There is also no evidence in the record that Best Buy was ever aware that it was putting Standifer's data at risk. To be sure, the Data Services SOP includes information about what to do if one client receives data from another client's device. (See id. at BB_57.) However, at most, this indicates Best Buy's general awareness that during the data transfer process data from one client's device may inadvertently end up on another client's device. It does not provide evidence that in this instance a Best Buy employee took action that he knew would likely result in Standifer's data being wrongfully transferred. As Standifer has failed to present any evidence that Best Buy or its employees were aware that they were taking action that put her data at risk, her wantonness claim fails as a matter of law. Therefore, Best Buy is entitled to summary judgment on Standifer's wantonness claim.
2. Negligence
Negligence "is the failure to do what a reasonably prudent person would have done under the same or similar circumstances, or the doing of something that a reasonably prudent person would not have done under the same or similar circumstances." Ford Motor Co. v. Burdeshaw , 661 So.2d 236, 238 (Ala. 1995) (citing Elba Wood Prods., Inc. v. Brackin , 356 So.2d 119 (Ala. 1978) ). "To establish negligence, [a] plaintiff must prove: (1) a duty to a foreseeable plaintiff; (2) breach of that duty; (3) proximate causation; and (4) damage or injury." Martin v. Arnold , 643 So.2d 564, 567 (Ala. 1994) (citing Albert v. Hsu , 602 So.2d 895, 897 (Ala. 1992) ).
Best Buy argues that there is no evidence that it had a duty to safeguard the data on Standifer's computer. In general, "every person owes every other person a duty not to hurt him." Smitherman v. McCafferty , 622 So.2d 322, 324 (Ala. 1993) (quoting Southeastern Greyhound Lines v. Callahan , 244 Ala. 449, 13 So.2d 660, 663 (1943) ). "In determining whether a duty exists in a given situation ... courts should consider a number of factors, including public policy, social considerations, and foreseeability. The key factor is whether the injury was foreseeable by the defendant." DiBiasi v. Joe Wheeler Elec. Membership Corp. , 988 So.2d 454, 461 (Ala. 2008) (quoting Patrick v. Union State Bank , 681 So.2d 1364, 1368 (Ala. 1996) ).
*1304Furthermore, "the existence of a duty is strictly a legal question." Id. at 460.
There is sufficient evidence to find that Best Buy owed Standifer a duty to exercise ordinary care in handling her data. As Standifer asserts, there is a duty to use due care in the performance of a voluntary undertaking. See Beasley v. MacDonald Engineering Co. , 287 Ala. 189, 249 So.2d 844, 846-47 (Ala. 1971). Moreover, the undisputed evidence shows that Best Buy had custody of Standifer's computer from August 15, 2015 to August 24, 2015. Even though Best Buy may not have known the exact contents of Standifer's computer files, it was particularly foreseeable that mishandling the files could cause her injury. It is common for people to include personal information on their computers or to use them to conduct work. This is presumably why Best Buy had procedures for how its employees should handle customer data. Accordingly, Best Buy owed Standifer a duty to exercise reasonable care.
Best Buy also argues that there is no evidence that it breached any duty owed Standifer, or, even if it did, that this conduct caused Standifer's damages. However, Standifer has presented circumstantial evidence from which a reasonable jury could conclude that her data was transferred to the Simpson computer as a result of negligence on the part of Best Buy. The Forensic Investigation Report revealed that Standifer's data was transferred to the Simpson computer on August 23, 2015. Best Buy does not dispute that this transfer occurred while both computers were in its custody. Standifer has also pointed to the Data Services SOP, which provides the protocols and procedures Best Buy employees should use when conducting data transfers. Those procedures indicate that Best Buy employees are supposed to use either the Mule Dock or Flash Drive to perform data transfer services. (See Doc. 49-2 at BB_48.) Despite data from Standifer's computer ending up on the Simpson computer, Best Buy has no records of Standifer's computer being hooked up to these devices for data services. A reasonable jury could conclude that Best Buy did not follow its procedures when handling Standifer's data and thus failed to exercise reasonable care. Moreover, a jury could also find that Best Buy's failure to exercise due care caused the unauthorized data transfer. After learning that data from Standifer's computer had been found on the Simpson computer, a Best Buy executive stated that "[i]t would certainly appear we had a hand in this issue." (See Doc. 49-5 at BB_28.) Based on the evidence in the record, a reasonable jury could conclude the same.
