AMBER HANEY, JASON EVANS, MCKENNIA FITCH, DAVID KNIGHTEN, and CHRISTIE STINSON, individually and on behalf of all others similarly situated, Plaintiffs, v. CHARTER FOODS NORTH, LLC and CHARTER FOODS, INC. Defendants.
MEMORANDUM OPINION
Before the Court is Defendants Charter Foods North, LLC and Charter Foods, Inc.'s motion to dismiss Plaintiffs' second consolidated class-action complaint (Doc. 63). For the following reasons, the Court will GRANT IN PART and DENY IN PART Defendants' motion.
I. BACKGROUND
Defendants are franchisees of Yum! Brands, Inc., the parent company of several nationwide fast-food restaurant chains, including KFC, Taco Bell, Pizza Hut, and Long John Silvers. (Doc. 54, at 1.) Plaintiffs Amber Haney, Jason Evans, McKennia Fitch, David Knighten, and Christie Stinson are current or former employees of Defendants. (Id. at 6.) On January 13, 2023, a criminal-hacker group known as Lockbit 1 gained unauthorized access to Defendants' computer systems. (Id. at 2.) This breach gave the hackers access to the private information—including names, driver's license numbers, and Social Security numbers—of Plaintiffs as well as an estimated 110,000 of Defendants' current and former employees. (Id. at 2, 23.)
Although the incident occurred on January 13, 2023, Defendants did not notify the victims of the data breach until April 7, 2023. (Id. at 7.) In response to the breach, Defendants offered two years of allegedly inadequate credit-monitoring services for which Plaintiffs had to affirmatively sign up, as well as a call center for victims. (Id. at 8.) Plaintiffs allege that, shortly after the data breach, they “experienced a large increase in spam and suspicious phone calls, texts, and emails.” (Id. at 17–18, 20.) Plaintiffs also allege that they incurred monetary costs to purchase credit-monitoring services, credit freezes, and credit reports to detect potential identity theft, as well as “significant time responding” to the breach. (Id. at 3, 17, 19–20.)
Haney filed this action on May 10, 2023 (Doc. 1), and Fitch filed another action on June 20, 2023 (Doc. 1 in Case No. 2:23-cv-69). The Court consolidated these two cases on October 17, 2023 (Doc. 33). On December 7, 2023, the United States District Court for the Western District of Kentucky transferred Knighten and Evans's case to this Court (Doc. 47 in Case No. 2:23-cv-168), and, on February 21, 2024, the Court consolidated that case with the other two cases. (Doc. 50.) On May 20, 2024, Plaintiffs filed a second consolidated class-action complaint. (Doc. 54.)
Plaintiffs, on behalf of themselves and a proposed nationwide class consisting of “[a]ll individuals in the United States who had Private Information accessed and/or acquired as a result of the Data Breach, including all who were sent a notice of the Data Breach,” assert claims for (1) negligence, (2) negligence per se, (3) breach of implied contract, (4) breach of the implied covenant of good faith and fair dealing, and (5) unjust enrichment. (Doc. 54, at 23, 26–38.) On June 20, 2024, Defendants moved to dismiss Plaintiffs' second consolidated class-action complaint under Federal Rules of Civil Procedure 12(b)(1), 12(b)(6), and 12(b)(7). (Doc. 63.) This motion is now ripe for the Court's review.
II. STANDARD OF REVIEW
A. Federal Rule of Civil Procedure 12(b)(1)
“A motion to dismiss for lack of subject-matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) involves either a facial attack or a factual attack.” Glob. Tech., Inc. v. Yubei (XinXiang) Power Steering Sys. Co., 807 F.3d 806, 810 (6th Cir. 2015) (citing Am. Telecom Co. v. Republic of Leb., 501 F.3d 534, 537 (6th Cir. 2007)). A facial attack “is a challenge to the sufficiency of the pleading[,]” and, on such a motion, “the court must take the material allegations of the petition as true and construed in the light most favorable to the nonmoving party.” United States v. Ritchie, 15 F.3d 592, 598 (6th Cir. 1994) (citing Scheuer v. Rhodes, 416 U.S. 232, 235–37 (1974)). “A factual attack, on the other hand, is not a challenge to the sufficiency of the pleading's allegations, but a challenge to the factual existence of subject matter jurisdiction.” Id. (emphasis omitted). “On such a motion, no presumptive truthfulness applies to the factual allegations, ... and the court is free to weigh evidence and satisfy itself as to the existence of its power to hear the case.” Id. (internal citations omitted).
B. Federal Rule of Civil Procedure 12(b)(6)
Under Rule 8 of the Federal Rules of Civil Procedure, a plaintiff's complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). Though the statement need not contain detailed factual allegations, it must contain “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Rule 8 “demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id.
A defendant may obtain dismissal of a claim that fails to satisfy Rule 8 by filing a motion pursuant to Rule 12(b)(6). On a Rule 12(b)(6) motion, the Court considers not whether the plaintiff will ultimately prevail, but whether the facts permit the court to infer “more than the mere possibility of misconduct.” Id. at 679. For purposes of this determination, the Court construes the complaint in the light most favorable to the plaintiff and assumes the veracity of all well-pleaded factual allegations in the complaint. See Thurman v. Pfizer, Inc., 484 F.3d 855, 859 (6th Cir. 2007). This assumption of veracity, however, does not extend to bare assertions of legal conclusions, Iqbal, 556 U.S. at 679, nor is the Court “bound to accept as true a legal conclusion couched as a factual allegation,” Papasan v. Allain, 478 U.S. 265, 286 (1986).
