694-95.