Attias v. Carefirst, Inc. ( 2019 )

                                             UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
CHANTAL ATTIAS, et al.,
Plaintiffs,
v.                                       Case No. 15-cv-00882 (CRC)
CAREFIRST, INC., et al.,
Defendants.
I.        Background ............................................................................................................................ 3
II.       Standard of Review ................................................................................................................ 6
III.      Jurisdiction ............................................................................................................................. 6
IV. Analysis.................................................................................................................................. 7
A.      Whether plaintiffs have adequately alleged damages for nine of their eleven claims . 8
1.       Plaintiffs must allege actual damages for nine of their causes of action ......... 10
2.       Four theories of actual damages ...................................................................... 12
B.      Whether the parties’ contractual relationship bars plaintiffs’ tort claims .................. 24
C.      Whether plaintiffs have pled in the alternative an unjust enrichment claim .............. 37
D. Whether plaintiffs have alleged an unlawful trade practice under the D.C. Consumer
Protection Procedures Act......................................................................................................... 38
E. Whether insurance companies are exempt from civil liability for data breaches under
the Maryland Consumer Protection Act ................................................................................... 40
V.        Conclusion ........................................................................................................................... 42
MEMORANDUM OPINION
In May 2015, the District of Columbia-area health insurer CareFirst announced that it had
suffered a data breach that compromised the personal information of millions of its
policyholders. Plaintiffs in this putative class action are among those whose data was accessed.
They seek compensation for the breach through both tort- and contract-based claims under
District of Columbia law, as well as statutory claims under several D.C., Maryland, and Virginia
consumer-protection laws.
Common to all of plaintiffs’ claims is the assertion that they have been injured by
CareFirst’s failure to protect their personal information from exposure. The alleged injuries do
not, for the most part, involve actual misuse of their personal information. Plaintiffs instead
claim that the data breach resulted in an increased risk of identity theft and the need for
prophylactic expenditures—on credit monitoring services and the like—to reduce that risk. They
also contend that CareFirst’s failure to protect their personal information resulted in a contractual
injury because they did not receive the full value of the policies they purchased. And they say
they have suffered emotional distress in dealing with the breach.
The Court previously dismissed plaintiffs’ claims for lack of Article III standing, finding
that they had failed to allege a non-speculative injury-in-fact. The D.C. Circuit reversed and
remanded. CareFirst now moves to dismiss the operative second amended complaint under
Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim.
The Court will grant the motion in large part. After briefly recounting the factual and
procedural background, the Court will begin by confirming that it has diversity jurisdiction over
the case pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d). It will then explain its
conclusion that, while plaintiffs’ alleged injuries may be enough to establish standing at the
pleading stage of the case, they are largely insufficient to satisfy the “actual damages” element of
nine of their state-law causes of action. The Court will then move to the interplay between
plaintiffs’ tort and contract claims, finding that the parties’ non-fiduciary contractual relationship
independently forecloses tort liability based on the allegations in the complaint. Finally, the
Court will address issues specific to plaintiffs’ unjust enrichment claim and their claims under
2
the District of Columbia Consumer Protection Procedures Act and the Maryland Consumer
Protection Act.
At the end of the day, the Court will dismiss all of plaintiffs’ claims except for a breach
of contract claim and a Maryland Consumer Protection Act claim brought by the only two
plaintiffs (Kurt and Connie Tringler of Maryland) who have plausibly alleged actual misuse of
personal information resulting from the data breach. In reaching this outcome, the Court
acknowledges the difficulty of applying traditional tort and contract principles in the
contemporary context of data security. It also recognizes that courts across the country have
divided on a number of important legal issues that frequently arise in data breach litigation. The
Court has attempted to illuminate some of these divisions in this opinion.
I.   Background
Seven plaintiffs bring this putative class action against CareFirst and certain of its
affiliates doing business in the District of Columbia, Maryland, and Virginia. Second Am. Class
Action Compl. (“SAC”), ECF No. 9. 1 CareFirst operates a group of health insurance companies
providing coverage to more than one million individuals in the District of Columbia, Maryland,
and Virginia. 

23. Plaintiffs are residents of the District of Columbia, Maryland, and
Virginia, and customers and insureds of CareFirst. 

25. When customers purchase
health insurance through CareFirst, they provide the company certain personal information,
including their names, credit card numbers, addresses, and social security numbers. 

27. CareFirst promises, explicitly or implicitly, to keep this information protected. 

1
The named plaintiffs are Chantal Attias and Andreas Kotzur of the District of
Columbia, Richard and Latanya Bailey of Virginia, and Curt and Connie Tringler and Lisa
Huber of Maryland. 

3
CareFirst allegedly failed to properly encrypt some of the data entrusted to its care, 

and
in June 2014, CareFirst suffered a cyberattack, 

It learned of the attack in April 2015 and
notified its customers, including plaintiffs, the following month. 

Plaintiffs initiated this action shortly after learning of the data breach and filed the
operative second amended complaint in July 2015. They bring eleven claims: breach of contract
(Count I), negligence (Count II), violation of the District of Columbia Consumer Protection
Procedures Act (Count III), violation of the District of Columbia Data Breach Notification
Statute (Count IV), violation of the Maryland Consumer Protection Act (Count V), violation of
the Virginia Consumer Protection Act (Count VI), fraud (Count VII), negligence per se (Count
VIII), unjust enrichment (Count IX), breach of the duty of confidentiality (Count X), and
constructive fraud (Count XI). They allege that they “have suffered economic and non-economic
loss in the form of mental and emotional pain and suffering and aguish [sic] as a result of
Defendants’ failures” to secure plaintiffs’ confidential information. SAC ¶ 38. The Tringlers
specifically allege that they have experienced “tax-refund fraud” as a result of the data breach.

And all plaintiffs allege that they “face years of constant surveillance of their financial
and personal records, monitoring, and loss of rights.” 

CareFirst moved to dismiss the complaint for lack of subject matter jurisdiction under
Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6). The Court granted the 12(b)(1)
motion on the ground that plaintiffs had not identified an “actual or imminent” injury as is
necessary to satisfy the injury-in-fact requirement of constitutional standing. In so doing, the
Court observed that most of the plaintiffs had not alleged that their personal information had
actually been misused in any way. Nor had they explained how the information taken (which
CareFirst averred did not include financial information or social security numbers) could readily
4
be used to assume their identities. Based on these factors, the Court adopted the principle that
most other courts have followed in similar cases, including a Maryland federal class action
brought by another set of CareFirst customers stemming from the same breach: “Absent facts
demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner,
merely having one’s personal information stolen in a data breach is insufficient to establish
standing to sue the entity from wh[ich] the information was taken.” Attias v. CareFirst, Inc., 

, 197 (D.D.C. 2016). The Court further held that plaintiffs’ other asserted
injuries were also insufficient to meet the injury-in-fact requirement of standing. Those harms
included (1) expenditures on credit-monitoring services to prevent future identity theft; (2) some
indeterminate overpayment for their insurance coverage; (3) loss of the intrinsic value of the
stolen personal information; and (4) violation of their statutory rights under various consumer
protection laws. 

The D.C. Circuit reversed and remanded, finding that plaintiffs had plausibly alleged a
substantial risk of identity theft flowing from the data breach, which was enough to meet “the
light burden of proof the plaintiffs bear at the pleading stage” of the case. Attias v. CareFirst,
Inc., 

, 627–28 (D.C. Cir. 2017). The Circuit declined to reach CareFirst’s
alternative argument that plaintiffs had failed to state a claim under Rule 12(b)(6). 

It did so because this Court had reserved judgment on a second threshold jurisdictional
question—whether diversity jurisdiction exists under the Class Action Fairness Act, 28 U.S.C.
§ 1332(d)—which the Circuit could not answer on the record before it. 

–
30.
Venturing once more into the breach, CareFirst has now renewed its 12(b)(6) motion
before this Court. Mem. in Supp. of Defs.’ Mot. to Dismiss (“MTD”), ECF No. 44-1. Plaintiffs
5
oppose the motion. Pls.’ Opp’n to MTD (“Opp’n”), ECF No. 45. The Court held a hearing on
November 5, 2018, and the motion is now ripe for resolution.
II.   Standard of Review
In analyzing a motion to dismiss under Rule 12(b)(6), the Court must determine whether
the complaint “contain[s] sufficient factual matter, accepted as true, to ‘state a claim to relief that
is plausible on its face.’” Ashcroft v. Iqbal, 

, 678 (2009) (quoting Bell Atl. Corp. v.
Twombly, 

, 570 (2007)). This requires “factual content that allows the court to
draw the reasonable inference that the defendant is liable for the misconduct alleged.” 

this determination, the Court “must take all of the factual allegations in the complaint as
true.” 

must “constru[e] the complaint liberally in the plaintiff’s favor with the benefit
of all reasonable inferences derived from the facts alleged.” Stewart v. Nat’l Educ. Ass’n, 

, 173 (D.C. Cir. 2006). Finally, the Court may only “consider the facts alleged in the
complaint, documents attached thereto or incorporated therein, and matters of which it may take
judicial notice.” 