Standifer may not, however, recover emotional distress damages on her negligence claim. Under Alabama law, to show entitlement for emotional distress damages in a negligence action, a plaintiff must show that she can satisfy what is known as the zone-of-danger test City of Mobile v. Taylor , 938 So.2d 407, 410 (Ala. Civ. App. 2005) (quoting Wal-Mart Stores, Inc. v. Bowers , 752 So.2d 1201, 1203 (Ala. 1999) ). The Alabama Supreme Court recently reaffirmed this principle in Hamilton v. Scott where it stated that Alabama "has not recognized emotional distress as a compensable injury or harm in negligence actions outside the context of emotional distress resulting from actual physical injury, or, in the absence of physical injury, fear for one's own physical injury." 97 So.3d 728, 736 (Ala. 2012) (quoting AALAR, Ltd., Inc. v. Francis , 716 So.2d 1141, 1148 (Ala. 1998) ). Standifer has cited the Court to no authority to the contrary. Instead, the case she cites, Pittman v. Mast Advert. Pub., Inc. , 619 So.2d 1377, 1379 (Ala. 1993), includes no discussion about whether emotional distress damages can *1305be recovered in a negligence action absent physical injury. As Standifer has not produced any evidence that the unauthorized data transfer placed her in any physical danger, she cannot recover emotional distress damages for her negligence claims.
3. Contributory Negligence10
Under Alabama law, "a plaintiff cannot recover in a negligence suit where [the] plaintiff's own negligence is shown to have proximately contributed to his damage, notwithstanding a showing of negligence on the part of the defendant." Brown v. Piggly-Wiggly Stores , 454 So.2d 1370, 1372 (Ala. 1984) (citing Ala. Power Co. v. Scholz , 283 Ala. 232, 215 So.2d 447, 452 (1968) ). As with negligence, a plaintiff may be found to be contributorily negligent if she failed to act as a reasonably prudent person would. See H.R.H. Metals, Inc. v. Miller ex rel. Miller , 833 So.2d 18, 27 (Ala. 2002) (citing Sprouse v. Belcher Oil Co. , 577 So.2d 443, 444 (Ala. 1991) ).11
Best Buy asserts that several actions taken by Standifer contributed to her information being viewed by the Simpsons. It points to the fact that Standifer's husband was the one who originally downloaded the file that caused Standifer to take the computer to Best Buy and that the Forensic Investigation Report revealed that many of the files belonging to Best Buy's clients were stored in a folder bearing Standifer's husband's name. It also points to the undisputed evidence that Standifer was not the only individual who used this computer. Best Buy also faults Standifer for failing to research which store to take her computer to and for choosing Best Buy merely because it was open on a Saturday. Best Buy notes that Standifer knew nothing about the way it secures and transfers data and argues that Standifer never told it that her computer contained confidential or personal information. Best Buy also contends that the reason Standifer's private information and information of her clients were viewed by unauthorized third-parties was that she failed to password protect these files.
Standifer argues that she is entitled to summary judgment on Best Buy's contributory negligence defense because Best Buy has presented no evidence there was a causal connection between these actions and her alleged injury. She also contends that Best Buy has not presented any evidence that would indicate she acted negligently or had any duty to act differently than she did. Standifer's primary contention is that none of her actions led to her computer files being transferred to the Simpson computer.
*1306The Court agrees with Standifer that many of the actions Best Buy points to have no bearing on whether or not she was contributorily negligent. The fact that others within Standifer's household were able to access this computer in no way led to Standifer's files being published to the Simpson computer. There is also no evidence that by placing work files in her husband's folder Standifer made it more likely that her data would appear on the Simpson computer. Moreover, while Standifer's husband may have downloaded a virus that required Standifer to bring her computer to Best Buy, this does not suggest any negligence on the part of Standifer.
Similarly, Standifer's failure to research other stores before taking her computer to Best Buy cannot serve as the basis for a contributory negligence defense. The test is whether a plaintiff's actions "proximately contributed" to her injuries. See Brown , 454 So.2d 1370 (Ala. 1984). It does not require a plaintiff to answer for every action she took that ultimately may have led to her injury. For this same reason, any failure by Standifer to notify Best Buy of the information contained on her computer does not meet the causal connection requirement of contributory negligence. Best Buy has presented no evidence that if this notification had been made it would have taken some action to prevent Standifer's computer files from being published to the Simpson computer. Moreover, Best Buy has presented no evidence that these actions were in fact negligent.