After sorting the factual allegations from the legal conclusions, the Court next considers whether the factual allegations, if true, would support a claim entitling the plaintiff to relief. See Thurman, 484 F.3d at 859. The factual allegations must “state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). Plausibility “is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 556). “[W]here the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged—but it has not ‘show[n]’—‘that the pleader is entitled to relief.’ ” Id. at 679 (quoting Fed. R. Civ. P. 8(a)(2)).
C. Federal Rule of Civil Procedure 12(b)(7)
Rule 12(b)(7) of the Federal Rules of Civil Procedure provides for dismissal when required parties are not joined under Rule 19 of the Federal Rules of Civil Procedure. See Fed. R. Civ. P. 12(b)(7). To determine whether a party is required under Rule 19, the Court conducts a three-part inquiry:
First, the court must determine whether the person or entity is a necessary party under Rule 19(a). Second, if the person or entity is a necessary party, the court must then decide if joinder of that person or entity will deprive the court of subject matter jurisdiction. Third, if joinder is not feasible because it will eliminate the court's ability to hear the case, the court must analyze the Rule 19(b) factors to determine whether the court should “in equity and good conscience” dismiss the case because the absentee is indispensable.
Glancy v. Taubman Ctrs., Inc., 373 F.3d 656, 666 (6th Cir. 2004) (internal citations omitted). In other words, a party is only required or indispensable under Rule 19 if “(1) it is necessary, (2) its joinder cannot be effected, and (3) the court determines that it will dismiss the pending case rather than proceed in the case without the absentee.” Id. (citation omitted) (emphasis in original).
III. ANALYSIS
Defendants argue that the Court should dismiss Plaintiffs' second consolidated class-action complaint for three reasons: (1) Plaintiffs lack standing to bring their claims, (2) Plaintiffs fail to state a claim for which relief can be granted on all claims,2 and (3) Plaintiffs failed to join a necessary and indispensable party. (Doc. 64, at 8–10.)
A. Standing
Defendants argue that Plaintiffs lack standing to bring their claims. (Id. at 13.) The case-or-controversy requirement of Article III, Section 2 mandates that a plaintiff have standing in order to sue. See Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). To have standing, a plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Daunt v. Benson, 956 F.3d 396, 417 (6th Cir. 2020) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)). An injury, for standing purposes, means the “invasion of a legally protected interest which is (a) concrete and particularized, and (b) ‘actual or imminent.’ ” Id. (quoting Lujan, 504 U.S. at 560). “For an injury to be ‘particularized,’ it ‘must affect the plaintiff in a personal and individual way.’ ” Spokeo, 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560 n.1). A “concrete” injury in fact does not have to be tangible, but it must be “ ‘real,’ and not ‘abstract.’ ” Id. at 340. Further, “[w]here plaintiffs seek to establish standing based on an imminent injury, the Supreme Court has explained ‘that “threatened injury must be certainly impending to constitute injury in fact,” and that “[a]llegations of possible future injury” are not sufficient.’ ” Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016) (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (emphasis in original)).
The plaintiff bears the burden of showing that standing exists. Id. at 387 (citing Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009)). At the pleading stage, the plaintiff must clearly allege facts demonstrating each element of standing. See Spokeo, 578 U.S. at 338 (citing Warth v. Seldin, 422 U.S. 490, 518 (1975)). Lastly, “[p]laintiffs are not absolved of their individual obligations to satisfy the injury element of Article III just because they allege class claims.” Desai v. Geico Cas. Co., 574 F. Supp. 3d 507, 520 (N.D. Ohio 2021) (citing Soehnlen v. Fleet Owners Ins. Fund, 844 F.3d 576, 582 (6th Cir. 2016)). “A class representative must demonstrate ‘individual standing vis-à-vis the defendant; he cannot acquire such standing merely by virtue of bringing a class action.’ ” Bowen v. Paxton Media Grp., No. 5:21-cv-143, 2022 WL 4110319, at *2 (W.D. Kent. Sept. 8, 2022) (quoting Desai, 574 F. Supp. 3d at 520).
1. Injury in Fact
Plaintiffs allege several injuries: (1) “imminent, immediate, and continuing increased risk of experiencing devastating instances of identity theft”; (2) “a substantial risk of being targeted in future phishing, data intrusion, and other illegal schemes”; (3) past and future “time monitoring their accounts and records for misuse”; and (4) “out-of-pocket expenses and the value of their time reasonably incurred to remedy and mitigate the effects of the Data Breach.” (Doc. 54, at 24–25.)
The Sixth Circuit has held that “allegations of a substantial risk of harm, coupled with reasonably incurred mitigations costs, are sufficient to establish a cognizable Article III injury at the pleading stage of litigation.” Galaria, 663 F. App'x at 388. In Galaria, the plaintiffs filed a class action after hackers breached the defendant's computer network and accessed the plaintiffs' personal information—including names, dates of birth, and social security numbers. Id. at 386. The plaintiffs alleged several injuries, including that the breach created an “imminent, immediate and continuing risk” of identity theft, out-of-pocket expenses to monitor their credit, and time spent monitoring their financial accounts for potential fraud. Id. at 386–87. The Sixth Circuit held these injuries were sufficiently concrete to establish an Article III injury. Id. at 388. The Sixth Circuit explained, “[t]here is no need for speculation where [the p]laintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals” and that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in [the p]laintiffs' complaints.” Id. The Sixth Circuit further reasoned that “although it might not be literally certain that [the p]laintiffs' data will be misused, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable.” Id. (quoting Clapper, 568 U.S. at 415 n.5). While the defendants provided the plaintiffs with a year of free credit-report monitoring and identity-fraud protection, the court held that, because these services were limited and temporary, the plaintiffs reasonably expended their own time and money to monitor their credit. Id. at 386, 388–89.
