             Case: 11-13694     Date Filed: 09/05/2012   Page: 1 of 30




                                                                         [PUBLISH]

               IN THE UNITED STATES COURT OF APPEALS

                          FOR THE ELEVENTH CIRCUIT
                            ________________________

                                  No. 11-13694
                            ________________________

                         D.C. Docket No. 1:10-cv-24513-JLK


JEAN RESNICK, et al.,

                                                          Plaintiffs,

JUANA CURRY,
WILLIAM MOORE,

                                                          Plaintiffs - Appellants,

                                    versus

AVMED, INC.,
a Florida corporation,

                                                          Defendant - Appellee.

                            ________________________

                   Appeal from the United States District Court
                       for the Southern District of Florida
                         ________________________

                                (September 5, 2012)

Before WILSON, PRYOR and MARTIN, Circuit Judges.
              Case: 11-13694     Date Filed: 09/05/2012   Page: 2 of 30

WILSON, Circuit Judge:

      Juana Curry and William Moore (collectively “Plaintiffs”) appeal the district

court’s dismissal of their Second Amended Complaint (“Complaint”) for failure to

state a claim upon which relief may be granted. The district court held that among

its other deficiencies, the Complaint failed to state a cognizable injury. We find

that the complaint states a cognizable injury for the purposes of standing and as a

necessary element of injury in Plaintiffs’ Florida law claims. We also conclude

that the Complaint sufficiently alleges the causation element of negligence,

negligence per se, breach of contract, breach of implied contract, breach of the

implied covenant of good faith and fair dealing, and breach of fiduciary duty under

Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S. Ct. 1955 (2007), and

Ashcroft v. Iqbal, 556 U.S. 662, 129 S. Ct. 1937 (2009). The Complaint similarly

alleges facts sufficient to withstand a motion to dismiss on the restitution/unjust

enrichment claim. However, the Complaint fails to allege entitlement to relief

under Florida law for the claims of negligence per se and breach of the implied

covenant of good faith and fair dealing. We therefore reverse in part, affirm in

part, and remand the case to the district court for further proceedings.

                                           I

      We state the facts as alleged in the Complaint, accept them as true, and

                                          2
               Case: 11-13694    Date Filed: 09/05/2012    Page: 3 of 30

construe them in the light most favorable to Plaintiffs. Lanfear v. Home Depot,

Inc., 679 F.3d 1267, 1271 n.4 (11th Cir. 2012). AvMed, Inc. is a Florida

corporation that delivers health care services through health plans and government-

sponsored managed-care plans. AvMed has a corporate office in Gainesville,

Florida, and in December 2009, two laptop computers were stolen from that office.

Those laptops contained AvMed customers’ sensitive information, which included

protected health information, Social Security numbers, names, addresses, and

phone numbers. AvMed did not take care to secure these laptops, so when they

were stolen the information was readily accessible. The laptops were sold to an

individual with a history of dealing in stolen property. The unencrypted laptops

contained the sensitive information of approximately 1.2 million current and

former AvMed members.

      The laptops contained personal information of Juana Curry and William

Moore. Plaintiffs are careful in guarding their sensitive information and had never

been victims of identity theft before the laptops were stolen. Curry guards physical

documents that contain her sensitive information and avoids storing or sharing her

sensitive information digitally. Similarly, Moore guards physical documents that

contain his sensitive information and is careful in the digital transmission of this

information.

                                           3
              Case: 11-13694    Date Filed: 09/05/2012   Page: 4 of 30

      Notwithstanding their care, Plaintiffs have both become victims of identity

theft. Curry’s sensitive information was used by an unknown third party in

October 2010—ten months after the laptop theft. Bank of America accounts were

opened in Curry’s name, credit cards were activated, and the cards were used to

make unauthorized purchases. Curry’s home address was also changed with the

U.S. Postal Service. Moore’s sensitive information was used by an unknown third

party in February 2011—fourteen months after the laptop theft. At that time, an

account was opened in Moore’s name with E*Trade Financial, and in April 2011,

Moore was notified that the account had been overdrawn.

                                         II

      In November 2010, five named plaintiffs seeking to represent the class of

individuals whose information was stored on the unsecured laptops filed this case

in Florida state court, captioned Jean Resnick et al. v. AvMed, Inc. AvMed

removed the case to federal court pursuant to the Class Action Fairness Act of

2005, 28 U.S.C. § 1332(d) and filed a motion to dismiss for failure to state a claim.

See Fed. R. Civ. P. 12(b)(6). The initial plaintiffs then amended their complaint to

address the identified deficiencies and filed a new complaint. The First Amended

Complaint added Curry as a named plaintiff. AvMed again filed a motion to

dismiss under Rule 12(b)(6), which the district court granted without prejudice on

                                          4
                  Case: 11-13694   Date Filed: 09/05/2012   Page: 5 of 30

the ground that the plaintiffs failed to state a cognizable injury. Specifically, the

district court reasoned that the plaintiffs sought to “predicate recovery upon a mere

specter of injury: a heightened likelihood of identity theft.” The court explicitly

declined to analyze whether the plaintiffs’ complaint failed to allege a cognizable

injury for the purposes of standing, see Lujan v. Defenders of Wildlife, 504 U.S.

