Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

McKenzie v. Allconnect, Inc.

United States District Court, E.D. Kentucky, Central Division, Lexington

March 28, 2019

METTEKJISTINE MCKENZIE, et al., Plaintiffs,
v.
ALLCONNECT, INC., Defendant.

          MEMORANDUM OPINION AND ORDER

          Joseph M. Hood, Senior U.S. District Judge.

         An unsuspecting employee of Defendant Allconnect, Inc., responded to a fraudulent phishing email, resulting in an unauthorized release of employee W-2 tax forms, including sensitive personal information contained within those forms. The named Plaintiffs are former employees of Allconnect who allege that they, and other similarly situated employees, were harmed by the unauthorized release of their personally identifable information (“PII”).

         In response to this lawsuit, the Defendant argues that the Defendants lack standing because they have not alleged an actual injury in fact. Furthermore, the Defendant claims that the Plaintiffs have failed to properly plead claims upon which relief may be granted. Finally, and in the alternative, the Defendant moves to strike the class allegations from Plaintiffs' complaint. For the reasons that follow, Allconnect's motion to dismiss, and motion to strike the class allegations, [DE 5] is GRANTED IN PART and DENIED IN PART.

         First, Allconnect's motion to dismiss for lack of Article III standing is denied because the Plaintiffs have provided sufficient factual information to demonstrate that they suffered financial loss, lost time, and emotional distress as a result of the unauthorized release of their personal information.

         Second, Allconnect's motion to dismiss Plaintiffs' claims for negligence, invasion of privacy based on intrusion upon seclusion, and breach of implied contract is denied because the Plaintiffs have pleaded sufficient information to meet federal pleading standards for these claims. Still, Plaintiffs' claims for invasion of privacy based on unreasonable publicity and for breach of fiduciary duty must be dismissed for failure to state claims upon which relief may be granted based on Rule 12(b)(6).

         Third, and finally, the Court does not have sufficient information to adequately address the class certification issue at present. As such, the Court will allow limited discovery on factual issues relevant to class certification and will address class certification when the Plaintiffs raise the issue in a proper motion to certify the class.

         I. Procedural History and Factual Allegations

         For the purposes of this motion to dismiss, the factual allegations in Plaintiffs' complaint are treated as true and viewed in the light most favorable to the Plaintiffs. Still, most of the relevant facts at this juncture do not appear to be in dispute.

         Defendant Allconnect is a company that connects consumers with offers for internet services, television, home security, electricity, and other products. Allconnect operates multiple offices across the United States, including sales and customer care centers in Georgia, Kentucky, Texas, and Utah. [DE 1-1 at 5, Pg ID 13].

         Plaintiffs Mettekjistine McKenzie and Chasity Combs are former employees of Allconnect. McKenzie is a resident of Arizona and was employed at Allconnect's Utah-based call center in 2016 and 2017. [Id. at 8, Pg ID 16]. Combs is a resident of Kentucky and worked at Allconnect's Kentucky-based call center from 2014 until 2018. [Id. at 9, Pg ID 17].

         On February 14, 2018, an unknown individual impersonating Steven Sibley, the president of Allconnect, contacted an Allconnect employee through email and requested 2017 W-2 information for all Allconnect employees. [Id. at 6, Pg ID 14]. Likely believing that the email message was actually from Sibley, the Allconnect employee sent a data file containing Allconnect employees' W-2 information, including employees' names, addresses, social security numbers, and wage information. [Id. at 6, 11, Pg ID 14, 19].

         Of course, it turns out that the email sent to the unsuspecting Allconnect employee was not from Allconnect's president and the data file sent in response was sent to cybercriminals perpetuating a fraud to gain the personal information of Allconnect's employees. On or around March 28, 2018, Allconnect discovered the unauthorized data disclosure. [Id. at 6, Pg ID 14]. In response, on April 2, 2018, Allconnect emailed former and current employees informing them about the data disclosure. [Id. at 5-6, Pg ID 13-14]. Additionally, Allconnect mailed letters to affected employees on April 2, 2018. [Id.]. Finally, Allconnect agreed to provide affected employees with two years of complimentary identity protection services through Allclear Id. [Id. at 11, Pg ID 19].

         Plaintiffs claim that they, and other similarly affected Allconnect employees have been damaged by the unauthorized disclosure of their personal data. The Plaintiffs argue that they must take measures to “both deter and detect identity theft.” [Id. at 6, Pg ID 14]. For instance, Plaintiffs claim that time spent on efforts to mitigate the harm from the data disclosure would otherwise be dedicated to different professional and personal activities. [Id.]. Moreover, the Plaintiffs argue that they have suffered lost time and damages as a result of having to place freezes and alerts on their credit reports with credit reporting agencies, have had to close or modify financial accounts, contact their financial institutions, and closely monitor their reports, among other mitigating activities. [Id. at 6-7, Pg ID 14-15].

         As a result, the Plaintiffs filed a lawsuit in Fayette Circuit Court. [DE 1-1]. The action was removed to this Court by Allconnect based on minimal diversity of citizenship pursuant to the Class Action Fairness Act of 2005 (“CAFA”). [DE 1]. Subsequently, Defendant Allconnect moved to dismiss Plaintiffs' complaint for lack of standing, failure to state claims upon which relief may be granted, and, in the alternative, moved to strike the class allegations in the complaint. [DE 5]. The Plaintiffs responded in opposition [DE 20] and the Defendant replied [DE 22], making this matter ripe for review.