Following Galaria, the Supreme Court issued TransUnion LLC v. Ramirez, where it decided whether two distinct classes had standing to bring claims against a credit reporting agency based on the presence of false information in their credit reports. See 594 U.S. 413, 432–433 (2021). These two classes consisted of individuals whose credit reports contained false information. See id. at 432. However, one class's reports were disseminated to third-party businesses, and the other class's reports were not shared. Id. The Supreme Court held that the first class suffered a concrete injury—dissemination of the false information to third-party businesses. Id. at 432. However, the court also held that the second class, consisting of members whose information was not disseminated, did not suffer a concrete injury. Id. at 433–34. In rejecting the second class's theory that risk of future harm satisfies the injury-in-fact requirement, the court concluded that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 436.
TransUnion does not, however, abrogate Galaria completely. In TransUnion, the Supreme Court held that the class of consumers whose information was disseminated to third parties suffered a concrete injury. Id. at 432. The Supreme Court recognized dissemination alone as an injury; it did not require the class to demonstrate actual use of the information by third parties that caused additional harm. See id. The plaintiffs in Galaria alleged dissemination of their private information, and the court agreed that, simply because the plaintiff's information was “in the hands of ill-intentioned criminals,” their injuries were not speculative. 633 F. App'x at 388. Further, the plaintiffs in Galaria alleged more than just the risk of future harm associated with their information being accessed by third parties; they also alleged that they incurred expenses to mitigate this risk of future harm. Id. Galaria's holding that substantial risk of future harm coupled with reasonably incurred mitigation costs is a concrete injury squares with TransUnion's holding that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm ... unless the exposure to the risk of future harm itself causes a separate concrete harm.” 594 U.S. at 436. Due to a data breach, plaintiffs suffer more than just the risk of future harm from use of their data; even before such use, they have experienced concrete harms such as dissemination of their personal information and reasonably incurred mitigation costs, as outlined in Galaria. Therefore, Galaria is consistent with TransUnion and still good law.3
Given that Galaria still applies, Plaintiffs in this case have adequately pled a concrete injury because they allege a substantial risk of harm, coupled with reasonably incurred mitigations costs. As in Galaria, Plaintiffs alleged that their private information “was accessed, exfiltrated, and stolen” by criminals, placing them at a substantial increased risk of identity theft; that they incurred reasonable expenses to mitigate the damages from the breach, including purchasing credit monitoring; and that they have expended time to monitor their financial accounts for signs of fraudulent activity. (Doc. 54, at 3, 8–9; 24–25); see Galaria, 663 F. App'x at 388. Also, just as in Galaria, Plaintiffs allege that Defendants provided inadequate credit-monitoring services for a limited time, but Defendants did not cover other protections, and Plaintiffs had to incur these costs out of pocket. (Doc. 54, at 8–9); see Galaria, 663 F. App'x at 388–89. As in Galaria, these expenses can be reasonably incurred. The substantial and imminent risk of identity theft Plaintiffs allege, coupled with the costs they reasonably incurred to mitigate this risk, are sufficient to establish an injury under Article III.4
2. Traceability
Next, Plaintiffs' injuries must be “fairly traceable” to the challenged conduct. Defendants argue that Plaintiffs only allege that their harms “could have” been traced to Defendants' actions, which, Defendants say, is insufficient. (Doc. 64, at 11.) An injury is “fairly traceable” to the challenged conduct if “there [is] a causal connection between the injury and the conduct complained of” that is not “the result of the independent action of some third party not before the court.” Lujan, 504 U.S. at 560 (citation omitted) (cleaned up).
Here, Plaintiffs' substantial risk of future harm coupled with their mitigation costs are sufficiently traceable to Defendants' conduct. Plaintiffs allege that Defendants' “failure to properly secure and safeguard” Plaintiffs' personal information led to the information being compromised in the breach. (Doc. 54, at 2.) Plaintiffs also allege that Defendants' failure to timely inform Plaintiffs of the breach led to additional harm. (Id.) According to Plaintiffs, without Defendants' actions, a breach—which caused the substantial risk of future harm and mitigation costs—would not have occurred, or, at minimum, its harms would have been minimized. Nor are Plaintiffs' injuries solely traceable to the hackers; Galaria expressly rejected this argument. 663 F. App'x at 390 (“Although hackers are the direct cause of [the p]laintiffs' injuries, the hackers were able to access [the p]laintiffs' data only because [the defendant] allegedly failed to secure the sensitive personal information entrusted to its custody.”) This is sufficient to trace Plaintiffs' injuries to Defendants' alleged actions and inactions.5
3. Redressability
Lastly, Plaintiffs must show that their injuries can be redressed by a favorable judicial decision. Daunt, 956 F.3d at 417. Defendants do not contest redressability. Here, Plaintiffs seek compensatory damages as well as injunctive relief requiring Defendants to implement actions to protect personal information. (Doc. 54, at 42–44.) Such relief would redress Plaintiffs' injuries.
B. Failure to State a Claim Upon Which Relief Can Be Granted
Defendants also argue that Plaintiffs fail to state a claim upon which relief can be granted. (Doc. 64, at 21.) The Court will address each relevant issue in turn.
