Plaintiffs Don't 'Plausibly Explain' Samsung's Data Breach Failures: Motion to Dismiss
The plaintiffs' allegations of actual identity theft in the Samsung data breach multidistrict litigation are “implausible, insufficiently pled, and not a cognizable injury absent economic loss,” said Samsung’s notice Friday (docket 1:23-md-03055) of its motion to dismiss in U.S. District Court for New Jersey in Camden.
The plaintiffs’ claims fail because they haven't pled sufficient injury and damages, said the motion. Their claim of diminished value of their personally identifiable information (PII) also fails, it said. Their benefit of the bargain claim isn't cognizable, it said. Expenditures on alleged prophylactic and mitigation measures aren't cognizable injuries, nor are lost time, increased spam emails and calls and imminent risk of future harm, it said.
The plaintiffs fail to allege that a breach proximately caused their alleged harm, nor do they plausibly explain “any specific failures” that allegedly allowed the breach to occur, said the motion. They also fail to plead how Samsung’s security measures were deficient or in what way the company wasn't in compliance with general cybersecurity standards, it said.
The complaint fails to plead any facts about specific measures Samsung should have taken but didn't, or how those measures would have prevented a successful criminal attack, said the motion. Conclusory breach allegations are “nothing more than ‘labels and conclusions,'” and courts have dismissed cases with “similarly threadbare allegations,” it said, citing the 2007 U.S. Supreme Court decision in Bell Atlantic v. Twombly.
Negligence as a cause of action in the case is barred by the economic loss doctrine, and the plaintiffs fail to allege Samsung owed them a duty, said the motion. The negligence claims should be dismissed because the plaintiffs fail to allege a breach, the notice said.
Negligence per se isn't an independent cause of action in certain states, said the motion, naming Alabama, California, Michigan and Pennsylvania. Those claims fail for the seven plaintiffs in those four states, it said. The plaintiffs’ claims also fail because the FTC Act, and “state data security statutes,” can't serve as a basis for negligence per se, it said. In states where that's “unsettled,” the negligence per se claims fail because they're recognized only “in limited circumstances not applicable here,” it said.
Breach of contract and implied contract causes of action fail because Samsung’s privacy policy is “not an enforceable contract,” said the notice. Even if the plaintiffs can establish the existence of a contract, they “have not plausibly alleged that Samsung breached any purported contractual obligation to protect their PII,” it said.
The plaintiffs’ claims are based on alleged promises that Samsung made in its privacy policy, said the notice. The plaintiffs said Samsung agreed it would only share data under certain circumstances, but Samsung didn't share the plaintiffs’ PII, "it was stolen,” said Samsung.
The plaintiffs’ reading of Samsung’s policy that it maintains “safeguards” to protect their PII as "a blanket guarantee" that their PII would be protected in all circumstances from third-party criminal actors is “wholly implausible,” the notice said. A promise to “maintain reasonable safeguards to protect a customer’s PII is not a promise that Samsung’s systems are impenetrable to professional criminal hackers,” it said.
Unjust enrichment isn't a recognized or stand-alone cause of action in California, Illinois and Texas, said the notice. In the 34 states where those laws do reside, the plaintiffs fail to state claims, it said. In at least 25 of the states included in the complaint, courts routinely dismissed unjust enrichment claims when plaintiffs fail to demonstrate there's no adequate remedy at law, it said.
The plaintiffs assert claims under 40 statutory consumer fraud statutes, said the notice. Most of those claims fail for basic reasons, such as because a statute doesn't include a private right of action for consumers, or prohibits or limits class actions requiring dismissal, it said. The plaintiffs’ allegations “are so deficient that they fail to provide fair notice under Rule 8 of their claims, thus preventing Samsung from even responding,” it said.
On claims that Samsung violated data breach notification statutes, the company wasn't legally obligated to notify members of the class outside of North Dakota and Washington, said the notice. Samsung's data breach notifications "explicitly stated" that Social Security numbers and credit card numbers weren't among the PII exposed, it said.
Other than in North Dakota and Washington, which require notification when a date of birth is exposed, “there is no requirement to notify based on the data elements involved in the incident,” said the notice. Regardless, Samsung said, several data breach notification statutes set outside time limits on what's reasonable, “none of which is shorter than 30 days."