Case: 11-13694 Date Filed: 09/05/2012 Page: 1 of 30
[PUBLISH]
IN THE UNITED STATES COURT OF APPEALS
FOR THE ELEVENTH CIRCUIT
________________________
No. 11-13694
________________________
D.C. Docket No. 1:10-cv-24513-JLK
JEAN RESNICK, et al.,
Plaintiffs,
JUANA CURRY,
WILLIAM MOORE,
Plaintiffs - Appellants,
versus
AVMED, INC.,
a Florida corporation,
Defendant - Appellee.
________________________
Appeal from the United States District Court
for the Southern District of Florida
________________________
(September 5, 2012)
Before WILSON, PRYOR and MARTIN, Circuit Judges.
Case: 11-13694 Date Filed: 09/05/2012 Page: 2 of 30
WILSON, Circuit Judge:
Juana Curry and William Moore (collectively “Plaintiffs”) appeal the district
court’s dismissal of their Second Amended Complaint (“Complaint”) for failure to
state a claim upon which relief may be granted. The district court held that among
its other deficiencies, the Complaint failed to state a cognizable injury. We find
that the complaint states a cognizable injury for the purposes of standing and as a
necessary element of injury in Plaintiffs’ Florida law claims. We also conclude
that the Complaint sufficiently alleges the causation element of negligence,
negligence per se, breach of contract, breach of implied contract, breach of the
implied covenant of good faith and fair dealing, and breach of fiduciary duty under
Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S. Ct. 1955 (2007), and
Ashcroft v. Iqbal, 556 U.S. 662, 129 S. Ct. 1937 (2009). The Complaint similarly
alleges facts sufficient to withstand a motion to dismiss on the restitution/unjust
enrichment claim. However, the Complaint fails to allege entitlement to relief
under Florida law for the claims of negligence per se and breach of the implied
covenant of good faith and fair dealing. We therefore reverse in part, affirm in
part, and remand the case to the district court for further proceedings.
I
We state the facts as alleged in the Complaint, accept them as true, and
2
Case: 11-13694 Date Filed: 09/05/2012 Page: 3 of 30
construe them in the light most favorable to Plaintiffs. Lanfear v. Home Depot,
Inc., 679 F.3d 1267, 1271 n.4 (11th Cir. 2012). AvMed, Inc. is a Florida
corporation that delivers health care services through health plans and government-
sponsored managed-care plans. AvMed has a corporate office in Gainesville,
Florida, and in December 2009, two laptop computers were stolen from that office.
Those laptops contained AvMed customers’ sensitive information, which included
protected health information, Social Security numbers, names, addresses, and
phone numbers. AvMed did not take care to secure these laptops, so when they
were stolen the information was readily accessible. The laptops were sold to an
individual with a history of dealing in stolen property. The unencrypted laptops
contained the sensitive information of approximately 1.2 million current and
former AvMed members.
The laptops contained personal information of Juana Curry and William
Moore. Plaintiffs are careful in guarding their sensitive information and had never
been victims of identity theft before the laptops were stolen. Curry guards physical
documents that contain her sensitive information and avoids storing or sharing her
sensitive information digitally. Similarly, Moore guards physical documents that
contain his sensitive information and is careful in the digital transmission of this
information.
3
Case: 11-13694 Date Filed: 09/05/2012 Page: 4 of 30
Notwithstanding their care, Plaintiffs have both become victims of identity
theft. Curry’s sensitive information was used by an unknown third party in
October 2010—ten months after the laptop theft. Bank of America accounts were
opened in Curry’s name, credit cards were activated, and the cards were used to
make unauthorized purchases. Curry’s home address was also changed with the
U.S. Postal Service. Moore’s sensitive information was used by an unknown third
party in February 2011—fourteen months after the laptop theft. At that time, an
account was opened in Moore’s name with E*Trade Financial, and in April 2011,
Moore was notified that the account had been overdrawn.
II
In November 2010, five named plaintiffs seeking to represent the class of
individuals whose information was stored on the unsecured laptops filed this case
in Florida state court, captioned Jean Resnick et al. v. AvMed, Inc. AvMed
removed the case to federal court pursuant to the Class Action Fairness Act of
2005, 28 U.S.C. § 1332(d) and filed a motion to dismiss for failure to state a claim.
See Fed. R. Civ. P. 12(b)(6). The initial plaintiffs then amended their complaint to
address the identified deficiencies and filed a new complaint. The First Amended
Complaint added Curry as a named plaintiff. AvMed again filed a motion to
dismiss under Rule 12(b)(6), which the district court granted without prejudice on
4
Case: 11-13694 Date Filed: 09/05/2012 Page: 5 of 30
the ground that the plaintiffs failed to state a cognizable injury. Specifically, the
district court reasoned that the plaintiffs sought to “predicate recovery upon a mere
specter of injury: a heightened likelihood of identity theft.” The court explicitly
declined to analyze whether the plaintiffs’ complaint failed to allege a cognizable
injury for the purposes of standing, see Lujan v. Defenders of Wildlife, 504 U.S.