The Court turns first to the jurisdictional question that it previously left unresolved:
whether it has diversity jurisdiction over plaintiffs’ eleven state-law claims under the Class
Action Fairness Act (“CAFA”). It does. “CAFA gives federal courts jurisdiction over certain
class actions, . . . if the class has more than 100 members, the parties are minimally diverse, and
the amount in controversy exceeds $5 million.” Dart Cherokee Basin Operating Co., LLC v.
Owens, 

, 552 (2014) (citing 28 U.S.C. §§ 1332(d)(2), (5)(B)). Beginning with the
first requirement, plaintiffs estimate that there are more than one million class and sub-class
members, SAC ¶ 63, and CareFirst does not contest that number for purposes of this motion,
6
Hr’g Tr. at 3:2–3:14. Second, the parties are minimally diverse because “any member of a class
of plaintiffs is a citizen of a State different from any defendant,” 28 U.S.C. § 1332(d)(2)(A): The
plaintiffs are residents of the District of Columbia, Maryland, and Virginia and have sued
CareFirst and its affiliates doing business in those three places. And third, the amount in
controversy almost certainly exceeds the $5 million threshold. Under CAFA, the Court
aggregates the individual claims of class members. Here, even if individual class members’
claims are worth just $5 each, they would satisfy the amount-in-controversy requirement. But
it’s likely that the value of their claims is much more. For example, plaintiffs have brought
claims under the District of Columbia Consumer Protection Procedures Act, D.C. Code Ann.
§ 28-3901 et seq., which provides statutory damages of $1,500 per violation, and the Virginia
Consumer Protection Act (“VCPA”), Va. Code Ann. § 59.1-196 et seq., which entitles successful
plaintiffs to $500 to $1,000 per violation. SAC ¶¶ 90(d), 115. Although plaintiffs do not provide
a breakdown of the numbers in each subclass, it’s hard to imagine a distribution that would not
satisfy the amount-in-controversy requirement based solely on these statutory claims. In any
event, neither party questions that the amount in controversy exceeds $5 million. See SAC ¶ 10;
Hr’g Tr. at 3:2–3:4; Dart 

(explaining that amount-in-controversy
allegation should be accepted where not questioned by either party).
Accordingly, because the prospective class has more than 100 members, the parties are
minimally diverse, and the amount in controversy exceeds $5 million, this Court has diversity
jurisdiction under CAFA. See Dart 

.
IV. Analysis
“A federal court sitting in diversity must apply the substantive law of the jurisdiction in
which it sits.” Metz v. BAE Sys. Tech. Sol. & Servs. Inc., 

, 21–22 (D.C. Cir. 2014).
7
Here, that jurisdiction is the District of Columbia. 2 This means that the Court is bound by
decisions of the District of Columbia Court of Appeals—the highest court in D.C.—interpreting
D.C. law. 

is all the more salient in a data-breach case like this because
federal courts across the country have applied the relevant state law to claims arising out of data
breaches to very different effect. In the absence of a decision by the District of Columbia Court
of Appeals, the Court’s role in interpreting and applying D.C. law is to achieve the same
outcome it believes would result if the District’s highest court considered this case. 

follow, the Court first concludes that all plaintiffs but the Tringlers have failed to
allege, as they must, actual damages for nine of their eleven claims. The Court then finds that
plaintiffs’ contractual relationship with CareFirst precludes the rest of their claims: their tort
claims because they fail to allege an independent duty to safeguard private information; their
unjust enrichment claim because they fail to allege that their contract is invalid or unenforceable;
and their D.C. Consumer Protection Procedures Act claim because they fail to allege any
unlawful trade practice beyond the breach of contract itself. In the end, only the Tringlers
remain and they are left only with their breach of contract claim in Count I and their Maryland
Consumer Protection Act claim in Count V.
A. Whether plaintiffs have adequately alleged damages for nine of their eleven claims
CareFirst moves to dismiss the following nine of plaintiffs’ claims for failure to allege
actual damages: (1) breach of contract; (2) negligence and (3) negligence per se; (4) fraud and
(5) constructive fraud; (6) breach of the duty of confidentiality; violations of the (7) Maryland
2
Although there was some confusion in the briefing, the parties agreed at the hearing that
District of Columbia law applies to all but the state-specific statutory claims. See Opp’n at 12;
Hr’g Tr. at 6:2–6:10.
8
and (8) Virginia Consumer Protection Acts; and violation of the (9) District of Columbia Breach
Notification Statute. MTD at 6–10. Plaintiffs counter that CareFirst simply camouflages the
“the exact same argument” regarding speculative harm previously rejected by the D.C. Circuit in
deciding that they have adequately pled an injury-in-fact for purposes of standing. Opp’n at 1, 5.
The D.C. Circuit’s standing ruling does not control whether plaintiffs have alleged actual
harm for purposes of their state-law claims. See 

Plaintiffs may satisfy the Article III
injury-in-fact requirement and yet fail to adequately plead damages for a particular cause of
action. For example, in Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010), the Ninth
Circuit explained that its holding in a concurrently published opinion that the plaintiffs “pled an
injury-in-fact for purposes of Article III standing does not establish that they adequately pled
damages for purposes of their state-law claims” arising out of the theft of a company laptop
containing the confidential personal information of thousands of Starbucks employees. 

3 The court concluded that, despite having Article III standing based on the risk of future
identity theft, the employees failed to state a negligence claim because, under the relevant state
law, “[t]he mere danger of future harm, unaccompanied by present damage, will not support a
negligence action.” 

So too here. Although plaintiffs have successfully
pled an injury-in-fact sufficient to support federal constitutional standing, they must still plead a
proper cause of action under the relevant D.C. or state law.
With that issue aside, the Court now turns to the merits of CareFirst’s argument that nine
causes of action should be dismissed for failure to plead damages under the applicable state laws.
3
See also Carlsen v. GameStop, Inc., 

, 909 (8th Cir. 2016) (“As we
previously have cautioned, [i]t is crucial . . . not to conflate Article III’s requirement of injury in
fact with a plaintiff’s potential causes of action, for the concepts are not coextensive.” (internal
quotation marks and citation omitted) (alterations in original)).
9
1. Plaintiffs must allege actual damages for nine of their causes of action
All but two of plaintiffs’ claims require allegations of actual damages.
Breach of contract
Under District of Columbia law, actual loss or damage is an essential element for a
breach of contract cause of action. See Cahn v. Antioch Univ., 

, 130 (D.C. 1984)
(“It is clear in contract law that a plaintiff is not required to prove the amount of his damages
precisely; however, the fact of damage and a reasonable estimate must be established.” (quoting
W.G. Cornell Co. of Wash., D.C. v. Ceramic Coating Co., Inc., 

, 993 (D.C. Cir.
1980))); Sloan v. Urban Title Servs., Inc., 

, 133 & 133 n.7 (D.D.C. 2010)
(“Both District and Virginia law require proof of injury (i.e., damages) as an element of claims
for breach of contract[.]” (citing Osbourne v. Capital City Mortg. Corp., 

, 324–25
(D.C. 1999))). The mere danger of future harm, unaccompanied by present injury, will not
support a breach of contract action. See 

–35.
Negligence and negligence per se
Under D.C. law, “[t]o maintain an action for negligence, a plaintiff must allege more than
speculative harm from defendant’s allegedly negligent conduct.” Randolph v. ING Life Ins. &
Annuity Co., 

, 708 (D.C. 2009); see also Hillbroom v. PricewaterhouseCoopers
LLP, 

, 573 (D.C. 2011) (“[T]he mere breach of a professional duty, causing only
nominal damages, speculative harm, or the threat of future harm—not yet realized—does not
suffice to create a cause of action for negligence.” (quoting Knight v. Furlow, 

,
1235 (D.C. 1989))). The same is true for a negligence per se action. See Tolson v. The Hartford
Fin. Servs. Grp., Inc., 

, 36 (D.D.C. 2017) (explaining that plaintiff “would still
have to prove that she was injured” for her negligence per se claim).
10
Fraud and constructive fraud
Next, “provable damages” is also an “essential element[] of common law fraud” in the
District. Kitt v. Capital Concerts, Inc., 

, 860–61 (D.C. 1999) (citing Dresser v.
Sunderland Apartments Tenants Ass’n, Inc., 

, 839 (D.C. 1983)); see also Wetzel v.
Capital City Real Estate, LLC, 

, 1002–03 (D.C. 2013). “Constructive fraud differs
from actual fraud only in that the misrepresentation of material fact is not made with the intent to
mislead, but is made innocently or negligently.” De May v. Moore & Bruce, L.L.P., 584 F.
Supp. 2d 170, 185 (D.D.C. 2008) (quoting Nguyen v. Voorthuis Opticians, Inc., 

, 64 (D.D.C. 2007)). As such, constructive fraud also requires actual damages.
Breach of the duty of confidentiality
A claim for a breach of the duty of confidentiality is equivalent to a claim for a breach of
a fiduciary duty. See Democracy Partners v. Project Veritas Action Fund, 

,
120 (D.D.C. 2018). Under D.C. law, a breach of a fiduciary duty “require[s] a showing of injury
or damages.” Headfirst Baseball LLC v. Elwood, 

, 14 (D.D.C. 2017); see also

.
Statutory claims
Under the Maryland Consumer Protection Act, Md. Code Ann., Com. Law § 13-408(a), a
plaintiff must “plead actual injury or harm,” Lloyd v. Gen. Motors Corp., 

, 277
(Md. 2007) (citing Citaramanis v. Hallowell, 

, 969 (Md. 1992)). “[T]o articulate a
cognizable injury under the [Maryland] Consumer Protection Act, the injury must be objectively
identifiable,” meaning “the consumer must have suffered an identifiable loss, measured by the
amount the consumer spent or loss as a result of his or her reliance on the sellers’
misrepresentation.” 