555, 122 S. Ct. 2130 (1992), or under state law, see Pisciotta v. Old National

Bancorp, 499 F.3d 629 (7th Cir. 2007). The court found that to the extent the

plaintiffs alleged actual identity theft, they failed to satisfy the pleading standards

established by the Supreme Court in Twombly. Plaintiffs then filed a Second

Amended Complaint—the Complaint at issue in this appeal—in which they added

Moore and dropped the original five named plaintiffs who did not allege actual

identity theft.

       In the Complaint at issue, Plaintiffs seek to represent the class of AvMed

customers whose sensitive information was stored on the stolen laptops and a

subclass of individuals whose identities have been stolen since the laptop theft.

Plaintiffs brought seven counts against AvMed under Florida law. Plaintiffs allege

that AvMed was negligent in protecting their sensitive information and negligent

per se when it violated section 695.3025 of the Florida Statutes, which protects

medical information. Plaintiffs also allege that AvMed breached its contract with

                                            5
              Case: 11-13694      Date Filed: 09/05/2012    Page: 6 of 30

Plaintiffs, and alternatively that AvMed breached its implied contract with

Plaintiffs. In the alternative to the breach of contract claim, Plaintiffs also allege a

claim for restitution/unjust enrichment. Finally, Plaintiffs allege that AvMed

breached the implied covenant of good faith and fair dealing, and that AvMed

breached the fiduciary duty it owed to Plaintiffs.

      AvMed filed a motion to dismiss the Complaint for failure to state a claim,

and the district court granted the motion, stating only that “[a]mong its other

deficiencies, Plaintiffs’ Second Amended Complaint again fails to allege any

cognizable injuiry.” Plaintiffs appeal.

                                           III

      Prior to making an adjudication on the merits, we must assure ourselves that

we have jurisdiction to hear the case before us. Anago v. Shaz, 677 F.3d 1272,

1275 (11th Cir. 2012) (citing Arbaugh v. Y&H Corp., 546 U.S. 500, 514, 126 S. Ct.

1235, 1244 (2006)). Litigants must show that their claim presents the court with a

case or controversy under the Constitution and meets the “irreducible

constitutional minimum of standing.” Lujan, 504 U.S. at 560, 112 S. Ct. at 2136.

To fulfill this requirement, a plaintiff must show that:

      (1) it has suffered an “injury in fact” that is (a) concrete and
      particularized and (b) actual or imminent, not conjectural or
      hypothetical; (2) the injury is fairly traceable to the challenged action
      of the defendant; and (3) it is likely, as opposed to merely speculative,
                                            6
                Case: 11-13694        Date Filed: 09/05/2012        Page: 7 of 30

       that the injury will be redressed by a favorable decision.

Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–

81, 120 S. Ct. 693, 704 (2000). “At the pleading stage, general factual allegations

of injury resulting from the defendant’s conduct may suffice” to establish standing.

Lujan, 504 U.S. at 561, 112 S. Ct. at 2137.

       Whether a party claiming actual identity theft resulting from a data breach

has standing to bring suit is an issue of first impression in this Circuit. Plaintiffs

allege that they have become victims of identity theft and have suffered monetary

damages as a result. This constitutes an injury in fact under the law. 1 Via Mat

Int’l S. Am. Ltd. v. United States, 446 F.3d 1258, 1263 (11th Cir. 2006) (finding

economic harm sufficient to create standing); see also Lambert v. Hartman, 517

F.3d 433, 437 (6th Cir. 2006).

       We must next determine whether Plaintiffs’ injury is fairly traceable to

AvMed’s actions. A showing that an injury is “fairly traceable” requires less than

a showing of “proximate cause.” Focus on the Family v. Pinellas Suncoast Transit

Auth., 344 F.3d 1263, 1273 (11th Cir. 2003). Even a showing that a plaintiff’s

       1
          Some of our sister Circuits have found that even the threat of future identity theft is
sufficient to confer standing in similar circumstances. Krottner v. Starbucks Corp., 628 F.3d
1139, 1142–43 (9th Cir. 2010) (finding an injury in fact where plaintiffs alleged a data breach
and threat of identity theft, but no actual identity theft); Pisciotta v. Old Nat’l Bancorp, 499 F.3d
629, 634 (7th Cir. 2007) (same). As Plaintiffs have alleged only actual—not speculative—
identity theft, we need not address the issue of whether speculative identity theft would be
sufficient to confer standing.
                                                    7
              Case: 11-13694     Date Filed: 09/05/2012    Page: 8 of 30

injury is indirectly caused by a defendant’s actions satisfies the fairly traceable

requirement. Id. Plaintiffs allege that AvMed failed to secure their information on

company laptops, and that those laptops were subsequently stolen. Despite

Plaintiffs’ personal habits of securing their sensitive information, Plaintiffs became

the victims of identity theft after the unencrypted laptops containing their sensitive

information were stolen. For purposes of standing, these allegations are sufficient

to “fairly trace” their injury to AvMed’s failures.