555, 122 S. Ct. 2130 (1992), or under state law, see Pisciotta v. Old National
Bancorp, 499 F.3d 629 (7th Cir. 2007). The court found that to the extent the
plaintiffs alleged actual identity theft, they failed to satisfy the pleading standards
established by the Supreme Court in Twombly. Plaintiffs then filed a Second
Amended Complaint—the Complaint at issue in this appeal—in which they added
Moore and dropped the original five named plaintiffs who did not allege actual
identity theft.
In the Complaint at issue, Plaintiffs seek to represent the class of AvMed
customers whose sensitive information was stored on the stolen laptops and a
subclass of individuals whose identities have been stolen since the laptop theft.
Plaintiffs brought seven counts against AvMed under Florida law. Plaintiffs allege
that AvMed was negligent in protecting their sensitive information and negligent
per se when it violated section 695.3025 of the Florida Statutes, which protects
medical information. Plaintiffs also allege that AvMed breached its contract with
5
Case: 11-13694 Date Filed: 09/05/2012 Page: 6 of 30
Plaintiffs, and alternatively that AvMed breached its implied contract with
Plaintiffs. In the alternative to the breach of contract claim, Plaintiffs also allege a
claim for restitution/unjust enrichment. Finally, Plaintiffs allege that AvMed
breached the implied covenant of good faith and fair dealing, and that AvMed
breached the fiduciary duty it owed to Plaintiffs.
AvMed filed a motion to dismiss the Complaint for failure to state a claim,
and the district court granted the motion, stating only that “[a]mong its other
deficiencies, Plaintiffs’ Second Amended Complaint again fails to allege any
cognizable injuiry.” Plaintiffs appeal.
III
Prior to making an adjudication on the merits, we must assure ourselves that
we have jurisdiction to hear the case before us. Anago v. Shaz, 677 F.3d 1272,
1275 (11th Cir. 2012) (citing Arbaugh v. Y&H Corp., 546 U.S. 500, 514, 126 S. Ct.
1235, 1244 (2006)). Litigants must show that their claim presents the court with a
case or controversy under the Constitution and meets the “irreducible
constitutional minimum of standing.” Lujan, 504 U.S. at 560, 112 S. Ct. at 2136.
To fulfill this requirement, a plaintiff must show that:
(1) it has suffered an “injury in fact” that is (a) concrete and
particularized and (b) actual or imminent, not conjectural or
hypothetical; (2) the injury is fairly traceable to the challenged action
of the defendant; and (3) it is likely, as opposed to merely speculative,
6
Case: 11-13694 Date Filed: 09/05/2012 Page: 7 of 30
that the injury will be redressed by a favorable decision.
Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–
81, 120 S. Ct. 693, 704 (2000). “At the pleading stage, general factual allegations
of injury resulting from the defendant’s conduct may suffice” to establish standing.
Lujan, 504 U.S. at 561, 112 S. Ct. at 2137.
Whether a party claiming actual identity theft resulting from a data breach
has standing to bring suit is an issue of first impression in this Circuit. Plaintiffs
allege that they have become victims of identity theft and have suffered monetary
damages as a result. This constitutes an injury in fact under the law. 1 Via Mat
Int’l S. Am. Ltd. v. United States, 446 F.3d 1258, 1263 (11th Cir. 2006) (finding
economic harm sufficient to create standing); see also Lambert v. Hartman, 517
F.3d 433, 437 (6th Cir. 2006).
We must next determine whether Plaintiffs’ injury is fairly traceable to
AvMed’s actions. A showing that an injury is “fairly traceable” requires less than
a showing of “proximate cause.” Focus on the Family v. Pinellas Suncoast Transit
Auth., 344 F.3d 1263, 1273 (11th Cir. 2003). Even a showing that a plaintiff’s
1
Some of our sister Circuits have found that even the threat of future identity theft is
sufficient to confer standing in similar circumstances. Krottner v. Starbucks Corp., 628 F.3d
1139, 1142–43 (9th Cir. 2010) (finding an injury in fact where plaintiffs alleged a data breach
and threat of identity theft, but no actual identity theft); Pisciotta v. Old Nat’l Bancorp, 499 F.3d
629, 634 (7th Cir. 2007) (same). As Plaintiffs have alleged only actual—not speculative—
identity theft, we need not address the issue of whether speculative identity theft would be
sufficient to confer standing.
7
Case: 11-13694 Date Filed: 09/05/2012 Page: 8 of 30
injury is indirectly caused by a defendant’s actions satisfies the fairly traceable
requirement. Id. Plaintiffs allege that AvMed failed to secure their information on
company laptops, and that those laptops were subsequently stolen. Despite
Plaintiffs’ personal habits of securing their sensitive information, Plaintiffs became
the victims of identity theft after the unencrypted laptops containing their sensitive
information were stolen. For purposes of standing, these allegations are sufficient
to “fairly trace” their injury to AvMed’s failures.
Finally, Plaintiffs must show that a favorable resolution of the case in their
favor could redress their alleged injuries. Friends of the Earth, Inc., 528 U.S. at
180–81, 120 S. Ct. at 704. Plaintiffs allege a monetary injury and an award of
compensatory damages would redress that injury. Plaintiffs have alleged sufficient
facts to confer standing, and we now turn to the merits of their appeal.