         III. Analysis and Standard of Review

         Plaintiffs bring four causes of action against Allconnect on behalf of the entire class, they are, (1) negligence, (2) invasion of privacy, (3) breach of implied contract, and (4) breach of fiduciary duty. The Defendant claims that the compliant must be dismissed. First, the Defendant argues that the Plaintiffs lack standing to bring this lawsuit because they have not alleged an injury in fact. Second, the Defendant argues that the Plaintiffs have failed to plead sufficient factual information upon which relief may be granted. Finally, and in the alternative, the Defendant asks the Court to strike the class allegations in the complaint if any of the claims survive.

         A. Article III Standing

         First, Allconnect claims that the Plaintiffs have failed to establish a sufficient injury in fact to establish a cognizable Article III injury. [DE 5-1 at 4-7, Pg ID 63-66]. More specifically, the Defendant argues that apprehension of future injury as a result of the data breach, without more, is insufficient to create standing. [Id. at 5-6, Pg ID 64-65].

         “Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases' and ‘Controversies, '” and “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.'” Susan B. Anthony List v. Driehaus, 573 U.S. 149 (2014) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). “To establish Article III standing, a plaintiff must show (1) an ‘injury in fact,' (2) a sufficient ‘causal connection between the injury and the conduct complained of,' and (3) a ‘likel[ihood]' that the injury ‘will be redressed by a favorable decision.'” Id. (quoting Lujan, 504 U.S. at 560-561 (internal quotation marks omitted)).

         But here, Allconnect expressly acknowledges that a split panel of the United States Court of Appeals for the Sixth Circuit held that Article III standing existed in a similar data breach situation. Galaria, 663 Fed.Appx. at 388. In Galaria, the Sixth Circuit was faced with a situation like the one at bar where Nationwide employees filed a putative class action after a data breach resulted in the unauthorized release of employees' personal data. The Defendant, Nationwide, argued in part that the plaintiffs did not have Article III standing because they had not alleged a cognizable injury as a result of the data breach.

         The majority in Galaria acknowledged that courts have reached different conclusions on whether plaintiffs had alleged a cognizable injury in data breach situations to confer Article III standing but ultimately concluded that “[p]laintiffs' allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.” Id. at 388-89 (discussing the circuit split and citing cases). In so holding, the Galaria court said, “[A]lthough it might not be literally certain that Plaintiffs' data will be misused . . . there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable” and that “these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.” Id.

         Still, the dissenting judge in Galaria stated that the court “need not take sides in the existing circuit split regarding whether an increased risk of identity theft is an Article III injury because, even assuming that it is, the plaintiffs have failed to demonstrate the second prong of Article III standing- causation.” Id. at 392. The dissent would not have reached the Article III issue and instead would have held that the plaintiffs had failed to demonstrate the requisite causal connection between Nationwide's activity and the conduct of third-party hackers that stole employees' personal information. Id. at 393.

         The Galaria decision is technically not binding on this Court since it is an unpublished and non-precedential opinion of the Sixth Circuit. See Plumley v. Austin, 135 S.Ct. 828, 831 (2015) (Thomas, J. and Scalia, J. dissenting) (“[T]he decision below is unpublished and therefore lacks precedential force.”); Fed. R. App. P. 32.1; 6 Cir. R. 32.1.

         Still, Allconnect seems to acknowledge that the Galaria decision is highly persuasive on the issue of standing but “respectfully submit[s] that Galaria's holding appears inconsistent with Clapper's[1] standard and therefore, is incorrectly decided.” [DE 5-1 at 6, Pg ID 65]. But Allconnect has not attempted to distinguish the Galaria holding from this case in a meaningful way. In fact, the Galaria court held that Article III standing existed in a data breach situation that is very similar to the case at bar.

         Here, applying the logic in Galaria, the Plaintiffs have demonstrated that they had to take reasonable steps to mitigate damages from the unauthorized release of their PII to unknown phishing scammers. The Plaintiffs have provided factual information that demonstrates that they have lost time and money as a result of taking steps to protect their personal data and prevent the misuse of that data by scammers. At the very least, the Plaintiffs' mitigation efforts constitute a cognizable injury that is a direct result of the unauthorized release of employees' PII by Allconnect. As such, the Plaintiffs have alleged a sufficient injury in the form of mitigation costs to prevent the misuse of their stolen personal information and have allege a sufficient Article III injury.

         As a result, at the pleading stage, the Plaintiffs in this case have demonstrated Article III standing by alleging that the unauthorized release of their personal data has resulted in a substantial risk of harm paired with mitigation costs. The Court notes that Allconnect argues that Galaria was incorrectly decided but Allconnect has not made any effort to distinguish Galaria from the present case. As a result, any arguments directly attacking the propriety of the holding in Galaria must be presented to the Sixth Circuit, not this Court. Regardless, at the pleading stage, Plaintiffs have provided enough information to demonstrate that they lost time and money, in ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.