1. Choice of Law
Preliminarily, the Court must determine which state's law applies to Plaintiffs' common-law claims. “A federal court sitting in diversity ordinarily must follow the choice-of-law rules of the State in which it sits.” Atlantic Marine Const. Co v. U.S. Dist. Ct. for the W. Dist. of Tex., 571 U.S. 49, 66 (2013) (citation omitted). Tennessee applies the “most significant relationship test” to tort claims, which provides that the law of the state where the injury occurred applies unless some other state has a more significant relationship to the litigation. See Hataway v. McKinley, 830 S.W.2d 53, 59 (Tenn. 1992). To determine the state with the most significant relationship, courts must consider several factors: (1) the place where the injury occurred; (2) the place where the conduct causing the injury occurred; (3) the domicile, residence, nationality, place of incorporation and place of business of the parties; and (4) the place where the relationship, if any, between the parties is centered. Id. In contract cases, Tennessee law provides that a contract is governed by the law of the state where it was executed. See Williams v. Smith, 465 S.W.3d 150, 153 (Tenn. Ct. App. 2014) (citation omitted).
In this case, the court will apply Tennessee law to the tort claims because Tennessee is the state with the most significant relationship. While the proposed class is nationwide, meaning that Plaintiffs' domiciles vary and that the alleged injuries occurred in different states,6 the remaining factors point to Tennessee being the state with the most significant relationship. The data breach occurred in Tennessee, and Defendants, whose conduct is the common denominator among the proposed class, are based in Tennessee. The Court will therefore apply Tennessee law to the tort claims. For the contract claims, the Court will apply Tennessee law for the same reasons; although there is not a written contract, any contractual duties were bestowed on Tennessee-based businesses, and the alleged breach-of-implied-contract claim relies on actions taken in Tennessee. (Doc. 54, at 5.)
2. Comparative Fault
Defendants next argue that, because Tennessee has abolished joint-and-several liability and adopted comparative fault, they cannot be held responsible for the actions solely attributable to Lockbit, which warrants dismissal of all claims against them. (Doc. 64, at 21–22.)
However, based on Plaintiffs' allegations, the doctrine of comparative fault does not require dismissal of their claims. The Tennessee Supreme Court has held that “the conduct of a negligent defendant should not be compared with the intentional conduct of another in determining comparative fault where the intentional conduct is the foreseeable risk created by the negligent tortfeasor.” Turner v. Jordan, 957 S.W.2d 815, 823 (Tenn. 1997). Plaintiffs allege exactly this; they allege that Defendants negligently failed to protect Plaintiffs against a foreseeable and intentional cyberattack. (Doc. 54, at 32.) And, as discussed below, foreseeability is a question for a jury. See infra III.C.3.d. Therefore, at this time, comparative fault does not bar Plaintiffs' claims.
3. T.C.A. § 29-34-215
Defendants argue that the recently enacted T.C.A. § 29-34-215 (the “Cybersecurity Statute”) bars Plaintiffs' class claims. (Doc. 64, at 11.) The Court will treat this argument as part of Defendants' Rule 12(b)(6) motion.
On May 21, 2024, the Cybersecurity Statute went into effect, and it provides:
SECTION 1. Tennessee Code Annotated, Title 29, Chapter 34, Part 2, is amended by adding the following as a new section:
(a) As used in this section:
(1) “Cybersecurity event” means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system;
(2) “Information system” has the same meaning as defined in § 56-2-1003;
(3) “Nonpublic information” means information that is not publicly available and concerns a person that, because of a name, number, personal mark, or other identifier, can be used to identify that person, in combination with the following:
(A) A social security number;
(B) A driver license number or non-driver identification card number;
(C) A financial account number or credit or debit card number;
(D) A security code, access code, or password that would permit access to the person's financial accounts; or
(E) Biometric records;
(4) “Private entity” means a corporation, religious or charitable organization, association, partnership, limited liability company, limited liability partnership, or other private business entity, whether organized for-profit or not-for-profit; and
(5) “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public.
(b) A private entity is not liable in a class action lawsuit resulting from a cybersecurity event unless the cybersecurity event was caused by willful and wanton misconduct or gross negligence on the part of the private entity.
SECTION 2. This act takes effect upon becoming a law, the public welfare requiring it.
Defendants contend (1) that the Cybersecurity Statute applies retroactively, and (2) that the complaint fails to allege “willful and wanton misconduct or gross negligence” with sufficient plausibility. (Doc. 64, at 5–6; Doc. 68, at 1–3.) If Defendants are correct on both grounds, then the Cybersecurity Statute shields Defendants from liability in this class action.
However, the Cybersecurity Statute does not apply retroactively. “Generally, statutes are presumed to operate prospectively and not retroactively.” Kee v. Shelter Ins., 852 S.W.2d 226, 228 (Tenn. 1993) (citing Woods v. TRW, Inc., 557 S.W.2d 274, 275 (Tenn.1977); Cates v. T.I.M.E., DC, Inc., 513 S.W.2d 508, 510 (Tenn.1974)). For a statute to overcome this presumption and apply to pending litigation, it must be “remedial or procedural in nature.” Id. “A procedural or remedial statute is one that does not affect the vested rights or liabilities of the parties. A procedural statute is one that addresses the mode or proceeding by which a legal right is enforced.” In re D.A.H., 142 S.W.3d 267, 273 (Tenn. 2004) (quoting Nutt v. Champion Int'l Corp., 980 S.W.2d 365, 368 (Tenn. 1998)).
