
    CITIZENS BANK OF PENNSYLVANIA, Appellant v. REIMBURSEMENT TECHNOLOGIES, INC.; Leah Brown.
    No. 14-3320.
    United States Court of Appeals, Third Circuit.
    Submitted Pursuant to Third Circuit LAR 34.1(a) April 21, 2015.
    Opinion Filed: April 30, 2015.
    
      Ellen D. Bailey, Esq., Robert J. Hannen, Esq., Eckert, Seamans, Cherin & Mellott, Canonsburg, PA, for Appellant.
    Peter D. Hardy, Esq., Kate A. Kleba, Esq., Post & Schell, Philadelphia, PA, for Reimbursement Technologies, Inc. and Leah Brown.
    BEFORE: FISHER, CHAGARES and COWEN, Circuit Judges.
   OPINION

COWEN, Circuit Judge.

Citizens Bank (“Citizens” or the “Bank”) the plaintiff-appellant, filed suit in federal court against Reimbursement Technologies, Inc. (“RTI”), and Leah Brown, alleging a violation of the federal Stored Communications Act. It also alleged various state law claims against RTI. The District Court dismissed Citizens’ complaint, concluding that it failed to state a claim, and also denied its motion to amend its complaint for a third time. On appeal, Citizens does not challenge the dismissal of its federal claim, and thus all claims before us concern only RTI. It instead argues that, upon its dismissal of the federal claim, the District Court should not have considered its state law claims. It also argues that the District Court erroneously denied its motion to amend its complaint. For the reasons detailed below, we will affirm.

I.

Because we write solely for the parties, we will only set forth the facts necessary to inform our analysis.

RTI is a nationwide physician billing and financial management company, whose clients are emergency departments and other hospital-based physician practices. It manages, among other things, its clients’ patient billing services process, accounts receivable, submission of claims to Medicare, Medicaid, and other third-party payors, registration and insurance verification and cash collection.

Citizens alleges that certain RTI employees and agents, including Brown, accessed non-public financial information of patients who utilized the services of RTI’s clients. Among the patients whose information was accessed were at least 134 individuals who also had bank accounts with Citizens.

Brown provided this financial information to a third-party “organized fraud ring.” (Compl. ¶ 14.) As a result of the disclosure, the fraud ring illegally withdrew money from the Bank’s customers’ accounts from branches in six different states, including Pennsylvania. Upon discovering the fraud, Citizens, in compliance with the Uniform Commercial Code (“UCC”), re-credited its customers’ accounts for the amounts fraudulently withdrawn from their accounts and offered additional services to those affected. As a result of these fraudulent transactions, Citizens alleges losses totaling at least $390,506.84.

II.

Citizens argues for the first time on appeal that upon dismissing the Stored Communications Act claim — the sole basis for federal jurisdiction — the District Court abused its discretion by nonetheless ruling on the remaining state law claims. In this regard, it argues that judicial economy, convenience, and fairness to the parties warranted dismissal and it faults the District Court for failing to consider these factors.

Because Citizens failed to raise the issue of the District Court’s supplemental jurisdiction below, it has waived any challenge. To avoid waiver, it must now demonstrate the existence of “special circumstances.” See N.J. Tpke. Auth. v. PPG Indus., Inc., 197 F.3d 96, 113 (3d Cir.1999) (“A district court’s decision to determine [state law] claims is discretionary, and where a party has failed to object to the district court’s exercise of this jurisdiction, in the absence of special circumstances, the challenge is waived.”) (emphasis added). Although we have not precisely defined what special circumstances comprises in this context, whatever the term entails, it is clearly something more than what Citizens would have been required to show had it first raised the issue in the District Court. To be sure, we make no determination as to whether the District Court would have, or should have, dismissed Citizens’ state law claims had Citizens raised the issue below. But given Citizens’ failure to articulate any special circumstances, its waiver is not excused.

III.

Having determined that Citizens waived any challenge to the District Court’s supplemental jurisdiction, we turn to the merits of the District Court’s dismissal of the Bank’s state law claims.

Negligence

A. Common Law Negligence

To establish a claim of negligence under Pennsylvania law, Citizens has to demonstrate the following elements: (1) RTI owed it a duty of care, (2) RTI breached that duty, (3) the breach resulted in its injury, and (4) it suffered an actual loss or damage. Martin v. Evans, 551 Pa. 496, 711 A.2d 458, 461 (1998). The District Court concluded that Citizens failed to plead a plausible claim of negligence because RTI does not owe it a duty of care.

