
    Rhonda L. HUTTON, O.D. et al., Plaintiffs v. NAT’L BD. OF EXAM’RS IN OPTOMETRY, INC., Defendant Nicole Mizrahi, Plaintiff v. Nat’l Bd. of Exam’rs in Optometry, Inc., Defendant
    CIVIL NO. JKB-16-3025, CIVIL NO. JKB-16-3146
    United States District Court, D. Maryland.
    Signed 03/22/2017
    
      Hassan A. Zavareei, Tycko and Zavareei LLP, Donald J. Enright, Levi and Korsin-sky LLP, Washington, DC, Barrett J. Vahle, J. Austin Moore, Norman E. Siegel, Stueve Siegel Hanson LLP, Kansas City, MO, Carl Malmstrom, Wolf Haldenstein Adler Freeman and Herz LLC, Chicago, IL, Michael Liskow, Wolf Haldenstein Adler Freeman and Herz LLP, New York, NY, for Plaintiffs.
    Cynthia L. Maskol, Wilson Elser Mar-kowitz Edelman and Dicker LLP, Baltimore, MD, for Defendants.
   MEMORANDUM

James K. Bredar, United States District Judge

I. Background

Two cases before the Court rest upon similar allegations by different Plaintiffs, and they are the subjects of nearly identical defense motions. Both cases seek to represent the same class of similarly situated individuals. The causes of action overlap between the cases, with some differences in state-law theories of recovery. Plaintiffs allege the Defendant, National Board of Examiners in Optometry, Incorporated (“NBEO”), suffered a data breach sometime before July 23, 2016, that the personally identifiable information (“PH”) Plaintiffs had supplied to NBEO to register for exams in order to obtain an optometry license was stolen, and that they have incurred damage as a result. (16-3025, Compl., ECF No. 1; 16-3146, Compl, ECF No. 1.).

Now pending before the Court are NBEO’s motions to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)6) or, in the alternative, motions to strike pursuant to Rules 12(f) and 23(d)(1)(D). (16-3025, ECF No. 11; 16-3146, ECF No. 9.) Plaintiffs have also filed motions to consolidate the two cases. (16-3025, ECF No. 12; 16-3146, ECF No. 10.) NBEO does not object to the latter motion as long as the motions to dismiss are addressed first. The Court agrees it is appropriate to decide the potentially dispositive motions first. The motions have been briefed and are ripe for decision. No hearing is necessary. Local Rule 105.6 (D. Md. 2016). NBEO’s motions will be granted pursuant to Rule 12(b)(1) for lack of standing. As a result, the Court will find moot NBEO’s motions to the extent they are premised on other rules. Concomitantly, the Court will find moot Plaintiffs’ motions to consolidate.

II. Standard for Dismissal under Rule 12(b)(1)

The burden of proving subject-matter jurisdiction is on the plaintiff. A challenge to jurisdiction may be either facial, ie., the complaint fails to allege facts upon which subject-matter jurisdiction can be based, or factual, ie., jurisdictional allegations of the complaint are not true. Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982). See also Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009) (same); Richmond, Fredericksburg & Potomac Ry. Co. v. U.S., 945 F.2d 765, 768 (4th Cir. 1991) (same). In the case of a factual challenge, it is permissible for a district court to “consider evidence outside the pleadings without converting the proceeding to one for summary judgment.” Richmond, Fredericksburg, 945 F.2d at 768 (citing Adams, 697 F.2d at 1219).

III. Standing

In a class action, the Court must “analyze standing based on the allegations of personal injury made by the named plaintiffs.” Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017). To .have standing, one must claim “injury in fact” (1) that is concrete and particularized, and either actual or imminent, (2) that has a causal connection to defendant’s conduct, and (3) that is likely redressable by a favorable judicial decision. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). To establish standing at the motion-to-dismiss stage, a plaintiff must allege “sufficient ‘factual matter’” to render a claim of standing “ ‘plausible on its face.’ ” Beck, 848 F.3d at 270 (citing Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009)). As with any motion to dismiss premised upon the question of sufficiency of the pleading, “[f]actual allegations must be enough to raise a right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). “A pleading that offers ‘labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action will not do.’ ... Nor does a complaint suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’ ” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Twombly, 550 U.S. at 555, 557, 127 S.Ct. 1955). Although when considering a motion to dismiss a court must accept as true all factual allegations in the complaint, this principle does not apply to legal conclusions couched as factual allegations. Twombly, 550 U.S. at 555, 127 S.Ct. 1955.

IV. Allegations of the Complaint

Plaintiff Rhonda L. Hutton, O.D., is a Kansas resident who submitted her PII to NBEO in 1998. (16-3025 Compl. ¶5.) Plaintiff Tawny P. Kaeochinda, O.D., is a California resident who submitted her PII to NBEO in 2006-2008. (Id. ¶ 6.) Hutton and Kaeochinda are the two named Plaintiffs in 16-3025. In 16-3146, the named Plaintiff is Nicole Mizrahi, O.D., who is a New York resident and who alleges she supplied her PII to NBEO, but does not say when that occurred. (16-3146 Compl. ¶ 9.) The PII is defined by Hutton as “including but not limited to names, birth dates, Social Security numbers, addresses, and credit card information.” (16-3025 Compl, ¶ 1.)