Virginia Consumer Protection Act also requires a plaintiff to plead actual loss in
order to bring a suit for damages under the Act. See Polk v. Crown Auto, Inc., 

,
543 (4th Cir. 2000) (citing Va. Code Ann. § 59.1-204(A)); see also Chisholm v. TranSouth Fin.
Corp., 

, 549 (E.D. Va. 2000).
Finally, by its terms, the District of Columbia Data Breach Notification Act likewise
requires “actual damages,” which do “not include dignitary damages, including pain and
suffering.” D.C. Code Ann. § 28-3853(a).
2. Four theories of actual damages
The Court discerns four possible theories of actual damages in plaintiffs’ complaint and
briefing: (1) actual and/or heightened risk of misuse of personal information, (2) loss of the
“benefit of the bargain” they struck when they purchased their policies, (3) consequential
damages like expenditures credit monitoring services, and (4) emotional distress. The Court will
address each theory in turn.
Misuse of personal information
The first theory of damages may be the most obvious in the context of a data breach:
actual or heightened risk of misuse of exposed personal information. Plaintiffs generally allege
that they have suffered both an “increased risk of identity theft, and also actual identity theft and
resulting losses.” SAC ¶ 17. They continue, “[m]any Plaintiffs and Class Members suffered
from actual economic injury resulting in tax-refund fraud, identity theft, credit card fraud, and
other conduct causing direct economic injury as a result of the identity theft they suffered.” 

see also 

(“many Plaintiffs have already suffered from direct economic injury such
as tax-refund fraud, identity theft, [and] credit card fraud.”).
12
The rub, though, is that only two of the named plaintiffs—the Tringlers from Maryland—
actually allege that they have already experienced any kind of economic injury. The Trinlgers
contend that they “have experienced tax-refund fraud” as a result of the breach. 

(emphasis added). 4 The rest claim only the threat of misuse by listing what “identity thieves”
“can” or “may” do with the kind of personal information accessed. See 

55
(emphases added). But the District of Columbia Court of Appeals has expressly declined to treat
an increased risk of future identity theft as an actual harm for purposes of negligence and breach
of fiduciary duty claims based on data breaches. See 

–09. 5 And there
is no reason to believe that court would decide any differently if presented with plaintiffs’ other
causes of action that require actual harm.
Plaintiffs do not confront the substance of this binding decision of the District of
Columbia Court of Appeals head on. Instead, they incorrectly describe Randolph as a case about
“the law of standing.” Opp’n at 10 n.4. Although the lower court did conclude that the
Randolph plaintiffs lacked standing, the D.C. Court of Appeals clearly explained that “the better
approach toward resolving [the] motion to dismiss is to analyze whether the amended complaint
succeeded in stating a claim.” 

.
4
While the Tringlers have not alleged specific facts connecting the two events, the Court
must draw all reasonable inferences in favor of plaintiffs when considering a motion under Rule
12(b)(6). Accordingly, even though the Tringlers may ultimately fail to prove causation at
summary judgment, it can be plausibly inferred for present purposes.
5
Randolph is not an outlier. Other courts across the country have likewise distinguished
between plaintiffs whose data has been exposed and misused and those whose data has been
exposed but not misused for purposes of claims requiring actual damages. See, e.g., Pisciotta v.
Old Nat’l Bancorp, 

, 639 (7th Cir. 2007) (“Without more than allegations
of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is
prepared to remedy.”).
13
Accordingly, with respect to plaintiffs’ negligence and breach of fiduciary duty claims,
the Court is bound by the Randolph decision. And, because this Court sitting in diversity is
charged with determining how the D.C. Court of Appeals would rule in the absence of a case
directly on point, the Court concludes that the D.C. Court of Appeals would likely hold,
consistent with Randolph, that the mere threat of misuse of personal information would not be
sufficient to state a claim for actual damages under the remaining seven claims not addressed in
that decision. Thus, under District of Columbia law, only the Tringlers have alleged actual
damages under this first theory of damages—misuse of exposed personal information.
Benefit of the bargain theory of damages
Plaintiffs also contend that they were harmed by “a loss of the benefit of the bargain.”
Opp’n at 5–6. Under this theory, plaintiffs allege that they “provided payment to Defendants for
certain services, including health insurance coverage, part of which was intended to pay
administrative costs of securing their [sensitive personal information].” SAC ¶ 25. In return,
however, they “received services devoid of these very important protections.” 

In other
words, plaintiffs allege that they overpaid for their health insurance because they contracted for a
service that would include data security but received a service that did not. This “benefit of the
bargain” loss is, plaintiffs say, “the standard measure” of damages in breach of contract claims.
Opp’n at 8.
District of Columbia courts have not addressed whether a “benefit-of-the-bargain” or
“overpayment” theory of damages is sufficient to state a claim for actual damages in the data-
breach context. But two fellow courts in this district have addressed the theory when considering
12(b)(1) motions to dismiss for lack of standing, and both rejected it as too “indeterminate.” In
In re Sci. Applications Int’l Corp. Backup Tape Data Theft Litigation, 

(D.D.C.
14
2014) (“SAIC”), for example, Judge Boasberg rejected the data-breach plaintiffs’ argument that
they plausibly alleged “actual loss” by “claim[ing] that some indeterminate part of their
premiums went toward paying for security measures.” 

He explained that the plaintiffs
had not alleged that the money paid could have gone towards a better data-security policy or
“that the market value of their insurance coverage (plus security services) was somehow less
than what they paid.” Id.; see also Austin-Spearman v. AARP & AARP Servs. Inc., 119 F.
Supp. 3d 1, 13–14 (D.D.C. 2015) (K.B. Jackson, J.) (concluding that plaintiff failed to plausibly
plead economic injury-in-fact based on an “overpayment” theory—that is, that she paid for an
online membership that included particular data-security benefits but received one that did not
(citing 

)). 6
As is often the case in the data-breach context, there are courts that disagree. The Eighth
Circuit, for example, has held that a plaintiff plausibly alleged an injury-in-fact for standing
based on a “devaluation” of his video-game subscription “in an amount equal to the difference
between the value of the subscription that he paid for and the value of the subscription that he
received, i.e., a subscription with compromised privacy protection.” 

.
And Judge Koh in the Northern District of California has generally embraced the benefit-of-the-
6
Courts in other jurisdictions have likewise concluded that alleged overpayment for
health insurance that does not include bargained-for data security is not sufficient to allege
injury-in-fact for purposes of standing. See Fero v. Excellus Health Plan, Inc., 

, 754–55 (W.D.N.Y. 2017) (listing cases). In Chambliss v. CareFirst, Inc., 

(D. Md. 2016), the Maryland class action arising out of the same CareFirst data breach, the
court rejected the plaintiffs’ benefit-of-the-bargain theory of injury in finding a lack of standing.
The court explained, “Plaintiffs make no allegations that the data breach diminished the value of
the health insurance they purchased from CareFirst” nor do they offer “factual allegations
indicating that the prices they paid for health insurance included a sum to be used for data
security.” 

As a result, the Chambliss plaintiffs did not “quantify this alleged loss.”

here.
15
bargain theory when considering 12(b)(6) motions in data-breach cases. See In re Yahoo! Inc.
Customer Data Sec. Breach Litig., 

, 1130 (N.D. Cal. 2018) (concluding that
plaintiff’s “allegations are sufficient to allege that he suffered benefit-of-the-bargain losses”
because he “pleads that he has paid $19.95 each year since December 2007 for Yahoo’s premium
email service,” which was supposed to be “secure,” and he would not have signed up “had he
known that Yahoo’s email service was not as secure as [Yahoo] represented”); In re Anthem,
Inc. Data Breach Litig., 

, 992, 995 (N.D. Cal. 2016) (adopting “loss of
benefit of the bargain” theory of “actual harm” for New York plaintiffs who alleged they had
contracted for “reasonable and adequate security measures” that Anthem failed to deliver,
causing plaintiffs to overpay for their health insurance); In re Anthem, Inc. Data Breach Litig.,
No. 15-md-2617, 

, at *12–13 (N.D. Cal. May 27, 2016) (concluding same for
California plaintiffs’ breach-of-contract claim, which required “appreciable and actual”
damages).
At the hearing, plaintiffs argued that “there has been a definite trend” away from the
conclusion in cases like SAIC and towards those in cases like Anthem and Yahoo!. Hr’g Tr. at
35:2–35:6. But trend or no across the country, the Court declines to go beyond the decisions of
its fellow courts in cases like SAIC and Austin-Spearman in the absence of controlling law from
the District of Columbia Court of Appeals, especially because the standard for alleging actual
damages is generally higher than that for plausibly alleging an injury-in-fact. Moreover, as in
SAIC, plaintiffs here broadly allege that some indeterminate amount of their health insurance
premiums went towards providing data security. SAC ¶ 25. And as in SAIC, they allege only in
conclusory fashion that the services they received “were of a diminished value.” 