Defendants argue this case is analogous to American Heritage Apartments, Inc. v. Hamilton County Water & Wastewater Treatment Authority, which denied class certification on the ground that a new statute barring class actions against the defendant applied retroactively. See 2018 WL 4150875, at *1 (Tenn. Ct. App. Aug. 29, 2018). But the Cybersecurity Statute is distinguishable from the statute at issue in American Heritage Apartments, Inc.—§ 66-221-608(e) of the Tennessee Code (which provides in § 66-221-608(e)(4) that “this part shall not authorize or permit any class action lawsuits against any authority ...”)—in two ways. First, the statute in American Heritage Apartments is “clear[ly] ... remedial in nature,” 2018 WL 4150875, at *5: it proscribes, inter alia, the procedures by which parties may appeal actions of the municipal authorities board; the defendant's authority to “establish rules and procedures governing the method for consideration of appeals”; procedural due process requirements for the defendant's decisions, such as a written statement of reasons; and the means through which parties should seek judicial review of the defendant's decisions. See § 66-221-608(e)(1)-(2). In contrast, the Cybersecurity Statute is focused predominantly on substantive law related to cybersecurity; the reference to class actions on which Defendants rely represents the extent of its procedural or remedial interests. See T.C.A. § 29-34-215. Second, whereas § 66-221-608(e)(4) bars class actions categorically “except as to holders of the authority's bonds,” the Cybersecurity Statute draws its distinction based on a defendant's substantive conduct: “A private entity is not liable in a class action lawsuit resulting from a cybersecurity event unless the cybersecurity event was caused by willful and wanton misconduct or gross negligence on the part of the private entity.” § 29-34-215(b) (emphasis added).
This provision thus goes beyond “merely affect[ing] the ‘procedural privilege to proceed as a class action.’ ” American Heritage Apartments, Inc., 2018 WL 4150875, at *6. Rather, it alters the “vested rights and liabilities of the parties” by heightening the mens rea required for defendants to be liable. In re D.A.H., 142 S.W.3d at 273. Given the generally substantive nature of the Cybersecurity Statute and its heightened mens rea requirement—and in light of the presumption of prospective application, Kee, 852 S.W.2d at 228—the Court finds the Cybersecurity Statute does not apply retroactively and cannot bar Plaintiffs' claims.
Accordingly, the Court need not reach the issue of whether the complaint sufficiently alleges a mens rea that would satisfy the Cybersecurity Statute.
4. Negligence
Defendants next argue that Plaintiffs fail to state a negligence claim. (Doc. 54, at 30.) To prevail on a negligence claim under Tennessee law, a plaintiff must establish “(1) a duty of care owed by the defendant to the plaintiff; (2) conduct by the defendant falling below the standard of care amounting to a breach of that duty; (3) an injury or loss; (4) causation in fact; and (5) proximate or legal cause.” Satterfield v. Breeding Insulation Co., 266 S.W.3d 347, 355 (Tenn. 2008) (citing Naifeh v. Valley Forge Life Ins. Co., 204 S.W.3d 758, 771 (Tenn. 2006); Draper v. Westerfield, 181 S.W.3d 283, 290 (Tenn. 2005)).
a. Duty
Plaintiffs have pled that Defendants owed them a duty to safeguard their private information. (Doc. 54, at 6.) Whether such a duty exists is a question of law. See Biscan v. Brown, 160 S.W.3d 462, 478 (Tenn. 2005). No Tennessee court has discussed the issue of whether a business has a common-law duty to protect its employees from data breaches. Therefore, the Court “essentially must attempt to place itself in the shoes of the Tennessee Supreme Court by ‘predicting how that court would rule.’ ” Williams v. BMW of N. Am., LLC, 514 F. Supp. 3d 1036, 1044 (E.D. Tenn. 2021) (quoting Berrington v. Wal-Mart Stores, Inc., 696 F.3d 604, 608 (6th Cir. 2012)) (alterations omitted).
The Tennessee Supreme Court has held, more generally, that a business has a duty to take reasonable measures to protect its customers from foreseeable criminal acts. See McClung, 937 S.W.2d at 902. However, Tennessee courts have not addressed whether this duty extends to protecting employees from foreseeable criminal acts. Nonetheless, the Court is convinced that the Tennessee Supreme Court would extend a business's duty to protect its customers from foreseeable criminal acts to include a duty to protect its employees from foreseeable criminal acts, such as a data breach. The Tennessee Supreme Court has noted in dicta that:
Under some circumstances, an employer has been held liable to his employee for injuries resulting from assault by a third person where the employer, but not the employee, had knowledge or notice of an unusual risk of assault by third parties and the employer failed to warn the employee of that danger. Ordinarily, however, an employer is under no legal duty to protect his employees from unlawful assault by strangers, and is not, as a rule, to be held liable for the intentional injury to or killing of his employee by a third person.
Thomas v. Gen. Elec. Co., 494 S.W.2d 493, 496 (Tenn. 1973) (citation omitted). Tennessee previously had adopted this same rule—a duty arises if a business has actual or constructive knowledge of the criminal actions of third parties—with respect to customers. See Cornpropst v. Sloan, 528 S.W.2d 188, 198 (Tenn. 1975) (holding businesses do not owe customers a duty to protect them from criminal acts “unless they know or have reason to know that acts are occurring or about to occur on the premises that pose imminent probability of harm”). But, in McClung, the Tennessee Supreme Court overruled this holding, calling the Cornpropst rule “obsolete.” 937 S.W.2d at 896. Instead, it imposed a more lenient rule:
[A] duty to take reasonable steps to protect customers arises if the business knows, or has reason to know, either from what has been or should have been observed or from past experience, that criminal acts against its customers on its premises are reasonably foreseeable, either generally or at some particular time.
Id. at 902.
Additionally, “[i]n determining the duty that exists, the foreseeability of harm and the gravity of the harm must be balanced against the commensurate burden imposed on the business to protect against that harm.” Id. Given that the Tennessee Supreme Court has adopted this more lenient test in regard to customers, the Court is convinced it would apply the same test regarding a business's duty to protect its employees from criminal acts. The Tennessee Supreme Court has already recognized similar duties in situations with a “special relationship” between the defendant and a potential victim, such as a physician/patient relationship, Bradshaw v. Daniel, 854 S.W.2d 865, 890 (Tenn. 1993), a psychiatrist/patient relationship, Turner, 957 S.W.2d at 820, and a nursing home/resident relationship, Limbaugh, 59 S.W.3d at 80–81. Such relationships are akin to that between an employer and its employees.