      Finally, Plaintiffs must show that a favorable resolution of the case in their

favor could redress their alleged injuries. Friends of the Earth, Inc., 528 U.S. at

180–81, 120 S. Ct. at 704. Plaintiffs allege a monetary injury and an award of

compensatory damages would redress that injury. Plaintiffs have alleged sufficient

facts to confer standing, and we now turn to the merits of their appeal.

                                          IV

      We review a district court’s dismissal of a complaint for failure to state a

claim upon which relief may be granted de novo. Spain v. Brown & Williamson

Tobacco Corp., 363 F.3d 1183, 1187 (11th Cir. 2004).

                                           V

      AvMed contends that the Complaint fails to allege a cognizable injury under

Florida law and that the Complaint fails to allege facts sufficient to establish

                                           8
              Case: 11-13694     Date Filed: 09/05/2012       Page: 9 of 30

causation under the federal pleading standards. We address each argument in turn.

                                          A

      AvMed contends that Plaintiffs’ injuries are not cognizable under Florida

law because the Complaint alleges only “losses,” not “unreimbursed losses.” This

is a specious argument. On a motion to dismiss, we review the pleadings and draw

“reasonable inference[s]” from the facts alleged. Iqbal, 556 U.S. at 678, 129 S. Ct.

at 1949. Under the notice-pleading standard, we no longer require the hyper-

technical code pleadings of ages past, see id. at 678–79, 129 S. Ct. at 1950, and we

“draw on [our] judicial experience and common sense” when construing the

allegations in a complaint, id. at 679, 129 S. Ct. at 1950.

      The Complaint specifically alleges that both Curry and Moore suffered

financial injury (D.E. 31 ¶¶ 47, 48, 49, 51, 63, 66); monetary loss is cognizable

under Florida law for damages in contract, quasi-contract, negligence, and breach

of fiduciary duty. See, e.g., Capitol Envtl. Servs., Inc. v. Earth Tech, Inc., 25 So.

3d 593 (Fla. Dist. Ct. App. 2009) (contract); Young v. Becker & Poliakoff, P.A., 88

So. 3d 1002, 1006, 1008 (Fla. Dist. Ct. App. 2012) (fiduciary duty). Plaintiffs

have therefore alleged a cognizable injury under Florida law.

                                           B

      At the pleading stage, a complaint must contain a “short and plain statement

                                           9
               Case: 11-13694   Date Filed: 09/05/2012    Page: 10 of 30

of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2).

Plaintiffs must plead all facts establishing an entitlement to relief with more than

“labels and conclusions” or “a formulaic recitation of the elements of a cause of

action.” Twombly, 550 U.S. at 555, 127 S. Ct. at 1965. The complaint must

contain enough facts to make a claim for relief plausible on its face; a party must

plead “factual content that allows the court to draw the reasonable inference that

the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678, 129 S.

Ct. at 1949 (citing Twombly, 556 U.S. at 570, 127 S. Ct. at 1965).

       Following the approach suggested by the Supreme Court in Iqbal, we begin

our analysis by identifying “pleadings that, because they are no more than

conclusions, are not entitled to the assumption of truth.” 556 U.S. at 680, 129 S.

Ct. at 1950. We then turn to the “well-pleaded factual allegations” and, assuming

their veracity, “determine whether they plausibly give rise to an entitlement to

relief.” Id.

       First, we determine what must be pled for each cause of action. Plaintiffs

brought seven counts against AvMed, all under Florida law. Of the seven causes

of action alleged, Florida law requires a plaintiff to show that the defendant’s

challenged action caused the plaintiff’s harm in six of them: negligence,

negligence per se, breach of fiduciary duty, breach of contract, breach of contract

                                          10
               Case: 11-13694        Date Filed: 09/05/2012       Page: 11 of 30

implied in fact, 2 and breach of the implied covenant of good faith and fair dealing.

A negligence claim requires a plaintiff to show that (1) defendants owe plaintiffs a

duty, (2) defendants breached the duty, (3) defendants’ breach injured plaintiffs,

and “(4) [plaintiffs’] damage [was] caused by the injury to the plaintiff as a result

of the defendant’s breach of duty.” Delgado v. Laundromax, Inc., 65 So. 3d 1087,

1089 (Fla. Dist. Ct. App. 2011) (emphasis added). Similarly, under Florida law, an

action for negligence per se requires a plaintiff to show “violation of a statute

which establishes a duty to take precautions to protect a particular class of persons

from a particularly injury or type of injury.” Davis v. Otis Elevator Co., 515 So.

2d 277, 278 (Fla. Dist. Ct. App. 1987) (citing de Jesus v. Seaboard Coast Line

R.R., 281 So. 2d 198, 200–01 (Fla. 1973)). As part of this showing, plaintiffs must

establish “that the violation of the statute was the proximate cause of [their]

injury.” de Jesus, 281 So. 2d at 201 (emphasis added). The elements of a cause of

action for breach of fiduciary duty in Florida include “damages flowing from the

breach.” Crusselle v. Mong, 59 So. 3d 1178, 1181 (Fla. Dist. Ct. App. 2011).