This
distinguishes the allegations here from those in In re Yahoo!, for example, where the plaintiffs
16
put a number—the $19.95 subscription fee for a premium email service with allegedly better
security—on the value of the contracted-for data security. Accordingly, the Court concludes that
plaintiffs fail to state a claim for actual damages under their benefit-of-the-bargain theory.
“Mitigation costs” theory of damages
Plaintiffs devote much of their opposition brief to a third theory of damages, this one
related to their efforts to protect against identity theft. They allege that they “have or will have
to spend significant time and money to protect themselves.” SAC ¶ 19. These costs include “the
cost of responding to the data breach, the cost of acquiring identity theft protection and
monitoring, cost of conducting a damage assessment, mitigation costs, costs to rehabilitate [their
sensitive information], and costs to reimburse from losses incurred as a proximate result of the
breach.” 

unclear whether plaintiffs contend that this category of “mitigation” costs
constitutes economic damage in its own right or is recoverable as consequential damages.
Compare SAC ¶ 17 (Plaintiffs “need to take immediate action to protect themselves from identity
theft, which have already and will continue to result in real and actual loss regardless of whether
identity theft actually occurs.”); Opp’n at 5 (describing “the loss of money and time in the form
of expenditures made to protect themselves” as “actual economic damage”); Hr’g Tr. at 45:17
(describing “loss mitigation” as “direct economic harm”), with Opp’n at 7 (“Plaintiffs have
alleged that as a consequence of Defendants’ failures, breaches and misrepresentations, they
have lost time and money.”); 

(“[P]laintiffs who allege a breach of contract may recover
both consequential and incidental damages.”).
The District of Columbia Court of Appeals has rejected the theory that prophylactic
mitigation measures constitute actual damages in their own right. In Randolph, the court
explained that no plaintiff had alleged any misuse of any personal information that had been
17
compromised by the theft of a company laptop containing personal 

. The court then addressed the plaintiffs’ alternative argument regarding preventative
expenditures:
[T]o the extent [the plaintiffs] allege actual harm from expenses they have incurred
to undertake credit monitoring or other security measures to guard against possible
misuse of their data, they have alleged an injury that is ‘not the result of any present
injury, but rather the [result of] the anticipation of future injury that has not

(citation omitted) (third alteration in original). Because “the time and expense
of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury
the law [of negligence] is prepared to remedy,” 

original) (quoting Shafran v.
Harley-Davidson, No. 07-cv-1365, 

, at *3 (S.D.N.Y. Mar. 24, 2008)), the court
concluded that the plaintiffs had failed to state a negligence claim. The court dismissed the
plaintiffs’ common-law breach of fiduciary duty claim “[f]or much the same reason.” 

7 Under Randolph, then, time and money spent protecting against future identity theft
cannot constitute damage in their own right for purposes of plaintiffs’ negligence and breach of
fiduciary duty claims. 8 And again, there is no reason to believe the D.C. Court of Appeals would
treat plaintiffs’ other D.C. law claims any differently.
7
Cf. In re U.S. Office of Personnel Mgmt. Data Sec. Breach Litig., 

, 40
(D.D.C. 2017), appeal filed No. 18-1182 (dismissing case for lack of subject matter jurisdiction
where plaintiffs failed to allege facts that would support waiver of sovereign immunity under
Privacy Act because “those plaintiffs who purchased credit monitoring services or incurred other
expenses to prevent future identity theft have not suffered actual damages because expenditures
undertaken voluntarily to prevent possible future harm do not constitute actual damages”
(citation omitted)).
8
The D.C. Circuit concluded that plaintiffs plausibly alleged redressability for purposes
of Article III standing because they “reasonably spent money to protect themselves against a
substantial risk,” meaning they could “be made whole by monetary damages.” 

. But again, Article III standing and actual damages are separate questions governed by
18
This is consistent with how the vast majority of courts have treated mitigation costs in the
context of data-breach litigation. They have distinguished between plaintiffs whose information
has been exposed and misused and those whose information has been exposed but not misused.
These courts draw the line at responsive versus preventative expenditures. For the former, costs
are generally recoverable as consequential damages; for the latter, costs are not actual damages
in their own right and cannot be recovered as consequential damages because there is not an
actual injury, only an anticipated one.
For example, in Pisciotta v. Old National Bancorp, 

(7th Cir. 2007), the
Seventh Circuit considered whether Indiana contract and tort law would permit recovery for the
cost of “past and future credit monitoring services” incurred by bank customers after a hacker
accessed their confidential information on the bank’s website. 

635. “Significantly,
the plaintiffs did not allege any completed direct financial loss to their accounts . . . . [n]or did
they claim that they . . . already had been the victim of identity theft[.]” 

The court
concluded that “[w]ithout more than allegations of increased risk of future identity theft, the
plaintiffs have not suffered a harm that the law is prepared to remedy” by expending time and
resources to monitor and protect their identities. 

see also, e.g., Hendricks v. DSW
Shoe Warehouse, Inc., 

, 783 (W.D. Mich. 2006) (rejecting “plaintiff’s
position that the purchase of credit monitoring constitutes either actual damages or a cognizable
loss,” which would have been “a novel legal theory of damages” for a breach of contract in
Michigan, “based on a risk of injury at some indefinite time in the future”); Forbes v. Wells
federal and state law respectively. Therefore, the preventative measures plaintiffs have taken
may be sufficient to support redressability but are not, under D.C. law, sufficient as actual
damages.
19
Fargo Bank, N.A., 

, 1020–21 (D. Minn. 2006) (rejecting plaintiffs’
contention for both negligence and breach-of-contract claims “that the time and money they have
spent monitoring their credit suffices to establish damages” in “anticipation of future injury that
has not materialized”).
Dieffenbach v. Barnes & Noble, Inc., 

(7th Cir. 2018), on which plaintiffs
rely, see Opp’n at 7, is not to the contrary. In that case, a class of plaintiffs sued Barnes & Noble
after discovering that hackers had accessed individuals’ names and credit card information on the
company’s computer system. 

. A named plaintiff from California
alleged four kinds of injury stemming from the data breach after someone used her account “to
make a fraudulent purchase”: a delay in the restoration of funds to her bank account, the time she
spent coordinating with the police and her bank, a delay in her ability to use the compromised
account, and her failure to receive the full measure of her bargain with Barnes & Noble. 

The Seventh Circuit concluded that the first three losses were actual economic injuries
sufficient to state a claim. 

9 The same was true for the named plaintiff from Illinois,
who decided to renew her monthly credit-monitoring service after her bank contacted her about a
potentially fraudulent charge and froze her card for several days. 

words, the Seventh
Circuit considered credit-monitoring and other mitigation services to be cognizable injuries for
both named plaintiffs who alleged they were already experiencing actual misuse. See also
Anthem, 

, at *15–16 (describing these kind of mitigation costs as
9
Hewing to the result in the majority of cases cited in Section (IV)(A)(2)(b) above, the
Seventh Circuit rejected the argument that the plaintiff suffered an economic “benefit of the
bargain” loss because she did not contend that any of the items she purchased were “defective”
or that “Barnes & Noble promised any particular level of security, for which she paid.” 

20
“consequential out of pocket expenses” where plaintiff was notified his personal information was
stolen, he learned that his financial information had been “compromised” and “used for
unauthorized charges,” and then he “took actions to prevent further financial damage”).
Apart from the Tringlers, plaintiffs here complain only of the cost of prophylactic, rather
than responsive, measures. Consistent with the weight of authority on this issue, the remaining
plaintiffs who have not alleged actual misuse of their exposed personal information may not
plead actual damages under a mitigation-cost theory. Only the Tringlers—who, as discussed
above, have alleged actual misuse in the form of tax-refund fraud—would be able to recover
consequential damages like the money spent monitoring their credit.
Emotional distress
Finally, plaintiffs seek non-economic damages for five of the nine claims that require
actual damage: negligence, SAC ¶ 83; negligence per se, 

violation of the Maryland
Consumer Protection Act (“MCPA”), 

fraud, 

and constructive fraud, 

10 They claim that, in addition to economic loss, they have suffered “non-economic loss in
the form of mental and emotional pain and suffering and aguish [sic] as a result of Defendants’
failures.” 

Based on the Court’s conclusions regarding plaintiffs’ theories of economic
loss, all but the Tringlers are left with allegations of purely emotional damages. At the hearing,
CareFirst took the position that emotional distress alone may as a matter of law sustain a claim
10
Plaintiffs do not seek emotional distress damages for their breach of contract, D.C.
Data Breach Notification Statute, Virginia Consumer Protection Act, and breach of the duty of
confidentiality claims. 

97, 114, 144. In any event, emotional distress damages would
not be recoverable for at least some of these claims. See Howard Univ. v. Baten, 

,
392 (D.C. 1993) (breach of contract); D.C. Code ¶ 28-3853(a) (excluding “dignitary harms,
including pain and suffering,” from the definition of “[a]ctual damages” under the D.C. Data
Breach Notification Statute).
21
for actual damages, but that here, plaintiffs have failed to adequately plead emotional distress.
Hr’g Tr. at 15:24–16:15. The Court sees two questions: first, whether a plaintiff may sustain a
claim for negligence, fraud, or violation of the MCPA based solely on emotional distress; and
second, whether plaintiffs have adequately pled such damages here.
The District of Columbia Court of Appeals applies “a different framework” for “[c]laims
of negligence that seek damages for only mental pain and suffering.” Hedgepeth v. Whitman
Walker Clinic, 

, 795 (D.C. 2011). To state a claim where “emotional distress is the
only injury suffered,” 

10, the plaintiff must satisfy either the “zone of physical danger”
rule set out in Williams v. Baker, 

(D.C. 1990) (en banc), or the special
relationship and undertaking rule set out in 

–11. Such “negligent
infliction of emotional distress” claims are distinct from other negligence claims where the
plaintiff seeks to recover for pain and suffering as “parasitic” damages as a result of or incident
to the “invasion of another legally protected interest.” 