IV
We review a district court’s dismissal of a complaint for failure to state a
claim upon which relief may be granted de novo. Spain v. Brown & Williamson
Tobacco Corp., 363 F.3d 1183, 1187 (11th Cir. 2004).
V
AvMed contends that the Complaint fails to allege a cognizable injury under
Florida law and that the Complaint fails to allege facts sufficient to establish
8
Case: 11-13694 Date Filed: 09/05/2012 Page: 9 of 30
causation under the federal pleading standards. We address each argument in turn.
A
AvMed contends that Plaintiffs’ injuries are not cognizable under Florida
law because the Complaint alleges only “losses,” not “unreimbursed losses.” This
is a specious argument. On a motion to dismiss, we review the pleadings and draw
“reasonable inference[s]” from the facts alleged. Iqbal, 556 U.S. at 678, 129 S. Ct.
at 1949. Under the notice-pleading standard, we no longer require the hyper-
technical code pleadings of ages past, see id. at 678–79, 129 S. Ct. at 1950, and we
“draw on [our] judicial experience and common sense” when construing the
allegations in a complaint, id. at 679, 129 S. Ct. at 1950.
The Complaint specifically alleges that both Curry and Moore suffered
financial injury (D.E. 31 ¶¶ 47, 48, 49, 51, 63, 66); monetary loss is cognizable
under Florida law for damages in contract, quasi-contract, negligence, and breach
of fiduciary duty. See, e.g., Capitol Envtl. Servs., Inc. v. Earth Tech, Inc., 25 So.
3d 593 (Fla. Dist. Ct. App. 2009) (contract); Young v. Becker & Poliakoff, P.A., 88
So. 3d 1002, 1006, 1008 (Fla. Dist. Ct. App. 2012) (fiduciary duty). Plaintiffs
have therefore alleged a cognizable injury under Florida law.
B
At the pleading stage, a complaint must contain a “short and plain statement
9
Case: 11-13694 Date Filed: 09/05/2012 Page: 10 of 30
of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2).
Plaintiffs must plead all facts establishing an entitlement to relief with more than
“labels and conclusions” or “a formulaic recitation of the elements of a cause of
action.” Twombly, 550 U.S. at 555, 127 S. Ct. at 1965. The complaint must
contain enough facts to make a claim for relief plausible on its face; a party must
plead “factual content that allows the court to draw the reasonable inference that
the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678, 129 S.
Ct. at 1949 (citing Twombly, 556 U.S. at 570, 127 S. Ct. at 1965).
Following the approach suggested by the Supreme Court in Iqbal, we begin
our analysis by identifying “pleadings that, because they are no more than
conclusions, are not entitled to the assumption of truth.” 556 U.S. at 680, 129 S.
Ct. at 1950. We then turn to the “well-pleaded factual allegations” and, assuming
their veracity, “determine whether they plausibly give rise to an entitlement to
relief.” Id.
First, we determine what must be pled for each cause of action. Plaintiffs
brought seven counts against AvMed, all under Florida law. Of the seven causes
of action alleged, Florida law requires a plaintiff to show that the defendant’s
challenged action caused the plaintiff’s harm in six of them: negligence,
negligence per se, breach of fiduciary duty, breach of contract, breach of contract
10
Case: 11-13694 Date Filed: 09/05/2012 Page: 11 of 30
implied in fact, 2 and breach of the implied covenant of good faith and fair dealing.
A negligence claim requires a plaintiff to show that (1) defendants owe plaintiffs a
duty, (2) defendants breached the duty, (3) defendants’ breach injured plaintiffs,
and “(4) [plaintiffs’] damage [was] caused by the injury to the plaintiff as a result
of the defendant’s breach of duty.” Delgado v. Laundromax, Inc., 65 So. 3d 1087,
1089 (Fla. Dist. Ct. App. 2011) (emphasis added). Similarly, under Florida law, an
action for negligence per se requires a plaintiff to show “violation of a statute
which establishes a duty to take precautions to protect a particular class of persons
from a particularly injury or type of injury.” Davis v. Otis Elevator Co., 515 So.
2d 277, 278 (Fla. Dist. Ct. App. 1987) (citing de Jesus v. Seaboard Coast Line
R.R., 281 So. 2d 198, 200–01 (Fla. 1973)). As part of this showing, plaintiffs must
establish “that the violation of the statute was the proximate cause of [their]
injury.” de Jesus, 281 So. 2d at 201 (emphasis added). The elements of a cause of
action for breach of fiduciary duty in Florida include “damages flowing from the
breach.” Crusselle v. Mong, 59 So. 3d 1178, 1181 (Fla. Dist. Ct. App. 2011).