       2
          Plaintiffs do not specify whether they intend to bring an action for breach of contract
implied in law or impilied in fact. The Complaint suggests that they intend to allege a contract
implied in fact, and we analyze it as such. See D.E. 31 ¶¶ 118–119 (“In order to benefit from
Defendant’s healthcare plan, Plaintiffs . . . disclosed Sensitive Information . . . . By providing
that Sensitive Information and upon Defendant’s acceptance of such information, Plaintiffs . . .
and Defendant . . . entered into implied contracts . . . .”). To the extent Plaintiffs allege a
contract implied in law, such contracts must be pled in the same way as unjust enrichment
claims, discussed infra. See Hull & Co. v. Thomas, 834 So. 2d 904, 906–07 (Fla. Dist. Ct. App.
2003).
                                                   11
              Case: 11-13694       Date Filed: 09/05/2012      Page: 12 of 30

       The contract claims also require a showing of causation. In Florida, a breach

of contract claim requires a party to show that damages resulted from the breach.

Rollins, Inc. v. Butland, 951 So. 2d 860, 876 (Fla. Dist. Ct. App. 2006). Florida

courts use breach of contract analysis to evaluate claims of breach of contract

implied in fact 3 and breach of the covenant of good faith and fair dealing. See

Baron v. Osman, 39 So. 3d 449, 451 (Fla. Dist. Ct. App. 2010) (per curiam)

(contract implied in fact); Hospital Corp. of Am. v. Fla. Med. Ctr., Inc., 710 So. 2d

573, 575 (Fla. Dist. Ct. App. 1998) (per curiam) (implied covenant of good faith

and fair dealing).

       In discussing causation, Plaintiffs allege that “AvMed’s data breach caused

[Plaintiffs’] identity theft,” that the facts Plaintiffs allege have “sufficiently shown

that the data breach caused [the] identity theft,” and that “but for AvMed’s data

breach, [Plaintiffs’] identit[ies] would not have been stolen.” Although at this

stage in the proceedings we accept plaintiffs’ allegations as true, we are not bound

to extend the same assumption of truth to plaintiffs’ conclusions of law. Twombly,

550 U.S. at 555, 127 S. Ct. at 1965; see also Iqbal, 556 U.S. at 678, 129 S. Ct. at

1950. These claims state merely that AvMed was the cause of the identity theft—a

conclusion we are not bound to accept as true.
       3
         In Florida, whether a contract is implied in fact is “inferred from the facts and
circumstances of the case.” Eskra v. Provident Life & Accident Ins. Co., 125 F.3d 1406, 1413
(11th Cir. 1997).
                                                 12
              Case: 11-13694     Date Filed: 09/05/2012    Page: 13 of 30

      We now consider the well-pleaded factual allegations relating to causation to

determine whether they “plausibly suggest an entitlement to relief.” Iqbal, 556

U.S. at 681, 129 S. Ct. at 1951. The complaint alleges that, prior to the data

breach, neither Curry nor Moore had ever had their identities stolen or their

sensitive information “compromised in any way.” It further alleges that “Curry

took substantial precautions to protect herself from identity theft,” including not

transmitting sensitive information over the Internet or any unsecured source; not

storing her sensitive information on a computer or media device; storing sensitive

information in a “safe and secure physical location;” and destroying “documents

she receives in the mail that may contain any of her sensitive information, or that

contain any information that could otherwise be used to steal her identity, such as

credit card offers.” Similarly, Moore alleges in the complaint that he “took

substantial precautions to protect himself from identity theft,” including not

transmitting unencrypted sensitive information over the internet or any other

source, storing documents containing sensitive information “in a safe and secure

physical location and destroy[ing] any documents he receives in the mail” that

include either sensitive information or information that “could otherwise be used to

steal his identity.” Plaintiffs became victims of identity theft for the first time in

their lives ten and fourteen months after the laptops containing their sensitive

                                           13
              Case: 11-13694      Date Filed: 09/05/2012    Page: 14 of 30

information were stolen. Curry’s sensitive information was used to open a Bank of

America account and change her address with the United States Post Office, and

Moore’s sensitive information was used to open an E*Trade Financial account in

his name.

      Our task is to determine whether the pleadings contain “sufficient factual

matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’”

Iqbal, 556 U.S. at 681, 129 S. Ct. at 1949 (quoting Twombly, 550 U.S. at 570, 127

S. Ct. at 1966.) A claim is facially plausible when the court can draw “the

reasonable inference that the defendant is liable for the misconduct alleged” from

the pled facts. Id. Taken as true, these factual allegations are consistent with

Plaintiffs’ conclusion that AvMed’s failure to secure Plaintiffs’ information caused

them to become victims of identity theft. After thorough consideration, we

conclude that the allegations are sufficient to cross the line from merely possible to

plausible. See id.

       Generally, to prove that a data breach caused identity theft, the pleadings

must include allegations of a nexus between the two instances beyond allegations

of time and sequence. In an unpublished opinion on summary judgment, the Ninth

Circuit found that a plaintiff sufficiently showed a causal relationship where “(1)

[plaintiff] gave [the defendant] his personal information; (2) the identity fraud

                                            14
             Case: 11-13694     Date Filed: 09/05/2012    Page: 15 of 30

incidents began six weeks after the hard drives containing [defendant’s] customers’

personal information were stolen; and (3) [plaintiff had] previously not suffered

any such incidents of identity theft.” Stollenwerk v. Tri-West Health Care

Alliance, 254 F. App’x 664, 667 (9th Cir. 2007) (emphasis added). There, the

court stated that these three facts, in conjunction with the inference a jury could

make that the type of information stolen was the same type of information needed

to open the fraudulent accounts, were sufficient to defeat a motion for summary

judgment brought on the basis of a failure to establish causation. Id. at 667–68.