.
Plaintiffs’ allegations regarding their pain and suffering are too conclusory to satisfy
either the Williams or Hedgepeth rule. See Hawkins v. Wash. Metro. Area Transit Auth., 311 F.
Supp. 3d 94, 107–08 (D.D.C. 2018) (dismissing negligent infliction of emotional distress claim
where plaintiffs failed to plead “serious and verifiable” emotional distress). This makes sense:
Plaintiffs did not set out to state a claim only for emotional damages. Rather, they seek
“ancillary or ‘parasitic’ damages for related mental distress (sometimes referred to as ‘pain and
suffering’).” 

. As such, they cannot sustain their negligence and
negligence per se claims based on emotional distress alone.
The same is true for plaintiffs’ fraud and constructive fraud claims. Although a plaintiff
may seek both economic and emotional damages in an action for intentional fraud, Osbourne v.
22
Capital City Mort. Corp., 

, 1328 (D.C. 1995), superseded by statute on other
grounds, D.C. Code Ann. § 28-3905(k)(1), the “sine qua non of any recovery for
misrepresentation is a showing of pecuniary loss proximately caused by reliance on the
misrepresentation,” 

(quoting Day v. Avery, 

, 1029 (D.C. Cir.
1976) (per curiam)). Put another way, the economic torts of fraud and constructive fraud require
some showing of economic harm in order for the plaintiff to recover emotional damages as well.
And finally, the Maryland Court of Appeals has held that the MCPA permits “recovery of
damages for emotional distress if there [is] at least a ‘consequential’ physical injury,’” but not
where the plaintiff makes allegations like, “This made me feel bad; this upset me.” Sager v.
Hous. Comm’n of Anne Arundel Cty., 

, 548–49 (D.D.C. 2012) (quoting
Hoffman v. Stamper, 

, 296 (Md. 2005)). Plaintiffs’ allegations are more akin to the
latter than the former, and thus cannot support a claim for a violation of the MCPA based on
emotional distress alone.
Accordingly, plaintiffs’ allegations of emotional distress are not sufficient to sustain their
claims for negligence or negligence per se, fraud or constructive fraud, or violation of the
MCPA.
*       *       *
Based on the foregoing, the Court will dismiss the following claims: breach of contract,
negligence, negligence per se, fraud, constructive fraud, and breach of the duty of confidentiality
brought by all plaintiffs but the Tringlers. The Court will also dismiss the District of Columbia
Breach Notification Statute claim brought on behalf of the D.C. plaintiffs and the Virginia
Consumer Protection Act claim brought on behalf of the Virginia plaintiffs. Finally, the Court
will dismiss the Maryland Consumer Protection Act claim brought by Ms. Huber but not by the
23
Tringlers. This leaves (at this point) the Tringlers with all of their claims; the D.C. plaintiffs
with their unjust enrichment and D.C. Consumer Protection Procedures Act claims; the Virginia
plaintiffs with their unjust enrichment claim; and Ms. Huber with her unjust enrichment claim.
The Court now moves to the interplay between plaintiffs’ contract and tort claims.
B. Whether the parties’ contractual relationship bars plaintiffs’ tort claims
As an alternative to its arguments that plaintiffs fail to plead damages, CareFirst moves to
dismiss plaintiffs’ five tort claims—negligence, negligence per se, fraud, constructive fraud, and
breach of aduty of confidentiality—based on the parties’ contractual relationship. CareFirst
asserts that plaintiffs cannot recover in tort for breach of duties that merely restate CareFirst’s
alleged contractual duties. According to CareFirst, because plaintiffs have failed to allege an
independent common-law duty to reasonably safeguard personal information separate from any
contractual one, they cannot “double dip” with claims sounding in tort. And even if there is such
a duty, CareFirst asserts that the “economic loss rule” bars recovery here because, in the absence
of a “special relationship” between parties, plaintiffs may not recover purely economic loses in
tort. Finally, CareFirst contends that insurers and insureds do not have a fiduciary relationship
that would support plaintiffs’ claim for breach of a duty of confidentiality.
The Court starts and stops with the independent duty rule. Because the Court concludes
that plaintiffs have failed to allege a duty to reasonably safeguard insureds’ data separate from
CareFirst’s contractual duties—in part because the parties do not have a fiduciary relationship—
it need not reach whether the parties are in a special relationship such that the economic loss rule
would not apply.
“The failure to perform a contractual obligation typically does not give rise to a cause of
action in tort.” Jones v. Hartford Life & Accident Ins. Co., 

, 5 (D.D.C. 2006).
24
Under D.C. law, for a plaintiff to recover in tort for conduct that also constitutes a breach of
contract, “the tort must exist in its own right independent of the contract, and any duty upon
which the tort is based must flow from considerations other than the contractual relationship.”
Choharis v. State Farm Fire & Cas. Co., 

, 1089 (D.C. 2008). Thus, the viability of
plaintiffs’ tort claims turns on whether plaintiffs have plausibly alleged that CareFirst owes them
an independent duty of care to reasonably safeguard private information beyond the parties’
contractual relationship.
They have not. The complaint alleges no “facts separable from the terms of the contract
upon which the tort may independently rest” and identifies no “duty independent of that arising
out of the contract itself.” 

that they “contracted for services that included a
promise by Defendants to safeguard, protect, and not disclosure [sic] their personal
information . . . .” SAC ¶ 26; 

They identify four sources of this promise: two CareFirst
privacy policies, 

29, 67; its written services contract, which “promised” that CareFirst
would “only disclose health information when required to do so by federal or state law,” 

and its “promise[] to comply with all HIPAA standards,” 

Plaintiffs’ breach-of-contract
claim turns on CareFirst’s alleged breach of these promises. 

72. Plaintiffs’ negligence
claim does not include additional facts or identify a separate duty to safeguard personal data;
instead, it simply alleges that CareFirst “owed the Plaintiffs a duty of care in protecting the
confidentiality of the personal and private information that the Plaintiffs provided to the
Defendants as consumers of the Defendants’ health insurance policies.” 

This allegation
makes clear that “the duty of which [plaintiffs] essentially complain[]”—the duty to reasonably
safeguard insureds’ personal information—“necessarily arose from the contractual relationship.”
Nugent v. Unum Life Ins. Co. of Am., 

, 54 (D.D.C. 2010). But for the
25
contract between CareFirst and plaintiffs, CareFirst would not have had access to plaintiffs’
information and thus would have had no occasion—or obligation—to protect it. 11
Plaintiffs’ response to Choharis is two-fold and doubly unsuccessful. First, they
misinterpret its holding as being limited to a particular kind of tort—a first-party bad faith cause
of action. See Opp’n at 17. The Choharis court clearly applied the broad rule—that “the tort
must exist in its own right independent of the contract”—beyond the tort of bad faith to fraud
and negligent misrepresentation as 

–90 (affirming summary judgment
where plaintiff’s “assertions [regarding “fraudulent or negligent misrepresentation”] directly
related to an obligation arising under the contract”). Plaintiffs’ second argument implicitly
reveals the error of their narrow interpretation of the case by attempting to fit their allegations
into the Choharis framework: They contend that they have in fact alleged an “independent injury
over and above the mere disappointment of plaintiff’s hope to receive his contracted-for-benefit”
because they do not allege that any “health insurance benefits were wrongfully denied.” Opp’n
at 17–18 (quoting 

). Put differently, they attempt—for purposes of
their tort claims—to limit the contract’s reach to the mere provision of health insurance benefits.
But that argument undermines their contractual one—namely, that they “contracted for services
11
Other federal courts across the country have dismissed data-breach negligence claims
where the plaintiffs failed to identify a non-contractual duty to safeguard private information.
See, e.g., Gordon v. Chipotle Mexican Grill, Inc., No. 17-cv-1415-CMA-MLC, 

, at *16–17 (D. Colo. Aug. 1, 2018), magistrate R&R adopted in relevant part by 

, at *10 (D. Colo. Sept. 26, 2018) (dismissing negligence claim in consumer data
breach case where “[p]laintiffs do not cite any Colorado authorities to support [the assertion that]
Defendant had an independent duty to safeguard [private information]” and plaintiffs “alleged
the same duty under their implied contract”); SELCO Cmty. Credit Union v. Noodles & Co., 

, 1295 (D. Colo. 2017) (dismissing financial-institution data breach case where
plaintiffs “cite no support for the existence of specific common law or statutory duties of care
related to data security” and “most important of all,” the duties alleged by plaintiffs were
“created by, and completely contained in, the contractual provisions” (citation omitted)).
26
that included a guarantee by Defendant to safeguard their personal information.” SAC ¶ 21.
Plaintiffs cannot have their cake (a contract that sets forth specific promises to safeguard
information) and eat it too (a contract that provides only for the provision of health insurance). 12
Plaintiffs therefore fail to satisfy the Choharis requirement that they allege a tort duty
independent of CareFirst’s contractual obligations. 13
12
Plaintiffs advanced a version of this argument at the hearing. When asked to explain
where in the complaint they allege an independent duty, counsel responded that CareFirst’s
“privacy policy” constitutes “a separate representation” from the contractual representations that
more obviously relate to health insurance, like a promise to “cover my claim if I hurt my leg.”
Hr’g Tr. at 42:11–42:18. But when the Court pointed out that plaintiffs also base their contract
claim in part on the promises made in those policies, counsel simply responded, “[i]t’s broken
promises in the four corners of the contract, and it’s broken promises outside of the four corners
of the contract.” 