Pennsylvania’s Supreme Court has specified five factors that courts should consider in a negligence action when determining the existence of a common law duty of care: (1) the relationship between the parties, (2) the social utility of the actor’s conduct, (3) the nature of the risk imposed and foreseeability of the harm incurred, (4) the consequences of imposing a duty upon the actor, and (5) the overall public interest in the proposed solution. Althaus v. Cohen, 562 Pa. 547, 756 A.2d 1166, 1169 (2000). Whether a defendant owes a duty of care to a plaintiff is a question of law. Kleinknecht v. Gettysburg Coll., 989 F.2d 1360, 1366 (3d Cir.1993). While no individual factor is dispositive, “a duty will be found to exist where the balance of these factors weighs in favor of placing such a burden on a defendant.” Phillips v. Cricket Lighters, 576 Pa. 644, 841 A.2d 1000, 1008-09 (2003).

As an initial matter, Citizens does not challenge the District Court’s ruling that the mere coincidence it shares certain customers with RTI is insufficient to infer that a relationship existed between it and RTI. This is a significant factor that weighs against the existence of a duty. We do, however, agree that the social utility factor weighs in favor of finding a duty, given that whatever social utility is gleaned from RTI’s data management services would be seriously undermined by its inability to safeguard the personal and financial information it receives to deliver those services. Nonetheless, neither party suggests that, in the current context, this factor is a particularly significant one.

We further conclude that Citizens’ harm was foreseeable. Foreseeability is a legal requirement before recovery can be had. See Kleinknecht, 989 F.2d at 1369. “The type of foreseeability that determines a duty of care, as opposed to proximate cause, is not dependent on the foreseeability of a specific event.” Id. (emphasis added). Rather, in the context of duty, “[t]he concept of foreseeability means the likelihood of the occurrence of a general type of risk rather than the likelihood of the occurrence of the precise chain of events leading to the injury.” Id. (alteration in original) (internal quotation marks omitted).

The question, for purposes of foreseeability, is therefore only whether the harm suffered by Citizens as a result of the data breach from RTI’s allegedly inadequate safeguards is part of a broad general class of risk. It is not necessary that RTI foresee the precise chain of events that would lead to the Bank’s injury. It is enough that Citizens’ harm falls within a “general type of risk” that accompanies the theft of financial information. Id. at 1369-70. Given that RTI’s data breach resulted in the theft of individuals’ personal banking information, it was reasonably foreseeable that the theft of such information would result in harm to the financial institutions holding those accounts. Indeed, it is hard to imagine what use financial information of the type stolen would have to a third party other than to defraud financial institutions like the Bank to access the necessary accounts and make the desired withdrawals. This factor, therefore, additionally weighs in favor of the existence of a duty.

The remaining factors, however, militate against the existence of a duty. As to the fourth factor, we conclude that the consequences of imposing a duty on RTI do not support Citizens’ position. Citizens, as the financial institution allowing the withdrawals, should have had in place its own safeguards, sufficient to ensure that the subject withdrawals were legitimate. It concedes as much in its complaint, by alleging that it was required to re-credit its customers’ bank accounts for the amounts of the fraudulent transactions pursuant to its obligations under Article 3 of the Uniform Commercial Code. Section 3-401(a), cited by Citizens in its complaint, essentially provides for no consumer liability on an instrument for unauthorized transactions. See U.C.C. § 3-401(a). And, as we have noted, “Article 3 of the UCC furnishes us with the applicable loss-allocation rules for the check payments.” Menichini v. Grant, 995 F.2d 1224, 1232 (3d Cir.1993).

“These rules, premised on the responsibility to exercise ordinary care, proceed from the principle that liability rests with the party best able to prevent the loss.” Id. Without delving too far into Citizens’ rights and obligations under the UCC — questions far beyond the scope of this appeal — it is enough that Citizens’ own complaint bolsters the opinion that it had some duty to detect and halt the fraudulent conduct. Given that Citizens was the institution actually presented with the fraudulent withdrawals, and the fact that there is no allegation that RTI was involved in any way with the third-party fraud ring, aided its employee in providing her the stolen information, or knew how she planned to use the stolen information, the consequences of imposing a duty on RTI would seem to misplace the responsibility on the entity in the worse position of actually preventing the fraudulent conduct.

Regarding the final factor, we conclude that the District Court correctly analyzed the public’s overall interest in imposing the alleged duty of care on RTI. As the Court noted, the public has an interest in holding medical information companies liable to their customers for any mishandling of the customers’ confidential data. There may also be good reason for the public to hold companies like RTI liable to their customers’ patients. But the public has very little overall interest in holding companies like RTI liable to their financial institutions, particularly when those institutions are unrelated third parties that are only derivatively connected to the company suffering the breach through their clients’ clients separate business relationships. In short, even in light of the other factors weighing in favor, this is simply an insufficient rationale on which to base a duty of care.