Applying this test, the Court finds that Defendants owed Plaintiffs a duty to take reasonable steps to protect them from a data breach and to timely inform Plaintiffs of the breach. Plaintiffs allege that they were required to provide Defendants with highly sensitive personal information as a condition of their employment and that this information, in malicious hands, placed them at substantial risk of various harms. (Doc. 54, at 2, 6.) They also allege that Defendants should have known that they would be a target for a breach. (Id. at 31.) The risk of a data breach is a risk of great harm, and companies are aware—or at least should be aware—of the scale and harm a data breach can cause. Data breaches have affected many large businesses for years and are only increasing in frequency. See Phil Muncaster, US Smashes Data Breach Record With Three Months Left, Infosecurity Magazine (Oct. 12, 2023), https://www.infosecurity-magazine.com/news/us-smashes-data-breach-record/; Brian Fung, Hackers Post Email Addresses Linked to 200 Million Twitter Accounts, Security Researchers Say, CNN (Jan. 5, 2023), https://www.cnn.com/2023/01/05/tech/twitter-data-email-addresses/index.html; Jess Weatherbed, T-Mobile Discloses its Second Data Breach so Far This Year, The Verge (May 2, 2023), https://www.theverge.com/2023/5/2/23707894/tmobile-data-breach-april-personal-data-pin-hack-security; Chris Isidore & David Goldman, Ashley Madison Hackers Post Millions of Customer Names, CNN Business (Aug. 19, 2015), https://money.cnn.com/2015/08/18/technology/ashley-madison-data-dump/index.html. Indeed, in their briefing, Defendants acknowledge the high risk of cyberattacks companies face. (Doc. 64, at 8 (“the current cybersecurity situation facing American businesses is a story akin to David and Goliath”).) Given the high level of foreseeability and known risks of data breaches, Defendants had a duty to take reasonable care to protect Plaintiffs from the data breach.
Thus, Plaintiffs sufficiently allege duty.
b. Breach
Plaintiffs have alleged at least six ways in which Defendants breached duties owed to them: (1) “[f]ailing to adopt, implement, and maintain adequate security measures to safeguard [Plaintiffs'] Private Information”; (2) “[f]ail[ing] to adequately monitor the security of their networks and systems”; (3) “[a]llowing unauthorized access to [Plaintiffs'] Private information”; (4) “[f]ailing to comply with the FTCA and applicable industry standards”; (5) “[f]ailing to detect in a timely manner that [Plaintiffs'] Private Information had been compromised”; and (6) “[f]ailing to timely notify [Plaintiffs'] about the Data Breach so that they could take appropriate steps to mitigate the potential for identity theft and other damages.” (Doc. 54, at 32–33.) All these allegations directly address whether Defendants breached their duty. Therefore, Plaintiffs adequately allege breach.
c. Injury
Defendants do not contest this element. Nonetheless, Plaintiffs allege that, because of Defendants' actions, they were harmed in various ways, as discussed in the Court's injury-in-fact analysis. See supra III.A.1. Therefore, Plaintiffs adequately allege injury.
d. Causation
Defendants do not contest that Plaintiffs have adequately alleged cause in fact, but rather argue that Plaintiffs fail to allege that the cyberattack was foreseeable, as is required to plead proximate cause. (Doc. 64, at 25.) Specifically, they argue that Plaintiffs fail to allege “exactly how [Defendants] should have been aware that it might be a target for an international cybercrime organization.” (Id.).
Here, Plaintiffs adequately allege that the data breach was foreseeable and, therefore, was the proximate cause of their injuries. As discussed above, data breaches are increasingly common occurrences for large businesses such as Defendants, and Plaintiffs allege as such. (Doc. 54, at 2–6.) Plaintiffs allege that Defendants should have known they would be a target for hacking groups. (Id. at 31.) Plaintiffs also allege that Defendants failed to take reasonable measures to protect their data and that Defendants failed to timely notify Plaintiffs of a breach. (Id. at 32–33.) It follows that the risk of failing to adequately protect against a known risk of a data breach is a data breach and the associated harms occurring. Therefore, at this stage, Plaintiffs adequately allege proximate cause.
Because Plaintiffs adequately allege all elements, they successfully state a claim for negligence.
5. Negligence Per Se
Plaintiffs also allege a claim for negligence per se. (Doc. 54, at 34–35.) Under Tennessee law, “[t]he negligence per se doctrine does not create a new cause of action.” Rains v. Bend of the River, 124 S.W.3d 580, 589 (Tenn. Ct. App. 2003) (citations omitted). Instead, “it is a form of ordinary negligence that enables the courts to use a penal statute to define a reasonably prudent person's standard of care.” Id. (internal citations omitted).
Because negligence per se is not a cause of action, the Court will dismiss this claim as duplicative of Plaintiffs' negligence claim. However, nothing in this opinion should be construed as eliminating Plaintiffs' ability to rely on failure to comply with Section 5 of the FTC Act and other statutory and regulatory violations as a vehicle to establish that Defendants breached their common-law duty as discussed above.