This response only reinforces the Court’s conclusion that
plaintiffs have not alleged an independent duty.
13
Responding to CareFirst’s arguments regarding the economic loss rule, plaintiffs
contend that “it has already been held that an insurer has ‘additional obligations’ beyond those
stated in a contract by nature of the insurer-insured relationship.” Opp’n at 15 (citing Cent.
Armature Works, Inc. v. Am. Motorists Ins. Co., 

, 292 (D.D.C. 1980)).
Although it does not reach the economic loss rule arguments, the Court will address this
contention to the extent it can be construed as asserting that such “additional obligations” give
rise to some sort of independent duty. In Central Armature Works, the court upheld an award of
punitive damages in a breach of contract action against an insurance company in part because
“an insurer has additional obligations to its insured which subject it to more stringent standards
of conduct than those normally imposed on parties to a 

.
Acknowledging that “[n]either party [] presented any authority from the District of Columbia
which establishes the relationship between an insurer and its insured,” 

relied on out-
of-district precedent and a general assertion by the District of Columbia Court of Appeals that
insurers have a “duty to process and pay claims expeditiously and in good faith,” 

Ins. Co. v. Lynham, 

, 483 (D.C. 1972)). In 1993, the D.C. Circuit likewise
relied on out-of-district precedent to explain that the “bad faith tort [for “refusal to pay insurance
benefits”] is grounded on the covenant of good faith and fair dealing that is implicit in all
contracts [and] supplemented by the idea that insurance contracts have special characteristics that
warrant heightened liability for breach of that covenant.” Messina v. Nationwide Mut. Ins. Co.,

, 5 (D.C. Cir. 1993). But since Central Armature Works and Messina, “the D.C. Court
of Appeals has spoken clearly and ‘bad faith conduct,’ to the extent proved, ‘can be compensated
within those principles’ of the contractual obligation of good faith and fair dealing.” 

(quoting 

). Coming full circle, then, plaintiffs’
27
Even where plaintiffs fail to identify a non-contractual duty, some courts outside this
jurisdiction have recognized a stand-alone duty to provide reasonable data security separate from
any operative agreement. The District of Columbia Court of Appeals has not confronted this
question. And jurisdictions across the country are divided as to whether there is a common law
duty to provide data security. The courts that have recognized such a duty have rooted it in one,
or a combination, of three theories: an affirmative duty to refrain from causing others harm, the
foreseeability of harm, or the nature of the parties’ relationship. The Court considers these
theories in turn.
First, some courts have recognized a duty to provide reasonable data security under the
“basic principle” of tort law that “everyone has a duty to refrain from affirmative acts that
unreasonably expose others to a risk of harm.” In re Sony Gaming Networks & Customer Data
Sec. Breach Litig., 

, 966 (S.D. Cal. 2014) (quoting Yakubowicz v.
Paramount Pictures Corp., 

, 1070 (Mass. 1989)). The Sony court concluded
that this general duty to refrain translated to a specific “legal duty to provide reasonable network
security . . . separate and independent from the PSN User Agreement” and any contractual
obligations that arose from that agreement. 

(emphasis added). Because Sony
allegedly breached that duty by “fail[ing] to employ reasonable security measures to protect” the
plaintiffs’ personal information—“provided . . . to Sony as part of a commercial transaction”—
overreading of Central Armature Works to impose a separate tort as opposed to contractual
obligation is foreclosed by Choharis.
28
the plaintiffs could “pursue both contract and tort remedies, to the extent [their] tort claims are
not barred by the economic loss doctrine.” 

Court is not persuaded by Sony’s reasoning because it elides the distinction between
a duty to refrain and a duty to act. While there may be a general duty to refrain from acts that
cause others harm, this usually does not extend to an obligation to act affirmatively. Here, as in
Sony, plaintiffs allege that CareFirst failed to act by not employing reasonable security measures
to protect customers’ personal information. The Court hesitates to recognize a common-law duty
based on that alleged omission. See also Veridian Credit Union v. Eddie Bauer, LLC, 295 F.
Supp. 3d 1140, 1158 (W.D. Wash. 2017) (finding no common law duty to reasonably secure
credit card information where plaintiffs’ “allegations comprise numerous omissions or
nonfeasance on the part of Eddie Bauer, but they do not describe misfeasance or any affirmative
act ‘that created a situation of peril’ for [plaintiffs]” (citation omitted)).
Still, there are some circumstances under District of Columbia law where even a failure
to act will give rise to a legal duty. “[W]hether a duty exists is the result of a variety of
considerations.” Bd. of Tr. of Univ. of Dist. of Columbia v. DiSalvo, 

, 871 (D.C.
2009). These considerations include the foreseeability of harm and the nature of the relationship
between the parties. 

& 871 n.2; see also 

(“We have
described a court’s examination of whether a duty exists as a ‘foreseeability of harm test’ that is
determined, in large part, by the nature of the relationship between the parties.” (quoting Odemns
14
Demonstrating the complicated interaction between the independent duty doctrine and
the economic loss rule, the Sony court ultimately concluded that the “special relationship”
exception to the economic loss rule did not apply because the plaintiffs “failed to allege a
‘special relationship’ with Sony beyond those envisioned in everyday consumer transactions.”

“[T]herefore, negligence [was] the wrong legal theory on which to pursue recovery
for [their] economic losses.” 

District of Columbia, 

, 143 (D.C. 2007)). The balance of these considerations
operates on “a sliding scale: If the relationship between the parties strongly suggests a duty of
protection, then specific evidence of foreseeability is less important, whereas if the relationship
is not of a type that entails a duty of protection, then the evidentiary hurdle is higher.” 

(quoting Workman v. United Methodist Comm. on Relief, 

, 264
(D.C. Cir. 2003)).
This leads to the second theory: Some of the courts that have recognized a common law
duty to reasonably secure consumers’ data have done so based on the foreseeability of harm. For
example, in In re Arby’s Restaurant Group, Inc. Litigation, No. 1:17-cv-514-AT, 

(N.D. Ga. Mar. 5, 2018), a group of financial institutions and consumers sued Arby’s
after hackers breached the restaurant’s point of sales machines. 

Applying Georgia law,
the court emphasized the role that “foreseeability” plays “in defining the existence of a legal
duty.” 

More specifically, the Arby’s court explained that under state law, a person or
entity “may still have a duty to protect against a criminal act of a third person,” which would
include hacking into a private data system, “if it is alleged that [the entity] had ‘reason to
anticipate’ the criminal act.” 

In that case, the plaintiffs alleged that Arby’s
knew or should have known about the risk of a data breach based on known problems specific to
Arby’s point of sales system as well as other recent highly publicized data breaches in that
industry. 

The court found those allegations “sufficient to establish the existence of a
plausible legal duty and survive a motion to dismiss.” Id.; 

(concluding that both tort
and contract actions could proceed because plaintiffs identified “a common law duty that would
30
have applied regardless of the existence of an underlying contract”). 15 Here, by contrast,
plaintiffs have made no allegations that it was foreseeable that CareFirst specifically would
suffer a data breach based on, for instance, known vulnerabilities in its data-storage systems.
And third, some courts that have recognized a common law duty in the data-breach
context have done so based on the nature of the relationship between the party providing the
confidential information and the party receiving it, as well as the sensitive nature of the
information provided. An inquiry into the nature of the relationship often overlaps with two
separate but related legal questions: whether the “special relationship” exception to the economic
loss rule barring tort claims applies and whether there is a fiduciary relationship to support a duty
of confidentiality. In some cases, the analysis merges entirely.
Take Daly v. Metropolitan Life Insurance Co., 

(N.Y. Sup. Ct. 2004),
where a New York trial court considered “a new area of law”—namely, “whether liability may
attach to an entity that fails to safeguard personal and confidential information obtained in
conjunction with the purchase of a life insurance policy.” 

In the absence of case law
on this then-nascent legal question, the court drew a parallel to the breach of a fiduciary duty of
confidentiality, where one party puts its trust in the other by relying on the other’s superior
expertise. 

The court analogized that the insurance company—like a fiduciary—
“had a duty to protect the confidential personal information provided by” subscribers because
15
See also, e.g., In re The Home Depot, Inc. Customer Data Sec. Breach Litig., No. 1:14-
md-2583-TWT, 

, at *3 (N.D. Ga. May 18, 2016) (“A retailer’s actions and
inactions, such as disabling security features and ignoring warning signs of a data breach, are
sufficient to show that the retailer caused foreseeable harm to a plaintiff and therefore owed a
duty in tort.”); In re Target Corp. Customer Data Sec. Breach Litig., 

, 1310
(D. Minn. 2014) (same).
31
insurance subscribers were “required to” provide the insurance company “with highly sensitive
personal information” in order to obtain life insurance and that company had represented in its
privacy notice that it would safeguard that information. 