The Pennsylvania Supreme Court has explained that “in administering a broad policy assessment such as the Althaus [duty of care] inquiry, the Court assigns appropriate weight to each salient policy factor, depending on the particularized nature of the asserted duty at hand and context.” Seebold v. Prison Health Servs., Inc., 618 Pa. 632, 57 A.3d 1232, 1249 (2012). On balance here, the scales tip heavily against the existence of a duty. No relationship exists between the Bank and RTI, and the public interest in holding companies like RTI liable for data breaches to financial institutions with which it has no connection is negligible. Notwithstanding that the harm to the Bank was reasonably foreseeable, the consequences of imposing a duty on RTI would effectively excuse the Bank’s own failure to ensure that withdrawals from its branches are legitimate. In sum, the District Court’s decision that no duty exists was correct.

B. Negligence Per Se

Citizens also argues that it pled adequate facts to state a claim for negligence per se based on RTI’s alleged violation of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). To establish negligence per se, it must show that the purpose of the statute relied upon is, at least in part, to protect the interest of the plaintiff individually, as opposed to the public interest. HIPAA’s stated purpose is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.” Pub.L. No. 104-191, 110 Stat. 1936. It is clear that HIPAA was in no way intended to protect medical patients’ banks from possible financial fraud, and Citizens does not seriously argue otherwise. Moreover, we decline to address Citizens’ argument that RTI violated the Gramm-Leach-Bliley Act of 1999, which is not mentioned anywhere in the complaint and was, therefore, not sufficiently pled.

Equitable Subrogation

To establish a claim of equitable subrogation under Pennsylvania law, Citizens must show: (1) it paid a debt to protect its own interests, (2) it did not act as a volunteer, (3) it was not primarily liable for the debt, (4) the entire debt has been satisfied and (5) allowing subrogation will not cause injustice to the rights of others. Tudor Dev. Group, Inc. v. U.S. Fid. & Guar. Co., 968 F.2d 357, 361 (3d Cir.1992). As the U.S. Supreme Court has explained, subrogation is a doctrine whereby “one who has been compelled to pay a debt which ought to have been paid by another is entitled to exercise all the remedies which the creditor possessed against that other.” Am. Surety Co. of New York v. Bethlehem Nat’l Bank of Bethlehem, Pa., 314 U.S. 314, 317, 62 S.Ct. 226, 86 L.Ed. 241 (1941) (internal quotation marks omitted).

As RTI argues, Citizens’ equitable subrogation claim fails because, as the complaint establishes, it did not pay a debt on behalf of its customers. Rather, it re-credited its customers’ bank accounts for the amounts of the fraudulent transactions pursuant to its obligations under the Uniform Commercial Code. In its reply brief, Citizens does not address, much less dispute, RTI’s argument, which we find persuasive. Given that Citizens did not plead that the payments it made to its customers were in satisfaction of a debt that ought to have been paid by RTI, we will affirm the District Court decision on this ground. Id.

Fraud

Under Pennsylvania law, a prima facie case of fraud consists of the following elements: (1) a false representation, (2) made with knowledge of its falsity or recklessness as to whether it is true or false, (3) which is intended to make the receiver act, (4) justifiable reliance on the misrepresentation, and (5) damages to the receiver as a proximate result of the reliance. Kutner Buick, Inc. v. Am. Motors Corp., 868 F.2d 614, 620 (3d Cir.1989) (citing Delahanty v. First Pa. Bank, N.A., 318 Pa.Super. 90, 464 A.2d 1243, 1252 (1983)).

The District Court noted that Citizens appears to assert both a “positive assertion” claim and an “intentional nondisclosure” claim, and it argues both theories on appeal. Citizens alleges that “RTI, through its agents, servants, workmen, and/or employees, fraudulently and intentionally misrepresented to [it] that the withdrawals from the accounts of [its] customers were authorized.” (Compl. ¶ 47.) However, as the complaint makes plain, the fraudulent transactions were made by a third-party fraud ring, and not RTI or its employees.

Nor did Citizens adequately allege a false representation regarding RTI’s intentional non-disclosure. As Citizens concedes, an omission is “actionable as fraud ... where there is an independent duty to disclose the omitted information.” Duquesne Light Co. v. Westinghouse Elec. Corp., 66 F.3d 604, 612 (3d Cir.1995) (internal quotation marks omitted). No relationship existed between the parties and, contrary to Citizens’ argument, mere possession of non-public information does not give rise to a fiduciary duty. See, e.g., Dirks v. SEC, 463 U.S. 646, 654, 103 S.Ct. 3255, 77 L.Ed.2d 911 (1983) (noting that “there is no general duty to disclose before trading on material nonpublic information” and that “a duty to disclose under § 10(b) [of the securities laws] does not arise from the mere possession of nonpublic market information. Such a duty arises rather from the existence of a fiduciary relationship.”) (internal quotation marks and citation omitted). Accordingly, the District Court correctly dismissed this claim as well.