6. Breach of Implied Contract
Next, Plaintiffs assert a claim for breach of implied contract. (Doc. 54, at 37.) “When a plaintiff alleges breach of contract, he or she is responsible for proving (1) the existence of an enforceable contract, (2) nonperformance amounting to a breach of the contract, and (3) damages caused by the breach of contract.” Bancorp South Bank, Inc. v. Hatchel, 223 S.W.3d 223, 227 (Tenn. Ct. App. 2006). “While a contract may be either expressed or implied, or written or oral, it must result from a meeting of the minds of the parties in mutual assent to the terms.” Johnson v. Cent. Nat'l Ins. Co. of Omaha, Neb., 356 S.W.2d 277, 281 (Tenn. 1962) (citation omitted).
Defendants dispute the existence of an enforceable contract, arguing that Plaintiffs do not allege the existence of an implied contract, because no meeting of the minds as to the terms of the contract occurred. (Doc. 64, at 28.) Specifically, Defendants argue that they did not impliedly agree with Plaintiffs not to improperly disclose their personal information, nor did they impliedly agree to protect their personal information from the criminal acts of third parties. (Id.)
Plaintiffs allege that Defendants required Plaintiffs to provide them with personal information as a condition of employment and that, because of this, they “entered implied contracts with Defendants in which Defendants agreed to safeguard and protect such Information and to timely detect any breaches of their Private Information.” (Doc. 54, at 6, 37.) In cases such as this, several courts in this circuit have held that an implied contract is formed between an employer and employee when employees are required to provide personal information to their employer as a condition of their employment, and the resulting implied contract requires the employer to take reasonable steps to protect the employees' information. See, e.g., McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 821 (E.D. Ky. 2019) (holding that when the plaintiffs “as a condition of their employment [ ] had to provide personal information” to the defendant, the defendant “implicitly agreed to safeguard that information”); Bowen, 2022 WL 411031, at *7 (finding that the plaintiffs successfully pled a breach-of-implied-contract claim by alleging that their employer required personal information as a condition of employment and that the defendant implicitly agreed “to safeguard and protect such information, to keep such information secure and confidential, and to timely and accurately notify [the p]laintiffs . . . if their data had been breached and compromised or stolen”). While no court interpreting Tennessee law has done so, the Court finds these cases persuasive.
And, here, as in those cases, Plaintiffs alleged they were required to provide their private information to Defendants as a condition of their employment. (Doc. 54, at 6.) This creates an implied contract in which Defendants must take reasonable steps to protect such information. Accordingly, Plaintiffs successfully allege a claim for breach of implied contract.
7. Breach of the Implied Covenant of Good Faith and Fair Dealing
Defendants move to dismiss this claim on the same basis as above—that there is not an implied contract related to data protection. (Doc. 64, at 29–30.) For the same reasons as above, Plaintiffs sufficiently allege an implied contract, and, therefore, this claim survives.
8. Unjust Enrichment
In Tennessee, the elements of unjust enrichment are (1) “a benefit conferred upon the defendant by the plaintiff”; (2) “appreciation by the defendant of such benefit”; and (3) “acceptance of such benefit under such circumstances that it would be inequitable for him to retain the benefit without payment of the value thereof.” Freeman Indus., LLC v. Eastman Chem. Co., 172 S.W.3d 512, 525 (Tenn. 2005) (quoting Paschall's, Inc. v. Dozier, 407 S.W.2d 150, 155 (Tenn. 1966)) (alterations omitted).
This claim fails because Plaintiffs' personal information does not confer a benefit upon Defendants. Numerous courts in the Sixth Circuit agree. See, e.g., Lochridge, 2023 WL 4303577, at *6–7; Tate, 2023 WL 6383467, at *8; Kingen, 2023 WL 8544231, at *5. Plaintiffs allege that their private information has inherent value (Doc. 54, at 40) and argue the information is valuable not only to businesses who retain it but also to consumers who rely on the data's integrity to engage in transactions with the business (Doc. 67, at 33). The out-of-circuit cases Plaintiffs discuss in support of this point are distinguishable. In both In re Marriott International, Inc., Customer Data Security Breach Litigation, 440 F. Supp. 3d 447 (D. Md. 2020) and In re Capital One Consumer Data Security Breach Litigation, 488 F. Supp. 3d 374 (E.D. Va. Sept. 18, 2020), the data compromised in a breach consisted of not just personal identifying information but also consumer data, such as consumer preferences and purchase history. 440 F. Supp. 3d at 454; 488 F. Supp. 3d at 399. Consumer information has monetary value to a company; armed with such information, the company can target marketing at specific customers or sell the information to a third party who will do the same. But Plaintiffs in this case do not allege that Defendants used their data for any of the above—only that the data had “inherent value.” However, unlike consumer data, Plaintiffs' personal information only dealt with their identities and lacks value for non-illicit uses, such as using this data to market or selling the data to third parties.
The Court agrees with the majority of district courts in this circuit and finds Plaintiffs' cited cases unpersuasive. Therefore, Plaintiffs did not confer a benefit upon Defendants by providing their personal data. Accordingly, the Court will dismiss Plaintiffs' claim for unjust enrichment.
C. Failure to Join a Necessary and Indispensable Party
Lastly, Defendants argue that the Court should dismiss the case because Plaintiffs failed to join a necessary party—Lockbit. (Doc. 64, at 20.) The Court first must determine whether Lockbit is a “necessary” or “required” party under Rule 19(a). “If the party is deemed necessary for the reasons enumerated in Rule 19(a), the court must next consider whether the party is subject to personal jurisdiction and can be joined without eliminating the basis for subject matter jurisdiction.” PaineWebber v. Cohen, 276 F.3d 197, 200 (6th Cir. 2001) (citations omitted). A party is a necessary party if:
(A) in that person's absence, the court cannot accord complete relief among existing parties; or
(B) that person claims an interest relating to the subject of the action and is so situated that disposing of the action in the person's absence may:
(i) as a practical matter impair or impede the person's ability to protect the interest; or
(ii) leave an existing party subject to a substantial risk of incurring double, multiple, or otherwise inconsistent obligations because of the interest.