Even with this close connection in time, the court recognized that allegations only

of time and sequence are not enough to establish causation: “purely temporal

connections are often insufficient to establish causation. . . . [H]owever, proximate

cause is supported not only by the temporal[] but also by the logical[] relationship

between the two events.” Id. at 668 (citation omitted).

      Plaintiffs in the present case have pled facts indicating causation similar to

those pled in Stollenwerk, but the inferential leap they ask us to make from the

initial data breach to the stolen identities includes a time span more than six times

greater than the one in Stollenwerk. Rather than a six-week gap between the initial

data breach and the identity theft, Plaintiffs here allege gaps of ten and fourteen

months between the two events. As the Stollenwerk court stated, a mere temporal

                                          15
                Case: 11-13694       Date Filed: 09/05/2012      Page: 16 of 30

connection is not sufficient; Plaintiffs’ pleadings must indicate a logical connection

between the two incidents. Here, Plaintiffs allege a nexus between the two events

that includes more than a coincidence of time and sequence: they allege that the

sensitive information on the stolen laptop was the same sensitive information used

to steal Plaintiffs’ identity. (D.E. 31 ¶¶ 2, 41, 46, 61.) Plaintiffs explicitly make

this connection when they allege that Curry’s identity was stolen by changing her

address and that Moore’s identity was stolen by opening an E*Trade Financial

account in his name because in both of those allegations, Plaintiffs state that the

identity thief used Plaintiffs’ sensitive information. (D.E. 31 ¶¶ 46, 61) We

understand Plaintiffs to make a similar allegation regarding the bank accounts

opened in Curry’s name even though they do not plead precisely that Curry’s

sensitive information was used to open the Bank of America account. The

Complaint states that Curry’s sensitive information was on the unencrypted stolen

laptop (Id. ¶ 7), that her identity was stolen, and that the stolen identity was used to

open unauthorized accounts (Id. ¶ 44). Considering the Complaint as a whole and

applying common sense to our understanding of this allegation, we find that

Plaintiffs allege that the same sensitive information that was stored on the stolen

laptops was used to open the Bank of America account.4 Thus, Plaintiffs’


      4
          Our interpretation of the Complaint is reasonable when considering the allegation
                                                 16
               Case: 11-13694        Date Filed: 09/05/2012        Page: 17 of 30

allegations that the data breach caused their identities to be stolen move from the

realm of the possible into the plausible. Had Plaintiffs alleged fewer facts, we

doubt whether the Complaint could have survived a motion to dismiss. However,

Plaintiffs have sufficiently alleged a nexus between the data theft and the identity

theft and therefore meet the federal pleading standards. Because their contention

that the data breach caused the identity theft is plausible under the facts pled,

Plaintiffs meet the pleading standards for their allegations on the counts of

negligence, negligence per se, breach of fiduciary duty, breach of contract, breach

of implied contract, and breach of the implied covenant of good faith and fair

dealing.

                                                 C

       Plaintiffs’ unjust enrichment claim does not have a causation element, so we

analyze the sufficiency of the Complaint on that claim separately. In the

Complaint, Plaintiffs allege that AvMed cannot equitably retain their monthly

insurance premiums—part of which were intended to pay for the administrative

costs of data security—because AvMed did not properly secure Plaintiffs’ data, as

evinced from the fact that the stolen laptop containing sensitive information was


contained two paragraphs later in paragraph 46, “Curry’s sensitive information was also used to
change her home address with the U.S. Postal Service.” Use of the word “also” indicates that
Plaintiffs intended the allegation made in paragraph 44, that “Curry’s identity was stolen and . . .
used” to mean that Curry’s sensitive information was stolen and used.
                                                17
             Case: 11-13694     Date Filed: 09/05/2012    Page: 18 of 30

unencrypted. AvMed argues that the district court correctly dismissed the

Complaint because Plaintiffs’ alleged injuries are not cognizable under the law and

because Plaintiffs paid AvMed not for data security but for health insurance.

      To establish a cause of action for unjust enrichment/restitution, a Plaintiff

must show that “1) the plaintiff has conferred a benefit on the defendant; 2) the

defendant has knowledge of the benefit; 3) the defendant has accepted or retained

the benefit conferred; and 4) the circumstances are such that it would be

inequitable for the defendant to retain the benefit without paying fair value for it.”

Della Ratta v. Della Ratta, 927 So. 2d 1055, 1059 (Fla. Dist. Ct. App. 2006).

      Plaintiffs allege that they conferred a monetary benefit on AvMed in the

form of monthly premiums, that AvMed “appreciates or has knowledge of such

benefit,” that AvMed uses the premiums to “pay for the administrative costs of

data management and security,” and that AvMed “should not be permitted to retain

the money belonging to Plaintiffs . . . because [AvMed] failed to implement the

data management and security measures that are mandated by industry standards.”