Unjust Enrichment

The elements of unjust enrichment under Pennsylvania law have been defined as follows: (1) benefits conferred on defendant by plaintiff; (2) appreciation of such benefits by defendant; and (3) acceptance and retention of such benefits under such circumstances that it would be inequitable for defendant to retain the benefit without payment of value. Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 180 (3d Cir.2008).

Citizens alleged in its complaint that its own mitigation efforts in the wake of the fraud “reduced the losses, potential and/or actual, of [its] customers which, in turn, significantly reduced the potential liability exposure for RTI for claims based on identity theft and losses of finances” and that this reduced liability constitutes unjust enrichment for which Citizens is entitled to compensation. (Compl. ¶ 61.) However, in light of Citizens’ independent obligation to re-credit its customers’ bank accounts for the amounts of the fraudulent transactions, any “incidental benefit to [RTI] is not enough to maintain an action; the nonpaying [bank customers] got the main benefit, not [RTI].” Allegheny Gen. Hosp. v. Philip Morris, Inc., 228 F.3d 429, 447 (3d Cir.2000) (all alterations added) (citing Restatement of Restitution § 106 (1937) (“A person who, incidentally to the performance of his own duty ... has conferred a benefit upon another, is not thereby entitled to contribution.”)). Thus, Citizens’ allegations of unjust enrichment fail to state a plausible claim.

IV.

Citizens also argues that the District Court erroneously denied its motion to amend its complaint. We generally review the denial of a motion for leave to amend a pleading for abuse of discretion. In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1434 (3d Cir.1997). Pursuant to Federal Rule of Civil Procedure 15, “a party may amend its pleading only with the opposing party’s written consent or the court’s leave.” Fed.R.Civ.P. 15(a)(2). The District Court noted that amendment should be given in the absence of specific reasons, “such as ... futility of amendment.” Foman v. Davis, 371 U.S. 178, 182, 83 S.Ct. 227, 9 L.Ed.2d 222 (1962). “Amendment of the complaint is futile if the amendment will not cure the deficiency in the original [pleading] or if the amended [pleading] cannot withstand a renewed motion to dismiss.” Jablonski v. Pan Am. World Airways, Inc., 863 F.2d 289, 292 (3d Cir.1988). Here, Citizens sought leave in the District Court to amend its complaint to add facts regarding an additional data breach of RTI’s computer systems and also to add a claim for subrogation pursuant to 13 Pa. Con. Stat. § 4407. The District Court denied the motion, asserting that the amendments would be futile.

The District Court correctly noted that adding facts of an additional breach would not alter the analysis for any of Citizens’ state law claims. In addition, the District Court concluded that its proposed claim for subrogation pursuant to 13 Pa. Con. Stat. § 4407 would not withstand a motion to dismiss. Section 4407 provides that, under certain circumstances, a bank “is subrogated to the rights of” the drawer or maker “against the payee or any other holder of the item.” 13 Pa. Con. Stat. § 4407. But Citizens did not allege that RTI was “the payee or any other holder of the item.” It merely alleged that an organized fraud ring withdrew money from its customers’ accounts. As a result, the District Court properly determined that Citizens’ proposed amendment would be futile and correctly denied the motion.

On appeal, Citizens argues that the District Court inappropriately determined it had not sufficiently alleged that RTI was a payee, given that RTI’s employees who disclosed the financial information could have received monetary gain from the fraudulent withdrawals. But a “payee” is defined in the Pennsylvania Commercial Code as the person to whom the item is payable and a “holder” is defined as “the person in possession” of the item. See, e.g., 13 Pa. Con. Stat. §§ 3110, 1201, respectively. Here, the “items” alleged are “over-the-counter Checking/Money Market withdrawal slips and foreign cashed checks.” (Compl. ¶ 15.) Thus, as RTI points out in its responsive brief, even if RTI’s employees received some financial benefit from the fraudulent withdrawals — a fact not pled in the current complaint — that would still not render RTI a “payee” or “holder” of the alleged items for purposes of the Pennsylvania statute. In its reply brief, Citizens does not dispute this argument, but rather asserts that the District Court should have allowed limited discovery for purposes of its motion to amend. We disagree and will affirm the District Court’s decision on this basis as well.

V.

In light of the foregoing, the judgment of the District Court entered on June 17, 2014, will be affirmed. 
      
       This disposition is not an opinion of the full Court and pursuant to I.O.P. 5.7 does not constitute binding precedent.
     