Fed. R. Civ. P. 19(a)(1).
First, Plaintiffs can obtain complete relief without Lockbit. Even though Lockbit may be responsible for some of Plaintiffs' injuries, that is insufficient to make it a necessary party. See PaineWebber, Inc. v. Cohen, 276 F.3d 197, 204 (6th Cir. 2001) (“Specifically, a person's status as a joint tortfeasor does not make that person a necessary party, much less an indispensable party.” (citations omitted)). “Complete relief is determined as between persons already parties, ‘and not between a party and the absent person whose joinder is sought.’ ” Laethem Equip. Co. v. Deere & Co., 485 F. App'x 39, 44 (6th Cir. 2012) (quoting Sch. Dist. of Pontiac v. Sec'y of U.S. Dep't of Educ., 584 F.3d 253, 265 (6th Cir. 2009)). In this case, although Plaintiffs cannot obtain complete relief for their injuries, they can obtain complete relief between themselves and Defendants, which is the proper inquiry. See id. (“Thus, because [plaintiffs] brought suit against only one severally-liable tortfeasor, Deere, the nonjoinder of Kathryn Laethem, to whom a percentage of the fault may be allocated, does not affect whether plaintiffs will be able to recover complete relief as between themselves and Deere.”) (emphasis in original).
While Lockbit has an interest in the litigation, its interest is not impaired by its absence, nor are Defendants subject to the substantial risk of incurring double liability. As discussed by Defendants, Tennessee has abolished joint-and-several liability. (Doc. 64, at 21 (citing Tenn. Code Ann. § 29-11-107).) Because of this, Defendants are not jointly liable with Lockbit and are only liable for their own actions or inactions. Therefore, Lockbit is not a necessary party. Accordingly, the Court need not decide whether Lockbit is an indispensable party, and the Court denies Defendants' motion to dismiss on this ground.
IV. CONCLUSION
For the above-stated reasons, the Court GRANTS IN PART and DENIES IN PART Defendants' motion to dismiss (Doc. 63). Plaintiffs' claims for negligence per se and unjust enrichment are DISMISSED WITH PREJUDICE. The remainder of Plaintiffs' claims will proceed.
SO ORDERED.
FOOTNOTES
1. Although the name of this group was unknown and therefore not contained in the complaint, both parties acknowledge the group is Lockbit. (See Doc. 64, at 8; Doc. 67, at 9.) The parties refer to the group as both Lockbit and Lockbit 3.0. (See id.) For simplicity, the Court will refer to the group as “Lockbit.”
2. The Court will treat Defendants' preliminary argument that T.C.A. § 29-34-215 bars Plaintiffs' class-action claims as falling within their Rule 12(b)(6) motion.
3. District courts in this circuit agree overwhelmingly. See, e.g., Kingen v. Warner Norcross + Judd LLP, No. 1:22-cv-1126, 2023 WL 8544231, at *2–3 (W.D. Mich. Oct. 4, 2023) (“[T]he Court finds the Galaria framework at least persuasive precedent.”); Brickman v. Maximus, Inc., 2022 WL 16836186, at *4 (S.D. Ohio May 2, 2022) (noting that while “much of the language in TransUnion suggests that Galaria's finding on an injury-in-fact based on a risk of future harm caused by a data breach may no longer be valid[,] . . . the Sixth Circuit has not yet reconsidered Galaria in light of TransUnion . . . [s]o, Galaria controls here . . . .”); Lochridge v. Quality Temporary Servs., Inc., 2023 WL 4303577, at *4 (E.D. Mich. June 30, 2023) (rejecting the defendant's argument that the holding of Galaria is no longer valid following TransUnion); Bowen, 2022 WL 4110319, at *2 (“Galaria is consistent with TransUnion.”). While at least one court in this circuit has noted that “TransUnion LLC v. Ramirez casts some doubt on the continued viability of Galaria,” that court also noted that, because the Sixth Circuit has not reconsidered Galaria, it still controls. Brickman, 2022 WL 16836186, at *3. The Court is persuaded by these cases.
4. Defendants argue that “[t]he bulk of Plaintiffs' alleged ‘injuries’ are self-imposed, and cannot be used to manufacture standing.” (Doc. 64, at 16.) But Galaria held that even “self-imposed” injuries are a concrete injury for purposes of standing, as long as such “self-imposed” injuries are reasonably incurred mitigation costs. 663 F. App'x at 388–89. As discussed above, Plaintiffs allege similar injuries to Galaria and, therefore, have suffered a concrete injury for purposes of standing.
5. Defendants argue that “Plaintiffs have not alleged sufficient facts to allow this Court to find that they have satisfied the ‘causation’ prong of the standing analysis.” (Doc. 64, at 18.) But this argument focuses on the spam, activity on Plaintiffs' CashApp, Chime, and PayPal accounts, and suspicious phone calls. The Court need not address that argument since every alleged harm does not need to be traced to Defendants' alleged actions for standing to exist. As discussed above, the substantial risk of future harm, coupled with the mitigation costs, satisfies the concrete-injury requirement, and these injuries are traceable to Defendants' actions or lack of actions.
6. This includes named Plaintiffs, none of whom is a Tennessee resident. (Doc. 54, at 4–5.)
TRAVIS R. MCDONOUGH UNITED STATES DISTRICT JUDGE
Docket No: Lead Case No. 2:23-cv-46
Decided: August 28, 2024
Court: United States District Court, E.D. Tennessee