At least one federal district
court has adopted Daly’s reasoning. In Jones v. Commerce Bancorp, Inc., the court concluded
that a bank customer sufficiently alleged a legal duty to safeguard information where the bank
required her to provide confidential personal information in order to open a business account and
warranted that it would safeguard that information. No. 06-cv-835-HB, 

, at
*1–2 (S.D.N.Y. May 23, 2006) (citing Daly, 

–35).
The problems of data breaches may no longer be “new” but courts around the country
continue to confront these legal questions. Just recently, for example, the Pennsylvania Supreme
Court held for the first time that “an employer has a legal duty to exercise reasonable care to
safeguard its employees’ sensitive personal information stored by the employer on an internet-
accessible computer system.” Dittman v. UPMC, 

, 1038 (Pa. 2018). The court
rooted this duty in the traditional common law duty to exercise reasonable care when engaging in
affirmative conduct as well as the nature of the relationship between the parties. The employees
alleged that “as a condition of their employment,” their employer “required them to provide
certain personal and financial information, which [it] collected and stored on its internet-
accessible computer system without use of adequate security measures.” 

According
to the court, this dynamic was sufficient to allege a duty of care. 

courts, however, have concluded that requiring another to provide sensitive
personal information creates such a duty. For example, in Cooney v. Chicago Public Schools,

(Ill. App. Ct. 2010), the Appellate Court of Illinois concluded that Chicago Public
Schools did not owe a legal duty to safeguard its employees’ personal information. 

In
32
that case, the Chicago Board of Education inadvertently disclosed the personal information,
including social security numbers and health insurance plan information, of almost 2,000 former
employees. 

The employees urged the court to “recognize a ‘new common law duty’ to
safeguard information” in light of the sensitive nature of personal data that was disclosed and the
fact that the Board had collected that data. 

But the Illinois court declined to go
beyond state statutory notice requirements and recognize a new duty in the absence of specific
authority. 

“Federal courts interpreting Illinois law have consistently declined to
impose a common law duty to safeguard personal information in data security cases” based on
Cooney. In re SuperValu, Inc., Customer Data Sec. Breach Litig., 14-md-2586-ADM-TNL,

, *14 (D. Minn. Mar. 7, 2018). In SuperValu, for instance, consumers argued
that SuperValu owed them “an extra-contractual duty” because it “solicited customers’ [private
personal information] and thus had a duty to take reasonable measures to safeguard their data
and notify them of any data breach.” 

court declined to recognize such a duty.
Id.; see also, e.g., Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 

, 816 (7th Cir.
2018) (relying on Cooney to conclude that Illinois “would not impose the common law data
security duty the plaintiff banks call for here”); Gordon, 

, at *15 (citing
Cooney and Community Bank of Trenton to dismiss an Illinois negligence claim “for lack of a
common law duty”).
Because the District of Columbia Court of Appeals has not determined one way or the
other whether there is a common law duty to safeguard data, the Court will follow the approach
taken in some of the cases cited above and look to analogous case law regarding the nature of the
relationship between insurers and insureds. “District of Columbia law does not . . . consider the
relationship between insurer and insured a fiduciary relationship” as a matter of law.
33
Gebretsadike v. Travelers Home & Marine Ins. Co., 

, 83 (D.D.C. 2015)
(citing Fireman’s Fund Ins. Co. v. CTIA-The Wireless Ass’n, 

, 15 (D.D.C.
2007)); see also Stevens v. United Gen. Title Ins. Co., 

, 66 (D.C. 2002) (applying
contract rather than fiduciary principles to determine whether duty to defend exists). This is
consistent with other jurisdictions. Instead, the relationship between parties to an insurance
contract is generally considered “contractual in nature.” See 

(quoting Batas v. Prudential Ins. Co. of Am., 

, 264 (N.Y. Sup. Ct. 2001))
(declining to recognize a “special relationship” necessary for negligent misrepresentation claim
between health insurance provider and consumers whose confidential health information was
accessed), withdrawn on other grounds by 

(W.D.N.Y. 2018); In re Premera
Blue Cross Customer Data Sec. Breach Litig., 

, 1203 (D. Or. 2016) (“[T]he
nature of the relationship between the parties [consumers and their insurance company] is not the
type of relationship that historically has been considered fiduciary in character.”); Dolmage v.
Combined Ins. Co. of Am., No. 14-cv-3809, 

, at *6 (N.D. Ill. Jan. 21, 2015)
(“In Illinois, it is well settled that no fiduciary relationship exists between an insurer and an
insured as a matter of law.” (internal alterations, quotation marks, citation omitted)).
Plaintiffs try to avoid this precedent by reframing their relationship with CareFirst as a
doctor-patient one, which has been historically recognized as a fiduciary relationship as a matter
of law. See Vassiliades v. Garfinckel’s, Brooks Bros., 

, 591–92 (D.C. 1985). They
allege—for purposes of their breach of the duty of confidentiality claim only—that CareFirst
owed them such a duty “pursuant to its fiduciary relationship with the Plaintiffs . . . as their
health care providers.” SAC ¶ 139 (emphasis added). But CareFist obviously is not a provider
of healthcare; it is a provider of health care insurance, as plaintiffs repeatedly acknowledge
34
elsewhere throughout their complaint. See, e.g., SAC ¶ 23 (“Defendants are a network of for-
profit health insurers which provide health insurance coverage to individuals[.] (emphases
added)); see also 

60, 65, 77, 89, 125. Accordingly, no doctor-patient relationship
exists that would give rise to a duty of confidentiality as a matter of law.
Even where, as here, a fiduciary relationship does not exist as a matter of law, District of
Columbia courts may imply such a relationship in special circumstances. Determining whether a
fiduciary relationship exists requires “a searching inquiry into the nature of the relationship, the
promises made, the types of services or advice given and the legitimate expectations of the
parties.” Council on Am.-Islamic Relations Action Network, Inc. v. Gaubatz, 

, 341 (D.D.C. 2011) (quoting Firestone v. Firestone, 

, 1211 (D.C. Cir. 1996));
Church of Scientology Int’l v. Eli Lilly & Co., 

, 1028 (D.D.C. 1994)
(recognizing that even though “no Court has ever found there to be a fiduciary relationship
between a public relations firm and one of its clients,” the court faced a “fact-intensive question”
about “the nature of the relationship” specific to the parties before it). In addition, “a fiduciary
relationship could exist [] where circumstances show that the parties extended their relationship
beyond the limits of the contractual obligations to a relationship founded upon trust and
confidence.” Paul v. Judicial Watch, Inc., 

, 6 (D.D.C. 2008) (citing Church of

); see also Ying Qing Lu v. Lezell, 

, 6
(D.D.C. 2013) (“While fiduciary relationships can be difficult to define, and may very well exist
between contracting parties, ‘[o]ne characteristic that District of Columbia courts have
traditionally looked for is a “special confidential relationship” that transcends an ordinary
business transaction and requires each party to act with the interests of the other in mind.’”
(citing High v. McLean Fin. Corp., 

, 1568 (D.D.C. 1987))).
35
Plaintiffs fail to plead anything to suggest that their relationship with CareFirst was
anything more than the typical commercial relationship between insurer and insureds. As in
Fero, nothing about the alleged “interactions would appear to fall outside the scope of what is
routine between insurers and insureds, and therefore, the interactions do no suggest any kind of
special relationship of trust and 

–74. True, CareFirst
required plaintiffs to provide personal and confidential information, but this will be the case in
almost every insurer-insured relationship. Plaintiffs do not allege a relationship beyond that
envisioned in every day interactions with a health insurance provider that would give rise to
either a common law duty to safeguard private information or a fiduciary duty. As such,
negligence, negligence per se, and breach of the duty of confidentiality are misplaced legal
theories on which to pursue recovery for the data breach.
The same is true for plaintiffs’ fraud and constructive fraud claims, which likewise arise
out of the same alleged conduct that supports their breach of contract claim. “District of
Columbia law requires that the factual basis for a fraud claim be separate from any breach of
contract claim that may be asserted.” Plesha v. Ferguson, 

, 113 (D.D.C.
2010) (citing 

). The plaintiffs in Plesha failed to satisfy this
requirement because their allegations of fraud arose out of the same alleged conduct by
defendants—“late payments and promises to pay”—that provided the basis for their breach of
contract claim. 

here. For their contract claim, plaintiffs allege that CareFirst
breached its “promise[] through its Internet Privacy Policy that it would encrypt all personal
information given to Defendants.” SAC ¶¶ 67, 72. For their fraud claim, plaintiffs similarly
allege that CareFirst “made false representations of material facts” in its “Internet Privacy Policy
and General Privacy Policy, which indicated that information provided . . . would be encrypted.”
36

see also 

(alleging, for constructive fraud claim, that CareFirst owed plaintiffs
a duty “to abide by the privacy policies it had incorporated and to safeguard personal health
information”). CareFirst’s allegedly unfulfilled promise to encrypt all personal information thus
cannot constitute a separately actionable fraud or constructive fraud claim.
*       *       *
Based on the foregoing, the Court will dismiss all plaintiffs’ tort claims, including
negligence, negligence per se, breach of the duty of confidentiality, fraud, and constructive
fraud. This leaves the following: the Tringlers with their breach of contract, unjust enrichment,
and Maryland Consumer Protection Act claims; Ms. Huber of Maryland with her unjust
enrichment claim; the D.C. plaintiffs with their unjust enrichment and D.C. Consumer Protection
Procedures Act claims; and the Virginia plaintiffs with their unjust enrichment claim. The Court
turns next to unjust enrichment.
C. Whether plaintiffs have pled in the alternative an unjust enrichment claim
CareFirst contends that its undisputed contractual relationship with plaintiffs also
precludes their unjust enrichment claim. MTD at 15–16. It is well-established that the existence
of a valid contract precludes a claim for unjust enrichment. See, e.g., Harrington v. Trotman,