2
Plaintiffs do not specify whether they intend to bring an action for breach of contract
implied in law or impilied in fact. The Complaint suggests that they intend to allege a contract
implied in fact, and we analyze it as such. See D.E. 31 ¶¶ 118–119 (“In order to benefit from
Defendant’s healthcare plan, Plaintiffs . . . disclosed Sensitive Information . . . . By providing
that Sensitive Information and upon Defendant’s acceptance of such information, Plaintiffs . . .
and Defendant . . . entered into implied contracts . . . .”). To the extent Plaintiffs allege a
contract implied in law, such contracts must be pled in the same way as unjust enrichment
claims, discussed infra. See Hull & Co. v. Thomas, 834 So. 2d 904, 906–07 (Fla. Dist. Ct. App.
2003).
11
Case: 11-13694 Date Filed: 09/05/2012 Page: 12 of 30
The contract claims also require a showing of causation. In Florida, a breach
of contract claim requires a party to show that damages resulted from the breach.
Rollins, Inc. v. Butland, 951 So. 2d 860, 876 (Fla. Dist. Ct. App. 2006). Florida
courts use breach of contract analysis to evaluate claims of breach of contract
implied in fact 3 and breach of the covenant of good faith and fair dealing. See
Baron v. Osman, 39 So. 3d 449, 451 (Fla. Dist. Ct. App. 2010) (per curiam)
(contract implied in fact); Hospital Corp. of Am. v. Fla. Med. Ctr., Inc., 710 So. 2d
573, 575 (Fla. Dist. Ct. App. 1998) (per curiam) (implied covenant of good faith
and fair dealing).
In discussing causation, Plaintiffs allege that “AvMed’s data breach caused
[Plaintiffs’] identity theft,” that the facts Plaintiffs allege have “sufficiently shown
that the data breach caused [the] identity theft,” and that “but for AvMed’s data
breach, [Plaintiffs’] identit[ies] would not have been stolen.” Although at this
stage in the proceedings we accept plaintiffs’ allegations as true, we are not bound
to extend the same assumption of truth to plaintiffs’ conclusions of law. Twombly,
550 U.S. at 555, 127 S. Ct. at 1965; see also Iqbal, 556 U.S. at 678, 129 S. Ct. at
1950. These claims state merely that AvMed was the cause of the identity theft—a
conclusion we are not bound to accept as true.
3
In Florida, whether a contract is implied in fact is “inferred from the facts and
circumstances of the case.” Eskra v. Provident Life & Accident Ins. Co., 125 F.3d 1406, 1413
(11th Cir. 1997).
12
Case: 11-13694 Date Filed: 09/05/2012 Page: 13 of 30
We now consider the well-pleaded factual allegations relating to causation to
determine whether they “plausibly suggest an entitlement to relief.” Iqbal, 556
U.S. at 681, 129 S. Ct. at 1951. The complaint alleges that, prior to the data
breach, neither Curry nor Moore had ever had their identities stolen or their
sensitive information “compromised in any way.” It further alleges that “Curry
took substantial precautions to protect herself from identity theft,” including not
transmitting sensitive information over the Internet or any unsecured source; not
storing her sensitive information on a computer or media device; storing sensitive
information in a “safe and secure physical location;” and destroying “documents
she receives in the mail that may contain any of her sensitive information, or that
contain any information that could otherwise be used to steal her identity, such as
credit card offers.” Similarly, Moore alleges in the complaint that he “took
substantial precautions to protect himself from identity theft,” including not
transmitting unencrypted sensitive information over the internet or any other
source, storing documents containing sensitive information “in a safe and secure
physical location and destroy[ing] any documents he receives in the mail” that
include either sensitive information or information that “could otherwise be used to
steal his identity.” Plaintiffs became victims of identity theft for the first time in
their lives ten and fourteen months after the laptops containing their sensitive
13
Case: 11-13694 Date Filed: 09/05/2012 Page: 14 of 30
information were stolen. Curry’s sensitive information was used to open a Bank of
America account and change her address with the United States Post Office, and
Moore’s sensitive information was used to open an E*Trade Financial account in
his name.
Our task is to determine whether the pleadings contain “sufficient factual
matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’”
Iqbal, 556 U.S. at 681, 129 S. Ct. at 1949 (quoting Twombly, 550 U.S. at 570, 127
S. Ct. at 1966.) A claim is facially plausible when the court can draw “the
reasonable inference that the defendant is liable for the misconduct alleged” from
the pled facts. Id. Taken as true, these factual allegations are consistent with
Plaintiffs’ conclusion that AvMed’s failure to secure Plaintiffs’ information caused
them to become victims of identity theft. After thorough consideration, we
conclude that the allegations are sufficient to cross the line from merely possible to
plausible. See id.
Generally, to prove that a data breach caused identity theft, the pleadings
must include allegations of a nexus between the two instances beyond allegations
of time and sequence. In an unpublished opinion on summary judgment, the Ninth
Circuit found that a plaintiff sufficiently showed a causal relationship where “(1)
[plaintiff] gave [the defendant] his personal information; (2) the identity fraud
14
Case: 11-13694 Date Filed: 09/05/2012 Page: 15 of 30
incidents began six weeks after the hard drives containing [defendant’s] customers’
personal information were stolen; and (3) [plaintiff had] previously not suffered
any such incidents of identity theft.” Stollenwerk v. Tri-West Health Care
Alliance, 254 F. App’x 664, 667 (9th Cir. 2007) (emphasis added). There, the
court stated that these three facts, in conjunction with the inference a jury could
make that the type of information stolen was the same type of information needed
to open the fraudulent accounts, were sufficient to defeat a motion for summary
judgment brought on the basis of a failure to establish causation. Id. at 667–68.