Plaintiffs also allege that AvMed either failed to implement or inadequately

implemented policies to secure sensitive information, as can be seen from the data

breach. Accepting these allegations as true, we find that Plaintiffs alleged

sufficient facts to allow this claim to survive a motion to dismiss.

                                          18
             Case: 11-13694     Date Filed: 09/05/2012    Page: 19 of 30

                                          VI

      AvMed argues that we can affirm the district court because the Complaint

fails to allege an entitlement to relief under Florida law on each count. On review,

we find that two of the pled causes of action do not allow Plaintiffs to recover

under Florida law. We address only the two claims that fail: negligence per se, and

breach of the covenant of good faith and fair dealing.

                                          A

      Plaintiffs allege that AvMed was negligent per se when it violated section

395.3025 of the Florida Statutes by disclosing “Plaintiffs’ health information

without authorization.” Plaintiffs state that this statute was enacted “to protect the

confidentiality of medical information of Florida residents . . . and expressly

provides that a person’s medical information must not be disclosed without his or

her consent.” Plaintiffs contend that they are a part of the class of people the

statute sought to protect and that the harm they suffered was the type of harm the

statute sought to avoid, thereby concluding that AvMed was negligent per se.

      Florida Statute section 395.3025(4) states that “[p]atient records are

confidential and must not be disclosed without the consent of the patient.” This

statute is contained in a chapter regulating the licensure, development,

establishment, and minimum standard enforcement of hospitals, ambulatory

                                          19
             Case: 11-13694      Date Filed: 09/05/2012   Page: 20 of 30

surgical centers, and mobile surgical facilities. Fla. Stat. § 395.001. Because

AvMed is an integrated managed-care organization and not a hospital, ambulatory

surgical center, or mobile surgical facility, AvMed is not subject to this statute.

See Hendley v. State, 58 So. 3d 296, 298 (Fla. Dist. Ct. App. 2011) (finding that

Fla. Stat. § 395.3025 only applies to licensed facilities defined in § 395.002(16)

and not to pharmacies). Section 395.3025 does not purport to regulate AvMed’s

behavior, and so AvMed’s failure to comply with the statute cannot serve as a basis

for a negligence per se claim.

                                          B

      While “every contract contains an implied covenant of good faith and fair

dealing” under Florida law, a breach of this covenant—standing alone—does not

create an independent cause of action. Centurion Air Cargo, Inc. v. United Parcel

Serv. Co., 420 F.3d 1146, 1151 (11th Cir. 2005). The duty of good faith must

“relate to the performance of an express term of the contract and is not an abstract

and independent term of a contract which may be asserted as a source of breach

when all other terms have been performed pursuant to the contract requirements.”

Ins. Concepts & Design, Inc. v. Healthplan Servs., Inc., 785 So. 2d 1232, 1235

(Fla. Dist. Ct. App. 2001) (per curiam) (emphasis omitted) (quoting Hospital Corp.

of Am. v. Fla. Med. Center, Inc., 710 So. 2d 573, 575 (Fla. Dist. Ct. App. 1998)).

                                          20
               Case: 11-13694    Date Filed: 09/05/2012     Page: 21 of 30

A claimant asserting a cause of action for breach of the implied covenant must

allege “a failure or refusal to discharge contractual responsibilities, prompted not

by an honest mistake, bad judgment or negligence; but, rather by a conscious and

deliberate act, which unfairly frustrates the agreed common purpose and

disappoints the reasonable expectations of the other party.” Tiara Condo. Ass’n,

Inc. v. Marsh & McLennan Cos., Inc., 607 F.3d 742, 747 (11th Cir. 2010)

(applying Florida law) (quoting Shibata v. Lim, 133 F. Supp. 2d 1311, 1319 (M.D.

Fla. 2000)).

      Plaintiffs here allege that AvMed breached the express provision of the

service contract, which required AvMed to “ensure the ‘confidentiality of

information about members’ medical health condition being maintained by the

Plan and the right to approve or refuse the release of member specific information

including medical records, by AvMed, except when the release is required by

law.’” However, Plaintiffs do not allege that AvMed’s failures to secure their data

resulted from a “conscious and deliberate act, which unfairly frustrates the agreed

common purpose” as required under Florida law. Id.

      From the language used in the Complaint—that AvMed “did not honor” its

obligations and that it “failed to safeguard[,] . . . fail[ed] to promptly and

sufficiently notify[,] . . . [and] fail[ed] to fully comply with the proscriptions of

                                           21
             Case: 11-13694      Date Filed: 09/05/2012    Page: 22 of 30

applicable statutory law”—we do not understand Plaintiffs to allege that AvMed’s

shortcomings were conscious acts to frustrate the common purpose of the

agreement. We find therefore that AvMed failed to meet the pleading standard in

this claim as well.

                                          VII

      In this digital age, our personal information is increasingly becoming

susceptible to attack. People with nefarious interests are taking advantage of the

plethora of opportunities to gain access to our private information and use it in

ways that cause real harm. Even though the perpetrators of these crimes often

remain unidentified and the victims are left to clean up the damage caused by these

identity thieves, cases brought by these victims are subject to the same pleading

standards as are plaintiffs in all civil suits. Here, Plaintiffs have pled a cognizable

injury and have pled sufficient facts to allow for a plausible inference that

AvMed’s failures in securing their data resulted in their identities being stolen.