However, a question of fact exists as to whether Standifer's failure to password protect her documents or implement other security measures constitutes contributory negligence. Although Standifer is correct in stating that there is no evidence that this made the unauthorized data transfer more likely to occur, the injury that Standifer complains of is not just that her files were transferred to the Simpson computer. She also seeks damages because these files were viewed by the Simpsons. Although Standifer has pointed to evidence that someone would have to have her login and password before being able to log onto her computer, a reasonable jury could find that Standifer's failure to password protect the individual, confidential files contributed to the Simpsons viewing those files. A reasonable jury could also find that Standifer's failure to take this additional precaution breached the standard of care. Standifer herself testified that she believes that it is a good business practice to password protect confidential client information. (See Doc. 40-2 at 12.)
Standifer also owed a duty to secure confidential information on her computer. Standifer argues that Best Buy has not demonstrated that she had this duty because it has not pointed to facts that would have allowed her to foresee that Best Buy would commit an unauthorized transfer. While a jury may find that Standifer could not have foreseen the data transfer and thus her failure to include additional security measures was reasonable, this does not go toward the element of duty. The relevant duty under the contributory negligence analysis is the duty of a plaintiff to take reasonable precautions for the safety and protection of her own person and property. See Thomas v. Earnest , 72 So.3d 580, 584-85 (Ala. 2011) (noting that passenger in automobile has a duty to exercise reasonable or ordinary care to avoid injury); Restatement (Second) of Torts § 463 (1965) ("Contributory negligence is conduct on the part of the plaintiff which falls below the standard to which [she] should conform for [her] own protection...."). It was foreseeable to Standifer that a failure to password protect her documents may lead to unwanted parties viewing them. It is for a jury to decide *1307whether the precautions that Standifer did take were reasonable and whether Standifer's actions proximately contributed to her computer files being viewed by the Simpsons. Therefore, Standifer's motion for partial summary judgment on her contributory negligence defense is due to be denied.
In its motion for summary judgment, Best Buy argues that evidence of Standifer's own negligence entitles it to summary judgment on the negligence claim. However, as discussed above, there is a genuine dispute of material fact as to whether Standifer acted negligently and whether those actions contributed to her alleged injury. Moreover, "[t]o establish contributory negligence as a matter of law, a defendant seeking summary judgment must show that the plaintiff put himself in danger's way and that the plaintiff had a conscious appreciation of the danger at the moment the incident occurred." Hannah , 840 So.2d at 860 (citing H.R.H. Metals , 833 So.2d 18 ). This is stricter than the standard given to a jury at trial. Id. at 861. There, the jury "must decide only whether the plaintiff failed to exercise reasonable care." Id.
Here, Best Buy has presented no evidence that Standifer had a conscious appreciation that her actions may have put her data and the data of her clients at risk. Although it is undisputed that Standifer did not password protect all of her files, there is nothing to suggest that Standifer subjectively thought that this could lead to the data being put at risk. Additionally, evidence that Standifer has since updated her business practices does not go toward whether she knew that her business practices at the time the data was transferred to the Simpson computer were inadequate. It is also wholly irrelevant to Best Buy's contention that Standifer was contributorily negligent as a matter of law that in May 2018 Alabama enacted a statute that businesses like Standifer's must "maintain reasonable security measures to protect sensitive personally identifying information against a breach of security." See Ala. § 8-38-3. Not only was this statute enacted well after Standifer's data was found on Simpson's computer, but it also does not establish that Standifer appreciated the risks of failing to have adequate security measures. Therefore, the Court does not find Standifer contributorily negligent as a matter of law, and Best Buy is not entitled to summary judgment on Standifer's negligence claim.
G. Damages
Standifer claims as damages: the actions she undertook to prevent her personal information from being disseminated, the extra work she has put into her business, reputational harm, and mental anguish and emotional distress. (See Doc. 48 at 29-31.) Best Buy contends that Standifer cannot recover damages for any of her alleged injuries because they are "solely the result of a perceived and speculative risk of future harm." (See Doc. 40 at 16 (quoting Shafran v. Harley-Davidson, Inc. , 07 Civ. 01365(GBD), 2008 WL 763177, at *3 (S.D.N.Y. 2008) ).)