Even with this close connection in time, the court recognized that allegations only
of time and sequence are not enough to establish causation: “purely temporal
connections are often insufficient to establish causation. . . . [H]owever, proximate
cause is supported not only by the temporal[] but also by the logical[] relationship
between the two events.” Id. at 668 (citation omitted).
Plaintiffs in the present case have pled facts indicating causation similar to
those pled in Stollenwerk, but the inferential leap they ask us to make from the
initial data breach to the stolen identities includes a time span more than six times
greater than the one in Stollenwerk. Rather than a six-week gap between the initial
data breach and the identity theft, Plaintiffs here allege gaps of ten and fourteen
months between the two events. As the Stollenwerk court stated, a mere temporal
15
Case: 11-13694 Date Filed: 09/05/2012 Page: 16 of 30
connection is not sufficient; Plaintiffs’ pleadings must indicate a logical connection
between the two incidents. Here, Plaintiffs allege a nexus between the two events
that includes more than a coincidence of time and sequence: they allege that the
sensitive information on the stolen laptop was the same sensitive information used
to steal Plaintiffs’ identity. (D.E. 31 ¶¶ 2, 41, 46, 61.) Plaintiffs explicitly make
this connection when they allege that Curry’s identity was stolen by changing her
address and that Moore’s identity was stolen by opening an E*Trade Financial
account in his name because in both of those allegations, Plaintiffs state that the
identity thief used Plaintiffs’ sensitive information. (D.E. 31 ¶¶ 46, 61) We
understand Plaintiffs to make a similar allegation regarding the bank accounts
opened in Curry’s name even though they do not plead precisely that Curry’s
sensitive information was used to open the Bank of America account. The
Complaint states that Curry’s sensitive information was on the unencrypted stolen
laptop (Id. ¶ 7), that her identity was stolen, and that the stolen identity was used to
open unauthorized accounts (Id. ¶ 44). Considering the Complaint as a whole and
applying common sense to our understanding of this allegation, we find that
Plaintiffs allege that the same sensitive information that was stored on the stolen
laptops was used to open the Bank of America account.4 Thus, Plaintiffs’
4
Our interpretation of the Complaint is reasonable when considering the allegation
16
Case: 11-13694 Date Filed: 09/05/2012 Page: 17 of 30
allegations that the data breach caused their identities to be stolen move from the
realm of the possible into the plausible. Had Plaintiffs alleged fewer facts, we
doubt whether the Complaint could have survived a motion to dismiss. However,
Plaintiffs have sufficiently alleged a nexus between the data theft and the identity
theft and therefore meet the federal pleading standards. Because their contention
that the data breach caused the identity theft is plausible under the facts pled,
Plaintiffs meet the pleading standards for their allegations on the counts of
negligence, negligence per se, breach of fiduciary duty, breach of contract, breach
of implied contract, and breach of the implied covenant of good faith and fair
dealing.
C
Plaintiffs’ unjust enrichment claim does not have a causation element, so we
analyze the sufficiency of the Complaint on that claim separately. In the
Complaint, Plaintiffs allege that AvMed cannot equitably retain their monthly
insurance premiums—part of which were intended to pay for the administrative
costs of data security—because AvMed did not properly secure Plaintiffs’ data, as
evinced from the fact that the stolen laptop containing sensitive information was
contained two paragraphs later in paragraph 46, “Curry’s sensitive information was also used to
change her home address with the U.S. Postal Service.” Use of the word “also” indicates that
Plaintiffs intended the allegation made in paragraph 44, that “Curry’s identity was stolen and . . .
used” to mean that Curry’s sensitive information was stolen and used.
17
Case: 11-13694 Date Filed: 09/05/2012 Page: 18 of 30
unencrypted. AvMed argues that the district court correctly dismissed the
Complaint because Plaintiffs’ alleged injuries are not cognizable under the law and
because Plaintiffs paid AvMed not for data security but for health insurance.
To establish a cause of action for unjust enrichment/restitution, a Plaintiff
must show that “1) the plaintiff has conferred a benefit on the defendant; 2) the
defendant has knowledge of the benefit; 3) the defendant has accepted or retained
the benefit conferred; and 4) the circumstances are such that it would be
inequitable for the defendant to retain the benefit without paying fair value for it.”
Della Ratta v. Della Ratta, 927 So. 2d 1055, 1059 (Fla. Dist. Ct. App. 2006).
Plaintiffs allege that they conferred a monetary benefit on AvMed in the
form of monthly premiums, that AvMed “appreciates or has knowledge of such
benefit,” that AvMed uses the premiums to “pay for the administrative costs of
data management and security,” and that AvMed “should not be permitted to retain
the money belonging to Plaintiffs . . . because [AvMed] failed to implement the
data management and security measures that are mandated by industry standards.”