They have shown a sufficient nexus between the data breach and the identity theft

beyond allegations of time and sequence. However, the Complaint fails to

sufficiently allege an entitlement to relief under Florida law on the allegations of

negligence per se and breach of the implied covenant of good faith and fair

dealing. We therefore affirm in part, reverse in part, and remand to the district

                                           22
             Case: 11-13694      Date Filed: 09/05/2012   Page: 23 of 30

court for further proceedings.

      AFFIRMED IN PART, REVERSED IN PART, AND REMANDED.




                                          23
              Case: 11-13694     Date Filed: 09/05/2012     Page: 24 of 30

PRYOR, Circuit Judge, dissenting:

      I agree with the majority opinion that Curry and Moore have standing to sue,

but Curry and Moore’s complaint should be dismissed for failure to state a claim.

Their complaint fails to allege a plausible basis for finding that AvMed caused

them to suffer identity theft, and their claim of unjust enrichment fails as a matter

of law.

      Because of the paucity of well-pleaded facts about the cause of the identity

thefts, the majority opinion “doubt[s] whether the Complaint could have survived a

motion to dismiss” if Curry and Moore had “alleged fewer facts,” Majority

Opinion at 17, but Curry and Moore’s threadbare allegations about causation fail to

“nudge[] [the] claims” relating to identity theft “across the line from conceivable to

plausible,” Ashcroft v. Iqbal, 556 U.S. 662, 680, 129 S. Ct. 1937, 1951 (2009)

(quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S. Ct. 1955, 1974

(2007)) (internal quotation marks omitted). “To survive a motion to dismiss, a

complaint must contain sufficient factual matter, accepted as true, to ‘state a claim

to relief that is plausible on its face.’” Id. at 678, 129 S. Ct. at 1949 (quoting

Twombly, 550 U.S. at 570, 127 S. Ct. at 1974). “A claim has facial plausibility

when the plaintiff pleads factual content that allows the court to draw the

reasonable inference that the defendant is liable for the misconduct alleged.” Id.

                                           24
              Case: 11-13694     Date Filed: 09/05/2012    Page: 25 of 30

“The plausibility standard is not akin to a ‘probability requirement,’ but it asks for

more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting

Twombly, 550 U.S. at 556, 127 S. Ct. at 1955). “Where a complaint pleads facts

that are ‘merely consistent with’ a defendant’s liability, it ‘stops short of the line

between possibility and plausibility of ‘entitlement to relief.’” Id. (quoting

Twombly, 550 U.S. at 557, 127 S. Ct. at 1955). “[C]ourts may infer from the

factual allegations in the complaint ‘obvious alternative explanation[s],’ which

suggest lawful conduct rather than the unlawful conduct the plaintiff would ask the

court to infer.” Am. Dental Ass’n v. Cigna Corp., 605 F.3d 1283, 1290 (11th Cir.

2010) (quoting Iqbal, 556 U.S. at 682, 129 S. Ct. at 1951–52).

      The parties do not dispute that laptops containing the sensitive information

of Curry and Moore were stolen from AvMed, but Curry and Moore’s second

amended complaint fails to plead enough facts to allow a factfinder to draw a

reasonable inference that the sensitive information identity thieves used to open the

fraudulent accounts in the plaintiffs’ names was obtained from AvMed. In an

attempt to bridge this gap, Curry and Moore allege that they have both been very

careful to protect their sensitive information. For example, Curry alleges that she

“destroys any documents she receives in the mail that contain any of her Sensitive

Information, or that contain any information that could otherwise be used to steal

                                           25
             Case: 11-13694     Date Filed: 09/05/2012    Page: 26 of 30

her identity, such as credit card offers,” Compl. ¶ 55, and Moore alleges that he

“destroys any documents he receives in the mail that contain any of his Sensitive

Information, or that contain any information that could otherwise be used to steal

his identity,” Compl. ¶ 71. But the manner in which Curry and Moore care for the

sensitive information they receive from third parties tells us nothing about how the

third parties care for that sensitive information before or after they send it to Curry

and Moore.

      The factual allegations in the second amended complaint present “obvious

alternative explanation[s],” Am. Dental Ass’n, 605 F.3d at 1290 (quoting Iqbal,

556 U.S. at 682, 129 S. Ct. at 1951–52) (internal quotation marks omitted),

regarding the cause of the identity thefts that Curry and Moore suffered. An

unscrupulous third party that possessed the sensitive information of Curry and

Moore might have sold that information to the identity thieves who opened the

fraudulent accounts or a careless third party might have lost the information that

then found its way into the hands of those thieves. Although it is conceivable that

the unknown identity thieves used the sensitive information stolen from AvMed to

open the fraudulent accounts, it is equally conceivable, in the light of the facts

alleged in the complaint, that the unknown identity thieves obtained the

information from third parties. Curry and Moore do not allege any facts that make

                                          26
             Case: 11-13694     Date Filed: 09/05/2012   Page: 27 of 30

it plausible that the unknown identity thieves who opened the fraudulent accounts

obtained the sensitive information necessary to do so from AvMed.