It appears that the Alabama state courts have yet to decide the precise issue of what damages consumers may recover when there has been a data breach. However, in various tort cases, the Supreme Court of Alabama has held that "mere fear of a future injury or disease, without more, does not constitute a compensable mental or emotional injury." Crutcher v. Williams , 12 So.3d 631, 650 (Ala. 2008). Thus, Alabama law does not allow a plaintiff to recover damages if she cannot show that she has suffered actual as opposed to anticipated harm. See Laurel v. Prince , 154 So.3d 95, 100 (Ala. 2014). As Best Buy points out, in interpreting their states' adoption of this principle, several other *1308federal district courts have dismissed state-law tort claims where the alleged damages were only based on actions taken due to the fear of future identity theft. See, e.g. , Muchnik v. Sambodromo, LLC, Case No. 08-21248-CIV-LENARD/GARBER, 2009 WL 10667067, at *2 (S.D. Fla. May 18, 2009) ; Caudle v. Towers, Perrin, Forster & Crosby, Inc. , 580 F.Supp.2d 273 (S.D.N.Y. 2008) ; Melancon v. La. Office of Student Fin. Assistance , 567 F.Supp.2d 873 (E.D. La. 2008).
Ponder v. Pfizer, Inc. , 522 F.Supp.2d 793 (M.D. La. 2007), is illustrative of this line of cases. In Ponder , the private data of around 17,000 current and former Pfizer employees were exposed to outsiders in an unauthorized data breach. See id. at 794. This data included "the names, social security numbers, and in some instances, addresses and bonus information of Pfizer employees." Id. This information was exposed after an employee installed an unauthorized file-sharing software on his company laptop. Id. An investigation conducted by Pfizer revealed that certain files containing employee data had been accessed and copied by an outside third-party. See id. A former employee brought a putative class action against Pfizer, alleging that the data breach had caused them damages in the form of "fear and apprehension of fraud, loss of money, and identity theft; the burden and cost of credit monitoring; the burden and cost of closing compromised credit accounts and opening new accounts; the burden of scrutinizing credit card statements and other statements for unauthorized transactions; damage to their credit; loss of privacy and other economic damages." Id. at 795.
The district court dismissed the plaintiff's Louisiana state-law tort claim holding that his complaint failed to allege that he suffered any actual harm from the data breach. See id. at 798. The court reasoned that the fear of harm from having information exposed was similar to Louisiana cases where the state courts held that absent "a manifest physical or mental injury or disease" plaintiffs could not recover "for future medical treatment, services, surveillance, or procedures of any kind." See id. at 797 (quoting Bonnette v. Conoco, Inc. , 837 So.2d 1219, 1230 n.6 (La. 2003) ). The Court further reasoned that although the plaintiff's confidential information had been exposed that he would not suffer any actual damages until the disclosed information had been used to his detriment. See id. at 798. Thus, the Court held that the plaintiff could not recover damages for the increased time and effort he had spent monitoring his credit, scrutinizing account statements, and closing and opening accounts because all of these actions were done in the anticipation of future harm. Id.
This Court finds the reasoning of the authorities cited by Best Buy to be persuasive and concludes that some of the damages Standifer complains of are unquestionably the result of an anticipated future harm that has never manifested. This includes Standifer taking on new clients and working unbilled hours for fear that her existing clients were going to leave her and updating her business practices to ensure the confidentiality of client information. Standifer has not lost clients, received bad reviews, or had a loss in revenue as a result of the data transfer. Thus, there is no evidence that Standifer had to undertake the additional hours that she did in order to maintain the level of business that she enjoyed prior to the data transfer.
Standifer argues that her situation is distinguishable from that of the plaintiffs in the cases cited by Best Buy because she has evidence that specific information belonging to her and her clients were exposed to unauthorized third-parties. However, the only known unauthorized parties *1309to view Standifer's data were Simpson, his father, and his sister. There is no evidence that any of these individuals misused or copied any potentially confidential data that they saw. Instead, Simpson was the one who notified Standifer of the data transfer. As the efforts Standifer took to retain client confidence and secure her information were exclusively to prevent an anticipated future harm, she cannot recover damages for these efforts.
The damages Standifer alleges from the work she undertook to inform her clients of the unauthorized data transfer, to notify the State of Alabama and the IRS of a data breach, and to write letters to credit agencies for Mark English present a closer question. A reasonable jury could conclude that those actions were necessary in the wake of the unauthorized data transfer. In his affidavit, English claims that his contact information ended up on several websites and that he attributed this to the Best Buy incident. (See Doc. 49-6 at 3.) Although Best Buy correctly notes that there is no evidence that the suspicious activity on English's credit report was caused by the unauthorized data transfer, English thought that it was related and asked Standifer to write to the credit agencies. Thus, Standifer has presented sufficient evidence that the time and expense of writing those letters was a cognizable damage from the unauthorized data transfer. As Standifer has presented evidence that English "expressed frustration" about the data transfer and had second thoughts about continuing to use her business, she can also seek damages for any of her efforts to retain his particular business.