, 346 (D.C. 2009) (holding that superior court “fundamentally erred as a matter of
law in finding unjust enrichment when there was a valid contract between the parties”).
Plaintiffs counter that while they cannot ultimately recover under both theories, they may plead
unjust enrichment in the alternative should the Court later find no contractual agreement between
the parties. Opp’n at 18–19. True enough, courts “sometimes permit[] a party to plead [unjust
enrichment] as an alternative in certain circumstances.” He Depu v. Yahoo! Inc., 

181, 193–94 (D.D.C. 2018) (citation omitted). But the devil is in the details: Such an
37
alternative theory “require[s] an allegation that the contract is invalid and unenforceable.” 

not alleged this, and CareFirst confirmed at the hearing that it has not taken the
position that the contract is invalid or unenforceable. See 

–85, 984
n.37 (dismissing unjust enrichment claims, pled in the alternative, where plaintiffs did not
challenge validity or enforceability of user agreements); Hr’g Tr. 20:5–20:11.
Accordingly, the Court will dismiss the unjust enrichment claim for all plaintiffs. This
leaves unaddressed the D.C. Consumer Protection Procedures Act claim brought on behalf of the
D.C. plaintiffs and the Maryland Consumer Protection Act claim brought on behalf of the
Tringlers. 16
D. Whether plaintiffs have alleged an unlawful trade practice under the D.C. Consumer
Protection Procedures Act
Like their tort claims, the District of Columbia plaintiffs’ D.C. Consumer Protection
Procedures Act (“DCCPPA”) claim is premised on CareFirst’s alleged breach of its contractual
obligations. They allege that CareFirst “violated [its] Internet Privacy Policy” and thus
“committed and [sic] unfair and unlawful trade practice” by not providing the benefits provided
for in that policy and misrepresenting a material fact “as indicated in their Internet Privacy
Policy.” SAC ¶ 88. 17
16
Remember that the Court dismissed the MCPA claim brought on behalf of the other
Maryland plaintiff, Ms. Huber, because she failed to allege actual damages.
17
Plaintiffs also alleged that CareFirst violated the DCCPPA by failing to comply with
HIPAA. Originally, CareFirst moved to dismiss the DCCPPA claim (as well as the breach of
contract, negligence, and negligence per se claims) as premised on an alleged violation of
HIPAA, which does not have a private right of action. MTD at 16. Plaintiffs have since
disavowed reliance on alleged HIPAA violations for all but their negligence per se claim. Opp’n
at 19. Because the Court has already concluded that plaintiffs have not stated a claim for
negligence per se due to their failure to allege actual damages and their failure to identify an
independent duty, it need not address this alternative basis for dismissal.
38
The Court can interpret plaintiffs’ DCCPPA allegations in one of two ways, neither of
which passes muster. On the one hand, plaintiffs could be alleging that the mere breach of
contract constitutes an unlawful trade practice under the DCCPPA. But they cite no support for
this proposition and at least one court in this district has implied that a DCCPPA claim must be
premised on at least some additional conduct other than a run-of-the-mill breach. See Jacobson
v. Hofgard, 

, 199–200, 206–07 (D.D.C. 2016) (denying motion to dismiss
because DCCPPA claim was not “inappropriately duplicative of Plaintiffs’ breach of contract
claim” where alleged misrepresentation preceded the formation of the contract); see also Am.
Airlines, Inc. v. Wolens, 

, 233 (1995) (concluding, under Illinois law, that “a breach
of contract, without more, ‘does not amount to a cause of action cognizable under the Consumer
Fraud Act and the Act should not apply to simply breach of contract claims” (internal alterations,
quotation marks, citation omitted)).
On the other hand, plaintiffs could be alleging that CareFirst “misrepresented a material
fact”—which would constitute an unlawful trade practice under the DCCPPA—by stating that it
would comply with the terms of its Internet Privacy Policy knowing full well that it would not.
But another court in this district has concluded that under D.C. law, “an intentional breach of
contract”—which is essentially what plaintiffs would need to argue under this misrepresentation
theory—“is not punishable as an unlawful trade practice under the Consumer Protection
Procedures Act simply because the breach was intended when the contract was formed.” Slinski
v. Bank of Am., N.A., 

, 36 (D.D.C. 2013). The Court agrees with that
reasoning.
39
Accordingly, because the D.C. plaintiffs’ DCCPPA claim is entirely duplicative of their
breach of contract claim and an intentional breach of contract cannot constitute an unlawful trade
practice, the Court will dismiss this claim as well.
E. Whether insurance companies are exempt from civil liability for data breaches under
the Maryland Consumer Protection Act
Last but not least, the Court addresses CareFirst’s argument that all of the plaintiffs’
claims under the Maryland Consumer Protection Act (“MCPA”)—including the Tringlers’—
must be dismissed because the Act exempts insurance companies from liability. MTD at 19–20.
The MCPA expressly states that its provisions do not apply to the “professional services” of an
“insurance company.” Md. Code Ann., Com. Law § 13-104(1). The question then is whether
“professional services” as that term is used under the Act applies to the data-security services at
issue in this case.
Maryland’s highest court has interpreted “professional services” narrowly as applied to
“medical or dental practitioner[s],” who are also exempt under the MCPA. In Scull v. Groover,
Christie & Merritt, P.C., 

(Md. 2013), the Maryland Court of Appeals held that a
radiology office’s medical-billing practices were not exempt under the professional-services
exemption because those practices were related to the “commercial or entrepreneurial” aspects of
the office rather than the “actual rendering of health care services.” 

1197–98. 18 To
reach this conclusion, the court considered the statutory function of the state’s Consumer
18
CareFirst relies on outdated case law to argue that the professional-services exemption
applies “broadly” even when one acts outside their professional capacity. MTD at 20 (citing
Lembach v. Bierman, 528 F. App’x 297, 304 (4th Cir. 2013)). For this proposition, the Fourth
Circuit in Lembach relied on the Maryland Court of Special Appeals’ decision in Scull v.
Doctors Groover, Christie & Merritt, P.C., 

(Md. Ct. Spec. App. 2012). But the
Fourth Circuit issued Lembach in June 2013, before Maryland’s highest court reversed in
relevant part the Court of Special Appeals’ decision below. See 

–97.
40
Protection Division’s (“CPD”) Health Education and Advocacy Unit, which is authorized to
refer disputes regarding a medical provider’s billing practices, but not the adequacy of its
treatment, to the CPD for potential enforcement actions, as well as the CPD’s longstanding view
that the MCPA applies to medical-billing practices. 

The court also considered
the legislative history of another exemption directed specifically at health care services. 

Finally, the court identified other areas of the law that distinguish between the ancillary
services of a medical office like billing and the more direct services like treating a wound or
implanting a dental filling. For example, professionals are generally licensed based on
specialized training and expertise directly related to their profession. 

And for
negligence actions, a professional is generally held to a special standard of care applicable to
their particular profession. 

concludes that the professional-services exemption of the MCPA does not
apply to CareFirst’s data-security practices. Rather, gathering and storing consumers’ private
information is ancillary to the provision of health insurance coverage much like billing is
ancillary to the provision of medical care. Other areas of Maryland law reinforce the conclusion
that an insurance company’s data-security practices are not exempt as a professional service.
Maryland’s Personal Information Protection Act provides that “a business that owns or licenses
personal information of an individual” must “implement and maintain reasonable security
procedures and practices” in order to “protect personal information from unauthorized access,
use, modification, or disclosure.” Md. Code Ann., Com. Law § 14-3503. Under the Act,
“business” is defined broadly to include any “business entity,” and “personal information” is
defined broadly to include data like a person’s name combined with their social security number,
credit card number, or health information. 

& (e)(1). Health information is in
41
turn defined as “any information created by an entity covered by the federal Health Insurance
Portability and Accountability Act of 1996” (“HIPAA”). 

As a health
insurance provider covered by HIPAA, CareFirst appears to be subject to the Personal
Information Protection Act. And because consumers may bring a violation of that Act as an
unfair or deceptive trade practice under the MCPA, 

exempting CareFirst’s data-
security services from the MCPA would create an inconsistency in state law similar to the one
the Scull court tried to avoid.
Therefore, the Court will deny CareFirst’s motion to dismiss the Tringlers’ Maryland
Consumer Protection Act claim.
V.    Conclusion
For the foregoing reasons, Defendants’ motion to dismiss will be granted in part and
denied in part. The Court will grant the motion to dismiss for all but the Tringlers’ breach of
contract claim in Count I and the Maryland Consumer Protection Act claim in Count V. A
separate order accompanies this memorandum opinion.
CHRISTOPHER R. COOPER
United States District Judge
Date: January 30, 2019
42