      The majority opinion attempts to salvage the complaint by asserting that it

alleges that the sensitive information used to steal Curry and Moore’s identities

was obtained from AvMed, Majority Opinion at 16, but the complaint alleges no

such thing. The majority opinion cites six paragraphs of the complaint to support

its conclusion that the complaint plausibly alleges that the sensitive information

used to steal Curry and Moore’s identities was obtained from the stolen laptops:

      • On or about December 10, 2009, two unencrypted laptop computers
      were stolen from AvMed’s Gainesville, Florida corporate office . . . .
      The laptops contained private, personal information including, but not
      limited to, protected health information . . . , Social Security numbers
      . . . , medical information and other information (collectively,
      “Sensitive Information”) of approximately 1.2 million AvMed
      enrollees;

      • As a result of AvMed’s failure to implement and follow basic
      security procedures, Plaintiffs’ Sensitive Information is now in the
      hands of thieves. Plaintiffs now face a substantial increased risk of
      identity theft; in fact, Curry and Moore have already experienced
      repeated instances of identity theft since the data breach. . . .

      • Curry’s Sensitive Information was contained on an unprotected and
      unencrypted laptop computer that was stolen in the data breach. As a
      result of the data breach, Curry’s identity was stolen.

      • Curry’s identity was stolen and, in or around October 2010, it was
      used to open bank accounts with Bank of America and activate cards
      in her name;

                                         27
             Case: 11-13694      Date Filed: 09/05/2012    Page: 28 of 30

      • Curry’s Sensitive Information was also used to change her home
      address with the U.S. Postal Service;

      • The E*Trade Financial bank account was opened by an individual
      using Moore’s Sensitive Information.

Compl. ¶¶ 2, 3, 7, 44, 46, & 61; see also Majority Opinion at 16−17. But these

paragraphs do not plausibly allege that the identity thieves gained access to Curry

and Moore’s sensitive information from the stolen laptops. At most, the complaint

alleges that AvMed lost Curry and Moore’s sensitive information on December 10,

2009, and about a year later, unidentified third parties obtained unspecified

sensitive information from an unidentified source and used that unspecified

information to engage in identity theft. The complaint, in the words of the majority

opinion, alleges nothing “more than a coincidence of time and sequence.” Majority

Opinion at 16.

      The majority opinion assures us that Curry and Moore have, in fact, alleged

something “more than a coincidence of time and sequence” between the stolen

laptops and the identity thefts because “Plaintiffs state that the identity thief used

Plaintiffs’ sensitive information” to open the fraudulent accounts, id., but that

circular reasoning fails. No one disputes that unknown identity thieves used the

plaintiffs’ sensitive information to open fraudulent accounts in their names. The




                                           28
             Case: 11-13694     Date Filed: 09/05/2012    Page: 29 of 30

dispute is whether the unknown identity thieves obtained that sensitive information

from the laptops stolen from AvMed.

      The complaint fails to allege a plausible basis for inferring that the unknown

identity thieves obtained the sensitive information of Curry and Moore from

AvMed. The complaint, for example, does not allege that only AvMed possessed

the sensitive information used to open the fraudulent accounts. The complaint does

not even allege what sensitive information was used to open financial accounts in

the plaintiffs’ names. The complaint alleges, for example, that the sensitive

information stolen from AvMed included health and medical information, but the

complaint fails to allege that this kind of information was used to open financial

accounts in the plaintiffs’ names.

      “Determining whether a complaint states a plausible claim for relief [is] a

context-specific task that requires the reviewing court to draw on its judicial

experience and common sense,” Iqbal, 556 U.S. at 679, 129 S. Ct. at 1950, and that

experience reveals that vast numbers of individuals, businesses, and governmental

bodies possess our sensitive information, e.g., our names, social security numbers,

health information, and other personal data. Technology allows this information to

be copied quickly and transmitted over the Internet in an instant. Because of the

nature of sensitive information—a social security number and a name are the same

                                          29
             Case: 11-13694     Date Filed: 09/05/2012    Page: 30 of 30

regardless of who possesses that information—it may be difficult to pinpoint the

source of the sensitive information that is used to commit identity theft. But that

difficulty does not relieve Curry and Moore of their burden under Rule 8 to plead a

plausible basis for inferring that the sensitive information used by the identity

thieves was obtained from AvMed.

      The complaint also fails to state a claim of unjust enrichment under Florida

law. “Florida courts have held that a plaintiff cannot pursue a quasi-contract claim

for unjust enrichment if an express contract exists concerning the same subject

matter.” Diamond “S” Dev. Corp. v. Mercantile Bank, 989 So. 2d 696, 697 (Fla.

Dist. Ct. App. 2008); see also Am. Safety Ins. Serv., Inc. v. Griggs, 959 So. 2d

322, 331 (Fla. Dist. Ct. App. 2007) (“A plaintiff may recover under quasi-contract

where there is no express or implied-in-fact contract, but the defendant received

something of value or benefited from the service supplied.”). The parties do not

dispute that they entered into an enforceable contract; they dispute whether the

contract has been breached. In that circumstance, a claim of unjust enrichment

cannot be maintained.

      I respectfully dissent.




                                          30