The context for Plaintiffs! complaints is provided in the following paragraphs from Hutton’s complaint:

2. On or around July 23, 2016, optometrists from around the country began to notice that fraudulent Chase accounts •were being opened in their names. They started discussing it on various Face-book groups and soon realized they were all victims of the same type of fraud. In particular, many optometrists learned that a Chase Amazon Visa credit card had been applied for in their name, or some.other line of credit, and all within a few days of one another. The optometrists. soon realized that the only common source amongst them and to which they had all given their Personal Information that included Social Security numbers and dates of birth (information necessary to apply for new lines of credit, among other things), was the NBEO, where every graduating optometry student has to submit their Personal Information to sit for board-certifying exams. This also affected optometrists who served as examiners or committee members for NBEO and optometrists who later sat for additional NBEO competency exams well after graduating from optometry school. Individuals that submitted their Personal Information to NBEO even more than fifteen years ago have been affected, and the fraud has expanded from only Chase accounts to other means.
3. The NBEO denied its responsibility for the fraud for several days, but on August 4, 2016, it issued a statement on its website stating that it .had “decided further to investigate whether personal data was stolen from [its] information systems' to support the perpetrators’ fraud on individuals and Chase.”1
1 http://www.optometry.or^

Mizrahi also alleges the following:

Since [the August 4, 2016, statement], the NBEO has deigned to update the public only once, on August 25, 2016, to state' that the investigation is ongoing but that so far the investigation “does not establish whether an' intrusion in fact occurred. Collection and technical analysis is therefore continuing, involving still more data, both current and retrospective.”3 The NBEO also stated that “[depending on what that inquiry reveals and when, it could take a number of additional weeks to complete.”4
3 Id. [referring to https://www. facebook.com/NationalBoard/hc_ref== NEWSFEED&fref=nf (last viewed September 13, 2016); http://www. optometry.org/ (last viewed September 13, 2016) ].
4 Id.

(16-3146 Compl. ¶ 6.)

As for the individual Plaintiffs, Hutton alleges that she received on August 5, 2016, a Chase Amazon Visa credit card for which she did not apply, (16-3025 Compl. ¶5.) She alleges the card was opened in her maiden name, which was the name she had supplied to NBEO. (Id.) She claims she was harmed by the compromise of her PII and faces an “increased threat of identity theft and fraud due to her Personal Information being sold on the Internet black market and/or misused by criminals. Plaintiff Hutton also has spent time and money putting credit freezes in place with the credit reporting agencies Experian, TransUnion, and Equifax.” (Id.)

Kaeochinda alleges that, “on August 1, 2016, she learned that someone had applied for a Chase Amazon Visa credit card using, among other things, her former married name, which was the name she provided to NBEO as part of the examination process.” (Id. ¶ 6.) She claims the same injury as Hutton, although Kaeochin-da adds that she has filed reports with the FTC, FBI, IRS, and her local police department. (Id.)

Mizrahi alleges the following:

... her credit score was damaged when unknown persons applied for a Chase Bank Amazon credit card in her name on August 26, 2016. Plaintiff now faces a long, arduous, and potentially costly struggle to prevent her [PII] from being used in fraudulent transactions that may affect her finances. Plaintiffs [PII] has been compromised due to the NBEO’s failure to maintain reasonable and adequate security measures to protect the [PII] it collected from Plaintiff and the Class in exchange for, inter alia, payments to the NBEO.

(16-3146 Compl. ¶ 7.) Mizrahi alleges that, after she placed a fraud alert on her credit reporting file, the application for the Chase Amazon card was automatically denied. (¶¶ 30-31.) She alleges a credit monitoring service informed her that her credit score decreased 11 points between August 23, 2016, and August 31, 2016, and the decrease was due to the application made in her name on August 26, 2016. (Id. ¶ 32.) Mizrahi received a letter from Chase (the Court presumes the .reference is to JPMorgan Chase Bank) on September 2, 2016, “notifying her of steps to be taken to protect personal information that may have been compromised but not specifically stating that any such compromise had occurred.” (Id. ¶33.) In a conversation with a Chase representative on September 6, 2016, Mizrahi was told “that an application had been made in her name for a Chase Amazon card on August 26, 2016, and that the applicant for the Chase card had used Plaintiffs correct name, address, social security number and Plaintiffs Mother’s maiden name in completing the application.” (Id. ¶34.) Mizrahi was also told by someone, whom she does not identify, “that it would take approximately 60 days to reverse the decrease in her credit score stemming from the fraudulent application.” (Id. ¶ 35.)

Plaintiffs. do not allege they incurred any fraudulent charges or were denied credit, either in toto or at a more favorable rate of interest.