Plaintiffs also allege that AvMed either failed to implement or inadequately
implemented policies to secure sensitive information, as can be seen from the data
breach. Accepting these allegations as true, we find that Plaintiffs alleged
sufficient facts to allow this claim to survive a motion to dismiss.
18
Case: 11-13694 Date Filed: 09/05/2012 Page: 19 of 30
VI
AvMed argues that we can affirm the district court because the Complaint
fails to allege an entitlement to relief under Florida law on each count. On review,
we find that two of the pled causes of action do not allow Plaintiffs to recover
under Florida law. We address only the two claims that fail: negligence per se, and
breach of the covenant of good faith and fair dealing.
A
Plaintiffs allege that AvMed was negligent per se when it violated section
395.3025 of the Florida Statutes by disclosing “Plaintiffs’ health information
without authorization.” Plaintiffs state that this statute was enacted “to protect the
confidentiality of medical information of Florida residents . . . and expressly
provides that a person’s medical information must not be disclosed without his or
her consent.” Plaintiffs contend that they are a part of the class of people the
statute sought to protect and that the harm they suffered was the type of harm the
statute sought to avoid, thereby concluding that AvMed was negligent per se.
Florida Statute section 395.3025(4) states that “[p]atient records are
confidential and must not be disclosed without the consent of the patient.” This
statute is contained in a chapter regulating the licensure, development,
establishment, and minimum standard enforcement of hospitals, ambulatory
19
Case: 11-13694 Date Filed: 09/05/2012 Page: 20 of 30
surgical centers, and mobile surgical facilities. Fla. Stat. § 395.001. Because
AvMed is an integrated managed-care organization and not a hospital, ambulatory
surgical center, or mobile surgical facility, AvMed is not subject to this statute.
See Hendley v. State, 58 So. 3d 296, 298 (Fla. Dist. Ct. App. 2011) (finding that
Fla. Stat. § 395.3025 only applies to licensed facilities defined in § 395.002(16)
and not to pharmacies). Section 395.3025 does not purport to regulate AvMed’s
behavior, and so AvMed’s failure to comply with the statute cannot serve as a basis
for a negligence per se claim.
B
While “every contract contains an implied covenant of good faith and fair
dealing” under Florida law, a breach of this covenant—standing alone—does not
create an independent cause of action. Centurion Air Cargo, Inc. v. United Parcel
Serv. Co., 420 F.3d 1146, 1151 (11th Cir. 2005). The duty of good faith must
“relate to the performance of an express term of the contract and is not an abstract
and independent term of a contract which may be asserted as a source of breach
when all other terms have been performed pursuant to the contract requirements.”
Ins. Concepts & Design, Inc. v. Healthplan Servs., Inc., 785 So. 2d 1232, 1235
(Fla. Dist. Ct. App. 2001) (per curiam) (emphasis omitted) (quoting Hospital Corp.
of Am. v. Fla. Med. Center, Inc., 710 So. 2d 573, 575 (Fla. Dist. Ct. App. 1998)).
20
Case: 11-13694 Date Filed: 09/05/2012 Page: 21 of 30
A claimant asserting a cause of action for breach of the implied covenant must
allege “a failure or refusal to discharge contractual responsibilities, prompted not
by an honest mistake, bad judgment or negligence; but, rather by a conscious and
deliberate act, which unfairly frustrates the agreed common purpose and
disappoints the reasonable expectations of the other party.” Tiara Condo. Ass’n,
Inc. v. Marsh & McLennan Cos., Inc., 607 F.3d 742, 747 (11th Cir. 2010)
(applying Florida law) (quoting Shibata v. Lim, 133 F. Supp. 2d 1311, 1319 (M.D.
Fla. 2000)).
Plaintiffs here allege that AvMed breached the express provision of the
service contract, which required AvMed to “ensure the ‘confidentiality of
information about members’ medical health condition being maintained by the
Plan and the right to approve or refuse the release of member specific information
including medical records, by AvMed, except when the release is required by
law.’” However, Plaintiffs do not allege that AvMed’s failures to secure their data
resulted from a “conscious and deliberate act, which unfairly frustrates the agreed
common purpose” as required under Florida law. Id.
From the language used in the Complaint—that AvMed “did not honor” its
obligations and that it “failed to safeguard[,] . . . fail[ed] to promptly and
sufficiently notify[,] . . . [and] fail[ed] to fully comply with the proscriptions of
21
Case: 11-13694 Date Filed: 09/05/2012 Page: 22 of 30
applicable statutory law”—we do not understand Plaintiffs to allege that AvMed’s
shortcomings were conscious acts to frustrate the common purpose of the
agreement. We find therefore that AvMed failed to meet the pleading standard in
this claim as well.
VII
In this digital age, our personal information is increasingly becoming
susceptible to attack. People with nefarious interests are taking advantage of the
plethora of opportunities to gain access to our private information and use it in
ways that cause real harm. Even though the perpetrators of these crimes often
remain unidentified and the victims are left to clean up the damage caused by these
identity thieves, cases brought by these victims are subject to the same pleading
standards as are plaintiffs in all civil suits. Here, Plaintiffs have pled a cognizable
injury and have pled sufficient facts to allow for a plausible inference that
AvMed’s failures in securing their data resulted in their identities being stolen.
