
Bass v. Facebook, Inc.

UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA
Jun 21, 2019
394 F. Supp. 3d 1024 (N.D. Cal. 2019)


Opinion

No. C 18-05982 WHA (JSC) Consolidated Cases: Nos. C 18-06022 WHA (JSC) C 19-00117 WHA (JSC)

06-21-2019

William BASS Jr., an individual and California resident, and Stephen Adkins, an individual and Michigan resident, on behalf of themselves and all others similarly situated, Plaintiffs, v. FACEBOOK, INC., Defendant.

Andrew N. Friedman, Pro Hac Vice, Karina Grace Puttieva, Cohen Milstein Sellers & Toll PLLC, Washington, DC, Ariana J. Tadler, Henry J. Kelston, Milberg Tadler Phillips Grossman LLP, New York, NY, John A. Yanchunis, Morgan & Morgan Complex Litigation Group, Tampa, FL, Jeremy Keith Robinson, Casey Gerry Schenk Francavilla Blatt and Penfield, San Diego, CA, Kate M. Baxter-Kauf, Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, for Plaintiffs. Elizabeth L. Deeley, Alexander E. Reicher, Melanie Marilyn Blunschi, Michael H. Rubin, Latham & Watkins LLP, San Francisco, CA, Andrew Brian Clubok, Pro Hac Vice, Susan E. Engel, Pro Hac Vice, Latham & Watkins LLP, Washington, DC, Serrin A. Turner, Pro Hac Vice, Latham & Watkins LLP, New York, NY, for Defendant.


ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS

William Alsup, United States District Judge

INTRODUCTION

In this data-breach putative class action, defendant Facebook, Inc. moves to dismiss the consolidated complaint pursuant to Rule 12(b)(1) and Rule 12(b)(6). The motion to dismiss is GRANTED IN PART AND DENIED IN PART.

STATEMENT

1. FACEBOOK , INC.

Defendant Facebook, Inc. operates an online social network where users stay in touch with family and friends, share their thoughts, and connect with each other (Dkt. No. 76 ¶¶ 1, 9–11). This primarily happens on the user's "Timeline" — a space to share experiences by posting various forms of content, such as comments, photos, and videos (Bream Decl. ¶¶ 7, 8). Facebook's platform is widely used throughout the world. Facebook has approximately 2.2 billion users and an annual revenue of $40.65 billion (Dkt. No. 76 ¶¶ 1, 11).

Facebook primarily generates its revenue by monetizing its users' information. None of its 2.2 billion users pay Facebook money (id. ¶ 10). Instead, approximately 96% of Facebook's revenue "originate[s] from the sale of targeted advertising based on the extensive data Facebook collects, analyzes, and maintains about its users" (id. ¶ 11). In addition, the collected information enables the platform technology to operate (id. ¶¶ 26, 28, 32).

At minimum, Facebook requires every user to share their "name, email address or mobile phone number, date of birth, and gender" (id. ¶ 26). In full, however, Facebook purportedly collects a much broader set of data, including:

all posts, photos and videos, all replies, likes and reactions, all friends and friend history, all games, every "follow" including individuals, event, activity, service, application, group, web sites, advertisements, all followers of the same, all messages exchanges, event RSVPs, all profile information (username, devices, authentication methods, recoverable email accounts and credentials, encryption settings, phone numbers, challenge response information, biometric information and settings, birth date, major events, employment, education, education history, personal preferences, "about me," religion and political preferences, work history, book preferences, fitness data, news feed preferences, musical preferences), GPS locations where messages, photos, and posts were made, all "pokes," all advertisements, all calls and messages and associated event logs, and all security and login information including all devices used to access Facebook.

(id. ¶ 126).

The collection and maintenance of all this information has impelled Facebook to provide some transparency as to its data-protection practices. To this end, two separate links posted on the website, entitled "Data Policy" and "Privacy Basics" contain representations as to what data are collected, what data are shared, and with whom (id. ¶¶ 38, 44). The links also include certain representations such as "Privacy Principles" where Facebook asserts "[w]e design privacy into our products from the outset," "[w]e work around the block [sic] to help protect people's accounts," and "[w]e are accountable" (id. ¶ 44).

Nevertheless, Facebook users' private information has not been protected. In 2007, Facebook's then-57 million users settled a class action suit which arose from Facebook's "privacy" practices for $9.5 million. The following year, Facebook exposed the birthdays of roughly 80 million users (id. ¶¶ 11, 47–50). Then, in 2011, Facebook settled with the Federal Trade Commission over charges that it had deceived users by "telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public" (id. ¶ 54 n.32) (quoting Facebook Settles FTC Charges that it Deceived Consumers by Failing to Keep Privacy Promises, The Fed. Trade Comm'n (Nov. 29, 2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep). More recently, in 2015, the world learned that Cambridge Analytica had misused personal data from Facebook to generate targeted political advertisements. Facebook's relationship with Cambridge Analytica led to a political uproar. All this preceded the instant suit (Dkt. No. 76 ¶¶ 48, 58).

2. ACCESS TOKENS

"Access tokens" star in the instant data breach. When a Facebook user logs into Facebook with a specific username and password, that user can conveniently access Facebook again without being forced to re-enter that information. This ease-of-access is facilitated by the "access token" generated by Facebook for that user upon his or her first log-in. The access token operates as an automatic super password — an electronic object embedded with all of a user's security information — which allows a user to log in numerous times without typing out their username and password each time. Many companies, not just Facebook, use this tool to reduce barriers between the user and the online platform, thereby increasing ease-of-access and efficiency (id. ¶¶ 81–83).

Facebook's access tokens, however, carry specific value. As stated in the consolidated complaint:

[o]nce a malicious actor is able to gain access to and compromise that user's access token, Facebook's lack of security and safeguards allowed that malicious actor to then use that access token to gain access to and compromise all tokens from that user's shared or connected web applications (i.e., those applications that utilize the "Facebook Login" system, such as Microsoft Azure cloud platform, SalesForce, etc.). Worse, that malicious actor could then reset all user permissions, passwords, and other safeguards (such as two-factor authentication) not only in Facebook, but also any third-party accounts that utilize Facebook's authentication login features and do so in such a manner that the user is not provided an alert or any other notification. From there, the malicious actor can syphon [sic] PII and other personal data from those accounts without hindrance. To prevent unauthorized users from eavesdropping, there is free software to validate the data transferred between the client browser and the application servers. Most hackers also utilize the free software as a simple method to detect and identify easy areas of exploit.

(Id. ¶ 110) (emphasis added).

Put simply, once a Facebook user's access token is compromised, all tokens from the user's shared or connected web applications (like Skype and Uber) purportedly become accessible. In addition, anyone with access to the token can reset all other user data permissions and steal the tokens of all connected applications without alerting the original user. Facebook's access tokens are allegedly the key to a breathtaking amount of online access (id. ¶¶ 99–101, 109).

Importantly, standard industry practice is for companies to limit the lifespan of the tokens. By contrast, Facebook allegedly designed its access tokens to never expire (id. ¶¶ 83, 106–109). With this background in tow, this order now turns to the events at issue.
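The token-lifetime point above (the order's contrast between tokens with a limited lifespan and tokens that never expire, and the forced logout described later in the order under "This Action"), as an added example that is not code from the opinion, the complaint, or Facebook: a minimal HMAC-signed bearer token carrying an `exp` claim, a verifier that refuses tokens without one, and a per-user "invalidate everything issued before T" cutoff, which is what a forced logout amounts to on the server side. The signing key, the claim names, the `TokenStore` class and the sample user ids are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Server-side signing key. Constructed for this example; a real deployment
# would load it from a secrets manager and rotate it.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, now: int, ttl: Optional[int] = 3600) -> str:
    """Mint a bearer token for user_id at time `now` (unix seconds).

    ttl=None reproduces the never-expiring design the order describes; it is
    kept only so that verify_token can be shown rejecting such a token.
    """
    claims = {"sub": user_id, "iat": now}
    if ttl is not None:
        claims["exp"] = now + ttl
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


class TokenStore:
    """Per-user revocation cutoff: every token issued before the cutoff is
    dead. A 'forced logout' of N accounts is N such cutoffs."""

    def __init__(self) -> None:
        self._cutoff: Dict[str, int] = {}

    def invalidate_all(self, user_id: str, now: int) -> None:
        self._cutoff[user_id] = now

    def cutoff_for(self, user_id: str) -> Optional[int]:
        return self._cutoff.get(user_id)


def verify_token(token: str, now: int, store: TokenStore) -> Tuple[Optional[dict], str]:
    """Return (claims, "ok") or (None, reason). Each failure has its own
    reason so that logs distinguish tampering from staleness."""
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if "exp" not in claims:
        return None, "no expiry"  # policy: a token that never expires is refused
    if now >= claims["exp"]:
        return None, "expired"
    cutoff = store.cutoff_for(claims["sub"])
    if cutoff is not None and claims["iat"] < cutoff:
        return None, "revoked"  # issued before the forced logout
    return claims, "ok"


def forge_subject(token: str, new_sub: str) -> str:
    """What an attacker without the key can try: rewrite the claims and keep
    the old signature. verify_token must reject the result."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = new_sub
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    store = TokenStore()
    tok = issue_token("alice", now=1_000)
    print(verify_token(tok, 2_000, store)[1])                                  # ok
    print(verify_token(tok, 5_000, store)[1])                                  # expired
    print(verify_token(issue_token("alice", 1_000, ttl=None), 2_000, store)[1])  # no expiry
    store.invalidate_all("alice", now=1_500)                                   # forced logout
    print(verify_token(tok, 2_000, store)[1])                                  # revoked
    print(verify_token(issue_token("alice", 1_600), 2_000, store)[1])          # ok
    print(verify_token(forge_subject(tok, "bob"), 2_000, store)[1])            # bad signature
```

The cutoff is keyed by issue time rather than by token id, so revoking an account costs one integer of state no matter how many tokens it has outstanding; the price is that a clock skewed backwards on the issuing host can resurrect revoked tokens, which is why `now` is passed in explicitly here rather than read from the wall clock inside the functions.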

3. THE DATA BREACH

On September 14, 2018, Facebook discovered it had a coding vulnerability related to its "View As" feature. The vulnerability revealed users' access tokens. Hackers accordingly stole the access tokens for 69,000 users. This led to the theft of a narrow set of information for 15 million worldwide users (2.7 million United States users) and a more comprehensive set of information for 14 million worldwide users (1.2 million United States users) (id. ¶¶ 84, 95).

The hacking began sometime after July 2017. The specific source of the vulnerability related to the internal coding of Facebook's "View As" feature. This feature permitted users to see what their own "Timeline" looked like to other users (id. ¶¶ 3, 88, 91, 94). To illustrate, if a teenage user wanted to see his own account from the perspective of his parents' account, the teenager would utilize this "View As" feature on his own account to "view" the account "as" his parents. This would enable the teenager to see firsthand what information his parents could and could not see on the teenager's account.

Momentarily stepping outside the consolidated complaint, Facebook has provided a declaration with step-by-step information of how the attack took place. Per the declaration, when a user's "Timeline" was accessed in the "View As" mode, an access token for the other user was generated and embedded in the Hypertext Markup Language ("HTML") of the web page. The HTML is the source of the page itself, which anyone who receives the page can read; it is not merely the address shown as "www.Facebook.com." So, when the teenager viewed his account through the eyes of his parents' account, a token valid for his parents' account was written into the page delivered to the teenager's browser. The attackers could then use the parents' access token to access the parents' account and repeat the identical process with the parents' friends. Ultimately, per Facebook's declaration, approximately 69,000 user accounts had their full accounts accessed through this vulnerability (Bream Decl. ¶¶ 12, 14).

This vulnerability did not occur every time a user utilized the "View As" feature. Rather, the vulnerability only materialized if two additional (somewhat random) conditions were satisfied. First, the teenager's birthday had to be visible on the "Timeline." Second, at least three other users had to have posted birthday messages on that "Timeline" (id. ¶¶ 13, 14).

Significantly, the vulnerability allowed for access tokens to be generated only if the "seed user" (the teenager) met the conditions described above. Accordingly, even if one user was vulnerable, not every account linked was also vulnerable (id. ¶ 16). To illustrate, if the teenager had his birthday visible on his "Timeline" and had three friends wish him happy birthday on his "Timeline," then his parents' access token would be generated when the teenager viewed his account through the eyes of his parents' account. With the parents' access token in hand, the attackers could then turn to the parents' account and treat that account as a new seed user account. If, however, the parents' account did not have a birthday visible on their own "Timeline," the access tokens to the parents' friends' accounts would not be revealed. This would end that branch of the access-token collection tree.
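The leak path and the access-token collection tree described above, as an added simulation that is not code from the opinion or from Facebook's declaration: the friend graph, the deterministic `tok-<user>` token format, the `render_view_as_*` handlers and the attacker's scraping step are all constructed for the example. The vulnerable handler reproduces the pattern the declaration describes (a token minted for the viewed-as user ends up in the HTML sent to the viewer, but only when the owner's Timeline meets the two birthday conditions); the fixed handler treats "View As" as a visibility filter on the requester's own session and never mints a credential for anyone else. `collect_tokens` walks the graph the way the order describes the attackers doing, and each branch ends where the seed conditions fail.

```python
import re
from collections import deque
from typing import Callable, Dict, Optional, Set

# Constructed fixture: a tiny friend graph. The two attributes mirror the
# conditions the declaration describes for the seed Timeline: a visible
# birthday and at least three birthday posts from other users.
USERS: Dict[str, dict] = {
    "teen":  {"friends": ["mom", "dad"],    "birthday_visible": True,  "birthday_posts": 3},
    "mom":   {"friends": ["teen", "aunt"],  "birthday_visible": True,  "birthday_posts": 5},
    "dad":   {"friends": ["teen", "uncle"], "birthday_visible": False, "birthday_posts": 4},
    "aunt":  {"friends": ["mom"],           "birthday_visible": True,  "birthday_posts": 0},
    "uncle": {"friends": ["dad"],           "birthday_visible": True,  "birthday_posts": 3},
}


def mint_token(user: str) -> str:
    """Hypothetical token minter. Deterministic so the harvest below can be
    checked; a real token would be an unguessable value."""
    return f"tok-{user}"


def seed_conditions_met(owner: str) -> bool:
    u = USERS[owner]
    return u["birthday_visible"] and u["birthday_posts"] >= 3


def render_view_as_vulnerable(owner: str, view_as: str) -> str:
    """Flawed pattern: switching the rendering context to `view_as` lets a
    widget on the page obtain a token minted FOR view_as, and that token is
    written into the HTML returned to `owner`'s browser."""
    html = [f"<p>Timeline of {owner}, as seen by {view_as}</p>"]
    if seed_conditions_met(owner):
        # The bug: a credential for someone other than the requester is
        # embedded in a page the requester receives.
        html.append(f'<script>window.__token = "{mint_token(view_as)}";</script>')
    return "<html><body>" + "".join(html) + "</body></html>"


def render_view_as_fixed(owner: str, view_as: str) -> str:
    """Hardened: 'View As' only filters what is shown. Nothing is minted for
    view_as, and no credential at all is placed in the page body."""
    html = [f"<p>Timeline of {owner}, as seen by {view_as}</p>"]
    if seed_conditions_met(owner):
        html.append("<p>birthday posts shown</p>")
    return "<html><body>" + "".join(html) + "</body></html>"


TOKEN_RE = re.compile(r'__token = "([^"]+)"')


def extract_token(html: str) -> Optional[str]:
    """What the attacker does with the response: scrape the page source."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def collect_tokens(seed: str, render: Callable[[str, str], str]) -> Set[str]:
    """Replay the access-token collection tree: from an account the attacker
    holds, view its Timeline 'as' each friend; every token that leaks makes
    that friend a new seed. A branch ends where the seed conditions fail."""
    compromised: Set[str] = {seed}
    queue = deque([seed])
    while queue:
        owner = queue.popleft()
        for friend in USERS[owner]["friends"]:
            if friend in compromised:
                continue
            leaked = extract_token(render(owner, friend))
            if leaked == mint_token(friend):
                compromised.add(friend)
                queue.append(friend)
    return compromised


if __name__ == "__main__":
    print(sorted(collect_tokens("teen", render_view_as_vulnerable)))  # ['aunt', 'dad', 'mom', 'teen']
    print(sorted(collect_tokens("teen", render_view_as_fixed)))       # ['teen']
```

In the fixture "dad" is reached (the teenager's Timeline meets the conditions, so viewing it as dad leaks dad's token), but "uncle" is not, because dad's own Timeline has no visible birthday and the branch stops there, exactly the pruning the order describes. Scoping an incident of this shape is the same walk run over the real graph from the known seed accounts.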

The information taken in the attack did not end with these 69,000 users. Facebook connects users to each other. This means that once accounts have been connected to each other as "friends" on Facebook, one user can see another user's information. Once the attackers compromised the access tokens to an account, account-information associated with connected accounts could be culled as well. This resulted in 29 million users (approximately 4 million users in the United States) having information taken in this data breach, according to Facebook (id. ¶ 9).

These 29 million users can be divided into two groups. The first group comprises approximately 15 million users (2.7 million users in the United States). For these users, the attackers obtained solely the user's name and basic contact information (phone number and/or email address, depending on which the user had chosen to provide to Facebook) (id. ¶ 11.c.).

The second group comprises approximately 14 million users (1.2 million users in the United States). For these users, in addition to the information listed for the first group, the hackers also obtained the username, gender, date of birth, and (if users had chosen to share it) workplace, education, relationship status, religious views, hometown, self-reported current city, website, the user's locale/language, the types of devices used to access Facebook, the last ten places the user "checked into" or was "tagged" in on Facebook, the people or pages that the user "followed" on Facebook, and the user's fifteen most recent searches using the Facebook search bar (id. ¶ 11.d.).

4. THIS ACTION

Facebook first became aware of a potential data breach on September 14, 2018. Facebook's engineering team isolated the security flaws on September 25, 2018. Facebook notified potentially affected users on September 28, 2018. Facebook then purportedly invalidated the access tokens of over 90 million accounts that were potentially impacted by the vulnerability and effected a "forced logout" which "requir[ed] [users] to reenter their passwords" to access their accounts (Dkt. No. 76 ¶¶ 84–87, 91–92).

After the breach had been publicly announced, eleven separate lawsuits were filed against Facebook. These lawsuits generally alleged that Facebook failed to adequately protect its users' accounts. A public tutorial on the issue of personal information in the context of data breaches proceeded in the district court. The eleven actions were then consolidated and an amended consolidated complaint was filed (Dkt. Nos. 67, 76). Five named plaintiffs filed the consolidated complaint. Except for one original named plaintiff, every named plaintiff who had not filed the consolidated complaint voluntarily withdrew without prejudice (Dkt. Nos. 87–94).

The consolidated complaint asserted ten claims on behalf of a class of Facebook users in the United States "whose [personal identifiable information] was compromised in the data breach announced by Facebook on September 28, 2018" (id. ¶¶ 13, 179). Those ten claims are: (i) breach of contract; (ii) breach of implied contract; (iii) breach of implied covenant of good faith and fair dealing; (iv) quasi-contract for non-restitutionary damages; (v) negligence; (vi) negligence per se; (vii) violation of California's Unfair Competition Law; (viii) violation of California's Consumer Legal Remedies Act; (ix) breach of confidence; and (x) declaratory judgment.

Due to the number of consolidated cases, an order was issued appointing co-interim class counsel to coordinate motion practice and discovery (Dkt. No. 79). Facebook moved to dismiss (Dkt. No. 96). After full briefing (Dkt. Nos. 108, 115), a hearing followed in May 2019. At the hearing, it came to light that Facebook had asked for, and not received, the benefit of plaintiffs' depositions. Those depositions were immediately ordered.

The depositions took place. The parties filed supplemental briefing (Dkt. Nos. 122, 135). Three of the five remaining named plaintiffs abruptly withdrew (Dkt. Nos. 140–142). This order follows.

ANALYSIS

Facebook moves under two different rules: Rule 12(b)(1) and Rule 12(b)(6). This order assesses each in turn.

1. RULE 12(b)(1)

Rule 12(b)(1) requires dismissal of claims where a plaintiff fails to establish subject-matter jurisdiction. White v. Lee , 227 F.3d 1214, 1242 (9th Cir. 2000). "Rule 12(b)(1) attacks on jurisdiction can be either facial, confining the inquiry to allegations in the complaint, or factual, permitting the court to look beyond the complaint." Savage v. Glendale Union High School, Dist. No. 205, Maricopa County , 343 F.3d 1036, 1039 n.2 (9th Cir. 2003) (citation omitted). Facebook urges both. Still, because the moving party in a factual attack converts the motion into a factual motion, see Safe Air for Everyone v. Meyer , 373 F.3d 1035, 1039 (9th Cir. 2004), the facial attack is subsumed by the factual attack. This order therefore only assesses Facebook's factual attack. We look beyond the complaint.

Two named plaintiffs remain in this action — plaintiff Stephen Adkins and plaintiff William Bass. They both allege four theories of harm due to Facebook's alleged inadequate safeguarding of its users' personal information. Facebook has factually attacked plaintiffs' Article III standing by properly presenting the declaration of Christopher Bream, the individual who led the security response to the data breach, and depositions of the named plaintiffs. Both plaintiffs must now defend jurisdiction by "furnish[ing] affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction." Wolfe v. Strankman , 392 F.3d 358, 362 (9th Cir. 2004) (citation omitted). For the reasons stated below, plaintiff Stephen Adkins satisfied his burden to establish Article III standing. Plaintiff William Bass did not.

A. PLAINTIFF STEPHEN ADKINS

A federal court's subject-matter jurisdiction is limited to "cases" or "controversies." Raines v. Byrd, 521 U.S. 811, 818, 117 S.Ct. 2312, 138 L.Ed.2d 849 (1997). This limitation requires plaintiff to have standing to bring suit. "To establish Article III standing, an injury must be ‘concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.’ " Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149, 130 S.Ct. 2743, 177 L.Ed.2d 461 (2010)). Plaintiff shoulders the burden to establish these elements "with the manner and degree of evidence required at the successive stages of litigation." Lujan v. Def. of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). Nevertheless, should a plaintiff fail to meet his standing burden, the lawsuit must be dismissed under Rule 12(b)(1). Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 109–110, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998).

The bugaboo here is the first standing element: injury in fact. To satisfy the injury in fact element, "the plaintiff must show that he personally has suffered some actual or threatened injury as a result of the putatively illegal conduct of the defendant." Gladstone Realtors v. Vill. of Bellwood , 441 U.S. 91, 99, 99 S.Ct. 1601, 60 L.Ed.2d 66 (1979). "[T]hreatened injury must be certainly impending" and a "possible future injury" does not suffice. Clapper , 568 U.S. at 409, 133 S.Ct. 1138 (quotations omitted). "[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Lewis v. Casey , 518 U.S. 343, 357, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996) (citations and internal quotations omitted).

Plaintiff Adkins alleged the following four harms: (i) substantial risk of future identity theft based on the information taken; (ii) lost time responding to the data breach; (iii) loss of the value of personal information; and (iv) failure to receive the benefit of his bargain with Facebook. The former two harms have been sufficiently established at this stage. It is therefore unnecessary to consider the latter two here. (Because they are economic harms, the latter two alleged harms will instead be analyzed in the context of Section 17200 and the CLRA.)

Facebook notified plaintiff Adkins that he had been subject to the data breach. A reasonable inference can therefore be drawn which traces the plausibly alleged harms to the purported mishandling of plaintiff Adkins's personal information through the data breach. Accordingly, at this stage, plaintiff Adkins has established that he has standing.

Plaintiff Adkins provided Facebook with his name, email address, telephone number, date of birth, locations, work and education history, hometown, relationship status, and photographs (Adkins Dep. 185:2–186:10, 314). Facebook informed plaintiff Adkins through a notification that his information had been taken in this data breach. Plaintiff Adkins purported to have subsequently received extensive "phishing" emails and text messages. Plaintiff Adkins also spent as much as an hour managing the aftermath of the data breach (Dkt. No. 76 ¶¶ 163–170). This order now assesses the dual harms of risk of future identity theft and lost time.

i. Risk of Future Identity Theft

The information taken in this data breach gave hackers the means to commit further fraud or identity theft. Plaintiff Adkins personally alleges this information was taken. Specifically, his name, email address, telephone number, date of birth, locations, work and education history, hometown, relationship status, and photographs now reside with criminals (Adkins Dep. 185:2–186:10, 314). Extensive "phishing" emails and text messages have bombarded plaintiff Adkins since the attack. Between the hacking and the phishing, plaintiff Adkins has plausibly shown risk of further fraud and identity theft.

Facebook argues that no sensitive information was taken. In Krottner v. Starbucks Corp. , our court of appeals concluded that the combination of the sensitivity of personal information with its theft can suffice to allege injury-in-fact. 628 F.3d 1139, 1140–43 (9th Cir. 2010). There, some of the data taken included social security numbers. Here, Facebook has gone to great lengths to show that all the information taken was otherwise publicly available information and not sensitive.

The information taken, however, need not be sensitive to weaponize hackers in their quest to commit further fraud or identity theft. To this end, a more recent decision from our court of appeals held that the rightful injury-in-fact determination is not to look at the minutia of what information had been taken — such as credit card information or social security numbers — but to specifically determine whether the data taken "gave hackers the means to commit fraud or identity theft." In re Zappos.com, Inc. , 888 F.3d 1020, 1027–29 (9th Cir. 2018), cert. denied sub nom. Zappos.com v. Stevens , ––– U.S. ––––, 139 S. Ct. 1373, 203 L.Ed.2d 609 (2019). This is not a departure from Krottner , which emphasized that the key inquiry was the "increased risk of identity theft." Krottner , 628 F.3d at 1142. Imminent injury in fact can be established through information similar in function to social security numbers so long as the stolen data operated to be "sufficiently similar to that in Krottner to require the same conclusion...." In re Zappos.com, Inc. , 888 F.3d at 1027.

The stolen data here is sufficiently similar. A social security number derives its value in that it is immutable. So is someone's date of birth, hometown, and high school, which had been taken here from plaintiff Adkins. As a result of this data breach, this information can now forever be wielded to identify plaintiff Adkins and target him in fraudulent schemes and identity theft attacks. The rest of the alterable information taken, such as plaintiff Adkins's name, email address, telephone number, locations, work and education history, relationship status, and photographs, now in the hands of nefarious actors, will provide further ammo. Put simply, the amount of information taken "gave hackers the means to commit fraud or identity theft." Ibid. This suffices under Krottner and Zappos .

We must not forget that the hackers did not merely attack Facebook and loot it. These hackers went out of their way to run search queries on 69,000 hacked accounts for the sole purpose of culling personal information from an additional 30 million people. The attackers' cards have been revealed: the goal was not merely to attack, the goal was to take personal information on a mass scale. It is not too great a leap to assume, therefore, that their goal in targeting and taking this information was to commit further fraud and identity theft.

That each strand of information can be painstakingly collected through a mishmash of other sources is irrelevant. Facebook is a centralized location which stores personal information for billions of users. Constructing this information from random sources bit by bit would be hard.

"Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints." Galaria v. Nationwide Mut. Ins. Co. , 663 F. App'x 384, 388 (6th Cir. 2016). "Why else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Remijas v. Neiman Marcus Grp., LLC , 794 F.3d 688, 693 (7th Cir. 2015). Between the obvious goal of taking personal information, the nature and amount of information taken, and the extended phishing emails which have subsequently followed the attack, plaintiff Adkins has plausibly shown he is at risk of further fraud and identity theft.

ii. Loss of Time

Our court of appeals has never considered whether loss of time rectifying the aftermath of a data breach suffices to establish harm for standing. Recently, however, the United States Court of Appeals for the Seventh Circuit stated that in a data breach, "the value of one's own time needed to set things straight is a loss from an opportunity-cost perspective." Dieffenbach v. Barnes & Noble, Inc. , 887 F.3d 826, 828 (7th Cir. 2018). Here, plaintiff Adkins has stated that he received around 30 e-mails which he spent between a few minutes and an hour sorting through (Adkins Dep. 204:9–205:2). This order agrees with Dieffenbach that loss of time establishes injury in fact.

This order also concludes that the amount of time alleged here establishes injury. True, sorting through a few dozen e-mails may or may not have taken an hour to rectify and perhaps the time spent later proves de minimis. This story, however, has yet to end. As consequences of this data breach continue to unfold, so too, will plaintiff's invested time. More phishing e-mails will pile up. At this stage, the time loss alleged suffices.

* * *

Plaintiff Adkins has established standing through the dual harms of increased risk of future harm and loss of time. As to plaintiff Adkins, Facebook's Rule 12(b)(1) motion is therefore DENIED.

B. PLAINTIFF WILLIAM BASS , JR.

At the pleading stage, plaintiff bears the burden of "demonstrating that ... injury-in-fact is ... fairly traceable to the challenged action." Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 967 (9th Cir. 2018), cert. denied, ––– U.S. ––––, 139 S. Ct. 640, 202 L.Ed.2d 492 (2018) (citing Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149, 130 S.Ct. 2743, 177 L.Ed.2d 461 (2010)). Here, the challenged action is Facebook not adequately safeguarding its users' personal information. Plaintiff Bass's allegations do not demonstrate a plausible link to that action. The main difference between plaintiff Bass and plaintiff Adkins in terms of establishing standing is that plaintiff Adkins alleged he received a notification from Facebook informing him that he had been a victim of the data breach, thereby connecting him to the data breach. Plaintiff Bass never so alleges. Of course, the lack of a notice alone does not foreclose plaintiff Bass from establishing standing. What forecloses plaintiff Bass from establishing standing here is that none of the circumstantial evidence he provides plausibly connects to the data breach. Either the facts do not trace to the data breach at all, or they are so common that the infinite alternative explanations foreclose plausibility. Plaintiff Bass has not met his burden.

Plaintiff Bass alleges he was a victim of the data breach because of three facts: (i) he had been forcibly logged out of his Facebook account; (ii) he received phone calls from people purporting to be his family members; and (iii) he subsequently received fake Facebook friend requests, spam e-mails, and pornographic links on his Facebook messenger service.

These allegations do not suffice to connect the dots to the data breach. The first two facts do not trace to the data breach at all. The consolidated complaint provided that Facebook logged 90 million users out of their accounts to reset access tokens (Dkt. No. 76 ¶ 4). Accordingly, the data breach did not cause the log-outs; Facebook's independent action did. It is also impossible to tell why plaintiff Bass assumed the phone calls materialized as a result of the data breach. The calls began in late August or early September (Bass Dep. 57:18–23). This was well before personal information from the data breach began to leak. Zero evidence demonstrates that hackers (or their customers) call their victims purporting to be family. No reasonable inference can be drawn connecting the log-outs and these calls to the data breach.

As to the third alleged fact, spam e-mails and fake friend requests simply occur to most, if not all, e-mail and social media users. They are too common and therefore cannot on their own establish causation here. To hold otherwise would effectively negate the standing requirement as to data breaches. Accordingly, although these occurrences may be evidence of having been the victim of a data breach, on their own, they cannot serve to connect plaintiff Bass to the data breach.

To reiterate, that Facebook did not notify plaintiff Bass that he had been victimized by the data breach does not foreclose a plausible allegation at this early stage. Still, some plausible connection to the data breach must be shown. Plaintiff Bass cannot merely assume he was a victim through facts that do not trace to the data breach and through occurrences so common the link to the data breach is merely possible.

Real victims from this data breach exist. Facebook has put forward sufficient evidence to show that plaintiff Bass was not one of them. Plaintiff Bass has not sufficiently rebutted this evidence. Facebook's Rule 12(b)(1) motion as to plaintiff Bass is GRANTED.

2. RULE 12(b)(6)

To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). A claim is facially plausible when there are sufficient factual allegations to draw a reasonable inference that defendants are liable for the misconduct alleged. While a court must take all of the factual allegations in the complaint as true, it is "not bound to accept as true a legal conclusion couched as a factual allegation." Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007).

A. LIMITATION-OF-LIABILITY SHOWSTOPPER

The limitation-of-liability clause stops five alleged claims from moving forward. These claims are: (i) breach of contract, (ii) implied contract, (iii) implied covenant of good faith and fair dealing, (iv) quasi-contract, and (v) breach of confidence.

The Terms of Service provide that California law governs both the terms and any claim. Perhaps regrettably, "[w]ith respect to claims for breach of contract, limitation of liability clauses are enforceable unless they are unconscionable, that is, the improper result of unequal bargaining power or contrary to public policy." Food Safety Net Servs. v. Eco Safe Sys. USA, Inc., 209 Cal. App. 4th 1118, 1126, 147 Cal.Rptr.3d 634 (2012). Specifically, the Terms of Service covered use of Facebook.com. The limitation-of-liability clause contained therein provided:

[w]e work hard to provide the best Products we can and to specify clear guidelines for everyone who uses them. Our Products, however, are provided "as is," and we make no guarantees that they always will be safe, secure, or error-free, or that they will function without disruptions, delays, or imperfections.... We do not control or direct what people and others do or say, and we are not responsible for their actions or conduct (whether online or offline) or any content they share (including offensive, inappropriate, obscene, unlawful, and other objectionable content).

We cannot predict when issues might arise with our Products. Accordingly, our liability shall be limited to the fullest extent permitted by applicable law, and under no circumstance will we be liable to you for any lost profits, revenues, information, or data, or consequential, special, indirect, exemplary, punitive, or incidental damages arising out of or related to these Terms or the Facebook Products, even if we have been advised of the possibility of such damages. Our aggregate liability arising out of or relating to these Terms or the Facebook Products will not exceed the greater of $100 or the amount you have paid us in the past twelve months.

(Dkt. No. 98, Exh. A at Sec. 4.3) (emphasis added). The "applicable law" within the meaning of the second paragraph quoted above is California Civil Code Section 1668, which established that:

All contracts which have for their object, directly or indirectly, to exempt anyone from responsibility for his own fraud, or willful injury to the person or property of another, or violation of law, whether willful or negligent, are against the policy of the law.

The Terms of Service was linked to, but not specifically quoted, in the consolidated complaint. Nonetheless, the consolidated complaint relied on the Terms of Service at length to allege its breach of contract claims and statutory claims. As such, Facebook's request to incorporate by reference the Terms of Service (Dkt. No. 99, Exh. A) is Granted.

Accordingly, the only way the breach of contract claims may move forward is if the limitation-of-liability clause is deemed unconscionable. Food Safety Net Servs., 209 Cal. App. 4th at 1126, 147 Cal.Rptr.3d 634. "[U]nconscionability has both a procedural and a substantive element, the former focusing on oppression or surprise due to unequal bargaining power, the latter on overly harsh or one-sided results." Mohamed v. Uber Techs., Inc., 848 F.3d 1201, 1210 (9th Cir. 2016) (internal quotation marks and citations omitted). The ultimate issue is whether, in view of all relevant circumstances, the contract is so unfair that enforcement must be withheld.

Facebook is not cost-free. The user incurs the cost of having his information mined and shared. Even if this is not a monetary charge, the user still incurs this burden. Nonetheless, the procedure followed by Facebook was fair. The clause was not buried. The clause was plainly above board and contained clear enough language. True, it is an adhesion contract, but there is no "rule that an adhesion contract is per se unconscionable." Poublon v. C.H. Robinson Co., 846 F.3d 1251, 1261–62 (9th Cir. 2017). No one is forced to enroll in Facebook's social media service. The four breach-of-contract claims are therefore dismissed. The breach of confidence claim is also dismissed because it is covered by the clause.

* * *

Facebook next argues that the limitation-of-liability clause should be a showstopper for negligence and negligence per se as well. As an aside, "under California law, negligence per se is a doctrine, not an independent cause of action." Dent v. Nat'l Football League, 902 F.3d 1109 (9th Cir. 2018) (citing Quiroz v. Seventh Ave. Ctr., 140 Cal. App. 4th 1256, 45 Cal.Rptr.3d 222 (2006)). These two alleged claims are therefore only one claim. Collapsing both alleged claims into one claim, this order allows the negligence claim to proceed.

"An agreement insulating one from liability for his own negligence must specifically so provide and is strictly construed against the party asserting the exemption, especially where he is the author of the agreement." Viotti v. Giomi, 230 Cal. App. 2d 730, 739, 41 Cal.Rptr. 345 (1964). "An agreement which seeks to limit generally without mentioning negligence is construed to shield a party only for passive negligence, not for active negligence." Burnett v. Chimney Sweep, 123 Cal. App. 4th 1057, 1066, 20 Cal.Rptr.3d 562 (2004) (quotations omitted). "Whereas passive negligence involves mere nonfeasance, such as the failure to discover a dangerous condition or to perform a duty imposed by law, active negligence involves an affirmative act, knowledge of or acquiescence in negligent conduct, or failure to perform specific duties." Frittelli, Inc. v. 350 N. Canon Drive, LP, 202 Cal. App. 4th 35, 48, 135 Cal.Rptr.3d 761 (2011) (quotation omitted) (emphasis added). In other words, Facebook's mere failure to discover the vulnerability might be barred by the clause, but if it had acquiesced to, or known of the vulnerability, the claim would certainly be allowed through.

Here, the limitation-of-liability clause does not mention "negligence" at all, let alone unequivocally preclude liability for negligence. At this early stage, no facts have been teased out. Precluding the claims for negligence pursuant to the liability clause is therefore impossible. They remain for now.

B. CLAIM FOR NEGLIGENCE

This order now turns away from the limitation of liability and considers whether a claim for relief based on negligence has been adequately pled.

This order holds that negligence has been plausibly alleged. To state a claim for negligence in California, a plaintiff must establish the following elements: (1) the defendant had a duty, or an "obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks," (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff's injuries, and (4) damages. Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009) (quoting McGarry v. Sax, 158 Cal. App. 4th 983, 70 Cal.Rptr.3d 519 (2008)). The consolidated complaint plausibly alleged each of these elements.

Specifically, Facebook allegedly failed to comply with minimum data-security standards during the period of the data breach. For example, "[i]ndustry-standard information and data security best practices demand that companies that utilize access tokens should limit the lifespan of those access tokens to a reasonable period (e.g., an hour, a day, a week, a month)" (Dkt. No. 76 ¶ 82). In turn, this breach plausibly caused the harm to plaintiff resulting in alleged damages. This is a classic negligence claim.

Facebook argues it does not owe its users a duty of care. California courts consider several factors when deciding whether a duty of care exists, including "the foreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant's conduct and the injury suffered, the moral blame attached to the defendant's conduct, the policy of preventing future harm, the extent of the burden to the defendant and the consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved." Regents of Univ. of Cal. v. Superior Court, 4 Cal. 5th 607, 628, 230 Cal.Rptr.3d 415, 413 P.3d 656 (2018) (quoting Rowland v. Christian, 69 Cal. 2d 108, 113, 70 Cal.Rptr. 97, 443 P.2d 561 (1968)). These factors "must be evaluated at a relatively broad level of factual generality." Ibid. (quotation omitted).

These factors have been satisfied here. The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information. Further, some of the information here was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security. From a policy standpoint, to hold that Facebook has no duty of care here "would create perverse incentives for businesses who profit off the use of consumers' personal data to turn a blind eye and ignore known security risks." In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1325 (N.D. Ga. 2019) (Judge Thomas Thrash). As such, plaintiff Adkins has met his obligation to plausibly plead duty of care.

Finally, Facebook argues that the economic loss rule bars plaintiff's negligence claim. Generally, purely economic losses are not recoverable in tort. Seely v. White Motor Co., 63 Cal. 2d 9, 16–17, 45 Cal.Rptr. 17, 403 P.2d 145 (1965). Put simply, "the economic loss rule prevent[s] the law of contract and the law of tort from dissolving one into the other." Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988, 22 Cal.Rptr.3d 352, 102 P.3d 268 (2004) (quotation omitted). The rule serves to "limit liability in commercial activities that negligently or inadvertently go awry." Id. at 991 n.7, 22 Cal.Rptr.3d 352, 102 P.3d 268. Here, plaintiff alleged his loss of time as a harm and so does not allege pure economic loss. The economic loss rule therefore does not apply.

C. CLAIMS UNDER SECTION 17200 AND THE CLRA

In order to establish standing for Section 17200 and the CLRA, plaintiffs must show that they personally lost money or property "as a result of the unfair competition." Cal. Bus. & Prof. Code § 17204; Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 330, 120 Cal.Rptr.3d 741, 246 P.3d 877 (2011). "There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary." Id. at 323, 120 Cal.Rptr.3d 741, 246 P.3d 877.

Plaintiff Adkins alleged two harms, which if plausible, would satisfy this criteria: (i) loss of the value of the personal information and (ii) failure to receive the benefit of his bargain with Facebook. Neither harm has been plausibly alleged.

As to the loss of value of the personal information, plaintiff Adkins has provided no market for the personal information or the impairment of the ability to participate in that market. This lack of specificity is fatal. It is not enough to merely say the information was taken and therefore it has lost value. In addition, plaintiff Adkins has not shown how this information has economic value to him. That the information has external value, but no economic value to plaintiff, cannot serve to establish that plaintiff has personally lost money or property.

Turning to the second alleged economic harm, plaintiff Adkins alleged that he had given over his personal information with the bargain that the information would be secure. The information was not secure and therefore he lost the benefit of his bargain. Yet, even if plaintiff Adkins did intend to sell his own data — an intention he did not have — it is unclear whether or how the data has been devalued by the breach. This alleged economic harm therefore also fails.

* * *

Plaintiff Adkins has only plausibly alleged harm arising from risk of future harm and loss of time. As alleged, neither of these show "lost money or property as a result of the unfair competition." Cal. Bus. & Prof. Code § 17204. Accordingly, plaintiff Adkins has not sufficiently alleged standing under Section 17200 and the CLRA.

D. DECLARATORY JUDGMENT

Plaintiff seeks a declaratory judgment that Facebook's existing security measures do not comply with its explicit or implicit contractual obligations to provide adequate security, and duties of care towards plaintiff's personal identifiable information. A dispute exists as to the continued risk plaintiff Adkins and similarly situated Facebook users face. While Facebook purports to have fixed the issues which led to this data breach, it is too early in the litigation to confidently say whether that is so. Dismissal of the declaratory judgment relief would be premature here.

The request for incorporation by reference by Facebook of the Privacy Basics website (Dkt. No. 99, Exh. B) and the request for judicial notice by plaintiff Adkins of four Facebook-related privacy webpages (Dkt. No. 108-8) are Denied as moot.

CONCLUSION

To the extent stated, the motion to dismiss is GRANTED IN PART AND DENIED IN PART. Only plaintiff Adkins may proceed with his claims. Plaintiff Bass has not adequately alleged standing. For plaintiff Bass to proceed, he must specify a connection to the data breach. Leave to amend will be allowed for him to attempt to do so.

* * *

Excluding standing, the order holds as follows. First, the four breach of contract claims and the breach of confidence claim cannot move forward because of the limitation-of-liability clause. Leave to amend will be allowed, however, because facts may conceivably be alleged which go towards determining whether procedural unfairness existed upon entering into the contract. Second, turning to the next two claims, negligence and negligence per se, these survive the motion to dismiss as a single claim. The limitation-of-liability clause does not preclude negligence here because contracts that limit liability without mentioning negligence specifically narrow the scope of liability based on a severe factual determination. Some circumstances will bar the claim under the clause. Some will cause the claim to survive the clause. So, this order takes a discovery-first approach to whether the clause applies to the negligence claim. Moving past the waiver, negligence has been plausibly alleged. Third, turning to the next two claims, the Section 17200/CLRA claims are barred because the only harm plaintiff plausibly alleged is risk of future harm and loss of time. Both of these statutes, however, require economic injury (money/property). Plaintiff Adkins may seek leave to amend. Fourth, the last claim is for declaratory judgment. This claim survives because the rights of the parties remain unknown at this early stage. In sum, only the dual claims for negligence and declaratory judgment survive the motion to dismiss. Negligence per se survives as a theory of the asserted negligence claim but not as a standalone claim. The rest of the claims are dismissed with leave to amend as set forth below. Discovery should be moving with alacrity.

* * *

Both plaintiffs may move for leave to amend by JULY 18 at NOON. Any such motion should include as an exhibit a redlined version of the proposed amendments that clearly identifies all changes from the initial complaint. This order highlights certain deficiencies in the initial complaint, but it will not necessarily be enough to add a sentence parroting each missing item identified herein. If plaintiffs so move, they should be sure to plead their best case. Any motion should explain how the proposed complaint overcomes all deficiencies, even those this order did not reach.

IT IS SO ORDERED.