V. Analysis

In common, Plaintiffs have asserted causes of action for negligence, breach of contract, and breach of implied contract. Hutton and Kaeochinda have also asserted violations of the California Customer Records Act, Cal. Civ. Code § 1798.81 et seq., and violations of California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200. Mizrahi has also included a count for unjust enrichment in her complaint. NBEO argues Plaintiffs have failed to establish Article III standing and, therefore, their respective complaints should be dismissed for lack of subject-matter jurisdiction. The Court concludes NBEO’s argument has merit.

The United States Court of Appeals for the Fourth Circuit recently addressed the question of Article III standing in relation to a data breach in the Beck v. McDonald opinion. In so doing, the Beck Court relied upon the Supreme Court’s opinion in Clapper v. Amnesty International USA, 568 U.S. 398, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013), which discussed when a threatened injury constitutes an injury in fact for Article Ill’s purposes. 848 F.3d at 271-73. The Court drew from Clapper two tests for “imminence” in the standing inquiry: (1) a threatened injury must be certainly impending, or (2) a “substantial risk” exists that a threatened harm will occur. Id. at 272, 275. In Beck, the plaintiffs had asserted two grounds for standing: (a) increased risk of future identity theft, and (b) costs of protecting against the same. Id. at 273. However, in all of the cases discussed by the Beck Court, and in all of the cases that have been cited by the parties in the instant cases, an actual data breach had occurred and had been acknowledged or announced by the entity whose data files had been breached.

In contrast, that fundamental element is missing from the instant cases. Plaintiffs have relied upon their online conversations with other optometrists to conclude that NBEO suffered a data breach. They posit as ■ factual bases for such an event the fact that some optometrists who had registered with NBEO received unsolicited Chase Amazon Visa credit cards and the fact that, at some point, they had provided NBEO their names, addresses, dates of birth, and Social Security numbers. Ergo, they conclude, a hacker must have broken into NBEO’s data files and stolen Plaintiffs’ PII. Their conclusion rests upon sheer speculation. And their speculation is mistakenly fueled by NBEO’s announcements that it is looking into whether an intrusion occurred and that it denies such in fact happened. That kind of neutral announcement does not imply culpability, despite Plaintiffs’ preferred interpretation otherwise. Interestingly, Hutton also alleges, “The other potential common links, the American Optometric Association (AOA), the American Academy of Optometry (AAO), and the Association of Schools and Colleges of Optometry (ASCO), neither gather nor store Social Security numbers or have investigated and confirmed that their databases have not been breached.” (16-3025 Compl. ¶ 16.) Plaintiffs ' do not explain why NBEO’s denial of a data breach is less credible than those of the other optometry-related organizations. In summary, Plaintiffs have failed to allege a plausible, inferential link between the provision of PII to NBEO at some point in the past and their recent receipt of unsolicited credit cards.

Beyond that, Plaintiffs have incurred no fraudulent charges. They have not been denied credit or been required to pay a higher interest rate for credit they received. Although their complaints allege other things that could happen, such as a hacker’s using an identity theft victim’s identity to commit immigration fraud, to obtain government benefits, or to file a fraudulent tax return (16-3025 Compl. ¶25), Plaintiffs have not alleged they or anyone else in the putative class has, in fact, experienced any of those forms of injury. In short, they have sustained no actual economic injury. It should be noted that the risk of identity theft in Beck was determined by the Fourth Circuit neither to be “certainly impending” nor to amount to a “substantial risk” based upon a similar absence of economic damage to the plaintiffs or to those similarly situated in the putative class. Id. at 274-76. Further, because the Beck plaintiffs’ claim of imminent injury from the risk of identity theft was judged to be only speculative, the Court also found their claim of injury based upon the cost of mitigative measures to prevent the risk of identity theft to be equally unmeritorious as a basis for claiming Article III standing. Id. at 276-77. Likewise, this Court concludes Plaintiffs have failed to establish standing either upon their asserted increased risk of identity theft or upon their expenses to negate identity theft.

VI. Conclusion

Since all of Plaintiffs’ causes of action are premised upon their “naked assertion” of a data breach at NBEO, see Twombly, 550 U.S. at 557, 127 S.Ct. 1955 (naked assertion, without further factual enhancement, insufficient to turn possibility into plausibility), and since they have failed to support their complaints ■ with sufficient factual matter to establish Article III injury, the Court concludes the complaints must be dismissed for lack of subject-matter jurisdiction. A separate order follows. 
      
      . For ease of reference, the Court will refer to Hutton alone in 16-3025. When necessary, the Court will separately identify allegations that are unique to Hutton or Kaeochinda. Unless Mizrahi’s allegations are materially different from Hutton’s, the Court will cite only to .Huttons complaint.
     
      
      . An additional puzzlement is Plaintiffs’ certainty that unsolicited credit cards sent to them constitute evidence of fraud. An instance of such may more reasonably indicate a questionable use of legitimately accessed information for the purpose of opening new accounts for Plaintiffs—in that event, no data breach would be at issue—and not an attempt to defraud‘Plaintiffs. The Court does not suggest one’s receipt of an unsolicited credit card is not a cause,-for concern, but, in itself, it is not indicative of fraud.
      The Court also observes that the complaints do not allege that only optometrists registered with NBEO received unsolicited Chase Amazon Visa cards.
     