They have shown a sufficient nexus between the data breach and the identity theft
beyond allegations of time and sequence. However, the Complaint fails to
sufficiently allege an entitlement to relief under Florida law on the allegations of
negligence per se and breach of the implied covenant of good faith and fair
dealing. We therefore affirm in part, reverse in part, and remand to the district
22
Case: 11-13694 Date Filed: 09/05/2012 Page: 23 of 30
court for further proceedings.
AFFIRMED IN PART, REVERSED IN PART, AND REMANDED.
23
Case: 11-13694 Date Filed: 09/05/2012 Page: 24 of 30
PRYOR, Circuit Judge, dissenting:
I agree with the majority opinion that Curry and Moore have standing to sue,
but Curry and Moore’s complaint should be dismissed for failure to state a claim.
Their complaint fails to allege a plausible basis for finding that AvMed caused
them to suffer identity theft, and their claim of unjust enrichment fails as a matter
of law.
Because of the paucity of well-pleaded facts about the cause of the identity
thefts, the majority opinion “doubt[s] whether the Complaint could have survived a
motion to dismiss” if Curry and Moore had “alleged fewer facts,” Majority
Opinion at 17, but Curry and Moore’s threadbare allegations about causation fail to
“nudge[] [the] claims” relating to identity theft “across the line from conceivable to
plausible,” Ashcroft v. Iqbal, 556 U.S. 662, 680, 129 S. Ct. 1937, 1951 (2009)
(quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S. Ct. 1955, 1974
(2007)) (internal quotation marks omitted). “To survive a motion to dismiss, a
complaint must contain sufficient factual matter, accepted as true, to ‘state a claim
to relief that is plausible on its face.’” Id. at 678, 129 S. Ct. at 1949 (quoting
Twombly, 550 U.S. at 570, 127 S. Ct. at 1974). “A claim has facial plausibility
when the plaintiff pleads factual content that allows the court to draw the
reasonable inference that the defendant is liable for the misconduct alleged.” Id.
24
Case: 11-13694 Date Filed: 09/05/2012 Page: 25 of 30
“The plausibility standard is not akin to a ‘probability requirement,’ but it asks for
more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting
Twombly, 550 U.S. at 556, 127 S. Ct. at 1955). “Where a complaint pleads facts
that are ‘merely consistent with’ a defendant’s liability, it ‘stops short of the line
between possibility and plausibility of ‘entitlement to relief.’” Id. (quoting
Twombly, 550 U.S. at 557, 127 S. Ct. at 1955). “[C]ourts may infer from the
factual allegations in the complaint ‘obvious alternative explanation[s],’ which
suggest lawful conduct rather than the unlawful conduct the plaintiff would ask the
court to infer.” Am. Dental Ass’n v. Cigna Corp., 605 F.3d 1283, 1290 (11th Cir.
2010) (quoting Iqbal, 556 U.S. at 682, 129 S. Ct. at 1951–52).
The parties do not dispute that laptops containing the sensitive information
of Curry and Moore were stolen from AvMed, but Curry and Moore’s second
amended complaint fails to plead enough facts to allow a factfinder to draw a
reasonable inference that the sensitive information identity thieves used to open the
fraudulent accounts in the plaintiffs’ names was obtained from AvMed. In an
attempt to bridge this gap, Curry and Moore allege that they have both been very
careful to protect their sensitive information. For example, Curry alleges that she
“destroys any documents she receives in the mail that contain any of her Sensitive
Information, or that contain any information that could otherwise be used to steal
25
Case: 11-13694 Date Filed: 09/05/2012 Page: 26 of 30
her identity, such as credit card offers,” Compl. ¶ 55, and Moore alleges that he
“destroys any documents he receives in the mail that contain any of his Sensitive
Information, or that contain any information that could otherwise be used to steal
his identity,” Compl. ¶ 71. But the manner in which Curry and Moore care for the
sensitive information they receive from third parties tells us nothing about how the
third parties care for that sensitive information before or after they send it to Curry
and Moore.
The factual allegations in the second amended complaint present “obvious
alternative explanation[s],” Am. Dental Ass’n, 605 F.3d at 1290 (quoting Iqbal,
556 U.S. at 682, 129 S. Ct. at 1951–52) (internal quotation marks omitted),
regarding the cause of the identity thefts that Curry and Moore suffered. An
unscrupulous third party that possessed the sensitive information of Curry and
Moore might have sold that information to the identity thieves who opened the
fraudulent accounts or a careless third party might have lost the information that
then found its way into the hands of those thieves. Although it is conceivable that
the unknown identity thieves used the sensitive information stolen from AvMed to
open the fraudulent accounts, it is equally conceivable, in the light of the facts
alleged in the complaint, that the unknown identity thieves obtained the
information from third parties. Curry and Moore do not allege any facts that make
26
Case: 11-13694 Date Filed: 09/05/2012 Page: 27 of 30
it plausible that the unknown identity thieves who opened the fraudulent accounts
obtained the sensitive information necessary to do so from AvMed.