The same is true for the time and expense Standifer took to write the letter informing her clients about the data transfer. Standifer did not write those letters only in anticipation of future harm, but instead, she also wrote them to inform her clients that the Simpsons had viewed files from her computer. Moreover, as there is evidence that the data breach caused unauthorized third parties to view Standifer's personal information, it is at least arguable that filling out an affidavit with the IRS and the State of Alabama was necessary. Thus, a jury should decide if Standifer can recover damages for these efforts.
Further, Standifer may recover emotional distress damages unrelated to her fear of potential future harm. Under Alabama law, mental anguish damages are recoverable for both fraud and conversion actions. See Ford Motor Co. v. Burkett , 494 So.2d 416, 418 (Ala. 1986) ; Williford v. Emerton , 935 So.2d 1150, 1155 (Ala. 2004). Standifer has presented evidence that she was embarrassed because Simpson was able to access the personal information that she stored on her computer and in fact viewed some of her files. Any embarrassment Standifer suffered due to private information that Simpson actually viewed, could be considered a direct result of the unauthorized data transfer. This is true even though Simpson viewed some of this information while showing Standifer what all was found on his father's computer.
Contrary to Best Buy's assertion, Standifer does not need expert medical testimony to prove these damages. "Under Alabama law, the presence of physical injury or physical symptoms is not a prerequisite for a claim for damages for mental anguish." Kmart Corp. v. Kyles , 723 So.2d 572, 578 (Ala. 1998). "The plaintiff is only required to present some evidence of mental anguish, and once the plaintiff has done so, the question of damages for mental anguish is for the jury." Id. (quoting Ala. Power Co. v. Harmon , 483 So.2d 386 (Ala. 1986) ). Here, Standifer has testified as to how the data transfer affected her mental state. She has also submitted affidavits from both her sister *1310and friend discussing their observations about the data transfer's effects on Standifer. Thus, although at trial, without expert medical testimony, Standifer may be precluded from presenting evidence that the data transfer caused her to suffer from a particular medical condition, this does not necessarily mean that she is foreclosed from recovering any emotional distress damages.
In sum, while several damages claimed by Standifer are not legally cognizable, she has presented sufficient evidence that other categories of damages are not the result of fear of future harm. Therefore, Standifer's remaining claims are not due to be dismissed for lack of damages.
IV. CONCLUSION
For the reasons stated above, Standifer's motion for partial summary judgment (doc. 37) is due to be GRANTED in PART and DENIED in PART and Best Buy's motion for summary judgment (doc. 39) is also due to be GRANTED in PART and DENIED in PART. An order consistent with this opinion will be entered contemporaneously herewith.
DONE and ORDERED on January 30, 2019.
Unlike with other portions of this Opinion, when considering Standifer's motion for summary judgment on Best Buy's contributory negligence defense, the Court considers the evidence in the light most favorable to Best Buy. See Mize v. Jefferson City Bd. of Educ. , 93 F.3d 739, 742 (11th Cir. 1996).
In the past, Alabama courts have held "[t]he three essential elements of contributory negligence are knowledge of the condition, appreciation of the danger, and failure to exercise reasonable care with such knowledge and appreciation of the danger." See Mitchell v. Torrence Cablevision USA, Inc. , 806 So.2d 1254, 1257 (Ala. Civ. App. 2000) (citing Wallace v. Ala. Power Co. , 497 So.2d 450, 457 (Ala. 1986) ). This would appear to conflate the subjective standard of an assumption of the risk defense with the objective standard traditionally associated with contributory negligence. However, the Alabama Supreme Court has since clarified that this subjective standard should only be applied when considering whether a plaintiff was contributorily negligent as a matter of law. See Horn v. Fadal Machining Ctrs., LLC , 972 So.2d 63, 75 (Ala. 2007) (citing Hannah v. Gregg, Bland & Berry, Inc. , 840 So.2d 839, 860-61 (Ala. 2002) ); see also Bielski v. Alfred Saliba Corp. , 984 F.Supp.2d 1170, 1176 (M.D. Ala. 2013). When considering Standifer's motion for summary judgment, the Court will apply an objective standard.