The majority opinion attempts to salvage the complaint by asserting that it
alleges that the sensitive information used to steal Curry and Moore’s identities
was obtained from AvMed, Majority Opinion at 16, but the complaint alleges no
such thing. The majority opinion cites six paragraphs of the complaint to support
its conclusion that the complaint plausibly alleges that the sensitive information
used to steal Curry and Moore’s identities was obtained from the stolen laptops:
• On or about December 10, 2009, two unencrypted laptop computers
were stolen from AvMed’s Gainesville, Florida corporate office . . . .
The laptops contained private, personal information including, but not
limited to, protected health information . . . , Social Security numbers
. . . , medical information and other information (collectively,
“Sensitive Information”) of approximately 1.2 million AvMed
enrollees;
• As a result of AvMed’s failure to implement and follow basic
security procedures, Plaintiffs’ Sensitive Information is now in the
hands of thieves. Plaintiffs now face a substantial increased risk of
identity theft; in fact, Curry and Moore have already experienced
repeated instances of identity theft since the data breach. . . .
• Curry’s Sensitive Information was contained on an unprotected and
unencrypted laptop computer that was stolen in the data breach. As a
result of the data breach, Curry’s identity was stolen.
• Curry’s identity was stolen and, in or around October 2010, it was
used to open bank accounts with Bank of America and activate cards
in her name;
27
Case: 11-13694 Date Filed: 09/05/2012 Page: 28 of 30
• Curry’s Sensitive Information was also used to change her home
address with the U.S. Postal Service;
• The E*Trade Financial bank account was opened by an individual
using Moore’s Sensitive Information.
Compl. ¶¶ 2, 3, 7, 44, 46, & 61; see also Majority Opinion at 16−17. But these
paragraphs do not plausibly allege that the identity thieves gained access to Curry
and Moore’s sensitive information from the stolen laptops. At most, the complaint
alleges that AvMed lost Curry and Moore’s sensitive information on December 10,
2009, and about a year later, unidentified third parties obtained unspecified
sensitive information from an unidentified source and used that unspecified
information to engage in identity theft. The complaint, in the words of the majority
opinion, alleges nothing “more than a coincidence of time and sequence.” Majority
Opinion at 16.
The majority opinion assures us that Curry and Moore have, in fact, alleged
something “more than a coincidence of time and sequence” between the stolen
laptops and the identity thefts because “Plaintiffs state that the identity thief used
Plaintiffs’ sensitive information” to open the fraudulent accounts, id., but that
circular reasoning fails. No one disputes that unknown identity thieves used the
plaintiffs’ sensitive information to open fraudulent accounts in their names. The
28
Case: 11-13694 Date Filed: 09/05/2012 Page: 29 of 30
dispute is whether the unknown identity thieves obtained that sensitive information
from the laptops stolen from AvMed.
The complaint fails to allege a plausible basis for inferring that the unknown
identity thieves obtained the sensitive information of Curry and Moore from
AvMed. The complaint, for example, does not allege that only AvMed possessed
the sensitive information used to open the fraudulent accounts. The complaint does
not even allege what sensitive information was used to open financial accounts in
the plaintiffs’ names. The complaint alleges, for example, that the sensitive
information stolen from AvMed included health and medical information, but the
complaint fails to allege that this kind of information was used to open financial
accounts in the plaintiffs’ names.
“Determining whether a complaint states a plausible claim for relief [is] a
context-specific task that requires the reviewing court to draw on its judicial
experience and common sense,” Iqbal, 556 U.S. at 679, 129 S. Ct. at 1950, and that
experience reveals that vast numbers of individuals, businesses, and governmental
bodies possess our sensitive information, e.g., our names, social security numbers,
health information, and other personal data. Technology allows this information to
be copied quickly and transmitted over the Internet in an instant. Because of the
nature of sensitive information—a social security number and a name are the same
29
Case: 11-13694 Date Filed: 09/05/2012 Page: 30 of 30
regardless of who possesses that information—it may be difficult to pinpoint the
source of the sensitive information that is used to commit identity theft. But that
difficulty does not relieve Curry and Moore of their burden under Rule 8 to plead a
plausible basis for inferring that the sensitive information used by the identity
thieves was obtained from AvMed.
The complaint also fails to state a claim of unjust enrichment under Florida
law. “Florida courts have held that a plaintiff cannot pursue a quasi-contract claim
for unjust enrichment if an express contract exists concerning the same subject
matter.” Diamond “S” Dev. Corp. v. Mercantile Bank, 989 So. 2d 696, 697 (Fla.
Dist. Ct. App. 2008); see also Am. Safety Ins. Serv., Inc. v. Griggs, 959 So. 2d
322, 331 (Fla. Dist. Ct. App. 2007) (“A plaintiff may recover under quasi-contract
where there is no express or implied-in-fact contract, but the defendant received
something of value or benefited from the service supplied.”). The parties do not
dispute that they entered into an enforceable contract; they dispute whether the
contract has been breached. In that circumstance, a claim of unjust enrichment
cannot be maintained.
I respectfully dissent.
30